Affected devices could include wireless access points, routers, switches and VPNs.

Multiple vulnerabilities in TP-Link Omada system could lead to root access

LockBit claimed to have breached Federal Reserve but in fact the data came from Evolve Bank & Trust

A shockwave went through the financial world when ransomware group LockBit claimed to have breached the US Federal Reserve, the central banking system of the United States.

On LockBit’s dark web leak site, the group threatened to release over 30 TB of banking information containing Americans’ banking data if a ransom wasn’t paid by June 25:

LockBit leak site

> “Federal banking is the term for the way the Federal Bank of America distributes its money. The Reserve operates twelve banking districts around the country which oversee money distribution within their respective districts. The twelve cities which are home to the Reserve Banks are Boston, New York City, Philadelphia, Richmond, Atlanta, Dallas, Saint Louis, Cleveland, Chicago, Minneapolis, Kansas City and San Francisco.
> 
> 33 terabytes of juicy banking information containing American’s banking secrets.”

The statement ends expressing the group’s disappointment about a negotiator who apparently offered to pay $50,000.

So, you can imagine that everyone was anticipating the end of the countdown that signalled the release of the stolen data with bated breath.

However, when that deadline passed and the data was released, people who looked at the data found it did not, in fact, belong to the Federal Reserve but instead to a particular financial organization: Evolve Bank & Trust.

Overview of the available data

All the links lead to directories containing data that seems to belong to Evolve.

There hasn’t been enough time to do a full analysis of the huge amount of data, but it appears it is only remotely tied to the Federal Reserve by some included links to a Federal Reserve press link from mid-June.

At that time, the US Federal Reserve Board penalized Evolve Bancorp and its subsidiary, Evolve Bank & Trust, for multiple “deficiencies” in the bank’s risk management, anti-money laundering (AML) and compliance practices.

According to the Federal Reserve statement released at the time:

> “In addition, Evolve did not maintain an effective risk management program or controls sufficient to comply with anti-money laundering laws and laws protecting consumers.”

So, as expected, LockBit drew a lot of attention under false pretences.

The group was disrupted by law enforcement in February of 2024 and their activity diminished as a result. As the ThreatDown monthly ransomware review of May review pointed out:

> “While LockBit is technically still alive, it’s fair to say the group is not what it was: Not only are its attacks dwindling, but in early May law enforcement also revealed the identity of alleged LockBit leader Dmitry Khoroshev, aka LockBitSupp. LockBitSupp, who is now subjected to a series of asset freezes and travel bans, also has a reward of up to $10 million over his head for information that leads to his arrest.”

And recently the FBI announced it had over 7,000 LockBit decryption keys in its possession, allowing it to help victims to recover data encrypted by the gang in past attacks. LockBit ransomware has impacted over 1,800 US victims, according to FBI stats.

Back to the data, it’s good news it appears not to be from the Federal Reserve. However, it’s not good news for customers of Evolve Bank & Trust and their data may well have been stolen and published. And it’s a lot of data.

A lot of data

We’ll keep you updated on this developing story. For now, there’s no official statement from Evolve, but there are general things to know if you think you have been involved in a data breach.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Federal Reserve &#8220;breached&#8221; data may actually belong to Evolve Bank 

Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to redirect users to malicious and scam sites.
More than 110,000 sites that embed the library are impacted by the supply chain attack, Sansec said in a Tuesday report.
Polyfill is a popular library that

Supply Chain Attack / Web Security

Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to redirect users to malicious and scam sites.

More than 110,000 sites that embed the library are impacted by the supply chain attack, Sansec said in a Tuesday report.

Polyfill is a popular library that incorporates support for modern functions in web browsers. Earlier this February, concerns were raised following its purchase by China-based content delivery network (CDN) company Funnull.

The original creator of the project, Andrew Betts, urged website owners to immediately remove it, adding "no website today requires any of the polyfills in the polyfill\[.\]io library" and that "most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth."

The development also prompted web infrastructure providers Cloudflare and Fastly to offer alternative endpoints to help users move away from polyfill\[.\]io.

"The concerns are that any website embedding a link to the original polyfill\[.\]io domain, will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack," Cloudflare researchers Sven Sauleau and Michael Tremante noted at the time.

"Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised."

The Dutch e-commerce security firm said the domain "cdn.polyfill\[.\]io" has since been caught injecting malware that redirects users to sports betting and pornographic sites.

"The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours," it said. "It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats."

San Francisco-based c/side has also issued an alert of its own, noting that the domain maintainers added a Cloudflare Security Protection header to their site between March 7 and 8, 2024.

The findings follow an advisory about a critical security flaw impacting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8) that continues to remain largely unpatched despite fixes being available since June 11, 2024.

"In itself, it allows anyone to read private files (such as those with passwords)," Sansec said, which codenamed the exploit chain CosmicSting. "However, combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution."

It has since emerged that third-parties can gain API admin access without requiring a Linux version vulnerable to the iconv issue (CVE-2024-2961), making it an even more severe issue.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack

Injected malicious JavaScript code gives attackers administrator rights on websites, and fills sites with SEO spam.

Source: Primakov via Shutterstock

A threat actor or actors has compromised multiple plug-ins on the WordPress.org site with code aimed at giving attackers administrative privileges as well as conducting further malicious activity.

WordPress.org's Plug-in Review team warned users on Monday that a plug-in called Social Warfare was infected by malicious code, according to a forum post. After noticing the post, Wordfence researchers did some follow-up and discovered that there were several more WordPress.org plug-ins injected with the same code, according to a blog post published by Wordfence on June 24.

In addition to Social Warfare, versions 4.4.6.4 and 4.4.7.1, the affected plug-ins include: Blaze Widget v2.2.5 to 2.5.2; Wrapper Link Element v1.0.2 to 1.0.3; Contact Form 7 Multi-Step Addon v1.0.4 to 1.0.5; and Simply Show Hooks v1.2.1.

Of the plug-ins, Social Warfare (a social-media-themed offering) has the most installations, with more than 30,000; the rest reached no more than hundreds at the most. Still, the presence of the same malicious code across all of them should raise alarm bells, as it suggests attempts at a larger supply chain attack, according to Wordfence.

Social Warfare has been patched in version 4.4.7.3; however, it and all of the affected plug-ins have been delisted and are unavailable for download, at least temporarily, though WordPress.org did not respond when Wordfence reached out about its discovery.

None of the other plug-ins currently have a patched version; however, someone has removed the malicious code from Wrapper Link Element in a current version that's been tagged as 1.0.0, which is lower than the infected versions and thus may make it difficult for users to update, according to Wordfence.

**Malicious Behavior**

The malicious code injected in the plug-ins "attempts to create a new administrative user account and then sends those details back to the attacker-controlled server" located at 94.156.79.8, Wordfence threat intelligence lead Chloe Chamberland wrote in the post. The campaign also uses the plug-ins to inject malicious JavaScript into the footer of websites and to add SEO spam throughout it, she said.

"The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow," Chamberland added.

The origin of the attack was likely June 21, and attackers were still updating plug-ins about five hours before WordFence published its post on the attack on June 24. The researchers still don't know exactly how the infection began, and is performing a deeper analysis with updates to follow, she said.

**Mitigating Attacks Via WordPress Plug-Ins**

Due to its widespread use as a foundation for websites, the WordPress platform and its plug-ins especially are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Typically, attackers target singular plug-ins with large install bases; however, the new attack suggests that attackers now may be eyeing more ambitious supply chain attacks across multiple plug-ins to broaden the impact of malicious campaigns, according to Wordfence.

As such an attack demands greater vigilance, Wordfence — which focuses on the security of the WordPress platform — is actively working on a set of malware signatures to provide detection for these compromised plug-ins. In the meantime, anyone using any of the plug-ins should remove them from any websites immediately and "go into incident-response mode," Chamberland said.

"We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan" to remove any malicious code, she said.

Wordfence also included in the post various indicators of compromise (IoCs) — including known usernames associated with attacker-controlled admin accounts — that WordPress administrators can use to identify evidence of the campaign. Also included is a link to a guide that provides advice on how to clean WordPress-based websites of malicious code.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

WordPress Supply Chain Attack Spreads Across Multiple Plug-ins

PRESS RELEASE

SAN FRANCISCO, June 20, 2024 /PRNewswire/ -- Abstract Security, crafted by category creators who have consistently redefined the cybersecurity landscape, today announced general availability (GA) of its revolutionary platform designed for the future of security operations. Already in use by customers, Abstract's platform helps security analysts and operations teams navigate the complexities of data pipelines, increase security effectiveness and lower costs.

"Since the inception of Abstract, we've been working tirelessly to combat the challenges of security operations today, offering a tool that focuses on the data that matters and ties security back to business value," said Ryan Clough, co-founder and CPO of Abstract Security. "With the explosion of data over the last few years, customers need a more customizable approach that moves beyond saved searches and dashboards. We're excited to reach this GA milestone as we bring the future security operations platform to more customers."

A key feature of Abstract's platform is the Abstract Security Engineer (ASE), which leverages a combination of AI, expert systems, machine learning, and subject matter expertise and connects to data sources across an organization, delivering instant data and detection capabilities. The security data fabric approach enables:

*   Advanced analytics and correlation: Abstract's platform enables customers to surface threats across their enterprise and cloud infrastructure in real-time. It's powered by out-of-the-box detection content provided by the Abstract research team, which is purpose-built for cloud and SaaS threats.
    
*   Security pipelines: With data routing, transformation and enrichment that is geared for security telemetry, customers can reduce the volume and cost of log data sent to their SIEM. A single point of collection enables drag-and-drop routing of data to any number of sources, including cloud storage, SIEMs, and data platforms.
    
*   Optimized storage: 95% of collected log data is not usable for detection. Abstract's platform intelligently divides hot, warm, and cold storage tiers to automatically optimize storage and compute costs and make the data relevant to security analytics accessible via instant queries.
    

Since emerging from stealth and announcing its Seed funding earlier this year, Abstract Security has expanded its global footprint, hired an experienced technology leader as CTO, and appointed a long-time industry expert to its Board of Directors. To aid in the continued development of the Abstract Security platform, the team has added visionary and innovator Jon Oltsik to its Advisory Board. With over 35 years of technology industry experience, Jon founded the cybersecurity practice at the Enterprise Strategy Group (ESG) in 2003 and has spent the subsequent 20 years studying cyber threats, cyber-risk management, technical defenses, and CISO strategies. Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective. Jon is a founding member of the Cybersecurity Canon, a project dedicated to identifying a list of must-read books for all cybersecurity practitioners, and he was named one of the top 100 cybersecurity influencers by Onalytica.

"Defending against cyber-attacks is more difficult today than it's ever been. With the complexity of infrastructure and sheer volume of data that organizations must manage, today's security analytics teams are tired of the status quo," said Jon Oltsik, Advisory Board member of Abstract Security. "Working as an analyst and advisor has given me a unique perspective into the pain points of industry leaders, and that's why I'm so excited about the unique approach that Abstract Security is taking to solve the problems in the SIEM marketplace, and have the opportunity to support and guide the team as they grow."

In the past several months, Abstract has also been recognized by notable industry awards including a Global Infosec Award for "Pioneering Cybersecurity Startup" at RSA Conference 2024, and most recently, a 2024 Cybersecurity Excellence Award in both "Best Cybersecurity Startup" and "SIEM" categories. The team's commitment to crafting an excellent platform for customers, keeping their sights on innovation, and thoughtful leadership won Abstract the award in both categories, beating out more than 600 applicants.

To learn more about Abstract Security's growing team and accomplishments, visit https://www.abstract.security/our-team or watch this Q&A with Jon Oltsik and CEO Colby DeRodeff. To book a demo, please contact \[email protected\].

About Abstract Security  
Abstract Security, founded in 2023, has built a revolutionary platform equipped with an AI-powered assistant to better centralize the management of security analytics. Crafted by category creators and industry veterans known for redefining the cybersecurity landscape, Abstract transcends next-gen SIEM solutions by correlating data in real time between data streams. As a result, compliance and security data can be leveraged separately to increase detection effectiveness and lower costs – an approach that does not currently exist in the market.

Co-founders Colby DeRodeff, Ryan Clough, Aaron Shelmire, and Chris Camacho bring a unique set of experiences and backgrounds in product development and company-building expertise, formerly at companies like ArcSight (acq. by HP), Mandiant (acq. by Google), Palo Alto Networks and others. For more information about the company, please visit https://www.abstract.security/ and follow the journey @Get\_Abstracted.

Abstract Security Announces General Availability of its AI-Powered Data Streaming Platform for Security

Government ministries keep falling victim to relatively standard-fare cyber-espionage attacks, like this latest campaign with hazy Chinese links.

Source: Mint Images Limited via Alamy Stock Photo

A Chinese-language advanced persistent threat (APT) has been spying on government ministries across the eastern hemisphere.

The first signs of it date back to late August of last year. Back then, the as-yet-unidentified group began to use a modified version of Gh0st RAT, nicknamed "SugarGh0st RAT," to spy on targets in South Korea, as well as the Ministry of Foreign Affairs in Uzbekistan. Since then, Cisco Talos revealed in a new blog post, the group now called "SneakyChef" has been cooking up new campaigns across more countries.

Based on its lure documents, likely targets for the campaign have included:

*   Ministries of foreign affairs from Angola, India, Kazakhstan, Latvia, and Turkmenistan
    
*   The ministries of agriculture and forestry, and fisheries and marine resources in Angola
    
*   The Saudi Arabian embassy in Abu Dhabi
    

Talos has not attributed SneakyChef to any particular government itself. They did note, however, the Chinese language preferences present in its code, its use of SugarGh0st RAT — particularly, though not exclusively popular among Chinese threat actors — and the similar profile of its targets.

**Sneaky Chef's Latest Servings**

Where early campaigns utilized malicious RAR files embedded in LNK files for initial infection, now SneakyChef prefers self-extracting RARs (SFX RAR). The shift offers some modest benefits.

"RAR files just got official support in Windows 11, so for anything prior to Windows 11, you need to have extra software to be able to extract the file," explains Nick Biasani, Cisco Talos' head of outreach. "A self-extracting RAR file eliminates the need for extra software, so it probably increases the likelihood of infection."

Among the goodies SFX RAR drops: a decoy document, a dynamic link library (DLL) loader, some encrypted malware — either SugarGh0st RAT or SneakyChef's newest tool, SpiceRAT — and a malicious Visual Basic (VB) script for establishing persistence.

The decoys are legitimate, scanned documents relating in some way to the targeted ministry or embassy. They'll describe some kind of government business, most often an upcoming meeting or conference. Notably, Talos was unable to find any of the documents used in recent campaigns on the open web. (This might indicate they were themselves obtained via espionage.)

When it comes to government cyberespionage, "What we commonly see is that this would be the 'first wave.' This actor is not typically highly sophisticated, they're more aiming to send a lot of lures and get a lot of people infected so they can get initial footholds and start gathering data," Biasani says. Then, when they need access to a specific, extra-secured government body. "That's when you start seeing the more sophisticated elements of these attacks play out."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'SneakyChef' APT Slices Up Foreign Affairs With SugarGh0st

A previously undocumented Chinese-speaking threat actor codenamed SneakyChef has been linked to an espionage campaign primarily targeting government entities across Asia and EMEA (Europe, Middle East, and Africa) with SugarGh0st malware since at least August 2023.
"SneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries' Ministries

Malware / Threat Intelligence

A previously undocumented Chinese-speaking threat actor codenamed **SneakyChef** has been linked to an espionage campaign primarily targeting government entities across Asia and EMEA (Europe, Middle East, and Africa) with SugarGh0st malware since at least August 2023.

"SneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries' Ministries of Foreign Affairs or embassies," Cisco Talos researchers Chetan Raghuprasad and Ashley Shen said in an analysis published today.

Activities related to the hacking crew were first highlighted by the cybersecurity company in late November 2023 in connection with an attack campaign that singled out South Korea and Uzbekistan with a custom variant of Gh0st RAT called **SugarGh0st**.

A subsequent analysis from Proofpoint last month uncovered the use of SugarGh0st RAT against U.S. organizations involved in artificial intelligence efforts, including those in academia, private industry, and government service. It's tracking the cluster under the name UNK\_SweetSpecter.

Talos said that it has since observed the same malware being used to likely focus on various government entities across Angola, India, Latvia, Saudi Arabia, and Turkmenistan based on the lure documents used in the spear-phishing campaigns, indicating a widening of the scope of the countries targeted.

In addition to leveraging attack chains that make use of Windows Shortcut (LNK) files embedded within RAR archives to deliver SugarGh0st, the new wave has been found to employ a self-extracting RAR archive (SFX) as an initial infection vector to launch a Visual Basic Script (VBS) that ultimately executes the malware by means of a loader while simultaneously displaying the decoy file.

The attacks against Angola are also notable for the fact that it utilizes a new remote access trojan codenamed SpiceRAT using lures from Neytralny Turkmenistan, a Russian-language newspaper in Turkmenistan.

SpiceRAT, for its part, employs two different infection chains for propagation, one of which uses an LNK file present inside a RAR archive that deploys the malware using DLL side-loading techniques.

"When the victim extracts the RAR file, it drops the LNK and a hidden folder on their machine," the researchers said. "After a victim opens the shortcut file, which masqueraded as a PDF document, it executes an embedded command to run the malicious launcher executable from the dropped hidden folder."

The launcher then proceeds to display the decoy document to the victim and run a legitimate binary ("dxcap.exe"), which subsequently sideloads a malicious DLL responsible for loading SpiceRAT.

The second variant entails the use of an HTML Application (HTA) that drops a Windows batch script and a Base64-encoded downloader binary, with the former launching the executable by means of a scheduled task every five minutes.

The batch script is also engineered to run another legitimate executable "ChromeDriver.exe" every 10 minutes, which then sideloads a rogue DLL that, in turn, loads SpiceRAT. Each of these components – ChromeDriver.exe, the DLL, and the RAT payload – are extracted from a ZIP archive retrieved by the downloader binary from a remote server.

SpiceRAT also takes advantage of the DLL side-loading technique to start a DLL loader, which captures the list of running processes to check if it's being debugged, followed by running the main module from memory.

"With the capability to download and run executable binaries and arbitrary commands, SpiceRAT significantly increases the attack surface on the victim's network, paving the way for further attacks," Talos said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Deploy SpiceRAT and SugarGh0st in Global Espionage Campaign

The new remote access trojan (RAT) dubbed SpiceRAT was used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia.

*   Cisco Talos discovered a new remote access trojan (RAT) dubbed SpiceRAT, used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia. 
*   We observed that SneakyChef launched a phishing campaign, sending emails delivering SugarGh0st and SpiceRAT with the same email address. 
*   We identified two infection chains used to deliver SpiceRAT utilizing LNK and HTA files as the initial attack vectors. 

_Cisco Talos would like to thank the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this investigation._ 

**SneakyChef delivered SpiceRAT to target Angola government with lures from Turkmenistan news agency **

Talos recently revealed SneakyChef’s continuing campaign targeting government agencies across several countries in EMEA and Asia, delivering the SugarGh0st malware (read the corresponding research here). However, we found a new malware we dubbed “SpiceRAT” was also delivered in this campaign.  

SneakyChef is using a name "ala de Emissão do Edifício B Mutamba" and the email address “dtti.edb@\[redated\]” to send several phishing emails with at least 28 different RAR file attachments to deliver either SugarGh0st or SpiceRAT. 

One of the decoy PDFs that we analysed in this campaign was dropped by a RAR archive, delivered as an attachment in the emails likely targeted Angolan government agencies. The decoy PDF contained lures from the Turkmenistan state-owned news media “ТУРКМЕНСКАЯ ГОСУДАРСТВЕННАЯ ИЗДАТЕЛЬСКАЯ СЛУЖБА” (Neytralnyy Turkmenistan), indicating that the actor has likely downloaded the PDF from their official website. We also found that a similar decoy PDF from the same news agency was dropped by the RAR archive that delivered the SugarGh0st malware in this campaign, highlighting that SneakyChef has SugarGh0st RAT and SpiceRAT payloads in their arsenal.   

__Decoy PDF samples of SugarGh0st and SpiceRAT attacks.__

**Two infection chains **

Talos discovered two infection chains employed by SneakyChef to deploy SpiceRAT. Both infection chains involved multiple stages launched by an HTA or LNK file.  

**LNK-based infection chain  **

The LNK-based infection chain begins with a malicious RAR file that contains a Windows shortcut file (LNK) and a hidden folder. This folder contains multiple components, including a malicious executable launcher, a legitimate executable, a malicious DLL loader, an encrypted SpiceRAT masquerading as a legitimate help file (.HLP) and a decoy PDF. The table below shows an example of the components of this attack chain and the description. 

File Name 

Description 

2024-01-17.pdf.lnk 

Malicious shortcut file  

LaunchWlnApp.exe 

Windows EXE to open decoy PDF and run a legitimate EXE 

dxcap.exe 

Benign executable to side-load the malicious DLL 

ssMUIDLL.dll 

Malicious DLL loader 

CGMIMP32.HLP 

Encrypted SpiceRAT

Microsoftpdf.pdf 

Decoy PDF  

When the victim extracts the RAR file, it drops the LNK and a hidden folder on their machine. After a victim opens the shortcut file, which masqueraded as a PDF document, it executes an embedded command to run the malicious launcher executable from the dropped hidden folder.  

__Sample LNK file that starts the malicious launcher EXE.__

This malicious launcher executable is a 32-bit binary compiled on Jan. 2, 2024. When launched by the shortcut file, it reads the victim machine’s environment variable, the execution path of the legitimate executable and the path of the decoy PDF document and runs them using the API ShellExecuteW.  

__Sample function that starts the legitimate EXE and opens the decoy document.__

The legitimate file is one of the components of SpiceRAT infection, which will sideload the malicious DLL loader to decrypt and launch the SpiceRAT payload.  

**HTA-based infection chain **

The HTA-based infection chain also begins with a RAR archive delivered with the email. The RAR file contains a malicious HTA file. When the victim runs the malicious HTA file, the embedded malicious Visual Basic script executes and drops the embedded base64-encoded downloader binary into the victim’s user profile temporary folder, disguised as a text file named “Microsoft.txt.” 

After dropping the malicious downloader executable, the HTA file executes another function, which drops and executes a Windows batch file in the victim’s user profile temporary folder, named “Microsoft.bat.”  

The malicious batch file performs the following operations on the victim’s machine: 

*   The certutil command decodes the base64-encoded binary data from “Microsoft.txt” and saves it as “Microsoft.exe” in the victim’s user profile temporary folder.  

certutil -decode %temp%\\\\Microsoft.txt %temp%\\\\Microsoft.exe

*   It creates a Windows scheduled task that runs the malicious downloader every five minutes, supressing any warnings that it triggers when the same task name existed.  

schtasks /create /tn MicrosoftEdgeUpdateTaskMachineClSAN /tr %temp%\\\\Microsoft.exe /sc minute -mo 5 /F 

*   The batch script creates another Windows task named “MicrosoftDeviceSync” to run a downloaded legitimate executable “ChromeDriver.exe” every 10 minutes.  

schtasks /create /tn MicrosoftDeviceSync /tr C:\\\\ProgramData\\\\Chrome\\\\ChromeDirver.exe /sc minute -mo 10 /F 

*   After establishing persistence with the Windows scheduled task, the batch script runs three other commands to erase the infection markers. This includes deleting the Windows task named MicrosoftDefenderUpdateTaskMachineClSAN and removing the encoded downloader “Microsoft.txt,” the malicious HTA file, and any other contents unpacked from the RAR file attachment.  

schtasks /delete /f /tn MicrosoftDefenderUpdateTaskMachineClSAN 

del /f /q %temp%\\\\Microsoft.txt %temp%\\\\Microsoft.hta 

del %0 

The malicious downloader is a 32-bit executable compiled on March 5, 2024. After running on the victim’s machine through the Windows task MicrosoftEdgeUpdateTaskMachineClSAN, it downloads a malicious archive file “chromeupdate.zip” from an attacker-controlled server through a hardcoded URL and unpacks its contents into the folder at “C:\\ProgramData\\Chrome”. The unpacked files are the components of SpiceRAT.  

__A sample function of the malicious downloader.__

**Analysis of SpiceRAT **

Both infection chains eventually drop the SpiceRAT files into victim machines. The SpiceRAT files include four main components: a legitimate executable file, a malicious DLL loader, an encrypted payload and the downloaded plugins.  

**The loader components of SpiceRAT ****Legitimate executable **

The threat actor is using a legitimate executable (named “RunHelp.exe”) as a launcher to sideload the malicious DLL loader file (ssMUIDLL.dll). This legitimate executable is a Samsung RunHelp application signed with the certificate of "Samsung Electronics CO., LTD.” In some instances, it has been observed masquerading as “dxcap.exe,” a DirectX diagnostic included with Visual Studio, and “ChromeDriver.exe,” an executable that Selenium WebDriver uses to control the Google Chrome web browser. 

__File properties and digital signature details of the legitimate executable.__

The legitimate Samsung helper application typically loads a DLL called “ssMUIDLL.dll.” In this attack, the threat actor abuses the application by sideloading a malicious DLL loader that is masquerading as the legitimate DLL and executes its exported function GetFulllangFileNamew2. 

__Sample function that side-loads the malicious DLL.__

**Malicious DLL loader **

The malicious loader is a 32-bit DLL compiled on Jan. 2, 2024. When its exported function GetFullLangFileNameW2() is run, it copies the downloaded legitimate executable into the folder "C:\\Users\\<user>\\AppData\\Local\\data\\” as “dxcap.exe” along with the malicious DLL “ssMUIDLL.dll” and the encrypted SpiceRAT payload “CGMIMP32.HLP.”  

__A sample function copies the SpiceRAT components.__

It executes the schtasks command to create a Windows task named “Microsoft Update,” configured to run “dxcap.exe” every two minutes. This technique establishes persistence at multiple locations on the victim's machine to maintain resilience.    

schtasks  -CreAte -sC minute -mo 2 -tn "Microsoft Update" -tr "C:\\Users\\<User>\\AppData\\Local\\data\\dxcap.exe" 

__A sample function that creates Windows task.__

Then the loader DLL takes the snapshot of the running processes in the victim machine and checks if the legitimate executable that sideloads this malicious DLL is being debugged by querying its process information using “NtQueryInformationProcess.” 

The loader DLL executes another function that loads the encrypted file “CGMIMP32.HLP,” which is masquerading as a legitimate Windows help file into memory and decrypts it using the RC4 encryption algorithm. In one of the samples, we found that the DLL used a key phrase “{11AADC32-A303-41DC-BF82-A28332F36A2E}” for decrypting SpiceRAT in memory. After decryption, the loader DLL injects and runs the SpiceRAT from memory to its parent process “dxcap.exe.”  

__A sample function that decrypts the SpiceRAT in memory.__

**The SpiceRAT payloads **

Talos discovered that SneakyChef has employed SpiceRAT and its plugin as the payloads in this campaign. With the capability to download and run executable binaries and arbitrary commands, SpiceRAT significantly increases the attack surface on the victim’s network, paving the way for further attacks.  

SpiceRAT is a 32-bit Windows executable with three malicious export functions GetFullLangFileNameW2, WinHttpPostShare and WinHttpFreeShareFree. Initially, it executes the GetFullLangFileNameW2 function, creating a mutex as an infection marker on the victim machine. The mutex name is hardcoded in the RAT binary. We spotted two different mutex names among the SpiceRAT samples that we analyzed: 

*   {00866F68-6C46-4ABD-A8D6-2246FE482F99}  
*   {00861111-3333-4ABD-GGGG-2246FE482F99} 

After the Mutex is created, the RAT collects reconnaissance data from the victim’s machine, including the operating system’s version number, hostname, username, IP address and the system’s network card hardware address (MAC address). The reconnaissance data is then encrypted and stored in the machine’s memory. 

__A sample function that encrypts the reconnaissance data in memory.__

During runtime, the RAT loads the WININET.dll file and imports the addresses of its functions to prepare for C2 communication.  

__A sample function that loads the APIs of WININET.dll.__

Once the function addresses of WININET.dll are imported, the RAT executes the WinHttpPostShare function to communicate with the C2. It connects to the C2 server with a hardcoded URL in the binary and through the HTTP POST method.  

 

 

Then, it attempts to read and send the encrypted stream of reconnaissance data and user credentials from memory to the C2 server. The C2 server responds with an encrypted message enclosed with HTML tags in the format “<HTML><encrypted Response> </HTML>”. The RAT decrypts the response and writes them into the memory stream.  

We discovered that the C2 server sends an encrypted stream of binary to the RAT. The RAT decrypts the binary stream into a DLL file in the memory and executes its exported functions. The decrypted DLL functions as a plugin to the SpiceRAT.  

 __Sample function of SpiceRAT executing the export functions of plugin.__ 

**SpiceRAT plugin enables further attacks  **

SpiceRAT plugin is a 32-bit dynamic link library compiled on March 28, 2023. The plugin has an original filename “Moudle.dll” and has two export functions: Download and RunPE. 

The Download function of the plugin appears to access decrypted response data from the C2 server stored in the victim’s memory and writes them into a file on disk, likely as commanded by the C2.  

__The downloader function of SpiceRAT plugin.__

The RunPE function appears to execute arbitrary commands or binaries that were likely sent from C2 using the WinExec API.  

__A sample function to run a PE file.__ 

**C2 communications **

SneakyChef’s infrastructure includes the malware’s download and command and control (C2) servers. In one attack, the threat actor hosted a malicious ZIP archive on the server 45\[.\]144\[.\]31\[.\]57 and hardcoded the following URL in a malicious downloader executable.  

http://45[.]144[.]31[.]57:80/S1VRB0HpMXR79eStog35igWKVTsdbx/chromeupdate.zipservers

We observed that the threat actor used IP addresses and domain names to connect to the C2 servers in different samples of SpiceRAT in this campaign. Our research uncovered various C2 URLs hardcoded in SpiceRAT samples.  

*   hxxp\[://\]94\[.\]198\[.\]40\[.\]4/homepage/index.aspx 
*   hxxp\[://\]stock\[.\]adobe-service\[.\]net/homepage/index.aspx 
*   hxxp\[://\]app\[.\]turkmensk\[.\]org\[/\]homepage\[/\]index.aspx 

One of the C2 servers, 94\[.\]198\[.\]40\[.\]4, was found to be running Windows Server 2016 and hosted on the M247 network, which is frequently abused by APT groups. Passive DNS resolution data indicate that the IP address 94\[.\]198\[.\]40\[.\]4 resolved to the domain app\[.\]turkmensk\[.\]org and we found another SpiceRAT sample in the wild that communicated with this domain.  

Further analysis of the C2 server 94\[.\]198\[.\]40\[.\]4 uncovered a unique C2 communication pattern of SpiceRAT. The SpiceRAT initially sends the encrypted reconnaissance data to the C2 URL through the HTTP POST method. The C2 server then responds with an encrypted message embedded in the HTML tags.   

We observed that the SpiceRAT and its C2 servers use a three-byte prefix for their first three requests and responses, as shown in the table below. 

C2 server response prefix 

Our analysis suggests that the second request that SpiceRAT sends likely contains the encrypted stream of the victim’s machine user credentials. We found that for the third request that SpiceRAT sends from the victim machine, the C2 server responds with an encrypted stream of the SpiceRAT’s plugin binary. SpiceRAT then decrypts and injects the plugin DLL reflectively.  

Once the plugin is downloaded and implanted on the victim’s machine, SpiceRAT sends another request with the prefix “wG.” The C2 server responds with an unencrypted message “<HTML>D\_OK<HTML>”, likely to get a confirmation of successful payload download.  

**TTPs overlap with other malware campaigns  **

Talos assesses with medium confidence that the actor SneakyChef, using SpiceRAT and SugarGh0st RAT is a Chinese-speaking actor based of the language observed in the artifacts and overlapping TTPs with other malware campaigns.  

In this campaign, we saw that SpiceRAT leverages the sideloading technique, utilizing a legitimate loader alongside a malicious loader and the encrypted payload. Although sideloading is a widely adopted tactic, technique and procedure (TTP), the choice to use the Samsung helper application to sideload the malicious DLL masquerading “ssMUIDLL.dll” file is particularly notable. This method has been previously observed in the PlugX and SPIVY RAT campaigns. 

**Coverage **

 Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SID for this threat is 63538. 

ClamAV detections are also available for this threat: 

Win.Trojan.SpiceRAT-10031450-0 

Win.Trojan.SpiceRATPlugin-10031560-0 

Win.Trojan.SpiceRATLauncher-10031652-0 

Win.Trojan.SpiceRATLauncherEXE-10032013-0 

**Indicators of Compromise **

Indicators of Compromise associated with this threat can be found here.

Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia

Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023.

Friday, June 21, 2024 08:00

*   Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023.  
*   In the newly discovered campaign, we observed a wider scope of targets spread across countries in EMEA and Asia, compared with previous observations that mainly targeted South Korea and Uzbekistan.   
*   SneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries’ Ministries of Foreign Affairs or embassies. 
*   Beside the two infection chains disclosed by Talos in November, we discovered an additional infection chain using SFX RAR files to deliver SugarGh0st.  
*   The language used in the SFX sample in this campaign reinforces our previous assertion that the actor is Chinese speaking.   

_Cisco Talos would like to thank the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this investigation._ 

**SneakyChef actor profile **

In early August 2023, Talos discovered a campaign using the SugarGh0st RAT to target users in Uzbekistan and South Korea. We continued to observe new activities using the same malware to target users in a wider geographical location. Therefore, we created an actor profile for the group and dubbed them “SneakyChef.” 

Talos assesses with medium confidence that SneakyChef operators are likely Chinese-speaking based on their language preferences, the usage of the variants of Gh0st RAT — a popular malware among various Chinese-speaking actors — and the specific targets, which includes the Ministry of Foreign affairs of various countries and other government entities. Talos also discovered another RAT dubbed “SpiceRAT” used in the campaign. Read the corresponding research here.

**Targets across EMEA and Asia **

Talos assess with low confidence that the following government agencies are the potential targets in this campaign based on the contents of the decoy documents: 

*   Ministry of Foreign affairs of Angola 
*   Ministry of Fisheries and Marine Resources of Angola  
*   Ministry of Agriculture and Forestry of Angola 
*   Ministry of Foreign affairs of Turkmenistan 
*   Ministry of Foreign affairs of Kazakhstan 
*   Ministry of Foreign affairs of India 
*   Embassy of the Kingdom of Saudi Arabia in Abu Dhabi 
*   Ministry of Foreign affairs of Latvia  

Most of the decoy documents we found in this campaign are scanned documents of government agencies, which do not appear to be available on the internet. During our research, we observed and analyzed various decoy documents with government-and research conference-themed lures in this campaign. We are sharing a few samples of the decoy documents accordingly. 

**Lures targeting Southern African countries **

The threat actor has used decoy documents impersonating the Ministry of Foreign affairs of Angola. The lure content in one of the sample documents appeared to be a circular from the Angolan Ministry of Fisheries and Marine Resources about a debt conciliation meeting between the ministry authority and a financial advisory company.  

Another document contained information about a legal decree concerning state or public assets and their disposal. This document appealed to anyone interested in legal affairs and public heritage regimes and was addressed to the Ministry of Foreign Affairs – MIREX, a centralized institution in Luanda. 

 

 

**Lures targeting Central Asian countries **

The decoy documents used in the attacks likely targeting countries in Central Asia were either impersonating the Ministry of Foreign affairs of Turkmenistan or Kazakhstan. One of the lures is related to a meeting organized with the Turkmenistan embassy in Argentina and the heads of transportation and infrastructure of the Italian Republic. Another document was a report of planned events and the government-issued list of priorities to be addressed in the year 2024 that includes a formal proclamation-signing event between the Ministry of Defense of Uzbekistan and the Ministry of Defense of Kazakhstan. 

 

 

**Lures targeting Middle Eastern countries **

A decoy document we observed in the attack likely targeting Middle Eastern countries was an official circular regarding the declaration of an official holiday for the Founding Day of the Kingdom of Saudi Arabia.  

**Lures targeting Southern Asian countries **

We found another sample that was likely used to target the Indian Ministry of Foreign Affairs. It has decoy documents, including an Indian passport application form, along with a copy of an Aadhar card, a document that serves as proof of identity in India.  

 

 

One of the decoy Word documents we observed contained lures related to India-U.S. relations, including a list of events involving interactions between India’s prime minister and the U.S. president. 

**Lures targeting European countries **

A decoy document found in a sample likely targeting the Ministry of Foreign Affairs of Latvia was a circular impersonating the Embassy of Lithuania. It contained a lure document regarding an announcement of an ambassador’s absence and their replacement. 

**Other targets **

Along with the government-themed decoy document samples we analyzed, we observed a few other samples from these campaigns. These included decoys such as an application form to register for a conference run by the Universal Research Cluster (URC) and a research paper abstract of the ICCSE international conference. We also saw a few other decoys related to other conference invitations and details, including those for the Political Science and International Relations conference.   

 

 

Recently, Proofpoint researchers reported a SugarGh0st campaign targeting an organization in the U.S. involved in artificial intelligence across academia, the private technology sector, and government services, highlighting the wider adoption of SugarGh0st RAT in targeting various business verticals. 

**Threat actor continues to leverage old and new C2 domains **

After Talos’ initial disclosure of SugarGh0st campaign in November 2023, we are attributing the past attacks to the newly named threat actor SneakyChef. Despite our disclosure, SneakyChef continued to use the C2 domain we mentioned and deployed the new samples in the following months after our blog post. Most of the samples observed in this campaign communicate with the C2 domain account\[.\]drive-google-com\[.\]tk, consistent with their previous campaign. Based on Talos’ Umbrella records, resolutions to the C2 domain were still observed until mid-May.  

DNS requests for the SugarGh0st C2 domain. 

Talos also observed the new domain account\[.\]gommask\[.\]online, reported by Proofpoint as being used by SugarGh0st. The domain was created in March 2024, and queries were observed through April 21.  

**Infection chain abuse SFX RAR as the initial attack vector **

With Talos’ first reporting of the SugarGh0st campaign in November, we disclosed two infection chains that utilized a malicious RAR with an LNK file, likely delivered via phishing email. In the newly observed campaign, in addition to the old infection chains, we discovered a different technique from a few malicious RAR samples.  

The threat actor is using an SFX RAR as the initial vector in this attack. When a victim runs the executable, the SFX script executes to drop a decoy document, DLL loader, encrypted SugarGh0st, and a malicious VB script into the victim’s user profile temporary folder and executes the malicious VB script.  

The malicious VB script establishes persistence by writing the command to the registry key UserInitMprLogonScript which executes when a user belonging to either a local workgroup or domain logs into the system. 

HKCU\\Environment\\UserInitMprLogonScript 

regsvr32.exe /s %temp%\\update.dll 

When a user logs into the system, the command runs and launches the loader DLL “update.dll” using regsvr32.exe. The loader reads the encrypted SugarGg0st RAT “authz.lib”, decrypts it and injects it into a process. This technique is same as that of the SugarGh0st campaign disclosed by the Kazakhstan government in February. 

**Coverage **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SID for this threat is 62647. 

ClamAV detections are also available for this threat: 

Win.Trojan.SugarGh0stRAT-10014937-0 

Win.Tool.DynamicWrapperX-10014938-0 

Txt.Loader.SugarGh0st\_Bat-10014939-0 

Win.Trojan.SugarGh0stRAT-10014940-0 

Lnk.Dropper.SugarGh0stRAT-10014941-0 

Js.Trojan.SugarGh0stRAT-10014942-1 

Win.Loader.Ramnit-10014943-1 

Win.Backdoor.SugarGh0stRAT-10014944-0 

Win.Trojan.SugarGh0st-10030525-0 

Win.Trojan.SugarGh0st-10030526-0 

**Orbital Queries **

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries related to this threat, please follow the links: 

*   SugarGh0st RAT file detected 
*   SugarGh0st RAT Registry key  

**Indicators of Compromise **

Indicators of Compromise associated with this threat can be found here

Tag

#cisco