Ubuntu Security Notice 7079-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

    ==========================================================================Ubuntu Security Notice USN-7079-1October 22, 2024webkit2gtk vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTSSummary:Several security issues were fixed in WebKitGTK.Software Description:- webkit2gtk: Web content engine library for GTK+Details:Several security issues were discovered in the WebKitGTK Web and JavaScriptengines. If a user were tricked into viewing a malicious website, a remoteattacker could exploit a variety of issues related to web browser security,including cross-site scripting attacks, denial of service attacks, andarbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  libjavascriptcoregtk-4.1-0      2.46.1-0ubuntu0.24.04.1  libjavascriptcoregtk-6.0-1      2.46.1-0ubuntu0.24.04.1  libwebkit2gtk-4.1-0             2.46.1-0ubuntu0.24.04.1  libwebkitgtk-6.0-4              2.46.1-0ubuntu0.24.04.1Ubuntu 22.04 LTS  libjavascriptcoregtk-4.0-18     2.46.1-0ubuntu0.22.04.3  libjavascriptcoregtk-4.1-0      2.46.1-0ubuntu0.22.04.3  libjavascriptcoregtk-6.0-1      2.46.1-0ubuntu0.22.04.3  libwebkit2gtk-4.0-37            2.46.1-0ubuntu0.22.04.3  libwebkit2gtk-4.1-0             2.46.1-0ubuntu0.22.04.3  libwebkitgtk-6.0-4              2.46.1-0ubuntu0.22.04.3This update uses a new upstream release, which includes additional bugfixes. After a standard system update you need to restart any applicationsthat use WebKitGTK, such as Epiphany, to make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-7079-1  CVE-2024-40866, CVE-2024-44187Package Information:  https://launchpad.net/ubuntu/+source/webkit2gtk/2.46.1-0ubuntu0.24.04.1  https://launchpad.net/ubuntu/+source/webkit2gtk/2.46.1-0ubuntu0.22.04.3

Ubuntu Security Notice USN-7079-1

Red Hat Security Advisory 2024-8329-03 - An update is now available for the Red Hat build of Cryostat 3 on RHEL 8.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8329.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat build of Cryostat security updateAdvisory ID:        RHSA-2024:8329-03Product:            CryostatAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8329Issue date:         2024-10-23Revision:           03CVE Names:          CVE-2024-34155====================================================================Summary: An update is now available for the Red Hat build of Cryostat 3 on RHEL 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:An update is now available for the Red Hat build of Cryostat 3 on RHEL 8.Security Fix(es):* golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)* golang: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion (CVE-2024-34158)* golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion (CVE-2024-34155)* com.graphql-java/graphql-java: Allocation of Resources Without Limits or Throttling in GraphQL Java (CVE-2024-40094)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34155References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2301456https://bugzilla.redhat.com/show_bug.cgi?id=2310527https://bugzilla.redhat.com/show_bug.cgi?id=2310528https://bugzilla.redhat.com/show_bug.cgi?id=2310529

Red Hat Security Advisory 2024-8329-03

Cyber attackers are using encoded JavaScript files to hide malware, abusing Microsoft’s Script Encoder to disguise harmful scripts…

Cyber attackers are using encoded JavaScript files to hide malware, abusing Microsoft’s Script Encoder to disguise harmful scripts in .jse files. ANY.RUN’s sandbox helps detect and decrypt these threats, enhancing security analysis efficiency.

Cyber attackers constantly innovate new ways to hide their malicious intentions. Recently, cybersecurity researchers at ANY.RUN came across a tactic used by attackers which involves the abuse of encoded JavaScript files. Attackers have been using the Microsoft Script Encoder to disguise harmful scripts within .jse files.

This tactic allows malware to remain hidden within seemingly legitimate scripts, posing a major threat to unsuspecting users and traditional security measures.

****Microsoft Script Encoder Exploited** **

Microsoft originally developed the Script Encoder to help developers obfuscate JavaScript and VBscript while keeping them executable with wscript and similar interpreters. This tool was initially designed to protect source code, but it has also become a valuable resource for malware developers.

By encoding JavaScript into a non-human-readable format, attackers can hide their malicious scripts. The latter can be delivered through phishing campaigns or drive-by-download attacks, where users unknowingly run the malicious script.

This obfuscation technique makes it difficult for traditional security tools to detect hidden threats. However, they can be detected faster with the help of tools, like ANY.RUN’s Script Tracer.

****How to Decrypt Encoded Malicious Scripts****

To view the log of the script execution, run the sample inside ANY.RUN’s sandbox. 

**View analysis session**

After running the sample, you can discover the behaviour of the script in an isolated environment using ANY.RUN’s Script Tracer:

*   **Obtain the length of the encrypted data**

Begin by identifying the length of the encoded portion of the script. While doing this, keep an eye out for the @ symbol, which serves as a key marker in the script. 

Encrypted data after the symbol @ is displayed in ANY.RUN’s sandbox

When you see @, it indicates that the next character has been modified using a specific algorithm.

*   **Substitute values in order**

With the encoded characters identified, begin the substitution process. This step involves replacing each encoded symbol with its corresponding decoded value. To decode each character in the script, follow the instructions in the image below:

Decoding the encoded JavaScript with ANY.RUN’s sandbox

*   **Obtain the decrypted value**

As you decode each character, you will start to uncover the readable form of the script. This step-by-step decoding reveals the underlying commands hidden within the encoded data.

*   **Insert the decrypted bytes into the buffer**

After decoding each character, store the decoded result in a buffer (a temporary space to hold the data). Continue adding decrypted characters until the entire script has been processed.

*   **Use the ord() function for character values**

Take the numeric value of each symbol using the ord() function, then retrieve the corresponding decoded character from the predefined encoding tuple using **PICK\_ENCODING**.

****Analyzing Malicious Scripts in a Safe Environment****

Manually decrypting encoded scripts can be complex and time-consuming. To make the decryption process easier and faster, you can use tools like ANY.RUN’s sandbox. 

It allows you to analyze malware behaviour in a secure environment, giving you the insights you need for detailed analysis.

Sign up for a 14-day free trial for unlimited malware analysis and see how it simplifies the process.

1.  Analysis of Top Infostealers: Redline, Vidar and Formbook
2.  PythonAnywhere Cloud Platform Abused for Hosting Ransomware
3.  OpenSSF Warns of Fake Maintainers Targeting JavaScript Projects
4.  ANY.RUN Upgrades Threat Intelligence to Identify Emerging Threats
5.  Visa warns of Baka JavaScript skimmer capable of evading detection

Attackers Use Encoded JavaScript to Deliver Malware

WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns.

Wednesday, October 23, 2024 06:02

*   WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. 
*   WarmCookie, observed being used for initial access and persistence, offers a means for continuous long-term access to compromised environments and is used to facilitate delivery of additional malware such as CSharp-Streamer-RAT and Cobalt Strike. 
*   Post-compromise intrusion activity associated with WarmCookie overlaps with previously observed activity we attribute to TA866.  
*   We assess that WarmCookie was likely developed by the same threat actor(s) as Resident backdoor, a post-compromise implant previously deployed in intrusion activity that Cisco Talos attributes to TA866.  

**What is WarmCookie? **

WarmCookie, also known as BadSpace, is a malware family that has been distributed since at least April 2024. Throughout 2024, we have observed several distribution campaigns conducted using a variety of lure themes to entice victims to take actions that result in malware infection.  

These campaigns typically rely on malspam or malvertising to initiate the infection process that results in the delivery of WarmCookie. WarmCookie offers a variety of useful functionality for adversaries including payload deployment, file manipulation, command execution, screenshot collection and persistence, making it attractive to use on systems once initial access has been gained to facilitate longer-term, persistent access within compromised network environments.  

In previously analyzed intrusion activity involving WarmCookie, we have observed that it is used as an initial payload and that CSharp-Streamer-RAT and Cobalt Strike were delivered following the initial WarmCookie infection.  

While analyzing the campaigns, intrusion activity, and infrastructure associated with WarmCookie over the course of 2024, we also identified multiple overlaps with activity conducted by TA866 in 2023. 

**Typical infection chains **

As previously mentioned, we have observed WarmCookie campaigns being conducted since at least April 2024. These campaigns rely on malspam or malvertising to facilitate the delivery of malicious content.  

In the case of malspam, we have observed consistent use of invoice-related and job agency themes that entice victims to access hyperlinks present in either the email body, or within attached documents, such as PDFs.  

Examples of common message subjects observed in campaigns conducted between April and August 2024 are listed below. 

*   United Rentals Inc: Invoice# [0-9]{9}\-[0-9]{3} 
*   Invoice and Remittance

In a recent campaign conducted in August, the messages contained PDF attachments. The attachment filenames were randomized but typically use the following format. 

*   Attachment_[0-9]{3}\-[0-9]{3}\.pdf

While there have been variations over time, below is a representative example of one of these emails and the associated PDF attachment. 

__WarmCookie emails and attachments.__

The PDFs contain hyperlinks that direct victims to web servers hosting malicious JavaScript files that continue the infection process. 

We have also observed WarmCookie campaigns leveraging infrastructure associated with traffic distribution and malware delivery systems. In one early campaign, we observed the use of the LandUpdates808 cluster of infrastructure described here. In observed cases, malicious JavaScript downloaders were being hosted at the following paths on servers associated with the LandUpdates808 cluster of web servers. 

/wp-content/upgrade/update\[.\]php

Regardless of whether the delivery stage of the attack was conducted via malspam or malvertising, an obfuscated JavaScript downloader is delivered that is responsible for continuing the infection process. We have observed the use of ZIP archives to compress the JavaScript file and the delivery of the JavaScript file directly from the distribution infrastructure.  

When executed, it deobfuscates and executes a PowerShell command that uses Bitsadmin to retrieve and execute the WarmCookie DLL using syntax, like that shown below. 

__PowerShell execution.__

We have observed a relatively small number of distribution servers hosting WarmCookie DLLs compared to the infrastructure used in earlier stages of the infection chain.  

**WarmCookie **

The main WarmCookie payload has been extensively analyzed in prior reporting here and here. While performing this research, newly observed WarmCookie samples were reported on social media during September 2024. We observed significant additions and changes in this latest version that demonstrate the threat actor is continuing to improve their tooling.  

We observed changes to the way the malware is executed and how persistence is achieved on infected systems. As described in prior reporting, the malware is typically delivered and executed as a PE DLL or a PE EXE. If the payload is in the DLL format, it is typically executed with specific command-line parameters that determine whether persistence should be achieved.  

In previous WarmCookie samples the execution was consistent with the following: 

rundll32.exe <DLL\_Filename>,Start /p

In the latest samples analyzed, this command-line syntax has been modified as follows: 

rundll32.exe <DLL\_Filename>,Start /u

Additionally, the user agent used during C2 communications in previous WarmCookie samples featured extraneous spaces not consistent with normal user agent strings seen in the wild. This allowed for easy detection of WarmCookie C2 activity via network traffic inspection. In the latest WarmCookie samples, this mistake has been corrected. Below is a comparison between the old and new user agent strings used during C2 communications. 

Old User Agent: 

Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)

New User Agent: 

Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

We also observed the inclusion of a new self-updating mechanism that would enable an attacker to dynamically deliver updates to WarmCookie via the C2 server, however, this functionality did not appear to be fully implemented in the analyzed sample at the time. 

In the latest sample, changes were made to the sandbox detection mechanism present in the malware where some checks present in previous versions have been removed. 

__WarmCookie sandbox detection.__

Several changes to the C2 commands supported by the malware have also been made in the latest WarmCookie samples analyzed. The command to remove persistence and the malware itself has been deleted. New commands have been added as follows: 

*   **Command 0x8:** Supports the creation of a DLL file received from the C2 server that is assigned a temporary filename and then executed by WarmCookie.   
*   **Command 0xA**: Appears to be a prepared update command, it is like Command 0x8, but adds hardcoded parameters to the DLL:    
    C:\Windows\System32\rundll32.exe <tmpfilename.dll> Start /update
*   **Command 0xB**: Supports moving the malware to a temporary file name and location and deletes the previously scheduled task. It prepends the string ‘dat’ to the temporary filename. It also exits the C2 loop, leading to termination of the malware process. 

During the malware’s initialization and startup phase, the /update parameter of the Command 0xA is checked to determine if the parameter was set. Regardless of the result of this check, the same function is executed, as shown below. 

WarmCookie update parameter. 

Analysis suggests that the malware will continue to evolve moving forward as the threat actor continues to improve on it and adds additional functionality as needed. 

**Links to past intrusion activity **

While analyzing the distribution campaigns, infrastructure used, and post-compromise intrusion activity associated with WarmCookie, we identified multiple overlaps with previously observed malicious activity.  

In earlier WarmCookie distribution campaigns, threat actors relied on lures that appear as if they were associated with talent/job search agencies. As mentioned here, the lure documents and landing pages associated with this campaign are like those used by distributors of Ursnif in past campaigns.  

While analyzing intrusion activity associated with WarmCookie, we observed the deployment of CSharp-Streamer-RAT as a follow-on payload following the initial system compromise. CSharp-Streamer-RAT is a full-featured remote access trojan that offers robust functionality as described here.  

In this case, the sample reached out to a C2 server that was configured to use an SSL certificate that appeared to have been programmatically generated with several fields randomly populated. Using Regular Expressions to identify other servers with similar SSL characteristics, we identified three additional C2 servers, all previously associated with CSharp-Streamer-RAT samples. One of these C2 servers was observed being used by a CSharp-Streamer-RAT sample we identified in a previous intrusion that we assess with high confidence was conducted by TA866.  

The screenshot below shows the relevant fields present within the SSL certificate associated with the CSharp-Streamer-RAT C2 server observed in previous intrusion activity we attribute to TA866.  

__Previous CSharp-Streamer-RAT C2 SSL certificate.__

Below is an example of one of the SSL certificates associated with the CSharp-Streamer-RAT C2 server observed in recent WarmCookie intrusion activity. 

__Recent CSharp-Streamer-RAT C2 SSL certificate.__

Based on analysis of the system involved in this prior intrusion activity, we assess with high confidence that TA866/Asylum Ambuscade deployed CSharp-Streamer-RAT while directly operating on the system leading up to, during, and after its deployment. In the recent WarmCookie case, we also assess with high confidence that the attacker who deployed WarmCookie also deployed CSharp-Streamer-RAT following the initial compromise.

**WarmCookie vs. Resident backdoor **

As referenced here, and in prior reporting, TA866/Asylum Ambuscade has been observed delivering a post-compromise implant called Resident backdoor in prior intrusion activity. Prior reporting on WarmCookie has alluded to observed links between Resident backdoor and WarmCookie.

We performed a code and function level analysis of Resident backdoor samples from previous intrusion activity and WarmCookie samples from September 2024 and observed several notable similarities in the way core functionality has been implemented across both malware families. WarmCookie appears to contain much of the same functionality as Resident backdoor but has been significantly extended to support additional functionality.  

We assess that both were likely developed by the same entity based on the following analysis findings: 

*   The RC4 implementation is consistent across both malware families. 
*   The RC4 string decryption function implementation is consistent across both malware families. 
*   Mutex management is performed consistently across both malware families. 
*   Both malware families use GUID-like strings for the mutex. 
*   The way in which various functions were constructed and the coding conventions used is consistent. 
*   The definition of scheduled tasks to achieve persistence is consistent. 
*   Both malware families wait one minute before executing the scheduled task. 
*   The directory, file schema and parameters are similar in both malware families.  
*   The initial startup logic and command line parameter implementation are similar. 

**Code similarity analysis **

We conducted a similarity analysis of the code execution flow between both Resident backdoor and a recent WarmCookie sample that was shared on social media. We observed consistent implementation of core functionality across both as well as consistent use of coding conventions across both malware families. 

**Task Scheduler implementation **

If the malware is initially executed without supplying any parameters, both Resident and WarmCookie first determine if the initially launched application was a PE DLL or an PE EXE. Depending on the result, they either create a filename with the extension “.dll" or “.exe". Also based on the results of this test, they both create a scheduled task via the Windows Task Scheduler, which spawns a copy of the malware after waiting for 60 seconds. In the case that the initially launched application was a PE DLL, rundll32.exe is used to launch the malware. In the case of a PE EXE file, it is executed directly.  

They both attempt this in the %ALLUSERSPROFILE% directory, if that fails, they try it again in %ALLDATA% directory. 

__WarmCookie startup parameters.__

__WarmCookie persistence mechanism.__

__Resident backdoor startup parameters.__

__Resident backdoor persistence mechanism.__

__Resident backdoor persistence mechanism (cont’d).__

The overall startup logic is also the same in both Resident backdoor and WarmCookie. At the beginning of the startup process both check to determine if the malware was executed with a command line switch. In the case of the Resident backdoor, it is ‘/p’; in the case of WarmCookie it is ‘/u’. This parameter tells the application whether it is the first instance of itself or if the running version is the former copied version, which was previously made persistent via the Task Scheduler. This prevents multiple scheduled tasks from being created once the malware has achieved persistence.  

__WarmCooke startup logic.__

__Resident backdoor startup logic.__

One slight difference is that Resident uses the hardcoded string ‘RtlUpd’ to generate the filename for the scheduled task, whereas WarmCookie uses a hardcoded list of company names and randomly selects one, as shown below: 

__WarmCookie filename list.__

Based on our analysis of Resident backdoor and WarmCookie, we assess that they were likely developed by the same entity. While there are significant overlaps in the code and functionality implementations across Resident backdoor and WarmCookie, WarmCookie contains significantly more robust functionality and command support compared to Resident backdoor. Additionally, while WarmCookie has typically been deployed as an initial access payload in intrusion activity we have analyzed, Resident backdoor was deployed post-compromise following the deployment of several other components such as WasabiSeed, Screenshotter and AHK Bot.  

Given the differences in functionality and where each is encountered in the attack lifecycle, we classify Resident and WarmCookie as separate malware families that have been developed by the same threat actor. 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

 Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The following Snort rule(s) have been developed to detect activity associated with this malicious activity.  

*   Snort 2 SIDs: 64139, 64140, 64141, 64142, 64143, 64144, 64145, 64146, 64147, 64148, 64149, 64150, 64151, 64152, 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162. 
*   Snort 3 SIDs: 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162, 301044, 301045, 301046, 301047, 301048, 301049, 301050.  

The following ClamAV signatures have been developed to detect activity associated with this malicious activity.  

*   Js.Downloader.Agent-10022279-0  
*   Vbs.Downloader.Agent-10022291-0  
*   Win.Trojan.WasabiSeed-10022304-0  
*   Js.Trojan.Screenshotter-10022306-0  
*   Js.Trojan.Agent-10022307-0  
*   Win.Trojan.Lazy-10022308-0  
*   Win.Trojan.Screenshotter-10022309-0  
*   PUA.Win.Tool.NetPing-10022493-0  
*   Win.Malware.CobaltStrike-10022494-0  
*   PUA.Win.Tool.AutoHotKey-10022305-1  
*   PUA.Win.Tool.RemoteUtilities-9869515-0  
*   PUA.Win.Tool.AdFind-9962378-0   
*   Txt.Downloader.AHKBot-10024463-0  
*   Ps1.Malware.CobaltStrike-10024466-0  
*   Win.Infostealer.Rhadamanthys-10024467-0  
*   Txt.Infostealer.Rhadamanthys-10024468-0  
*   Win.Backdoor.Agent-10025011-0  
*   Vbs.Trojan.Screenshotter-10025015-0  
*   Win.Malware.Warmcookie-10036688-0 
*   Win.Malware.CSsharpStreamer-10036641-0 

**Indicators of Compromise **

Indicators of compromise associated with WarmCookie/BadSpace activity can be found in our GitHub repository here.

Threat Spotlight: WarmCookie/BadSpace

TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020.

Highlighting TA866/Asylum Ambuscade Activity Since 2021

Lumma Stealer malware uses fake CAPTCHA to deceive victims. This information-stealing malware targets sensitive data like passwords and…

Lumma Stealer malware uses fake CAPTCHA to deceive victims. This information-stealing malware targets sensitive data like passwords and cryptocurrency details.

The Qualys Threat Research Unit (TRU) has discovered that Lumma Stealer, a malware available through a Malware-as-a-Service (MaaS) model, has evolved its tactics considerably to deceive users.

Qualys shared its findings with Hackread.com regarding an active Lumma Stealer campaign using fake CAPTCHA pages to trick users into executing a persistent payload. The attack uses multi-stage fileless techniques, making it deceptive and persistent.

****Fake CAPTCHA Verification****

Qualys TRU explained that users are lured to a fake CAPTCHA verification page, often through compromised legitimate software or public-facing applications. Clicking the “I’m not a robot” button triggers a malicious PowerShell command, which downloads an initial stager (malware downloader) onto the target machine. The downloaded payload is a crafted PE file with an obfuscated JavaScript code embedded within it. 

What happens is that clicking the verification button triggers a Base64-encoded PowerShell script download. This script leverages the trusted Windows tool “mshta.exe” to download a remote payload disguised as a legitimate Windows tool named “Dialer.exe.” This downloaded payload is a crafted PE file with an obfuscated JavaScript code embedded within it.

Interestingly, the embedded script utilizes a technique called polyglot, where valid HTA content is concealed within executable files. When triggered, the script downloads and executes another obfuscated JavaScript code using PowerShell. This script decrypts a final payload and downloads two archives containing the actual Lumma Stealer executable (Vectirfree.exe).

****Information Gathering and Evasion Techniques****

Vectirfree.exe employs process hollowing, a common malware tactic, to inject its malicious code into a legitimate program like “BitLockerToGo.exe.”  The malware drops files like “Killing.bat” and “Voyuer.pif” in the temporary directory that checks for and terminates antivirus processes to evade detection.

In the next stage of the attack, Lumma Stealer searches for sensitive files and data related to cryptocurrency and passwords. Stolen data is sent to a command and control (C2) server, typically using “.shop” top-level domains, to exfiltrate the stolen data.

Infection chain and a fake CAPTCHA page involved in the Lumma Stealer malware campaign (Via Qualys Threat Research Unit)

Lumma Stealer is a fileless malware that executes directly from memory without creating permanent files. It targets sensitive data like passwords, browser information, and cryptocurrency wallet details. By using techniques like polyglot and obfuscated scripts to hinder analysis, and process hollowing to hide its malicious activity within a legitimate process, the malware presents itself as a persistent threat. 

“Our analysis of its infection chain highlighted how the fileless malware exploits common tools like PowerShell and mshta.exe, as well as the critical role of embedded payloads and process injection in its operations,” researchers noted in the report.

By understanding the Lumma Stealer attack process and implementing robust security measures, organizations can effectively protect themselves against this evolving threat.

1.  Analysis of Top Infostealers: Redline, Vidar and Formbook
2.  LummaC2 Malware Variant Uses Obfuscation to Steal Data
3.  Fake League of Legends Download Ads Spread Lumma Stealer
4.  Hacked YouTube Channels Spread Lumma via Cracked Software
5.  PDiddySploit Malware Hidden in Files Revealing Deleted Diddy Posts

Fake CAPTCHA Pages Used by Lumma Stealer to Spread Fileless Malware

Russian-speaking users have become the target of a new phishing campaign that leverages an open-source phishing toolkit called Gophish to deliver DarkCrystal RAT (aka DCRat) and a previously undocumented remote access trojan dubbed PowerRAT.
"The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim's intervention to trigger the

Russian-speaking users have become the target of a new phishing campaign that leverages an open-source phishing toolkit called Gophish to deliver DarkCrystal RAT (aka DCRat) and a previously undocumented remote access trojan dubbed PowerRAT.

"The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim's intervention to trigger the infection chain," Cisco Talos researcher Chetan Raghuprasad said in a Tuesday analysis.

The targeting of Russian-speaking users is an assessment derived from the language used in the phishing emails, the lure content in the malicious documents, links masquerade as Yandex Disk ("disk-yandex\[.\]ru"), and HTML web pages disguised as VK, a social network predominantly used in the country.

Gophish refers to an open-source phishing framework that allows organizations to test their phishing defenses by leveraging easy-to-use templates and launch email-based campaigns that can then be tracked in near real-time.

The unknown threat actor behind the campaign has been observed taking advantage of the toolkit to send phishing messages to their targets and ultimately push DCRat or PowerRAT depending on the initial access vector used: A malicious Microsoft Word document or an HTML embedding JavaScript.

When the victim opens the maldoc and enables macros, a rogue Visual Basic (VB) macro is executed to extract an HTML application (HTA) file ("UserCache.ini.hta") and a PowerShell loader ("UserCache.ini").

The macro is responsible for configuring a Windows Registry key such that the HTA file is automatically launched every time a user logs into their account on the device.

The HTA file, for its part, drops a JavaScript file ("UserCacheHelper.lnk.js") that's responsible for executing the PowerShell Loader. The JavaScript is executed using a legitimate Windows binary named "cscript.exe."

"The PowerShell loader script masquerading as the INI file contains base64 encoded data blob of the payload PowerRAT, which decodes and executes in the victim's machine memory," Raghuprasad said.

The malware, in addition to performing system reconnaissance, collects the drive serial number and connects to remote servers located in Russia (94.103.85\[.\]47 or 5.252.176\[.\]55) to receive further instructions.

"\[PowerRAT\] has the functionality of executing other PowerShell scripts or commands as directed by the \[command-and-control\] server, enabling the attack vector for further infections on the victim machine."

In the event no response is received from the server, PowerRAT comes fitted with a feature that decodes and executes an embedded PowerShell script. None of the analyzed samples thus far have Base64-encoded strings in them, indicating that the malware is under active development.

The alternate infection chain that employs HTML files embedded with malicious JavaScript, in a similar vein, triggers a multi-step process that leads to the deployment of DCRat malware.

"When a victim clicks on the malicious link in the phishing email, a remotely located HTML file containing the malicious JavaScript opens in the victim machine's browser and simultaneously executes the JavaScript," Talos noted. "The JavaScript has a Base64-encoded data blob of a 7-Zip archive of a malicious SFX RAR executable."

Present within the archive file ("vkmessenger.7z") – which is downloaded via a technique called HTML smuggling – is another password-protected SFX RAR that contains the RAT payload.

It's worth noting that the exact infection sequence was detailed by Netskope Threat Labs in connection with a campaign that leveraged fake HTML pages impersonating TrueConf and VK Messenger to deliver DCRat. Furthermore, the use of a nested self-extracting archive has been previously observed in campaigns delivering SparkRAT.

"The SFX RAR executable is packaged with the malicious loader or dropper executables, batch file, and a decoy document in some samples," Raghuprasad said.

"The SFX RAR drops the GOLoader and the decoy document Excel spreadsheet in the victim machine user profile applications temporary folder and runs the GOLoader along with opening the decoy document."

The Golang-based loader is also designed to retrieve the DCRat binary data stream from a remote location through a hard-coded URL that points to a now-removed GitHub repository and save it as "file.exe" in the desktop folder on the victim's machine.

DCRat is a modular RAT that can steal sensitive data, capture screenshots and keystrokes, and provide remote control access to the compromised system and facilitate the download and execution of additional files.

"It establishes persistence on the victim machine by creating several Windows tasks to run at different intervals or during the Windows login process," Talos said. "The RAT communicates to the C2 server through a URL hardcoded in the RAT configuration file \[...\] and exfiltrates the sensitive data collected from the victim machine."

The development comes as Cofense has warned of phishing campaigns that incorporate malicious content within virtual hard disk (VHD) files as a way to avoid detection by Secure Email Gateways (SEGs) and ultimately distribute Remcos RAT or XWorm.

"The threat actors send emails with .ZIP archive attachments containing virtual hard drive files or embedded links to downloads that contain a virtual hard drive file that can be mounted and browsed through by a victim," security researcher Kahng An said. "From there, a victim can be misled into running a malicious payload."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans

GoDaddy flagged a ClickFix campaign that infected 6,000 sites in a one-day period, with attackers using stolen admin credentials to distribute malware.

Source: Primakov via Shutterstock

Threat actors have taken a campaign that uses fake browser updates to spread malware to a new level, weaponizing scores of WordPress plug-ins to deliver malicious infostealing payloads, after using stolen credentials to log in to and infect thousands of websites.

Domain registrar GoDaddy is warning that a new variant of malware disguised as a fake browser update known as ClickFix infected more than 6,000 WordPress sites in a one-day period from Sept. 2 to Sept. 3.

Threat actors used stolen WordPress admin credentials to infect compromised websites with malicious plug-ins as part of an attack chain unrelated "to any known vulnerabilities in the WordPress ecosystem," GoDaddy principal security engineer Denis Sinegubko wrote in a recent blog post.

"These seemingly legitimate plugins are designed to appear harmless to website administrators, but contain embedded malicious scripts that deliver fake browser update prompts to end users," he wrote.

The campaign leverages fake WordPress plug-ins that inject JavaScript leading to ClickFix fake browser updates, which use blockchain and smart contracts to obtain and deliver malicious payloads. Attackers use social engineering strategies to trick users into thinking they are updating their browser, but instead they are executing malicious code, "ultimately compromising their systems with various types of malware and information stealers," Sinegubko explained.

Related:Samsung Zero-Day Vuln Under Active Exploit, Google Warns

**Related, Yet Separate Campaigns**

It should be mentioned that ClearFake, widely identified in April, is another fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript. Initially it targeted Windows systems, but later spread to macOS as well.

Researchers have linked ClickFix to ClearFake, but the campaigns as described by various analysts have numerous differences and are likely separate activity clusters. GoDaddy claims to have been tracking ClickFix malware campaign since August 2023, spotting it on more than 25,000 compromised sites worldwide. Other analysts at Proofpoint detailed ClickFix for the first time earlier this year.

The new ClickFix variant as described by GoDaddy is spreading fake browser update malware via bogus WordPress plug-ins with generic names such as "Advanced User Manager" and "Quick Cache Cleaner," according to the post.

"These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end users," Sinegubko wrote.

Related:Bad Actors Manipulate Red-Team Tools to Evade Detection

All information in the plug-in metadata is fake, including the plug-in name, URL, description, version, and author, but appears plausible at first glance and wouldn't raise suspicion immediately, according to GoDaddy.

**Automation Used to Scale Campaign**

Further analysis detected automation in the naming convention of the plug-ins, with researchers noting a JavaScript file naming pattern consisting of the first letter of each word in the plug-in name, appended with "-script.js."

For example, the Advanced User Manager plug-in contains the aum-script.js file, according to the researchers, who used this naming convention to detect other malicious plug-ins related to the campaign, such as Easy Themes Manager, Content Blocker, and Custom CSS Injector.

The plug-in and author URIs also frequently reference GitHub, but analysis showed that repositories associated with the plug-in don't actually exist. Moreover, the GitHub usernames followed a systematic naming convention linked to the plug-in names, which "indicates an automated process behind the creation of these malicious plugins," Sinegubko wrote.

Indeed, the researchers eventually discovered that the plug-ins are systematically generated using a common template, allowing "threat actors to rapidly produce a large number of plausible plugin names, complete with metadata and embedded code designed to inject JavaScript files into WordPress pages," Sinegubko wrote. This allowed attackers to scale their malicious operations and add an additional layer of complexity for detection.

Related:The Lingering 'Beige Desktop' Paradox

**Credential Theft as Initial Entry?**

GoDaddy isn't clear on how attackers acquired WordPress admin credentials to initiate the latest ClickFix campaign, but it noted that potential vectors include brute-force attacks and phishing campaigns aimed at acquiring legitimate passwords and usernames. 

Moreover, as the payloads of the campaign itself are the installation of various infostealers on compromised end-user systems, it's possible that the threat actors are collecting admin credentials in this way, Sinegubko observed.

"When talking about infostealers, many people think about bank credentials, crypto-wallets and other things of this nature, but many stealers can collect information and credentials from a much wider range of programs," he noted.

Another possible scenario is that the residential IP addresses from which the fake plug-ins were installed could belong to a botnet of infected computers that the attackers use as proxies to hack websites, according to GoDaddy.

Because the campaign includes the theft of legitimate credentials to log in to WordPress sites, people are urged to follow general best practices for protecting their passwords as well as avoid interacting with any unknown websites or messages that ask them to divulge private credentials.

GoDaddy also included a long list of indicators of compromise (IoCs) for the campaign — including names of plug-ins and malicious JavaScript files, endpoints to which smart contracts in the campaign connect, and associated GitHub accounts — in the blog post, so defenders can identify if a website has been compromised.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Swarms of Fake WordPress Plug-ins Infect Sites With Infostealers

Anti-bot services on the dark web allow phishers to bypass Google’s Red Page warnings, evading detection and making…

Anti-bot services on the dark web allow phishers to bypass Google’s Red Page warnings, evading detection and making phishing campaigns harder to stop. Tools like Otus Anti-Bot, Remove Red, and Limitless Anti-Bot are raising concerns among cybersecurity experts.

Cybercriminals are constantly innovating, and their latest weapon is a new breed of services called the anti-bot services, reveals the latest research from SlashNext. These services are advertised on the Dark Web to help phishers bypass Google’s “_Red Page_” warnings.

****The Power of Google’s Red Page****

Phishing attacks have become more sophisticated with the rise of PhaaS (phishing-as-a-service) platforms. These platforms make it easy for even inexperienced criminals to launch large-scale phishing campaigns. However, a major hurdle for phishers has been detection by security services like Google’s Safe Browsing.  

Google Red Page is a feature of Google Safe Browsing that warns users of potential dangers, such as phishing attempts. The page, displayed in red, warns users that a site they are navigating may be deceptive and advises them to avoid it. This can significantly limit the success of phishing attacks, as these campaigns rely on high click-through rates, which are significantly lowered when Google’s detection flags a phishing page and adds it to a blocklist.

****Anti-Bot Services: A New Challenge for Security Teams****

New anti-bot services aim to circumvent Google’s Red Page warnings. These services, including Otus Anti-Bot, Remove Red, and Limitless Anti-Bot, help phishers evade detection. Here is how these work:  

*   **Filtering Out Security Crawlers:** Anti-bot services analyze user-agent strings and IP addresses to identify and block security bots that scan for malicious websites.   
*   **Cloaking Techniques:** Some anti-bot services use techniques like JavaScript obfuscation or context-switching to serve different content to humans and bots. Real users see the phishing page, while security bots might see harmless content.  
*   **Geolocation-Based Targeting:** These services can restrict access to specific regions, ensuring the phishing site remains hidden from international security entities.
*   **CAPTCHAs and Challenges:** By introducing CAPTCHAs or challenge pages, anti-bot services block automated scanners that cannot solve them.

SlashNext researchers note that these services are effective against less sophisticated security bots. However, advanced security measures and manual analysis by security professionals can still detect these phishing sites.

Via SlastNext

“These services represent the latest evolution in the ongoing cat-and-mouse game between cybercriminals and security measures,” SlashNext researchers explained in the blog post.

Anti-bot services are constantly evolving to stay ahead of security measures. As new detection techniques emerge, these services will likely adapt to counter them. Cybersecurity teams must remain vigilant and adopt advanced threat detection methods to combat the growing sophistication of phishing attacks.

1.  EvilProxy Phishing Kit Hits 100+ Firms, Bypasses MFA
2.  Cybercriminals Beta Test New Attack to Bypass AI Security
3.  Trio Run “OTP Agency” Enabling Bank Fraud and 2FA Bypass
4.  Phishing Attacks Bypass Microsoft 365 Email Safety Warnings
5.  Unicode QR Code Phishing Scam Bypasses Traditional Security

Dark Web Anti-Bot Services Let Phishers Bypass Google’s Red Page

Debian Linux Security Advisory 5794-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5794-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 21, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : openjdk-17CVE ID         : CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235Several vulnerabilities have been discovered in the OpenJDK Java runtime,which may result in denial of service or information disclosure.For the stable distribution (bookworm), these problems have been fixed inversion 17.0.13+11-2~deb12u1.We recommend that you upgrade your openjdk-17 packages.For the detailed security status of openjdk-17 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/openjdk-17Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcWmOcACgkQEMKTtsN8TjYeZw/7BTQ3D6sDygG5LotB4JCo8QMyG1rx0XgX9dAgK4Xw0sp9jnYS2iebp8RhlbIDht+jchjLpbEPnzx11JM2b3e/x3JO1QRUSEDkTnQhuynR4wj7WKLXY4l36zkzG/73g9Tq/EM5t8vjuMWFFcsEIJ5c0erHaw/X5lAr9Gg0vs8LrLYyqOMod8Z8AZJpbKNJpGEDUu/i1lASkDnjJAl5+ybPG5xN++Ax+FvPhmlQKu39rVKrX140+LIkFcGJdLh+RMbLU66ryDR2rQQSgeDeZYZln5gsbykzRbfeZZil4bF0+aT3FCY0/nOA0aA82nrE9S6VU6kdxWyS/KTzRsVUw8IsIW/9KyD3hAGvEbHiD4hG/YrABOFdg4rvUPLnaBU6i+LnyrdcayoFP6cp72KiBOQxn4nUzUqhqynKatZ5ixZfgboaTFKBr2WxazoWTzrefjyH30GEeQ0dWFc2ujcOlMZSag9VdfgIoVg+F2l20UbmKnYtZGSXm5rD2ocG5l7gTb8uDcZO3P1HXGmrD7A8NLy9aRPT/dmNDLnAo8se61O4ctirgNQ3dIpwzeIEyjPNysY0lON5+7EE7XToW2C7dSYjHSVCNTqE+heRE66p7hDBxyeuhxhBK+Bd7DcAT97Kkp1BOZ0XSn9YjQ9zdyzQneOxMK7CbM6/PIETqGsY6aTIptI==PgDB-----END PGP SIGNATURE-----

Tag

#java