A new campaign is tricking users searching for the Meta Quest (formerly Oculus) application for Windows into downloading a new adware family called AdsExhaust.
"The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes," cybersecurity firm eSentire said in an analysis, adding it identified the activity earlier this month.
"

A new campaign is tricking users searching for the Meta Quest (formerly Oculus) application for Windows into downloading a new adware family called AdsExhaust.

"The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes," cybersecurity firm eSentire said in an analysis, adding it identified the activity earlier this month.

"These functionalities allow it to automatically click through advertisements or redirect the browser to specific URLs, generating revenue for the adware operators."

The initial infection chain involves surfacing the bogus website ("oculus-app\[.\]com") on Google search results pages using search engine optimization (SEO) poisoning techniques, prompting unsuspecting site visitors to download a ZIP archive ("oculus-app.EXE.zip") containing a Windows batch script.

The batch script is designed to fetch a second batch script from a command-and-control (C2) server, which, in turn, contains a command to retrieve another batch file. It also creates scheduled tasks on the machine to run the batch scripts at different times.

This step is followed by the download of the legitimate app onto the compromised host, while simultaneously additional Visual Basic Script (VBS) files and PowerShell scripts are dropped to gather IP and system information, capture screenshots, and exfiltrate the data to a remote server ("us11\[.\]org/in.php").

The response from the server is the PowerShell-based AdsExhaust adware that checks if Microsoft's Edge browser is running and determines the last time a user input occurred.

"If Edge is running and the system is idle and exceeds 9 minutes, the script can inject clicks, open new tabs, and navigate to URLs embedded in the script," eSentire said. "It then randomly scrolls up and down the opened page."

It's suspected that this behavior is intended to trigger elements such as ads on the web page, especially considering AdsExhaust performs random clicks within specific coordinates on the screen.

The adware is also capable of closing the opened browser if mouse movement or user interaction is detected, creating an overlay to conceal its activities to the victim, and searching for the word "Sponsored" in the currently opened Edge browser tab in order to click on the ad with the goal of inflating ad revenue.

Furthermore, it's equipped to fetch a list of keywords from a remote server and perform Google searches for those keywords by launching Edge browser sessions via the Start-Process PowerShell command.

"AdsExhaust is an adware threat that cleverly manipulates user interactions and hides its activities to generate unauthorized revenue," the Canadian company noted.

"It contains multiple techniques, such as retrieving malicious code from the C2 server, simulating keystrokes, capturing screenshots, and creating overlays to remain undetected while engaging in harmful activities."

The development comes as similar fake IT support websites surfaced via search results are being used to deliver Hijack Loader (aka IDAT Loader), which ultimately leads to a Vidar Stealer infection.

What makes the attack stand out is that the threat actors are also leveraging YouTube videos to advertise the phony site and using bots to post fraudulent comments, giving it a veneer of legitimacy to users looking for solutions to address a Windows update error (error code 0x80070643).

"This highlights the effectiveness of social engineering tactics and the need for users to be cautious about the authenticity of the solutions they find online," eSentire said.

The disclosure also comes on the heels of a malpsam campaign targeting users in Italy with invoice-themed ZIP archive lures to deliver a Java-based remote access trojan named Adwind (aka AlienSpy, Frutas, jRAT, JSocket, Sockrat, and Unrecom).

"Upon extraction the user is served with .HTML files such as INVOICE.html or DOCUMENT.html that lead to malicious .jar files," Broadcom-owned Symantec said.

"The final dropped payload is Adwind remote access trojan (RAT) that allows the attackers control over the compromised endpoint as well as confidential data collection and exfiltration."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Warning: New Adware Campaign Targets Meta Quest App Seekers

Cybersecurity researchers have shed light on a new phishing campaign that has been identified as targeting people in Pakistan using a custom backdoor.
Dubbed PHANTOM#SPIKE by Securonix, the unknown threat actors behind the activity have leveraged military-related phishing documents to activate the infection sequence.
"While there are many methods used today to deploy malware, the threat actors

Phishing Attack / Email Security

Cybersecurity researchers have shed light on a new phishing campaign that has been identified as targeting people in Pakistan using a custom backdoor.

Dubbed **PHANTOM#SPIKE** by Securonix, the unknown threat actors behind the activity have leveraged military-related phishing documents to activate the infection sequence.

"While there are many methods used today to deploy malware, the threat actors made use of ZIP files with a password-protected payload archive contained within," researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

The campaign is notable for its lack of sophistication and the use of simple payloads to achieve remote access to target machines.

The email messages come bearing a ZIP archive that purports to be meeting minutes related to the International Military-Technical Forum Army 2024, a legitimate event organized by the Ministry of Defense of the Russian Federation. It's set to be held in Moscow in mid-August 2024.

Present within the ZIP file is a Microsoft Compiled HTML Help (CHM) file and a hidden executable ("RuntimeIndexer.exe"), the former of which, when opened, displays the meeting minutes as well as a couple of images, but stealthily runs the bundled binary as soon as the user clicks anywhere on the document.

The executable is designed to function as a backdoor that establishes connections with a remote server over TCP in order to retrieve commands that are subsequently run on the compromised host.

In addition to passing along system information, it executes the commands via cmd.exe, gathers the output of the operation, and exfiltrates it back to the server. This includes running commands like systeminfo, tasklist, curl to extract the public IP address using ip-api\[.\]com, and schtasks to set up persistence.

"This backdoor essentially functions as a command line-based remote access trojan (RAT) that provides the attacker with persistent, covert, and secure access to the infected system," the researchers said.

"The ability to execute commands remotely and relay the results back to the C2 server allows the attacker to control the infected system, steal sensitive information or execute additional malware payloads."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Military-themed Email Scam Spreads Malware to Infect Pakistani Users

On June 11, 2024, a Microsoft Engineer posted information about a crash that inadvertently leaked internal data related to PlayReady and Warbird libraries.

    Hello All,On Jun 11, 2024 Microsoft engineer posted on a public foruminformation about a crash experienced with Apple TV service on aSurface Pro 9 device [1].The post had an attachment - a 771MB file (4GB unpacked), which leakedinternal code (260+ files [2]) pertaining to Microsoft PlayReady suchas the following:- Warbird configuration for building PlayReady library- Warbird library implementing code obfuscation functionality- static libraries with symbolic information either required orrelated to PlayReady client library building, this includes OEM,crypto, ARM TEE / HW related libs a preprocessed C++ header file withPlayReady constants, unpublished classes and their methods declarationIn general the above leaked key information related to PlayReadyinternals and implementation. Leaked data should be sufficient tocompletely reverse engineer Microsoft PlayReady operation (HW basedone in particular).As such, on Jun 12, 2024 we notified Microsoft PlayReady and MSRCabout the leak shortly following its discovery.We verified that it is possible to buildWindows.Media.Protection.PlayReady.dll  library (debug build andwithout Warbird encryption / obfuscation) from the leaked code. Afollow up post by another Microsoft engineer provided guidelines onhow to proceed with the building process [4] (this post has been alsoremoved).We also verified that Microsoft Symbol Server didn’t block request forPDB file corresponding to Microsoft internal warbird.dll binary(another leak / bug at Microsoft end).The leak violated Microsoft's own guidelines [5] for posting linkrepro information in public. These guidlines clearly state thefollowing among others:- "All information in reports and any comments and replies arepublicly visible by default"- "Don't put anything you want to keep private in the title or contentof the initial report, which is public"- "To maintain your privacy and keep your sensitive information out ofpublic view, be careful"The described leaks are yet another manifestation of what we have beenalready aware of - the problems and inconsistencies observed atMicrosoft end with respect to PlayReady security and the way secrecyof the implementation is implemented and/or maintained by the company.While Microsoft removed the post (within 12 hours from thenotification), the company hasn't removed the leak itself so far [3].There are some chances this post is to put Microsoft to action though...Thank you.Best Regards,Adam Gowdiak----------------------------------Security Explorations -AG Security Research Labhttps://security-explorations.com----------------------------------References:[1] MSPR leak (screenshot 1)    https://security-explorations.com/samples/mspr_leak_screenshot.png[2] MSPR leak (files list)    https://security-explorations.com/samples/mspr_leak_files.txt[3] MSPR leak (screenshot 2)    https://security-explorations.com/samples/mspr_leak_screenshot2.png[4] MSPR leak (screenshot 3)    https://security-explorations.com/samples/mspr_leak_screenshot3.png[5] How to report a problem with the Microsoft C++ toolset ordocumentation (Reports and privacy)    https://learn.microsoft.com/en-us/cpp/overview/how-to-report-a-problem-with-the-visual-cpp-toolset?view=msvc-170#reports-and-privacy

Microsoft PlayReady Data Leak

The new remote access trojan (RAT) dubbed SpiceRAT was used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia.

*   Cisco Talos discovered a new remote access trojan (RAT) dubbed SpiceRAT, used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia. 
*   We observed that SneakyChef launched a phishing campaign, sending emails delivering SugarGh0st and SpiceRAT with the same email address. 
*   We identified two infection chains used to deliver SpiceRAT utilizing LNK and HTA files as the initial attack vectors. 

_Cisco Talos would like to thank the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this investigation._ 

**SneakyChef delivered SpiceRAT to target Angola government with lures from Turkmenistan news agency **

Talos recently revealed SneakyChef’s continuing campaign targeting government agencies across several countries in EMEA and Asia, delivering the SugarGh0st malware (read the corresponding research here). However, we found a new malware we dubbed “SpiceRAT” was also delivered in this campaign.  

SneakyChef is using a name "ala de Emissão do Edifício B Mutamba" and the email address “dtti.edb@\[redated\]” to send several phishing emails with at least 28 different RAR file attachments to deliver either SugarGh0st or SpiceRAT. 

One of the decoy PDFs that we analysed in this campaign was dropped by a RAR archive, delivered as an attachment in the emails likely targeted Angolan government agencies. The decoy PDF contained lures from the Turkmenistan state-owned news media “ТУРКМЕНСКАЯ ГОСУДАРСТВЕННАЯ ИЗДАТЕЛЬСКАЯ СЛУЖБА” (Neytralnyy Turkmenistan), indicating that the actor has likely downloaded the PDF from their official website. We also found that a similar decoy PDF from the same news agency was dropped by the RAR archive that delivered the SugarGh0st malware in this campaign, highlighting that SneakyChef has SugarGh0st RAT and SpiceRAT payloads in their arsenal.   

__Decoy PDF samples of SugarGh0st and SpiceRAT attacks.__

**Two infection chains **

Talos discovered two infection chains employed by SneakyChef to deploy SpiceRAT. Both infection chains involved multiple stages launched by an HTA or LNK file.  

**LNK-based infection chain  **

The LNK-based infection chain begins with a malicious RAR file that contains a Windows shortcut file (LNK) and a hidden folder. This folder contains multiple components, including a malicious executable launcher, a legitimate executable, a malicious DLL loader, an encrypted SpiceRAT masquerading as a legitimate help file (.HLP) and a decoy PDF. The table below shows an example of the components of this attack chain and the description. 

File Name 

Description 

2024-01-17.pdf.lnk 

Malicious shortcut file  

LaunchWlnApp.exe 

Windows EXE to open decoy PDF and run a legitimate EXE 

dxcap.exe 

Benign executable to side-load the malicious DLL 

ssMUIDLL.dll 

Malicious DLL loader 

CGMIMP32.HLP 

Encrypted SpiceRAT

Microsoftpdf.pdf 

Decoy PDF  

When the victim extracts the RAR file, it drops the LNK and a hidden folder on their machine. After a victim opens the shortcut file, which masqueraded as a PDF document, it executes an embedded command to run the malicious launcher executable from the dropped hidden folder.  

__Sample LNK file that starts the malicious launcher EXE.__

This malicious launcher executable is a 32-bit binary compiled on Jan. 2, 2024. When launched by the shortcut file, it reads the victim machine’s environment variable, the execution path of the legitimate executable and the path of the decoy PDF document and runs them using the API ShellExecuteW.  

__Sample function that starts the legitimate EXE and opens the decoy document.__

The legitimate file is one of the components of SpiceRAT infection, which will sideload the malicious DLL loader to decrypt and launch the SpiceRAT payload.  

**HTA-based infection chain **

The HTA-based infection chain also begins with a RAR archive delivered with the email. The RAR file contains a malicious HTA file. When the victim runs the malicious HTA file, the embedded malicious Visual Basic script executes and drops the embedded base64-encoded downloader binary into the victim’s user profile temporary folder, disguised as a text file named “Microsoft.txt.” 

After dropping the malicious downloader executable, the HTA file executes another function, which drops and executes a Windows batch file in the victim’s user profile temporary folder, named “Microsoft.bat.”  

The malicious batch file performs the following operations on the victim’s machine: 

*   The certutil command decodes the base64-encoded binary data from “Microsoft.txt” and saves it as “Microsoft.exe” in the victim’s user profile temporary folder.  

certutil -decode %temp%\\\\Microsoft.txt %temp%\\\\Microsoft.exe

*   It creates a Windows scheduled task that runs the malicious downloader every five minutes, supressing any warnings that it triggers when the same task name existed.  

schtasks /create /tn MicrosoftEdgeUpdateTaskMachineClSAN /tr %temp%\\\\Microsoft.exe /sc minute -mo 5 /F 

*   The batch script creates another Windows task named “MicrosoftDeviceSync” to run a downloaded legitimate executable “ChromeDriver.exe” every 10 minutes.  

schtasks /create /tn MicrosoftDeviceSync /tr C:\\\\ProgramData\\\\Chrome\\\\ChromeDirver.exe /sc minute -mo 10 /F 

*   After establishing persistence with the Windows scheduled task, the batch script runs three other commands to erase the infection markers. This includes deleting the Windows task named MicrosoftDefenderUpdateTaskMachineClSAN and removing the encoded downloader “Microsoft.txt,” the malicious HTA file, and any other contents unpacked from the RAR file attachment.  

schtasks /delete /f /tn MicrosoftDefenderUpdateTaskMachineClSAN 

del /f /q %temp%\\\\Microsoft.txt %temp%\\\\Microsoft.hta 

del %0 

The malicious downloader is a 32-bit executable compiled on March 5, 2024. After running on the victim’s machine through the Windows task MicrosoftEdgeUpdateTaskMachineClSAN, it downloads a malicious archive file “chromeupdate.zip” from an attacker-controlled server through a hardcoded URL and unpacks its contents into the folder at “C:\\ProgramData\\Chrome”. The unpacked files are the components of SpiceRAT.  

__A sample function of the malicious downloader.__

**Analysis of SpiceRAT **

Both infection chains eventually drop the SpiceRAT files into victim machines. The SpiceRAT files include four main components: a legitimate executable file, a malicious DLL loader, an encrypted payload and the downloaded plugins.  

**The loader components of SpiceRAT ****Legitimate executable **

The threat actor is using a legitimate executable (named “RunHelp.exe”) as a launcher to sideload the malicious DLL loader file (ssMUIDLL.dll). This legitimate executable is a Samsung RunHelp application signed with the certificate of "Samsung Electronics CO., LTD.” In some instances, it has been observed masquerading as “dxcap.exe,” a DirectX diagnostic included with Visual Studio, and “ChromeDriver.exe,” an executable that Selenium WebDriver uses to control the Google Chrome web browser. 

__File properties and digital signature details of the legitimate executable.__

The legitimate Samsung helper application typically loads a DLL called “ssMUIDLL.dll.” In this attack, the threat actor abuses the application by sideloading a malicious DLL loader that is masquerading as the legitimate DLL and executes its exported function GetFulllangFileNamew2. 

__Sample function that side-loads the malicious DLL.__

**Malicious DLL loader **

The malicious loader is a 32-bit DLL compiled on Jan. 2, 2024. When its exported function GetFullLangFileNameW2() is run, it copies the downloaded legitimate executable into the folder "C:\\Users\\<user>\\AppData\\Local\\data\\” as “dxcap.exe” along with the malicious DLL “ssMUIDLL.dll” and the encrypted SpiceRAT payload “CGMIMP32.HLP.”  

__A sample function copies the SpiceRAT components.__

It executes the schtasks command to create a Windows task named “Microsoft Update,” configured to run “dxcap.exe” every two minutes. This technique establishes persistence at multiple locations on the victim's machine to maintain resilience.    

schtasks  -CreAte -sC minute -mo 2 -tn "Microsoft Update" -tr "C:\\Users\\<User>\\AppData\\Local\\data\\dxcap.exe" 

__A sample function that creates Windows task.__

Then the loader DLL takes the snapshot of the running processes in the victim machine and checks if the legitimate executable that sideloads this malicious DLL is being debugged by querying its process information using “NtQueryInformationProcess.” 

The loader DLL executes another function that loads the encrypted file “CGMIMP32.HLP,” which is masquerading as a legitimate Windows help file into memory and decrypts it using the RC4 encryption algorithm. In one of the samples, we found that the DLL used a key phrase “{11AADC32-A303-41DC-BF82-A28332F36A2E}” for decrypting SpiceRAT in memory. After decryption, the loader DLL injects and runs the SpiceRAT from memory to its parent process “dxcap.exe.”  

__A sample function that decrypts the SpiceRAT in memory.__

**The SpiceRAT payloads **

Talos discovered that SneakyChef has employed SpiceRAT and its plugin as the payloads in this campaign. With the capability to download and run executable binaries and arbitrary commands, SpiceRAT significantly increases the attack surface on the victim’s network, paving the way for further attacks.  

SpiceRAT is a 32-bit Windows executable with three malicious export functions GetFullLangFileNameW2, WinHttpPostShare and WinHttpFreeShareFree. Initially, it executes the GetFullLangFileNameW2 function, creating a mutex as an infection marker on the victim machine. The mutex name is hardcoded in the RAT binary. We spotted two different mutex names among the SpiceRAT samples that we analyzed: 

*   {00866F68-6C46-4ABD-A8D6-2246FE482F99}  
*   {00861111-3333-4ABD-GGGG-2246FE482F99} 

After the Mutex is created, the RAT collects reconnaissance data from the victim’s machine, including the operating system’s version number, hostname, username, IP address and the system’s network card hardware address (MAC address). The reconnaissance data is then encrypted and stored in the machine’s memory. 

__A sample function that encrypts the reconnaissance data in memory.__

During runtime, the RAT loads the WININET.dll file and imports the addresses of its functions to prepare for C2 communication.  

__A sample function that loads the APIs of WININET.dll.__

Once the function addresses of WININET.dll are imported, the RAT executes the WinHttpPostShare function to communicate with the C2. It connects to the C2 server with a hardcoded URL in the binary and through the HTTP POST method.  

 

 

Then, it attempts to read and send the encrypted stream of reconnaissance data and user credentials from memory to the C2 server. The C2 server responds with an encrypted message enclosed with HTML tags in the format “<HTML><encrypted Response> </HTML>”. The RAT decrypts the response and writes them into the memory stream.  

We discovered that the C2 server sends an encrypted stream of binary to the RAT. The RAT decrypts the binary stream into a DLL file in the memory and executes its exported functions. The decrypted DLL functions as a plugin to the SpiceRAT.  

 __Sample function of SpiceRAT executing the export functions of plugin.__ 

**SpiceRAT plugin enables further attacks  **

SpiceRAT plugin is a 32-bit dynamic link library compiled on March 28, 2023. The plugin has an original filename “Moudle.dll” and has two export functions: Download and RunPE. 

The Download function of the plugin appears to access decrypted response data from the C2 server stored in the victim’s memory and writes them into a file on disk, likely as commanded by the C2.  

__The downloader function of SpiceRAT plugin.__

The RunPE function appears to execute arbitrary commands or binaries that were likely sent from C2 using the WinExec API.  

__A sample function to run a PE file.__ 

**C2 communications **

SneakyChef’s infrastructure includes the malware’s download and command and control (C2) servers. In one attack, the threat actor hosted a malicious ZIP archive on the server 45\[.\]144\[.\]31\[.\]57 and hardcoded the following URL in a malicious downloader executable.  

http://45[.]144[.]31[.]57:80/S1VRB0HpMXR79eStog35igWKVTsdbx/chromeupdate.zipservers

We observed that the threat actor used IP addresses and domain names to connect to the C2 servers in different samples of SpiceRAT in this campaign. Our research uncovered various C2 URLs hardcoded in SpiceRAT samples.  

*   hxxp\[://\]94\[.\]198\[.\]40\[.\]4/homepage/index.aspx 
*   hxxp\[://\]stock\[.\]adobe-service\[.\]net/homepage/index.aspx 
*   hxxp\[://\]app\[.\]turkmensk\[.\]org\[/\]homepage\[/\]index.aspx 

One of the C2 servers, 94\[.\]198\[.\]40\[.\]4, was found to be running Windows Server 2016 and hosted on the M247 network, which is frequently abused by APT groups. Passive DNS resolution data indicate that the IP address 94\[.\]198\[.\]40\[.\]4 resolved to the domain app\[.\]turkmensk\[.\]org and we found another SpiceRAT sample in the wild that communicated with this domain.  

Further analysis of the C2 server 94\[.\]198\[.\]40\[.\]4 uncovered a unique C2 communication pattern of SpiceRAT. The SpiceRAT initially sends the encrypted reconnaissance data to the C2 URL through the HTTP POST method. The C2 server then responds with an encrypted message embedded in the HTML tags.   

We observed that the SpiceRAT and its C2 servers use a three-byte prefix for their first three requests and responses, as shown in the table below. 

C2 server response prefix 

Our analysis suggests that the second request that SpiceRAT sends likely contains the encrypted stream of the victim’s machine user credentials. We found that for the third request that SpiceRAT sends from the victim machine, the C2 server responds with an encrypted stream of the SpiceRAT’s plugin binary. SpiceRAT then decrypts and injects the plugin DLL reflectively.  

Once the plugin is downloaded and implanted on the victim’s machine, SpiceRAT sends another request with the prefix “wG.” The C2 server responds with an unencrypted message “<HTML>D\_OK<HTML>”, likely to get a confirmation of successful payload download.  

**TTPs overlap with other malware campaigns  **

Talos assesses with medium confidence that the actor SneakyChef, using SpiceRAT and SugarGh0st RAT is a Chinese-speaking actor based of the language observed in the artifacts and overlapping TTPs with other malware campaigns.  

In this campaign, we saw that SpiceRAT leverages the sideloading technique, utilizing a legitimate loader alongside a malicious loader and the encrypted payload. Although sideloading is a widely adopted tactic, technique and procedure (TTP), the choice to use the Samsung helper application to sideload the malicious DLL masquerading “ssMUIDLL.dll” file is particularly notable. This method has been previously observed in the PlugX and SPIVY RAT campaigns. 

**Coverage **

 Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SID for this threat is 63538. 

ClamAV detections are also available for this threat: 

Win.Trojan.SpiceRAT-10031450-0 

Win.Trojan.SpiceRATPlugin-10031560-0 

Win.Trojan.SpiceRATLauncher-10031652-0 

Win.Trojan.SpiceRATLauncherEXE-10032013-0 

**Indicators of Compromise **

Indicators of Compromise associated with this threat can be found here.

Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia

A malvertising campaign is leveraging trojanized installers for popular software such as Google Chrome and Microsoft Teams to drop a backdoor called Oyster (aka Broomstick and CleanUpLoader).
That's according to findings from Rapid7, which identified lookalike websites hosting the malicious payloads that users are redirected to after searching for them on search engines like Google and Bing.
The

A malvertising campaign is leveraging trojanized installers for popular software such as Google Chrome and Microsoft Teams to drop a backdoor called Oyster (aka Broomstick and CleanUpLoader).

That's according to findings from Rapid7, which identified lookalike websites hosting the malicious payloads that users are redirected to after searching for them on search engines like Google and Bing.

The threat actors are luring unsuspecting users to fake websites purporting to contain legitimate software. But attempting to download the setup binary launches a malware infection chain instead.

Specifically, the executable serves as a pathway for a backdoor called Oyster, which is capable of gathering information about the compromised host, communicating with a hard-coded command-and-control (C2) address, and supporting remote code execution.

While Oyster has been observed in the past being delivered by means of a dedicated loader component known as Broomstick Loader (aka Oyster Installer), the latest attack chains entail the direct deployment of the backdoor. The malware is said to be associated with ITG23, a Russia-linked group behind the TrickBot malware.

The execution of the malware is followed by the installation of the legitimate Microsoft Teams software in an attempt to keep up the ruse and avoid raising red flags. Rapid7 said it also observed the malware being used to spawn a PowerShell script responsible for setting up persistence on the system.

The disclosure comes as a cybercrime group known as Rogue Raticate (aka RATicate) has been attributed as behind an email phishing campaign that employs PDF decoys to entice users into clicking on a malicious URL and deliver NetSupport RAT.

"If a user is successfully tricked into clicking on the URL, they will be led via a Traffic Distribution System (TDS) into the rest of the chain and in the end, have the NetSupport Remote Access Tool deployed on their machine," Symantec said.

It also coincides with the emergence of a new phishing-as-a-service (PhaaS) platform called the ONNX Store that allows customers to orchestrate phishing campaigns using embedded QR codes in PDF attachments that lead victims to credential harvesting pages.

ONNX Store, which also offers Bulletproof hosting and RDP services via a Telegram bot, is believed to be a rebranded version of the Caffeine phishing kit, which was first documented by Google-owned Mandiant in October 2022, with the service maintained by an Arabic-speaking threat actor named MRxC0DER.

Besides using Cloudflare's anti-bot mechanisms to evade detection by phishing website scanners, the URLs distributed via the quishing campaigns come embedded with encrypted JavaScript that's decoded during page load in order to collect victims' network metadata and relay 2FA tokens.

"ONNX Store has a two-factor authentication (2FA) bypass mechanism that intercepts \[two-factor authentication\] requests from victims," EclecticIQ researcher Arda Büyükkaya said. "The phishing pages look like real Microsoft 365 login interfaces, tricking targets into entering their authentication details."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Oyster Backdoor Spreading via Trojanized Popular Software Downloads

More on the recent Snowflake breach, MFA bypass techniques and more.

Thursday, June 20, 2024 14:00

I think we can all agree that tabletop exercises are a good thing. They allow organizations of all sizes to test their incident response plans without the potentially devastating effects of a real-world cyber attack or intrusion. 

As part of my role at Talos, I’ve read hundreds of tabletop exercises for Cisco Talos Incident Response customers, and the knowledge and recommendations contained in each of them are invaluable. No matter how strong your incident response plan seems on paper, there is always something that can be improved, and a tabletop exercise can help your organization identify potential holes or areas of improvement.  

But as I was catching up on the news of the past week, I saw that these exercises may be flying too close to the sun — literally.  

The U.S. National Science Foundation recently released a study on possible outer space cyberattacks with the help of researchers at the California Polytechnic State University.  

The report outlines several possible cyber attack scenarios that could take place in outer space or affect our society’s activities outside of Earth’s atmosphere. One such hypothetical involved adversaries carrying out a distributed denial-of-service attack, disabling electronic door controls on a lunar settlement, trapping the residents inside of a physical structure and locking others out on the unforgiving surface of Earth’s moon.  

Researchers behind the report wrote that the hope is these types of scenarios help encourage private companies and the U.S. government to consider the security needs of any activities in space, including “running tabletop simulation or wargaming exercises.” 

I guess it never hurts to be overly prepared for anything, and we can never be too careful with these scenarios, but I also feel like we may be getting too far over our skis with this one. Recent tabletop exercises from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) testing possible AI-powered cyber attacks are at least a more prescient issue, even though I have my own reservations about how much of a boost adversaries are getting from AI tools currently.  

Some of the space-based scenarios Cal Poly outlined were admittedly stated as not likely to happen in at least 20 or more years, while others could occur in the next five years. But I also can’t help but ask “why?” when we still can’t even get users on Earth to patch to the most recent version of Microsoft Office, let alone keep their space network protected in a lunar colony (and if we’ve advanced that far, I hope we’re able to develop a better alternative to PowerPoint while we’re at it).  

I recommend at least skimming the entire 95-page report, maybe not necessarily to fuel your next tabletop exercise, but at least to help you feel like a poor password policy on some of your machines isn’t going to deprive anyone of oxygen.  

**The one big thing **

Explore trends on when (and how) attackers will try their 'push-spray' MFA attacks, as well as how adversaries are using social engineering to try and bypass MFA altogether in the latest blog post on multi-factor authentication from Talos. The issues we’re seeing now are mostly down to attacker creativity to try and bypass MFA, and overall poor implementation of the solution (for example, not installing it on public-facing applications or EOL software). Our report highlights what types of MFA bypass techniques are most popular, the timing around these attacks, users who are targeted, and much more.  

**Why do I care? **

In the latest Cisco Talos Incident Response Quarterly Trends report, instances related to multi-factor authentication (MFA) were involved in nearly half of all security incidents that our team responded to in the first quarter of 2024. In 25% of engagements, the underlying cause was users accepting fraudulent MFA push notifications that originated from an attacker. In 21% of engagements, the underlying cause for the incident was a lack of proper implementation of MFA. MFA is used in all sorts of web applications, login credentials and even access to services that are critical to day-to-day work. The fact that adversaries continue to target MFA should be monitored and stay top-of-mind for defenders.  

**So now what? **

Consider implementing number-matching in MFA applications such as Cisco Duo to provide an additional layer of security to prevent users from accepting malicious MFA push notifications.  Implement MFA on all critical services including all remote access and identity access management (IAM) services. MFA will be the most effective method for the prevention of remote-based compromises. It also prevents lateral movement by requiring all administrative users to provide a second form of authentication. There are more recommendations in Talos’ blog.  

**Top security headlines of the week **

**The threat actor behind the wide-reaching Snowflake breach is putting pressure on victims and requesting increasing ransom payments to avoid leaking their data.** According to a new report, as many as 10 companies are still under pressure to hand over monetary payments, with requests from adversaries ranging between $300,000 and $5 million. The hacking scheme, which affects more than 160 companies, now seems to be entering a new phase where the attackers are trying to figure out how to profit from the breach. The perpetrators also publicly speak about how the breach came about, telling Wired that they stole terabytes of data by first breaching a third-party contractor that works with Snowflake. They could then access data companies have stored on their Snowflake instances, such as Ticketmaster. The attackers are also expected to list the stolen data for sale on dark web forums where it may be sold to the highest bidder. (Wired, Bloomberg) 

**Dutch military officials warned this week that a cyber espionage campaign from Chinese state-sponsored actors was more wide-reaching than previously known.** Officials disclosed the campaign in February, warning that adversaries exploited a critical FortiOS/FortiProxy remote code execution vulnerability (CVE-2022-42475) in 2022 and 2023 to deploy malware on vulnerable Fortigate network security appliances. Now, they’ve expanded the number of affected devices to more than 20,000 after the Dutch Military Intelligence and Security Service (MIVD) first estimated that around 14,000 devices were hit. These targets reportedly include dozens of government agencies, international organizations and defense contractors. The MIVD released a renewed warning about the vulnerability because it believes the Chinese actors still have access to many victims’ networks. The Coathanger malware used in this attack is difficult to detect, as it intercepts system calls to avoid alerting users of its presence. It also survives operating system firmware upgrades. “The NCSC and the Dutch intelligence services have been seeing a trend for some time that vulnerabilities in publicly accessible edge devices such as firewalls, VPN servers, routers and email servers are being exploited,” the MIVD said in its updated statement. (Bleeping Computer, Decipher) 

**U.S. federal agents have shut down and charged two individuals with running a popular dark web marketplace called “Empire Market.”** The site helped generate and organize more than $430 million worth of sales, including illegal drug trades, counterfeit money and stolen credit card data. Federal prosecutors charged Thomas Pavey, also known as "Dopenugget” and Raheim Hamilton, also known as "Sydney" and "Zero Angel," for running Empire Market between 2018 and 2020. The indictment, announced earlier this week, reveals that the two individuals used to advertise these services and stolen data on a site known as AlphaBay before that was shut down in 2017, at which point they launched Empire Market. The site only accepted cryptocurrency for payments to conceal the nature of the transactions, as well as the identities of Empire Market administrators, moderators, buyers and sellers. At the time of the arrest, federal officials seized more than $75 million worth of cryptocurrency and other valuable items. (CBS News, Bloomberg) 

**Can’t get enough Talos? **

*   Android malware used in six-year Pakistan-linked campaign against Indian government 
*   Pakistani Threat Actors Caught Targeting Indian Gov Entities 
*   CyberScoop Safe Mode podcast: Keeping Ukraine’s grid up and running amid war; Snowflake customers under attack 
*   Exploring malicious Windows drivers (Part 2): the I/O system, IRPs, stack locations, IOCTLs and more 
*   Only one critical issue disclosed as part of Microsoft Patch Tuesday 
*   Talos Takes Ep. #187: The many shades of LilacSquid 

**Upcoming events where you can find Talos **

**_Cisco Connect U.K._** **_(June 25)_**

_London, England_

> _In a fireside chat, Cisco Talos experts Martin Lee and Hazel Burton discuss the most prominent cybersecurity threat trends of the near future, how these are likely to impact UK organizations in the coming years, and what steps we need to take to keep safe._

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 2d1a07754e76c65d324ab8e538fa74e5d5eb587acb260f9e56afbcf4f4848be5   
**MD5:** d3ee270a07df8e87246305187d471f68   
**Typical Filename:** iptray.exe   
**Claimed Product:** Cisco AMP   
**Detection Name:** Generic.XMRIGMiner.A.A13F9FCC

**SHA 256:** 9b2ebc5d554b33cb661f979db5b9f99d4a2f967639d73653f667370800ee105e   
**MD5:** ecbfdbb42cb98a597ef81abea193ac8f   
**Typical Filename:** N/A   
**Claimed Product:** MAPIToolkitConsole.exe   
**Detection Name:** Gen:Variant.Barys.460270

Tabletop exercises are headed to the next frontier: Space

Microsoft Edge Channel

Microsoft Edge Version

Date Released

Based on Chromium Version

Stable

126.0.2592.68

6/20/2024

126.0.6478.114/115

Tag

#microsoft