Latest campaigns are a break from its usual financially motivated attacks and appear aligned with Russian interests, security researchers say.

In a break from precedent, Russia's hitherto purely financially motivated Trickbot threat group has systematically been attacking targets in Ukraine over the past three months, apparently in support of Russian government interests in the region.

Researchers from IBM's X-Force threat intelligence group this week said they had uncovered two campaigns — and analyzed four others that Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed — where Trickbot went after targets in Ukraine. The campaigns began after Russia’s invasion of Ukraine in February and have targeted Ukrainian state authorities, government organizations, specific individuals, and the general population. Several of the attacks have involved phishing emails with various themes designed to grab the attention of Ukrainian users — included some that are war-related.

The attacks highlight an unprecedented shift for Trickbot, and it's notable because threat groups in former Soviet Union states have typically avoided attacking targets in each other’s countries, IBM said.

Prior to the Russian invasion, ITG23, which is the name by which IBM tracks Trickbot, had not been known to target Ukraine. "Much of the group's malware was even configured to not execute on systems if the Ukrainian language was detected," IBM said in a report summarizing its findings this week. "ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection."

**Multiple Malware Tools**

IBM said it has observed Trickbot distributing several known malware tools such as IcedID, Cobalt Strike, AnchorMail, and Meterpreter in its attacks on Ukrainian targets. Some of the attacks involved the use of new tools such as a malicious Excel downloader, a self-extracting archive for dropping various malware payloads and a new malware encryption and obfuscation tool.

One of the two Trickbot campaigns that IBM uncovered was in early May. In those attacks, IBM observed the threat actor using a weaponized Excel file to download its AnchorMail backdoor on compromised systems. AnchorMail is a revamped version of Trickbot’s AnchorDNS, a backdoor that members of the closely affiliated Conti group have been using to deploy Conti ransomware. IBM X-Force researchers have previously described the malware as notable for communicating with its command-and-control (C2) server using the DNS protocol.

The second recent Trickbot campaign that IBM X-Force researchers spotted occurred likely in late May or early June. In that campaign, Trickbot actors used an ISO image file — or archive file containing the contents of an optical disk — as part of an attack chain to drop the Cobalt Strike post-exploit attack kit on target system. In June, Trickbot users were observed exploiting the so-called “Follina” zero-day bug in the Windows Microsoft Support Diagnostic Tool (MSDT) to deploy Cobalt Strike.

The campaigns that CERT-UA disclosed, and which IBM X-Force researchers analyzed, involved Trickbot attempts to deploy IcedID, a banking Trojan turned malware distributor; Metasploit attack payload, Meterpreter; and Cobalt Strike. In five of the six observed campaigns, Trickbot actors directly downloaded Cobalt Strike, AnchorMail, or Meterpreter on target systems — another break from their usual habit of deploying these tools as secondary payloads. IBM said the switch suggests "these attacks are part of targeted campaigns during which ITG23 is willing to immediately deploy higher-value backdoors."

IBM described the new malicious Excel downloader that Trickbot is using in the Ukrainian attacks as designed to download malware from a hard-coded URL. The downloader is stored as a macro within the Excel file and runs automatically if the file is opened — provided the user has macros enabled. The new dropper for AnchorMail that IBM observed is in the form of a WinRAR Self Extracting Archive. The dropper is rigged to extract and execute a script for building and configuring AnchorMail on infected systems.

Trickbot is a highly successful threat group that has been around since at least 2016. The group initially used its eponymously named malware to steal credentials to banking accounts. Over the years, the group evolved into a sort of initial access broker and a distributor for several ransomware and malware tools, most notably Conti and Ryuk and Emotet. Trickbot is used variously for stealing data, enabling cryptomining, enumerating systems, and other malicious activities.

Court documents in connection with the arrest of a key member of the group last year showed that nearly 20 cybercriminals — including several malware experts — collaborated in building the malware. A massive 2020 international law enforcement operation to take the threat actor down temporarily disrupted its activities but failed to stop them.

In Switch, Trickbot Group Now Attacking Ukrainian Targets

Acronyms serve as a gatekeeper — if you don't sling the lingo, you don't belong. So here's a quick guide to the letter salad of cloud cybersecurity.

**Question: There are so many cloud security acronyms nobody seems to be spelling out. What do they mean?**

**Answer:** Acronyms are confusing jargon that can often serve as a gatekeeper — if you don't sling the lingo, the thinking goes, you don't belong. But if you're reading this, you _do_ belong in cybersecurity, which has to become more welcoming if we ever hope to close the talent gap. So here's a quick guide to some of the acronyms you may come across when talking about cloud security.

**CDR – Cloud detection and response.** These tools continuously aggregate, normalize, and analyze data provided by SaaS (software-as-a-service) and cloud services about accounts, privileges, configurations, and activity to power insights, situational knowledge, and threat alerts. It provides single-pane visibility into cloud environments while maintaining user context.

**CIEM – Cloud infrastructure entitlement management.** Such tools address the issue of excessive permissions and entitlements to cloud resources. They detect over-permissioned accounts and roles and unused permissions and accounts. Note that this is distinct from SIEM (security information and event management), which analyzes alerts in real time, and CIAM (customer identity and access management), which aims to give users secure access to resources.

**CNAPP – Cloud-native application protection platform.** CNAPP addresses the inevitable increased number of moving parts and interlocking systems in cloud-native applications. Using a modular approach, existing CI/CD (continuous integration and continuous delivery) pipelines and runtime platforms can be extended and updated as better methods are discovered. Leveraging a CNAPP gives you in-depth, multilayered, agent-based, and agentless coverage across all aspects of your environment — everything from proactive validation of workloads to auditing policies on the public cloud platform you're running on. Providing more than just convergence of CIEM, CWPP, and CSPM (read on for more about the latter two), CNAPP allows CISOs (chief information security officers) to see the value that cloud security suites deliver, as opposed to a series of disjoint point solutions needing painstaking integration.

**CSPM – Cloud security posture management.** This refers to a set of controls that detect when your deployed accounts and resources deviate from best practices. CSPM tools embed a variety of standards that allow you to continuously evaluate all cloud accounts and workloads and quickly identify areas of drift and misconfiguration.

**CWPP – Cloud workload protection platform.** These protect workloads and focus on securing the entire application life cycle, providing cloud-based security solutions that protect instances on AWS, Google Cloud Platform, Microsoft Azure, and other cloud vendors' platforms. CWPP focuses on specific application use cases, such as runtime detection, system hardening, vulnerability management, network security, compliance, and incident response.

**SSPM – SaaS security posture management.** Such tools monitor security risks in SaaS applications. SSPM looks for and surfaces misconfigurations, compliance risks, unnecessary or defunct user accounts, excessive user permissions, and other cloud security issues so that security personnel can resolve them.

What Do All of Those Cloud Cybersecurity Acronyms Mean?

Dark Reading's digest of the other don't-miss stories of the week, including a new ransomware targeting QNAP gear, and a destructive attack against the College of the Desert that lingers on.

Cybercrime never sleeps — but editors do. To cap off this short Fourth of July week, Dark Reading's editors are collecting all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would be remiss to not cover.  

We're talking a critical Cisco vulnerability, a Microsoft alert on upgrades to the Hive ransomware, QNAP issues, and a pair of cyberattacks.

In this week's "in case you missed it" (ICYMI) digest, read on for more about the following:

*   **Critical Cisco Security Vulnerability Allows Root Access to OS**
*   **Hive Ransomware Gets a Rust-y Upgrade**
*   **QNAP Warns on "Checkmate" Ransomware Attacks**
*   **"SHI-eesh": IT Giant Knocked Offline in Coordinated Cyberattack**
*   **California College Remains Offline After Ransomware Hit**

**Critical Cisco Security Vulnerability Allows Root Access to OS**

Cisco has rolled out patches for 10 security bugs, including a critical flaw that could allow cyberattackers to manipulate application source code, or configuration and critical system files.

The critical issue (CVE-2022-20812, CVSS severity score of 9.0) is a path-traversal vulnerability affecting the Cisco Expressway Series software and Cisco TelePresence VCS software, if they are in the default

"A vulnerability in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS could allow an authenticated, remote attacker with Administrator read-write privileges on the application to conduct absolute path traversal attacks on an affected device and overwrite files on the underlying operating system as a root user," according to the advisory, the latest since Cisco's last bug disclosure in May.

The vulnerability arises thanks to insufficient input validation of user-supplied command arguments, the networking giant noted.

"An attacker could exploit this vulnerability by authenticating to the system as an administrative read-write user and submitting crafted input to the affected command."

**Hive Ransomware Gets a Rust-y Upgrade**

The ransomware-as-a-service (RaaS) offering known as Hive has overhauled its infrastructure, using the programming language Rust.

That's the buzz from Microsoft, whose security researchers noted that Hive is an exemplar of adapting to the rapid change found in the underground economy.

"With its latest variant carrying several major upgrades, Hive also proves it’s one of the fastest-evolving ransomware families, exemplifying the continuously changing ransomware ecosystem," researchers said in a post this week. "The most notable changes include a full code migration to another programming language \[from GoLang to Rust\] and the use of a more complex encryption method."

Rust, a language also used by the BlackCat ransomware, allows advances in coding control, memory usage, resistance to reverse engineering, and access to a range cryptographic libraries, the researchers said.

As for the encryption, "the new Hive variant uses string encryption that can make it more evasive," according to the advisory. “The constants that are used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection.”

**QNAP Warns on "Checkmate" Ransomware Attacks**

QNAP, the network-attached storage (NAS) vendor, is flagging activity against its devices that results in the execution of the Checkmate ransomware.

The cyberattackers are specifically targeting SMB file-sharing services exposed to the Internet, using a dictionary attack to break accounts with weak passwords.

"Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name '!CHECKMATE\_DECRYPTION\_README' in each folder," according to QNAP's advisory this week. It added, "We are thoroughly investigating the case and will provide further information as soon as possible."

Customers of the Taiwan-based appliance maker have been suffering ongoing, relentless ransomware activity — which Dark Reading broke down earlier this week (along with potential defenses) in an extensive roundtable of experts.

To protect their businesses and avoid a ransomware checkmate, users should avoid exposing the SMB service to the internet and should employ strong passwords in any event.

**"SHI-eesh": IT Giant Knocked Offline in Coordinated Cyberattack**

IT-supplier bigwig SHI International said this week that it was the target of "a coordinated and professional malware attack."

The New Jersey-based vendor, which has 5,000 employees and 15,000 customers around the world, said that it moved quickly to stop the infection and minimize the impact on SHI’s systems and operations. That meant that some systems, such as SHI’s public websites and email, were knocked offline "while the attack was investigated and the integrity of those systems was assessed."

The SHI staff regained access to email, but as of Thursday the main website was still not operational. The company said in a website notice that IT teams continue to work to bring other systems back online.

It's unclear what the cyberattackers' goal was, but some researchers noted that a supply chain compromise attempt is a real possibility.

“Apart from being a large enterprise, SHI is a major software and hardware provider to several Fortune 500 companies, and while there is no evidence regarding third-party suppliers getting breached or customer data getting exfiltrated, this is certainly too close for comfort for many of their customers," Rajiv Pimplaskar, CEO at Dispersive Holdings, said via email.

**California College Remains Offline After Ransomware Hit**

As the latest example of what happens when IT isn't prepared for a hit, the 12,500-student College of the Desert, a community college in Palm Desert, Calif., remains offline after suffering which researchers suspect was a ransomware attack.

The cyberattack brought down the school's online services and campus phone lines on July 4. As of late Thursday, the school's website still returned a notice that it "is currently experiencing a system-wide outage of most services," including the ability for students to request transcripts, add or drop classes, or register for classes.

"Educational institutions have continued to be a prime target for ransomware groups over the last couple of years," says Josh Rickard, senior security solutions architect at Swimlane, noting that this is the second time College of the Desert has been hit with a malware attack; the first incident took place in August 2020. "To prevent similar attacks in the future and ensure that operations continue to run smoothly, education institutions such as College of the Desert need to devote more resources to information security teams, tools, processes, and products."

Rickard suspects the incident was ransomware due to the severe operational disruption, but it should be noted that College of the Desert has not confirmed that, admitting only to a "computer network disruption."

ICYMI: Critical Cisco RCE Bug, Microsoft Breaks Down Hive, SHI Cyberattack

Five months after announcing plans to disable Visual Basic for Applications (VBA) macros by default in the Office productivity suite, Microsoft appears to have rolled back its plans.
"Based on feedback received, a rollback has started," Microsoft employee Angela Robertson said in a July 6 comment. "An update about the rollback is in progress. I apologize for any inconvenience of the rollback

Five months after announcing plans to disable Visual Basic for Applications (VBA) macros by default in the Office productivity suite, Microsoft appears to have rolled back its plans.

"Based on feedback received, a rollback has started," Microsoft employee Angela Robertson said in a July 6 comment. "An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available."

In February 2022, the tech giant said it was disabling macros by default across its products, including Word, Excel, PowerPoint, Access, and Visio, for documents downloaded from the web in an attempt to mitigate potential attacks that abuse the functionality for deploying malware.

"Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss, and remote access," Microsoft noted at the time.

It's not immediately clear what the "feedback" was or what prompted Redmond to reverse course without any official notice. We have reached out to Microsoft for further comment, and we will update the story if we hear back.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Quietly Rolls Back Plan to Block Office VBA Macros by Default

In what's being described as an "unprecedented twist," the operators of the TrickBot malware have resorted to systematically targeting Ukraine since the onset of the war in late February 2022.
The group is believed to have orchestrated at least six phishing campaigns aimed at targets that align with Russian state interests, with the emails acting as lures for delivering malicious software such

In what's being described as an "unprecedented twist," the operators of the TrickBot malware have resorted to systematically targeting Ukraine since the onset of the war in late February 2022.

The group is believed to have orchestrated at least six phishing campaigns aimed at targets that align with Russian state interests, with the emails acting as lures for delivering malicious software such as IcedID, CobaltStrike, AnchorMail, and Meterpreter.

Tracked under the names ITG23, Gold Blackburn, and Wizard Spider, the financially motivated cybercrime gang is known for its development of the TrickBot banking trojan and was subsumed into the now-discontinued Conti ransomware cartel earlier this year.

But merely weeks later, the actors associated with the group resurfaced with a revamped version of the AnchorDNS backdoor called AnchorMail that uses SMTPS and IMAP protocols for command-and-control communications.

"ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection," IBM Security X-Force analyst Ole Villadsen said in a technical report.

A noticeable shift in the campaigns involves the use of never-before-seen Microsoft Excel downloaders and the deployment of CobaltStrike, Meterpreter, and AnchorMail as first-stage payloads. The attacks are said to have commenced in mid-April 2022.

Interestingly, the threat actor leveraged the specter of nuclear war in its email ruse to spread the AnchorMail implant, a tactic that would be repeated by the Russian nation-state group tracked as APT28 two months later to spread data-stealing malware in Ukraine.

What's more, the Cobalt Strike sample deployed as part of a May 2022 campaign utilized a new crypter dubbed Forest to evade detection, the latter of which has also been used in conjunction with the Bumblebee malware, lending credence to theories that the loader is being operated by the TrickBot gang.

"Ideological divisions and allegiances have increasingly become apparent within the Russian-speaking cybercriminal ecosystem this year," Villadsen noted. "These campaigns provide evidence that Ukraine is in the crosshairs of prominent Russian cybercriminal groups."

The development comes as Ukrainian media outlets have been targeted with phishing messages containing malware-laced documents that exploit the Follina vulnerability to drop the DarkCrystal RAT on compromised systems.

The Computer Emergency Response Team of Ukraine (CERT-UA) has also warned of intrusions conducted by a group called UAC-0056 that involves striking state organizations with staffing-themed lures to drop Cobalt Strike Beacons on the hosts.

The agency, last month, further pointed out the use of Royal Road RTF weaponizer by a China-based actor codenamed the Tonto Team (aka Karma Panda) to target scientific and technical enterprises and state bodies located in Russia with the Bisonal malware.

Attributing these attacks with medium confidence to the advanced persistent threat (APT) group, SentinelOne said the findings demonstrate "a continued effort" on the part of the Chinese intelligence apparatus to target a wide range of Russian-linked organizations.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

TrickBot Malware Shifted its Focus on "Systematically" Targeting Ukraine

The latest criminal use of a legitimate red-teaming tool helps attackers stay under the radar and better access living-off-the-land binaries.

In a fresh campaign that takes a page from the advanced persistent threat known as APT29, hackers are shifting away from the Cobalt Strike post-exploitation toolkit, instead embracing Brute Ratel C4 (BRc4).

BRc4 is the latest upstart in the red-team tooling world; like Cobalt Strike, it's an adversarial attack simulation tool designed for penetration testers. It’s a command-and-control (C2) framework that's not easily detected by endpoint detection and response (EDR) technology or other anti-malware tools.

A report from Palo Alto Networks' Unit 42 research team found evidence of attackers subverting Brute Ratel's free licensing protections and utilizing the tool to run criminal attack campaigns.

The infrastructure they uncovered is extensive, researchers noted.

"In terms of C2, we found that the sample called home to an Amazon Web Services (AWS) IP address located in the United States over port 443," they explained. "Further, the X.509 certificate on the listening port was configured to impersonate Microsoft with an organization name of 'Microsoft' and organization unit of 'Security.'"

Pivoting on the certificate and other artifacts, "we identified a total of 41 malicious IP addresses, nine BRc4 samples, and an additional three organizations across North and South America who have been impacted by this tool so far," they added.

**Living-Off-the-Land Techniques**

Unit 42 said the sample utilizing BRc4 uses known APT29 techniques, including well-known cloud storage and online collaboration applications. In this case, the sample studied was packaged up as a self-contained ISO that included a Windows shortcut LNK file, a malicious payload library, and a legitimate copy of Microsoft OneDrive Updater.

"Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking," the report explained.

This technique of using legitimate tools and native utilities is known as "living off the land," and threat actors are increasingly using living-off-the-land binaries (LOLBins) to drop malicious payloads.

Last week for instance, researchers with Cyble reported an uptick in LNK file-based builders growing in popularity on Dark Web marketplaces, as various malware families lean on them for payload delivery.

"We have observed a steadily increasing number of high-profile threat actors shifting back to .LNK files to deliver their payloads," the Cyble researchers wrote. "Typically, threat actors use LOLBins in such infection mechanisms because it makes detecting malicious activity significantly harder."

**Where Red Team Tools Fit In**

Tools like Cobalt Strike and BRc4 aren't purely living-off-the-land approaches, "since you still have to introduce a piece of malware onto the system as opposed to using the operating systems built in tooling," explains Tim McGuffin, director of adversarial engineering at LARES Consulting.

However, these tools are nevertheless popular with attackers for their ability to evade detection mechanisms, fundamentally for the same reason as a living-off-the-land attack works — because they're otherwise viewed as legitimate software.

"Brute Ratel is an otherwise legitimate tool that might be present in victim networks," explains John Bambenek, principal threat hunter at Netenrich. "Since its use is likely whitelisted, it allows for attackers to operate more discretely than they would otherwise be able to do."

This is an unfortunate cycle that the security world has seen occur for a long time, as attackers are drawn to red-team tools like flies to honey.

According to Ivan Righi, senior cyber threat intelligence analyst for Digital Shadows, it's no surprise that BRc4 makes for an attractive tool. Not only does it have offensive security capabilities similar to Cobalt Strike that can be abused for malicious purpose, but it is also less known than Cobalt Strike.

"Many security solutions may not yet detect Brute Ratel as malicious, as opposed to Cobalt Strike, which is generally more well-known for being used for malicious purposes," Righi says.

According to McGuffin, security practitioners should be concerned about all toolkits like these, whether open source, commercial, or custom. But he believes that they shouldn't get caught up in the whack-a-mole game of detecting the framework or the tooling itself. Instead, they should focus on hardening their systems.

"An emphasis on endpoint hardening can be placed on prevention against any C2 tooling. An example is Microsoft's Attack Surface Reduction 'Application Allow-listing' guidance," he says. "The setting prevents unknown binaries from being introduced, and network egress hardening to prevent C2 callbacks to Command-and-Control servers."

Stealthy Cyber-Campaign Ditches Cobalt Strike for Rival 'Brute Ratel' Pen Test Tool

File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317.

CVE-2021-29281: Unrestricted File Upload | OWASP Foundation

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30192, CVE-2022-33638, CVE-2022-33639.

CVE-2022-33680

In a significant spike of activity, the state-sponsored group is going after intelligence on Russian government agencies.

Representing a significant increase in activity, a campaign linked to China started targeting Russia-linked organizations in June with malware designed to collect intelligence on government activities, according to analyses by security firms and Ukraine's Computer Emergency Response Team (CERT).   

The attacks use purported government advisories sent as Rich Text Files (RTFs) in an attempt to convince victims to open the documents, thus allowing a remote code execution (RCE) exploit in Microsoft Office to be run. That's according to endpoint security firm SentinelOne, which stated in an analysis published on Thursday that the contents of the documents appear as security warnings written in Russian. They claim to warn agencies and infrastructure providers of potential attacks and advise them of compliance requirements under Russian law.

**Escalating Cyberattacks Against Russia**

While China has targeted Russia in the past, and vice versa, the pace of attacks — especially by the purported threat actor, Tonto Team — has grown following the Russian invasion of Ukraine, says Tom Hegel, a senior threat researcher at SentinelOne.

"Tonto Team, like other Chinese actors, has a long history of targeting Russia," he says. "What we're seeing here is a potential Chinese government increase in intelligence collection requirements from inside Russia. Perhaps an increased prioritization or expansion of resources assigned to such tasking."

The reported increase in Chinese cyber operations comes as Russia has strengthened diplomatic relations with China in the face of sanctions from Western nations. While the two major nations are not formal allies, they have expanded trade and defense ties over the past decade as a way to foil the expansion of Western alliances.

    

Delivery timing of the malicious documents in latest Tonto Team attacks. Source: SentinelOne

In addition, they have different approaches to pursuing their foreign policy goals. Russia has tacitly allowed cybercriminal gangs to operate in its territory and has also widely used cyber operations to steal intelligence and attack infrastructure, as well as an adjunct to military operations. For example, Russia has used disinformation campaigns, infrastructure attacks, and espionage operations in its conflict with Ukraine.

China, which has profited significantly from economic relations with Western nations, has mainly pursued non-military approaches to international relations and used cyber operations for acquiring intellectual property and conducting espionage. Treating Russia as any other adversary just shows consistency, says SentinelOne's Hegel.

This is "simply China looking out for itself in uncertain times," he says. "Like any well-resourced nation, they seek to support their own agenda through cyber, and the state of affairs in Russia may be adjusting just what they prioritize."

**Technical Breadcrumbs Point to China**

The recent campaigns have used two pieces of malware linked to Chinese advanced persistent threats (APTs): a toolkit used to build malicious documents known as Royal Road and a custom remote access Trojan (RAT) known as Bisonal used by Chinese actors. The Tonto Team — also known as Karma Panda and Bronze Huntley — traditionally has focused on other Asian nations, such as South Korea and Japan, as well as the United States and Taiwan. Recently, the group has increased its operations to Russia, Pakistan, and other nations.

While false flag operations, where one adversary attempts to disguise their operations as another attacker, have happened, a variety of evidence links the attacks to China.

At least seven threat groups — all linked to China — use Royal Road to create malicious documents as part of the initial attack aimed at gaining access to targeted systems. In April, for example, cyberthreat intelligence firm DomainTools analyzed an document created with the Royal Road malware building toolkit that had the hallmarks of a Chinese espionage campaign and targeted a Russian underwater research and weapons development organization.

"Combined with the sensitive targeting and the attempts at hardening the ultimate payload, it appears the adversary went to some effort to evade analysis of their activity as well," the analysis stated. "Although this campaign appears specifically targeted to an entity in the Russian Federation, the underlying behaviors of this campaign — from malicious document usage through binary execution guardrails and controls — provide helpful insight into adversary tradecraft from which all defenders can learn valuable lessons."

In addition, Bisonal is used exclusively by Chinese groups, according to the advisories.

Companies should take note that nation-state attacks can often affect private businesses. The SentinelOne advisory has indicators of compromise (IoCs) for the latest campaigns, and DomainTools highlights various countermeasures for detecting and blunting cyber-espionage attacks.

Organizations should use the intelligence to check their own defenses against similar attacks, says SentinelOne's Hegel.

"Targets of espionage or disruption in today's world are not isolated to government networks but can overflow or directly hit private business simply because of their stance on a political issue or where they operate," he says. "As we observed when Ukraine was invaded, things can shift overnight — so CISOs should remain aware of this activity as we continue to live with such geopolitical tension."

China's Tonto Team APT Ramps Up Spy Operations Against Russia

A memory corruption in Hex Rays Ida Pro v6.6 allows attackers to cause a Denial of Service (DoS) via a crafted file. Related to Data from Faulting Address controls subsequent Write Address starting at msvcrt!memcpy+0x0000000000000056.

Last time during one of the "Night Fuzzing Sessions" I found few bugs in IdaPro 6.6. I decided to continue this adventure but with a 'new approach'. So I changed my _input files_. ;) Below you will find the details about it. Here we go... 

This time we'll start here:

Just like during the previous part - I used similar environment (and settings for the FOE2 fuzzer) as I did before. Only thing I changed here was:

\- run Kali VM and  

\- prepare 'payload/input file' using _msfvenom_.

If you're not familiar with _msfvenom_ I will always recommend you to read the fantastic manual:

My goal was to prepare a "reverse shell" for various "platforms" (linux/bsd/macos and so on...) and run it in the same way I did before with IdaPro:

 

**TL;DR:**  

After a while we should be somewhere here:

For example:

**Case #01:**

\---<cut>---

(...)  
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86  
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\\Program Files\\IDA 6.6\\idaq.exe" -B -A -a- -c C:\\FOE2\\fuzzdir\\campaign\_ijatnp\\iteration\_m\_yrvq\\foe-crash-l0mnvu\\sf\_0d75862d5d90166274cc61a363c74828-576.exe  
(...)  
Executable search path is:  
ModLoad: 00090000 003a3000   idaq.exe  
(...)  
(12a0.1334): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=00000000 ebx=07de0ba8 ecx=00000007 edx=00000000 esi=02532fe8 edi=005bc114  
eip=77559966 esp=005bbdf4 ebp=005bbdfc iopl=0         nv up ei ng nz ac pe cy  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297  
msvcrt!memcpy+0x56:  
77559966 8b448efc        mov     eax,dword ptr \[esi+ecx\*4-4\] ds:0023:02533000=????????

0:000> r;r;!exploitable -v;kb;r;q  
eax=00000000 ebx=07de0ba8 ecx=00000007 edx=00000000 esi=02532fe8 edi=005bc114  
eip=77559966 esp=005bbdf4 ebp=005bbdfc iopl=0         nv up ei ng nz ac pe cy  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297  
msvcrt!memcpy+0x56:  
77559966 8b448efc        mov     eax,dword ptr \[esi+ecx\*4-4\] ds:0023:02533000=????????  
eax=00000000 ebx=07de0ba8 ecx=00000007 edx=00000000 esi=02532fe8 edi=005bc114  
eip=77559966 esp=005bbdf4 ebp=005bbdfc iopl=0         nv up ei ng nz ac pe cy  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297  
msvcrt!memcpy+0x56:  
77559966 8b448efc        mov     eax,dword ptr \[esi+ecx\*4-4\] ds:0023:02533000=????????

!exploitable 1.6.0.0  
HostMachine\\HostUser  
Executing Processor Architecture is x86  
Debuggee is in User Mode  
Debuggee is a live user mode debugging session on the local machine  
Event Type: Exception  
Exception Faulting Address: 0x2533000  
First Chance Exception Type: STATUS\_ACCESS\_VIOLATION (0xC0000005)  
Exception Sub-Type: Read Access Violation

Faulting Instruction:77559966 mov eax,dword ptr \[esi+ecx\*4-4\]

Basic Block:  
    77559966 mov eax,dword ptr \[esi+ecx\*4-4\]  
       Tainted Input operands: 'ecx','esi'  
    7755996a mov dword ptr \[edi+ecx\*4-4\],eax  
       Tainted Input operands: 'eax','ecx'  
    7755996e lea eax,\[ecx\*4\]  
       Tainted Input operands: 'ecx'  
    77559975 add esi,eax  
       Tainted Input operands: 'eax','esi'  
    77559977 add edi,eax  
       Tainted Input operands: 'eax'  
    77559979 jmp dword ptr msvcrt!memcpy+0xa8 (775599b8)\[edx\*4\]

Exception Hash (Major/Minor): 0x17cc121f.0x62867b4b

 Hash Usage : Stack Trace:  
Major+Minor : msvcrt!memcpy+0x56  
Major+Minor : dbghelp!StackWalk64+0x1bba  
Major+Minor : dbghelp!SymGetModuleInfoW64+0x549  
Major+Minor : dbghelp!FindExecutableImage+0x80e  
Major+Minor : dbghelp!StackWalk64+0x2a85  
Minor       : dbghelp!StackWalk64+0x2cff  
Minor       : dbghelp!SymLoadModuleEx+0x44  
Minor       : dbghelp!SymLoadModule64+0x23  
Minor       : pdb+0x1a8d7  
Minor       : IDA!run\_plugin+0x3a  
Minor       : dbg+0x8277  
Minor       : dbg+0x9f2f  
Minor       : SYSFER+0x45b1b  
Minor       : SYSFER+0x45b1b  
Minor       : SYSFER+0x45a1c  
Minor       : idaq+0x70000  
Minor       : idaq+0x70000  
Minor       : idaq+0x70000  
Minor       : dbg+0xa175  
Instruction Address: 0x0000000077559966

Description: Data from Faulting Address controls subsequent Write Address  
Short Description: TaintedDataControlsWriteAddress  
Exploitability Classification: PROBABLY\_EXPLOITABLE  
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls subsequent Write Address starting at msvcrt!memcpy+0x0000000000000056 (Hash=0x17cc121f.0x62867b4b)

The data from the faulting address is later used as the target for a later write.  
ChildEBP RetAddr  Args to Child                
WARNING: Stack unwind information not available. Following frames may be wrong.  
005bbdfc 66345b61 005bc114 02532fe8 0000001c msvcrt!memcpy+0x56  
005bbe10 66341059 07de0ba8 00000000 02520000 dbghelp!StackWalk64+0x1bba  
005bc1bc 66368036 07de0ba8 00000002 00000000 dbghelp!SymGetModuleInfoW64+0x549  
005bc1d4 66346a2c 07de0ba8 3be9e1ee 00000000 dbghelp!FindExecutableImage+0x80e  
005bc664 66346ca6 beeffeed 07ddb518 00400000 dbghelp!StackWalk64+0x2a85  
005bcac8 66363a0e beeffeed 07ddb430 00000000 dbghelp!StackWalk64+0x2cff  
005bcb28 66363aa4 beeffeed 00000000 07ddb430 dbghelp!SymLoadModuleEx+0x44  
005bcb54 70cea8d7 beeffeed 00000000 02f74320 dbghelp!SymLoadModule64+0x23  
005bcc28 66ad515a 00000001 00000010 03108d70 pdb+0x1a8d7  
005bceb0 726a8277 03108d70 0000004a 00000001 IDA!run\_plugin+0x3a  
005bcee0 726a9f2f 66bff840 00000000 3bf980a6 dbg+0x8277  
005bcf04 753d5b1b 00000006 753d5b1b 0000077f dbg+0x9f2f  
005bcf0c 753d5b1b 0000077f 031596a0 3fe84430 SYSFER+0x45b1b  
005bcf44 753d5a1c 00000006 3fe844c4 0000000f SYSFER+0x45b1b  
005bcfc0 00100000 00001000 00000000 00000010 SYSFER+0x45a1c  
005bd0b0 00100000 00001000 00100000 00001000 idaq+0x70000  
005bd0b8 00100000 00001000 00000000 00000010 idaq+0x70000  
005bd174 726aa175 66bff840 000000e8 031597c0 idaq+0x70000  
00000000 00000000 00000000 00000000 00000000 dbg+0xa175  
eax=00000000 ebx=07de0ba8 ecx=00000007 edx=00000000 esi=02532fe8 edi=005bc114  
eip=77559966 esp=005bbdf4 ebp=005bbdfc iopl=0         nv up ei ng nz ac pe cy  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297  
msvcrt!memcpy+0x56:  
77559966 8b448efc        mov     eax,dword ptr \[esi+ecx\*4-4\] ds:0023:02533000=????????

  

\---<cut>---

Next case below.  

**Case #02:**

\---<cut>---

(...)

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86  
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\\Program Files\\IDA 6.6\\idaq.exe" -B -A -a- -c C:\\FOE2\\fuzzdir\\campaign\_ijatnp\\iteration\_uw\_mli\\foe-crash-reinn3\\sf\_0d75862d5d90166274cc61a363c74828-492.exe  
(...)  
Executable search path is:  
ModLoad: 013c0000 016d3000   idaq.exe  
(...)  
(15a8.12b8): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=06bac1fc ebx=08250ba8 ecx=00000007 edx=00000000 esi=06bac1e0 edi=0025be54  
eip=77559dbd esp=0025bb34 ebp=0025bb3c iopl=0         nv up ei ng nz ac pe cy  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297  
msvcrt!malloc+0xcf:  
77559dbd 8b448ee4        mov     eax,dword ptr \[esi+ecx\*4-1Ch\] ds:0023:06bac1e0=????????

0:000> r;r;!exploitable -v;kb;r;q  
eax=06bac1fc ebx=08250ba8 ecx=00000007 edx=00000000 esi=06bac1e0 edi=0025be54  
eip=77559dbd esp=0025bb34 ebp=0025bb3c iopl=0         nv up ei ng nz ac pe cy  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297  
msvcrt!malloc+0xcf:  
77559dbd 8b448ee4        mov     eax,dword ptr \[esi+ecx\*4-1Ch\] ds:0023:06bac1e0=????????  
eax=06bac1fc ebx=08250ba8 ecx=00000007 edx=00000000 esi=06bac1e0 edi=0025be54  
eip=77559dbd esp=0025bb34 ebp=0025bb3c iopl=0         nv up ei ng nz ac pe cy  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297  
msvcrt!malloc+0xcf:  
77559dbd 8b448ee4        mov     eax,dword ptr \[esi+ecx\*4-1Ch\] ds:0023:06bac1e0=????????

!exploitable 1.6.0.0  
HostMachine\\HostUser  
Executing Processor Architecture is x86  
Debuggee is in User Mode  
Debuggee is a live user mode debugging session on the local machine  
Event Type: Exception  
Exception Faulting Address: 0x6bac1e0  
First Chance Exception Type: STATUS\_ACCESS\_VIOLATION (0xC0000005)  
Exception Sub-Type: Read Access Violation

Faulting Instruction:77559dbd mov eax,dword ptr \[esi+ecx\*4-1ch\]

Basic Block:  
    77559dbd mov eax,dword ptr \[esi+ecx\*4-1ch\]  
       Tainted Input operands: 'ecx','esi'  
    77559dc1 mov dword ptr \[edi+ecx\*4-1ch\],eax  
       Tainted Input operands: 'eax','ecx'  
    77559dc5 jmp msvcrt!memset+0x8a (7755981a)

Exception Hash (Major/Minor): 0xa95bda97.0x1ca78871

 Hash Usage : Stack Trace:  
Excluded    : msvcrt!malloc+0xcf  
Major+Minor : dbghelp!StackWalk64+0x1bba  
Major+Minor : dbghelp!SymGetModuleInfoW64+0x549  
Major+Minor : dbghelp!FindExecutableImage+0x80e  
Major+Minor : dbghelp!StackWalk64+0x2a85  
Major+Minor : dbghelp!StackWalk64+0x2cff  
Minor       : dbghelp!SymLoadModuleEx+0x44  
Minor       : dbghelp!SymLoadModule64+0x23  
Minor       : pdb+0x1a8d7  
Minor       : IDA!run\_plugin+0x3a  
Minor       : dbg+0x8277  
Minor       : dbg+0x9f2f  
Minor       : SYSFER+0x45b1b  
Minor       : SYSFER+0x45b1b  
Minor       : SYSFER+0x45a1c  
Instruction Address: 0x0000000077559dbd

Description: Data from Faulting Address controls subsequent Write Address  
Short Description: TaintedDataControlsWriteAddress  
Exploitability Classification: PROBABLY\_EXPLOITABLE  
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls subsequent Write Address starting at msvcrt!malloc+0x00000000000000cf called from dbghelp!StackWalk64+0x0000000000001bba (Hash=0xa95bda97.0x1ca78871)

The data from the faulting address is later used as the target for a later write.  
ChildEBP RetAddr  Args to Child                
WARNING: Stack unwind information not available. Following frames may be wrong.  
0025bb3c 679a5b61 0025be54 06bac1e0 0000001c msvcrt!malloc+0xcf  
0025bb50 679a1059 08250ba8 00000000 06790000 dbghelp!StackWalk64+0x1bba  
0025befc 679c8036 08250ba8 00000002 00000000 dbghelp!SymGetModuleInfoW64+0x549  
0025bf14 679a6a2c 08250ba8 4794d435 00000000 dbghelp!FindExecutableImage+0x80e  
0025c3a4 679a6ca6 beeffeed 0824b518 00400000 dbghelp!StackWalk64+0x2a85  
0025c808 679c3a0e beeffeed 0824b430 00000000 dbghelp!StackWalk64+0x2cff  
0025c868 679c3aa4 beeffeed 00000000 0824b430 dbghelp!SymLoadModuleEx+0x44  
0025c894 6a26a8d7 beeffeed 00000000 033aa130 dbghelp!SymLoadModule64+0x23  
0025c968 6677515a 00000001 00000010 03359768 pdb+0x1a8d7  
0025cbf0 70ce8277 03359768 0000004a 00000001 IDA!run\_plugin+0x3a  
0025cc20 70ce9f2f 6689f840 00000000 4795787b dbg+0x8277  
0025cc44 753d5b1b 00000006 753d5b1b fffffffe dbg+0x9f2f  
0025cc4c 753d5b1b fffffffe 0333aa21 47653451 SYSFER+0x45b1b  
0025cc84 753d5a1c 00000006 47653425 0000000f SYSFER+0x45b1b  
0025ccfc 00000000 00100000 00001000 00000000 SYSFER+0x45a1c  
eax=06bac1fc ebx=08250ba8 ecx=00000007 edx=00000000 esi=06bac1e0 edi=0025be54  
eip=77559dbd esp=0025bb34 ebp=0025bb3c iopl=0         nv up ei ng nz ac pe cy  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297  
msvcrt!malloc+0xcf:  
77559dbd 8b448ee4        mov     eax,dword ptr \[esi+ecx\*4-1Ch\] ds:0023:06bac1e0=????????

  

\---<cut>---

Another variant below.

**Case #03:**

\---<cut>---

(...)  
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86  
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\\Program Files\\IDA 6.6\\idaq.exe" -B -A -a- -c C:\\FOE2\\fuzzdir\\campaign\_egm\_o8\\iteration\_j1fril\\foe-crash-oxqtdm\\sf\_76ffd62a1f8250f56b56d8aa211b31a9-252  
(...)  
Executable search path is:  
ModLoad: 000f0000 00403000   idaq.exe  
(...)  
ModLoad: 69020000 6904c000   C:\\Program Files\\IDA 6.6\\loaders\\macho.ldw  
(1594.1f2c): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=03b8bba0 ebx=0a00001c ecx=02800007 edx=00000000 esi=f9b8bb84 edi=086a0020  
eip=68ee1ed7 esp=0050d234 ebp=0050d23c iopl=0         nv up ei pl nz ac pe nc  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216  
MSVCR100!memcpy+0x57:  
68ee1ed7 f3a5            rep movs dword ptr es:\[edi\],dword ptr \[esi\]

0:000> r;r;!exploitable -v;kb;r;q  
eax=03b8bba0 ebx=0a00001c ecx=02800007 edx=00000000 esi=f9b8bb84 edi=086a0020  
eip=68ee1ed7 esp=0050d234 ebp=0050d23c iopl=0         nv up ei pl nz ac pe nc  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216  
MSVCR100!memcpy+0x57:  
68ee1ed7 f3a5            rep movs dword ptr es:\[edi\],dword ptr \[esi\]  
eax=03b8bba0 ebx=0a00001c ecx=02800007 edx=00000000 esi=f9b8bb84 edi=086a0020  
eip=68ee1ed7 esp=0050d234 ebp=0050d23c iopl=0         nv up ei pl nz ac pe nc  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216  
MSVCR100!memcpy+0x57:  
68ee1ed7 f3a5            rep movs dword ptr es:\[edi\],dword ptr \[esi\]

!exploitable 1.6.0.0  
HostMachine\\HostUser  
Executing Processor Architecture is x86  
Debuggee is in User Mode  
Debuggee is a live user mode debugging session on the local machine  
Event Type: Exception  
Exception Faulting Address: 0xfffffffff9b8bb84  
First Chance Exception Type: STATUS\_ACCESS\_VIOLATION (0xC0000005)  
Exception Sub-Type: Read Access Violation

Faulting Instruction:68ee1ed7 rep movs dword ptr es:\[edi\],dword ptr \[esi\]

Exception Hash (Major/Minor): 0x37d7dcd9.0xba787c31

 Hash Usage : Stack Trace:  
Major+Minor : MSVCR100!memcpy+0x57  
Major+Minor : macho+0xd468  
Major+Minor : macho+0x106e9  
Instruction Address: 0x0000000068ee1ed7

Description: Read Access Violation on Block Data Move  
Short Description: ReadAVonBlockMove  
Exploitability Classification: PROBABLY\_EXPLOITABLE  
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at MSVCR100!memcpy+0x0000000000000057 (Hash=0x37d7dcd9.0xba787c31)

This is a read access violation in a block data move, and is therefore classified as probably exploitable.  
ChildEBP RetAddr  Args to Child                
WARNING: Stack unwind information not available. Following frames may be wrong.  
0050d23c 6902d468 086a0020 f9b8bb84 0a00001c MSVCR100!memcpy+0x57  
0050d26c 690306e9 f9b8bb84 0a00001c 6dc29131 macho+0xd468  
00000000 00000000 00000000 00000000 00000000 macho+0x106e9  
eax=03b8bba0 ebx=0a00001c ecx=02800007 edx=00000000 esi=f9b8bb84 edi=086a0020  
eip=68ee1ed7 esp=0050d234 ebp=0050d23c iopl=0         nv up ei pl nz ac pe nc  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216  
MSVCR100!memcpy+0x57:  
68ee1ed7 f3a5            rep movs dword ptr es:\[edi\],dword ptr \[esi\]

  

\---<cut>---

I think it should be enough to start your own 'Night Fuzzing Session' ;)

"Probably" _nihil novi_ here... ;>  

 

... "but" maybe you'll find it useful. ;)  

If you'll have any questions or comments \- feel free to ping me.

Have a nice weekend! 

Cheers

Tag

#microsoft