[CyberLand News] Weekly #7 - Threats and Malware
Latest news on threats, malware and vulnerabilities in the cyber land
Contents
Supply Chain Attack on 3CX
KEYPLUG Backdoor Used to Attack Windows and Linux Systems
Exchange Server Access via Critical Microsoft Outlook Vulnerability
iCloud keychain stealer
New IcedID malware variants
Supply Chain Attack on 3CX
3CX is currently working on a software update for its desktop app in response to a supply chain attack that has been flagged by several cybersecurity vendors. The attack involves the use of digitally signed and rigged installers for the popular voice and video conferencing software, which are then used to target downstream customers. The threat actor behind this campaign, known as SmoothOperator, has been active since February 2022 and may have launched an attack as recently as March 22, 2023.
3CXDesktopApp, which is developed by 3CX and has over 600,000 customers and 12 million users in 190 countries, is the target of the attack. While the 3CX PBX client is available for various platforms, the attacks observed so far appear to be limited to the Windows Electron client (versions 18.12.407 and 18.12.416) and macOS versions of the PBX phone system.
The attack uses the DLL side-loading technique to load a rogue DLL (ffmpeg.dll), which is designed to retrieve an ICO payload. The final payload is an information stealer that can collect system information and sensitive data stored in popular browsers such as Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox.
The macOS sample (a 381 MB file) carries a valid signature and is notarized by Apple, allowing it to be run without the operating system blocking it. The malicious app also contains a Mach-O binary named libffmpeg.dylib that reaches out to an external server "pbxsources[.]com" to download and execute a file named UpdateAgent. However, the server is currently offline.
According to Huntress, there are 242,519 publicly exposed 3CX phone management systems. Symantec, which is now owned by Broadcom, noted in its advisory that "the information gathered by this malware presumably allowed the attackers to gauge if the victim was a candidate for further compromise."
In response to this attack, 3CX is working on a software update for its desktop app. Users of the affected versions are advised to update their software as soon as possible to avoid falling victim to this attack. Additionally, users should exercise caution when downloading and installing software, especially if it comes from an unfamiliar source. Finally, it is recommended to have reliable, up-to-date antivirus software installed to detect and prevent such attacks.
More details in “3CX VoIP Software Compromise & Supply Chain Threats”
Additional details in “3CX DesktopApp Security Alert”
Additional details in “3CX users under DLL-sideloading attack: What you need to know”
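A defender's first step after a report like this is to find which endpoints run one of the affected builds and whether anything on the network has resolved the download domain named for the macOS sample. The Python below is an added example, not code from 3CX or from any of the vendors cited above; it assumes an asset inventory that exports the 3CXDesktopApp version per host, a DNS log in the constructed "timestamp client query type name" layout, and uses only the version numbers and domain that appear in the article (the later Windows build "18.12.422" in the sample inventory is constructed for contrast). Because the article lists affected versions only for the Windows client, every macOS install is flagged for manual review rather than version-matched.

```python
from dataclasses import dataclass

# Versions of the Windows Electron client that the article lists as affected.
AFFECTED_WINDOWS_VERSIONS = {"18.12.407", "18.12.416"}

# Domain the article names for the macOS sample's UpdateAgent download,
# written without the defanging brackets so it can be matched against logs.
MACOS_C2_DOMAIN = "pbxsources.com"


@dataclass
class Endpoint:
    hostname: str
    platform: str      # "windows" or "macos"
    app_version: str   # 3CXDesktopApp version as reported by the inventory


def triage_inventory(endpoints):
    """Return (hostname, reason) pairs for endpoints that need follow-up."""
    flagged = []
    for ep in endpoints:
        if ep.platform == "windows" and ep.app_version in AFFECTED_WINDOWS_VERSIONS:
            flagged.append((ep.hostname, f"affected Windows build {ep.app_version}"))
        elif ep.platform == "macos":
            # The article gives no affected macOS version list, only that the
            # macOS build was also trojanized, so every macOS install is reviewed.
            flagged.append((ep.hostname, f"macOS build {ep.app_version} installed, verify"))
    return flagged


def _host_matches(name, domain):
    """True for the domain itself or any subdomain of it (not for look-alikes)."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def find_c2_lookups(dns_log_lines):
    """Return (client, queried name) pairs for queries to the named C2 domain."""
    hits = []
    for line in dns_log_lines:
        # Assumed log layout (constructed): "<timestamp> <client> query <type> <name>"
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue  # malformed or non-query line, skip it
        client, qname = parts[1], parts[4]
        if _host_matches(qname, MACOS_C2_DOMAIN):
            hits.append((client, qname))
    return hits


# Constructed sample data for a stand-alone run.
SAMPLE_INVENTORY = [
    Endpoint("ws-01", "windows", "18.12.416"),
    Endpoint("ws-02", "windows", "18.12.422"),   # constructed, not an affected build
    Endpoint("ws-03", "windows", "18.12.407"),
    Endpoint("mac-07", "macos", "18.12.416"),
]

SAMPLE_DNS_LOG = [
    "2023-03-29T10:15:02Z mac-07 query A pbxsources.com",
    "2023-03-29T10:15:03Z ws-01 query A update.pbxsources.com",
    "2023-03-29T10:16:10Z ws-02 query A notpbxsources.com",
    "2023-03-29T10:16:11Z ws-02 query AAAA www.3cx.com",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for host, reason in triage_inventory(SAMPLE_INVENTORY):
        print(f"[inventory] {host}: {reason}")
    for client, qname in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"[dns] {client} resolved {qname}")
```

The suffix match in `_host_matches` is deliberate: it catches subdomains of the named domain while ignoring look-alike names such as `notpbxsources.com`, which a plain substring search would flag.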
KEYPLUG Backdoor Used to Attack Windows and Linux Systems
Recorded Future's Insikt Group has revealed that RedGolf, a Chinese state-sponsored hacking group, has been using a custom backdoor called KEYPLUG to infiltrate Windows and Linux networks.
The group has been active for many years and has targeted various industries around the world. RedGolf has a history of developing and utilizing custom malware, and has demonstrated the ability to weaponize newly reported vulnerabilities quickly.
In 2021 and 2022, the group targeted US state government entities using KEYPLUG, a custom and modular Linux backdoor. RedGolf's recent activity has not been attributed to any specific victims, and the group has also used other tools such as Cobalt Strike and PlugX in addition to KEYPLUG. Its operational infrastructure, codenamed GhostWolf, consists of 42 IP addresses used as command-and-control (C2) servers for KEYPLUG. RedGolf gains initial access to targets' networks by rapidly exploiting vulnerabilities in externally facing enterprise appliances.
More details in “With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets”
Additional details in “Winnti APT group docks in Sri Lanka for new campaign”
Exchange Server Access via Critical Microsoft Outlook Vulnerability
Recently, Microsoft published a guide to help customers discover Indicators of Compromise (IoCs) associated with a vulnerability in Outlook. The flaw, identified as CVE-2023-23397, has a CVSS score of 9.8 and is rated critical. Threat actors exploited the vulnerability to steal NTLM hashes, which they could then reuse in a relay attack without any user interaction. The attackers used malicious emails to trigger the flaw and force the victim's Outlook client to connect to an untrusted, attacker-controlled location. The vulnerability was fixed in Microsoft's March 2023 Patch Tuesday updates, but it had already been weaponized by Russian threat actors against government, transportation, energy, and military sectors in Europe.
Microsoft's incident response team found evidence of the vulnerability being exploited as early as April 2022. A Net-NTLMv2 relay attack allowed an attacker to gain unauthorized access to an Exchange Server, modify mailbox folder permissions, and maintain persistent access. The attacker then used the compromised email account to extend their access by sending additional malicious messages to other members of the same organization. Without a comprehensive threat-hunting strategy, CVE-2023-23397 can lead to credential compromise that goes unnoticed.
Outlook users can open multiple mailboxes at the same time, so a message received through any of the other configured services can still trigger the vulnerability if the user has configured Outlook to open mailboxes from multiple services. Messages can also be moved to a local file, and in some cases evidence of a prior compromise may be found in archived messages, so those locations should be included in the hunt. To avoid being affected by the vulnerability, organizations should implement a comprehensive threat-hunting strategy and apply the necessary patches and updates promptly.
More details in “Microsoft Mitigates Outlook Elevation of Privilege Vulnerability”
Additional info in “MS CVE-2023-23397”
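The hunt the article recommends comes down to looking, across every mailbox and archive a user can open, for messages whose reminder file parameter points at a file share outside the organization, since that is how the client is made to connect to an untrusted location. The Python below is an added example, not Microsoft's published hunting script: it assumes message properties have already been exported to simple dictionaries (by whatever tool the team uses), that the property of interest is exported under its MAPI name `PidLidReminderFileParameter`, and that the organization keeps an allowlist of hosts it legitimately serves files from (the hosts and messages here are constructed). It treats both backslash and forward-slash UNC forms as network paths and strips a trailing `@port` qualifier before comparing the host against the allowlist.

```python
import re

# Hosts from which reminder files may legitimately be loaded (constructed).
TRUSTED_HOSTS = {"fs01.corp.example", "fs02.corp.example"}

# \\host\share\... or //host/share/... ; captures the host component.
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]")


def unc_host(path):
    """Return the host of a UNC path, or None when the path is local or empty."""
    if not path:
        return None
    m = UNC_RE.match(path.strip())
    if not m:
        return None
    host = m.group(1).lower()
    # A UNC host may carry an @port qualifier; compare only the host part.
    return host.split("@")[0]


def is_suspicious_reminder(msg, trusted_hosts=TRUSTED_HOSTS):
    """True when the message's reminder file points at a host outside the allowlist."""
    host = unc_host(msg.get("PidLidReminderFileParameter"))
    return host is not None and host not in trusted_hosts


def hunt(messages, trusted_hosts=TRUSTED_HOSTS):
    """Return (message id, sender, host) for every message worth a closer look."""
    findings = []
    for msg in messages:
        if is_suspicious_reminder(msg, trusted_hosts):
            findings.append((msg["id"], msg["sender"],
                             unc_host(msg["PidLidReminderFileParameter"])))
    return findings


# Constructed export of message properties; 203.0.113.10 is a documentation address.
SAMPLE_MESSAGES = [
    {"id": "msg-001", "sender": "billing@example.net",
     "PidLidReminderFileParameter": r"\\203.0.113.10\share\alert.wav"},
    {"id": "msg-002", "sender": "it@corp.example",
     "PidLidReminderFileParameter": r"\\fs01.corp.example\sounds\ding.wav"},
    {"id": "msg-003", "sender": "hr@corp.example",
     "PidLidReminderFileParameter": r"C:\Windows\Media\chimes.wav"},
    {"id": "msg-004", "sender": "news@example.org"},          # no reminder property at all
    {"id": "msg-005", "sender": "invoice@example.net",
     "PidLidReminderFileParameter": "//203.0.113.10/share/x.wav"},
    {"id": "msg-006", "sender": "invoice@example.net",
     "PidLidReminderFileParameter": r"\\203.0.113.10@80\share\x.wav"},
]

if __name__ == "__main__":
    for msg_id, sender, host in hunt(SAMPLE_MESSAGES):
        print(f"{msg_id} from {sender}: reminder file on untrusted host {host}")
```

Messages that carry a local path or no reminder property at all are ignored, and a share on an allowlisted internal host is not reported, so the output is short enough to review by hand; anything that remains should be checked for the related authentication events on the named host.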
iCloud keychain stealer
A new info-stealing malware called MacStealer is affecting Mac users by stealing their credentials stored in iCloud KeyChain and web browsers, cryptocurrency wallets, and sensitive files.
The malware is being distributed as malware-as-a-service (MaaS): the developer sells premade builds for $100, allowing purchasers to spread the malware in their own campaigns. MacStealer runs on macOS versions from Catalina up to the current release, Ventura.
The malware is distributed as an unsigned DMG file disguised as something the victim is tricked into opening on their Mac. Once executed, it collects the user's account passwords, cookies, and credit card details, extracts the Keychain database, and collects system information.
MacStealer sends all the stolen data to remote command-and-control servers, where the threat actor collects it. Mac users should remain vigilant and avoid downloading files from untrustworthy websites to avoid the threat.
More details in “MacStealer: New macOS-based Stealer Malware Identified”
Additional info in “PureLand — A Fake Project Related to the Sandbox Malspam”
New IcedID malware variants
Proofpoint researchers have identified two new variants of the IcedID loader, called “Lite” and “Forked”. These new versions of the malware have been seen being used by three different threat actors in seven campaigns since late 2022, with a focus on payload delivery, especially ransomware. Unlike previous versions of IcedID, these new variants do not have any online banking fraud functionality and have been designed to be stealthier and leaner, making them harder to detect. The “Lite” variant, first seen in November 2022, was delivered as a second-stage payload on Emotet-infected systems. In February 2023, the “Forked” version was distributed via thousands of personalized invoice-themed phishing emails. The malware loads a decoy PDF while fetching IcedID from a remote resource.
It is important to note that while some threat actors use new variants of the IcedID malware, others still choose to deploy the “Standard” variant. However, these new variants signify a shift towards specializing the bot to payload delivery. The “Forked” version is 64KB smaller than the “Standard” bot, and is basically the same malware without the web injects system, the AiTM functions, and the backconnect capabilities that give threat actors remote access to infected devices. The “Lite” loader variant is lighter, at 20KB, and does not exfiltrate host information to the C2. While most threat actors will continue to use the “Standard” variant, the deployment of new IcedID versions will likely grow, and more variants may pop up later in 2023.
More details in “Fork in the Ice: The New Era of IcedID”
A.I. support for text and images