Threat Simulator: September 2023 Update
Cyberattacks are on the rise, and so is the cost of a data breach. According to IBM and the Ponemon Institute, the cost of data breaches has reached an all-time high globally, averaging $4.35 million per incident. Therefore, it's important for you to stay one step ahead and protect what matters most.
To assist you, our global Application and Threat Intelligence Research (ATI) group has developed several new simulations for Threat Simulator. These include new endpoint assessments, such as Malware emulation for LockBit 3, and new network audits for MOVEit Transfer. Additionally, we have created a significant number of Threat Campaigns, covering everything from Adobe ColdFusion vulnerabilities to Emotet malware exploits on Microsoft and DarkGate Loader Malware delivered via Microsoft Teams.
Keysight’s Threat Simulator allows you to create threat simulations within hours of discovering new threats, enabling you to rapidly identify, remediate, and validate exploitable security vulnerabilities before experiencing the pain and costs of a data breach.
Read about these new simulations and learn how you can stay safe from the latest threats.
New Endpoint Assessments
Endpoint - Malware Emulation: LockBit 3 July 2023
This assessment emulates the activity of the malware sample identified with the SHA256 hash: a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e.
LockBit 3, also known as LockBit Black, is a Ransomware-as-a-Service (RaaS) group that was first observed in 2022. It is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit. Starting from 2020, LockBit ransomware has operated as a variant that relies on affiliates. These affiliates, who utilize the LockBit RaaS, employ diverse tactics, techniques, and procedures (TTPs) to target a broad spectrum of businesses and critical infrastructure organizations. This wide-ranging approach poses challenges for effectively defending and mitigating computer network attacks.
This assessment emulates the infection and will not execute the actual malware. The emulation binary is generated on-demand, for each assessment run.
Endpoint - Malware Emulation: SunCrypt June 2023
This assessment emulates the activity of the malware sample identified with the SHA256 hash: 282a84c7a65b50555c71d5afbabc00b54c28ecc7789a51e41c9b3b17396f818b.
SunCrypt is a Ransomware-as-a-Service (RaaS) group that was first observed in 2019. It was reported as active by multiple entities during 2022, as its operators continued to add new capabilities to the malware.
This assessment emulates the infection and will not execute the actual malware. The emulation binary is generated on-demand, for each assessment run.
Endpoint - Malware Emulation: GandCrab V5 September 2022
This assessment emulates the activity of the malware sample identified with the SHA256 hash: e0edd00203acc80dfeb3121dfe150c1fa5cbc6341b3cdeb1e8271adbc9d7be5c.
GandGrab (also known as GrandCab) is a Ransomware-as-a-Service (RaaS) first seen in January, 2018. Although the ransomware campaign was very active in 2018, new variants were observed recently. Observed infection vectors include spam/phishing emails and exploit kits. The malware is usually downloaded from compromised domains.
This assessment emulates the infection and will not execute the actual malware. The emulation binary is generated on-demand, for each assessment run.
New Network Audits
Progress MOVEit Transfer SILCertToUser SQL Injection; TACTIC TA0001, Technique T1190, CVE: 2023-35036
This audit exploits an SQL injection vulnerability in MOVEit Transfer. This vulnerability is due to insufficient input validation in the 'X-IPSGW-ClientCert' header of the request sent to the endpoint /certtousergw.aspx. A remote, unauthenticated attacker could exploit this vulnerability by injecting SQL injection payload in the issuer or the subject field of the certificate in the request. A successful attack may result in arbitrary SQL command execution against the database on the target server.
Progress MOVEit Transfer moveitisapi SQL Injection, TACTIC TA0001, Technique T1190, CVE: 2023-34362
This audit exploits an SQL injection vulnerability for MOVEit Transfer. This vulnerability is due to lack of input validation sent to the endpoints /MOVEitISAPI.dll and /guestaccess.aspx. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. A successful attack may result in arbitrary SQL command execution against the database on the target server.
Citrix ADC formsso Remote Code Execution, TACTIC TA0001, Technique T1190, CVE: 2023-3519
A remote code execution vulnerability exists in Citrix Application Delivery Controller (ADC). The remote code execution is possible using a buffer overflow vulnerability, due to improper sanitization of HTTP request path. The flaw may be exploited by an unauthenticated attacker to execute arbitrary commands on the target server.
New Threat Campaigns
Multiple Threats Target Adobe ColdFusion Vulnerabilities
Fortinet has released a report regarding attacks on Adobe's Coldfusion solution, exploiting it's vulnerabilities and injecting different kinds of malwares.
Firstly, the threat actors try to inject their payload using the Coldfusion API, through a POST request. Moreover, they use reverse shell in order to access the victim's computer and distribute their malicious software.
From the reported malwares, we can observe XMRig Miner and RudeMiner, which are softwares used to mine cryptocurrency, exploiting hijacked CPUs. Another type of malware distributed is Satan DDoS/Lucifer which combines cryptojacking and DDoS, having the capacity to connect to a C2 server and receive different kind of commands from it. The last type of malware is BillGates/Setag backdoor which is a known hijacking tool for initiating attacks.
Why LaZagne Makes D-Bus API Vigilance Crucial
Unit42 has published a report about the use of LaZagne malware in combination with the D-Bus mechanism in order to extract sensitive data from running applications.
Threat actors have chosen D-Bus APIs as a target because they facilitate communication between applications and services, potentially exposing sensitive data which can be later exploited with different hacktools. They used LaZagne stealer in order to fetch account credentials from those APIs, being a tool with high effectiveness in capturing passwords and enabling further exploitation.
Threat Actor Interplay | Good Day’s Victim Portals and Their Ties to Cloak
SentinelOne has published a report on a ransomware campaign using Good Day variant from the ARCrypter ransomware family, which leads the victims to a known Cloak extortion site, each target having a individual TOR-based portal.
Good Day ransomware victims are greeted with a 'Good Day' message with instructions to open their individually made TOR portal. There they are being threatened with having their data leaked or sold on the Cloak website, and those victim chats remain publicly accessible.
A Good Day sample is masked as a Microsoft Windows Update executable. Once run, it asks for elevate privileges and then afterwards it starts to encrypt files and remove volume shadow copies.
Earth Estries Targets Government, Tech for Cyberespionage
TrendMicro released a report regarding a new threat group called Earth Estries, which shares similarities with FamousSparrow, that started cyber espionage campaigns in multiple countries.
Earth Estries members designed attacks by utilizing previously compromised administrator accounts from which they deployed penetration testing tools and frameworks such as Cobalt Strike and Metaplosit.
Afterwards, once persistence and C2 communication are achieved, attackers deployed several backdoor and information stealer malware such as Zingdoor, TrillClient and HemiGate.
Most of these malicious programs are executed via DLL sideloading techniques.
From Hidden Bee to Rhadamanthys – The Evolution of Custom Executable Formats
CheckPoint Research presented a very highly intelligent threat actor which built the Rhadamanthys infostealer together with their own executable file formats in order to bypass defensive mechanisms.
Rhadamanthys shares numerous similarities with Hidden Bee coin miner. Since both use totally different executable file formats than the Windows PE standard, these malware applications cannot be run by the default Windows loader component.
The threat actor employed the use of custom kernel loader modules compatible with their malicious file formats or the use of self-loading components.
In addition, Rhadamanthys is highly customizable and extendible and uses various countermeasures to evade analysis, or to load modules agnostic to the system architecture using the Heaven’s Gate technique.
ICYMI: Emotet Reappeared Early This Year, Unfortunately
Trellix published an article regarding the return of Emotet malware which now exploits Microsoft Word macros and OneNote files with embedded scripts.
The initial infection vector is through email phishing or thread hijack, in which previously compromised email accounts, now added to the botnet, impersonate legitimate users.
An intricate method to evade detection is the use of bloating malicious macros, with useless information, to the point of making them too big to be analyzed by antivirus products.
Emotet has a complex behavior and is capable of gathering data about the victim system, communicating with C2 servers and compromising computers for further use in spreading operations.
Tracking Fileless Malware Distributed Through Spam Mails
Ahnlab has published a report about a malware that is being distributed via spam emails and is contained in a .hta script file. When run, it automatically executes malware strains, without creating a file into the user PC.
The threat actor starts by sending emails to victims that contain an ISO file with the malicious payload. When run, it executes Powershell commands by mshta.exe, using a fileless method that does not create a binary into a PE file, but executes it in the memory area of PowerShell.
In the end, the malware connects to a C2 server from which it downloads remote access tools as the final binary in the phishing campaign.
Distribution of Backdoor via Malicious LNK: RedEyes (ScarCruft)
Ahnlab has published a report about ScarCruft malware that is now distributed in LNK format, a slightly modified version from the previously detected CHM one.
Firstly, the threat actor distributes this malware as a zip file uploaded on a regular websites, and it contains an LNK with normal Excel document data and a malicious script code. When run, this file creates a normal .xlsx document and a malicious .bat script, which, after execution, it locks itself into a registry and runs a PowerShell command that connects the victim to a C2 server.
After connection, the threat actor sends different commands to the malware, which can collect information from the victim or download additional files. By looking at those commands, it is suspected that the attacker is continuously modifying the script code.
RedEyes (ScarCruft)’s CHM Malware Using the Topic of Fukushima Wastewater Release
AhnLab warned about phishing emails which falsely contain information about the Fukushima Wastewater incident.
The initial infection vector is through a Microsoft Compiled HTML Help (CHM) file spread by phishing emails. Once opened, the file executes a PowerShell script embedded into it which gains persistence and runs the main malware after a reboot.
The main malware is fetched from a URL specified in the CHM file and it is represented by a JavaScript module able to further download files from attacker-controlled servers or upload local file as an exfiltration method.
Chae$ 4: New Chaes Malware Variant Targeting Financial and Logistics Customers
Morphisec released a report regarding the Chae$4 malware being able to steal banking account credentials, intercept confidential network traffic and hijack cryptocurrency transactions.
The Chae$4 is a Python-based modular malware being delivered as a fake Windows installer package (MSI). Once executed, it gains persistence on the system and executes initialization PowerShell commands in a stealthy way.
The Python modules deployed are being decrypted only at runtime and are responsible with gathering credentials Mercado e-commerce platform, Caixa bank and gather metadata from WhatsApp. In addition, it can replace crypto wallets addresses, stored temporarily in clipboard memory, with attacker-controlled ids in order to hijack future transactions.
New Agent Tesla Variant Being Spread by Crafted Excel Document
Fortinet has published an article explaining how attackers exploit vulnerabilities found 5 years ago in Excel documents, to run arbitrary code and install Agent Tesla information stealer.
The vulnerabilities are CVE-2017-11882 and CVE-2018-0802 and allow attacker to run a payload embedded in a specifically crafted equation. These Excel documents come from phishing operations.
The secret payload downloads a .NET application which further downloads Agent Tesla and executes it by pausing and emptying a genuine process of its executable contents while replacing them with malicious ones.
Agent Tesla is capable of keylogging, taking screenshots and gathering credentials stored in browsers. Critical information is further exfiltrated through email communication with the attacker-controlled inboxes.
Technical Analysis of HijackLoader
Zscaler ThreatLabz presented a detailed analysis regarding the innerworkings of a popular malware loader called HijackLoader.
This malware has a modular architecture perfect for adding further behavioral features. As a loader, it does not present any destructive features, its only responsibility being to prepare the victim system for further malicious payloads such as Danabot, SytemBC or RedLine Stealer.
HijackLoader presents anti-analysis techniques such as delaying code execution or different behavior based on what antivirus product is present.
In order to load further malware, it hijacks genuine DLLs by injecting malicious code or by tampering and patching internal process metadata.
New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware
IBM Security X-Force discovered that a threat group (Hive0129) is targeting individuals associated with different industries via a phishing campaign where the threat actor sends fake emails imitating an electronic conscription by the Russian Ministry of Defence.
The campaign starts with a fake email which includes multiple images along with logos of the official coat of arms of the Russian Ministry of Defense. Each of them contains an archive attachement with an executable that ultimately installs DarkWatchman malware.
After installation, it proceeds to contact different domains in order to download additional encrypted malicious files. When executed, the backdoor creates a scheduled task to run with elevated permissions and after startup, the malware will perform some preliminary steps and then connect to the C2 server.
In the end, it collects information such as computer name, username, smartcard reader driver, which can indicate that the threat actor performs compromise operations on different entities.
macOS MetaStealer | New Family of Obfuscated Go Infostealers Spread in Targeted Attacks
SentinelOne has published a report about a new information stealer malware written in Go which affects macOS devices.
This malware is distributed by threat actors via malicious application bundles contained in disk image format with names such that they are meant to easily trick business users. Those disk images contain an icon image and an executable that can only be run on Intel versions of Apple products.
In the end, after the executable is run, the MetaStealer connects to a C2 server and targets Telegram and Meta services.
BlueShell Used in APT Attacks Against Korean and Thai Targets
Ahnlab has published a report about some attack cases against Korean and Thai companies using BlueShell, a backdoor malware written in Go language which supports TLS encryption and bypasses network detection.
One of the main advantages of being written in Go is the fact that it is easy to develop and offers cross-platform support. Because of that, multiple attacks on Windows and Linux have been observed, targeting vulnerable servers to breach information or encrypt files and demand money. On the Windows version, in one case, the threat actor used Lsass dump tool in order to steal account credentials and fscan tool to scan the internal network.
Regarding the Linux systems, there has been observed that a modified version of BlueShell was used, with the help of a dropper. It is responsible for creating and executing BlueShell like an ordinary dropper, but it uses a new environment variable, which contains encrypted connection data to a C2 server, used later by the BlueShell malware itself.
Analyzing a Facebook Profile Stealer Written in Node.js
TrendMicro discovered that an information stealer packed as a NodeJS application is being spread through Facebook advertisements.
If a victim is deceived to click on such ads, they would be redirected to third-party websites hosting malicious archives. Once unarchived, the malware packed with all software dependencies and with the NodeJS runtime is executed.
Finally, the stealer gathers Facebook, Gmail and Outlook credentials, session cookies, Facebook account details such as username, email and access tokens. The information is exfiltrated through a Telegram bot or to a C2 server through GraphQL messages and API.
DarkGate Loader Malware Delivered via Microsoft Teams
Truesec released a report on a Microsoft Teams campaign spreading DarkGate Loader Malware via social engineering.
DarkGate Loader related malware spam campaigns have become more frequent since June 2023, when its author started advertising it on cybercrime forums as Malware-as-a-Service.
Until recently, DarkGate Loader was traditionally delivered through email phishing campaigns. However, the incident presented in this report involved the delivery of DarkGate Loader via HR-related social engineering Microsoft Teams chat messages.
PSA: Ongoing Webex malvertising campaign drops BatLoader
Malwarebytes has published a report about a new malvertising campaign, which uses a malicious ad for Webex on Google search, in order to install Batloader and drop the DanaBot malware.
The ad is made to look legitimate, using the official Webex logo and website. The threat actor exploited a loophole knows as the tracking problem, where it created a Firebase URL as a tracking template and performed a number of checks to determine if there is a pontential victim.
When the ad is clicked, the user is redirected to a malicious website, which is very similar to Webex official website. From there, the downloaded file is a MSI file which installs the BatLoader. In the end, from the BatLoader, the DanaBot malware is dropped on the victim's computer.
3AM: New Ransomware Family Used As Fallback in Failed LockBit Attack
Symantec has published a report on a completely new ransomware written in Rust that is used by threat actors when the LockBit ransomware was blocked.
This malware was deployed on the victim's network and it is a rust executable which has multiple parameters. After it is executed, it tries tu run different commands which attempt to stop various security and backup related software. In the end, it deletes the original files and Volume Shadow (VSS) copies, leaving the user only with the encrypted ones.
Analysis of Andariel’s New Attack Activities
Ahnlab has published a report regarding the activity of Andariel threat actor which includes an analysis of previous attacks and the correlation between them and recent attacks on Korean institutions.
The past attacks done by Andariel group feature different tools such as Innorix Agent, Volgmer, Andardoor or 1th Troy, all of them being backdoor strains which connect to a C2 server and receive commands from the threat actor. Attacks on Korean corporations were also noted. In this cases, the attackers used remote access tools, such as TigerRAT, Black RAT or NukeSped.
As for the recent attacks, aside from the fact that Innorix was used and analysis showed that there was a connection between strains, there have been found new cases of attacks similar to those done in the past on Korean universities. Besides that, the attacker used new tools such as AndarLoader, written in .NET, and DurianBeacon, with versions in Go and Rust, both malware strains having backdoor and remote access capacities.
New MidgeDropper Variant
Fortinet has published a report on a new dropper malware variant, MidgeDropper, which has a complex infection chain with different layers of obfuscation.
It starts with a .RAR arhive, presumably distributed as an attachment for a phishing email. This archive contains a .pdf file that when opened shows the victim a windows saying that it could not open, and an .exe file which drops different decoy and malicious files. The process continues, as every executable continues to create malicious obfuscated files or scripts, such as .dll or .xml files.
OriginBotnet Spreads via Malicious Word Document:
Fortinet found various Microsoft Office documents which deploy different malicious payloads such as OriginBotnet, RedLine Clipper and AgentTesla.
The Word document is distributed as attachment via a phishing email. It contains an embedded malicious link from which the initial loader is acquired. When run, this file goes through different stages of decryption until the ultimate payload is obtained.
RedLine Clipper is a cryptocurrency stealer which uses the user's system clipboard activities to substitute the destination wallet address with one belonging to the attacker. AgentTesla and OriginBotnet are two similar malwares which scan the disk to uncover credentials and collect data, in order to connect and transmit them to a C2 server.
Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)
Mandiant released a follow-up report regarding the Chinese threat actor identified as UNC4841, which showcase new methods to exploit the CVE-2023-2868 vulnerability in the Barracuda Email Security Gateway (ESG).
It has been observed that the threat actor has used selective deployment of specific malware tools for different targets. These tools are SKIPJACK, DEPTHCHARGE, and FOXTROT / FOXGLOVE
SKIPJACK is a passive backdoor that works by injecting Lua code into Barracuda ESG, setting up a listener to monitor designated email headers and subjects, and then decoding and executing the content of them. It also has the most variants from the all three and is the most widely deployed.
DEPTHCHARGE is a backdoor malware packed as a Linux shared object library, pre-loaded into the Barracuda SMTP. It can connect through TCP to the C2 server and executes commands from received from it, having backdoor capability as a Linux daemon. In was discovered that the malware execution chain contains a file that defines a malicious trigger in the MySQL database and in some instances, the threat actor was harvesting credentials from the database.
FOXGLOVE is a launcher written in C that executes the FOXTROT (written in C++) backdoor. It communicates via TCP and is able to be used as a proxy, receiving commands from a C2 server. It was not specifically designed for Barracuda ESGs.
It was discovered that the threat actor tried to move laterally to Active Directory and OWA from impacted ESG appliances. It employed different methods, such as log in to mailboxes from users within the victim organization or harvesting credentials using their data. In one case it managed to access Windows Server Update using a domain administrator account.
SapphireStealer: Open-source information stealer enables credential and data theft
Talos announced the apparition of a new open-source information stealer labeled as SaphireStealer, which was modified or enhanced using other malicious tools by numerous attackers.
SaphireStealer is a .NET malware capable of gathering system and hardware information, take screenshots, capture cached browser credentials and inspect file contents. The exfiltration data process is through Simple Mail Transfer Protocol (SMTP) in which SaphireStaler send emails to attacker-controlled inboxes.
Other modifications observed by Talos, regarding the exfiltration, are the use of Discord or Telegram API. In addition, a malware variant was deployed using a .NET malicious tool called FUD-Loader.
Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets
Microsoft has published a report about a threat actor that has conducted password spray campaigns against thousands of organizations in order to collect valuable informations from defense, satellite and pharmaceutical sectors.
The threat actor used a single password or a list of commonly-used passwords to authenticate to many different accounts, reducing the chances of account lockout. After authentication, they used different tools such as AzureHound or Roadtools to conduct reconnaissance and collect data from the victims. In some cases, the threat actor installed the Azure Arc client in the compromised environment and connected it to an Azure subscription controlled by them.
During the campaign, the threat actor attempted to exploit vulnerabilities (CVE-2022-47966 and CVE-2022-26134) with a public proof-of-concept (POC) in Zoho ManageEngine or Confluence.
Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
TrendMicro has released a report about a threat actor targeting the public-facing servers of its victims, exploiting N-day vulnerabilities in order to deploy backdoors and collect documents or account credentials.
It starts with binary file containing an encrypted payload for a loader, developed with a publicly available Linux ELF injector called mandibule. It sets up the second stage of the attack, loading the malicious file and decrypting it.
This file connects to a C2 server from which it receives encrypted messages via TCP. Afterwards, it implements several backdoor commands such as collecting system information, starting an interactive shell, uploading, downloading, deleting, renaming files and others.
Behind the Scenes of BBTok: Analyzing a Banker’s Server Side Components
CheckPoint researchers presented an update regarding new features of a banking trojan called BBTok, impersonating over 40 banks and targeting users in Mexico and Brazil.
The attacks start from a phishing site which tricks victims into downloading archives told to contain PDF documents. The phishing server gathers the IP of an incoming victim and geo-locates it using third party websites. Only users from Mexico and Brazil are allowed to download such the malicious archives.
The infection chain is specifically tailored for the victim’s Windows version. The malicious BBTok is enriched with malicious payloads based on the target system particularities.
BBTok is written in Delphi and creates graphical windows impersonating various login screens from banking websites. Account credentials and two-factor authentication tokens are smuggled through this fake interface.
Ransomware Roundup - Retch and S.H.O.
Fortinet released a report regarding 2 ransomware applications called Retch and S.H.O.
Retch is a ransomware targeting consumers rather than enterprises based on the small ransom fee. Because the malware generates 2 different files explaining how to recover affected files with different fees and different wallet addresses, it is believed that threat actors copied the open-source Hidden Tear ransomware without any modifications from their part.
S.H.O encrypts only files having a particular extension and ignores folders hosting critical Windows binaries. Once encryption finishes, the desktop background is replaced with a message stating that the system has been compromised.
The initial infection step for both malware has not been found or disclosed.
Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit
SentinelOne published a detailed article regarding a new modular backdoor, LuaDream which is created by the Sandman threat group, that leverages lateral movement and stealthy techniques in its behavior.
The initial infection step is done by intercepting password hashes in the context of NTLM authentication protocol dialogue. The attacker then hijacks a genuine DLL found in Windows with a malicious payload and waits for internal Windows services, that use the targeted DLL, to reboot in order to continue the attack. Thus by not forcing service restart and manual loading of the hijacked DLL, attackers can bypass security solutions.
Afterwards, the Lua runtime environment is installed and ready to execute Lua payloads which are modular components of the LuaDream backdoor.
Finally, the backdoor can both initiate connections with C2 servers or listen for incoming commands issued by attackers. Communication can be done through various protocols such as TCP, HTTPS, WebSocket or QUIC. The data exfiltrated is user and system information.
New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants
Cisco Talos has published a report about a threat actor targeting telecommunications companies in the Middle East in order to interface with Windows HTTP kernel drivers and devices to listen to incoming requests and execute content on the infected endpoint.
These attacks come in two variants, HTTPSnoop and PipeSnoop. The first one relies on DLL hijacking in benign applications and services. This variant proceeds to make numerous calls to kernel devices in order to set up a web server endpoint for its backdoor.
PipeSnoop is similar to HTTPSnoop but it is intended for use against targets considered more valuable or high-priority. It will simply attempt to connect to a pre-existing named pipe on the system
#StopRansomware: Snatch Ransomware
CISA and FBI published a report regarding the Snatch threat group operating a Ransomware-as-a-Service business.
Malicious users utilizing Snatch ransomware variants infect victims through brute-forcing administrator credentials in Remote Desktop Protocol. Other incidents were not related to brute-forcing but to previously stolen credentials which were sold on various criminal forums.
The malware gains persistence by running itself as a Windows service. Threat actors also maintained network connection with infected systems and tried to move laterally through the affected network.
In addition, Snatch ransomware forces the system to reboot in Safe Mode in order to close security products.
Finally, files are encrypted and backup memory volumes are deleted.
HiddenGh0st Malware Attacking MS-SQL Servers
Ahnlab has published a report about Gh0st RAT malware affecting poorly managed MS-SQL servers in order to perform different operations and steal credentials.
Gh0st RAT source code is public on Github and is mainly used by threat actors based in China. It contains a config file with multiple configurations, such as the C2 server, installation method, path or file names. There are multiple methods of installation. If the configuration data is set to "service", the data is copied and registered as a service, which after being run, will proceed to the installation process. Otherwise, the malware will copy itself to a startup folder and run instead of registering as a service.
After installation, the malware connects to the C2 server from which it starts to receive different commands. HiddenGh0st has a feature that installs Mimikatz, allowing it to steal account credentials from infected systems.
If specified, Gh0st RAT variant can also install a rootkit which will be classified as HiddenGh0st. It can perform basic operations, hide files and provides a process protection feature.
CoinMiner Distribution Process within Infiltrated Systems (Detected by EDR)
Ahnlab has published a report about a process after which CoinMiners are installed on victim's computers via injection.
The malware is installed by a PowerShell script executed as a PowerShell command through the CMD process. It can receive data files from a distribution site, decrypt and inject them.
Threat Actors Exploit the Tensions Between Azerbaijan and Armenia
Fortinet found how an unknown threat actor, possibly from Colombia, spreading malicious documents that deploy a custom information stealer.
The initial document is an HTML file containing hidden binary payloads which drop an archive on the victim system. Such archive contains both genuine images and a link file which once executed downloads a malicious Microsoft Installer package (MSI).
The main malware is written in Rust and is capable of gathering information such as names of existing users and IP addresses of all network adapters in the victim machine. Furthermore, if the victim system is used as a proxy server, the information stealer, copies all network traffic flowing through it and sends the copied data back to the C2 server.
In order to be stealthier, the malware is running outside office hours.
People, process and technology are never perfect all the time. Designing, deploying and operating security solutions is a never-ending challenge and regardless of the skills of your people, how well thought out your processes or the quality of your vendors, your organization will eventually run into issues that affect cybersecurity. Many problems and issues are preventable with the appropriate test strategies.
Security issues are often hidden until it's too late. Don't become headline news and lean on Keysight and our award-winning Threat Simulator to better protect you and your customers from preventative issues.
Keysight can help you by providing the proactive capabilities for you to rapidly find, remediate, and validate exploitable security vulnerabilities before they become headline news.
For more information on Threat Simulator visit Keysight Threat Simulator
To sign up our MSSP program visit Keysight MSSP Partner Program