Apr 05, 2024NewsroomMalware / Endpoint Security

Bogus installers for Adobe Acrobat Reader are being used to distribute a new multi-functional malware dubbed Byakugan.

The starting point of the attack is a PDF file written in Portuguese that, when opened, shows a blurred image and asks the victim to click on a link to download the Reader application to view the content.

According to Fortinet FortiGuard Labs, clicking the URL leads to the delivery of an installer (“Reader_Install_Setup.exe”) that activates the infection sequence. Details of the campaign were first disclosed by the AhnLab Security Intelligence Center (ASEC) last month.

The attack chain leverages techniques like DLL hijacking and Windows User Access Control (UAC) bypass to load a malicious dynamic-link library (DLL) file named “BluetoothDiagnosticUtil.dll,” which, in turn, loads unleashes the final payload. It also deploys a legitimate installer for a PDF reader like Wondershare PDFelement.

The binary is equipped to gather and exfiltrate system metadata to a command-and-control (C2) server and drop the main module (“chrome.exe”) from a different server that also acts as its C2 for receiving files and commands.

“Byakugan is a node.js-based malware packed into its executable by pkg,” security researcher Pei Han Liao said. “In addition to the main script, there are several libraries corresponding to features.”

This includes setting up persistence, monitoring the victim’s desktop using OBS Studio, capturing screenshots, downloading cryptocurrency miners, logging keystrokes, enumerating and uploading files, and grabbing data stored in web browsers.

“There is a growing trend to use both clean and malicious components in malware, and Byakugan is no exception,” Fortinet said. “This approach increases the amount of noise generated during analysis, making accurate detections more difficult.”

The disclosure comes as ASEC revealed a new campaign that propagates the Rhadamanthys information stealer under the guise of an installer for groupware.

“The threat actor created a fake website to resemble the original website and exposed the site to the users using the ad feature in search engines,” the South Korean cybersecurity firm said. “The malware in distribution uses the indirect syscall technique to hide from the eyes of security solutions.”

It also follows a discovery that a manipulated version of Notepad++ is being employed by unidentified threat actors to propagate the WikiLoader malware (aka WailingCrab).

Jan 10, 2024NewsroomPatch Management / Threat Intelligence

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution. It was fixed in version 2.1.

Details of the issue first came to light in April 2023, with Horizon3.ai’s Naveen Sunkavally describing it as a “dangerous default configuration in Apache Superset that allows an unauthenticated attacker to gain remote code execution, harvest credentials, and compromise data.”

It’s currently not known how the vulnerability is being exploited in the wild. Also added by CISA are five other flaws –

• CVE-2023-38203 (CVSS score: 9.8) – Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
• CVE-2023-29300 (CVSS score: 9.8) – Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
• CVE-2023-41990 (CVSS score: 7.8) – Apple Multiple Products Code Execution Vulnerability
• CVE-2016-20017 (CVSS score: 9.8) – D-Link DSL-2750B Devices Command Injection Vulnerability
• CVE-2023-23752 (CVSS score: 5.3) – Joomla! Improper Access Control Vulnerability

It’s worth noting that CVE-2023-41990, patched by Apple in iOS 15.7.8 and iOS 16.3, was used by unknown actors as part of Operation Triangulation spyware attacks to achieve remote code execution when processing a specially crafted iMessage PDF attachment.

Federal Civilian Executive Branch (FCEB) agencies have been recommended to apply fixes for the aforementioned bugs by January 29, 2024, to secure their networks against active threats.