Popular – INDIA NEWS (http://www.indiavpn.org) News Blog, feed built Fri, 12 Apr 2024 16:37:44 +0000

Popular Rust Crate liblzma-sys Compromised with XZ Utils Backdoor Files
http://www.indiavpn.org/2024/04/12/popular-rust-crate-liblzma-sys-compromised-with-xz-utils-backdoor-files/
Fri, 12 Apr 2024 16:37:44 +0000

“Test files” associated with the XZ Utils backdoor have made their way to a Rust crate known as liblzma-sys, new findings from Phylum reveal.

liblzma-sys, which has been downloaded over 21,000 times to date, provides Rust developers with bindings to the liblzma implementation, an underlying library that is part of the XZ Utils data compression software. The impacted version in question is 0.3.2.

“The current distribution (v0.3.2) on Crates.io contains the test files for XZ that contain the backdoor,” Phylum noted in a GitHub issue raised on April 9, 2024.

“The test files themselves are not included in either the .tar.gz nor the .zip tags here on GitHub and are only present in liblzma-sys_0.3.2.crate that is installed from Crates.io.”

Following responsible disclosure, the files in question (“tests/files/bad-3-corrupt_lzma2.xz” and “tests/files/good-large_compressed.lzma”) have since been removed from liblzma-sys version 0.3.3 released on April 10. The previous version of the crate has been pulled from the registry.

“The malicious test files were committed upstream, but due to the malicious build instructions not being present in the upstream repository, they were never called or executed,” Snyk said in an advisory of its own.

The backdoor in XZ Utils was discovered in late March when Microsoft engineer Andres Freund identified malicious commits to the command-line utility impacting versions 5.6.0 and 5.6.1 released in February and March 2024, respectively. The popular package is integrated into many Linux distributions.

The code commits, made by a now-suspended GitHub user named JiaT75 (aka Jia Tan), essentially made it possible to circumvent authentication controls within SSH to execute code remotely, potentially allowing the operators to take over the system.

“The overall compromise spanned over two years,” SentinelOne researchers Sarthak Misraa and Antonio Pirozzi said in an analysis published this week. “Under the alias Jia Tan, the actor began contributing to the xz project on October 29, 2021.”

“Initially, the commits were innocuous and minor. However, the actor gradually became a more active contributor to the project, steadily gaining reputation and trust within the community.”

According to Russian cybersecurity company Kaspersky, the trojanized changes take the form of a multi-stage operation.

“The source code of the build infrastructure that generated the final packages was slightly modified (by introducing an additional file build-to-host.m4) to extract the next stage script that was hidden in a test case file (bad-3-corrupt_lzma2.xz),” it said.

“These scripts in turn extracted a malicious binary component from another test case file (good-large_compressed.lzma) that was linked with the legitimate library during the compilation process to be shipped to Linux repositories.”

The payload, a shell script, is responsible for the extraction and the execution of the backdoor, which, in turn, hooks into specific functions – RSA_public_decrypt, EVP_PKEY_set1_RSA, and RSA_get0_key – that will allow it to monitor every SSH connection to the infected machine.

The primary goal of the backdoor slipped into liblzma is to manipulate Secure Shell Daemon (sshd) and monitor for commands sent by an attacker at the start of an SSH session, effectively introducing a way to achieve remote code execution.

While the early discovery of the backdoor averted what could have been a widespread compromise of the Linux ecosystem, the development is once again a sign that open-source package maintainers are being targeted by social engineering campaigns with the goal of staging software supply chain attacks.

In this case, it materialized in the form of a coordinated activity that presumably featured several sockpuppet accounts that orchestrated a pressure campaign aimed at forcing the project’s longtime maintainer to bring on board a co-maintainer to add more features and address issues.

“The flurry of open source code contributions and related pressure campaigns from previously unknown developer accounts suggests that a coordinated social engineering campaign using phony developer accounts was used to sneak malicious code into a widely used open-source project,” ReversingLabs said.

SentinelOne researchers revealed that the subtle code changes made by JiaT75 between versions 5.6.0 and 5.6.1 suggest that the modifications were engineered to enhance the backdoor’s modularity and plant more malware.

As of April 9, 2024, the source code repository associated with XZ Utils has been restored on GitHub, nearly two weeks after it was disabled for a violation of the company’s terms of service.

The attribution of the operation and the intended targets are currently unknown, although in light of the planning and sophistication behind it, the threat actor is suspected to be a state-sponsored entity.

“It’s evident that this backdoor is highly complex and employs sophisticated methods to evade detection,” Kaspersky said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Critical Security Flaw Found in Popular LayerSlider WordPress Plugin
http://www.indiavpn.org/2024/04/03/critical-security-flaw-found-in-popular-layerslider-wordpress-plugin/
Wed, 03 Apr 2024 06:29:19 +0000

Apr 03, 2024 | Newsroom | Web Security / Vulnerability

A critical security flaw impacting the LayerSlider plugin for WordPress could be abused to extract sensitive information from databases, such as password hashes.

The flaw, designated as CVE-2024-2879, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as a case of SQL injection impacting versions from 7.9.11 through 7.10.0.

The issue has been addressed in version 7.10.1 released on March 27, 2024, following responsible disclosure on March 25. “This update includes important security fixes,” the maintainers of LayerSlider said in their release notes.

LayerSlider is a visual web content editor, graphic design tool, and digital visual effects package that allows users to create animations and rich content for their websites. According to its own site, the plugin is used by “millions of users worldwide.”

The flaw stems from insufficient escaping of user-supplied parameters combined with the absence of a wpdb::prepare() call, enabling unauthenticated attackers to append additional SQL queries and glean sensitive information, Wordfence said.

The development follows the discovery of an unauthenticated stored cross-site scripting (XSS) flaw in the WP-Members Membership Plugin (CVE-2024-1852, CVSS score: 7.2) that could facilitate the execution of arbitrary JavaScript code. It has been resolved in version 3.4.9.3.

The vulnerability, due to insufficient input sanitization and output escaping, “makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page which is the edit users page,” the WordPress security company said.

Should the code be executed in the context of an administrator’s browser session, it can be used to create rogue user accounts, redirect site visitors to other malicious sites, and carry out other attacks, it added.

Over the past few weeks, security vulnerabilities have also been disclosed in other WordPress plugins such as Tutor LMS (CVE-2024-1751, CVSS score: 8.8) and Contact Form Entries (CVE-2024-2030, CVSS score: 6.4), which could be exploited to disclose information and to inject arbitrary web scripts, respectively.

Hackers Exploiting Popular Document Publishing Sites for Phishing Attacks
http://www.indiavpn.org/2024/03/19/hackers-exploiting-popular-document-publishing-sites-for-phishing-attacks/
Tue, 19 Mar 2024 12:18:22 +0000

Mar 19, 2024 | Newsroom | Email Security / Social Engineering

Threat actors are leveraging digital document publishing (DDP) sites hosted on platforms like FlipSnack, Issuu, Marq, Publuu, RelayTo, and Simplebooklet for carrying out phishing, credential harvesting, and session token theft, once again underscoring how threat actors are repurposing legitimate services for malicious ends.

“Hosting phishing lures on DDP sites increases the likelihood of a successful phishing attack, since these sites often have a favorable reputation, are unlikely to appear on web filter blocklists, and may instill a false sense of security in users who recognize them as familiar or legitimate,” Cisco Talos researcher Craig Jackson said last week.

While adversaries have used popular cloud-based services such as Google Drive, OneDrive, Dropbox, SharePoint, DocuSign, and Oneflow to host phishing documents in the past, the latest development marks an escalation designed to evade email security controls.

DDP services allow users to upload and share PDF files in a browser-based interactive flipbook format, adding page flip animations and other skeuomorphic effects to any catalog, brochure, or magazine.

Threat actors have been found to abuse the free tier or a no-cost trial period offered by these services to create multiple accounts and publish malicious documents.

Besides exploiting their favorable domain reputation, the attackers take advantage of the fact that DDP sites facilitate transient file hosting, thereby allowing published content to automatically become unavailable after a predefined expiration date and time.

What’s more, productivity features baked into DDP sites like Publuu could act as a deterrent, preventing the extraction and detection of malicious links in phishing messages.

In the incidents analyzed by Cisco Talos, DDP sites are integrated into the attack chain in the secondary or intermediate stage, typically by embedding a link to a document hosted on a legitimate DDP site in a phishing email.

The DDP-hosted document serves as a gateway to an external, adversary-controlled site either directly by clicking on a link included in the decoy file, or through a series of redirects that also require solving CAPTCHAs to thwart automated analysis efforts.

The final landing page is a bogus site mimicking the Microsoft 365 login page, thus allowing the attackers to steal credentials or session tokens.

“DDP sites could represent a blind spot for defenders, because they are unfamiliar to trained users and unlikely to be flagged by email and web content filtering controls,” Jackson said.

“DDP sites create advantages for threat actors seeking to thwart contemporary phishing protections. The same features and benefits that attract legitimate users to these sites can be abused by threat actors to increase the efficacy of a phishing attack.”

Popular Remote Desktop Software Mandates Password Reset
http://www.indiavpn.org/2024/02/03/popular-remote-desktop-software-mandates-password-reset/
Sat, 03 Feb 2024 05:07:43 +0000

Feb 03, 2024 | Newsroom | Cyber Attack / Software Security

Remote desktop software maker AnyDesk disclosed on Friday that it suffered a cyber attack that led to a compromise of its production systems.

The German company said the incident, which it discovered following a security audit, is not a ransomware attack and that it has notified relevant authorities.

“We have revoked all security-related certificates and systems have been remediated or replaced where necessary,” the company said in a statement. “We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one.”

Out of an abundance of caution, AnyDesk has also revoked all passwords to its web portal, my.anydesk[.]com, and it’s urging users to change their passwords if the same passwords have been reused on other online services.

It’s also recommending that users download the latest version of the software, which comes with a new code signing certificate.

AnyDesk did not disclose when and how its production systems were breached. It’s currently not known if any information was stolen following the hack. However, it emphasized there is no evidence that any end-user systems have been affected.

Earlier this week, Günter Born of BornCity disclosed that AnyDesk had been under maintenance on January 29. The issue was addressed on February 1. Previously, on January 24, the company also alerted users of “intermittent timeouts” and “service degradation” with its Customer Portal.

AnyDesk boasts over 170,000 customers, including Amedes, AutoForm Engineering, LG Electronics, Samsung Electronics, Spidercam, and Thales.

The disclosure comes a day after Cloudflare said it was breached by a suspected nation-state attacker using stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code.

NS-STEALER Uses Discord Bots to Exfiltrate Your Secrets from Popular Browsers
http://www.indiavpn.org/2024/01/22/ns-stealer-uses-discord-bots-to-exfiltrate-your-secrets-from-popular-browsers/
Mon, 22 Jan 2024 12:14:24 +0000

Jan 22, 2024 | Newsroom | Browser Security / Cyber Threat

Cybersecurity researchers have discovered a new Java-based “sophisticated” information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts.

The malware, named NS-STEALER, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week.

The ZIP file contains within it a rogue Windows shortcut file (“Loader GAYve”), which acts as a conduit to deploy a malicious JAR file that first creates a folder called “NS-<11-digit_random_number>” to store the harvested data.

To this folder, the malware subsequently saves screenshots, cookies, credentials, and autofill data stolen from over two dozen web browsers, along with system information, a list of installed programs, Discord tokens, and Steam and Telegram session data. The captured information is then exfiltrated to a Discord Bot channel.

“Considering the highly sophisticated function of gathering sensitive information and using X509Certificate for supporting authentication, this malware can quickly steal information from the victim systems with [Java Runtime Environment],” Ramanathan said.

“The Discord bot channel as an EventListener for receiving exfiltrated data is also cost-effective.”

The development comes as the threat actors behind the Chaes (aka Chae$) malware have released an update (version 4.1) to the information stealer with improvements to its Chronod module, which is responsible for pilfering login credentials entered in web browsers and intercepting crypto transactions.

Infection chains distributing the malware, per Morphisec, leverage legal-themed email lures written in Portuguese that deceive recipients into clicking bogus links, which deliver a malicious installer that activates Chae$ 4.1.

But in an interesting twist, the developers also left behind messages for security researcher Arnold Osipov – who has extensively analyzed Chaes in the past – expressing gratitude for helping them improve their “software” directly within the source code.

Experts Warn of macOS Backdoor Hidden in Pirated Versions of Popular Software
http://www.indiavpn.org/2024/01/19/experts-warn-of-macos-backdoor-hidden-in-pirated-versions-of-popular-software/
Fri, 19 Jan 2024 14:03:20 +0000

Jan 19, 2024 | Newsroom | Malware / Endpoint Security

Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control over infected machines.

“These applications are being hosted on Chinese pirating websites in order to gain victims,” Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said.

“Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim’s machine.”

The backdoored disk image (DMG) files, which have been modified to establish communications with actor-controlled infrastructure, include legitimate software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.

The unsigned applications, besides being hosted on a Chinese website named macyy[.]cn, incorporate a dropper component called “dylib” that’s executed every time the application is opened.

The dropper then acts as a conduit to fetch a backdoor (“bd.log”) as well as a downloader (“fl01.log”) from a remote server, which is used to set up persistence and fetch additional payloads on the compromised machine.

The backdoor – written to the path “/tmp/.test” – is fully featured and built atop an open-source post-exploitation toolkit called Khepri. Because it is located in the “/tmp” directory, it is deleted when the system shuts down.

That said, it will be created again at the same location the next time the pirated application is loaded and the dropper is executed.

On the other hand, the downloader is written to the hidden path “/Users/Shared/.fseventsd,” following which it creates a LaunchAgent to ensure persistence and sends an HTTP GET request to an actor-controlled server.

While the server is no longer accessible, the downloader is designed to write the HTTP response to a new file located at /tmp/.fseventsds and then launch it.

Jamf said the malware shares several similarities with ZuRu, which has been observed in the past spreading via pirated applications on Chinese sites.

“It’s possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands and attacker infrastructure,” the researchers said.

New Malvertising Campaign Distributing PikaBot Disguised as Popular Software
http://www.indiavpn.org/2023/12/24/new-malvertising-campaign-distributing-pikabot-disguised-as-popular-software/
Sun, 24 Dec 2023 22:28:42 +0000

Dec 19, 2023 | Newsroom | Malvertising / Browser Security

The malware loader known as PikaBot is being distributed as part of a malvertising campaign targeting users searching for legitimate software like AnyDesk.

“PikaBot was previously only distributed via malspam campaigns similarly to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577,” Malwarebytes’ Jérôme Segura said.

The malware family, which first appeared in early 2023, consists of a loader and a core module that allows it to operate as a backdoor as well as a distributor for other payloads.

This enables the threat actors to gain unauthorized remote access to compromised systems and transmit commands from a command-and-control (C2) server, ranging from arbitrary shellcode, DLLs, or executable files, to other malicious tools such as Cobalt Strike.

One of the threat actors leveraging PikaBot in its attacks is TA577, a prolific cybercrime threat actor that has, in the past, delivered QakBot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.

Last month, it emerged that PikaBot, along with DarkGate, is being propagated via malspam campaigns that mirror those of QakBot. “Pikabot infection led to Cobalt Strike on 207.246.99[.]159:443 using masterunis[.]net as its domain,” Palo Alto Networks Unit 42 disclosed recently.

The latest initial infection vector is a malicious Google ad for AnyDesk that, when clicked by a victim from the search results page, redirects to a fake website named anadesky.ovmv[.]net that points to a malicious MSI installer hosted on Dropbox.

It’s worth pointing out that the redirection to the bogus website only occurs after fingerprinting the request, and only if it’s not originating from a virtual machine.

“The threat actors are bypassing Google’s security checks with a tracking URL via a legitimate marketing platform to redirect to their custom domain behind Cloudflare,” Segura explained. “At this point, only clean IP addresses are forwarded to the next step.”

Interestingly, a second round of fingerprinting takes place when the victim clicks on the download button on the website, likely in an added attempt to ensure that it’s not accessible in a virtualized environment.

Malwarebytes said the attacks are reminiscent of previously identified malvertising chains employed to disseminate another loader malware known as FakeBat (aka EugenLoader).

“This is particularly interesting because it points towards a common process used by different threat actors,” Segura said. “Perhaps, this is something akin to ‘malvertising-as-a-service’ where Google ads and decoy pages are provided to malware distributors.”

The disclosure comes as the cybersecurity company said it detected a spike in malicious ads through Google searches for popular software like Zoom, Advanced IP Scanner, and WinSCP, used to deliver a previously unseen loader called HiroshimaNukes as well as FakeBat.

“[HiroshimaNukes] uses several techniques to bypass detection from DLL side-loading to very large payloads,” Segura said. “Its goal is to drop additional malware, typically a stealer followed by data exfiltration.”

The rise in malvertising is indicative of how browser-based attacks act as channels for infiltrating target networks. This also includes a new Google Chrome extension framework codenamed ParaSiteSnatcher, which allows threat actors to “monitor, manipulate, and exfiltrate highly sensitive information from multiple sources.”

Specifically designed to compromise users in Latin America, the rogue extension is noteworthy for its use of the Chrome Browser API to intercept and exfiltrate all POST requests containing sensitive account and financial information. It’s downloaded through a VBScript downloader hosted on Dropbox and Google Cloud and installed onto an infected system.

“Once installed, the extension manifests with the help of extensive permissions enabled through the Chrome extension, allowing it to manipulate web sessions, web requests, and track user interactions across multiple tabs using the Chrome tabs API,” Trend Micro said last month.

“The malware includes various components that facilitate its operation, content scripts that enable malicious code injection into web pages, monitor Chrome tabs, and intercept user input and web browser communication.”
