Exploiting – INDIA NEWS (https://www.indiavpn.org)

Learn How to Stop Hackers from Exploiting Hidden Identity Weaknesses
https://www.indiavpn.org/2024/04/10/learn-how-to-stop-hackers-from-exploiting-hidden-identity-weaknesses/ (Wed, 10 Apr 2024)

Apr 10, 2024 | The Hacker News | Webinar / Identity Security

We all know passwords and firewalls are important, but what about the invisible threats lurking beneath the surface of your systems?

Identity Threat Exposures (ITEs) are like secret tunnels for hackers – they make your security way more vulnerable than you think.

Think of it like this: misconfigurations, forgotten accounts, and old settings are like cracks in your digital fortress walls. Hackers exploit these weaknesses to steal login information, gain sneaky access, and move around your systems unnoticed, whether they’re in the cloud or on-site.

This upcoming webinar, Today’s Top 4 Identity Security Threat Exposures: Are You Vulnerable? isn’t just for tech experts—it’s about protecting your business.

We’ll use real-world examples and insights from Silverfort’s latest report to show you the hidden dangers of ITEs. You’ll learn about:

  • The Top 4 Identity Threats You Might Be Overlooking: We’ll name them and explain why they’re so dangerous.
  • Shadow Admins: The Secret Superusers in Your SaaS: How these hidden accounts can put your data at risk.
  • Service Accounts: Your Biggest Weakness? Why they’re so easy to exploit, and how to fix it.
  • Actionable Steps To Find and Fix Your Weak Spots: Practical, easy-to-follow advice you can start using right away.

Don’t Let Hackers Win. Register for our free webinar and take control of your identity security.

This webinar is a wake-up call. We’ll help you uncover the unseen risks lurking in the shadows and give you the tools to fight back. Think of it as an X-ray vision for your digital security!

Your digital identity is your most important asset. Protect it with the knowledge you’ll gain in this webinar.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Researchers Identify Multiple China Hacker Groups Exploiting Ivanti Security Flaws
https://www.indiavpn.org/2024/04/05/researchers-identify-multiple-china-hacker-groups-exploiting-ivanti-security-flaws/ (Fri, 05 Apr 2024)

Apr 05, 2024 | Newsroom | Advanced Persistent Threat

Multiple China-nexus threat actors have been linked to the zero-day exploitation of three security flaws impacting Ivanti appliances (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893).

The clusters are being tracked by Mandiant under the monikers UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Another group linked to the exploitation spree is UNC3886.

The Google Cloud subsidiary said it has also observed financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely in an attempt to conduct cryptocurrency mining operations.

“UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments,” Mandiant researchers said.

The threat actor has been linked to post-exploitation activity leading to the deployment of the Sliver command-and-control (C2) framework, a variant of the WARPWIRE credential stealer, and a new Go-based backdoor dubbed TERRIBLETEA that comes with command execution, keylogging, port scanning, file system interaction, and screen capturing functions.

UNC5330, which has been observed combining CVE-2024-21893 and CVE-2024-21887 to breach Ivanti Connect Secure VPN appliances at least since February 2024, has leveraged custom malware such as TONERJAM and PHANTOMNET for facilitating post-compromise actions –

  • PHANTOMNET – A modular backdoor that communicates using a custom communication protocol over TCP and employs a plugin-based system to download and execute additional payloads
  • TONERJAM – A launcher that’s designed to decrypt and execute PHANTOMNET

Besides using Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence, UNC5330 is known to compromise LDAP bind accounts configured on the infected devices in order to gain domain admin access.

Another notable China-linked espionage actor is UNC5337, which is said to have infiltrated Ivanti devices as early as January 2024 using CVE-2023-46805 and CVE-2024 to deliver a custom malware toolset known as SPAWN that comprises four distinct components that work in tandem to function as a stealthy and persistent backdoor –

  • SPAWNSNAIL – A passive backdoor that listens on localhost and is equipped to launch an interactive bash shell as well as launch SPAWNSLOTH
  • SPAWNMOLE – A tunneler utility that’s capable of directing malicious traffic to a specific host while passing benign traffic unmodified to the Connect Secure web server
  • SPAWNANT – An installer that’s responsible for ensuring the persistence of SPAWNMOLE and SPAWNSNAIL by taking advantage of a coreboot installer function
  • SPAWNSLOTH – A log tampering program that disables logging and log forwarding to an external syslog server when the SPAWNSNAIL implant is running

Mandiant has assessed with medium confidence that UNC5337 and UNC5221 are one and the same threat group, noting the SPAWN tool is “designed to enable long-term access and avoid detection.”

UNC5221, which was previously attributed to web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE, has also unleashed a Perl-based web shell referred to as ROOTROT that’s embedded into a legitimate Connect Secure .ttc file located at “/data/runtime/tmp/tt/setcookie.thtml.ttc” by exploiting CVE-2023-46805 and CVE-2024-21887.

A successful deployment of the web shell is followed by network reconnaissance and lateral movement, in some cases, resulting in the compromise of a vCenter server in the victim network by means of a Golang backdoor called BRICKSTORM.

“BRICKSTORM is a Go backdoor targeting VMware vCenter servers,” Mandiant researchers explained. “It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying.”

The last among the five China-based groups tied to the abuse of Ivanti security flaws is UNC5291, which Mandiant said likely has associations with another hacking group UNC3236 (aka Volt Typhoon), primarily owing to its targeting of academic, energy, defense, and health sectors.

“Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024,” the company said.

The findings once again underscore the threat faced by edge appliances, with the espionage actors utilizing a combination of zero-day flaws, open-source tooling, and custom backdoors to tailor their tradecraft depending on their targets to evade detection for extended periods of time.

TheMoon Botnet Resurfaces, Exploiting EoL Devices to Power Criminal Proxy
https://www.indiavpn.org/2024/03/29/themoon-botnet-resurfaces-exploiting-eol-devices-to-power-criminal-proxy/ (Fri, 29 Mar 2024)

Mar 29, 2024 | Newsroom | Network Security / IoT Security

A botnet previously considered to be rendered inert has been observed enslaving end-of-life (EoL) small office/home office (SOHO) routers and IoT devices to fuel a criminal proxy service called Faceless.

“TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024,” the Black Lotus Labs team at Lumen Technologies said.

Faceless, detailed by security journalist Brian Krebs in April 2023, is a malicious residential proxy service that’s offered its anonymity services to other threat actors for a negligible fee that costs less than a dollar per day.

In doing so, it allows the customers to route their malicious traffic through tens of thousands of compromised systems advertised on the service, effectively concealing their true origins.

The Faceless-backed infrastructure has been assessed to be used by operators of malware such as SolarMarker and IcedID to connect to their command-and-control (C2) servers to obfuscate their IP addresses.

That being said, a majority of the bots are used for password spraying and/or data exfiltration, primarily targeting the financial sector, with more than 80% of the infected hosts located in the U.S.

Lumen said it first observed the malicious activity in late 2023, the goal being to breach EoL SOHO routers and IoT devices, deploy an updated version of TheMoon, and ultimately enroll the botnet into Faceless.

The attacks entail dropping a loader that’s responsible for fetching an ELF executable from a C2 server. This includes a worm module that spreads itself to other vulnerable servers and another file called “.sox” that’s used to proxy traffic from the bot to the internet on behalf of a user.

In addition, the malware configures iptables rules to drop incoming TCP traffic on ports 8080 and 80 and allow traffic from three different IP ranges. It also attempts to contact an NTP server from a list of legitimate NTP servers in a likely effort to determine whether the infected device has internet connectivity and is not running in a sandbox.

The targeting of EoL appliances to fabricate the botnet is no coincidence, as they are no longer supported by the manufacturer and become susceptible to security vulnerabilities over time. It’s also possible that the devices are infiltrated by means of brute-force attacks.

Additional analysis of the proxy network has revealed that more than 30% of the infections lasted for over 50 days, while about 15% of the devices were part of the network for 48 hours or less.

“Faceless has become a formidable proxy service that rose from the ashes of the ‘iSocks’ anonymity service and has become an integral tool for cyber criminals in obfuscating their activity,” the company said. “TheMoon is the primary, if not the only, supplier of bots to the Faceless proxy service.”

Hackers Exploiting Popular Document Publishing Sites for Phishing Attacks
https://www.indiavpn.org/2024/03/19/hackers-exploiting-popular-document-publishing-sites-for-phishing-attacks/ (Tue, 19 Mar 2024)

Mar 19, 2024 | Newsroom | Email Security / Social Engineering

Threat actors are leveraging digital document publishing (DDP) sites hosted on platforms like FlipSnack, Issuu, Marq, Publuu, RelayTo, and Simplebooklet for carrying out phishing, credential harvesting, and session token theft, once again underscoring how threat actors are repurposing legitimate services for malicious ends.

“Hosting phishing lures on DDP sites increases the likelihood of a successful phishing attack, since these sites often have a favorable reputation, are unlikely to appear on web filter blocklists, and may instill a false sense of security in users who recognize them as familiar or legitimate,” Cisco Talos researcher Craig Jackson said last week.

While adversaries have used popular cloud-based services such as Google Drive, OneDrive, Dropbox, SharePoint, DocuSign, and Oneflow to host phishing documents in the past, the latest development marks an escalation designed to evade email security controls.

DDP services allow users to upload and share PDF files in a browser-based interactive flipbook format, adding page flip animations and other skeuomorphic effects to any catalog, brochure, or magazine.

Threat actors have been found to abuse the free tier or a no-cost trial period offered by these services to create multiple accounts and publish malicious documents.

Besides exploiting their favorable domain reputation, the attackers take advantage of the fact that DDP sites facilitate transient file hosting, thereby allowing published content to automatically become unavailable after a predefined expiration date and time.

What’s more, productivity features baked into DDP sites like Publuu could act as a deterrent, preventing the extraction and detection of malicious links in phishing messages.

In the incidents analyzed by Cisco Talos, DDP sites are integrated into the attack chain in the secondary or intermediate stage, typically by embedding a link to a document hosted on a legitimate DDP site in a phishing email.

The DDP-hosted document serves as a gateway to an external, adversary-controlled site either directly by clicking on a link included in the decoy file, or through a series of redirects that also require solving CAPTCHAs to thwart automated analysis efforts.

The final landing page is a bogus site mimicking the Microsoft 365 login page, thus allowing the attackers to steal credentials or session tokens.

“DDP sites could represent a blind spot for defenders, because they are unfamiliar to trained users and unlikely to be flagged by email and web content filtering controls,” Jackson said.

“DDP sites create advantages for threat actors seeking to thwart contemporary phishing protections. The same features and benefits that attract legitimate users to these sites can be abused by threat actors to increase the efficacy of a phishing attack.”

BianLian Threat Actors Exploiting JetBrains TeamCity Flaws in Ransomware Attacks
https://www.indiavpn.org/2024/03/11/bianlian-threat-actors-exploiting-jetbrains-teamcity-flaws-in-ransomware-attacks/ (Mon, 11 Mar 2024)

Mar 11, 2024 | Newsroom | Ransomware / Vulnerability

The threat actors behind the BianLian ransomware have been observed exploiting security flaws in JetBrains TeamCity software to conduct their extortion-only attacks.

According to a new report from GuidePoint Security, which responded to a recent intrusion, the incident “began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian’s Go backdoor.”

BianLian emerged in June 2022, and has since pivoted exclusively to exfiltration-based extortion following the release of a decryptor in January 2023.

The attack chain observed by the cybersecurity firm entails the exploitation of a vulnerable TeamCity instance using CVE-2024-27198 or CVE-2023-42793 to gain initial access to the environment, followed by creating new users in the build server and executing malicious commands for post-exploitation and lateral movement.

It’s currently not clear which of the two flaws was weaponized by the threat actor for infiltration.

BianLian actors are known to implant a custom backdoor tailored to each victim written in Go, as well as drop remote desktop tools like AnyDesk, Atera, SplashTop, and TeamViewer. The backdoor is tracked by Microsoft as BianDoor.

“After multiple failed attempts to execute their standard Go backdoor, the threat actor pivoted to living-off-the-land and leveraged a PowerShell implementation of their backdoor, which provides an almost identical functionality to what they would have with their Go backdoor,” security researchers Justin Timothy, Gabe Renfro, and Keven Murphy said.

The obfuscated PowerShell backdoor (“web.ps1”) is designed to establish a TCP socket for additional network communication to an actor-controlled server, allowing the remote attackers to conduct arbitrary actions on an infected host.

“The now-confirmed backdoor is able to communicate with the [command-and-control] server and asynchronously execute based on the remote attacker’s post-exploitation objectives,” the researchers said.

The disclosure comes as VulnCheck detailed fresh proof-of-concept (PoC) exploits for a critical security flaw impacting Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527) that could lead to remote code execution in a fileless manner and load the Godzilla web shell directly into memory.

The flaw has since been weaponized to deploy C3RB3R ransomware, cryptocurrency miners and remote access trojans over the past two months, indicating widespread exploitation in the wild.

“There’s more than one way to reach Rome,” VulnCheck’s Jacob Baines noted. “While using freemarker.template.utility.Execute appears to be the popular way of exploiting CVE-2023-22527, other more stealthy paths generate different indicators.”

How Cybercriminals are Exploiting India’s UPI for Money Laundering Operations
https://www.indiavpn.org/2024/03/04/how-cybercriminals-are-exploiting-indias-upi-for-money-laundering-operations/ (Mon, 04 Mar 2024)

Cybercriminals are using a network of hired money mules in India, managed through an Android-based application, to orchestrate a massive money laundering scheme.

The malicious application, called XHelper, is a “key tool for onboarding and managing these money mules,” CloudSEK researchers Sparsh Kulshrestha, Abhishek Mathew, and Santripti Bhujel said in a report.

Details about the scam first emerged in late October 2023, when Chinese cyber criminals were found to take advantage of the fact that Indian Unified Payments Interface (UPI) service providers operate without coverage under the Prevention of Money Laundering Act (PMLA) to initiate illegal transactions under the guise of offering an instant loan.

The ill-gotten proceeds from the operation are transferred to other accounts belonging to hired mules, who are recruited from Telegram in return for commissions ranging from 1-2% of the total transaction amounts.

“Central to this operation are Chinese payment gateways exploiting the QR code feature of UPI with precision,” the cybersecurity company noted at the time.

“The scheme leveraged a network exceeding hundreds of thousands of compromised ‘money mule’ accounts to funnel illicit funds through fraudulent payment channels, ultimately transferring them back to China.”

These mules are efficiently managed using XHelper, which also facilitates the technology behind fake payment gateways used in pig butchering and other scams. The app is distributed via websites masquerading as legitimate businesses under the guise of “Money Transfer Business.”

The app further offers the capability for mules to track their earnings and streamline the whole process of payouts and collection. This involves an initial setup process where they are asked to register their unique UPI IDs in a particular format and configure online banking credentials.

While payouts mandate the swift transfer of funds to pre-designated accounts within 10 minutes, collection orders are more passive in nature, with the registered accounts receiving incoming funds from other scammers utilizing the platform.

“Money mules activate order intake within the XHelper app, enabling them to receive and fulfill money laundering tasks,” the researchers said. “The system automatically assigns orders, potentially based on predetermined criteria or mule profiles.”

Once an illicit fund transfer is executed using the linked bank account, mules are also expected to upload proof of the transaction in the form of screenshots, which are then validated in exchange for financial rewards, thereby incentivizing continued participation.

XHelper’s features also extend to inviting others to join as agents, who are in charge of recruiting the mules. It manifests as a referral system that allows them to get bonuses for each new recruit, thus driving an ever-expanding network of agents and mules.

“This referral system follows a pyramid-like structure, fueling mass recruitment of both agents and money mules, amplifying the reach of illicit activities,” the researchers said. “Agents, in turn, recruit more mules and invite additional agents, perpetuating the growth of this interconnected network.”

Another of XHelper’s notable functions is to help train mules to efficiently launder stolen funds using a Learning Management System (LMS) that offers tutorials on opening fake corporate bank accounts (which have higher transaction limits), the different workflows, and ways to earn more commission.

Besides favoring the UPI feature built into legitimate banking apps for conducting the transfers, the platform acts as a hub for finding ways to get around account freezes to enable mules to continue their illegal activities. They are also given training to handle customer support calls made by banks for verifying suspicious transactions.

“While XHelper serves as a concerning example, it’s crucial to recognize this isn’t an isolated incident,” CloudSEK said, adding it discovered a “growing ecosystem of similar applications facilitating money laundering across various scams.”

In December 2023, Europol announced that 1,013 individuals were arrested in the second half of 2023 as part of a global effort to tackle money laundering. The international law enforcement operation also led to the identification of 10,759 money mules and 474 recruiters (aka herders).

The disclosure comes as Kaspersky revealed that malware, adware, and riskware attacks on mobile devices rose steadily from February 2023 until the end of the year.

“Android malware and riskware activity surged in 2023 after two years of relative calm, returning to early 2021 levels by the end of the year,” the Russian security vendor noted. “Adware accounted for the majority of threats detected in 2023.”

GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks
https://www.indiavpn.org/2024/02/29/gtpdoor-linux-malware-targets-telecoms-exploiting-gprs-roaming-networks/ (Thu, 29 Feb 2024)

Feb 29, 2024 | Newsroom | Linux / Network Security

Threat hunters have discovered a new Linux malware called GTPDOOR that’s designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges (GRX).

The malware is novel in the fact that it leverages the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications.

GPRS roaming allows subscribers to access their GPRS services while they are beyond the reach of their home mobile network. This is facilitated by means of a GRX that transports the roaming traffic using GTP between the visited and the home Public Land Mobile Network (PLMN).

Security researcher haxrob, who discovered two GTPDOOR artifacts uploaded to VirusTotal from China and Italy, said the backdoor is likely linked to a known threat actor tracked as LightBasin (aka UNC1945), which was previously disclosed by CrowdStrike in October 2021 in connection with a series of attacks targeting the telecom sector to steal subscriber information and call metadata.

“When run, the first thing GTPDOOR does is process-name stomps itself – changing its process name to ‘[syslog]’ – disguised as syslog invoked from the kernel,” the researcher said. “It suppresses child signals and then opens a raw socket [that] will allow the implant to receive UDP messages that hit the network interfaces.”

Put differently, GTPDOOR allows a threat actor that already has established persistence on the roaming exchange network to contact a compromised host by sending GTP-C Echo Request messages with a malicious payload.

This magic GTP-C Echo Request message acts as a conduit to transmit a command to be executed on the infected machine and return the results back to the remote host.

GTPDOOR “can be covertly probed from an external network to elicit a response by sending a TCP packet to any port number,” the researcher noted. “If the implant is active a crafted empty TCP packet is returned along with information if the destination port was open/responding on the host.”

“This implant looks like it is designed to sit on compromised hosts that directly touch the GRX network – these are the systems that communicate to other telecommunication operator networks via the GRX.”

Chinese Hackers Exploiting Ivanti VPN Flaws to Deploy New Malware
https://www.indiavpn.org/2024/02/29/chinese-hackers-exploiting-ivanti-vpn-flaws-to-deploy-new-malware/ (Thu, 29 Feb 2024)

At least two different suspected China-linked cyber espionage clusters, tracked as UNC5325 and UNC3886, have been attributed to the exploitation of security flaws in Ivanti Connect Secure VPN appliances.

UNC5325 abused CVE-2024-21893 to deliver a wide range of new malware called LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK, as well as maintain persistent access to compromised appliances, Mandiant said.

The Google-owned threat intelligence firm has assessed with moderate confidence that UNC5325 is associated with UNC3886 owing to source code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with malware used by the latter.

It’s worth pointing out that UNC3886 has a track record of leveraging zero-day flaws in Fortinet and VMware solutions to deploy a variety of implants like VIRTUALPITA, VIRTUALPIE, THINCRUST, and CASTLETAP.

“UNC3886 has primarily targeted the defense industrial base, technology, and telecommunication organizations located in the U.S. and [Asia-Pacific] regions,” Mandiant researchers said.

The active exploitation of CVE-2024-21893 – a server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA – by UNC5325 is said to have occurred as early as January 19, 2024, targeting a limited number of devices.

The attack chain entails combining CVE-2024-21893 with a previously disclosed command injection vulnerability tracked as CVE-2024-21887 to gain unauthorized access to susceptible appliances, ultimately leading to the deployment of a new version of BUSHWALK.

Some instances have also involved the misuse of legitimate Ivanti components, such as SparkGateway plugins, to drop additional payloads. This includes the PITFUEL plugin to load a malicious shared object codenamed LITTLELAMB.WOOLTEA, which comes with capabilities to persist across system upgrade events, patches, and factory resets.

It further acts as a backdoor that supports command execution, file management, shell creation, SOCKS proxy, and network traffic tunneling.

Also observed is another malicious SparkGateway plugin dubbed PITDOG that injects a shared object known as PITHOOK in order to persistently execute an implant referred to as PITSTOP that’s designed for shell command execution, file write, and file read on the compromised appliance.

Mandiant described the threat actor as having demonstrated a “nuanced understanding of the appliance and their ability to subvert detection throughout this campaign” and using living-off-the-land (LotL) techniques to fly under the radar.

The cybersecurity firm said it expects “UNC5325 as well as other China-nexus espionage actors to continue to leverage zero day vulnerabilities on network edge devices as well as appliance-specific malware to gain and maintain access to target environments.”

Links Found Between Volt Typhoon and UTA0178

The disclosure comes as industrial cybersecurity company Dragos attributed China-sponsored Volt Typhoon (aka Voltzite) to reconnaissance and enumeration activities aimed at multiple U.S.-based electric companies, emergency services, telecommunication providers, defense industrial bases, and satellite services.

“Voltzite’s actions towards U.S. electric entities, telecommunications, and GIS systems signify clear objectives to identify vulnerabilities within the country’s critical infrastructure that can be exploited in the future with destructive or disruptive cyber attacks,” it said.

Volt Typhoon’s victimology footprint has since expanded to include African electric transmission and distribution providers, with evidence connecting the adversary to UTA0178, a threat activity group linked to the zero-day exploitation of Ivanti Connect Secure flaws in early December 2023.


The cyber espionage actor, which relies heavily on LotL methods to sidestep detection, joins two other new groups that came to light in 2023, Gananite and Laurionite, in conducting long-term reconnaissance and intellectual property theft operations targeting critical infrastructure and government entities.

“Voltzite uses very minimal tooling and prefers to conduct their operations with as little a footprint as possible,” Dragos explained. “Voltzite heavily focuses on detection evasion and long-term persistent access with the assessed intent of long-term espionage and data exfiltration.”

Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability
https://www.indiavpn.org/2024/02/16/akira-ransomware-exploiting-cisco-asa-ftd-vulnerability/
Fri, 16 Feb 2024 17:05:01 +0000

Feb 16, 2024 | Newsroom | Ransomware / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities (KEV) catalog, following reports that it is likely being exploited in Akira ransomware attacks.

The vulnerability in question is CVE-2020-3259 (CVSS score: 7.5), a high-severity information disclosure issue that could allow an attacker to retrieve memory contents on an affected device. It was patched by Cisco as part of updates released in May 2020.

Late last month, cybersecurity firm Truesec said it found evidence suggesting that the flaw has been weaponized by Akira ransomware actors to compromise multiple susceptible Cisco AnyConnect SSL VPN appliances over the past year.


“There is no publicly available exploit code for […] CVE-2020-3259, meaning that a threat actor, such as Akira, exploiting that vulnerability would need to buy or produce exploit code themselves, which requires deep insights into the vulnerability,” security researcher Heresh Zaremand said.

According to Palo Alto Networks Unit 42, Akira is one of the 25 groups with newly established data leak sites in 2023, with the ransomware group publicly claiming nearly 200 victims. First observed in March 2023, the group is believed to share connections with the notorious Conti syndicate based on the fact that it has sent the ransom proceeds to Conti-affiliated wallet addresses.

In the fourth quarter of 2023 alone, the e-crime group listed 49 victims on its data leak portal, putting it behind LockBit (275), Play (110), ALPHV/BlackCat (102), NoEscape (76), 8Base (75), and Black Basta (72).

Federal Civilian Executive Branch (FCEB) agencies are required to remediate CVE-2020-3259 by March 7, 2024, to secure their networks against potential threats.

CVE-2020-3259 is far from the only flaw to be exploited for delivering ransomware. Earlier this month, Arctic Wolf Labs revealed the abuse of CVE-2023-22527 – a recently uncovered shortcoming in Atlassian Confluence Data Center and Confluence Server – to deploy C3RB3R ransomware, as well as cryptocurrency miners and remote access trojans.
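A check that turns a KEV due date into an actionable report, as an added example that is not CISA's, Cisco's or the article's own code: it indexes a KEV catalog snapshot by CVE id, matches it against an asset inventory and reports which assets carry a listed CVE that is past its remediation date on a given day. The snapshot is constructed to follow the field names of CISA's public KEV JSON feed (cveID, dateAdded, dueDate, knownRansomwareCampaignUse), with the single Cisco record filled in from the dates this article gives; the inventory, host names and the CVE-0000-0000 placeholder are made up for the example, and the live feed is not fetched.

```python
"""Prioritise patching from a CISA KEV snapshot: which inventory CVEs are listed,
whether the due date has passed on a given day, and whether the catalog marks
them as used in ransomware. Added example, not CISA's or Cisco's code."""
import json
from datetime import date

# Constructed snapshot in the shape of the public KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The one record uses the dates from the article: added Thursday 2024-02-15,
# FCEB due date 2024-03-07. The live catalog is not fetched here.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [{
        "cveID": "CVE-2020-3259",
        "vendorProject": "Cisco",
        "product": "Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)",
        "dateAdded": "2024-02-15",
        "dueDate": "2024-03-07",
        "knownRansomwareCampaignUse": "Known",
    }],
})

# Constructed asset inventory. CVE-0000-0000 is a placeholder, not a real CVE;
# it only exercises the "not listed in KEV" branch.
INVENTORY = {
    "vpn-edge-01": ["CVE-2020-3259"],
    "web-01": ["cve-2020-3259", "CVE-0000-0000"],
}


def load_kev(snapshot_json):
    """Index KEV records by CVE id, normalised to upper case."""
    data = json.loads(snapshot_json)
    return {v["cveID"].upper(): v for v in data["vulnerabilities"]}


def assess(inventory, kev, today):
    """Per-asset findings for every inventory CVE that appears in the KEV index.

    `today` is a date or an ISO string. overdue is True once today is past
    dueDate (the due day itself still counts as in time); days_left goes
    negative when overdue. CVEs absent from the index are skipped.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = {}
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve.upper())
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.setdefault(asset, []).append({
                "cve": cve.upper(),
                "due": due.isoformat(),
                "days_left": (due - today).days,
                "overdue": today > due,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    return findings


def overdue_assets(inventory, kev, today):
    """Names of assets with at least one KEV-listed CVE past its due date."""
    report = assess(inventory, kev, today)
    return sorted(a for a, items in report.items() if any(i["overdue"] for i in items))


if __name__ == "__main__":
    kev = load_kev(KEV_SNAPSHOT)
    for day in ("2024-02-16", "2024-03-08"):
        print(f"as of {day}: overdue = {overdue_assets(INVENTORY, kev, day)}")
        for asset, items in assess(INVENTORY, kev, day).items():
            for i in items:
                tag = " [ransomware]" if i["ransomware"] else ""
                print(f"  {asset}: {i['cve']} due {i['due']} ({i['days_left']:+d} days){tag}")
```

Swapping `KEV_SNAPSHOT` for the downloaded feed and `INVENTORY` for scanner output is the only change needed to run this against a real estate; the ransomware flag is what lets the Cisco and Confluence entries above jump the queue ahead of KEV entries with no known ransomware use.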

The development comes as the U.S. State Department announced rewards of up to $10 million for information that could lead to the identification or location of BlackCat ransomware gang key members, in addition to offering up to $5 million for information leading to the arrest or conviction of its affiliates.


The ransomware-as-a-service (RaaS) scheme, much like Hive, compromised over 1,000 victims globally, netting at least $300 million in illicit profits since its emergence in late 2021. It was disrupted in December 2023 following an international coordinated operation.

The ransomware landscape has become a lucrative market, attracting the attention of cybercriminals looking for quick financial gain, leading to the rise of new players such as Alpha (not to be confused with ALPHV) and Wing.

The U.S. Government Accountability Office (GAO), in a report published towards the end of January 2024, called for enhanced oversight into recommended practices for addressing ransomware, specifically for organizations from critical manufacturing, energy, healthcare and public health, and transportation systems sectors.

New Mispadu Banking Trojan Exploiting Windows SmartScreen Flaw
https://www.indiavpn.org/2024/02/05/new-mispadu-banking-trojan-exploiting-windows-smartscreen-flaw/
Mon, 05 Feb 2024 04:49:28 +0000

Feb 05, 2024 | Newsroom | Malware / Financial Security

The threat actors behind the Mispadu banking Trojan have become the latest to exploit a now-patched Windows SmartScreen security bypass flaw to compromise users in Mexico.

The attacks entail a new variant of the malware that was first observed in 2019, Palo Alto Networks Unit 42 said in a report published last week.

Propagated via phishing emails, Mispadu is a Delphi-based information stealer known to specifically infect victims in the Latin American (LATAM) region. In March 2023, Metabase Q revealed that Mispadu spam campaigns had harvested at least 90,000 bank account credentials since August 2022.

It’s also part of the larger family of LATAM banking malware, including Grandoreiro, which was dismantled by Brazilian law enforcement authorities last week.


The latest infection chain identified by Unit 42 employs rogue internet shortcut files contained within bogus ZIP archive files that leverage CVE-2023-36025 (CVSS score: 8.8), a high-severity bypass flaw in Windows SmartScreen. It was addressed by Microsoft in November 2023.

“This exploit revolves around the creation of a specifically crafted internet shortcut file (.URL) or a hyperlink pointing to malicious files that can bypass SmartScreen’s warnings,” security researchers Daniela Shalev and Josh Grunzweig said.

“The bypass is simple and relies on a parameter that references a network share, rather than a URL. The crafted .URL file contains a link to a threat actor’s network share with a malicious binary.”

Mispadu, once launched, reveals its true colors by selectively targeting victims based on their geographic location (i.e., Americas or Western Europe) and system configurations, and then proceeds to establish contact with a command-and-control (C2) server for follow-on data exfiltration.
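A triage check for the lure shape the researchers describe, as an added example that is not Unit 42's or the malware's own code: it parses .URL internet shortcut files (a small INI format) and flags a URL= entry that points at a remote network share, whether written as a UNC path or as file://host/..., which is the CVE-2023-36025 trick, and, as a weaker second signal, one whose target has an executable-type extension. The sample files, the 203.0.113.x hosts and the file names are constructed placeholders, and the extension list is an assumption, not something the report enumerates.

```python
"""Flag Windows .URL shortcuts whose target is a remote share and/or an
executable-type payload. Added example, not Unit 42 or Mispadu code."""
import ntpath
from configparser import ConfigParser
from urllib.parse import urlsplit

# Constructed samples (CRLF, as Windows writes them). Hosts and names are
# placeholders, not real indicators.
SAMPLES = {
    "lure_file_scheme.url": "[InternetShortcut]\r\nURL=file://203.0.113.10/share/invoice.exe\r\nIconIndex=0\r\n",
    "lure_unc.url": "[InternetShortcut]\r\nURL=\\\\203.0.113.10\\share\\update.cpl\r\n",
    "benign_https.url": "[InternetShortcut]\r\nURL=https://www.example.com/\r\n",
    "benign_local.url": "[InternetShortcut]\r\nURL=file:///C:/Users/Public/notes.txt\r\n",
}

# Assumed list of extensions worth a second look when a shortcut points at them.
RISKY_EXT = {".exe", ".cpl", ".msi", ".scr", ".dll", ".js", ".vbs", ".hta",
             ".lnk", ".bat", ".cmd", ".ps1"}
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


def read_shortcut_target(text):
    """Return the URL= value of a .URL file, or None if the section is missing.

    Interpolation is off because values may contain '%'; strict=False tolerates
    duplicate keys, which malformed lures sometimes carry.
    """
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(text.replace("\r\n", "\n"))
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def describe_target(target):
    """Split a shortcut target into (host, extension).

    host is None for non-file schemes (http, https, ...), "" for a local file
    path, and the server name for UNC paths and file://host/... targets.
    """
    t = target.strip()
    if t.startswith("\\\\"):                      # UNC: \\host\share\path
        host, _, path = t[2:].partition("\\")
    else:
        u = urlsplit(t)
        if u.scheme.lower() != "file":
            return None, ntpath.splitext(u.path)[1].lower()
        host, path = (u.hostname or ""), u.path
    leaf = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return host.lower(), ntpath.splitext(leaf)[1].lower()


def assess_shortcut(text):
    """Verdict dict for one .URL file: target, host, ext, reasons, suspicious."""
    target = read_shortcut_target(text)
    if target is None:
        return {"target": None, "host": None, "ext": "",
                "reasons": ["no [InternetShortcut] URL entry (malformed)"], "suspicious": True}
    host, ext = describe_target(target)
    reasons = []
    if host is not None and host not in LOCAL_HOSTS:
        reasons.append(f"target is a network share on {host}")      # the bypass shape
    if ext in RISKY_EXT:
        reasons.append(f"target is an executable-type file ({ext})")  # secondary signal
    return {"target": target, "host": host, "ext": ext,
            "reasons": reasons, "suspicious": bool(reasons)}


def triage(samples=SAMPLES):
    """Run assess_shortcut over a name -> file-content mapping."""
    return {name: assess_shortcut(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{name:24} {flag:10} {'; '.join(verdict['reasons'])}")
```

To run it over a mail quarantine or a user's Downloads folder, feed `triage` a mapping built from each `.url` file's contents. The remote-share test is the one tied to the bypass the researchers describe; treat the extension test as a hint rather than a verdict.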

The Windows flaw has been exploited in the wild in recent months by multiple cybercrime groups to deliver DarkGate and Phemedrone Stealer malware.

Mexico has also emerged as a top target for several campaigns over the past year that propagate information stealers and remote access trojans like AllaKore RAT, AsyncRAT, and Babylon RAT. These include a financially motivated group dubbed TA558 that has attacked the hospitality and travel sectors in the LATAM region since 2018.


The development comes as Sekoia detailed the inner workings of DICELOADER (aka Lizar or Tirion), a time-tested custom downloader used by the Russian e-crime group tracked as FIN7. The malware has been observed delivered via malicious USB drives (aka BadUSB) in the past.

“DICELOADER is dropped by a PowerShell script along with other malware of the intrusion set’s arsenal such as Carbanak RAT,” the French cybersecurity firm said, calling out its sophisticated obfuscation methods to conceal the C2 IP addresses and the network communications.

It also follows AhnLab's discovery of two new malicious cryptocurrency mining campaigns that employ booby-trapped archives and game hacks to deploy miner malware that mines Monero and Zephyr.
