New Phishing Attack Uses Clever Microsoft Office Trick to Deploy NetSupport RAT
https://www.indiavpn.org/2024/03/19/new-phishing-attack-uses-clever-microsoft-office-trick-to-deploy-netsupport-rat/

Mar 19, 2024 | Newsroom | Social Engineering / Email Security

A new phishing campaign is targeting U.S. organizations with the intent to deploy a remote access trojan called NetSupport RAT.

Israeli cybersecurity company Perception Point is tracking the activity under the moniker Operation PhantomBlu.

“The PhantomBlu operation introduces a nuanced exploitation method, diverging from NetSupport RAT’s typical delivery mechanism by leveraging OLE (Object Linking and Embedding) template manipulation, exploiting Microsoft Office document templates to execute malicious code while evading detection,” security researcher Ariel Davidpur said.

NetSupport RAT is a malicious offshoot of a legitimate remote desktop tool known as NetSupport Manager, allowing threat actors to conduct a spectrum of data gathering actions on a compromised endpoint.

The starting point is a salary-themed phishing email that purports to come from the accounting department and urges recipients to open the attached Microsoft Word document to view the “monthly salary report.”

A closer analysis of the email message headers – particularly the Return-Path and Message-ID fields – shows that the attackers use a legitimate email marketing platform called Brevo (formerly Sendinblue) to send the emails.

The Word document, upon opening, instructs the victim to enter a password provided in the email body and enable editing, followed by double-clicking a printer icon embedded in the doc to view the salary graph.

Doing so opens a ZIP archive file (“Chart20072007.zip”) containing one Windows shortcut file, which functions as a PowerShell dropper to retrieve and execute a NetSupport RAT binary from a remote server.

“By using encrypted .docs to deliver the NetSupport RAT via OLE template and template injection, PhantomBlu marks a departure from the conventional TTPs commonly associated with NetSupport RAT deployments,” Davidpur said, adding the updated technique “showcases PhantomBlu’s innovation in blending sophisticated evasion tactics with social engineering.”

Growing Abuse of Cloud Platforms and Popular CDNs

The development comes as Resecurity revealed that threat actors are increasingly abusing public cloud services like Dropbox, GitHub, IBM Cloud, and Oracle Cloud Storage, as well as Web 3.0 data-hosting platforms built on the InterPlanetary File System (IPFS) protocol such as Pinata to generate fully undetectable (FUD) phishing URLs using phishing kits.

Such FUD links are offered on Telegram by underground vendors like BulletProofLink, FUDLINKSHOP, FUDSENDER, ONNX, and XPLOITRVERIFIER for prices starting at $200 per month as part of a subscription model. These links are further secured behind antibot barriers to filter incoming traffic and evade detection.

Also complementing these services are tools like HeartSender that make it possible to distribute the generated FUD links at scale. The Telegram group associated with HeartSender has nearly 13,000 subscribers.

“FUD Links represent the next step in [phishing-as-a-service] and malware-deployment innovation,” the company said, noting attackers are “repurposing high-reputation infrastructure for malicious use cases.”

“One recent malicious campaign, which leveraged the Rhadamanthys Stealer to target the oil and gas sector, used an embedded URL that exploited an open redirect on legitimate domains, primarily Google Maps and Google Images. This domain-nesting technique makes malicious URLs less noticeable and more likely to entrap victims.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Ubuntu ‘command-not-found’ Tool Could Trick Users into Installing Rogue Packages
https://www.indiavpn.org/2024/02/14/ubuntu-command-not-found-tool-could-trick-users-into-installing-rogue-packages/

Feb 14, 2024 | Newsroom | Software Security / Vulnerability

Cybersecurity researchers have found that it’s possible for threat actors to exploit a well-known utility called command-not-found to recommend their own rogue packages and compromise systems running the Ubuntu operating system.

“While ‘command-not-found’ serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages,” cloud security firm Aqua said in a report shared with The Hacker News.

Installed by default on Ubuntu systems, command-not-found suggests packages to install in interactive bash sessions when attempting to run commands that are not available. The suggestions include both the Advanced Packaging Tool (APT) and snap packages.

While the tool uses an internal database (“/var/lib/command-not-found/commands.db”) to suggest APT packages, it relies on the “advise-snap” command to suggest snaps that provide the given command.

Thus, should an attacker be able to game this system and have their malicious package recommended by command-not-found, it could pave the way for software supply chain attacks.

Aqua said it found a potential loophole wherein a threat actor could exploit the alias mechanism to register the snap name associated with an alias and trick users into installing the malicious package.

What’s more, an attacker could claim the snap name related to an APT package and upload a malicious snap, which then ends up being suggested when a user types in the command on their terminal.

“The maintainers of the ‘jupyter-notebook’ APT package had not claimed the corresponding snap name,” Aqua said. “This oversight left a window of opportunity for an attacker to claim it and upload a malicious snap named ‘jupyter-notebook.'”

To make matters worse, the command-not-found utility suggests the snap package above the legitimate APT package for jupyter-notebook, misleading users into installing the fake snap package.

As many as 26% of the APT package commands are vulnerable to impersonation by malicious actors, Aqua noted, presenting a substantial security risk, as they could be registered under an attacker’s account.

A third category entails typosquatting attacks in which typographical errors made by users (e.g., ifconfigg instead of ifconfig) are leveraged to suggest bogus snap packages by registering a fraudulent package with the name “ifconfigg.”

In such a case, command-not-found “would mistakenly match it to this incorrect command and recommend the malicious snap, bypassing the suggestion for ‘net-tools’ altogether,” Aqua researchers explained.

Describing the abuse of the command-not-found utility to recommend counterfeit packages as a pressing concern, the company is urging users to verify the source of a package before installation and check the maintainers’ credibility.

Developers of APT and snap packages have also been advised to register the associated snap name for their commands to prevent them from being misused.

“It remains uncertain how extensively these capabilities have been exploited, underscoring the urgency for heightened vigilance and proactive defense strategies,” Aqua said.

Kasseika Ransomware Using BYOVD Trick to Disarm Security Pre-Encryption
https://www.indiavpn.org/2024/01/24/kasseika-ransomware-using-byovd-trick-to-disarms-security-pre-encryption/
Wed, 24 Jan 2024

The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups like Akira, AvosLocker, BlackByte, and RobbinHood.

The tactic allows “threat actors to terminate antivirus processes and services for the deployment of ransomware,” Trend Micro said in a Tuesday analysis.

Kasseika, first discovered by the cybersecurity firm in mid-December 2023, exhibits overlaps with the now-defunct BlackMatter, which emerged in the aftermath of DarkSide’s shutdown.

There is evidence to suggest that the ransomware strain could be the handiwork of an experienced threat actor that acquired or purchased access to BlackMatter, given that the latter’s source code has never publicly leaked since its demise in November 2021.

Attack chains involving Kasseika commence with a phishing email for initial access, subsequently dropping remote administration tools (RATs) to gain privileged access and move laterally within the target network.

The threat actors have been observed utilizing Microsoft’s Sysinternals PsExec command-line utility to execute a malicious batch script, which checks for the existence of a process named “Martini.exe” and, if found, terminates it to ensure there is only one instance of the process running on the machine.

The executable’s main responsibility is to download and run the “Martini.sys” driver from a remote server in order to disable 991 security tools. It’s worth noting that “Martini.sys” is a legitimate signed driver named “viragt64.sys” that has been added to Microsoft’s vulnerable driver blocklist.

“If Martini.sys does not exist, the malware will terminate itself and not proceed with its intended routine,” the researchers said, indicating the crucial role played by the driver in defense evasion.

Following this step, “Martini.exe” launches the ransomware payload (“smartscreen_protected.exe”), which takes care of the encryption process using ChaCha20 and RSA algorithms, but not before killing all processes and services that are accessing Windows Restart Manager.

A ransom note is then dropped in every directory that it has encrypted and the computer’s wallpaper is modified to display a note demanding a 50 bitcoin payment to a wallet address within 72 hours, or risk paying an extra $500,000 every 24 hours once the deadline elapses.

On top of that, the victims are expected to post a screenshot of the successful payment to an actor-controlled Telegram group to receive a decryptor.

The Kasseika ransomware also has other tricks up its sleeve, which include wiping traces of the activity by clearing the system’s event logs using the wevtutil.exe binary.

“The command wevtutil.exe efficiently clears the Application, Security, and System event logs on the Windows system,” the researchers said. “This technique is used to operate discreetly, making it more challenging for security tools to identify and respond to malicious activities.”

The development comes as Palo Alto Networks Unit 42 detailed the BianLian ransomware group’s shift from a double extortion scheme to encryptionless extortion attacks following the release of a free decryptor in early 2023.

BianLian has been an active and prevalent threat group since September 2022, predominantly singling out healthcare, manufacturing, professional, and legal services sectors in the U.S., the U.K., Canada, India, Australia, Brazil, Egypt, France, Germany, and Spain.

Stolen Remote Desktop Protocol (RDP) credentials, known security flaws (e.g., ProxyShell), and web shells act as the most common attack routes adopted by BianLian operators to infiltrate corporate networks.

What’s more, the cybercrime crew shares a custom .NET-based tool with another ransomware group tracked as Makop, suggesting potential connections between the two.

“This .NET tool is responsible for retrieving file enumeration, registry, and clipboard data,” security researcher Daniel Frank said in a new overview of BianLian.

“This tool contains some words in the Russian language, such as the numbers one to four. The use of such a tool indicates that the two groups might have shared a tool set or used the services of the same developers in the past.”
