Tricks – INDIA NEWS (https://www.indiavpn.org)

Bumblebee Malware Returns with New Tricks, Targeting U.S. Businesses
https://www.indiavpn.org/2024/02/14/bumblebee-malware-returns-with-new-tricks-targeting-u-s-businesses/
Wed, 14 Feb 2024 19:02:24 +0000

Feb 14, 2024 | Newsroom | Malware / Cybercrime


The infamous malware loader and initial access broker known as Bumblebee has resurfaced after a four-month absence as part of a new phishing campaign observed in February 2024.

Enterprise security firm Proofpoint said the activity targets organizations in the U.S. with voicemail-themed lures containing links to OneDrive URLs.

“The URLs led to a Word file with names such as ‘ReleaseEvans#96.docm’ (the digits before the file extension varied),” the company said in a Tuesday report. “The Word document spoofed the consumer electronics company Humane.”

Opening the document triggers VBA macros that launch a PowerShell command to download and execute another PowerShell script from a remote server, which in turn retrieves and runs the Bumblebee loader.


Bumblebee, first spotted in March 2022, is mainly designed to download and execute follow-on payloads such as ransomware. It has been put to use by multiple crimeware threat actors that were previously observed delivering BazaLoader (aka BazarLoader) and IcedID.

It’s also suspected to have been developed by the threat actors behind the Conti and TrickBot cybercrime syndicate as a replacement for BazarLoader. In September 2023, Intel 471 disclosed a Bumblebee distribution campaign that employed Web Distributed Authoring and Versioning (WebDAV) servers to disseminate the loader.

The attack chain is notable for its reliance on macro-enabled documents, especially considering Microsoft began blocking macros in Office files downloaded from the internet by default starting July 2022, prompting threat actors to modify and diversify their approaches.

The return of Bumblebee also coincides with the reappearance of new variants of QakBot, ZLoader, and PikaBot, with samples of QakBot distributed in the form of Microsoft Software Installer (MSI) files.

“The .MSI drops a Windows .cab (Cabinet) archive, which in turn contains a DLL,” cybersecurity firm Sophos said on Mastodon. “The .MSI extracts the DLL from the .cab, and executes it using shellcode. The shellcode causes the DLL to spawn a second copy of itself and inject the bot code into the second instance’s memory space.”

The latest QakBot artifacts have been found to harden the encryption used to conceal strings and other information, including by employing a crypter called DaveCrypter, making the samples more challenging to analyze. The new generation also reinstates the ability to detect whether the malware is running inside a virtual machine or sandbox.


Another crucial modification includes encrypting all communications between the malware and the command-and-control (C2) server using AES-256, a stronger method than was used in versions prior to the dismantling of QakBot’s infrastructure in late August 2023.

“The takedown of the QakBot botnet infrastructure was a victory, but the bot’s creators remain free, and someone who has access to QakBot’s original source code has been experimenting with new builds and testing the waters with these latest variants,” Andrew Brandt, principal researcher at Sophos X-Ops, said.

“One of the most notable changes involves a change to the encryption algorithm the bot uses to conceal default configurations hardcoded into the bot, making it more difficult for analysts to see how the malware operates; the attackers are also restoring previously deprecated features, such as virtual machine (VM) awareness, and testing them out in these new versions.”

QakBot has also emerged as the second most prevalent malware for January 2024, trailing behind FakeUpdates (aka SocGholish) but ahead of other families like Formbook, Nanocore, AsyncRAT, Remcos RAT, and Agent Tesla.

The development comes as Malwarebytes revealed a new campaign in which phishing sites mimicking financial institutions like Barclays trick potential targets into downloading legitimate remote desktop software such as AnyDesk, purportedly to resolve non-existent issues, ultimately allowing threat actors to gain control of the machine.

AllaKore RAT Malware Targeting Mexican Firms with Financial Fraud Tricks
https://www.indiavpn.org/2024/01/27/allakore-rat-malware-targeting-mexican-firms-with-financial-fraud-tricks/
Sat, 27 Jan 2024 08:03:03 +0000

Jan 27, 2024 | Newsroom | Malware / Software Update


Mexican financial institutions are in the crosshairs of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.

The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021.

“Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process,” the Canadian company said in an analysis published earlier this week.

“The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.”


The attacks appear to be designed to single out large companies with gross revenues over $100 million. Targeted entities span the retail, agriculture, public sector, manufacturing, transportation, commercial services, capital goods, and banking sectors.

The infection chain begins with a ZIP file, distributed either via phishing or a drive-by compromise, which contains an MSI installer that drops a .NET downloader. The downloader confirms the victim’s Mexican geolocation and then retrieves the altered AllaKore RAT, a Delphi-based RAT first observed in 2015.

“AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim’s machine,” BlackBerry said.

The new functions added to the malware by the threat actor include support for commands related to banking fraud, targeting Mexican banks and crypto trading platforms, launching a reverse shell, extracting clipboard content, and fetching and executing additional payloads.

The threat actor’s links to Latin America come from the Mexican Starlink IP addresses used in the campaign, as well as the addition of Spanish-language instructions to the modified RAT payload. Furthermore, the lures employed only work for companies that are large enough to report directly to the Mexican Social Security Institute (IMSS).


“This threat actor has been persistently targeting Mexican entities for the purposes of financial gain,” the company said. “This activity has continued for over two years, and shows no signs of stopping.”

The findings come as IOActive said it identified three vulnerabilities in the Lamassu Douro bitcoin ATMs (CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177) that could allow an attacker with physical access to take full control of the devices and steal user assets.

The attacks are made possible by exploiting the ATM’s software update mechanism and the device’s ability to read QR codes to supply a malicious file and trigger the execution of arbitrary code. The issues were fixed by the Swiss company in October 2023.

LODEINFO Fileless Malware Evolves with Anti-Analysis and Remote Code Tricks
https://www.indiavpn.org/2024/01/25/lodeinfo-fileless-malware-evolves-with-anti-analysis-and-remote-code-tricks/
Thu, 25 Jan 2024 17:04:27 +0000

Jan 25, 2024 | Newsroom | Fileless Malware / Endpoint Security


Cybersecurity researchers have uncovered an updated version of a backdoor called LODEINFO that’s distributed via spear-phishing attacks.

The findings come from Japanese company ITOCHU Cyber & Intelligence, which said the malware “has been updated with new features, as well as changes to the anti-analysis (analysis avoidance) techniques.”

LODEINFO (versions 0.6.6 and 0.6.7) was first documented by Kaspersky in November 2022, detailing its capabilities to execute arbitrary shellcode, take screenshots, and exfiltrate files back to an actor-controlled server.

A month later, ESET disclosed attacks targeting Japanese political establishments that led to the deployment of LODEINFO.


The backdoor is the work of a Chinese nation-state actor known as Stone Panda (aka APT10, Bronze Riverside, Cicada, Earth Tengshe, MirrorFace, and Potassium), which has a history of orchestrating attacks targeting Japan since 2021.

Attack chains commence with phishing emails bearing malicious Microsoft Word documents that, when opened, execute VBA macros to launch downloader shellcode capable of ultimately executing the LODEINFO implant.


LODEINFO infection paths in 2023 have also been observed making use of remote template injection methods to retrieve and execute malicious macros hosted on the adversary’s infrastructure every time the victim opens a lure Word document containing the template.

What’s more, checks are said to have been added sometime around June 2023 to verify whether the language setting of Microsoft Office is Japanese, only for them to be removed a month later in attacks leveraging LODEINFO version 0.7.1.


“In addition, the filename of the maldoc itself has been changed from Japanese to English,” ITOCHU noted. “From this, we believe that v0.7.1 was likely used to attack environments in languages other than Japanese.”

Another notable change in attacks delivering LODEINFO version 0.7.1 is the introduction of a new intermediate stage that involves the shellcode downloader fetching a file that masquerades as a Privacy-Enhanced Mail (PEM) from a C2 server, which, in turn, loads the backdoor directly in memory.


The downloader shares similarities with a known fileless downloader dubbed DOWNIISSA, based on its self-patching mechanism for concealing malicious code, its encoding method for command-and-control (C2) server information, and the structure of the data decrypted from the fake PEM file.

“LODEINFO backdoor shellcode is a fileless malware that allows attackers to remotely access and operate infected hosts,” the company said, with samples found in 2023 and 2024 incorporating extra commands. The latest version of LODEINFO is 0.7.3.

“As a countermeasure, since both the downloader shellcode and the backdoor shellcode of LODEINFO are fileless malware, it is essential to introduce a product that can scan and detect malware in memory in order to detect it,” it added.

SystemBC Malware’s C2 Server Analysis Exposes Payload Delivery Tricks
https://www.indiavpn.org/2024/01/25/systembc-malwares-c2-server-analysis-exposes-payload-delivery-tricks/
Thu, 25 Jan 2024 15:20:00 +0000

Jan 25, 2024 | Newsroom | Remote Access Trojan


Cybersecurity researchers have shed light on the command-and-control (C2) server of a known malware family called SystemBC.

“SystemBC can be purchased on underground marketplaces and is supplied in an archive containing the implant, a command-and-control (C2) server, and a web administration portal written in PHP,” Kroll said in an analysis published last week.

The risk and financial advisory solutions provider said it has witnessed an increase in the use of the malware throughout Q2 and Q3 2023.

SystemBC, first observed in the wild in 2018, allows threat actors to remotely control a compromised host and deliver additional payloads, including trojans, Cobalt Strike, and ransomware. It also features support for launching ancillary modules on the fly to expand on its core functionality.


A standout aspect of the malware revolves around its use of SOCKS5 proxies to mask network traffic to and from C2 infrastructure, acting as a persistent access mechanism for post-exploitation.

Customers who end up purchasing SystemBC are provided with an installation package that includes the implant executable, Windows and Linux binaries for the C2 server, and a PHP file for rendering the C2 panel interface, alongside instructions in English and Russian that detail the steps and commands to run.

The C2 server executables — “server.exe” for Windows and “server.out” for Linux — are designed to open no less than three TCP ports: one for C2 traffic, one for inter-process communication (IPC) between the server and the PHP-based panel interface (typically port 4000), and one for each active implant (aka bot).

The server component also makes use of three other files to record information regarding the interaction of the implant as a proxy and a loader, as well as details pertaining to the victims.

The PHP-based panel, on the other hand, is minimalist in nature and displays a list of active implants at any given point of time. Furthermore, it acts as a conduit to run shellcode and arbitrary files on a victim machine.

“The shellcode functionality is not only limited to a reverse shell, but also has full remote capabilities that can be injected into the implant at runtime, while being less obvious than spawning cmd.exe for a reverse shell,” Kroll researchers said.

The development comes as the company also shared an analysis of an updated version of DarkGate (version 5.2.3), a remote access trojan (RAT) that enables attackers to fully compromise victim systems, siphon sensitive data, and distribute more malware.


“The version of DarkGate that was analyzed shuffles the Base64 alphabet in use at the initialization of the program,” security researcher Sean Straw said. “DarkGate swaps the last character with a random character before it, moving from back to front in the alphabet.”

Kroll said it identified a weakness in this custom Base64 alphabet that makes it trivial to decode the on-disk configuration and keylogging outputs, which are encoded using the alphabet and stored within an exfiltration folder on the system.

“This analysis enables forensic analysts to decode the configuration and keylogger files without needing to first determine the hardware ID,” Straw said. “The keylogger output files contain keystrokes stolen by DarkGate, which can include typed passwords, composed emails and other sensitive information.”
