Overview

Cyble Research & Intelligence Labs (CRIL) has investigated key ICS vulnerabilities this week, providing critical insights issued by the Cybersecurity and Infrastructure Security Agency (CISA), focusing on multiple flaws in several ICS products.

During this reporting period, CISA issued four security advisories targeting vulnerabilities across various Industrial Control Systems, including those from ICONICS, Mitsubishi Electric, VIMESA, iniNet Solutions, and Deep Sea Electronics. These advisories pinpoint ICS vulnerabilities that security teams should prioritize for immediate patching to mitigate potential risks.

The recent vulnerability assessment has revealed a high-severity path traversal vulnerability in SpiderControl SCADA. The Deep Sea Electronics DSE855 has also been identified as susceptible to a configuration disclosure vulnerability. This issue enables unauthorized access to stored credentials via an HTTP GET request directed at the Backup.bin file.

ICS Vulnerabilities Overview

The Cyble Research & Intelligence Labs (CRIL) analysis details several critical vulnerabilities, providing essential information to help organizations prioritize their mitigation efforts. The following vulnerabilities were identified as the most vulnerable ones to look out for and patch immediately, if susceptible:

• CVE-2024-7587: This vulnerability affects the ICONICS Suite, including products like GENESIS64 and Hyper Historian. This vulnerability is categorized as an issue of incorrect default permissions, which poses a high-severity risk to control systems such as DCS, SCADA, and BMS. A patch is available for this vulnerability.
• CVE-2024-9692: This vulnerability relates to the Blue Plus Transmitter from VIMESA. It involves improper access control and is rated as medium severity, impacting communication units and transmitters. A link to the patch is provided for this issue as well. 
• CVE-2024-10313: This vulnerability highlights a path traversal vulnerability in the SpiderControl HMI Editor from iniNet Solutions. This vulnerability is also classified as high severity and affects human-machine interface systems. A corresponding patch is accessible.
• CVE-2024-5947: The last vulnerability, CVE-2024-5947, is related to DSE855 from Deep Sea Electronics. This medium-severity vulnerability is characterized by missing authentication, affecting communication units and transmitters. A patch link is available for users to address this vulnerability.

The severity overview reveals that all disclosed vulnerabilities fall into medium and high severity categories but need urgent attention.

Recommendations and Mitigations

To effectively address the identified vulnerabilities and upgrade defenses, organizations should consider the following best practices:

1. Staying informed about security/patch advisories from vendors and regulatory bodies is crucial for timely updates.
2. Organizations should implement a risk-based vulnerability management strategy to minimize the potential for exploitation.
3. Threat intelligence analysts should actively monitor critical vulnerabilities published in CISA’s Known Exploited Vulnerabilities (KEV) catalog, especially those that are being actively exploited in the wild.
4. Effective network segmentation can prevent attackers from conducting reconnaissance and lateral movements, thereby reducing the exposure of critical assets.
5. Frequent vulnerability assessments and penetration testing are essential for identifying and rectifying security weaknesses.
6. Implement physical barriers to prevent unauthorized access to devices and networks.
7. An effective incident response plan outlines procedures for detecting, responding to, and recovering from security incidents. Regular testing and updates ensure its relevance to current threats.
8. Ongoing cybersecurity training for all employees, particularly those with access to OT systems, is crucial. Training should cover recognizing phishing attempts, proper authentication practices, and adherence to security protocols.

Conclusion

The vulnerabilities identified in this ICS vulnerability intelligence report call for urgent prioritization from organizations to take apt cybersecurity measures. With threats continuously evolving and exploits discussed in underground forums, staying vigilant and proactive is essential.

Implementing the recommendations outlined above will help organizations protect their critical infrastructure and maintain system integrity, ultimately reducing the risk of potential exploitation of ICS vulnerabilities.

Sources: https://www.cisa.gov/news-events/alerts/2024/10/31/cisa-releases-four-industrial-control-systems-advisories

The post ICS Vulnerability Intelligence Report: Key Insights and Recommendations appeared first on Cyble.

Blog – Cyble – ​Read More

Clearly, the sooner malicious actions come to the attention of security solutions and experts, the more effectively they’re able to minimize, or even prevent damage. Therefore, while working on new detection rules for our SIEM system named the Kaspersky Unified Monitoring and Analysis Platform, we pay special attention to identifying attackers’ activity at the very initial stage of an attack, when they try to collect information about infrastructure. We’re talking about activity related to the discovery tactics according to the Enterprise Matrix MITRE ATT&CK Knowledge Base classification.

Modern attackers are increasingly paying attention to containerization infrastructure, which is where rather dangerous vulnerabilities are sometimes found. For example, our May report on exploits and vulnerabilities describes the CVE-2024-21626 vulnerability, which allows for a container escape. That’s why in our Q3 2024 SIEM system update, among the rules for identifying atypical behavior that may indicate attacker activity at the initial data collection stage, we’ve added detection rules that catch (i) attempts to collect data on the containerization infrastructure, and (ii) traces of various attempts to manipulate the containerization system itself.

This was done by adding detection rules R231, R433, and R434, which are already available to Kaspersky Unified Monitoring and Analysis Platform users through the rule update system. In particular, they’re used to detect and correlate the following events:

• access to credentials inside a container;
• launching a container on a non-container system;
• launching a container with excessive privileges;
• launching a container with access to host resources;
• collecting information about containers using standard tools;
• searching for weak spots in containers using standard tools;
• searching for security vulnerabilities in containers using special utilities.

Considering the above-described update, there are now more than 659 rules available on the platform, including 525 rules with direct detection logic.

We continue to align our detection rules with the Enterprise Matrix MITRE ATT&CK Knowledge Base, which today describes 201 techniques, 424 sub-techniques, and thousands of procedures. As of today our solution covers 344 MITRE ATT&CK techniques and sub-techniques.

In addition, we’ve improved many old rules by correcting or adjusting conditions – for example, to reduce the number of false positives.

New and improved normalizers

In the latest update, we’ve also added to our SIEM system normalizers that allow you to work with the following event sources:

• [OOTB] OpenLDAP
• [OOTB] Avaya Aura Communication Manager syslog
• [OOTB] Orion soft Termit syslog
• [OOTB] Postfix
• [OOTB] Barracuda Web Security Gateway syslog
• [OOTB] Parsec ParsecNET
• [OOTB] NetApp SnapCenter file
• [OOTB] CommuniGate Pro
• [OOTB] Kaspersky Industrial CyberSecurity for Networks 4.2 syslog
• [OOTB] Yandex Cloud
• [OOTB] Barracuda Cloud Email Security Gateway syslog

Our experts have also improved normalizers for these sources:

• [OOTB] Yandex Browser
• [OOTB] Citrix NetScaler syslog
• [OOTB] KSC from SQL
• [OOTB] Microsoft Products for KUMA 3
• [OOTB] Gardatech Perimeter syslog
• [OOTB] KSC PostgreSQL
• [OOTB] Linux auditd syslog for KUMA 3.2
• [OOTB] Microsoft Products via KES WIN
• [OOTB] PostgreSQL pgAudit syslog
• [OOTB] ViPNet TIAS syslog

You can find the full list of supported event sources in the Kaspersky Unified Monitoring and Analysis Platform version 3.2 in the technical support section of our web site, where you can also get more information about correlation rules. We’ll continue to write about improvements to our SIEM system in future posts that can be found via the SIEM tag.

Kaspersky official blog – ​Read More

Overview

Cyble Research and Intelligence Labs (CRIL) researchers investigated 17 vulnerabilities and nine dark web exploits during the period of Oct. 23-29, and highlighted seven vulnerabilities that merit high-priority attention from security teams.

This week’s IT vulnerability report affects an unusually high number of exposed devices and instances: Vulnerabilities in Fortinet, SonicWall, and Grafana Labs can be found in more than 1 million web-facing assets, and a pair of 10.0-severity vulnerabilities in CyberPanel have already been mass-exploited in ransomware attacks.

Security teams should assess which of these vulnerabilities are present in their environments and the risks they pose and apply patches and mitigations promptly.

The Week’s Top IT Vulnerabilities

Here are the top IT vulnerabilities identified by Cyble threat intelligence researchers this week.

CVE-2024-40766: SonicWall SonicOS

CVE-2024-40766 is a 9.8-severity improper access control vulnerability in the administrative interface and controls in the SonicOS operating system used for managing SonicWall’s network security appliances and firewalls. Managed security firm Arctic Wolf has reported that Fog and Akira ransomware operators are increasingly exploiting this vulnerability in SSL VPN environments to gain an initial foothold to compromise networks. 

Cyble has detected more than 486,000 internet-exposed devices with this vulnerability, making it a critically important priority for security teams.

CVE-2024-47575 and CVE-2024-23113: Fortinet FortiOS and FortiManager

Fortinet environments are under attack from threat actors exploiting a pair of recent 9.8-severity vulnerabilities: CVE-2024-47575, also known as “FortiJump,” is a vulnerability in Fortinet FortiManager that allows an attacker to execute arbitrary code or commands via specially crafted requests. Recently, researchers disclosed that the threat actor tracked as UNC5820 has been exploiting the flaw since at least June 27, 2024.

For more than a week before the October 23 disclosure of CVE-2024-47575, security researchers were concerned that Fortinet was slow in disclosing a FortiManager zero-day known to be under exploitation. However, it appears that a week before the CVE was released, Fortinet notified customers of a FortiManager vulnerability and provided some recommended mitigations. Some FortiManager customers reported that they didn’t get that communication, suggesting a need for a clearer advisory process. Fortinet update its guidance on the vulnerability yesterday.

Cyble researchers also observed threat actors on a cybercrime forum discussing exploits of CVE-2024-23113, a critical vulnerability in multiple versions of FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager that allows remote, unauthenticated attackers to execute arbitrary code through specially crafted requests.

Cyble has identified 62,000 exposed instances of the FortiManager vulnerability, and 427,000 internet-facing Fortinet devices exposed to CVE-2024-23113 (see graphic below).

CVE-2024-9264: Grafana Labs

CVE-2024-9264 is a 9.4-severity vulnerability in the SQL Expressions experimental feature of Grafana, an open-source analytics and monitoring platform developed by Grafana Labs. It is designed to visualize and analyze data from various sources through customizable dashboards. This feature allows for the evaluation of ‘duckdb’ queries containing user input. These queries are insufficiently sanitized before being passed to ‘duckdb,’ leading to a command injection and local file inclusion vulnerability.

Cyble reported 209,000 internet-facing Grafana instances exposed to the vulnerability.

CVE-2024-51567 and CVE-2024-51568: CyberPanel

CVE-2024-51567 and CVE-2024-51568  are critical vulnerabilities in CyberPanel, an open-source web hosting control panel designed to simplify server management, particularly for those using the LiteSpeed web server. NVD has yet to rate the vulnerabilities, but MITRE has assigned them each a 10.0. CVE-2024-51567 is a flaw in upgrademysqlstatus in databases/views.py, which allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, and was exploited in the wild in October in a massive PSAUX ransomware attack.

CVE-2024-51568 is a command Injection flaw via completePath in the ProcessUtilities.outputExecutioner() sink.

Nearly 33,000 CyberPanel instances are exposed to these vulnerabilities, more than half of which have been targeted in mass ransomware and cryptominer attacks.

CVE-2024-46483: Xlight FTP Server

CVE-2024-46483 is a critical integer overflow vulnerability still undergoing analysis that affects Xlight FTP Server, a high-performance file transfer server for Windows designed to facilitate secure and efficient FTP and SFTP (SSH2) file transfers. The flaw lies in the packet parsing logic of the SFTP server, which can lead to a heap overflow with attacker-controlled content. Multiple organizations across various sectors use this server because of its Active Directory and LDAP integration functionalities. Cyble assesses that attackers could leverage this vulnerability in campaigns due to the availability of public Proof of Concepts (PoC).

Vulnerabilities and Exploits on Underground Forums

CRIL researchers observed multiple Telegram channels and cybercrime forums where channel administrators shared or discussed exploits weaponizing a number of vulnerabilities, some of which were discussed above. Others include:

CVE-2024-9464: A critical OS command injection vulnerability found in Palo Alto Networks’ Expedition tool, which allows an attacker to execute arbitrary OS commands as root, potentially leading to the disclosure of sensitive information.

CVE-2024-42640: A critical vulnerability affecting the angular-base64-upload library, specifically in versions prior to v0.1.21. This vulnerability allows remote code execution (RCE) through the demo/server.php endpoint, enabling attackers to upload arbitrary files to the server.

CVE-2024-3656: A high-risk vulnerability affecting Keycloak versions prior to 24.0.5. The vulnerability allows low-privilege users to access certain endpoints in Keycloak’s admin REST API, enabling them to perform actions reserved for administrators.

CVE-2024-9570: A critical buffer overflow vulnerability in the D-Link DIR-619L B1 router, specifically in firmware version 2.06, occurs in the ‘formEasySetTimezone’ function. The issue arises when the ‘curTime’ argument is manipulated, leading to a situation where an attacker can execute arbitrary code remotely.

CVE-2024-46538: A critical cross-site scripting (XSS) vulnerability in pfSense version 2.5.2 allows attackers to execute arbitrary web scripts or HTML by injecting a ‘crafted payload’ into the $pconfig variable, specifically through the ‘interfaces_groups_edit.php’ file.

CVE-2024-21305: A vulnerability identified as a Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass allows attackers to circumvent HVCI protections, enabling the execution of unauthorized code on affected systems running versions of Windows and Windows Server OS.

CVE-2024-23692: A critical vulnerability affecting the Rejetto HTTP File Server (HFS) that allows unauthenticated remote code execution (RCE) through a command injection flaw.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

• To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
• Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
• Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
• Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
• Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
• Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
• Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products and those that could be weaponized as entry points for wider attacks. With increasing discussions of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.

The post IT Vulnerability Report: Fortinet, SonicWall, Grafana Exposures Top 1 Million appeared first on Cyble.

Blog – Cyble – ​Read More

Cisco Talos’ Vulnerability Research team recently discovered five Nvidia out-of-bounds access vulnerabilities in shader processing, as well as eleven LevelOne router vulnerabilities spanning a range of possible exploits.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

NVIDIA Graphics remote out-of-bounds execution vulnerabilities

Discovered by Piotr Bania.

NVIDIA Graphics drivers are software for NVIDIA Graphics GPU installed on the PC. They are used to communicate between the operating system and the GPU device. This software is required in most cases for the hardware device to function properly.

Talos discovered multiple out-of-bounds read vulnerabilities in Nvidia that could be triggered remotely in virtualized environments, via web browser, potentially leading to disclosure of sensitive information and further memory corruption. Researchers used RemoteFX; while recently deprecated by Microsoft, some older machines may still use this software.

Advisories related to these vulnerabilities:
TALOS-2024-1955 (CVE-2024-0121)
TALOS-2024-2012 (CVE-2024-0117)
TALOS-2024-2013 (CVE-2024-0118)
TALOS-2024-2014 (CVE-2024-0120)
TALOS-2024-2015 (CVE-2024-0119)

LevelOne wireless SOHO router vulnerabilities

Discovered by Patrick DeSantis and Francesco Benvenuto.

Eleven vulnerabilities of different types were discovered in the LevelOne WBR-6012 SOHO router.

The LevelOne WBR-6012 is a low-cost wireless SOHO router, marketed as an easy-to-configure and operate internet gateway for homes and small offices.

Talos discovered these vulnerabilities in the R0.30e6 version of the router:

TALOS-2024-1979 (CVE-2024-28875,CVE-2024-31151): Hard-coded credentials exist in the web service, allowing attackers to gain unauthorized access during the first 30 seconds post-boot. Used with other vulnerabilities that force a reboot, time restrictions for exploitation can be greatly reduced. An undocumented user account with hard-coded credentials also exists.

TALOS-2024-1981 (CVE-2024-24777): A cross-site request forgery vulnerability exists in the web application, and a specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious web page to trigger this vulnerability.

TALOS-2024-1982 (CVE-2024-31152): An improper resource allocation vulnerability exists due to improper resource allocation within the web application. A series of HTTP requests can cause a reboot, which could lead to network service interruptions and access to a backdoor account.

TALOS-2024-1983 (CVE-2024-32946): A cleartext transmission vulnerability exists, and sensitive information is transmitted via FTP and HTTP services, exposing it to network sniffing attacks.

TALOS-2024-1984 (CVE-2024-33699): A weak authentication vulnerability exists in the web application firmware, which allows attackers to change the administrator password to gain higher privileges without knowing the current administrator password.

TALOS-2024-1985 (CVE-2024-33603): An information disclosure in the web application allows unauthenticated users to access an undocumented verbose system log page and obtain sensitive data, such as memory addresses and IP addresses for login attempts. This flaw could lead to session hijacking due to the device’s reliance on IP addresses for authentication.

TALOS-2024-1986 (CVE-2024-33626): A web application information disclosure vulnerability can reveal sensitive information, such as the Wi-Fi WPS PIN, through a hidden page accessible by an HTTP request. Disclosure of this information could enable attackers to connect to the device’s Wi-Fi network.

TALOS-2024-1996 (CVE-2024-23309): An authentication bypass vulnerability results from the web application’s reliance on client IP addresses for authentication. Attackers can spoof an IP address to gain unauthorized access without a session token.

TALOS-2024-1997 (CVE-2024-28052): A buffer overflow vulnerability can be caused by specially crafted HTTP POST requests with URIs containing 1,454 or more characters, not starting with “upn” or “upg”.

TALOS-2024-1998 (CVE-2024-33700): An improper input validation within the FTP functionality can enable attackers to cause denial of service through a series of malformed FTP commands.

TALOS-2024-2001 (CVE-2024-33623): A denial-of-service vulnerability, triggered by multiple types of specially crafted HTTP POST requests, will cause the router to crash.

Cisco Talos Blog – ​Read More

• Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
• The decoy email and fake PDF filenames are designed to impersonate a company’s legal department, attempting to lure the victim into downloading and executing malware. 
• This campaign abuses Google’s Appspot[.]com domains, a short URL and Dropbox service, to deliver an information stealer onto the target’s machine to avoid network security product detections. 
• Talos also observed the threat actor using multiple techniques to evade antivirus detection and sandbox analysis, such as code obfuscation, shellcode encryption, hiding malicious code in resource data to expand the file size to over 700 MB, and embedding LummaC2 or Rhadamanthys information stealers into legitimate binaries. 

Phishing email campaign targets Taiwan 

Talos observed an unknown threat actor conducting a malicious phishing campaign targeting victims in Taiwan since at least July 2024. The campaign specifically targets victims whose Facebook accounts are used for business or advertising purposes. 

The initial vector of the campaign is a phishing email containing a malware download link. The phishing email uses traditional Chinese in decoy templates and the fake PDF files, suggesting the target is likely traditional Chinese speakers. Some of the fake PDF filenames that we observed during our analysis are: 

• IMAGE COPYRIGHTED.exe 
• [Redacted] 的影片內容遭到侵犯版權.exe (translates to “[Redacted]’s video content has been copyright infringed.exe”) 
• 版權侵權信息- [Redacted] Media Co Ltd.exe (translates to “Copyright Infringement Information – [Redacted] Media Co Ltd.exe”) 
• 版權侵權信息- [Redacted] Media Group Inc.exe (translates to “Copyright Infringement Information – [Redacted] Media Group Inc.exe”) 
• 版權侵權信息- [Redacted] Technology Group.exe (translates to “Copyright Infringement Information – [Redacted] Technology Group.exe”) 
• 版權侵權信息- [Redacted] Co. Ltd.exe (translates to “Copyright Infringement Information – [Redacted] Co. Ltd.exe”) 
• [Redacted] Online -宣布侵權.exe (translates to “[Redacted] Online – declare infringement.exe”) 

The decoy email and fake PDF filenames are designed to impersonate a company’s legal department, attempting to lure the victim into downloading and executing malware. Another observation we found is that the fake PDF malware uses the names of well-known technology and media companies in Taiwan and Hong Kong. This provides strong evidence that the threat actor conducted thorough research before launching this campaign. 

Additionally, we observed two phishing emails masquerading as notices from a well-known industrial motor manufacturer and a famous online shopping store in Taiwan. The emails claim that the company’s legal representatives have issued a notice to a Facebook page administrator alleging copyright infringement due to the unauthorized use of their images and videos for product promotion. The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance. Last but not least, with these two emails, we can easily identify that the threat actor uses the same template with minor modifications, such as changing the company name, legal department information, address, and website.  

Phishing email impersonating a well-known industrial motor manufacturer. 

Phishing email impersonating a famous online shopping store. 

Attribution 

Talos observed an unknown image printing EPS file within the encrypted archive, with the filename “Support.” Based on the file name and file size, it is likely that all encrypted archives we found on VirusTotal, which we have not been able to decrypt, contain the same EPS files inside. Pivoting off the EPS file metadata and its preview image on a search engine, we found an identical image with the same file name on a Vietnamese-language website. However, there is no strong evidence that it was created by an author from that region.   

Support EPS file metadata. 

The support EPS file preview image in this campaign (left) and the image we found from the internet (right). 

Actor infrastructure 

The threat actor is abusing Google’s Appspot.com domains, a short URL and Dropbox service, to deliver an information stealer onto the target’s machine. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. When the victim clicks on the download link, it initially connects to Appspot.com, then redirects to a short URL created by a third-party service, and finally redirects to Dropbox to download the malicious archive. The actor is using the third-party data storage service as a download server to deceive network defenders.  

Malware download link. 

We also discovered that the actor is using multiple command and control (C2) domains in the campaign. The DNS requests for the domains during our analysis period are shown in the graph, indicating the campaign is ongoing.  

C2 domain DNS requests. 

Malware infection summary 

The infection chain begins with a phishing email containing a malicious download link. When the victim downloads the malicious RAR file, they will need a specific password to extract it, revealing a fake PDF executable malware and an image printing file. Once the malware is decrypted and the fake PDF executable is run, it will execute the embedded LummaC2 or Rhadamanthys information stealer, which then collects the victim’s credentials and data, sending them back to the C2 server. 

The malicious RAR file usually contains a fake PDF executable malware and an image printing file, but we observed a few malicious RAR files that contain an additional DLL file. However, without the correct password, we are not able to extract the malicious RAR file and analyze it. 

The RAR file contains a fake PDF and an image printing file.  

The RAR file contains a fake PDF, an image printing file, and additional DLL file. 

The fake PDF executable malware variant was delivered as a payload in this campaign. This malware will embed LummaC2 or Rhadamanthys information stealers into legitimate binary and the legitimate binary including iMazing Converter, foobar2000, Punto Switcher, PDF Visual Repair, LedStatusApp, and PrivacyEraser. Below shows one of the file details of the fake PDF executable. 

Fake PDF file detail information. 

LummaC2 stealer and its loader 

LummaC2 Stealer is a type of malware designed to exfiltrate sensitive information from compromised systems. It can target system details, web browsers, cryptocurrency wallets, and browser extensions. Written in C, this malware is sold on underground forums. To avoid detection and analysis, it employs various obfuscation methods. The malware connects to a C2 server to receive instructions and transmit the stolen data. 

The loader for LummaC2 changes the execution flow of the binary malware, causing it to invoke an unknown library to execute the malicious code functions. This strategic modification complicates detection and analysis efforts. Once these malicious functions are invoked, the malware utilizes the CreateFileMappingA API to write the payload into a mapped memory block, effectively hiding it within the system’s memory. After successfully mapping the payload, the malware then executes it. 

Call to an unknown library to execute the malicious code functions. 

When the malware begins executing the shellcode in memory, it first decrypts the second half of the program block, which contains part of the shellcode loader and the LummaC2 malware execution file. Once the decryption is complete, it will call the VirtualAllocate API to allocate a memory block, write the information stealer’s execution file to that block, and then execute it.   

Jump code to shellcode block. 

Encrypted shellcode (left side) and decrypted shellcode (right side). 

We also collected all of the build IDs of the LummaC2 in this campaign and below are the screenshots of the LummaC2 stealer alert message box and its POST message. 

Alert message shown to the user when executing LummaC2. 

POST message with act=life and url path /api. 

Build ID: 

• sTDsFx–Socks 
• iAlMAC–ghost 

Rhadamanthys stealer and its loader 

Rhadamanthys is a sophisticated information stealer that emerged in 2022 and is sold on underground forums. This comprehensive stealer malware is capable of gathering system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data from various other applications. It employs numerous anti-analysis techniques, complicating analysis efforts and hindering its execution in sandbox environments. 

We observed the Rhadamanthys loader in this campaign contains 10 sections in its binary structure. Despite the presence of multiple sections, the threat actor specifically targets the .rsrc section to insert the malicious code. This section is heavily obfuscated to conceal the malicious activities and make analyses more challenging. The choice of the .rsrc section is strategic, as it is typically associated with resource data like icons and menus, making it less likely to raise immediate suspicion.  

The loader of Rhadamanthys binary structure sections. 

After analysis, we discovered that the Rhadamanthys loader employs several sophisticated techniques to ensure its persistence and evasion. Initially, the loader copies itself and writes the file to “C:Users[user]DocumentslumuiUpdaterffUpdaar.exe”. In order to avoid detection by antivirus programs and sandbox environments, it expands the file size to over 700 MB. This significant increase in file size is intended to bypass heuristic and signature-based detection mechanisms commonly used by security products, which may struggle to process such large files effectively. 

The loader copies itself to the lumuiUpdater folder. 

Furthermore, the loader is configured to start automatically by modifying the Windows Registry. It writes an entry to “HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun” and key name value “sausageLoop”, a registry key that specifies programs to be launched during the system startup. This registry modification ensures that the malicious loader is executed every time the victim’s computer restarts, thereby maintaining its persistence on the infected system. 

The loader is configured to start automatically. 

Finally, the loader executes the legitimate system process “%Systemroot%system32dialer.exe” and injects Rhadamanthys’ payload into it. This process injection technique allows the malware to run its malicious code within the context of a legitimate system process, further evading detection. Additionally, it uses mutex objects to ensure that only one instance of the malware runs on the infected host. Below is the list of mutex names we observed in this campaign, which has also been disclosed in previous reporting by other. 

• GlobalMSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
• Session1MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
• Session2MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
• Session3MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
• Session4MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
• Session5MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
• Session6MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
• Session7MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
• Session8MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 

Coverage 

 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64167-64169. 

IOC 

IOCs for this research can also be found at our GitHub repository here. 

Cisco Talos Blog – ​Read More