The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-49138 to its Known Exploited Vulnerabilities (KEV) catalog based on evidence that the flaw is being actively exploited. The vulnerability, in the Microsoft Windows Common Log File System (CLFS) driver, is a heap-based buffer overflow that allows a local attacker to escalate privileges on unpatched systems. Microsoft fixed it in its December 2024 Patch Tuesday release alongside a number of other vulnerabilities, including several rated critical.
CVE-2024-49138 is a heap-based buffer overflow vulnerability in the CLFS driver. This driver is used by both user-mode and kernel-mode software in Windows for general-purpose logging. This vulnerability affects several versions of Microsoft Windows operating systems, including Windows 10 and 11, as well as several Windows Server versions.
Heap-based buffer overflows such as CVE-2024-49138 are a common class of memory-safety bug. Depending on the target, they can cause crashes and denial of service or give an attacker arbitrary code execution. In the case of CVE-2024-49138, exploitation lets an attacker who already has local access escalate to SYSTEM privileges, giving them full control of the compromised machine.
This issue was actively exploited in the wild before it was addressed by Microsoft, which makes it particularly dangerous. The flaw has been assigned a CVSSv3.1 score of 7.8 (high severity).
CVE-2024-49138 Impact on Affected Systems
The vulnerability affects a broad range of Windows operating systems. Specifically, it impacts Windows 11 versions 22H2, 23H2, and 24H2 for both x64 and ARM64-based systems. In addition, Windows 10 versions from 1607 to 22H2 are vulnerable, including x64, ARM64, and 32-bit systems.
Furthermore, several Windows Server versions are also impacted, spanning from Server 2008 to Server 2025. This includes Windows Server 2012, 2016, 2019, and 2022, with both Server Core and full installations affected. This broad exposure increases the potential for exploitation across personal and enterprise environments alike.
Active Exploitation and Patch Release
Given that CVE-2024-49138 was exploited before a fix was available, Microsoft’s December 2024 Patch Tuesday update is a priority. Microsoft rated the vulnerability “important” rather than “critical” (it requires local access), but confirmed in-the-wild exploitation makes it an immediate threat to any organization or user that has not yet applied the patch.
An official security update was issued for all affected systems, and users are encouraged to install it as soon as possible to mitigate the risk of attack. CISA’s inclusion of CVE-2024-49138 in its Known Exploited Vulnerabilities Catalog highlights the growing focus on vulnerabilities that attackers are actively targeting.
By cataloging such issues, CISA aims to increase awareness and ensure that organizations prioritize the application of patches for vulnerabilities that are under active exploitation.
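The practical use of the KEV catalog is to reorder remediation queues: a finding that is in KEV should be fixed before a higher-CVSS finding that is not. The following is an added example (not CISA’s or Microsoft’s code) that loads a constructed excerpt in the shape of the KEV JSON feed, cross-references it against constructed vulnerability-scanner output, and orders the findings by KEV due date first and CVSS second. The scanner rows, host names, and the KEV entry text are all constructed for the example; check the live feed for the authoritative dates.

```python
import json
from datetime import date, datetime

# Constructed excerpt in the shape of CISA's KEV JSON feed (the live file is
# known_exploited_vulnerabilities.json on cisa.gov). The entry below was written
# for this example and is not a copy of the catalog.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2024-49138",
      "vendorProject": "Microsoft",
      "product": "Windows",
      "vulnerabilityName": "Microsoft Windows CLFS Driver Heap-Based Buffer Overflow Vulnerability",
      "dateAdded": "2024-12-10",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2024-12-31",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""

# Constructed vulnerability-scanner output: one row per (host, CVE).
SCAN_FINDINGS = [
    {"host": "ws-0412", "cve": "CVE-2024-49138", "cvss": 7.8},
    {"host": "srv-file01", "cve": "CVE-2024-49112", "cvss": 9.8},
    {"host": "ws-0099", "cve": "CVE-2024-49138", "cvss": 7.8},
    {"host": "srv-db02", "cve": "CVE-2024-49093", "cvss": 8.8},
]


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE ID so lookups are O(1)."""
    feed = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def prioritize(findings, kev_index, today):
    """Annotate scan findings with KEV status and order them for remediation:
    KEV entries first (closest due date first), then everything else by CVSS.
    A high CVSS alone does not outrank confirmed in-the-wild exploitation."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for finding in findings:
        row = dict(finding)
        entry = kev_index.get(finding["cve"])
        row["in_kev"] = entry is not None
        if entry:
            due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
            row["due_date"] = entry["dueDate"]
            row["days_until_due"] = (due - today).days   # negative means overdue
            row["ransomware_use"] = entry.get("knownRansomwareCampaignUse", "Unknown")
        rows.append(row)
    rows.sort(key=lambda r: (not r["in_kev"], r.get("days_until_due", 0), -r["cvss"]))
    return rows


def overdue_hosts(rows):
    """Hosts whose KEV finding is already past its due date."""
    return sorted(r["host"] for r in rows if r["in_kev"] and r["days_until_due"] < 0)


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    for r in prioritize(SCAN_FINDINGS, kev, date.today()):
        tag = f"KEV due {r['due_date']} ({r['days_until_due']:+d}d)" if r["in_kev"] else "not in KEV"
        print(f"{r['host']:12} {r['cve']:16} CVSS {r['cvss']:<4} {tag}")
```

In a real pipeline the feed is fetched from cisa.gov on a schedule and the scanner rows come from the vulnerability-management export; the ordering logic stays the same.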
Recommendations and Mitigation Strategies
To protect systems from CVE-2024-49138, organizations and individual users should follow these practices:
The Microsoft Patch Tuesday update for December 2024 addresses CVE-2024-49138. Ensure that all affected systems are updated with the latest patches; Microsoft’s advisory for the CVE lists the update for each affected build.
Implement a consistent patch management strategy to ensure all vulnerabilities are patched as soon as updates are available. Automating patching processes can reduce the risk of missed updates, especially for critical vulnerabilities like CVE-2024-49138.
Organizations should feed endpoint telemetry (process creation, token and privilege changes, new services and drivers) into a Security Information and Event Management (SIEM) system to detect privilege-escalation activity. Because CVE-2024-49138 is a local elevation-of-privilege flaw rather than a network-facing one, host logs rather than network traffic are where exploitation attempts will show up.
An effective incident response plan is essential. Organizations should regularly test their response procedures for various vulnerabilities, including those that target Microsoft Windows components like the CLFS driver.
Users running older, unsupported versions of Windows should prioritize upgrading to supported versions to reduce their exposure to vulnerabilities such as CVE-2024-49138.
Conclusion
CISA’s inclusion of this flaw in its Known Exploited Vulnerabilities Catalog emphasizes the urgency of applying the December 2024 Patch Tuesday update. Organizations should adopt automated patch management, use SIEM systems for early detection, and have an incident response plan in place. Users running outdated Windows versions should upgrade to reduce vulnerability.
New Zealand’s National Cyber Security Centre (NCSC) has revealed its Cyber Security Insights Report for Q3 2024, offering a detailed overview of the cyber threats impacting New Zealand. The third-quarter report highlights an increase in cyber incidents, providing a deeper understanding of threat actors targeting individuals, businesses, and organizations across the country.
According to the NCSC’s Cyber Security Insights Report, the number of reported incidents surged to 1,905 in Q3 2024, marking a 58% increase compared to the previous quarter. While this rise might initially seem disconcerting, the NCSC noted that such an increase is actually a positive development. It reflects more New Zealanders and businesses taking proactive steps by reporting cyber incidents, thereby contributing to the country’s overall security posture.
The report stresses several key trends, with incidents of unauthorized access almost doubling. Additionally, phishing and credential harvesting incidents jumped by 70%, illustrating the heightened efforts of cybercriminals trying to trick victims into clicking malicious links.
Overview of the NCSC’s Cyber Security Insights Report
The NCSC’s report highlighted various online threats that New Zealanders faced in Q3 2024. Threat actors have increasingly targeted routers, attempting to break into home and business networks.
Another threat identified is the Adversary-in-the-Middle (AitM) phishing attack, which compromises session cookies to bypass traditional security measures. Furthermore, the report introduces dynamic CVVs—a new technology aimed at curbing online fraud and offering more security for card transactions.
As the holiday season approaches, the NCSC also warns of common scams designed to steal personal information and money. New Zealanders are encouraged to visit the NCSC’s Own Your Online website for additional guidance on recognizing and avoiding these scams.
Financial Impact and Incident Breakdown
The NCSC’s analysis of financial losses in Q3 2024 reveals a 19% decrease compared to the previous quarter, with reported direct financial losses totaling $5.5 million. However, 25% of all incidents reported still resulted in some form of financial loss.
A closer look at the types of incidents shows that phishing and credential harvesting continue to be the most prevalent types of cybercrime. These incidents accounted for 43% of all reported incidents. Other categories include scams and fraud (31%) and unauthorized access (16%).
Here is the breakdown of incidents by category for Q3 2024:
The Phishing Disruption Service (PDS), a free service provided by the NCSC, continues to play an important role in protecting New Zealanders. By collecting and analyzing phishing links reported by the public, the NCSC actively publishes verified phishing indicators for organizations to block. In Q3 2024, the NCSC processed over 20,500 phishing indicators, with more than 6,200 of those being added to the PDS.
In Q3 2024, postage and shipping services were the industries most commonly impersonated by phishing scammers, reflecting an increasing trend in scams targeting the e-commerce and logistics sectors.
Conclusion
The NCSC Q3 2024 report records 98 incidents affecting nationally significant organisations, ranging from minor to notable in severity; none was categorised at the top of the severity scale as a national emergency.
The rising number of cyber incidents emphasizes the need for improved cybersecurity measures as cybercriminals adapt their tactics. Phishing attacks and unauthorized access continue to be prominent threats, highlighting the importance of strong security practices like multi-factor authentication and advanced threat detection.
Editor’s note: The current article is authored by Mostafa ElSheimy, a malware reverse engineer and threat intelligence analyst. You can find Mostafa on X and LinkedIn.
In this malware analysis report, we will delve into Nova, a newly discovered fork of the Snake Keylogger family. This variant has been observed employing even more sophisticated tactics, signaling the continued adaptation and persistence of the Snake malware family in the cybersecurity landscape.
Overview of Snake Keylogger
Snake Keylogger, a .NET-based malware first identified in November 2020, is infamous for its credential-stealing and keylogging capabilities.
It primarily spreads through phishing and spearphishing campaigns, where malicious Office documents or PDFs are used to deliver downloader scripts via PowerShell. Once executed, Snake Keylogger captures keystrokes, steals saved credentials, takes screenshots, and extracts clipboard data.
As of 2024, Snake Keylogger has continued to evolve, adopting advanced evasion techniques such as process hollowing and heavily obfuscated code to avoid detection.
This variant uses a suspended child process to inject its payload, which makes it more difficult for security software to identify and neutralize. Furthermore, reports indicate that Snake Keylogger has grown more prevalent, with significant spikes in zero-day detections, suggesting its ongoing threat to both personal and corporate cybersecurity.
Technical Analysis Using ANY.RUN Sandbox
Let’s run a sandbox analysis session using ANY.RUN’s Interactive Sandbox to discover the technical details of this malware.
Nova scans the registry keys and their subkeys, checking for entries containing email or password data.
If such entries are found, Nova attempts to decrypt the password using the decryptOutlookPassword method.
4. Decrypting passwords
The decryptOutlookPassword method performs the following actions:
Takes the encrypted Outlook password as a byte array.
Removes the first byte from the array.
Decrypts the remaining data and converts it to a readable string.
Strips any null characters from the resulting string before returning it.
Stripping null characters
5. Retrieving account details
It retrieves the email value and converts it to a byte array using GetBytes.
Then it retrieves the SMTP server value, if available, and adds the recovered account details to the list.
Account details retrieval
Extracting and Decrypting Browser Login Information
Various functions exist for extracting browser login credentials. For this analysis, we will focus on Chrome_Speed, which targets Google Chrome’s saved login data.
The process of extracting browser login credentials
1. Locating the Login Data file
Chrome_Speed constructs the path to the Login Data SQLite file, where Chrome stores saved login credentials, and verifies that the file exists before proceeding.
2. Retrieving Login entries
It loops through each login entry, retrieving the origin_url, username_value, and password_value.
3. Decrypting passwords
If a stored password carries the “v10” prefix (Chrome’s newer AES-GCM format), it is decrypted with the master key recovered from the Local State file. For older entries, which are encrypted directly with DPAPI, an alternative method, Decrypttttt, is employed.
Key Methods Analyzed
Let’s analyze GetMasterKey and Decrypttttt methods:
1. GetMasterKey
GetMasterKey retrieves and decrypts the master key used by Google Chrome to protect saved passwords. It reads the encrypted master key from the Local State file located in the Chrome user data directory, then decrypts it for further use.
Use of GetMasterKey method
The process begins by constructing the path to the Local State file, which stores the encrypted master key.
It first checks for the existence of the Local State file; if the file is absent, the method returns null.
Upon confirming the file’s presence, the contents are read, and a regular expression is employed to extract the encrypted master key.
The method iterates through the matches to convert the encrypted key from a Base64 string into a byte array.
Notably, a new byte array is created that excludes the first five bytes of the original array: these are the literal “DPAPI” prefix Chrome prepends to the key, not part of the key itself.
Finally, the method attempts to decrypt the trimmed key using the ProtectedData.Unprotect method, which is designed to decrypt data that has been secured with the ProtectedData.Protect method.
The Unprotect method is a function that decrypts data protected by the Windows Data Protection API (DPAPI). It first checks if the input data is valid and compatible with NT-based systems.
The method then pins the memory of the encrypted data and any optional entropy to avoid issues during decryption.
It calls CryptUnprotectData to decrypt the data and handles errors by throwing exceptions when needed.
Finally, it clears sensitive data from memory before releasing resources.
2. Decrypttttt
Decrypttttt method is a function that decrypts a byte array using the Windows Data Protection API (DPAPI).
It begins by initializing data structures to hold the encrypted data and the decrypted output.
The method pins the input byte array in memory to prevent the garbage collector from moving it during decryption.
After setting up the necessary structures, it calls CryptUnprotectData API to perform the decryption.
Once the data is decrypted, the method copies the output into a new byte array, converts it to a string, and removes any trailing null characters.
Finally, it returns the decrypted string, ensuring proper handling of sensitive data throughout the process.
Use of Decrypttttt method
Let’s get back to Chrome_Speed function
It combines the URL, username, and password into a formatted string:
"\r\n============X============\r\nURL: "
"\r\nUsername: "
"\r\nPassword: "
"\r\nApplication: Google Chrome\r\n=========================\r\n "
The formatted string is appended to a collection of stored credentials for further use or exfiltration.
Extracting Windows Product Key
The process of extracting the Windows product key involves accessing the system registry and decoding the DigitalProductID. Here’s a detailed breakdown:
Accessing the registry
First, it opens the “Software\Microsoft\Windows NT\CurrentVersion” registry key.
Fetching DigitalProductID
Then, the DigitalProductID is fetched from the registry as a byte array. This ID is used to generate the Windows product key.
Extracting relevant bytes
A specific portion of the DigitalProductID is copied into a new byte array.
The product key is derived from the 15 bytes starting at index 52 of the source array.
Decoding the product key
The outer loop runs 25 times (from 0 to 24) to form the product key. The inner loop processes each byte in reverse (from 14 to 0) to decode and generate the corresponding characters.
The process of accessing the system registry and decoding the DigitalProductID
Formatting the product key
The method returns the formatted product key as a string (e.g., XXXXX-XXXXX-XXXXX-XXXXX-XXXXX)
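The nested loop described above is a long division: the 15 key bytes are read as a little-endian integer and repeatedly divided by 24, each remainder selecting one character from the 24-symbol product-key alphabet. The following is an added example (not the malware’s code) that implements that decoder in Python, plus the inverse encoder so a constructed DigitalProductId blob can be round-tripped offline. Reading the real registry value is shown in a separate, Windows-only function that the offline run does not call. One caveat: Windows 8 and later mark “N” editions with flag bits in the last key byte and need an extra rearrangement step; the loop here matches the classic algorithm the analysis describes.

```python
KEY_CHARS = "BCDFGHJKMPQRTVWXY2346789"   # the 24-symbol alphabet used by Windows product keys
KEY_OFFSET = 52                          # the 15 key bytes sit at DigitalProductId[52:67]
KEY_LEN = 15


def decode_product_key(digital_product_id: bytes) -> str:
    """Decode the classic (pre-Windows 8) product key from a DigitalProductId blob,
    mirroring the 25 x 15 nested loop: long division of a little-endian integer by 24."""
    key = bytearray(digital_product_id[KEY_OFFSET:KEY_OFFSET + KEY_LEN])
    if len(key) != KEY_LEN:
        raise ValueError("DigitalProductId too short")
    chars = []
    for _ in range(25):                          # outer loop: one base-24 digit per pass
        cur = 0
        for j in range(KEY_LEN - 1, -1, -1):     # inner loop: most significant byte first
            cur = (cur << 8) | key[j]
            key[j] = cur // 24                   # quotient byte written back in place
            cur %= 24                            # remainder carried to the next byte
        chars.append(KEY_CHARS[cur])             # remainder after the last byte is the digit
    raw = "".join(reversed(chars))               # first digit produced is the least significant
    return "-".join(raw[i:i + 5] for i in range(0, 25, 5))


def encode_product_key(product_key: str) -> bytes:
    """Inverse of the decoder: pack a 25-character key into 15 little-endian bytes.
    Used here only to build test input; 24**25 < 256**15, so it always fits."""
    digits = product_key.replace("-", "").upper()
    if len(digits) != 25 or any(c not in KEY_CHARS for c in digits):
        raise ValueError("malformed product key")
    value = 0
    for c in digits:
        value = value * 24 + KEY_CHARS.index(c)
    return value.to_bytes(KEY_LEN, "little")


def build_fake_digital_product_id(product_key: str) -> bytes:
    """Constructed 164-byte DigitalProductId with only the key bytes populated."""
    blob = bytearray(164)
    blob[KEY_OFFSET:KEY_OFFSET + KEY_LEN] = encode_product_key(product_key)
    return bytes(blob)


def read_digital_product_id() -> bytes:
    """Windows only: read the same registry value the malware reads (not used offline)."""
    import winreg
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _ = winreg.QueryValueEx(key, "DigitalProductId")
    return bytes(value)


if __name__ == "__main__":
    sample = "BCDFG-HJKMP-QRTVW-XY234-6789B"      # constructed key, not a real licence
    print(decode_product_key(build_fake_digital_product_id(sample)))
```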
Getting Victim’s Info
The process gathers key information about the victim, including:
IP Address
Country
PC Name
Date and Time
It gets the victim’s IP by making a request to: hxxp[://]checkip[.]dyndns[.]org/
The country information is retrieved by querying: hxxps[://]reallyfreegeoip[.]org/xml/
Data format
The collected information is structured in a formatted string for further use:
Getting Clipboard Data
The process of extracting data from the clipboard involves the following steps:
IsClipboardFormatAvailable checks if the clipboard contains text in Unicode format
OpenClipboard opens the clipboard to allow examination and retrieval of data
GetClipboardData retrieves the data handle from the clipboard in the specified format
Retrieval of clipboard data
Exfiltration
Nova supports three data exfiltration methods: FTP, SMTP, or Telegram, depending on the configuration set by the malware author.
It compares the UltraSpeed.QJDFjPqkSr value against specific flags:
“#FTPEnabled”: If true, data is exfiltrated via FTP.
“#SMTPEnabled”: If true, data is exfiltrated via SMTP.
“#TGEnabled”: If true, data is exfiltrated via Telegram.
UltraSpeed.QJDFjPqkSr value compared against specific flags
In this particular sample, the exfiltration method is Telegram:
As we see, there are no credentials provided for SMTP and FTP servers:
Telegram Exfiltration
The code responsible for exfiltration through Telegram includes details about the bot and its endpoint for sending data:
Telegram exfiltration
Telegram API endpoint: hxxps[://]api[.]telegram[.]org/bot7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI
Process communication with Telegram detected by ANY.RUN sandbox
The JSON responses retrieved from the Telegram Bot API (shown as screenshots in the original report) contain detailed information about the bots associated with the Nova family of malware.
Information about a bot with the username “skullsnovabot”
Information about a bot with the username “onumenbot”
Information about a bot with the username “santigeebot”
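Because Telegram exfiltration is just HTTPS to api.telegram.org, the bot token and API method are visible in any proxy or egress log that records URLs. The following is an added example (not part of the original analysis) that scans constructed proxy log lines for Bot API URLs, extracts and redacts the token, ranks calls that send data (sendDocument, sendMessage, sendPhoto) above reconnaissance calls such as getMe, and builds the getMe URL an analyst would query to identify the bot, as the report did. The log layout (“timestamp source method URL status bytes”) and the token are assumptions made up for the example; the token is a placeholder, not the IOC above.

```python
import re

# Telegram Bot API URL shape: https://api.telegram.org/bot<bot_id>:<secret>/<method>
# bot_id is numeric; the secret part is 35 characters drawn from [A-Za-z0-9_-].
BOT_URL_RE = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})(?:/(?P<method>[A-Za-z]+))?"
)
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Constructed proxy log lines in an assumed "ts src http_method url status bytes" layout.
# The bot token is a fake placeholder written for this example.
PROXY_LOG = """\
2024-12-11T10:15:01Z 10.0.0.23 GET https://api.telegram.org/bot1234567890:AAFfakeTokenFakeTokenFakeToken12345/getMe 200 312
2024-12-11T10:15:02Z 10.0.0.23 POST https://api.telegram.org/bot1234567890:AAFfakeTokenFakeTokenFakeToken12345/sendDocument 200 48213
2024-12-11T10:16:00Z 10.0.0.41 GET https://web.telegram.org/a/ 200 9000
2024-12-11T10:17:44Z 10.0.0.23 POST https://api.telegram.org/bot1234567890:AAFfakeTokenFakeTokenFakeToken12345/sendMessage 200 150
"""


def redact_token(bot_id: str, secret: str) -> str:
    """Keep enough of the secret to correlate across reports without reproducing it."""
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def bot_info_url(bot_id: str, secret: str) -> str:
    """The getMe endpoint; its JSON response names the bot (as in the screenshots above)."""
    return f"https://api.telegram.org/bot{bot_id}:{secret}/getMe"


def scan_proxy_log(text: str) -> list:
    """Return one hit per log line that calls the Telegram Bot API."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 6:
            continue
        ts, src, http_method, url, status, nbytes = parts[:6]
        m = BOT_URL_RE.search(url)
        if not m:
            continue                         # ordinary Telegram web traffic is not a Bot API call
        api_method = m.group("method") or ""
        hits.append({
            "line": lineno, "ts": ts, "src": src, "http_method": http_method,
            "bot_id": m.group("bot_id"),
            "token": redact_token(m.group("bot_id"), m.group("secret")),
            "api_method": api_method,
            "severity": "high" if api_method in EXFIL_METHODS else "medium",
        })
    return hits


def summarize(hits: list) -> dict:
    """Per (source IP, bot id): the set of API methods seen, a quick picture of the exfil channel."""
    summary = {}
    for h in hits:
        summary.setdefault((h["src"], h["bot_id"]), set()).add(h["api_method"])
    return summary


if __name__ == "__main__":
    for h in scan_proxy_log(PROXY_LOG):
        print(f"line {h['line']}: {h['src']} -> bot {h['token']} {h['api_method']} [{h['severity']}]")
    print(summarize(scan_proxy_log(PROXY_LOG)))
```

Legitimate automation also uses the Bot API, so treat a hit as a lead to pivot on (which host, which process, how much data) rather than a verdict, and keep the redacted form in tickets; the full token is only needed for the getMe lookup.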
Code Reference to “NOVA”
The malware’s source code explicitly mentions “NOVA”, reinforcing its attribution to this specific malware family.
Conclusion
The Nova variant of the Snake Keylogger represents a significant evolution of its predecessor, with advanced evasion techniques and a broader array of data exfiltration capabilities.
Written in VB.NET, Nova is protected with the .NET Reactor obfuscator and uses process hollowing to evade detection, making it a more persistent and stealthy threat. Through credential harvesting from a wide range of browsers and email clients, along with other sensitive data, Nova demonstrates its ability to target both personal and corporate systems effectively.
The malware is capable of extracting a wide range of valuable information, including saved passwords, credit card details, and system keys, from both browsers and email clients. In addition, its ability to gather data from a victim’s clipboard and exfiltrate it via multiple channels—such as FTP, SMTP, or Telegram—demonstrates its adaptability and versatility.
While the use of Telegram as the exfiltration method in this specific sample shows a shift towards more covert communication, the ability to switch exfiltration methods allows the malware to avoid detection by security systems that might block certain channels. The malware’s integration with popular tools like Telegram also indicates its use in large-scale, automated cybercrime activities, making it a serious threat to organizations and individuals alike.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
With ANY.RUN you can:
Detect malware in seconds
Interact with samples in real time
Save time and money on sandbox setup and maintenance
The Patch Tuesday for December of 2024 includes 72 vulnerabilities, including four that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”
Microsoft assessed that exploitation of the four “critical” vulnerabilities is “less likely.”
CVE-2024-49112 is the most serious of this bunch, with a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability in Windows Lightweight Directory Access Protocol (LDAP) calls to execute arbitrary code within the context of the LDAP service. Additionally, CVE-2024-49124 and CVE-2024-49127 allow an unauthenticated attacker to send a specially crafted request to a vulnerable LDAP server and, if they win a race condition, execute their code. Although these vulnerabilities are marked “critical” and carry high CVSS scores, Microsoft has determined that exploitation is “less likely.”
CVE-2024-49126 is a remote code execution vulnerability in the Windows Local Security Authority Subsystem Service (LSASS). An attacker with no privileges could execute malicious code in the context of the server’s account through a network call. Despite being rated “critical,” successful exploitation requires the attacker to win a race condition, so the attack complexity is high and Microsoft has determined that exploitation is “less likely.”
CVE-2024-49105 is a “critical” remote code execution vulnerability in the Remote Desktop Client. An authenticated attacker could exploit it to trigger remote code execution via a remote desktop connection using Microsoft Management Console (MMC). Microsoft has assessed exploitation as “less likely,” and it has not been detected in the wild.
CVE-2024-49117 is a remote code execution vulnerability in Windows Hyper-V. Although marked “critical,” Microsoft has determined that exploitation is “less likely.” Exploitation requires an authenticated attacker on a guest VM to send specially crafted file operation requests targeting hardware resources on the VM, which could trigger remote code execution on the host server. Microsoft has not detected active exploitation of this vulnerability in the wild.
CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49132, CVE-2024-49116 and CVE-2024-49128 are remote code execution vulnerabilities in the Windows Remote Desktop Gateway (RD Gateway) service. An attacker could exploit them by connecting to a system with the Remote Desktop Gateway role, triggering a race condition to create a use-after-free, and then leveraging it to execute arbitrary code. Although marked “critical,” Microsoft has determined that exploitation is “less likely” and rates the attack complexity “high.” Microsoft has not detected active exploitation of these vulnerabilities in the wild.
CVE-2024-49122 and CVE-2024-49118 are remote code execution vulnerabilities in Microsoft Message Queuing (MSMQ), the queue manager in Windows. An attacker would need to send a specially crafted MSMQ packet to an MSMQ server and win a race condition on the server side, so the attack complexity is “high.” While rated “critical,” Microsoft has determined that exploitation is “less likely,” and neither has been detected in the wild.
CVE-2024-49138 is an elevation of privilege vulnerability in the Windows Common Log File System driver; although its CVSS score is only 7.8 out of 10, it has been actively exploited in the wild.
Cisco Talos would also like to highlight several vulnerabilities that are only rated as “important,” but Microsoft lists as “more likely” to be exploited:
CVE-2024-49070 – Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2024-49093 – Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
CVE-2024-49114 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64308, 64309, 64310, 64311, 64313, 64314, 63874, 63875, 64312, 64306, 64307. There are also these Snort 3 rules 301085, 301086, 301087, 300987, 64312, 301084
From the perspective of information security, wireless networks are typically perceived as something that can be accessed only locally — to connect to them, an attacker needs to be physically close to the access point. This significantly limits their use in attacks on organizations, and so they are perceived as relatively risk-free. It’s easy to think that some random hacker on the internet could never simply connect to a corporate Wi-Fi network. However, the newly emerged Nearest Neighbor attack tactic demonstrates that this perception is not entirely accurate.
Even a well-protected organization’s wireless network can become a convenient entry point for remote attackers if they first compromise another, more vulnerable company located in the same building or a neighboring one. Let’s delve deeper into how this works and how to protect yourself against such attacks.
A remote attack on an organization’s wireless network
Let’s imagine a group of attackers planning to remotely hack into an organization. They gather information about the given company, investigate its external perimeter, and perhaps even find employee credentials in databases of leaked passwords. But they find no exploitable vulnerabilities. Moreover, they discover that all of the company’s external services are protected by two-factor authentication, so passwords alone aren’t sufficient for access.
One potential penetration method could be the corporate Wi-Fi network, which they could attempt to access using those same employee credentials. This applies especially if the organization has a guest Wi-Fi network that’s insufficiently isolated from the main network — such networks rarely use two-factor authentication. However, there’s a problem: the attackers are on the other side of the globe and can’t physically connect to the office Wi-Fi.
This is where the Nearest Neighbor tactic comes into play. If the attackers conduct additional reconnaissance, they’ll most likely discover numerous other organizations whose offices are within the Wi-Fi signal range of the target company. And it’s possible that some of those neighboring organizations are significantly more vulnerable than the attackers’ initial target.
This may simply be because these organizations believe their activities are less interesting to cyberattack operators — leading to less stringent security measures. For example, they might not use two-factor authentication for their external resources. Or they may fail to update their software promptly — leaving easily exploitable vulnerabilities exposed.
One way or another, it’s easier for the attackers to gain access to one of these neighboring organizations’ networks. Next, they need to find and compromise a device in the neighbor’s infrastructure that is connected to the wired network and also has a wireless adapter. By scanning the Wi-Fi environment from such a device, the attackers can locate the SSID of the target company’s network.
Using the compromised neighboring device as a bridge, the attackers can then connect to the corporate Wi-Fi network of their actual target. In this way, they get inside the perimeter of the target organization. Having achieved this initial objective, the attackers can proceed with their main goals — stealing information, encrypting data, monitoring employee activity, and more.
How to protect yourself against the Nearest Neighbor attack
It’s worth noting that this tactic has already been used by at least one APT group, so this isn’t just a theoretical threat. Organizations that could be targeted by such attacks should start treating the security of their wireless local area networks as seriously as the security of their internet-connected resources.
To protect against the Nearest Neighbor attack, we recommend the following:
Ensure that the guest Wi-Fi network is truly isolated from the main network.
Strengthen the security of corporate Wi-Fi access — for instance, by using two-factor authentication with one-time codes or certificates.
Enable two-factor authentication — not only for external resources but also for internal ones, and, in general, adopt the Zero Trust security model.
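The attack succeeds because a password-only Wi-Fi login from an unknown device looks like any other login. Wireless authentication logs, checked against the asset inventory, make that visible. The following is an added example (not from Kaspersky or the original post) that runs three checks over constructed RADIUS-style authentication events: a corporate-SSID accept from a device that is not in the managed inventory, a corporate-SSID accept using a password-only EAP method rather than certificates, and an account appearing on a second device. The key=value log layout, field names, MAC addresses and inventory are assumptions made up for the example; real WLC or RADIUS exports will need their own field mapping.

```python
import re
from collections import defaultdict

# Constructed wireless RADIUS authentication events in an assumed key=value layout.
WIFI_AUTH_LOG = """\
2024-12-10T08:02:11Z result=Access-Accept user=alice ssid=CORP nas=wlc-floor3 mac=00:11:22:33:44:55 eap=EAP-TLS
2024-12-10T08:05:43Z result=Access-Accept user=bob ssid=CORP nas=wlc-floor3 mac=aa:bb:cc:dd:ee:01 eap=EAP-TLS
2024-12-10T12:30:00Z result=Access-Accept user=carol ssid=GUEST nas=wlc-guest mac=de:ad:be:ef:00:03 eap=PEAP-MSCHAPv2
2024-12-10T23:41:09Z result=Access-Accept user=bob ssid=CORP nas=wlc-floor3 mac=de:ad:be:ef:00:02 eap=PEAP-MSCHAPv2
2024-12-10T23:42:15Z result=Access-Reject user=dave ssid=CORP nas=wlc-floor3 mac=de:ad:be:ef:00:02 eap=PEAP-MSCHAPv2
"""

# Constructed asset inventory: wireless MACs of managed (MDM-enrolled) devices.
MANAGED_MACS = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"}
CORPORATE_SSIDS = {"CORP"}
# EAP methods that prove only a password; a leaked credential is enough to pass them.
PASSWORD_ONLY_EAP = {"PEAP-MSCHAPv2", "EAP-TTLS/PAP", "EAP-MD5"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def detect(log_text: str, managed_macs=MANAGED_MACS, corporate_ssids=CORPORATE_SSIDS) -> list:
    """Return (line_no, rule, user, mac) tuples for events on corporate SSIDs that
    match the Nearest Neighbor pattern: unknown device, password-only auth, new device."""
    alerts = []
    macs_per_user = defaultdict(set)
    for lineno, line in enumerate(log_text.splitlines(), 1):
        ev = parse_line(line)
        if ev.get("ssid") not in corporate_ssids:
            continue                                   # guest SSID is covered by isolation, not here
        user, mac, eap = ev.get("user"), ev.get("mac", "").lower(), ev.get("eap")
        if ev.get("result") == "Access-Accept":
            if mac not in managed_macs:
                alerts.append((lineno, "unmanaged-device", user, mac))
            if eap in PASSWORD_ONLY_EAP:
                alerts.append((lineno, "password-only-eap", user, mac))
            macs_per_user[user].add(mac)
            if len(macs_per_user[user]) > 1:
                alerts.append((lineno, "new-device-for-user", user, mac))
        elif ev.get("result") == "Access-Reject" and mac not in managed_macs:
            alerts.append((lineno, "reject-from-unmanaged-device", user, mac))  # credential guessing
    return alerts


if __name__ == "__main__":
    for lineno, rule, user, mac in detect(WIFI_AUTH_LOG):
        print(f"line {lineno}: {rule:30} user={user} mac={mac}")
```

The second and third rules go away once corporate Wi-Fi requires EAP-TLS with device certificates, which is the recommendation above; the first rule is still worth keeping as a check that the certificate issuance process has not drifted from the inventory.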
Cyble Research and Intelligence Labs (CRIL) has identified a campaign associated with the Head Mare group that targets Russian users.
This campaign involves a ZIP archive containing both a malicious LNK file and an executable. The executable is cleverly disguised as an archive file to deceive users and facilitate its malicious operations.
The LNK file contains commands designed to extract and execute the disguised executable, which has been identified as PhantomCore.
PhantomCore is a backdoor utilized by the hacktivist group Head Mare. It has been active since 2023 and is known for consistently targeting Russia.
In previous attacks, GoLang-compiled PhantomCore binaries were used. However, in this campaign, the threat actor (TA) is using C++-compiled PhantomCore binaries instead.
The TA also integrated the Boost.Beast library into PhantomCore to enable communication with the command-and-control (C&C) server.
PhantomCore collects the victim’s information, including the public IP address, to gain detailed insights into the target before deploying the final-stage payload or executing additional commands on the compromised system.
PhantomCore is known to deploy ransomware payloads such as LockBit and Babuk, inflicting significant damage on the victim’s systems.
Overview
On 2nd September 2024, Kaspersky released a blog about the Head Mare group, which first emerged in 2023. Head Mare is a hacktivist group targeting organizations in Russia and Belarus with the goal of causing maximum damage rather than financial gain. They use up-to-date tactics, such as exploiting the CVE-2023-38831 vulnerability in WinRAR, to gain initial access and deliver malicious payloads. The group maintains a public presence on X, where they disclose information about their victims.
Their targets span various industries, including government, transportation, energy, manufacturing, and entertainment. Unlike most hacktivist groups, Head Mare also demands ransom for data decryption.
Figure 1 – Threat Actor profile
CRIL recently identified a campaign, linked to the Head Mare group, targeting Russian users. While the initial infection vector remains unknown, the group typically reaches users via spam emails. In this campaign, a ZIP archive named “Doc.Zip” was discovered containing a malicious LNK file, an executable disguised as “Doc.zip” that was identified as PhantomCore, and a corrupted PDF.
Upon execution, the LNK file extracts the “Doc.Zip” archive into the “C:\ProgramData” directory and launches the file “Doc.zip” using cmd.exe. Once running, the malware gathers the victim’s information, such as the public IP address, Windows version, username, etc., and sends it to a command-and-control (C&C) server controlled by the TA. It then awaits further commands from the C&C server to execute additional malicious activities. The figure below shows the infection chain.
Figure 2 – Infection chain
Earlier PhantomCore samples were written in Go. In the latest campaign, the threat actor uses C++-compiled PhantomCore binaries that incorporate the Boost.Beast library, which implements HTTP and WebSocket on top of Boost.Asio and handles communication between the infected system and the command-and-control (C&C) server.
Technical Analysis
The ZIP archive “Doc.zip,” downloaded from the file-sharing website hxxps://filetransfer[.]io/data-package/AiveGg6u/download, is suspected to have been delivered to the victim via a spam email. The email likely carried a social engineering theme, designed to appear legitimate, such as an invoice for goods or similar financial documents. This theme was intended to deceive the recipient into interacting with the malicious attachment, ultimately leading to the delivery of the malicious payload.
The ZIP archive contains multiple files: two LNK files, a corrupted lure PDF, and an executable camouflaged with a “.zip” extension. All the file names in the archive are in Russian, as detailed in the table below.
Actual file name | Translated name
Список товаров и услуг.pdf.lnk | List of goods and services.pdf.lnk
Счет-фактура.pdf.lnk | Invoice.pdf.lnk
Контактные данные для оплаты.pdf | Contact details for payment.pdf
Doc.zip | Doc.zip (PhantomCore executable disguised as an archive)
Each LNK file is configured to run a PowerShell command that locates the “Doc.zip” archive and extracts it into the “C:\ProgramData” directory. The extracted “Doc.zip”, which is actually an executable, is then launched with the cmd.exe start command. The figure below shows the contents of the LNK file.
Figure 3 – Contents of Список товаров и услуг.pdf.lnk
Upon execution, the Doc.zip executable sets both the console input and output code pages to OEM Russian (Cyrillic) using the SetConsoleCP and SetConsoleOutputCP Win32 APIs, and sets its locale to “ru_RU.UTF-8” (Russian with UTF-8 encoding). These calls affect only the malware’s own console and process, not the system-wide locale, but a process that explicitly configures itself for Russian output is a useful behavioural clue about the intended targets.
Figure 4 – Sets locale to Russian
After configuring the locale, the malware attempts to connect to the C&C server at 45.10.247[.]152 with the User-Agent string “Boost.Beast/353”. It retries until a connection succeeds, sleeping for 10 seconds between attempts. Note that “Boost.Beast/<version>” is the library’s default User-Agent (BOOST_BEAST_VERSION_STRING), so on its own it identifies a Beast-based client rather than PhantomCore; combined with the endpoint names below and the fixed retry interval it becomes a reasonable hunting indicator.
Figure 5 – Connect request
After a successful connection is established, the malware gathers the victim’s information, including the Buildname, Windows version, public IP address, computer name, username, and domain details. The Buildname, which can vary (e.g., ZIP, URL), may indicate the infection vector. This collected data is then sent to the C&C server via the “init” endpoint, as illustrated in the figure below.
After sending the initial request containing the victim details and UUID, the malware waits for a response from the TA. However, during our analysis, we were unable to capture the response. Nevertheless, code analysis indicates that the typical response from the TA follows a format similar to the one shown below.
Figure 8 – TA’s response
Moreover, the TA can execute commands on the victim’s machine and download additional payloads from the C&C server, which allows them to escalate the compromise, conduct further malicious activities, or expand the attack. The malware uses the following endpoints for its C&C communication and to receive commands:
hxxp://[C&C IP address]/connect
hxxp://[C&C IP address]/init
hxxp://[C&C IP address]/check
hxxp://[C&C IP address]/command
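The endpoint sequence, the fixed 10-second retry and the library-default User-Agent together make a usable network signature. The Go program below is an added example, not code from the original report or from Cyble, that hunts for that pattern in proxy logs. The log format (time, client, method, host, path, user-agent) and the log lines themselves are constructed for the example; the 9 to 12 second jitter window and the two-endpoint threshold are assumptions to be tuned locally.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed proxy log (not real traffic). Fields: time client method host path user-agent.
const sampleLog = `2024-12-09T10:00:00Z 10.1.2.30 GET 45.10.247.152 /connect Boost.Beast/353
2024-12-09T10:00:10Z 10.1.2.30 GET 45.10.247.152 /connect Boost.Beast/353
2024-12-09T10:00:20Z 10.1.2.30 GET 45.10.247.152 /connect Boost.Beast/353
2024-12-09T10:00:30Z 10.1.2.30 POST 45.10.247.152 /init Boost.Beast/353
2024-12-09T10:00:45Z 10.1.2.30 GET 45.10.247.152 /check Boost.Beast/353
2024-12-09T10:01:00Z 10.1.2.30 GET 45.10.247.152 /command Boost.Beast/353
2024-12-09T10:00:05Z 10.1.2.31 GET 203.0.113.10 /api/v1/status Boost.Beast/353
2024-12-09T10:00:07Z 10.1.2.32 GET example.com /index.html Mozilla/5.0 (Windows NT 10.0; Win64; x64)`

type Request struct {
	Time                           time.Time
	Client, Method, Host, Path, UA string
}

// ParseLine splits one log line; the user-agent is everything after the fifth field.
func ParseLine(line string) (Request, error) {
	f := strings.Fields(line)
	if len(f) < 6 {
		return Request{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Request{}, err
	}
	return Request{Time: ts, Client: f[1], Method: f[2], Host: f[3], Path: f[4], UA: strings.Join(f[5:], " ")}, nil
}

// The four paths the report lists for PhantomCore's C&C traffic.
var phantomPaths = map[string]bool{"/connect": true, "/init": true, "/check": true, "/command": true}

type Finding struct {
	Client, Host string
	Paths        []string // distinct PhantomCore paths seen from this client to this host
	RetryGaps    int      // consecutive /connect requests spaced about 10 s apart
}

// Hunt groups Boost.Beast requests by (client, host) and reports pairs that touch at least two
// of the four paths. The User-Agent alone is not enough: it is the library default and any
// Beast-based client sends it.
func Hunt(lines []string) []Finding {
	groups := map[[2]string][]Request{}
	for _, l := range lines {
		r, err := ParseLine(l)
		if err != nil || !strings.HasPrefix(r.UA, "Boost.Beast/") {
			continue
		}
		k := [2]string{r.Client, r.Host}
		groups[k] = append(groups[k], r)
	}
	var out []Finding
	for k, reqs := range groups {
		sort.Slice(reqs, func(i, j int) bool { return reqs[i].Time.Before(reqs[j].Time) })
		seen := map[string]bool{}
		var last time.Time
		gaps := 0
		for _, r := range reqs {
			if phantomPaths[r.Path] {
				seen[r.Path] = true
			}
			if r.Path == "/connect" {
				// the sample retries every 10 s until the server answers; allow some jitter (assumed window)
				if d := r.Time.Sub(last); !last.IsZero() && d >= 9*time.Second && d <= 12*time.Second {
					gaps++
				}
				last = r.Time
			}
		}
		if len(seen) < 2 {
			continue
		}
		paths := make([]string, 0, len(seen))
		for p := range seen {
			paths = append(paths, p)
		}
		sort.Strings(paths)
		out = append(out, Finding{Client: k[0], Host: k[1], Paths: paths, RetryGaps: gaps})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Client+out[i].Host < out[j].Client+out[j].Host })
	return out
}

func main() {
	for _, f := range Hunt(strings.Split(sampleLog, "\n")) {
		fmt.Printf("%s -> %s  paths=%v  ~10s connect retries=%d\n", f.Client, f.Host, f.Paths, f.RetryGaps)
	}
}
```

On the constructed log the only finding is 10.1.2.30 talking to 45.10.247.152 with all four paths and two 10-second connect retries; the host that sends the same User-Agent to an unrelated API is ignored, which is the point of requiring the path set rather than the string alone.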
The TA uses the following methods to execute commands and deploy additional payloads.
Command Execution through Pipes
The execution process involves creating a pipe and redirecting the WritePipe handle to the standard output (stdout) and standard error (stderr). A new process is then launched using the command “cmd.exe /c” to execute the specified command. After the command is executed, the output is retrieved by reading from the pipe using the “ReadFile” API and the ReadPipe handle. Additionally, a log is generated to monitor and track the success or failure of the pipe creation and command execution.
The following code demonstrates the TA’s ability to execute commands through a pipe, read the command output, and parse the commands for execution via the pipe.
Figure 9 – PIPE creation
Creating new process
The malware can also create a new process from input supplied by the calling function. On success it closes the process and thread handles, writes a success message to the log, and sets a flag for the caller; on failure it logs an error and sets a different flag to indicate the failure.
Figure 10 – New Process Creation
The Head Mare group has been known to deploy ransomware in previous attacks, targeting a variety of systems and environments. This includes the use of widely recognized ransomware strains such as LockBit for Windows machines and Babuk for ESXi (VMware) environments. These ransomware strains are notorious for their ability to encrypt valuable data and demand ransom payments from victims in exchange for decryption keys.
Yara and Sigma rules to detect this campaign are available for download from the linked Github repository.
Conclusion
The Head Mare group’s campaign continues to target Russian organizations using the PhantomCore backdoor and evolving tactics, including using C++-compiled binaries and social engineering techniques. The group’s ability to collect victim data and deploy additional payloads, including ransomware, highlights the ongoing threat it poses. Organizations must stay vigilant and strengthen their security measures to defend against such attacks.
Recommendations
Avoid opening unexpected or suspicious email attachments, particularly ZIP or LNK files. Train employees to identify phishing attempts and verify file origins before interacting with downloads. Implement email security solutions that detect and block malicious attachments.
Ensure all software, including WinRAR and operating systems, is updated with the latest security patches. Vulnerabilities like CVE-2023-38831 can be exploited in outdated software, making patch management critical for prevention.
Deploy endpoint detection and response (EDR) tools to monitor suspicious activities such as unauthorized PowerShell execution. Use intrusion detection/prevention systems (IDS/IPS) to block connections to known malicious C&C servers like the one observed in this attack.
Limit user permissions to execute potentially dangerous commands or files. Use application whitelisting to allow only trusted programs to run and disable unnecessary scripting tools like PowerShell on non-administrative systems.
Continuously monitor endpoints and network traffic for anomalies, such as processes that change their console code page or locale, repeated connection attempts at fixed intervals to unknown IP addresses, or the Boost.Beast User-Agent from hosts that have no business running Boost-based software. Create an incident response plan to quickly isolate and remediate affected systems in case of compromise.
Head Mare Group Intensifies Attacks on Russia with PhantomCore Backdoor (published 2024-12-10 14:06:55)
In response to the growing threat of cyber and financial crimes targeting individuals and organizations, INTERPOL has launched a new campaign called “Think Twice.” The campaign aims to raise awareness about the dangers of increasingly complex online threats, urging people to pause and think before making decisions online. The campaign highlights five key cyber threats: ransomware attacks, malware attacks, phishing, generative AI scams, and romance baiting.
With these crimes becoming more advanced and widespread, the campaign serves as a timely reminder of the importance of vigilance and careful decision-making in the digital world.
The Rising Threat of Cybercrime
Cybercrime is on the rise, with criminals using more advanced techniques to exploit vulnerable individuals and organizations. According to INTERPOL’s findings, ransomware attacks have increased by 70 percent, and malware attacks have risen by over 30 percent in just the past year.
Fostering a culture of cyber-awareness in the workforce is the first and last line of defense against cybercrime, as employees form the backbone of any cybersecurity strategy.
Phishing attacks have also evolved, becoming increasingly difficult to detect. Cybercriminals are now using sophisticated methods, including generative AI, to manipulate voices, images, and text, creating ultra-realistic human avatars to deceive victims. These scams are gaining traction, with scammers targeting victims worldwide using tactics that were once unimaginable. Another rising threat is romance baiting, where criminals use fake online profiles to form relationships with victims, only to later ask for money.
The “Think Twice” campaign, which will run from December 3 to December 19, 2024, emphasizes the importance of making informed choices online. By raising awareness of these growing threats, INTERPOL hopes to empower individuals and organizations to take proactive steps in safeguarding themselves against cybercrime.
Key Threats Highlighted by the “Think Twice” Campaign
The campaign focuses on five major threats that have been identified as rapidly growing concerns in the online space:
Ransomware Attacks: Ransomware continues to be one of the most disruptive forms of cybercrime. It involves criminals encrypting a victim’s data and demanding a ransom to unlock it. The rise of ransomware attacks has been staggering, with a 70 percent increase in the past year alone.
Malware Attacks: Malware attacks involve malicious software designed to infiltrate and damage computers or networks. They have increased by over 30 percent in the past year, often spreading through emails, links, or infected files.
Phishing: Phishing scams involve tricking individuals into revealing sensitive information, such as passwords or financial data, through deceptive emails or messages. Phishing has become more sophisticated, with cybercriminals using AI-generated content to make their scams harder to detect.
Generative AI Scams: Generative AI scams involve using AI technology to create fake human avatars, voices, and images to deceive victims. These scams are gaining traction, with cybercriminals using realistic content to manipulate and steal money from victims.
Romance Baiting Scams: Romance baiting is a growing form of fraud where criminals create fake online profiles to form emotional connections with victims. After gaining their trust, they ask for money, often claiming to be in a financial emergency or need.
The “Think Twice” Campaign: Empowering Individuals and Organizations
The primary objective of the “Think Twice” campaign is to encourage individuals to pause and think before acting on digital content. INTERPOL urges people to verify the authenticity of messages, links, and requests before taking any action. This two-week awareness campaign will primarily run through social media channels, reaching individuals globally and educating them about the risks associated with cybercrime.
INTERPOL emphasizes the importance of adopting a mindset of caution and awareness when interacting with digital content. The campaign encourages individuals to:
Pause and evaluate: Take a moment to verify the authenticity of any unsolicited emails, links, or messages.
Check for credibility: Ensure the sources of information are legitimate, especially if you’re asked for personal or financial information.
Verify identities: Even if a request seems to come from a familiar contact, always verify their identity through multiple channels.
Stay informed: Learn about the latest cybercrime tactics and how to recognize them.
Be cautious with online relationships: Especially when money is involved, approach online relationships with skepticism.
Taking Action Against Cybercrime: What Can You Do?
INTERPOL’s campaign is not just about raising awareness; it also provides a practical checklist for reducing the risks of cybercrime. Here are some simple steps that individuals and organizations can take to protect themselves:
Be cautious of unsolicited requests: Always be wary of emails or messages from unfamiliar sources. Avoid clicking on suspicious links or attachments.
Implement a cybersecurity culture: Businesses should foster a culture of cybersecurity awareness among employees, providing training and guidelines on handling potential threats.
Verify identities: If you receive a request for money or sensitive information from a known person, verify their identity before acting.
Use in-person verification: For high-risk situations, like online transactions or relationships, consider verifying details through face-to-face meetings or phone calls.
Stay informed: Cybercrime tactics are constantly evolving, so it’s crucial to stay updated on the latest scams and threats.
Conclusion
As cyber and financial crimes continue to grow in scale, INTERPOL’s “Think Twice” campaign serves as an essential reminder for individuals and organizations to remain vigilant. By pausing to consider their digital actions and verifying the authenticity of online content, people can reduce their exposure to threats like phishing, malware, and romance baiting.
As INTERPOL’s Secretary General Valdecy Urquiza said, cybersecurity is a shared responsibility. Through proactive measures and informed decisions, we can help build a safer digital world for everyone.
The TP-Link Archer C50 V4, a popular dual-band wireless router designed for small office and home office (SOHO) networks, has been found to contain multiple security vulnerabilities that could expose users to a range of cyber threats.
These TP-Link Archer router vulnerabilities, tracked as CVE-2024-54126 and CVE-2024-54127, affect all firmware versions prior to Archer C50(EU)_V4_240917. The Indian Computer Emergency Response Team (CERT-In) published an advisory flagging them.
The vulnerabilities identified in the TP-Link Archer C50 V4 wireless router could allow attackers to exploit critical security holes in the device, leading to unauthorized access and potentially damaging consequences. Two specific issues have been highlighted: a flaw in the firmware upgrade process and the exposure of sensitive Wi-Fi credentials.
Details of the TP-Link Archer Router Vulnerabilities
The TP-Link Archer router vulnerabilities have been classified as medium risk. While the immediate impact may not be critical, the potential for exploitation remains a threat to network security. CVE-2024-54126 and CVE-2024-54127 were reported by Khalid Markar, Amey Chavekar, Sushant Mane, and Dr. Faruk Kazi from CoE-CNDS Lab, VJTI, Mumbai.
Vulnerability Details in TP-Link Archer Router
Insufficient Integrity Verification During Firmware Upgrade (CVE-2024-54126)
One of the key vulnerabilities in the TP-Link Archer C50 router arises from an improper signature verification mechanism in the firmware upgrade process exposed through the router’s web interface. An attacker who holds administrative credentials for that interface and can reach it over the network (for example, from within Wi-Fi range) could upload firmware of their own making and have the router install it, compromising the device completely.
The absence of adequate integrity checks during firmware updates could enable an attacker to introduce backdoors or malicious code into the router. This would allow the attacker to control the device, manipulate network traffic, or even hijack the entire system, posing a serious security risk for users relying on this router for their home or business networks.
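In practice, “insufficient integrity verification” usually means the upgrade handler checks format fields and a checksum, which catch corruption but not substitution. The Go program below is an added example, not TP-Link’s code and not the Archer C50’s real image format: it defines a hypothetical header/payload/CRC/signature layout, generates Ed25519 keys at run time (the vendor key and a separate attacker key), and contrasts a verifier that stops at the header and CRC with one that also checks the vendor signature before anything would be written to flash. The hardware-version string and payload bytes are placeholders.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Hypothetical image layout (an assumption for this example, not the Archer C50 format):
//   magic[4] | hwver[16, NUL padded] | payloadLen[4 BE] | payload | crc32[4] | ed25519 sig[64]
// Both the CRC and the signature cover header+payload.
const (
	magic      = "FWIM"
	headerSize = 24
)

func encodeHeader(hw string, n int) []byte {
	h := make([]byte, headerSize)
	copy(h[0:4], magic)
	copy(h[4:20], hw)
	binary.BigEndian.PutUint32(h[20:24], uint32(n))
	return h
}

// seal appends the CRC and a signature over body.
func seal(body []byte, priv ed25519.PrivateKey) []byte {
	crc := make([]byte, 4)
	binary.BigEndian.PutUint32(crc, crc32.ChecksumIEEE(body))
	out := append([]byte(nil), body...)
	out = append(out, crc...)
	return append(out, ed25519.Sign(priv, body)...)
}

// Build produces a signed image; this runs on the vendor's build system, never on the device.
func Build(hw string, payload []byte, vendorPriv ed25519.PrivateKey) []byte {
	return seal(append(encodeHeader(hw, len(payload)), payload...), vendorPriv)
}

// parse checks everything an upgrade handler can check without a key: magic, hardware version,
// declared length and CRC. None of these prove who produced the image.
func parse(img []byte, hw string) (body, sig []byte, err error) {
	if len(img) < headerSize+4+ed25519.SignatureSize {
		return nil, nil, errors.New("image too short")
	}
	n := int(binary.BigEndian.Uint32(img[20:24]))
	if n != len(img)-headerSize-4-ed25519.SignatureSize {
		return nil, nil, errors.New("declared payload length does not match image size")
	}
	body = img[:headerSize+n]
	crc := binary.BigEndian.Uint32(img[headerSize+n : headerSize+n+4])
	sig = img[headerSize+n+4:]
	if string(body[:4]) != magic {
		return nil, nil, errors.New("bad magic")
	}
	if got := string(bytes.TrimRight(body[4:20], "\x00")); got != hw {
		return nil, nil, fmt.Errorf("image is for hardware %q, device is %q", got, hw)
	}
	if crc32.ChecksumIEEE(body) != crc {
		return nil, nil, errors.New("CRC mismatch")
	}
	return body, sig, nil
}

// WeakVerify is the insufficient check: format and CRC only. Anyone who edits the payload and
// recomputes the CRC passes it.
func WeakVerify(img []byte, hw string) error {
	_, _, err := parse(img, hw)
	return err
}

// StrongVerify also checks the Ed25519 signature against the vendor public key pinned in the
// bootloader. Nothing may be written to flash unless this returns nil.
func StrongVerify(img []byte, hw string, vendorPub ed25519.PublicKey) error {
	body, sig, err := parse(img, hw)
	if err != nil {
		return err
	}
	if !ed25519.Verify(vendorPub, body, sig) {
		return errors.New("signature invalid: refusing to flash")
	}
	return nil
}

// Tamper models an attacker with admin access to the web UI: patch the payload, recompute the
// CRC and sign with a key that is not the vendor's.
func Tamper(img []byte, attackerPriv ed25519.PrivateKey) []byte {
	n := int(binary.BigEndian.Uint32(img[20:24]))
	body := append([]byte(nil), img[:headerSize+n]...)
	copy(body[headerSize:], "BACKDOOR")
	return seal(body, attackerPriv)
}

type DemoResult struct {
	GenuineWeak, GenuineStrong, TamperedWeak, TamperedStrong error
}

// Demo builds a genuine image, tampers with it and runs both verifiers on each.
func Demo() (DemoResult, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	const hw = "C50v4"                                    // placeholder hardware-version string
	payload := bytes.Repeat([]byte("kernel+rootfs "), 8) // constructed stand-in for the real payload
	genuine := Build(hw, payload, vendorPriv)
	tampered := Tamper(genuine, attackerPriv)
	return DemoResult{
		GenuineWeak:    WeakVerify(genuine, hw),
		GenuineStrong:  StrongVerify(genuine, hw, vendorPub),
		TamperedWeak:   WeakVerify(tampered, hw),
		TamperedStrong: StrongVerify(tampered, hw, vendorPub),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine : weak =", r.GenuineWeak, "| strong =", r.GenuineStrong)
	fmt.Println("tampered: weak =", r.TamperedWeak, "| strong =", r.TamperedStrong)
}
```

Two design points carry over to real devices. The pinned public key has to live somewhere the upgrade path cannot rewrite (boot ROM or a write-protected bootloader region), otherwise an attacker ships a new key alongside the new image; and the signature must be checked over exactly the bytes that will be written, before the write begins, so that a partially flashed or later-swapped image never gets a chance to run.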
Exposure of Wi-Fi Credentials in Plaintext (CVE-2024-54127)
The second vulnerability is related to the lack of proper access control on the serial interface of the TP-Link Archer C50 router. An attacker with physical access to the device could exploit this weakness by accessing the Universal Asynchronous Receiver-Transmitter (UART) shell. Once inside, the attacker could easily extract Wi-Fi credentials, including the network name (SSID) and password, which would give them unauthorized access to the targeted network.
This vulnerability is particularly serious because obtaining Wi-Fi credentials allows attackers to join the network, potentially exposing sensitive data, intercepting communications, or launching further attacks on connected devices. Because it requires no remote access, it matters most wherever physical access to the device is possible, and an unauthenticated shell over UART typically exposes far more than the Wi-Fi password, including the device’s filesystem and configuration.
Impact of the TP-Link Archer Vulnerability
The presence of these vulnerabilities in the TP-Link Archer C50 V4 router could lead to significant security risks, including:
Compromise of the router: Malicious firmware uploads could enable attackers to control the device, potentially disrupting network operations or using it as a platform for launching further attacks.
Exposure of sensitive information: The vulnerability related to the exposure of Wi-Fi credentials allows attackers to access the network and all connected devices. This could lead to data breaches, unauthorized surveillance, and even identity theft.
Potential system compromise: Once the attacker gains access to the router or the Wi-Fi network, they may leverage this foothold to exploit other vulnerabilities in the network infrastructure, leading to a larger-scale attack.
Given that many home and small office networks rely on TP-Link Archer routers for wireless connectivity, these vulnerabilities have the potential to affect a large number of users. The impact could be particularly severe for businesses or individuals who store sensitive information or rely on secure communications.
Mitigating the Vulnerability in TP-Link Archer Router
To mitigate the risks associated with these vulnerabilities, TP-Link has released a firmware update designed to address the issues. The solution is available for download through the official TP-Link website and should be applied as soon as possible to protect the router from potential attacks. Some of the recommended actions include:
Update Firmware: Users of the TP-Link Archer C50 V4 router are advised to upgrade to the latest firmware version, Archer C50(EU)_V4_240917. This update fixes the vulnerabilities by enhancing the integrity checks during the firmware upgrade process and securing access to the serial interface to prevent unauthorized access to Wi-Fi credentials.
Firmware Upgrade Instructions: To ensure a smooth upgrade, users should follow the specific instructions provided by TP-Link, which include verifying the hardware version of the router, downloading the correct firmware, and ensuring the router is not powered off during the upgrade process. It is also recommended to use a wired connection during the upgrade to avoid any issues with wireless disconnections.
Conclusion
The discovery of vulnerabilities in the TP-Link Archer router highlights the critical need for users to stay updated with the latest firmware releases and security patches. The vulnerabilities in the TP-Link Archer C50 V4, including the insufficient integrity verification during firmware upgrades and the exposure of Wi-Fi credentials, present ongoing security risks that could lead to unauthorized access and system compromise.
By upgrading to the latest firmware version, users can mitigate the risks associated with these vulnerabilities and protect their networks from potential exploitation. TP-Link Archer router users should take immediate action to secure their devices and ensure their networks remain safe from attackers seeking to exploit these flaws.
Security Risks in TP-Link Archer Router Could Lead to Unauthorized Access (published 2024-12-10 13:06:46)
The manufacturing industry has long been a target of cybercriminals. While data encryption has been a prevalent tactic in recent years, threat actors are now increasingly focusing on stealing sensitive information and gaining control over critical infrastructure.
One of the latest campaigns on record involves the use of Lumma and Amadey malware.
Campaign Uses Fake LogicalDOC URLs
This campaign heavily leverages living-off-the-land binaries and scripts (LOLBAS), that is, legitimate Windows components abused to deliver and run malware as part of its operations.
Threat actors distribute phishing emails with URLs leading targets to download LNK files disguised as PDFs. These files are accessed via a domain name masquerading as one belonging to LogicalDOC, a service for managing documentation widely utilized in the manufacturing industry.
Attack Involves Scripts to Aid Infection
The malicious LNK file, once activated, initiates PowerShell via an ssh.exe command. Following a chain of scripts, a CPL file is downloaded from berb[.]fitnessclub-filmfanatics[.]com as a ZIP archive.
The malware utilizes both PowerShell and Windows Management Instrumentation (WMI) commands to collect detailed information about the victim’s system. This includes:
Data such as language settings
Antivirus software
Operating system versions
Hardware specifications
This reconnaissance allows attackers to tailor subsequent attacks and enhances their credibility when sending follow-up malicious emails within the targeted organization.
DLL Sideloading Ensures Evasion
Attackers run malicious code in memory without leaving traces and abuse standard Windows tools to blend in with regular system activities. The downloaded ZIP file contains several malicious files used to carry out DLL sideloading.
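Both this chain and the PhantomCore chain described earlier on this page leave the same kind of evidence in process-creation telemetry: PhantomCore’s LNK runs PowerShell to extract Doc.zip into C:\ProgramData, cmd.exe then starts an executable named Doc.zip, and that executable spawns cmd.exe /c for every operator command; the Lumma/Amadey chain starts PowerShell from ssh.exe. The Go program below is an added example, not code from either report, from Cyble or from ANY.RUN, that applies parent/child rules to Sysmon-style events. The events, paths and command lines are constructed (the Expand-Archive invocation is an assumed form of the extraction step), and the rules are heuristics rather than the published Sigma rules.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// ProcEvent is a minimal stand-in for a Sysmon Event ID 1 (or Windows 4688) record.
type ProcEvent struct {
	ParentImage string
	Image       string
	CommandLine string
}

const psExe = `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`

// Constructed events modelled on the two chains in the text; not telemetry from a real host.
var sampleEvents = []ProcEvent{
	{`C:\Windows\explorer.exe`, psExe, `powershell -w hidden Expand-Archive -Path "C:\Users\u\Downloads\Doc.zip" -DestinationPath C:\ProgramData -Force`},
	{psExe, `C:\Windows\System32\cmd.exe`, `cmd.exe /c start C:\ProgramData\Doc.zip`},
	{`C:\Windows\System32\cmd.exe`, `C:\ProgramData\Doc.zip`, `C:\ProgramData\Doc.zip`},
	{`C:\ProgramData\Doc.zip`, `C:\Windows\System32\cmd.exe`, `cmd.exe /c whoami`},
	{`C:\Windows\explorer.exe`, `C:\Windows\System32\OpenSSH\ssh.exe`, `ssh.exe`},
	{`C:\Windows\System32\OpenSSH\ssh.exe`, psExe, `powershell -ep bypass -w hidden`},
	{`C:\Windows\explorer.exe`, `C:\Windows\System32\cmd.exe`, `cmd.exe /c dir`}, // benign control
}

// base returns the lower-cased file name of a Windows path, independent of the host OS.
func base(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, "/")))
}

type Rule struct {
	Name  string
	Match func(e ProcEvent) bool
}

// One heuristic per link of the chains described above.
var rules = []Rule{
	{"PowerShell extracting a ZIP into ProgramData", func(e ProcEvent) bool {
		cl := strings.ToLower(e.CommandLine)
		return base(e.Image) == "powershell.exe" && strings.Contains(cl, ".zip") && strings.Contains(cl, `\programdata`)
	}},
	{"cmd.exe 'start' of a .zip path (archive-named executable launched)", func(e ProcEvent) bool {
		cl := strings.ToLower(e.CommandLine)
		return base(e.Image) == "cmd.exe" && strings.Contains(cl, " start ") && strings.Contains(cl, ".zip")
	}},
	{"process image with a .zip extension (executable masquerading as an archive)", func(e ProcEvent) bool {
		return strings.HasSuffix(base(e.Image), ".zip")
	}},
	{"cmd.exe /c child of a .zip-named parent (operator command via pipe)", func(e ProcEvent) bool {
		return base(e.Image) == "cmd.exe" && strings.HasSuffix(base(e.ParentImage), ".zip") &&
			strings.Contains(strings.ToLower(e.CommandLine), "/c ")
	}},
	{"PowerShell spawned by ssh.exe (LOLBAS proxy execution)", func(e ProcEvent) bool {
		return base(e.ParentImage) == "ssh.exe" && base(e.Image) == "powershell.exe"
	}},
}

type Alert struct {
	Index int    // position of the event in the input
	Rule  string // rule that fired
}

// Detect runs every rule over every event and returns the matches in input order.
func Detect(events []ProcEvent) []Alert {
	var out []Alert
	for i, e := range events {
		for _, r := range rules {
			if r.Match(e) {
				out = append(out, Alert{Index: i, Rule: r.Name})
			}
		}
	}
	return out
}

func main() {
	for _, a := range Detect(sampleEvents) {
		e := sampleEvents[a.Index]
		fmt.Printf("event %d: %s\n   %s -> %s\n", a.Index, a.Rule, base(e.ParentImage), e.CommandLine)
	}
}
```

Each rule is deliberately narrow so that a benign cmd.exe /c from Explorer (the last constructed event) produces nothing; in a real deployment the .zip-image rule generalises to any non-executable extension (.pdf, .jpg) carrying a PE image, which is the masquerading the page describes.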
Key Objective
The primary purpose of this attack is to:
Steal important information with Lumma Stealer
Maintain control over the infected systems with Amadey Bot
As a result, attackers gain the ability to continuously monitor and manipulate their targets, which poses a significant threat to manufacturing businesses.
Why Businesses Need to Pay Attention
For manufacturing companies, the consequences of such attacks can be severe and include:
Theft of intellectual property
Disruption of operations
Financial losses and compliance violations
Understanding and preparing for these threats is crucial for protecting valuable assets, maintaining operational integrity, and ensuring the safety of employees and customers.
Analysis of the Attack with ANY.RUN Sandbox
To proactively identify malicious files belonging to this and other malware attacks, analyze them in the safe environment of ANY.RUN’s Interactive Sandbox that offers:
Real-time Insights: In-depth view of malicious activities as they occur.
Interactivity: Test threat responses in a live system.
Comprehensive Reporting: Detailed reports on IOCs, malware families, and more.
Analysis of a malicious LNK file inside ANY.RUN’s Sandbox
By uploading a malicious LNK file to the sandbox and executing it, we can observe how the entire chain of infection plays out.
Collect Threat Intelligence on Lumma and Amadey Attacks
With TI Lookup, ANY.RUN’s searchable database of the latest threat intelligence, you can find more info on malware and phishing campaigns. TI Lookup provides:
Fresh Data: Latest samples from a global network of security professionals.
Actionable Indicators: IOCs from traffic, memory dumps, and manual collection.
Contextual Information: Links to full sandbox analysis sessions with detailed data.
Use the following query, consisting of the name of the threat and the path to one of the malicious files used in the attack, for your search:
TI Lookup lets you collect threat data and view relevant sandbox sessions
The service provides a list of files matching the query along with sandbox sessions featuring analysis of samples belonging to the same campaign that you can explore in detail.
Collect information on the latest cyber attacks with TI Lookup
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
Manufacturing Companies Targeted with New Lumma and Amadey Campaign (2024-12-10 12:06:38)