Cybersecurity Wiretap #20: From KeyLoggers to Web3 Heists with Focus on MacroPack & VSCode Abuse (week of 09/02/2024)

Welcome to the weekly digest about the Cybersecurity & Threats in the wild. Below you will find a very subjective summary of Cybersecurity events for the prior week.

1.CYFIRMA RESEARCH : POWERSHELL KEYLOGGER by @CyfirmaR

  • uses Command & Scripting Interpreter technique to execute commands via PowerShell without direct user interaction
  • utilizes a cloud server as a proxy hosted in Finland and Onion server on Tor network for data exfiltration & command-and-control (C2) communication
  • includes function to capture and save screenshots, indicating its capability to monitor visual data on the system
  • uses Base64 encoding to securely transmit commands, which are decoded and executed in memory, making detection more challenging
  • keylogger is implemented using embedded C# code to interface with the Windows API, continuously recording and logging keystrokes for potential exfiltration

https://www.cyfirma.com/research/cyfirma-research-powershell-keylogger/

2.AILUROPHILE STEALER by @CyfirmaR

  • places Portable Executable (PE) files in the startup folder to ensure they run automatically with each system boot
  • seeks to collect and exfiltrate browser data (browsing history & passwords)
  • attempts to load any missing Dynamic Link Libraries (DLLs) that may be essential for its operation or to enhance its functionality

https://www.cyfirma.com/research/ailurophile-stealer/

3.Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion by @TrendMicro

  • new multiplatform backdoor written in Golang, has both Microsoft Windows and Linux versions
  • highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out variety of tasks including file manipulation, command execution, and remote port scanning
  • scale of attack campaign: 50+ C&C servers found hosted at a China-based company

https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html

4.Banking Trojans: Mekotio Looks to Expand Targets, BBTok Abuses Utility Command by @TrendMicro

  • rise in phishing scams that drop banking Trojans such as notorious Mekotio, BBTok, and Grandoreiro in the Latin America
  • Cybercriminals behind these known banking Trojans are using judicial-related phishing emails apart from the tried and tested business lures to target victims

https://www.trendmicro.com/en_us/research/24/i/banking-trojans-mekotio-looks-to-expand-targets–bbtok-abuses-ut.html

5.DeFied Expectations — Examining Web3 Heists by @Mandiant

  • rapid growth of Web3 has presented new opportunities for threat actors, especially in decentralized finance (DeFi), where the heists are larger and more numerous than anything seen in the traditional finance sector
  • While social engineering, crypto drainers, rug pulls (scams), and frauds abound, the most impactful Web3 incidents typically involve theft of crypto wallet keys from organizations (e.g., crypto exchanges), smart contract exploits, and occasionally web frontend attacks that divert user funds.

https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists

6.Chinese APT Abuses VSCode to Target Government in Asia by #PaloAlto‘s #Unit42

  • used Visual Studio Code’s embedded reverse shell feature to gain a foothold in target networks
  • to abuse Visual Studio Code for malicious purposes, an attacker can use the portable version of code.exe (the executable file for Visual Studio Code), or an already installed version of the software.
  • by running the command code.exe tunnel, an attacker receives a link that requires them to log into GitHub with their own account.

https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/

7.BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar by @Threatlabz

  • attacks have originated with phishing emails impersonating the Colombian tax authority.
  • blindEagle has leveraged a version of BlotchyQuasar for attacks, which is heavily protected by several nested obfuscation layers.

https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-insurance-sector-blotchyquasar

8.LummaC2 Malware and Malicious Chrome Extension Delivered via DLL Side-Loading by @esthreat

  • case of LummaC2 stealer malware and the malicious Google Chrome browser infections involving a drive-by download that delivered a malicious ZIP archive named “x64~x32~installer___.zip” containing an MSI app packaging file

https://www.esentire.com/blog/lummac2-malware-and-malicious-chrome-extension-delivered-via-dll-side-loading

9.Emansrepo Stealer: Multi-Vector Attack Chains by #FORTIGUARD LABS

  • python infostealer distributed via emails that include fake purchase orders and invoices
  • compresses data from the victim’s browsers and files in specific paths into a zip file and sends it to the attacker’s email
  • attacker sent phishing mail containing an HTML file, which was redirected to the download link for Emansrepo, packaged by PyInstaller so it can run on a computer without Python.

https://www.fortinet.com/blog/threat-research/emansrepo-stealer-multi-vector-attack-chains

10.Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 by #FORTIGUARD LABS

  • Multiple OGC request parameters allow remote code execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions
  • shortcoming has been addressed in versions 2.23.6, 2.24.4, and 2.25.2.

https://www.fortinet.com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401

11.Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads by @TalosSecurity

  • MacroPack – framework designated for Red Team exercises & also used by threat actors to deploy malicious payloads
  • the most recent documents uploaded to VirusTotal from different sources and countries, including China, Pakistan, Russia and the U.S. are uncovering connections between payloads and motivations for creating these docs
  • files deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and new variant of the PhantomCore RAT

https://blog.talosintelligence.com/threat-actors-using-macropack/

12.Vulnerability in Tencent WeChat custom browser could lead to remote code execution by @TalosSecurity

  • WeChat versions up to 8.0.42 (the latest version on Google Play store for Android devices before June 14, 2024) contain type confusion vulnerability CVE-2023-3420 that could allow an adversary to execute remote code
  • issue was disclosed & patched in the V8 engine in Jun 2023, WeChat Webview component was not updated, and still remained vulnerable

https://blog.talosintelligence.com/vulnerability-in-tencent-wechat-custom-browser-could-lead-to-remote-code-execution/

Thanks a lot for reading.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.