Top Three Most Active Malware in January 2024


In January, the cybersecurity landscape has been particularly troubled by the sophistication of malware such as the Phemedrone Stealer, Androxgh0st, and the NSPX30 backdoor, all of which have demonstrated advanced techniques for evasion, data harvesting, and exploiting network vulnerabilities. These threats underline the critical need for up-to-date defenses against sophisticated malware campaigns that can bypass standard security protocols and compromise sensitive information.


CVE-2023-36025: Phemedrone Malware Campaign Targets Microsoft Defender SmartScreen Vulnerability
The Phemedrone Stealer campaign has been leveraging CVE-2023-36025, a vulnerability that allows bypassing Windows Defender SmartScreen, to conduct defense evasion and payload delivery since its discovery. This vulnerability enables attackers to execute malicious scripts without triggering SmartScreen's warning mechanisms, a critical security feature in Windows environments designed to block unrecognized applications and files that may be harmful.
The exploitation process of CVE-2023-36025 by the Phemedrone Stealer is outlined as follows:
  • Attackers craft malicious .url files that exploit CVE-2023-36025 to bypass SmartScreen protections.
  • These .url files, hosted on cloud services, are designed to entice users into downloading and executing them.
  • Upon execution, the .url file downloads a .cpl file from an attacker-controlled server, avoiding detection by SmartScreen.
  • The .cpl file executes a DLL, which then uses PowerShell to download and execute the next stage of the malware from GitHub.
  • Phemedrone Stealer harvests sensitive information from the compromised system, including data from web browsers, cryptocurrency wallets, and various messaging applications.
  • The stolen data is prepared for exfiltration and sent to the attackers through Telegram, utilizing validated API tokens for secure communication.
The discovery of CVE-2023-36025's exploitation highlights the sophistication of the Phemedrone Stealer campaign and its ability to bypass advanced security measures like Windows Defender SmartScreen. Microsoft issued a patch for CVE-2023-36025 in November 2023, and the vulnerability was subsequently added to the Known Exploited Vulnerabilities (KEV) list by CISA, emphasizing the importance of timely updates and patches in defending against such threats. Users and organizations are advised to ensure their systems are updated to mitigate the risk posed by CVE-2023-36025 and similar vulnerabilities.

Androxgh0st Malware Is Targeting Cloud Services

The Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations to the threat posed by Androxgh0st malware on January 16, 2024. This malware specifically targets .env files, which are often used to store sensitive configuration data for cloud services such as AWS, Office 365, SendGrid, and Twilio. Androxgh0st exploits critical vulnerabilities to further compromise web applications and establish botnets.
Key exploits utilized by Androxgh0st include the PHPUnit CVE-2017-9841, allowing arbitrary command execution through malicious HTTP POST requests, the Laravel CVE-2018-15133, which enables remote code execution by abusing XSRF token values, and the Apache CVE-2021-41773, a path traversal vulnerability used to access credentials and execute code remotely.
The malware is known for extracting sensitive information from Laravel .env files, deploying webshells, and exploiting exposed credentials and APIs. To protect against these threats, organizations are urged to patch the identified vulnerabilities in PHPUnit, Laravel, and Apache. Additionally, it is recommended to secure .env files, ensure Laravel applications are not in debug mode, remove sensitive information from .env files, and revoke any exposed credentials.
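The hardening advice above (no debug mode, no live credentials in .env) can be checked mechanically. The following audit script is an added example, not code from the original post or from CISA; the key-name patterns and the sample .env content are assumptions constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Key fragments that usually carry credentials for the services the advisory
# names (AWS, Office 365 mail, SendGrid, Twilio). Assumed list, not official.
SENSITIVE_KEY = re.compile(
    r"AWS_(ACCESS|SECRET)|SENDGRID|TWILIO|MAIL_(PASSWORD|USERNAME)|OFFICE365"
    r"|_SECRET|_TOKEN|PASSWORD", re.IGNORECASE)

def parse_env(text: str) -> List[Tuple[str, str]]:
    """Parse KEY=VALUE lines; skips blanks, comments and 'export ' prefixes."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, value = line.split("=", 1)
        pairs.append((key.strip(), value.strip().strip('"').strip("'")))
    return pairs

def audit_env(text: str) -> List[str]:
    """Return one finding per weakness, debug mode first."""
    env = dict(parse_env(text))
    findings = []
    # Laravel debug pages dump the whole environment, credentials included.
    if env.get("APP_DEBUG", "false").lower() in ("true", "1"):
        findings.append("APP_DEBUG is enabled; set it to false in production")
    # Live credentials in .env are exactly what the malware harvests.
    for key, value in env.items():
        if value and SENSITIVE_KEY.search(key):
            findings.append(f"{key} holds a credential; move it to a secrets store and rotate it")
    return findings

# Constructed sample .env (placeholder values, not real credentials).
SAMPLE_ENV = """APP_NAME=Shop
APP_DEBUG=true
# database
DB_PASSWORD="s3cret"
AWS_ACCESS_KEY_ID=AKIAPLACEHOLDER
AWS_SECRET_ACCESS_KEY='placeholder/secret'
TWILIO_AUTH_TOKEN=
MAIL_PASSWORD=mailpass
"""

if __name__ == "__main__":
    for finding in audit_env(SAMPLE_ENV):
        print("[!]", finding)
```

Run it against the real .env of a deployment (and confirm the web server refuses to serve the file) as part of the patching and credential-rotation work the advisory recommends.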

Sophisticated NSPX30 Backdoor Being Used by BlackWood APT Group

The Blackwood APT, a Chinese-aligned cyberespionage group, has been utilizing sophisticated malware known as NSPX30 to target entities within China, Japan, and the United Kingdom. Blackwood's method of attack is particularly insidious as it involves hijacking the update mechanisms of legitimate software. This adversary-in-the-middle approach allows the group to substitute authentic software updates with malicious payloads. NSPX30 is not just a singular piece of malware but a multistage implant that encompasses a dropper, installer, loaders, orchestrator, and a backdoor, each playing a role in the infection chain and ensuring persistence on the compromised systems.
The malware's capabilities are extensive, including traditional spying functions like keylogging and screenshot capture, as well as advanced functionalities such as whitelisting itself in anti-malware solutions prevalent in China. The infection process typically starts with the malware masquerading as an update from a legitimate server. For example, an update request by Tencent QQ software is intercepted, leading to the downloading of "Tencentdl.exe," which in turn writes the "minibrowser_shell.dll" dropper to disk. This dropper then loads additional malicious components that facilitate further exploitation and data exfiltration.
Despite the malware's complexity and the stealth with which it operates, the initial delivery mechanism of NSPX30 by Blackwood APT remains elusive. ESET researchers speculate that the group might employ network implants on vulnerable network appliances, like routers, to breach target networks initially. This technique bears resemblance to other China-aligned threat actors and suggests a high level of sophistication in Blackwood's operational tactics. As the malware can use legitimate network infrastructure, such as Baidu's, to download components or exfiltrate data, it cleverly camouflages its malicious traffic, thereby complicating efforts to track and mitigate its activities.

M.H
