Top Three Most Active Malware in January 2024


In January, the cybersecurity landscape has been particularly troubled by the sophistication of malware such as the Phemedrone Stealer, Androxgh0st, and the NSPX30 backdoor, all of which have demonstrated advanced techniques for evasion, data harvesting, and exploiting network vulnerabilities. These threats underline the critical need for up-to-date defenses against sophisticated malware campaigns that can bypass standard security protocols and compromise sensitive information.


CVE-2023-36025: Phemedrone Malware Campaign Targets Microsoft Defender SmartScreen Vulnerability
The Phemedrone Stealer campaign has been leveraging CVE-2023-36025, a vulnerability that allows bypassing Windows Defender SmartScreen, to conduct defense evasion and payload delivery since its discovery. This vulnerability enables attackers to execute malicious scripts without triggering SmartScreen's warning mechanisms, a critical security feature in Windows environments designed to block unrecognized applications and files that may be harmful.
The exploitation process of CVE-2023-36025 by the Phemedrone Stealer is outlined as follows:Attackers craft malicious .url files that exploit CVE-2023-36025 to bypass SmartScreen protections.
  • These .url files, hosted on cloud services, are designed to entice users into downloading and executing them.
  • Upon execution, the .url file downloads a .cpl file from an attacker-controlled server, avoiding detection by SmartScreen.
  • The .cpl file executes a DLL, which then uses PowerShell to download and execute the next stage of the malware from GitHub.
  • Phemedrone Stealer harvests sensitive information from the compromised system, including data from web browsers, cryptocurrency wallets, and various messaging applications.
  • The stolen data is prepared for exfiltration and sent to the attackers through Telegram, utilizing validated API tokens for secure communication.
The discovery of CVE-2023-36025's exploitation highlights the sophistication of the Phemedrone Stealer campaign and its ability to bypass advanced security measures like Windows Defender SmartScreen. Microsoft issued a patch for CVE-2023-36025 in November 2023, and the vulnerability was subsequently added to the Known Exploited Vulnerabilities (KEV) list by CISA, emphasizing the importance of timely updates and patches in defending against such threats. Users and organizations are advised to ensure their systems are updated to mitigate the risk posed by CVE-2023-36025 and similar vulnerabilities.

Androxgh0st Malware Is Targeting Cloud Services

The Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations to the threat posed by Androxgh0st malware on January 16, 2024 . This malware specifically targets .env files, which are often used to store sensitive configuration data for cloud services such as AWS, Office 365, SendGrid, and Twilio. Androxgh0st exploits critical vulnerabilities to further compromise web applications and establish botnets.
Key exploits utilized by Androxgh0st include the PHPUnit CVE-2017-9841, allowing arbitrary command execution through malicious HTTP POST requests, the Laravel CVE-2018-15133, which enables remote code execution by abusing XSRF token values, and the Apache CVE-2021-41773, a path traversal vulnerability used to access credentials and execute code remotely.
The malware is known for extracting sensitive information from Laravel .env files, deploying webshells, and exploiting exposed credentials and APIs. To protect against these threats, organizations are urged to patch the identified vulnerabilities in PHPUnit, Laravel, and Apache. Additionally, it is recommended to secure .env files, ensure Laravel applications are not in debug mode, remove sensitive information from .env files, and revoke any exposed credentials.

Sophisticated NSPX30 Backdoor Being Used by BlackWood APT Group

The Blackwood APT, a Chinese-aligned cyberespionage group, has been utilizing sophisticated malware known as NSPX30 to target entities within China, Japan, and the United Kingdom. Blackwood's method of attack is particularly insidious as it involves hijacking the update mechanisms of legitimate software. This adversary-in-the-middle approach allows the group to substitute authentic software updates with malicious payloads. NSPX30 is not just a singular piece of malware but a multistage implant that encompasses a dropper, installer, loaders, orchestrator, and a backdoor, each playing a role in the infection chain and ensuring persistence on the compromised systems.
The malware's capabilities are extensive, including traditional spying functions like keylogging and screenshot capture, as well as advanced functionalities such as whitelisting itself in anti-malware solutions prevalent in China. The infection process typically starts with the malware masquerading as an update from a legitimate server. For example, an update request by Tencent QQ software is intercepted, leading to the downloading of "Tencentdl.exe," which in turn writes the "minibrowser_shell.dll" dropper to disk. This dropper then loads additional malicious components that facilitate further exploitation and data exfiltration.
Despite the malware's complexity and the stealth with which it operates, the initial delivery mechanism of NSPX30 by Blackwood APT remains elusive. ESET researchers speculate that the group might employ network implants on vulnerable network appliances, like routers, to breach target networks initially. This technique bears resemblance to other China-aligned threat actors and suggests a high level of sophistication in Blackwood's operational tactics. As the malware can use legitimate network infrastructure, such as Baidu's, to download components or exfiltrate data, it cleverly camouflages its malicious traffic, thereby complicating efforts to track and mitigate its activities.

M.H

Comments

Popular posts from this blog

CISA and ENISA enhance their Cooperation

Top Five Most Exploited Vulnerabilities in January 2024

SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes