APT28 uses fake ‘Windows Update’ guides to steal information

SISA Weekly Threat Watch - 08 May 2023

The evolving threat landscape poses a significant challenge to enterprises, as cybercriminals continue to deploy advanced techniques to evade detection and steal sensitive information. This past week, researchers highlighted a continued risk posed by new malicious software toolkits, advanced persistent threats (APTs), remote access trojans (RATs), and new variants of Linux malware used in various cyberespionage activities. To maintain a strong defense against these intrusions, proactive measures and a comprehensive security approach are essential.

SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities and threats that affected organizations worldwide this week. These recurring actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.

1. Decoy Dog: A sophisticated malware threat targeting enterprises

Researchers have discovered a new malicious software toolkit, known as “Decoy Dog”, that targets enterprises. Decoy Dog employs evasion techniques such as domain aging (registering its C2 domains long before they are used, so they do not look newly created) and DNS query dribbling (spacing DNS queries out so that they stay below volume-based alerting thresholds) to avoid detection by conventional security controls. Further investigation revealed that several C2 domains carried DNS tunnels with characteristics indicative of Pupy RAT, a remote access trojan deployed as part of the Decoy Dog toolkit.

The multi-part DNS signature provided strong evidence that the correlated domains were not only running Pupy RAT but were all part of the broader Decoy Dog toolkit. The researchers also observed a distinctive beaconing behaviour across all Decoy Dog domains: infrequent but periodic DNS requests from the infected host. It is recommended to deploy DNS-layer monitoring that analyses query patterns per client and per domain and can flag this kind of low-volume, regular activity, since volume-based and signature-based controls will not see it. To contain the impact of an intrusion and prevent adversaries from reaching critical systems, implement network segmentation and access controls that limit lateral movement within the network.
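As an added illustration (not code from the original advisory or from the researchers who analysed Decoy Dog), the following Python script shows the per-client, per-domain cadence analysis that surfaces the “infrequent but periodic” beaconing described above. The resolver-log records it analyses are constructed for the example, the domain names are invented, and the thresholds (at least six queries, a median gap of ten minutes or more, and a coefficient of variation of the gaps of 0.15 or less) are assumptions to tune against real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev


def _constructed_log():
    """Build sample resolver-log lines ("<ISO timestamp> <client> <qname>").

    Constructed data, not real Decoy Dog traffic: client 10.0.0.23 queries a
    changing label under one invented parent domain about once an hour with
    small jitter (the sparse-but-regular pattern), while 10.0.0.12 browses an
    invented SaaS domain at irregular, bursty intervals.
    """
    t0 = datetime(2023, 5, 1, 0, 0, 0)
    lines = []
    jitter = [0, 41, -17, 33, -29, 12, -8, 27, -36, 19, -22, 5]
    for i, j in enumerate(jitter):
        ts = t0 + timedelta(seconds=3600 * i + j)
        lines.append(f"{ts.isoformat()} 10.0.0.23 h{i:02d}.dribble-c2.test")
    offsets = [1, 3, 4, 90, 95, 400, 401, 402, 2500, 2501, 7000, 7001, 7003, 8000]
    for k, off in enumerate(offsets):
        ts = t0 + timedelta(seconds=off)
        host = ("api", "cdn", "www")[k % 3]
        lines.append(f"{ts.isoformat()} 10.0.0.12 {host}.example-saas.test")
    return "\n".join(sorted(lines))


def parent_domain(qname):
    """Collapse tunnel subdomains to the parent they all share.

    Simplification: takes the last two labels and ignores the public suffix
    list, so 'a.b.example.co.uk' would be grouped as 'co.uk'.
    """
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_beacons(log_text, min_queries=6, min_interval=600, max_cv=0.15):
    """Return (client, parent_domain, median_gap_seconds, cv) for query series
    that are sparse (median gap >= min_interval) yet regular (stdev/mean of the
    gaps <= max_cv). Thresholds are assumptions to tune per environment."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        series[(client, parent_domain(qname))].append(datetime.fromisoformat(ts))

    hits = []
    for (client, domain), stamps in series.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps only; not a cadence
        cv = pstdev(gaps) / avg
        if median(gaps) >= min_interval and cv <= max_cv:
            hits.append((client, domain, median(gaps), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(_constructed_log()):
        print("beacon candidate:", hit)
```

Grouping on the parent domain matters because a DNS tunnel puts its data in ever-changing subdomain labels; grouping on the full query name would see each query once and never build a series. In production, swap `_constructed_log()` for a resolver export and add an allowlist for known heartbeat domains (update checkers, agents) that legitimately beacon.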

2. APT28 uses fake ‘Windows Update’ guides to target Ukrainian govt

According to the Computer Emergency Response Team of Ukraine (CERT-UA), Russian hackers, attributed to APT28, are targeting various government bodies in the country with malicious emails containing instructions on ‘how to update Windows as a defense against cyberattacks’. The attackers created @outlook.com email addresses using real employee names acquired via unknown means in the preparatory stages of the attack.

The malicious emails instruct recipients to run a PowerShell command that downloads a PowerShell script. The script simulates a Windows update process on screen while downloading a second PowerShell payload in the background. The second-stage payload, a basic information-harvesting tool, runs the ‘tasklist’ and ‘systeminfo’ commands and sends their output to a Mocky service API via an HTTP request. It is recommended that system administrators restrict the ability to launch PowerShell on critical computers (and enable script block logging where it must remain available), and monitor network traffic for connections to the Mocky service API and other suspicious destinations. Additionally, keep software updated to prevent attackers from exploiting known vulnerabilities, and remind users that genuine Windows updates are never delivered as PowerShell commands in an email.

3. LOBSHOT: The stealthy info stealer unleashed through Google Ads

According to researchers, Google Ads have been exploited to distribute a new remote access trojan (RAT) called LOBSHOT. The malware campaign utilized ads promoting the legitimate AnyDesk remote management software but redirected users to a fake website, amydeecke[.]website. The site delivered a malicious MSI file that executed a PowerShell command to download a DLL from download-cdn[.]com, a domain previously associated with the TA505/Clop ransomware gang.

Upon execution, the downloaded DLL, which is the LOBSHOT malware, is saved in the C:\ProgramData folder and run through rundll32.exe. If Microsoft Defender is not present, LOBSHOT configures Registry entries so that it starts automatically at Windows login, and it collects system information, including the list of running processes, from the infected device. The malware also scans for cryptocurrency wallet extensions in popular browsers such as Chrome, Edge, and Firefox. It is recommended to regularly apply security patches and updates to operating systems and applications, to treat search-engine ads for software downloads with caution and download tools only from the vendor’s official site, and to implement reliable antivirus, anti-malware, and intrusion detection/prevention systems to detect and block malicious activity.
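The following Python script is an added example, not code from CERT-UA, from the LOBSHOT researchers or from the original advisory, showing how items 2 and 3 above translate into host-telemetry detections: a PowerShell process whose children ran both tasklist and systeminfo and which then made an outbound connection, and a rundll32 process loading a DLL from under C:\ProgramData, enriched with any Run-key persistence the same process wrote. The Sysmon-style events it processes are constructed for the example; the script name, DLL name, Run-key value name and benign look-alikes are invented, and run.mocky.io is assumed to be the public hostname of the Mocky service.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events for illustration only (not real telemetry).
# pid 4120: the fake "Windows update" PowerShell chain from item 2.
# pid 5200: the rundll32-hosted DLL with Run-key persistence from item 3.
# pids 6000/6100: benign look-alikes that the rules must not flag.
# Paths, DLL and value names are invented; run.mocky.io is assumed to be the
# public hostname of the Mocky service named in the advisory.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS32 = r"C:\Windows\System32"
EVENTS = [
    {"type": "process", "pid": 4120, "ppid": 3000, "image": PS,
     "cmdline": "powershell.exe -NoProfile -File update.ps1"},
    {"type": "process", "pid": 4130, "ppid": 4120, "image": SYS32 + r"\tasklist.exe",
     "cmdline": "tasklist"},
    {"type": "process", "pid": 4131, "ppid": 4120, "image": SYS32 + r"\systeminfo.exe",
     "cmdline": "systeminfo"},
    {"type": "network", "pid": 4120, "dest": "run.mocky.io", "port": 443},
    {"type": "process", "pid": 5200, "ppid": 5100, "image": SYS32 + r"\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\update.dll,Start"},
    {"type": "registry", "pid": 5200,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"rundll32.exe C:\ProgramData\update.dll,Start"},
    {"type": "process", "pid": 6000, "ppid": 1, "image": PS,
     "cmdline": "powershell.exe -File backup.ps1"},
    {"type": "process", "pid": 6001, "ppid": 6000, "image": SYS32 + r"\tasklist.exe",
     "cmdline": "tasklist"},
    {"type": "process", "pid": 6100, "ppid": 1, "image": SYS32 + r"\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

DISCOVERY = {"tasklist.exe", "systeminfo.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
PROGRAMDATA_DLL = re.compile(r"c:\\programdata\\[^\s,]+\.dll", re.IGNORECASE)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Apply the two rules and return a list of finding dicts."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(set)      # ppid -> image names of its children
    for p in procs.values():
        children[p["ppid"]].add(image_name(p["image"]))
    net = defaultdict(list)          # pid -> destinations contacted
    runkeys = defaultdict(list)      # pid -> Run keys it wrote
    for e in events:
        if e["type"] == "network":
            net[e["pid"]].append(e["dest"])
        elif e["type"] == "registry" and RUN_KEY.search(e["key"]):
            runkeys[e["pid"]].append(e["key"])

    findings = []
    for pid, p in procs.items():
        name = image_name(p["image"])
        # Rule 1: PowerShell that ran both discovery commands, then talked out.
        if name == "powershell.exe" and DISCOVERY <= children[pid] and net[pid]:
            findings.append({"rule": "ps_discovery_then_egress", "pid": pid,
                             "dest": sorted(set(net[pid]))})
        # Rule 2: rundll32 loading a DLL dropped under C:\ProgramData.
        m = PROGRAMDATA_DLL.search(p["cmdline"])
        if name == "rundll32.exe" and m:
            findings.append({"rule": "rundll32_programdata_dll", "pid": pid,
                             "dll": m.group(0), "persistence": runkeys[pid]})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Rule 1 deliberately requires both discovery commands and an egress event from the same process, so an administrator running tasklist alone (pid 6000) is not flagged; the destination list in the finding is what an analyst compares against the Mocky service or other paste-style hosts. Rule 2 keys on the DLL's location rather than its name, since the name will change between campaigns, and attaches the Run key so the persistence is visible in the same finding.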

4. Apache, TP-Link, Oracle flaws actively exploited in the wild

Based on evidence of active exploitation, CISA has added three flaws to its Known Exploited Vulnerabilities (KEV) catalog: TP-Link Archer AX-21 Command Injection Vulnerability, Apache Log4j2 Deserialization of Untrusted Data Vulnerability, and Oracle WebLogic Server Unspecified Vulnerability.

TP-Link Archer AX-21 Command Injection Vulnerability (CVE-2023-1389) can be exploited to achieve remote code execution and was abused in recent attacks to install a new variant of the Mirai botnet on compromised routers. Apache Log4j2 Deserialization of Untrusted Data Vulnerability (CVE-2021-45046), the follow-up to the incomplete fix for Log4Shell, can lead to information leakage and remote code execution in certain non-default configurations, and an estimated 30% of Log4j downloads are reportedly still of vulnerable versions. Oracle WebLogic Server Unspecified Vulnerability (CVE-2023-21839) allows an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server. It is strongly recommended to apply the vendors’ patches and fixes if this has not already been done.
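As an added worked example (not from CISA, Apache or the original advisory), the Python below triages a list of log4j-core jar paths against the fixed versions for CVE-2021-45046, the kind of inventory check behind the “still vulnerable” figure above. The jar paths are constructed for the example, and the fixed-version floors (2.16.0 for the main line, 2.12.2 for the Java 7 line, 2.3.1 for the Java 6 line) are encoded from the Apache Log4j security advisories as an assumption to re-verify before use; later Log4j CVEs such as CVE-2021-45105 require newer releases still, so a version this script reports as fixed is fixed for this CVE only.

```python
import re

# Fixed-version floors per Log4j 2 release line for CVE-2021-45046 (which also
# cover the original CVE-2021-44228): 2.16.0 for the Java 8+ line, 2.12.2 for
# the Java 7 line and 2.3.1 for the Java 6 line. Encoded here as an assumption
# to re-check against the Apache Log4j security page; later Log4j CVEs
# (e.g. CVE-2021-45105) need newer releases than these floors.
FIXED_FLOORS = {"2.12": (2, 12, 2), "2.3": (2, 3, 1)}
DEFAULT_FLOOR = (2, 16, 0)

# log4j-core-<major>.<minor>[.<patch>][-qualifier].jar; log4j-api is not affected.
JAR_RE = re.compile(
    r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:[-.][\w.-]*)?\.jar$", re.IGNORECASE)


def parse_version(path):
    """Return (major, minor, patch) for a log4j-core jar path, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = JAR_RE.match(name)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def is_vulnerable(version):
    """True if a Log4j 2 version is below the fixed floor for its release line."""
    major, minor, _ = version
    if major != 2:
        return False  # Log4j 1.x is a different code base and out of scope here
    floor = FIXED_FLOORS.get(f"{major}.{minor}", DEFAULT_FLOOR)
    return version < floor


def triage(jar_paths):
    """Return (path, version_string, vulnerable) for every log4j-core jar."""
    report = []
    for path in jar_paths:
        version = parse_version(path)
        if version is None:
            continue
        report.append((path, ".".join(map(str, version)), is_vulnerable(version)))
    return report


# Constructed jar inventory for illustration; paths and versions are invented.
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/opt/app/lib/log4j-core-2.15.0.jar",
    r"C:\svc\legacy\log4j-core-2.12.2.jar",
    "/srv/tomcat/webapps/ROOT/WEB-INF/lib/log4j-core-2.17.1.jar",
    "/opt/old/log4j-core-2.3.0.jar",
    "/opt/old/log4j-1.2.17.jar",
]

if __name__ == "__main__":
    for path, version, vulnerable in triage(SAMPLE_JARS):
        print(f"{'VULNERABLE' if vulnerable else 'ok        '} {version:8} {path}")
```

Filename matching is a first pass only: log4j-core is also shaded into fat jars and bundled inside WAR and EAR archives, so a full inventory also has to open archives and look for the embedded class files or pom.properties.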

5. New variants of Linux malware being utilized for cyberespionage campaigns

New variants of Linux malware are being used by hackers in their cyberespionage activities. These include a recently discovered Linux variant of PingPull, a remote access trojan (RAT), and a previously unknown backdoor named ‘Sword2033’. The Linux version of PingPull is an ELF file that currently goes largely undetected, with only three out of 62 antivirus vendors flagging it as malicious. Commands from the C2 server are represented by a single uppercase character in an HTTP parameter, and the malware returns the results to the server in a base64-encoded request.

A new ELF backdoor called Sword2033 communicates with the same C2 server as PingPull. It is a simpler tool with basic functions: file upload, file exfiltration, and command execution. It is recommended to regularly apply patches and updates to operating systems, applications, and security software so that known vulnerabilities are addressed, and to review outbound HTTP from Linux servers for the unusual encoding pattern described above. Additionally, enforce the principle of least privilege, granting users only the permissions necessary to perform their tasks.
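As an added example (not from the researchers or the original advisory), the Python below flags the HTTP exchange shape described for PingPull: a client whose requests to a host carry base64-encoded bodies while the responses from that host consist of a form parameter whose value is a single uppercase letter. The transactions it scans are constructed, the parameter name ‘c’ and the hosts are invented, and placing the one-letter parameter in the C2 response (rather than in a request the implant polls with) is an assumption drawn from the description above; the two halves of the check are combined per (client, host) pair because either one alone is common in benign traffic.

```python
import base64
import binascii
import re
from collections import Counter
from urllib.parse import parse_qsl

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_base64(text, min_len=24):
    """True if text is canonical base64 of at least min_len characters.

    Plain words can pass this check, so it is only one half of the pattern.
    """
    s = text.strip()
    if len(s) < min_len or len(s) % 4 or not B64_RE.match(s):
        return False
    try:
        base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def single_upper_param(text):
    """True if text is a form body with a parameter whose value is exactly
    one uppercase ASCII letter, the tasking shape described for PingPull."""
    pairs = parse_qsl(text.strip(), keep_blank_values=True)
    return any(len(v) == 1 and "A" <= v <= "Z" for _, v in pairs)


def find_c2_candidates(transactions, min_hits=2):
    """Count (client, host) pairs where base64 request bodies are answered with
    one-letter tasking, and return those seen at least min_hits times."""
    hits = Counter()
    for client, host, request_body, response_body in transactions:
        if looks_base64(request_body) and single_upper_param(response_body):
            hits[(client, host)] += 1
    return {pair: n for pair, n in hits.items() if n >= min_hits}


def _constructed_transactions():
    """Invented proxy transactions (client, host, request body, response body)
    for illustration only; hosts and the parameter name 'c' are placeholders."""
    def b64(s):
        return base64.b64encode(s.encode()).decode()
    return [
        # implant on 10.0.0.41: results out as base64, one-letter commands back
        ("10.0.0.41", "198.51.100.7", b64("uid=0(root) gid=0(root)\n"), "c=A"),
        ("10.0.0.41", "198.51.100.7", b64("/etc/passwd\n/etc/hosts\n"), "c=D"),
        ("10.0.0.41", "198.51.100.7", b64("Linux web01 5.10.0 x86_64\n"), "c=B"),
        # ordinary traffic from the same and other clients
        ("10.0.0.41", "api.example-saas.test", '{"q":"status"}', '{"ok":true}'),
        ("10.0.0.12", "upload.example.test",
         b64("some file contents that are long enough"), "<html>ok</html>"),
        ("10.0.0.12", "www.example.test", "a=1&b=2", "a=X"),  # one-off, under threshold
    ]


if __name__ == "__main__":
    for (client, host), n in find_c2_candidates(_constructed_transactions()).items():
        print(f"possible C2: {client} -> {host} ({n} matching exchanges)")
```

The base64 upload to upload.example.test and the one-off `a=X` response are both left alone, which is the point of requiring the pair to repeat: the signal is the conversation shape between one client and one host, not any single request. Feed it from a proxy or NetFlow-with-payload export, and raise `min_hits` on busy egress points.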

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
