SISA Weekly Threat Watch – October 31st, 2022

Multiple malwares appear to be entering a new backdoor phase, based on a number of sophisticated and effective malicious campaigns. Threat actors can remain undetected by employing targeted attack techniques such as remote code execution (RCE), PowerShell scripts, password-protected archive files, and cryptominers. This makes it easier for attackers to launch a variety of attacks, such as cryptojacking, data theft, and ransomware. In the future, such threat actors are expected to incorporate additional novel defense evasion methods to breach the networks.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. DiceyF: Rolling and ruling with GamePlayerFramework malware

Kaspersky researchers have discovered a mystery series of APT activities by a group going by the name of DiceyF that have been focused on Southeast Asian online casino development and operations for a while. It has been observed that the DiceyF APT group modifies its codebase over time and develops functionality while performing intrusions. The attackers used a security package deployment service and an employee monitoring system to direct their virus delivery.

The group distributed malware called GamePlayerFramework, which comes with downloaders, launchers, and a variety of plugins. Attackers also used legal software artefacts from NVIDIA, Mango, and other programmes to mask their tracks, including service names, file locations, stolen digital signing certificates, and others. To better hide their logging and monitoring operations, DiceyF developers have added more powerful encryption capabilities over the course of several months.

2. A novel ‘fully undetectable’ PowerShell backdoor discovered

A novel fully undetectable (FUD) PowerShell backdoor has been detected which disguises itself as part of Windows update process. According to SafeBreach, the attack starts with a malicious Word document, which includes a macro that launches an unknown PowerShell script. The macro drops updater.vbs and creates a scheduled task pretending to be part of a Windows update, which will execute the updater.vbs script from a fake update folder.

Prior to executing the scheduled task, the malware creates two PowerShell scripts which are designed to connect to a remote command-and-control (C2) server and retrieve a command to be launched on the compromised machine. The reason these scripts go undetected is that their content gets obfuscated and stored in text boxes within the Word file and gets saved to the fake update directory. Due to this, the scripts do not get detected in VirusTotal. To detect suspicious script execution in PowerShell, Command line logging must be configured and regularly monitored.

3. Emotet botnet distributing self-unlocking RAR files to drop malware

A recent wave of malspam campaigns that use password-protected archive files to install CoinMiner and Quasar RAT on infected PCs have been linked to the infamous Emotet botnet. The ZIP or ISO attachment, which was disguised as an invoice, held a nested self-extracting (SFX) package. To spread malware, self-extracting archives are frequently utilized. An archive becomes executable when it is set to SFX. This archive type is convenient because the content may be opened without the use of any archiving software.

A threat called CoinMiner uses the resources of the infected system to mine cryptocurrencies. Due to its ability to access Microsoft Outlook profiles and read user data from web browsers, this malware can also display credential stealing behavior. Installing software updates to prevent hackers from exploiting known issues or vulnerabilities is critical for organizations. It is also recommended to never open any email attachments that are unexpected or suspicious as they might run false software that could steal confidential data.

4. Multiple malware campaigns exploit VMware vulnerability

A now-patched vulnerability in VMware Workspace ONE Access has been observed which is being exploited to deliver both cryptocurrency miners and ransomware on affected machines. The remote code execution vulnerability is caused due to server-side template injection. It allows attackers to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager.

Most of the payloads focus on probing a victim’s sensitive data, for example, passwords, hosts file, etc. There are a few payloads that have an intention of deploying Mirai targeting exposed networking devices running Linux, RAR1ransom that leverages legitimate WinRAR to deploy encryption, and GuardMiner that is a variant of xmrig used to “mine” Monero, a cryptocurrency. To remediate this vulnerability, apply the patches listed by VMware and ensure that all the systems are updated. It is also recommended to avoid software updates while using untrusted networks and enable automatic software updates whenever possible.

5. Ursnif malware switches from bank account theft to initial access

A new iteration of the Ursnif malware, also known as Gozi, has emerged as a backdoor that lacks the functionality of a typical banking trojan. This modification might be a sign that the developers of the new version are focusing on ransomware spread. The malware can avoid detection since it is signed with genuine certificates, wrapped in portable executable crypters, and comes in DLL format.

Upon execution, it establishes a user and a system ID to fetch and run various commands on the host system and collects system service information from the Windows registry. The LDR4 variant is being spread by Ursnif operators using email traps masquerading as job opportunities. The operators were also discovered using an accounting app lure to deliver the payload. Keeping software up to date, using strong passwords, enforcing multi-factor authentication, and conducting regular backups is recommended to stay secure from such attacks.