SISA Weekly Threat Watch – September 12th, 2022

This past week saw the emergence of a new phishing platform for automated attacks and multiple new malwares backed by state-sponsored groups and organizations. Persistent usage of a wide range of tools and modified techniques like cryptocurrency mining, PowerShell commands and polymorphic encoding for attacks indicated that threat groups have access to an extensive range of resources and diverse skills. This certainly cannot be overlooked by security professionals and network administrators.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows

Microsoft has identified that the Russian hacker group APT29 (also known as NOBELIUM, Cozy Bear) is deploying a brand-new piece of malware called MagicWeb, that enables anyone in a compromised network to authenticate. The tool modifies user authentication certificates and claims passed in tokens created by the infected server by swapping out a legitimate DLL used by ADFS for a malicious one.

The Microsoft.IdentityServer.Diagnostics.dll is modified by NOBELIUM with a backdoored version that has an extra section in the “TraceLog” class. Four genuine ADFS functions – Build, GetClientCertificate, EndpointConfiguration, and ProcessClaims—are hooked using the function to carry out various operations inside the targeted network. Microsoft advises to adhere to their report’s hunting recommendations and use 365 Defender to hunt the Global Assembly Cache (GAC) for unsigned DLLs.

2. Iranian MuddyWater abuses Log4Shell in SysAid apps

The Log4Shell vulnerability in SysAid apps is being exploited by Mercury APT, also known as MuddyWater, a group sponsored by the Iranian government. Earlier in 2022, the group used Log4j 2 exploits against VMware apps, and they are currently abusing a similar vulnerability in SysAid programmes.m. To communicate with their C2 server, the attackers have used a variety of techniques, notably PowerShell along with eHorus – a tool for remote monitoring, and vpnui.exe – a special version of Ligolo.

After entering the target network, attackers establish persistence, move laterally across the organization, and steal credentials. Even though SysAid patched the Log4Shell flaw after it was made public, some organizations have not used the patch yet. To reduce the risk of credentials being compromised, it is recommended to enable multi-factor authentication (MFA) and ensure that it is enforced for any remote connectivity.

3. Windows malware delays Coinminer installation by a month to evade detection

A new malware campaign spreading cryptocurrency mining malware across 11 countries was discovered to be masquerading as Google Translate or MP3 downloaders, propagated through reputable free software sites. According to research by Check Point, the malware was developed by a firm called “Nitrokod,” which at first sight appears clean of malware and offers the stated functionality.

The user receives a password protected RAR that avoids antivirus detection and contains an executable with the same name as the app selected. On the fifth day of the infection, the malware activates a dropper from another encrypted RAR file and uses PowerShell commands to purge all system logs. The software loads the last dropper after 15 days, which retrieves another RAR file containing the XMRig mining malware, its controller, and a “.sys” file before dropping the final payload. To prevent such attacks, it is advised to avoid installing apps that claim features that have not been officially announced by the developer, like a desktop Google Translate tool.

4. New EvilProxy service lets all hackers use advanced phishing tactics

EvilProxy is a reverse-proxy phishing-as-a-service (PaaS) platform that claims to be able to steal authentication tokens from sites such as Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and even PyPI to get past multi-factor authentication (MFA). The service makes it possible for low-skill threat actors to steal internet accounts that are otherwise well-protected because they do not know how to set up reverse proxies.

The reverse proxy shows the genuine login form, forwards requests, and returns responses from the business website when the victim connects to a phishing page. The threat actors then log in to the website using the authentication cookie as the user. Resecurity says that each user organizes their personal payment for the service through Telegram. Conducting regular backups, using strong passwords, enforcing MFA, and implementing DLP solution on computers is highly recommended to stay protected from phishing attacks.

5. Shikitega – New stealthy malware targeting Linux

Shikitega, a new stealthy Linux malware, has been discovered to infect computers and IoT devices with extra payloads. The malware launches a cryptocurrency miner on infected devices after adding persistence to the host via crontab and exploiting vulnerabilities to gain privileges. Shikitega malware uses a polymorphic encoder and distributes its payload gradually, with each stage exposing only a portion of the payload, according to AT&T’s report.

The malware uses the encoder to run through multiple decode loops, in which each loop decodes the next layer until the final shellcode payload is decoded and executed. The shellcode is then executed to communicate with the malware’s command and control servers (C2) and obtain additional shellcode (commands). The final stage payload, a bitcoin miner, is downloaded as root by Mettle using a smaller ELF file which exploits PwnKit vulnerability. It is recommended to keep the software up to date along with enforcing MFA and using strong passwords to protect systems from being compromised.