Published Advisories

3CX Desktop App Report

On March 29, 2023, several cybersecurity vendors raised alarms about a supply chain attack involving trojanized 3CX desktop app installers that carried a valid 3CX digital signature and were aimed at compromising 3CX's downstream customers. Because the tampered builds were properly signed, a passing signature check alone did not distinguish them from clean releases. 3CX's CEO confirmed that the desktop app had been compromised with malware and advised customers to uninstall it and switch to the PWA client. The final-stage malware gathers system information and steals stored credentials and browsing data from the user profiles of Chrome, Edge, Brave, and Firefox.

Affected platforms: The following builds are known to be affected:

Windows users: versions 18.12.407 and 18.12.416 of the 3CX Desktop App (Electron) shipped in Update 7

macOS users: versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX Desktop App (Electron)

BellaCiao (IRGC)

An Iranian state-sponsored group tracked as Charming Kitten (also known as APT35/APT42, Phosphorus and Mint Sandstorm) has been observed deploying a new malware strain named BellaCiao against victims in the U.S., Europe, India, Turkey and other countries. The campaign exploits known vulnerabilities in internet-facing Microsoft Exchange servers to gain initial access and then deploys payloads for espionage, data theft and potentially ransomware.

BellaCiao is a dropper designed to deliver additional payloads to compromised hosts on instruction from the operators. Its primary job is to establish persistence and stay quiet until it is tasked. Each sample is built for a specific victim, with hardcoded details such as the company name, purpose-built subdomains and the associated public IP address; the implant periodically resolves its subdomain and compares the returned address with the hardcoded one to receive tasking. This per-victim customisation both tailors the implant and frustrates signature-based detection, since no two victims share an identical binary.

BiBi Wiper Malware

In a recent surge of cyber threats, Israeli computers are increasingly facing data-wiping attacks by variants of the BiBi malware family. Researchers have identified destructive variants for both Linux and Windows systems. The attacks form part of a broader cyber offensive against various sectors in Israel, notably education and technology.

Security Joes' Incident Response team uncovered 'BiBi-Linux', a strain designed for irreversible data corruption and operational disruption rather than extortion: it overwrites files and offers no decryption path, so backups held offline are the only realistic recovery route. Following this discovery, ESET researchers confirmed on October 31, 2023 that a Windows variant of the same malware had been identified and linked it to a hacktivist group named BiBiGun. The group is associated with Hamas, indicating a coordinated effort to deploy the wiper for disruptive attacks.

CMoon USB Worm

A new USB worm, identified as "CMoon", has emerged that specifically targets Russian individuals and organisations. The malware is built for data theft, with the primary objective of exfiltrating sensitive information from infected systems. Because it propagates via USB drives, it is particularly potent in environments with shared or transient storage media, including air-gapped or poorly segmented networks. CMoon has raised significant concern because of its potential impact on both government and private sector entities in Russia.


In this attack, users are lured into clicking links to regulatory documents (.docx, .xlsx, .rtf and .pdf files) on a compromised company website. The threat actors replaced the legitimate documents behind those links with malicious executables, distributed as self-extracting archives that contain both the expected document and the CMoon payload. When a user downloads and opens the archive, the decoy document is displayed while the CMoon payload executes, establishing a backdoor and giving the attackers control over the affected system. The tactic trades on the trust users place in regulatory paperwork and in a legitimate-looking website, and it defeats controls that judge a download by its link text or file name rather than by its actual content.
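The infection chain above hinges on a download that is named like a document but is really a self-extracting executable. The following Python check, added here as an example and not code from the original advisory or from any CMoon reporting, classifies a downloaded file by its leading bytes rather than its extension, and specifically recognises the SFX pattern (a PE stub with an archive signature in its body). The sample payloads are constructed by hand and contain no real malware; the file names are made up.

```python
"""Inspect a downloaded 'document' before opening it: flag PE executables and
self-extracting archives that are passed off as .docx/.xlsx/.rtf/.pdf files.

Added example for this advisory; not code from the original page or from any
CMoon analysis. Sample payloads below are constructed by hand.
"""
import os

# Expected leading bytes for the document types named in the advisory.
DOCUMENT_MAGIC = {
    ".pdf": (b"%PDF-",),
    ".rtf": (b"{\\rtf",),
    ".docx": (b"PK\x03\x04",),   # OOXML is a ZIP container
    ".xlsx": (b"PK\x03\x04",),
}

# Archive signatures that an SFX stub (a PE file) carries in its body.
ARCHIVE_SIGNATURES = {
    b"Rar!\x1a\x07": "RAR",
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
    b"PK\x03\x04": "ZIP",
}

PE_MAGIC = b"MZ"


def inspect_download(filename, data):
    """Return (verdict, reason) for a file body served under `filename`.

    verdict is 'allow', 'block' or 'review'.
    """
    ext = os.path.splitext(filename.lower())[1]

    # 1. Anything that starts with a DOS/PE header is an executable, whatever
    #    the extension says. An SFX archive is exactly this: a PE stub with the
    #    archive appended, so look for an archive signature in the body.
    if data.startswith(PE_MAGIC):
        for sig, name in ARCHIVE_SIGNATURES.items():
            if sig in data[len(PE_MAGIC):]:
                return ("block",
                        f"PE executable with embedded {name} archive "
                        f"(self-extracting) served as '{ext or 'no extension'}'")
        return ("block", f"PE executable served as '{ext or 'no extension'}'")

    # 2. Double extensions such as report.pdf.exe are a cheap masquerade.
    stem, _ = os.path.splitext(filename.lower())
    if os.path.splitext(stem)[1] in DOCUMENT_MAGIC and ext not in DOCUMENT_MAGIC:
        return ("block", f"document-looking name with trailing '{ext}' extension")

    # 3. For claimed document types, the content must match the format.
    expected = DOCUMENT_MAGIC.get(ext)
    if expected is None:
        return ("review", f"no content rule for extension '{ext}'")
    if any(data.startswith(m) for m in expected):
        return ("allow", f"content matches {ext}")
    return ("block", f"content does not match {ext} magic bytes")


# Constructed samples (not real malware): a fake SFX stub and a benign PDF.
SAMPLE_SFX = b"MZ" + b"\x90" * 64 + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32
SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    for name, body in [("regulation_2024.docx", SAMPLE_SFX),
                       ("regulation_2024.pdf", SAMPLE_PDF),
                       ("regulation_2024.pdf.exe", b"hello")]:
        print(name, "->", inspect_download(name, body))
```

The check is deliberately content-first: a .docx served by the site is allowed only if it really is a ZIP container, and a PE body is blocked regardless of name. Run it at the proxy or on the download directory; the same logic applies to attachments arriving by mail.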

CrowdStrike Fallout

In July 2024, a faulty content update for CrowdStrike's Falcon sensor caused widespread blue screen errors on Windows hosts and ignited a flurry of posts across social media. Beyond the immediate outage, the episode highlights a risk that is often underestimated: the inadvertent exposure of an organisation's security stack through social media.
The outcry on platforms like LinkedIn and Facebook disclosed which organisations rely on CrowdStrike for endpoint security. That is useful reconnaissance. Adversaries can use such disclosures to select targets and to tailor tooling to evade or disable the specific endpoint product they now know is in place.
Compounding the incident, malicious actors stood up sites mimicking CrowdStrike's official domain and distributed counterfeit "fixes" and instructions under the guise of helping affected entities. Organisations should limit what staff disclose about internal tooling on social media, treat any unsolicited remediation guidance with suspicion, and take fixes only from the vendor's verified channels.

CyberStash Security Advisory - Lockbit 3.0 Ransomware

LockBit 3.0 (also known as LockBit Black) is ransomware that encrypts files on infected systems and demands payment for the decryption key. This Ransomware-as-a-Service (RaaS) variant first appeared in June 2022 and was the subject of a joint CISA/FBI advisory in March 2023. Affiliates use a range of initial access vectors, including phishing emails, exploit kits, compromised credentials and brute-force attacks against exposed public services, and they lean on legitimate remote administration tools such as AnyDesk, Splashtop and Atera RMM to maintain persistent access to the victim's network.
Once inside, LockBit 3.0 operators rely on living-off-the-land (LotL) techniques and additional tooling to move laterally and locate further targets, maximising the blast radius before encryption begins. Given the maturity of this tradecraft, organisations need a multi-layered security approach that can detect and block each stage of the intrusion in real time, including the unsanctioned installation of remote administration tools.

Cuttlefish Malware

A new malware dubbed Cuttlefish has emerged that targets small office and home office (SOHO) routers. It passively monitors traffic passing through the compromised device and harvests authentication material from HTTP GET and POST requests. Cuttlefish is modular and focuses on web requests traversing the router, which means credentials for cloud and other services used by every host behind that router are exposed, regardless of how well those hosts themselves are secured.

Deadglyph Malware

In a recent cyber espionage incident targeting a government entity in the Middle East, a newly discovered and highly sophisticated backdoor called 'Deadglyph' made its debut.

Deadglyph is built from interchangeable modules, fetched on demand from its command-and-control (C2) server. Each module arrives as shellcode that the backdoor executes to carry out a specific task.

This modular design lets the operators build new capabilities whenever they need them. The base implant stays small and generic, and target-specific tooling is pushed only to the victims where it is needed, which also means that analysts rarely recover the full toolset from a single compromised host.

DEEP#GOSU

DEEP#GOSU is a sophisticated, multi-stage campaign that uses PowerShell and VBScript malware to compromise Windows systems. Its tooling is designed to be stealthy, particularly from a network-monitoring perspective, because it blends its command-and-control traffic into legitimate cloud services rather than contacting obviously suspicious infrastructure.

Its capabilities include keylogging, clipboard monitoring, dynamic payload execution, data exfiltration and persistence. These are achieved through a combination of a Remote Access Trojan (RAT) for full remote control, scheduled tasks, and PowerShell scripts that keep themselves running as background jobs.

Security Advisory - DragonSpark

DragonSpark is an attack campaign built around SparkRAT, a Remote Access Trojan written in Go that runs on multiple platforms. First reported by SentinelLabs, the activity is staged from compromised infrastructure in China, Hong Kong, Taiwan, Singapore and the United States, from which the attackers deploy malware and a variety of other tools. To execute code from their binaries, the attackers use Golang source code interpretation: Go source embedded in the binary is interpreted at runtime (via the Yaegi interpreter) to spawn a reverse shell for remote code execution. This makes detection harder, because most endpoint security software assesses the behaviour of compiled code rather than source code carried as data inside a binary.

Exploiting the regreSSHion Vulnerability

The vulnerability known as "regreSSHion" affects OpenSSH, the widely deployed implementation of the Secure Shell (SSH) protocol that underpins remote administration and file transfer in most enterprises. It allows a remote, unauthenticated attacker to execute arbitrary code on affected systems, compromising the confidentiality, integrity and availability of the targeted infrastructure.
Designated CVE-2024-6387, the flaw is a race condition in sshd's SIGALRM signal handler: when a client fails to authenticate within LoginGraceTime, the handler runs code that is not async-signal-safe, and this can be exploited for unauthenticated remote code execution as root. The issue affects the default configuration of sshd on glibc-based Linux systems running OpenSSH 8.5p1 through 9.7p1 (and versions before 4.4p1 that lack the CVE-2006-5051 fix), so it demands prompt attention from any organisation that relies on OpenSSH for secure communications.
Patching promptly, or restricting direct internet access to SSH, is the proper fix. If neither is feasible right away, setting LoginGraceTime to 0 in sshd_config reduces the risk by disabling the timeout that triggers the vulnerable handler, so unauthenticated sessions no longer provide a path to exploitation. The trade-off is that unauthenticated connections are then never reaped by the timer, so an attacker can fill all connection slots (MaxStartups) and cause a denial of service.
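To turn the guidance above into something a fleet check can run, the following Python triage, added here as an example and not code from the OpenSSH project or from the original advisory, parses an SSH server banner, decides whether the version falls in the upstream-affected range, reads the effective LoginGraceTime from sshd_config the way sshd does (first occurrence wins), and reports whether the workaround is in place along with its denial-of-service caveat. The banner and config fragments are constructed for illustration.

```python
"""Triage OpenSSH hosts for CVE-2024-6387 (regreSSHion) from the server banner
and sshd_config, and report whether the LoginGraceTime 0 workaround is in place.

Added example for this advisory, not code from the OpenSSH project or from the
original page. Version ranges follow the OpenSSH 9.8 release notes; distributions
backport fixes, so a banner in range means "verify the package changelog", not
"confirmed vulnerable".
"""
import re

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
DEFAULT_LOGIN_GRACE = 120  # sshd default, in seconds


def parse_openssh_version(banner):
    """'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4' -> (9, 6, 1); None if not OpenSSH."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def upstream_affected(version):
    """Upstream-affected ranges: < 4.4p1 (no CVE-2006-5051 fix) and 8.5p1 <= v < 9.8p1."""
    if version < (4, 4, 1):
        return True
    return (8, 5, 1) <= version < (9, 8, 1)


def _seconds(value):
    """sshd time format: bare seconds or a number with an s/m/h/d/w suffix."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip().lower())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    mult = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return int(m.group(1)) * mult[m.group(2)]


def login_grace_time(config_text):
    """Effective LoginGraceTime. sshd uses the FIRST occurrence of a keyword, and
    LoginGraceTime is not permitted inside Match blocks, so stop at the first hit."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts 'Keyword value' or 'Keyword=value'.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "logingracetime" and len(parts) == 2:
            return _seconds(parts[1])
    return DEFAULT_LOGIN_GRACE


def assess(banner, config_text):
    """Combine banner and config into a triage verdict."""
    version = parse_openssh_version(banner)
    if version is None:
        return {"status": "not-openssh"}
    grace = login_grace_time(config_text)
    if not upstream_affected(version):
        status = "not-affected-upstream"
    elif grace == 0:
        # Workaround closes the RCE path but leaves sshd open to slot exhaustion
        # (MaxStartups) because unauthenticated connections are never timed out.
        status = "mitigated-dos-risk"
    else:
        status = "verify-or-patch"
    return {"status": status, "version": version, "login_grace_time": grace}


# Constructed inputs: a banner from a distribution build and two config fragments.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4"
CONFIG_DEFAULT = "# sshd_config\nPort 22\nPermitRootLogin prohibit-password\n"
CONFIG_WORKAROUND = "Port 22\nLoginGraceTime 0\nLoginGraceTime 2m\n"

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, CONFIG_DEFAULT))
    print(assess(SAMPLE_BANNER, CONFIG_WORKAROUND))
```

The sample banner is a case in point for the caveat in the docstring: Ubuntu backported the fix into its 9.6p1 packages, so that host shows "verify-or-patch" and the package changelog, not the banner, settles the question. Note also that CONFIG_WORKAROUND carries two LoginGraceTime lines and the first one wins, which is why appending the workaround to the end of an existing sshd_config can silently do nothing.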

Emoji-Powered Malware Operations

A novel Linux malware, designated 'DISGOMOJI', has emerged that is distinguished by its use of emojis to issue commands on compromised systems. Aimed predominantly at government entities in India, it has been linked to 'UTA0137', a threat actor believed to operate out of Pakistan.
Functionally, DISGOMOJI resembles a conventional backdoor or bot: it gives operators remote command execution, screen capture, file exfiltration, payload deployment and targeted file reconnaissance. Its distinguishing feature is the use of Discord as the command and control (C2) channel, with emojis posted to a channel serving as the directives and the malware acknowledging them in kind. Because the tasking does not resemble traditional text-based commands, it may slip past security tooling that inspects C2 traffic for command strings.
DISGOMOJI illustrates how abusing popular communication platforms and unconventional command encodings is a deliberate attempt to circumvent conventional defences. Treating outbound traffic to chat platforms from servers and other unattended Linux hosts as anomalous, rather than relying on content inspection, is one practical detection angle.

Mint Sandstorm Campaign

Mint Sandstorm, which overlaps with the threat actor tracked by other researchers as APT35 and Charming Kitten, is an Iranian state-sponsored APT group focused on cyber-espionage. In the campaign reported by Microsoft, the group targeted high-profile individuals working on Middle Eastern affairs at universities and research organisations, aiming to steal sensitive intellectual property, research findings and other valuable information.
The group is known for social engineering, spear-phishing campaigns and watering hole attacks to compromise victims' systems, and it invests heavily in making its lures convincing, including impersonating journalists and fellow researchers to build rapport before delivering malicious content.
In this campaign the threat actors used compromised legitimate email accounts to send phishing lures, employed the curl command to connect to Mint Sandstorm command-and-control (C2) infrastructure and download malicious files, and introduced a new custom backdoor named MediaPl. These techniques improve Mint Sandstorm's ability to evade detection and maintain access to targeted systems.

Security Advisory - Nevada Ransomware

NEVADA is ransomware that targets Windows and Linux systems, encrypting files, appending the ".NEVADA" extension to filenames and dropping a ransom note in every folder containing encrypted files. The initial access vector has not been conclusively established; investigations are ongoing to determine which known vulnerabilities the attackers may be exploiting.
Nevada is a growing Ransomware-as-a-Service with an affiliate network recruiting both Russian- and English-speaking operators. As of February 3, 2023, a wave of attacks (ESXiArgs) against VMware ESXi servers exposed to the Internet was being linked to Nevada, although that attribution was not confirmed. The later ESXiArgs variant encrypts more of each file, making recovery harder, and its ransom notes no longer include a trackable bitcoin wallet. Regardless of attribution, ensure ESXi servers are updated with VMware's patches for known vulnerabilities and are not exposed directly to the Internet.

Quasar RAT Stealthy DLL Side-Loading

Quasar RAT, an open-source remote access trojan, has been observed using DLL side-loading to operate discreetly and siphon data from compromised Windows hosts. The technique abuses the implicit trust Windows places in its own signed binaries: the attack chain drops copies of ctfmon.exe and calc.exe alongside malicious DLLs that those executables load by name, so the payload runs inside a legitimate-looking, Microsoft-signed process.
Quasar RAT, also known as CinaRAT or Yggdrasil, is a C#-based remote administration tool offering system information collection, enumeration of running applications, file access, keystroke logging, screenshot capture and execution of arbitrary shell commands.
The DLL side-loading adds a layer of stealth that helps the trojan evade security controls while it operates on the compromised system. A useful check is to alert on ctfmon.exe or calc.exe running from any location other than the Windows system directories, or loading DLLs from the same non-system directory as the executable.

Remcos RAT

A new variant of the IDAT loader, frequently used by cybercriminals to distribute malware, presents a formidable obstacle for both standard and advanced defences. This iteration uses steganography, hiding data inside apparently benign files, to deploy the Remcos Remote Access Trojan (RAT). Steganography makes the payload notably harder for conventional security controls to identify, because the carrier is a valid image that scans clean on its own.
Remcos RAT supports remote monitoring and data exfiltration, among other malicious activities. IDAT employs evasion techniques such as dynamic resolution of Windows API functions and obfuscation of API calls to avoid detection. On execution, the loader extracts the hidden payload from a PNG image file, decrypts it and executes it in memory, injecting additional modules into legitimate processes; the final stage decrypts and runs Remcos RAT, enabling covert data theft and surveillance.
Mitigations include endpoint controls capable of detecting in-memory injection (since nothing malicious is written to disk in a recognisable form), reducing exposure, and educating users about the risks of opening files from untrusted sources.

Security Advisory - VectorStealer Malware

VectorStealer is modular malware that emerged in 2020. Distributed via phishing emails and malicious websites, it steals .rdp files, enabling threat actors to hijack RDP sessions and propagate across connected systems. Its primary goal is to exfiltrate sensitive information, including login credentials and financial and personal data, over popular channels such as SMTP, Discord or Telegram.
VectorStealer uses anti-analysis techniques, including the KGB Crypter tool, which encrypts and rewrites the code on each build so that file hashes and static signatures do not survive from one sample to the next, making it difficult to detect and remove. It can also recover stored data from popular browsers such as Firefox, Chrome and Safari. By leveraging KGB Crypter, VectorStealer evades traditional signature-based security measures and infiltrates systems, posing a severe threat to targeted individuals and organisations.

Security Advisory - Snake Implant Malware

The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia's Federal Security Service (FSB) for long-term intelligence collection against sensitive targets. Globally, the FSB has used Snake to collect intelligence from high-priority targets such as government networks, research facilities and journalists.
In one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents and other diplomatic communications from a victim in a NATO country. Within the United States, the FSB has victimised industries including education, small businesses and media organisations, as well as critical infrastructure sectors including government facilities, financial services, critical manufacturing and communications.
