Date: 5/09/2022

Password-Protected Excel Spreadsheet Pushes Remcos RAT

Overview

An investigation of an email with a password-protected Excel file attached to it revealed Remcos RAT 3.x activity remarkably similar to an infection chain reported by Fortinet last month. This diary reviews a Remcos RAT infection in Brad Duncan’s lab on Wednesday 2022-05-04.

Potential Impact

Remcos RAT (Remote Access Trojan) was designed as a professional tool to remotely control computers. Remcos RAT is recognized as a malware family because it has been abused by hackers to secretly control victims’ devices since its first version was published on July 21, 2016. Remcos RAT is commercial software that is sold online.

Affected platforms: Microsoft Windows

Impacted parties: Microsoft Windows Users

Impact: Controls victim’s device and collects sensitive information

Severity level: Critical

Recommended Actions

Consult with your equipment or support vendor regarding your tools for Web Filtering, Antivirus, Email Security, Remote Access or VPN clients, and Endpoint Detection and Response. These tools should note the following: 

  • All relevant URLs have been rated as “Malicious Websites” by your Web Filtering service (the full indicator list is in the ISC diary cited under Sources).
  • The captured Excel sample and the downloaded Remcos payload files are detected as “VBA/Remcos.REM!tr” and “W32/Rescoms.M!tr” and are blocked by your Antivirus service (note, your Antivirus may be found within your EDR tool).
  • Behavior detection (UEBA) may detect both the Excel file and the Remcos payload file as malicious based on their behavior.
  • Ask your IPS provider for the signature “Remcos.Botnet” to detect and block Remcos’ C&C traffic.
  • Enable stripping of linked objects in Microsoft Office documents where your tooling supports it.

Lastly, we suggest that organizations also have their end users go through Information Security Awareness Training designed to help end users learn how to identify and protect themselves from various types of phishing attacks.

Sources
https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing
https://isc.sans.edu/diary/rss/28616
Author:  Brad Duncan

Critical CVEs Put Aruba Networks, Avaya Enterprise Switches at Risk

Overview

Researchers from Armis discovered critical vulnerabilities across enterprise-grade routers and switches from HPE unit Aruba Networks and Extreme Networks’ Avaya unit that could impact millions of devices.

Potential Impact

Called TLStorm 2.0, these vulnerabilities, if exploited, are considered so serious they could allow a threat actor to gain remote code execution over potentially millions of devices, according to a blog post from Armis published Tuesday.

The disclosures stem from the March discovery of similar vulnerabilities, called TLStorm, in APC Smart-UPS devices. Those critical vulnerabilities allow an attacker to take control of Smart-UPS devices and literally cause them to overload and go up in smoke.

The root cause of the vulnerability is the misuse of NanoSSL, a popular TLS library from Mocana, according to Armis researchers. Aruba and Avaya have switches vulnerable to remote code execution, which could allow an attacker to gain a dangerous level of access to affected devices. 

An attacker could move laterally to other devices by changing the switch behavior as well as exfiltrate data from the internal network.

General Recommended Actions

Researchers collaborated with both companies and there is no evidence of any current attacks in the wild actually taking place.

HPE is aware of the vulnerability and is working on a firmware update to address it, according to a spokesperson. The vulnerability impacts a limited number of switch models and firmware versions, and the company is not aware of any exploitation involving Aruba customers. “In the interim, we are advising customers using affected products to implement firewall controls to protect themselves,” according to HPE.

Extreme Networks has shared the following information for customers to implement firmware upgrades:  https://extremeportal.force.com/ExtrArticleDetail?an=000104247

Sources
Cybersecurity Div
Extreme Networks
Armis Research

Google: Nation-State Phishing Campaigns Expanding to Target Eastern Europe Orgs

Overview

Cyber actors from Russia, Belarus and China are using a variety of email-based attack methods to steal credentials and gain access to organizations in Ukraine, Lithuania, Central Asia, countries in the Baltics and even Russia itself. 

“APT28 or Fancy Bear, a threat actor attributed to Russia GRU, was observed targeting users in Ukraine with a new variant of malware,” TAG’s Billy Leonard wrote. 

“The malware, distributed via email attachments inside of password protected zip files (ua_report.zip), is a .Net executable that when executed steals cookies and saved passwords from Chrome, Edge, and Firefox browsers. The data is then exfiltrated via email to a compromised email account.”

Potential Impact

Other Russian groups – including the FSB’s Turla and another Russian-based threat actor named COLDRIVER – were implicated in several attacks targeting defense and cybersecurity organizations in the Baltics as well as government and defense officials, politicians, NGOs and think tanks, and journalists.

COLDRIVER was previously accused by Google of targeting several U.S.-based NGOs, think tanks, the military of a Balkans country and a Ukrainian defense contractor with credential phishing campaigns. It also went after the military of multiple Eastern European countries and a NATO Centre of Excellence, which trains and educates military leaders and specialists.

Turla used unique links in emails that took victims to DOCX files hosted on attacker-controlled infrastructure while COLDRIVER used Gmail accounts to send credential phishing emails.

General Recommended Actions

Google encourages anyone to enable Google Account Level Enhanced Safe Browsing and ensure that all devices are updated. Google will continue to take action, identify bad actors and share relevant information with others across industry and governments, with the goal of bringing awareness to these issues, protecting users and preventing future attacks. While Google is actively monitoring activity related to Ukraine and Russia, it continues to be just as vigilant in relation to other threat actors globally, to ensure that they do not take advantage of everyone’s focus on this region.

Sources
The Record by Recorded Future
Google Threat Analysis Group (TAG)

Researchers Warn About New ‘Fileless’ Malware

Overview

Last Wednesday, May 4th 2022, Kaspersky researcher Denis Legezo published a security blog detailing a new malware anti-detection technique being employed in the wild: hiding late-stage Trojan activity inside Windows Event Logs. Not only is this an effective way for malware to remain “fileless”, it is also a highly successful approach to hiding from modern-day detection tools. Along with this, the late-stage dropper modules have been observed patching native Windows API functions to make the infection process even stealthier. Primarily, these trojans have been observed downloading a digitally signed Cobalt Strike module; the digital signature is a “Fast Invest” certificate. The SilentBreak toolset has also been observed using these trojans.

Additional anti-detection techniques are used alongside the novel Windows Event Log approach; these include the use of multiple compilers (MSVC, GCC, and Go), whitelisted launches, digital certificates, and API-related activities.

Potential Impact

Increasingly complex anti-detection techniques are being developed at an ever-increasing rate, and as malware becomes more sophisticated the potential impact grows rapidly. Malware such as this Trojan poses a real risk of successful late-stage attacks by adversaries, and organizations must be aware of its presence.

Recommended Actions

Organizations should continue to pursue security best practices to secure their infrastructure. Up-to-date security controls such as endpoint detection and response (EDR) are paramount for detecting potentially malicious code, and security-minded approaches such as defense-in-depth remain essential for layering protection methods.

Specifically for this Trojan, organizations can add EDR rules to scan for ThrowbackDLL.dll and drxDLL.dll (possibly the original Trojan names), as well as monolithDLL.dll and SlingshotDLL.dll (possible names for the named-pipes-based Trojans).
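The following hunt script is an added example, not code from the briefing or from Kaspersky: it checks for the four DLL names above in loaded modules and on disk, and flags event log records that carry a large binary payload. The drop locations, the 8 KB threshold, and the assumption that a stashed payload surfaces as an oversized binary EventData property are assumptions made here, not findings from the page.

```powershell
# Added hunt script; DLL names are from the briefing, everything else is assumed.
$SuspectDlls   = @('ThrowbackDLL.dll', 'drxDLL.dll', 'monolithDLL.dll', 'SlingshotDLL.dll')
$BlobThreshold = 8KB   # assumed size threshold for a stashed payload chunk (8192 bytes)

function Find-SuspectModules {
    # Report any running process that has one of the listed DLLs loaded.
    Get-Process | ForEach-Object {
        $proc = $_
        Get-Process -Id $proc.Id -Module -ErrorAction SilentlyContinue |
            Where-Object { $SuspectDlls -contains $_.ModuleName } |
            ForEach-Object {
                [pscustomobject]@{ Process = $proc.ProcessName; PID = $proc.Id;
                                   Module = $_.ModuleName;     Path = $_.FileName }
            }
    }
}

function Find-SuspectFiles {
    # On-disk check of common drop locations (assumed list, not from the briefing).
    $roots = @($env:SystemRoot, $env:ProgramData, $env:TEMP, "$env:USERPROFILE\AppData")
    Get-ChildItem -Path $roots -Recurse -File -Include $SuspectDlls -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Find-OversizedEventBlobs {
    # Scan the newest records of every non-empty log for a binary EventData property of
    # at least $BlobThreshold bytes; legitimate events rarely carry blobs that large.
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        ForEach-Object {
            $log = $_.LogName
            Get-WinEvent -LogName $log -MaxEvents 5000 -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $rec = $_
                    foreach ($p in $rec.Properties) {
                        if ($p.Value -is [byte[]] -and $p.Value.Length -ge $BlobThreshold) {
                            [pscustomobject]@{ Log = $log; RecordId = $rec.RecordId; EventId = $rec.Id;
                                               Provider = $rec.ProviderName; Bytes = $p.Value.Length;
                                               Time = $rec.TimeCreated }
                        }
                    }
                }
        }
}

Find-SuspectModules      | Format-Table -AutoSize
Find-SuspectFiles        | Format-Table -AutoSize
Find-OversizedEventBlobs | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that protected processes and all event logs are readable; every hit is a lead for manual review, not a verdict.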

Sources
https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html?m=1
https://threatpost.com/attackers-use-event-logs-to-hide-fileless-malware/179484/
https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/
https://www.securityweek.com/kaspersky-warns-fileless-malware-hidden-windows-event-logs

Attackers Attempting to Exploit Critical F5 BIG-IP Vulnerability

Overview

Malicious actors are attempting to exploit a critical remote code execution vulnerability tracked as CVE-2022-1388 affecting F5 BIG-IP networking devices and modules. This vulnerability is trivial to exploit. 

Potential Impact

Successful exploitation could lead to unauthenticated remote code execution, allowing malicious actors to take over BIG-IP devices and execute system commands, create and delete files, or disable services.

Recommended Actions

F5 has released a fix for CVE-2022-1388, and administrators are urged to update BIG-IP installations as soon as possible. Until then, administrators can implement the following mitigations to protect vulnerable devices:

  • Blocking iControl REST access through the self IP address
  • Blocking iControl REST access through the management interface
  • Modifying the BIG-IP httpd configuration

Sources
https://www.helpnetsecurity.com/2022/05/09/cve-2022-1388-poc-exploitation/
https://portswigger.net/daily-swig/big-ip-proof-of-concept-released-for-rce-vulnerability-in-f5-network-management-tool

‘AvosLocker’ Ransomware Observed Exploiting Years-Old Vulnerabilities 

Overview

Two vulnerabilities, CVE-2022-26522 and CVE-2022-26523, affect the anti-rootkit kernel driver aswArPot.sys used by Avast and AVG antivirus software. The driver was released in 2016; the vulnerabilities were disclosed in December of last year and patched two months later. Yet a new AvosLocker ransomware variant has recently been observed exploiting this flaw.

Potential Impact

The attackers use the flaw to disable the antivirus software and evade detection, which then lets them manipulate the operating system. Privilege escalation through the vulnerable driver lets code running as a non-administrative user execute in the kernel, and can also trigger a blue screen of death. In addition, these vulnerabilities can be leveraged as part of a browser attack or sandbox escape.

Recommended Actions

As always, it is important to keep your software up to date and to remain informed on the latest trends in cybersecurity, particularly the information that involves the software your company utilizes. 

Sources
Researchers Disclose Years-Old Vulnerabilities in Avast and AVG Antivirus (thehackernews.com)
AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection (thehackernews.com)

For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

For non-strategic clients, please reach out to your Advisor for further discussion.
