April 25, 2023

Cybersecurity Threats Affecting Businesses in April 2023


Cybersecurity threats are increasing rapidly. As a result, companies need to be more aware of potential deficiencies in their overall cybersecurity strategy. Threat hunt queries, offered as part of Marcum Technology’s SOC services, are key to identifying potential threats in an organization’s environment.

Below are the top five threats that emerged over the past month.

QR Code Scams

Recently, the FBI issued a warning to the public about the proliferation of QR (quick response) code fraud. A QR code is a type of barcode that a digital device can scan quickly; it encodes data as a pattern of pixels in a square grid. The pandemic led to a dramatic increase in the use of QR codes over the last two years, as businesses adopted them as a quick, contactless way to take payments and serve menus. Today, QR codes are used almost everywhere, including restaurants, TV advertisements, and public parking meters. In one reported case, an ABC News article described bogus QR codes discovered all around a city; consumers who scanned them were redirected to a fake website where they paid a fictitious vendor. Here are a few fraudulent QR code schemes to be aware of:

  • QR phishing scams: Cybercriminals send an email, flyer, or social media message containing a QR code that leads to a phishing page.
  • Online marketplace scams: Scammers approach you through an online marketplace, claim they want to buy goods you are selling, and ask you to scan a QR code.
  • QR malware: Criminals embed links to web pages that serve malware.
  • QR crypto (Bitcoin) scams: Cryptocurrency wallets use QR codes to encode payment addresses. Cybercriminals can tamper with these codes so that money is sent to the wrong address.

There are various measures one can take to avoid becoming a victim of these forms of QR code fraud:

  • After scanning a QR code, check the URL to ensure it leads to the intended site and looks authentic. A malicious domain name may be nearly identical to the expected one yet contain subtle errors or misspellings.
  • Use caution when entering login, personal, or financial information on a website reached via a QR code.
  • When scanning a physical QR code, make sure it has not been tampered with – for example, check that no sticker or other alteration has been placed over the original code.
  • Never use a QR code to download an app; use your phone’s app store instead.
  • Do not install a third-party QR code scanner app, which raises the likelihood of malware being installed on your device. The camera app on most phones includes a built-in QR scanner.
  • Avoid making payments from a website reached via a QR code. To pay, type the address of a known, trustworthy website yourself.

ChatGPT Stealer-Extension

A Chrome extension promising quick access to ChatGPT was found to be hijacking Facebook accounts and installing hidden account backdoors. The malicious stealer-extension, titled “Quick access to Chat GPT,” is promoted through Facebook sponsored posts and described as a quick way to use ChatGPT directly from the browser. Although the extension does provide that functionality, it also harvests all the information it can from the victim’s browser, stealing the session cookies of every service the user is logged into and employing tailored tactics to take over the victim’s Facebook account.

Once the extension is installed, it adds a small popup window behind its toolbar icon with a prompt to interact with ChatGPT. When the victim opens the window and submits a query, the query is sent to OpenAI’s servers while the harvesting stage is triggered in the background. The de-obfuscated source of the malicious extension was written in TypeScript and shipped with its source map (.map) files.

Once activated, the extension runs as an integral part of the victim’s browser and can send requests to other services as if the browser’s owner had initiated them. In most cases the browser already holds active, authenticated sessions with almost all of the user’s day-to-day services. As a result, the extension likely gains access to Meta’s Graph API for developers, allowing the threat actor to make API calls on the victim’s behalf.

Facebook’s security measures are designed to ensure that API requests originate from an authenticated user and from the expected origin. However, Chrome’s declarativeNetRequest API gives the extension a simple way to circumvent that protection. A piece of code invoked when the extension starts registers rules so that every request to facebook.com, from any source in the browser, has its headers rewritten to report “facebook.com” as the origin. This lets the extension freely browse any Facebook page (and make API calls and actions) through the infected browser without leaving a trace.
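The two capabilities described above, header rewriting through declarativeNetRequest and access to session cookies across all sites, are both declared statically in an extension package, so a defender can audit them before an extension is allowed in the fleet. The script below is an added example, not code from the article or from the malicious extension; the manifest.json and rules.json it inspects are constructed samples in the Manifest V3 layout that mimic the behaviour the article describes (an Origin/Referer rewrite on facebook.com requests plus the cookies permission with all-site host access). Function and finding names are the example’s own.

```python
"""Audit a Chrome extension package for (a) declarativeNetRequest rules that
rewrite sensitive request headers such as Origin/Referer and (b) the cookies
permission combined with broad host permissions.  The manifest and ruleset
below are CONSTRUCTED samples, not the real extension's files."""
import json

# Constructed sample manifest.json (Manifest V3).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Quick access to Chat GPT",
    "permissions": ["declarativeNetRequest", "cookies", "storage"],
    "host_permissions": ["<all_urls>"],
    "declarative_net_request": {
        "rule_resources": [{"id": "ruleset_1", "enabled": True, "path": "rules.json"}]
    },
})

# Constructed sample rules.json: rule 1 rewrites Origin/Referer on facebook.com
# requests; rule 2 is an ordinary ad-blocking rule that should not be flagged.
SAMPLE_RULES = json.dumps([
    {
        "id": 1, "priority": 1,
        "action": {"type": "modifyHeaders",
                   "requestHeaders": [
                       {"header": "origin", "operation": "set", "value": "https://www.facebook.com"},
                       {"header": "referer", "operation": "set", "value": "https://www.facebook.com/"}]},
        "condition": {"urlFilter": "facebook.com", "resourceTypes": ["xmlhttprequest"]},
    },
    {
        "id": 2, "priority": 1,
        "action": {"type": "block"},
        "condition": {"urlFilter": "ads.example", "resourceTypes": ["script"]},
    },
])

SENSITIVE_HEADERS = {"origin", "referer", "cookie", "authorization"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def header_rewrite_rules(rules_json):
    """Return the modifyHeaders rules that set or append a sensitive request header."""
    hits = []
    for rule in json.loads(rules_json):
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("requestHeaders", []):
            name = hdr.get("header", "").lower()
            if name in SENSITIVE_HEADERS and hdr.get("operation") in ("set", "append"):
                hits.append({
                    "rule_id": rule["id"],
                    "header": name,
                    "value": hdr.get("value"),
                    "url_filter": rule.get("condition", {}).get("urlFilter"),
                })
    return hits


def audit_extension(manifest_json, rulesets):
    """rulesets maps a ruleset path (as named in the manifest) to its JSON text.
    Returns a list of human-readable findings; an empty list means nothing flagged."""
    manifest = json.loads(manifest_json)
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    if "cookies" in perms and hosts & BROAD_HOSTS:
        findings.append("cookies permission with broad host access: can read session cookies for every site")
    if "declarativeNetRequest" in perms:
        for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
            if not res.get("enabled", False):
                continue  # disabled rulesets can still be enabled at runtime, but start with active ones
            for hit in header_rewrite_rules(rulesets.get(res["path"], "[]")):
                findings.append(
                    f"rule {hit['rule_id']} sets {hit['header']} to {hit['value']} for {hit['url_filter']}")
    return findings


if __name__ == "__main__":
    for line in audit_extension(SAMPLE_MANIFEST, {"rules.json": SAMPLE_RULES}):
        print("FLAG:", line)
```

Run against an unpacked extension directory, the same two functions apply unchanged to the real manifest.json and the ruleset files it names; a legitimate ad blocker trips neither check, while the combination of an Origin rewrite scoped to one social network and all-site cookie access is exactly the profile worth blocking by policy.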

Iron Tiger’s SysUpdate

Iron Tiger, or APT27, is an advanced persistent threat group that has been active for over a decade and focused mainly on cyberespionage. They are presumed to be affiliated with the Chinese government and have created a new Linux version of their SysUpdate custom remote access malware. The updated version was first seen in July 2022 and began to circulate with multiple payloads in October 2022.

This new malware is similar to the 2021 Windows SysUpdate and is written in C++. Instead of RTTI classes, the code now uses the Asio library. The group also made the loading logic more complex, probably to evade security solutions. Together, these changes have hampered reverse engineering efforts.

The latest campaign has been seen deploying both Windows and Linux versions of SysUpdate. Analysts theorize that chat apps were used as a lure to get unsuspecting users to download the payloads. SysUpdate is a remote access tool that gives the APT a toolkit for taking screenshots, retrieving drive information, opening and manipulating file, service and process managers, and executing commands. The Linux version also includes DNS tunneling: it first tries to retrieve the system’s default DNS server IP and, if that fails, falls back to Google’s DNS server at 8.8.8.8. This may help it bypass firewalls or network security tools that block traffic not explicitly allowed. The malware then sends the information it has gathered about the infected host back to a C2 server, encrypted with DES.
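The DNS behaviour described above leaves two observable traces on the network: a host talking to 8.8.8.8 instead of the organisation’s own resolver, and query names whose labels carry encoded data rather than readable hostnames. The detector below is an added example, not code from the article or from any vendor’s analysis of SysUpdate; it runs over constructed log lines in a simplified `ts src= dst= qname=` format, assumes the internal resolver address 10.0.0.53, and uses a label-length plus Shannon-entropy heuristic for the tunnel check. Thresholds are the example’s own starting values, to be tuned against real traffic.

```python
"""Flag hosts that bypass the internal resolver (e.g. talk straight to 8.8.8.8)
and DNS query names whose labels look like encoded tunnel payloads.
The log lines below are CONSTRUCTED samples in a simplified format."""
import math
import re

INTERNAL_RESOLVERS = {"10.0.0.53"}   # assumption: the organisation's own DNS servers
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) qname=(?P<qname>\S+)$")

SAMPLE_LOG = """\
2023-04-03T10:01:05Z src=10.0.1.24 dst=10.0.0.53 qname=www.example.com
2023-04-03T10:01:07Z src=10.0.1.24 dst=10.0.0.53 qname=mail.example.com
2023-04-03T10:02:11Z src=10.0.1.77 dst=8.8.8.8 qname=4a6f686e2d446f65.x7.tunnel-example.net
2023-04-03T10:02:12Z src=10.0.1.77 dst=8.8.8.8 qname=kq9zq1m8vx2lp0wd3cy7ta5rnh6bjf1g.x7.tunnel-example.net
2023-04-03T10:03:40Z src=10.0.1.90 dst=10.0.0.53 qname=cdn.example.org
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high (max 4.7 for base32)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def suspicious_label(qname, min_len=20, min_entropy=3.5):
    """True if any DNS label is both long and high-entropy, typical of encoded data
    being smuggled in subdomains.  Short hex chunks alone do not trip this check."""
    for label in qname.rstrip(".").split("."):
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            return True
    return False


def analyse(log_text):
    """Return {source_host: [reasons]} for every host that tripped at least one rule."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        src, dst, qname = m["src"], m["dst"], m["qname"]
        reasons = findings.setdefault(src, set())
        if dst not in INTERNAL_RESOLVERS:
            # Direct queries to an outside resolver bypass internal logging and filtering.
            reasons.add(f"external-resolver:{dst}")
        if suspicious_label(qname):
            reasons.add("tunnel-like-label")
    return {host: sorted(r) for host, r in findings.items() if r}


if __name__ == "__main__":
    for host, reasons in analyse(SAMPLE_LOG).items():
        print(host, ", ".join(reasons))
```

The resolver-bypass rule is the cheaper and more reliable of the two; most environments can simply block outbound UDP/TCP 53 from workstations to anything but the internal resolvers, which removes the fallback path the malware relies on. The entropy heuristic catches the tunnel even when the query does reach the internal resolver, at the cost of tuning against legitimate long labels such as CDN or telemetry hostnames.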

Protecting against this new threat starts with properly trained staff who know how to spot deceptive phishing attempts carrying a suspicious link or attachment. Personnel should avoid interacting with such messages until they have been carefully vetted or submitted to the security team.

MortalKombat and Laplas Clipper Malware

Since December, an unidentified actor has been deploying two fairly new threats: the new MortalKombat ransomware, and a Go variant of the Laplas Clipper malware that steals cryptocurrency. The attack begins, as so many do today, with a phishing email. The attached .ZIP contains a BAT loader script, which downloads another malicious .ZIP from the attacker’s hosting server. That archive is then extracted and executed automatically, the payload being either the Go Laplas Clipper or MortalKombat. The script runs the dropped payload as a process on the victim’s machine, then deletes the downloaded files to cover its tracks.

A sample phishing email about a failed cryptocurrency payment was observed, with the sender address “noreply[at]coinpayments[.]net.” The use of a noreply address is an effective tactic that lends the email legitimacy in the eyes of most users. The subject line references a payment timeout, and the attached ZIP carries a filename resembling a transaction ID. MortalKombat is new, first seen only in January, and little is known about who made it or how they operate. Encrypted files include system, application, database, backup, and VM files, including remote locations mapped as logical drives on the machine. A ransom note is dropped and the wallpaper is changed (referencing the titular media franchise). No wiper behavior or volume shadow copy deletion has been noted. Still, by corrupting Explorer, removing applications and folders from startup, and disabling the Run command, the ransomware renders the affected machine unusable.
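The delivery chain above (a payment-themed email, a ZIP named like a transaction ID, and a BAT loader inside it) is easy to block at the mail gateway before any loader runs, because a legitimate payment receipt is never a script in an archive. The check below is an added example, not code from the article or from any named vendor; the email and its ZIP attachment are constructed in memory with an inert placeholder script, and the attachment name is a made-up value chosen only to match the “looks like a transaction ID” pattern the article describes.

```python
"""Mail-gateway attachment check for the ZIP-wrapped BAT loader chain:
open each ZIP attachment in memory, flag script payloads and nested archives,
and note attachment names that look like transaction identifiers.
The message and archive below are CONSTRUCTED samples."""
import io
import os
import re
import zipfile

# Extensions that should never arrive inside an archive attached to a payment notice.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".ps1", ".lnk", ".exe", ".scr"}
# A bare run of 12+ alphanumerics followed by .zip, i.e. "resembling a transaction ID".
TRANSACTION_ID_RE = re.compile(r"^[0-9A-Za-z]{12,}\.zip$", re.I)


def build_sample_attachment():
    """Constructed ZIP holding an inert batch file, standing in for the real loader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("TX1234567890ABCD.bat", "@echo off\r\nREM constructed placeholder, does nothing\r\n")
    return buf.getvalue()


SAMPLE_MESSAGE = {  # constructed; mirrors the lure described in the article
    "subject": "Payment timeout - transaction failed",
    "attachments": [{"name": "TX1234567890ABCD.zip", "data": build_sample_attachment()}],
}
BENIGN_MESSAGE = {  # constructed control case
    "subject": "Invoice",
    "attachments": [{"name": "invoice.pdf", "data": b"%PDF-1.4 placeholder"}],
}


def scan_zip_attachment(filename, data):
    """Return findings for one ZIP attachment without writing anything to disk."""
    findings = []
    if TRANSACTION_ID_RE.match(filename):
        findings.append("attachment name looks like a transaction id")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                ext = os.path.splitext(info.filename)[1].lower()
                if ext in SCRIPT_EXTENSIONS:
                    findings.append(f"script payload in archive: {info.filename}")
                elif ext == ".zip":
                    findings.append(f"nested archive: {info.filename}")
    except zipfile.BadZipFile:
        findings.append("attachment is not a valid zip")
    return findings


def verdict(message):
    """Return ('quarantine' | 'deliver', findings) for a message dict with subject/attachments."""
    findings = []
    for att in message["attachments"]:
        if att["name"].lower().endswith(".zip"):
            for f in scan_zip_attachment(att["name"], att["data"]):
                findings.append(f"{att['name']}: {f}")
    block = any("script payload" in f or "nested archive" in f for f in findings)
    return ("quarantine" if block else "deliver"), findings


if __name__ == "__main__":
    for msg in (SAMPLE_MESSAGE, BENIGN_MESSAGE):
        action, why = verdict(msg)
        print(msg["subject"], "->", action, why)
```

The transaction-ID name match is reported but does not by itself quarantine, since legitimate archives can have opaque names; the script or nested-archive member is the decisive signal. The same scan belongs equally in the endpoint pipeline for archives fetched by a BAT stage, since the second ZIP in the chain has the same shape.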

qTOX, an instant messaging application available on GitHub, is used for communication with the victim, and an alternate email address is offered as well. At least one server used in the campaign is located in Poland and runs an RDP crawler that scans internet-facing machines for an exposed port 3389.

If you’re facing challenges related to cybersecurity threats, breaches, and bad actors, or are interested in learning more about identifying potential threats to your organization, contact Marcum Technology today.