Cybersecurity Threats Affecting Businesses in September 2023
Cybersecurity threats are increasing rapidly. As a result, company leaders need to be more aware of potential deficiencies in their overall cybersecurity strategy. Threat hunt queries, offered as part of Marcum Technology’s SOC services, are key to identifying potential threats in an organization’s environment.
Below are the top four threats that emerged over the past month.
Without getting too deep into the technical details, suffice it to say that the embedded JS leads victims to a page or pop-up claiming some kind of computer issue and enticing them to call for assistance to resolve it. The calls are fielded by a third-party fraudulent call center, which attempts to obtain payment or steal funds through various means. This latest version of the WoofLocker toolkit is more robust overall: lures are more targeted, based on exfiltrated information about victim sessions, and the infrastructure is hosted by providers in countries like Bulgaria and Ukraine, which makes it much harder to take down. There is something of a saving grace in that most of the websites infiltrated and used to serve the malicious PNGs are adult websites or otherwise obscure destinations that would be blocked by most businesses, or at least appear somewhat unsavory at a glance.
With the identity of the threat actor(s) behind WoofLocker still unknown, these campaigns will almost certainly continue to flourish and grow in scope as time goes on. As always, the best defenses are user vigilance and keeping the threat intelligence in security tools up to date.
WikiLoader
A new malware called WikiLoader has been seen in recent campaigns, though it was first identified in December 2022 in use by TA544, an actor most commonly associated with Ursnif. WikiLoader is a sophisticated downloader whose job is to retrieve further malware payloads, using unique evasion techniques and custom code to make detection and analysis more difficult. It was likely designed so that, once access is gained, that access can be rented to other cybercriminals; this Initial Access Broker business model continues to prove popular.
The campaigns begin, as most do, with phishing emails carrying macro-enabled Excel, OneNote, or PDF attachments. The continued use of macro-enabled documents to initiate the attack stands out with this threat actor, as most others have begun pivoting away from them. If the user enables the macros, WikiLoader is downloaded and executed.
The first stage is highly obfuscated, down to an extremely granular level: most call instructions are replaced with push/jmp sequences that recreate the actions of a return without using an explicit return instruction, so common analysis tools have trouble parsing the actual logic. Indirect syscalls are used as well, to evade EDR systems.
Control flow is obfuscated down to the assembly level, using instruction-interpretation and movement tricks to hide which instructions are actually executed and in what order. The purpose of this stage is to execute instructions in a packed DLL.
The second through fourth stages execute shellcode. The second stage decrypts stage three, which is encrypted with a single-byte XOR key. Stage three is the main stage, containing most of the actual executable commands; these are decoded simply by reading the odd-numbered characters of long strings. The loader makes an HTTPS request to Wikipedia.com (hence the name) and checks that the response body contains the string “The Free” (from “The Free Encyclopedia”), presumably to confirm that the device is connected to the internet and to prevent detonation in sandbox environments. It then makes a request to an intentionally unregistered domain; if a valid response is received, as it would be from a sandbox that answers every request, the malware terminates.
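The Wikipedia check followed by a probe of an unregistered domain leaves a recognizable trace in resolver logs. The following is an added threat-hunting example, not code from the original post or from any vendor; the log format, the one-minute window and the sample entries are all assumptions constructed for the example.

```python
"""Hunting heuristic for the WikiLoader connectivity and sandbox checks.

Constructed example (not Marcum Technology's or any vendor's code). It scans
DNS resolver log lines and flags clients that resolve wikipedia.com and then,
within a short window, query a name that comes back NXDOMAIN, mirroring the
"reach Wikipedia, then probe an unregistered domain" sequence the loader
performs. The log format and the window length are assumptions.
"""
from datetime import datetime, timedelta

# Constructed resolver log: "<ISO timestamp> <client ip> <qname> <rcode>"
SAMPLE_LOG = """\
2023-08-14T09:00:01 10.0.0.5 login.microsoftonline.com NOERROR
2023-08-14T09:00:05 10.0.0.7 wikipedia.com NOERROR
2023-08-14T09:00:09 10.0.0.7 qzx-update-check.invalid NXDOMAIN
2023-08-14T09:02:00 10.0.0.9 wikipedia.com NOERROR
2023-08-14T09:03:00 10.0.0.5 en.wikipedia.org NOERROR
2023-08-14T09:08:30 10.0.0.9 typo-in-url.invalid NXDOMAIN
"""

WINDOW = timedelta(seconds=60)  # assumption: the probe follows within a minute

def parse_log(text):
    """Yield (timestamp, client, qname, rcode) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower(), rcode.upper()

def find_wikiloader_pattern(text, window=WINDOW):
    """Map client -> (wikipedia lookup time, NXDOMAIN qname) for clients whose
    wikipedia.com lookup is followed by an NXDOMAIN answer within `window`."""
    last_wiki = {}  # client -> time of its most recent wikipedia.com lookup
    hits = {}
    for ts, client, qname, rcode in sorted(parse_log(text)):
        if qname == "wikipedia.com":
            last_wiki[client] = ts
        elif rcode == "NXDOMAIN" and client in last_wiki:
            if timedelta(0) <= ts - last_wiki[client] <= window:
                hits.setdefault(client, (last_wiki[client], qname))
    return hits

if __name__ == "__main__":
    for client, (ts, qname) in find_wikiloader_pattern(SAMPLE_LOG).items():
        print(f"{client}: wikipedia.com at {ts:%H:%M:%S}, then NXDOMAIN for {qname}")
```

User typos also produce NXDOMAIN answers, so the short window is what keeps the noise down; widen it only when reviewing a host that is already suspect.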
Following this, more confounding activity is observed which downloads the next stage, hosted on Discord’s CDN (Discord is a gaming chat platform). The fourth stage retrieves a PE file, which in turn fetches the Ursnif malware that is dropped on the host. Given the strange paths used, the infrastructure is likely composed of compromised hosts that were either paid for or infiltrated during previous campaigns.
While Ursnif, a banking trojan with spyware and stealer capabilities, is the only payload observed so far, there is no reason the attackers can’t choose others.
Ultimately, as convoluted and sophisticated as the attack chain for this malware is, it begins with simple phishing, which is easily mitigated with proper awareness and training.
Freeze.rs and SYK Crypter
FortiGuard Labs recently uncovered a malware injector written in Rust, an emerging programming language. The injector traces back to the “Freeze.rs” Red Team tool, designed for crafting EDR-evading payloads.
This particular attack campaign commenced with a phishing email on July 13 that posed as an urgent order request and used a blurred image inside a malicious PDF to entice recipients into engaging and triggering the chain. This led to the execution, via an LNK file, of Freeze.rs and SYK Crypter, a tool prevalent in Discord chat-based malware distribution.
Next, the attacker used RC4 to decrypt and execute shellcode that launched XWorm, a RAT with conventional capabilities such as screen capture, keystroke logging, and takeover of compromised devices. It also launched Remcos, a tool originally designed for remote control but abused by hackers, which in turn enabled communication with a command and control (C2) server.
Malware persistence was achieved via registry and file manipulation that concealed its presence. The primary targets were in Europe and North America.
Midnight Blizzard Phishing via Microsoft Teams
Russian state-sponsored hackers, the perpetrators behind the SolarWinds breach, have resurfaced with a fresh approach. This time they are leveraging Microsoft Teams to launch targeted campaigns aimed at stealing Microsoft 365 passwords and gaining entry into Azure Active Directory environments and beyond. The group, known by several aliases including Midnight Blizzard, Nobelium, APT29, UNC2452, and Cozy Bear, has already targeted approximately 40 global organizations spanning the government, NGO, IT services, technology, manufacturing, and media sectors.
Microsoft detected this renewed activity and issued a warning in the first week of August. Its report indicates that, aside from these larger entities, the hackers are also targeting smaller businesses using compromised Microsoft 365 accounts. The cloud platform has increasingly become a focal point for nation-state cyber threats, as demonstrated by recent email breaches that impacted U.S. government agencies. The hackers pose as technical support to manipulate users into disclosing Microsoft 365 credentials and approving multifactor authentication prompts, giving them access to a treasure trove of data and applications, including Outlook, Teams, and cloud-based Microsoft Office tools.
The hackers employ tactics such as renaming compromised tenants, creating new subdomains, and adding fabricated users to make their messages more credible. They also attempt to bypass security measures by adding devices to the target organization, potentially undermining access restrictions. Microsoft researchers stress the group’s consistent and unchanging focus on cyber-espionage objectives, reflecting its persistent and targeted approach. Darren James, Senior Product Manager at Specops Software, underscores the need for organizations to adopt a comprehensive defense strategy. This should encompass robust passphrase security, phishing-resistant multifactor authentication, and well-structured training to mitigate the evolving threats posed by such attack vectors. With cloud services now ubiquitous across sectors, a multi-layered approach is imperative to safeguard against these intricate campaigns.
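Renamed tenants and freshly created subdomains that imitate technical support are something a SOC can triage from the sender domain on inbound external Teams chat requests. The following is an added example, not code from the original post, from Marcum Technology or from Microsoft; the lure-word list, the scoring, the numeric-suffix rule and the sample sender domains are all assumptions constructed for the example.

```python
"""Triage heuristic for external Microsoft Teams chat requests.

Constructed example (not Marcum Technology's or Microsoft's code). Given the
sender domain of an external Teams request, it flags the traits the article
describes: a default *.onmicrosoft.com tenant domain (what a renamed or newly
created tenant presents, rather than a verified custom domain) whose name
imitates Microsoft or a technical-support function. Keywords, scoring and
sample senders are assumptions.
"""
import re

DEFAULT_TENANT_SUFFIX = ".onmicrosoft.com"
# Assumption: words that make a tenant name read like a help desk or vendor
LURE_WORDS = ("microsoft", "msft", "support", "helpdesk", "security",
              "identity", "protection")

# Constructed sender domains seen on inbound external chat requests
SAMPLE_SENDERS = [
    "contoso.com",                              # partner, verified custom domain
    "msftprotection-support.onmicrosoft.com",   # imitates Microsoft support
    "acme-it-helpdesk-2023.onmicrosoft.com",    # help-desk lure, disposable suffix
    "littlebakery.onmicrosoft.com",             # small tenant, nothing suspicious
]

def tenant_label(domain):
    """Return the tenant part of a *.onmicrosoft.com domain, else None."""
    domain = domain.strip().lower()
    if domain.endswith(DEFAULT_TENANT_SUFFIX):
        return domain[: -len(DEFAULT_TENANT_SUFFIX)]
    return None

def score_external_sender(domain, allowlist=()):
    """Return (score, reasons); the score is the number of suspicious traits."""
    if domain.strip().lower() in {d.lower() for d in allowlist}:
        return 0, ["allowlisted partner tenant"]
    label = tenant_label(domain)
    if label is None:
        return 0, []  # custom domain: not this pattern (still verify the sender)
    reasons = ["default onmicrosoft.com tenant domain"]
    words = [w for w in LURE_WORDS if w in label]
    if words:
        reasons.append("lure words in tenant name: " + ", ".join(words))
    if re.search(r"[-_]\d{2,}$", label):
        reasons.append("disposable-looking numeric suffix")
    return len(reasons), reasons

def triage(senders, allowlist=()):
    """Return (sender, score, reasons) for senders scoring 2 or more, highest first."""
    scored = [(score_external_sender(s, allowlist), s) for s in senders]
    return [(s, sc, r) for (sc, r), s in sorted(scored, reverse=True) if sc >= 2]
```

A score only prioritizes review; the durable control is restricting external Teams access to allowlisted tenants and pairing it with phishing-resistant MFA, as the article recommends.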
If you’re facing challenges related to cybersecurity threats, breaches, and bad actors, or are interested in learning more about identifying potential threats to your organization, contact Marcum Technology today.