Kategorie

A threat actor called Redfly has been linked to a compromise of a national grid located in an unnamed Asian country for as long as six months earlier this year using a known malware referred to as ShadowPad. "The attackers managed to steal credentials and compromise multiple computers on the organization's network," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with

A threat actor called Redfly has been linked to a compromise of a national grid located in an unnamed Asian country for as long as six months earlier this year using a known malware referred to as ShadowPad. "The attackers managed to steal credentials and compromise multiple computers on the organization's network," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comCritical Infrastructure Security37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

A sophisticated phishing campaign is using a Microsoft Word document lure to distribute a trifecta of threats, namely Agent Tesla, OriginBotnet, and RedLine Clipper, to gather a wide range of information from compromised Windows machines. "A phishing email delivers the Word document as an attachment, presenting a deliberately blurred image and a counterfeit reCAPTCHA to lure the recipient into

A sophisticated phishing campaign is using a Microsoft Word document lure to distribute a trifecta of threats, namely Agent Tesla, OriginBotnet, and RedLine Clipper, to gather a wide range of information from compromised Windows machines. "A phishing email delivers the Word document as an attachment, presenting a deliberately blurred image and a counterfeit reCAPTCHA to lure the recipient into THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comEndpoint Security / Malware37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

UPDATE 13.09.2023. Free Download Manager team issued an official statement regarding this incident.

Over the last few years, Linux machines have become a more and more prominent target for all sorts of threat actors. According to our telemetry, 260,000 unique Linux samples appeared in the first half of 2023. As we will demonstrate in this article, campaigns targeting Linux can operate for years without being noticed by the cybersecurity community.

We discovered one such long-lasting attack when we decided to investigate a set of suspicious domains, among them:

• 2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg[.]org
• c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg[.]org
• 0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg[.]org
• c3a05f0dac05669765800471abc1fdaba15e3360.u.fdmpkg[.]org

To a security researcher’s eye, these domains look alarming, as they can be a sight of malware using domain-generation algorithms for C2 communications. We thus decided to take a close look at the fdmpkg[.]org domain.

A malicious Debian repository

We identified that the domain in question has a deb.fdmpkg[.]org subdomain. Going there in the browser shows the following web page:

As suggested by the page, this subdomain claims to host a Debian repository of a piece of software called ‘Free Download Manager’. We further discovered a Debian package of this software available for download from the https://deb.fdmpkg[.]org/freedownloadmanager.deb URL. This package turned out to contain an infected postinst script that is executed upon installation. This script drops two ELF files to the paths /var/tmp/crond and /var/tmp/bs. It then establishes persistence by creating a cron task (stored in the file /etc/cron.d/collect) that launches the /var/tmp/crond file every 10 minutes.

The version of Free Download Manager installed by the infected package was released on January 24, 2020. Meanwhile, the postinst script contains comments in Russian and Ukrainian, including information about improvements made to the malware, as well as activist statements. They mention the dates 20200126 (January 26, 2020) and 20200127 (January 27, 2020).

A DNS-based backdoor

Once the malicious package is installed, the executable /var/tmp/crond gets launched on every startup through cron. This executable is a backdoor, and it does not import any functions from external libraries. To access the Linux API, it invokes syscalls with the help of the statically linked dietlibc library.

Upon startup, this backdoor makes a type A DNS request for the <hex-encoded 20-byte string>.u.fdmpkg[.]org domain. In response to this request, the backdoor receives two IP addresses that encode the address and port of a secondary C2 server. The following addresses were returned at the time of our research:

• 172.111.48[.]101
• 127.1.0[.]80

The first IP address in the list above is the address of the secondary C2 server, while the second address contains the connection port (encoded in the third and fourth octets) and the connection type (encoded in the second octet).

After parsing the response of the DNS request, the backdoor launches a reverse shell, using the secondary C2 server for communications. The communication protocol is, depending on the connection type, either SSL or TCP. In the case of SSL, the crond backdoor launches the /var/tmp/bs executable and delegates all further communications to it. Otherwise, the reverse shell is created by the crond backdoor itself.

A Bash stealer

Having found out that the crond backdoor creates a reverse shell, we decided to check how this shell is used by attackers. To do that, we installed the infected Free Download Manager package in a malware analysis sandbox. Having analyzed the traffic generated by crond, we determined that the attackers deployed a Bash stealer to the sandbox. This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure).

After collecting information from the infected machine, the stealer downloads an uploader binary from the C2 server, saving it to /var/tmp/atd. It then uses this binary to upload stealer execution results to the attackers’ infrastructure.

We did not observe any other activity performed via the reverse shell, and thus the whole infection chain can be described with the graph below:

Mystery of the infection vector

After analyzing all components in the chain, we wanted to find out how the infected Debian package was distributed to victims. We checked the official website of Free Download Manager (freedownloadmanager[.]org). Packages available for download from this website turned out to be hosted on the files2.freedownloadmanager[.]org domain, and they were not backdoored.

We then decided to conduct an open-source check on the fdmpkg[.]org domain. This check revealed a dozen posts on websites such as StackOverflow and Reddit, where users have been discussing problems caused by the infected Free Download Manager distribution, not realizing they actually became victims of malware. These posts were made over the course of three years – from 2020 to 2022.

In one such post on Unix Stack Exchange, the author complains about the message ‘Waiting for process: crond’ that prevents the computer from shutting down:

The responses to this post, which came from users dealing with the same problem, suggest that this issue is caused by the Free Download Manager software. They advise to remove the files /etc/cron.d/collect, /var/tmp/crond and /var/tmp/bs. However, none mention that these three files are malicious.

In another post created in 2020, a Reddit user asked whether it is OK to install Free Download Manager without running the postinst script, which, unbeknownst to the user, contained malware.

Moreover, the post author pasted the contents of the script, and another Reddit user pointed out in the comments that it may be malicious. However, these users did not identify the website distributing the infected package or find out what this script does.

We additionally found a post on Reddit mentioning that the official website of this software was distributing malware in 2015. However, the malware described in this post turned out to be unrelated to the campaign that we discovered.

All these posts on social networks made us think that the malicious Debian package could have been distributed via a supply chain attack, through the freedownloadmanager[.]org website. So, we decided to look for further facts that could prove or disprove this claim.

An unexpected redirection

While checking videos on Free Download Manager that are hosted on YouTube, we identified several tutorials demonstrating how to install this software on Linux machines. We observed the following actions that happen in all these videos:

• The video makers opened the legitimate website of Free Download Manager (freedownloadmanager[.]org) in the browser;
• They afterwards clicked on the Download button for the Linux version of the software;
• They were redirected to the malicious https://deb.fdmpkg[.]org/freedownloadmanager.deb URL that hosts the infected version of Free Download Manager.

We also noted that the redirection to the malicious deb.fdmpkg[.]org domain was not occuring in all cases. In another video posted within the same timeframe, , a user clicked on the ‘Download’ button hosted on the software website and ended up downloading Free Download Manager from the legitimate website.

Thus, it is possible that the malware developers scripted the malicious redirection to appear with some degree of probability or based on digital fingerprint of the potential victim.

We further inspected the legitimate Free Download Manager website, wanting to find out if the software developers were aware their website was potentially compromised. In one of the comments made on the software’s blog in 2021, a user complains about observing access to the 5d6167ef729c91662badef0950f795bf362cbb99.u.fdmpkg[.]org domain. A reply to this comment from the user ‘blogadmin’ says that Free Download Manager is not related to this domain and advises to make use only of official versions of the software:

However, nobody bothered to discover how this user ended up installing this suspicious version of Free Download Manager. As such, the official website of this software continued distributing the malicious Debian package until at least 2022.

Origins of the backdoor

Having established how the infected Free Download Manager package was distributed, we decided to check whether the implants discovered over the course of our research have code overlaps with other malware samples. It turned out that the crond backdoor represents a modified version of a backdoor called Bew. Kaspersky security solutions for Linux have been detecting its variants since 2013.

Code of the 2013 version of Bew (left, MD5: 96d8d47a579717223786498113fbb913) and the crond backdoor (right, MD5: 6ced2df96e1ef6b35f25ea0f208e5440)

The Bew backdoor has been analyzed multiple times, and one of its first descriptions was published in 2014. Additionally, in 2017, CERN posted information about the BusyWinman campaign that involved usage of Bew. According to CERN, Bew infections were carried out through drive-by downloads.

As for the stealer, its early version was described by Yoroi in 2019. It was used after exploitation of a vulnerability in the Exim mail server.

The Bash stealer described in 2019 (left, MD5: 8C7EFB0493B6FB805B2C2F0593DE0AB1) and the stealer used in the FDM campaign in 2022 (right, MD5: AD7F99D44931489B2C38DF7A5A166C4D)

Why wasn’t the malicious package discovered earlier?

The malware observed in this campaign has been known since 2013. In addition, the implants turned out to be quite noisy, as demonstrated by multiple posts on social networks. According to our telemetry, victims of this campaign are located all over the world, including Brazil, China, Saudi Arabia and Russia. Given these facts, it may seem paradoxical that the malicious Free Download Manager package remained undetected for more than three years.

We assess that this is due to the following factors:

• As opposed to Windows, Linux malware is much more rarely observed;
• Infections with the malicious Debian package occurred with a degree of probability: some users received the infected package, while others ended up downloading the benign one;
• Social network users discussing Free Download Manager issues did not suspect that they were caused by malware.

While the campaign is currently inactive, this case of Free Download Manager demonstrates that it can be quite difficult to detect ongoing cyberattacks on Linux machines with the naked eye. Thus, it is essential that Linux machines, both desktop and server, are equipped with reliable and efficient security solutions.

We additionally contacted the developers of Free Download Manager and notified them about this campaign. At the time of publishing this article, we had not received a response from them.

Indicators of Compromise

File checksums
b77f63f14d0b2bde3f4f62f4323aad87194da11d71c117a487e18ff3f2cd468d (Malicious Debian Package)
2214c7a0256f07ce7b7aab8f61ef9cbaff10a456c8b9f2a97d8f713abd660349 (crond backdoor)
93358bfb6ee0caced889e94cd82f6f417965087203ca9a5fce8dc7f6e1b8a3ea (bs backdoor)
d73be6e13732d365412d71791e5eb1096c7bb13d6f7fd533d8c04392ca0b69b5 (atd uploader)

File paths
/etc/cron.d/collect
/var/tmp/crond
/var/tmp/bs
/var/tmp/atd

Network indicators
fdmpkg[.]org
172.111.48[.]101

A new information stealer malware called MetaStealer has set its sights on Apple macOS, making the latest in a growing list of stealer families focused on the operating system after MacStealer, Pureland, Atomic Stealer, and Realst. "Threat actors are proactively targeting macOS businesses by posing as fake clients in order to socially engineer victims into launching malicious payloads,"

A new information stealer malware called MetaStealer has set its sights on Apple macOS, making the latest in a growing list of stealer families focused on the operating system after MacStealer, Pureland, Atomic Stealer, and Realst. "Threat actors are proactively targeting macOS businesses by posing as fake clients in order to socially engineer victims into launching malicious payloads," THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comEndpoint Security / Data Security37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Google on Monday rolled out out-of-band security patches to address a critical security flaw in its Chrome web browser that it said has been exploited in the wild. Tracked as CVE-2023-4863, the issue has been described as a case of heap buffer overflow that resides in the WebP image format that could result in arbitrary code execution or a crash. Apple Security Engineering and Architecture (SEAR

Google on Monday rolled out out-of-band security patches to address a critical security flaw in its Chrome web browser that it said has been exploited in the wild. Tracked as CVE-2023-4863, the issue has been described as a case of heap buffer overflow that resides in the WebP image format that could result in arbitrary code execution or a crash. Apple Security Engineering and Architecture (SEARTHNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comBrowser Security / Zero Day37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

A new phishing attack is leveraging Facebook Messenger to propagate messages with malicious attachments from a "swarm of fake and hijacked personal accounts" with the ultimate goal of taking over the targets' Business accounts. "Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a

A new phishing attack is leveraging Facebook Messenger to propagate messages with malicious attachments from a "swarm of fake and hijacked personal accounts" with the ultimate goal of taking over the targets' Business accounts. "Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comMalware / Social Media37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

The Iranian threat actor known as Charming Kitten has been linked to a new wave of attacks targeting different entities in Brazil, Israel, and the U.A.E. using a previously undocumented backdoor named Sponsor. Slovak cybersecurity firm is tracking the cluster under the name Ballistic Bobcat. Victimology patterns suggest that the group primarily singles out education, government, and healthcare

The Iranian threat actor known as Charming Kitten has been linked to a new wave of attacks targeting different entities in Brazil, Israel, and the U.A.E. using a previously undocumented backdoor named Sponsor. Slovak cybersecurity firm is tracking the cluster under the name Ballistic Bobcat. Victimology patterns suggest that the group primarily singles out education, government, and healthcare THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comCyber Espionage / Malware37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

With the growing reliance on web applications and digital platforms, the use of application programming interfaces (APIs) has become increasingly popular. If you aren’t familiar with the term, APIs allow applications to communicate with each other and they play a vital role in modern software development. However, the rise of API use has also led to an increase in the number of API breaches.

With the growing reliance on web applications and digital platforms, the use of application programming interfaces (APIs) has become increasingly popular. If you aren’t familiar with the term, APIs allow applications to communicate with each other and they play a vital role in modern software development. However, the rise of API use has also led to an increase in the number of API breaches. The Hacker Newshttp://www.blogger.com/profile/16801458706306167627noreply@blogger.comData Security / API Security37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

More RISC-V architecture updates were merged this weekend for the ongoing Linux 6.6 merge window.

Google has officially begun its rollout of Privacy Sandbox in the Chrome web browser to a majority of its users, nearly four months after it announced the plans. "We believe it is vital to both improve privacy and preserve access to information, whether it's news, a how-to-guide, or a fun video," Anthony Chavez, vice president of Privacy Sandbox initiatives at Google, said. "Without viable

Google has officially begun its rollout of Privacy Sandbox in the Chrome web browser to a majority of its users, nearly four months after it announced the plans. "We believe it is vital to both improve privacy and preserve access to information, whether it's news, a how-to-guide, or a fun video," Anthony Chavez, vice president of Privacy Sandbox initiatives at Google, said. "Without viable THNhttp://www.blogger.com/profile/09767675513435997467noreply@blogger.comPrivacy / Online Security37.09024 -95.7128918.780006163821156 -130.869141 65.400473836178847 -60.556641

Introduction

Knowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate and what tools they use helps build competent defenses and investigate incidents. This report takes a close look at the history of the Cuba group, and their attack tactics, techniques and procedures. We hope this article will help you to stay one step ahead of threats like this one.

Cuba ransomware gang

Cuba data leak site

The group’s offensives first got on our radar in late 2020. Back then, the cybercriminals had not yet adopted the moniker “Cuba”; they were known as “Tropical Scorpius”.

Cuba mostly targets organizations in the United States, Canada and Europe. The gang has scored a series of resonant attacks on oil companies, financial services, government agencies and healthcare providers.

As with most cyberextortionists lately, the Cuba gang encrypts victims’ files and demands a ransom in exchange for a decryption key. The gang infamously uses complex tactics and techniques to penetrate victim networks, such as exploitation of software vulnerabilities and social engineering. They have been known to use compromised remote desktop (RDP) connections for initial access.

The Cuba gang’s exact origins and the identities of its members are unknown, although some researchers believe it might be a successor to another ill-famed extortion gang, Babuk. The Cuba group, like many others of its kind, is a ransomware-as-a-service (RaaS) outfit, letting its partners use the ransomware and associated infrastructure in exchange for a share of any ransom they collect.

The group has changed names several times since its inception. We are currently aware of the following aliases it has used:

• ColdDraw
• Tropical Scorpius
• Fidel
• Cuba

This past February, we came across another name for the gang — “V Is Vendetta”, which deviated from the hackers’ favorite Cuban theme. This might have been a moniker used by a sub-group or affiliate.

There is an obvious connection with the Cuba gang: the newly discovered group’s website is hosted in the Cuba domain:

http[:]//test[.]cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd[.]onion/

Website of V IS VENDETTA

Cuba remains active as at the time of writing this, and we keep hearing about new extortion victims.

Victimology

In this section, we used data consensually provided by our users and information about victims from open sources, such as other security vendors’ reports and the data leak site of the ransomware gang itself.

The group has attacked numerous companies around the world. Industry affiliation does not seem to be a factor: victims have included retailers, financial and logistical services, government agencies, manufacturers, and others. In terms of geography, most of the attacked companies have been located in the United States, but there have been victims in Canada, Europe, Asia and Australia.

Geographic distribution of Cuba victims

Ransomware

The Cuba ransomware is a single file without additional libraries. Samples often have a forged compilation timestamp: those found in 2020 were stamped with June 4, 2020, and more recent ones, June 19th, 1992.

Cuba extortion model

Extortion models

Four extortion models exist today in terms of tools used for pressuring the victim.

• Single extortion: encrypting data and demanding a ransom just for decryption.
• Double extortion: besides encrypting, attackers steal sensitive information. They threaten to both withhold the encryption key and publish the stolen information online unless the victim pays up. This is the most popular model among ransomware gangs today.
• Triple extortion: adding a threat to expose the victim’s internal infrastructure to DDoS attacks. The model became widespread after the LockBit gang got DDoS’ed, possibly by a victim. After getting targeted, the hackers realized that DDoS was an effective pressure tool, something they stated openly, setting an example for others. To be fair, isolated cases of triple extortion predate the LockBit case.
• The fourth model is the least common one, as it implies maximum pressure and is thus more costly. It adds spreading news of the breach among the victim’s investors, shareholders and customers. DDoS attacks in that case are not necessary. This model is exemplified by the recent hack of Bluefield University in Virginia, where the AvosLocker ransomware gang hijacked the school’s emergency broadcast system to send students and staff SMS texts and email alerts that their personal data had been stolen. The hackers urged not to trust the school’s management, who they said were concealing the true scale of the breach, and to make the situation public knowledge as soon as possible.

The Cuba group is using the classic double extortion model, encrypting data with the Xsalsa20 symmetric algorithm, and the encryption key, with the RSA-2048 asymmetric algorithm. This is known as hybrid encryption, a cryptographically secure method that prevents decryption without the key.

Cuba ransomware samples avoid encrypting files with the following name extensions: .exe, .dll, .sys, .ini, .lnk, .vbm and .cuba, and the following folders:

• \windows\
• \program files\microsoft office\
• \program files (x86)\microsoft office\
• \program files\avs\
• \program files (x86)\avs\
• \$recycle.bin\
• \boot\
• \recovery\
• \system volume information\
• \msocache\
• \users\all users\
• \users\default user\
• \users\default\
• \temp\
• \inetcache\
• \google\

The ransomware saves time by searching for, and encrypting, Microsoft Office documents, images, archives and others in the %AppData%\Microsoft\Windows\Recent\ directory, rather than all files on the device. It also terminates all SQL services to encrypt any available databases. It looks for data both locally and inside network shares.

List of services that the Cuba ransomware terminates

Besides encrypting, the group steals sensitive data that it discovers inside the victim’s organization. The type of data that the hackers are after depends on the industry that the target company is active in, but in most cases, they exfiltrate the following:

• Financial documents
• Bank statements
• Company accounts details
• Source code, if the company is a software developer

Arsenal

The group employs both well-known, “classic” credential access tools, such as mimikatz, and self-written applications. It exploits vulnerabilities in software used by the victim companies: mostly known issues, such as the combination of ProxyShell and ProxyLogon for attacking Exchange servers, and security holes in the Veeam data backup and recovery service.

Malware

• Bughatch
• Burntcigar
• Cobeacon
• Hancitor (Chanitor)
• Termite
• SystemBC
• Veeamp
• Wedgecut
• RomCOM RAT

Tools

• Mimikatz
• PowerShell
• PsExec
• Remote Desktop Protocol

Vulnerabilities

ProxyShell:

• CVE-2021-31207
• CVE-2021-34473
• CVE-2021-34523

ProxyLogon:

• CVE-2021-26855
• CVE-2021-26857
• CVE-2021-26858
• CVE-2021-27065

Veeam vulnerabilities:

• CVE-2022-26501
• CVE-2022-26504
• CVE-2022-26500

ZeroLogon:

• CVE-2020-1472

Mapping of the attack arsenal to MITRE ATT&CK® tactics

Profits

The incoming and outgoing payments in the bitcoin wallets whose identifiers the hackers provide in their ransom notes exceed a total of 3,600 BTC, or more than $103,000,000 converted at the rate of $28,624 for 1 BTC. The gang owns numerous wallets, constantly transferring funds between these, and uses bitcoin mixers: services that send bitcoins through a series of anonymous transactions to make the origin of the funds harder to trace.

Part of the transaction tree in the BTC network

Investigation of a Cuba-related incident and analysis of the malware Host: SRV_STORAGE

On December 19, we spotted suspicious activity on a customer host, which we will refer to as “SRV_STORAGE” in this report. Telemetry data showed three suspicious new files:

Suspicious events in the telemetry data as discovered by the Kaspersky SOC

An analysis of kk65.bat suggested that it served as a stager that initiated all further activity by starting rundll32 and loading the komar65 library into it, which runs the callback function DLLGetClassObjectGuid.

Contents of the .bat file that we found

Let us take a look inside the suspicious DLL.

Bughatch

The komar65.dll library is also known as “Bughatch”, a name it was given in a report by Mandiant.

The first thing that caught our attention was the path to the PDB file. There’s a folder named “mosquito” in it, which translates into Russian as “komar”. The latter is a part of the DDL name suggesting the gang may include Russian speakers.

Path to the komar65.dll PDB file

The DLL code presents Mozilla/4.0 as the user agent when connecting to the following two addresses:

• com, apparently used for checking external connectivity
• The gang’s command-and-control center. The malware will try calling home if the initial ping goes through.

Analysis of komar65.dll

This is the kind of activity we observed on the infected host. After Bughatch successfully established a connection with the C2 server, it began collecting data on network resources.

Bughatch activity

Looking into the C2 servers, we found that in addition to Bughatch, these spread modules that extend the malware’s functionality. One of those collects information from the infected system and sends it back to the server in the form of an HTTP POST request.

Files we found on the Cuba C2 servers

One could think of Bughatch as a backdoor of sorts, deployed inside the process memory and executing a shellcode block within the space it was allocated with the help of Windows APIs (VirtualAlloc, CreateThread, WaitForSingleObject), to then connect to the C2 and await further instructions. In particular, the C2 may send a command to download further malware, such as Cobalt Strike Beacon, Metasploit, or further Bughatch modules.

Bughatch operating diagram

SRV_Service host Veeamp

After some time, we found a malicious process started on a neighboring host; we dubbed this “SRV_Service”:

Malicious process starting

Veeamp.exe is a custom-built data dumper written in C#, which leverages security flaws in the Veeam backup and recovery service to connect to the VeeamBackup SQL database and grab account credentials.

Analysis of Veeamp

Veeamp exploits the following Veeam vulnerabilities: CVE-2022-26500, CVE-2022-26501, CVE-2022-26504. The first two allow an unauthenticated user to remotely execute arbitrary code, and the third one, lets domain users do the same. After any of the three are exploited, the malware outputs the following in the control panel:

• User name
• Encrypted password
• Decrypted password
• User description in the Credentials table of Veeam: group membership, permissions and so on

The malware is not exclusive to the Cuba gang. We spotted it also in attacks by other groups, such as Conti and Yanluowang.

Activity we saw on SRV_Service after Veeamp finished its job was similar to what we had observed on SRV_STORAGE with Bughatch:

Bughatch activity on SRV_Service

As was the case with SRV_STORAGE, the malware dropped three files into the temp folder, and then executed these in the same order, connecting to the same addresses.

Avast Anti-Rootkit driver

After Bughatch successfully established a connection to its C2, we watched as the group used an increasingly popular technique: Bring Your Own Vulnerable Driver (BYOVD).

Exploiting a vulnerable driver

The malicious actors install the vulnerable driver in the system and subsequently use it to various ends, such as terminating processes or evading defenses through privilege escalation to kernel level.

Hackers are drawn to vulnerable drivers because they all run in kernel mode, with a high level of system access. Besides, a legitimate driver with a digital signature will not raise any red flags with security systems, helping the attackers to stay undetected for longer.

During the attack, the malware created three files in the temp folder:

• aswarpot.sys: a legitimate anti-rootkit driver by Avast that has two vulnerabilities: CVE-2022-26522 and CVE-2022-26523, which allow a user with limited permissions to run code at kernel level.
• KK.exe: malware known as Burntcigar. The file we found was a new variety that used the flawed driver to terminate processes.
• av.bat batch script: a stager that helps the kernel service to run the Avast driver and executes Burntcigar.

Analysis of the BAT file and telemetry data suggests that av.bat uses the sc.exe utility to create a service named “aswSP_ArPot2”, specifying the path to the driver in the С\windows\temp\ directory and the service type as kernel service. The BAT file then starts the service with the help of the same sc.exe utility and runs KK.exe, which connects to the vulnerable driver.

Contents of the .bat file that we found

Burntcigar

The first thing we noticed while looking into Burntcigar was the path to the PDB file, which contained a folder curiously named “Musor” (the Russian for “trash”), more indication that the members of the Cuba gang may speak Russian.

Path to the KK.exe PDB file

We further discovered that the sample at hand was a new version of Burntcigar, undetectable by security systems at the time of the incident. The hackers had apparently updated the malware, as in the wake of previous attacks, many vendors were able to easily detect the logic run by older versions.

You may have noticed that in the screenshot of our sample below, all data about processes to be terminated is encrypted, whereas older versions openly displayed the names of all processes that the attackers wanted stopped.

Comparison between the old and new version of Burntcigar

The malware searches for process names that suggest a relation to popular AV or EDR products and adds their process IDs to the stack to terminate later.

Burntcigar uses the DeviceIoContol function to access the vulnerable Avast driver, specifying the location of the code that contains the security issue as an execution option. The piece of code contains the ZwTerminateProcess function, which the attackers use for terminating processes.

Analysis of Burntcigar

Fortunately, our product’s self-defense was able to cope with the malware by blocking all hooks to the driver.

Later, we discovered similar activity exploiting the Avast anti-rootkit driver on the Exchange server and the SRV_STORAGE host. In both cases, the attackers used a BAT file to install the insecure driver and then start Burntcigar.

Burntcigar activity on the neighboring hosts

SRV_MAIL host (Exchange server)

On December 20, the customer granted our request to add the Exchange server to the scope of monitoring. The host must have been used as an entry point to the customer network, as the server was missing critical updates, and it was susceptible to most of the group’s initial access vectors. In particular, SRV_MAIL had the ProxyLogon, ProxyShell and Zerologon vulnerabilities still unremediated. This is why we believe that the attackers penetrated the customer network through the Exchange server.

Telemetry data starts coming in

On SRV_MAIL, the SqlDbAdmin user showed the same kind of activity as that which we had observed on the previous hosts.

Malicious activity by SqlDbAdmin

We found that the attackers were using the legitimate gotoassistui.exe tool for transferring malicious files between the infected hosts.

GoToAssist is an RDP support utility often used by technical support teams, but the application is often abused to bypass any security defenses or response teams when moving files between systems.

Sending malicious files via gotoassistui.exe

We also found that new Bughatch samples were being executed. These used slightly different file names, callback functions and C2 servers, as our systems were successfully blocking older versions of the malware at that time.

Bughatch activity

SqlDbAdmin

We wondered who that SqlDbAdmin was. The answer came through a suspicious DLL, addp.dll, which we found manually on a compromised host.

Suspicious dynamic library

We found that it used the WIN API function NetUserAdd to create the user. The name and password were hard-coded inside the DLL.

Analysis of addp.dll

As we looked further into the library, we found that it used the RegCreateKey function to enable RDP sessions for the newly created user by modifying a registry setting. The library then added the user to the Special Account registry tree to hide it from the system login screen, an interesting and fairly unconventional persistence technique. In most cases, bad actors add new users with the help of scripts thatsecurity products rarely miss.

Analysis of addp.dll

Cobalt Strike

We found a suspicious DLL, ion.dll, running on the Exchange server as part of the rundll32 process with unusual execution options. At first, we figured that the activity was similar to what we had earlier seen with Bughatch. However, further analysis showed that the library was, in fact, a Cobalt Strike Beacon.

Execution of the suspicious ion.dll file

When we were looking at the ion.dll code, what caught our attention was execution settings and a function that uses the Cobalt Strike configuration. The library used the VirtualAlloc function for allocating process memory to execute the Cobalt Strike Beacon payload in, later.

Analysis of ion.dll

All configuration data was encrypted, but we did find the function used for decrypting that. To find the Cobalt Strike C2 server, we inspected a rundll32 memory dump with ion.dll loaded into it, running with the same settings it did on the victim host.

Memory dump of rundll32

Finding out the name of the C2 helped us to locate the history of communications with that server within the telemetry data. After the malware connected to the C2, it downloaded two suspicious files into the Windows folder on the infected server and then executed these. Unfortunately, we were not able to obtain the two files for analysis, as the hackers had failed to disable security at the previous step, and the files were wiped off the infected host. We do believe, though, that what we were dealing with was the ransomware itself.

Communications with the attackers’ C2 server

The customer promptly isolated the affected hosts and forwarded the incident to the Kaspersky Incident Response team for further investigation and search for possible artifacts. This was the last we saw of the malicious actor’s activity in the customer system. The hosts avoided encryption thanks to the customer following our recommendations and directions, and responding to the incident in time.

New malware

We found that VirusTotal contained new samples of the Cuba malware with the same file metadata as the ones in the incident described above. Some of those samples had successfully evaded detection by all cybersecurity vendors. We ran our analysis on each of the samples. As you can see from the screenshot below, these are new versions of Burntcigar using encrypted data for anti-malware evasion. We have made Yara rules that detect these new samples, and we are providing these in the attachment to this article.

New malware samples

BYOVD (Bring Your Own Vulnerable Driver)

We will now take a closer look at an attack that uses insecure drivers, which we observed as we investigated the incident and which is currently growing in popularity as various APT and ransomware gangs add it to their arsenals.

Bring Your Own Vulnerable Driver (BYOVD) is a type of attack where the bad actor uses legitimate signed drivers that are known to contain a security hole to execute malicious actions inside the system. If successful, the attacker will be able to exploit the vulnerabilities in the driver code to run any malicious actions at kernel level!

Understanding why this is one of the most dangerous kinds of attacks takes a quick refresher on what drivers are. A driver is a type of software that acts as an intermediary between the operating system and the device. The driver converts OS instructions into commands that the device can interpret and execute. A further use of drivers is supporting applications or features that the operating system originally lacks. As you can see from the image below, the driver is a layer of sorts between user mode and kernel mode.

User mode and kernel mode interaction diagram. Source:
https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode

Applications running in user mode have fewer privileges to control the system. All they can get access to is a virtualized memory area that is isolated and protected from the rest of the system. The driver runs inside the kernel memory, and it can execute any operations just like the kernel itself. The driver can get access to critical security structures and modify those. Modifications like that make the system liable to attacks that use privilege escalation, disabling of OS security services, and arbitrary reading and writing.

The Lazarus gang made use of that technique in 2021 as they gained write access to kernel memory and disabled Windows security features by abusing a Dell driver that contained the CVE-2021-21551 vulnerability.

There is no sure-fire defense from legitimate drivers, because any driver could prove to have a security flaw. Microsoft has published a list of recommendations to protect against this type of techniques:

• Enable Hypervisor-Protected Code Integrity.
• Enable Memory Integrity.
• Enable validation of driver digital signatures.
• Use the vulnerable driver blocklist.

However, studies suggest that the recommendations are irrelevant even with every Windows protection feature enabled, and attacks like these go through anyway.

To counter this technique, many security vendors started adding a self-defense module into their products that prevents malware from terminating processes and blocks every attempt at exploiting vulnerable drivers. Our products have that feature too, and it proved effective during the incident.

Conclusion

The Cuba cybercrime gang employs an extensive arsenal of both publicly available and custom-made tools, which it keeps up to date, and various techniques and methods including fairly dangerous ones, such as BYOVD. Combating attacks at this level of complexity calls for sophisticated technology capable of detecting advanced threats and protecting security features from being disabled, and a massive, continuously updated threat knowledge base that helps to detect malicious artifacts manually.

The incident detailed in this article shows that investigation of real-life cyberattacks and incident response, such as Managed Detection and Response (MDR), are sources of the latest information about malicious tactics, techniques and procedures. In particular, during this investigation, we discovered new and previously undetected samples of the Cuba malware, and artifacts suggesting that at least some of the gang members spoke Russian.

That said, effective investigation and response begin with knowledge of current cyberthreats, which is available from Threat Intelligence services. At Kaspersky, the Threat Intelligence and MDR teams work closely while exchanging data and enhancing their services all the time.

Appendix

Sigma and YARA rules: https://github.com/BlureL/SigmaYara-Rules
Indicators of Compromise: Download PDF
Mitre ATT&CK matrices: Download PDF

A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunder NTLMv2 hashes from compromised Windows systems primarily located in Australia, Poland, and Belgium. The activity has been codenamed Steal-It by Zscaler ThreatLabz. "In this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions of Nishang's