Threat Update: Blowing Cobalt Strike Out of the Water With Memory Analysis
Chinese Gambling Spam Targets World Cup Keywords
(published: December 2, 2022)
Background:
Since 2018, a large-scale website infection campaign has affected as many as 100,000 sites at any given time. The infected websites, mostly aimed at audiences in China, were modified with additional scripts that redirected visitors to Chinese gambling sites. The title and meta tags of compromised pages were changed to display keywords chosen by the attackers to abuse search engine optimization (SEO). At the same time, additional scripts switched the page titles back to the originals whenever visitor fingerprinting did not identify a crawler from a preset list of Chinese search engines (such as Baidu), a cloaking technique that hides the modification from ordinary visitors and site owners.
Takeaway:
Website owners should keep their systems updated, use unique strong passwords, introduce MFA for all privileged or internet-facing resources, and employ server-side scanning to detect unauthorized content (client-side checks can be cloaked in exactly the way described above). Store website backups securely so that a clean copy is available for comparison and restoration.
Leaked Android Platform Certificates Create Risks for Users
(published: December 2, 2022)
Background:
On November 30, 2022, Google reported 10 different Android platform certificates that had been abused in the wild to sign malware. Rapid7 researchers found that the reported signed samples are adware, which suggests that these platform certificates may have been widely available. It has not been disclosed how the certificates leaked.
Takeaway:
Malware signed with a platform certificate can run with the same privileges as the Android system itself, including permission to access user data, because the OS trusts any application signed with the vendor's platform key. Device vendors and developers should minimize the number of applications that require a platform certificate signature.
Blowing Cobalt Strike Out of the Water With Memory Analysis
(published: December 2, 2022)
Background:
The Cobalt Strike attack framework remains difficult to detect because it works mostly in memory and barely touches the disk after the initial loader stage. Palo Alto researchers analyzed three types of Cobalt Strike loaders: KoboldLoader, which loads an SMB beacon; MagnetLoader, which loads an HTTPS beacon; and LithiumLoader, which loads a stager beacon.
These beacon samples do not execute in normal sandbox environments and use in-memory evasion features. For example, the SMB beacon delivered by KoboldLoader frees the memory associated with the reflective DLL package, overwrites the MZ magic bytes and the rest of the DOS header with a small loader shellcode, uses the x86 reflective loader to load the specified library and overwrite its own space, and obfuscates the reflective DLL's import table, overwriting unused header content. Each of these steps removes a signature that memory scanners commonly key on.
Takeaway:
The highly evasive nature of in-memory beacons makes it important to analyze artifacts from the deltas in process memory at key points of execution (for instance, before and after the loader's decoding and reflective-load stages). Concentrate on function pointers, the decoded stages of the loader, modifications to OS structures such as the process's loaded-module lists, and all changes made to page permissions.
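Two of the deltas above are easy to check mechanically: an NT header that no longer has a DOS header pointing at it (the MZ bytes were stomped), and pages that appeared as RWX or went from writable to executable between two snapshots. The script below is an added example and not Palo Alto's tooling; the PE image, the shellcode stand-in and the page-protection snapshots are all constructed inline so it runs offline. In practice the region bytes and protection maps would come from a process dump or a Volatility-style plugin.

```python
"""Memory-delta heuristics for a reflectively loaded beacon.

Added example; not Palo Alto's tooling. The PE image and the page-protection
snapshots are constructed inline so the script runs offline.
"""
import struct
from typing import Dict, List, Tuple

PAGE = 0x1000


def build_image(stomp_dos_header: bool) -> bytes:
    """Constructed two-page image: DOS header at 0, IMAGE_NT_HEADERS64 at 0x80.

    With stomp_dos_header=True the first 0x40 bytes are replaced by a stand-in
    loader shellcode (a CALL followed by NOP padding), mimicking how the SMB
    beacon overwrites the MZ magic and DOS header after reflective loading.
    """
    img = bytearray(2 * PAGE)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)        # e_lfanew -> NT headers
    img[0x80:0x84] = b"PE\x00\x00"                 # NT signature
    struct.pack_into("<H", img, 0x84, 0x8664)      # FileHeader.Machine = AMD64
    struct.pack_into("<H", img, 0x98, 0x20B)       # OptionalHeader.Magic = PE32+
    if stomp_dos_header:
        img[0:0x40] = b"\xe8\x00\x00\x00\x00" + b"\x90" * 0x3B
    return bytes(img)


def scan_nt_headers(region: bytes) -> List[dict]:
    """Locate NT headers by signature plus plausible Machine/Magic fields, then
    look back up to 0x400 bytes for a DOS header whose e_lfanew points at them.
    An NT header with no such DOS header is the 'MZ stomped' pattern: the
    loader still needs the section and import tables but has erased the bytes
    that signature scanners key on.
    """
    hits = []
    off = region.find(b"PE\x00\x00")
    while off != -1 and off + 0x1A <= len(region):
        machine = struct.unpack_from("<H", region, off + 4)[0]
        magic = struct.unpack_from("<H", region, off + 0x18)[0]
        if machine in (0x14C, 0x8664) and magic in (0x10B, 0x20B):
            dos_ok = any(
                region[s:s + 2] == b"MZ"
                and struct.unpack_from("<I", region, s + 0x3C)[0] == off - s
                for s in range(max(0, off - 0x400), off - 0x40 + 1)
            )
            hits.append({"nt_offset": off, "machine": machine,
                         "dos_header_intact": dos_ok})
        off = region.find(b"PE\x00\x00", off + 1)
    return hits


# Page base -> protection string; "---" means not mapped in that snapshot.
Perm = Dict[int, str]

# Constructed snapshots: page 0x20000 was written and then made executable,
# and a fresh RWX page at 0x22000 appeared between the two points of execution.
SNAP_BEFORE: Perm = {0x10000: "r-x", 0x20000: "rw-", 0x21000: "rw-"}
SNAP_AFTER: Perm = {0x10000: "r-x", 0x20000: "r-x", 0x21000: "rw-", 0x22000: "rwx"}


def permission_deltas(before: Perm, after: Perm) -> List[Tuple[int, str, str]]:
    """All pages whose protection differs between the two snapshots."""
    return [(base, before.get(base, "---"), after.get(base, "---"))
            for base in sorted(set(before) | set(after))
            if before.get(base, "---") != after.get(base, "---")]


def suspicious_transitions(deltas: List[Tuple[int, str, str]]) -> List[Tuple[int, str, str]]:
    """RWX pages, or pages written and then flipped to executable, are the
    transitions a reflective loader produces while staging a beacon. JIT
    engines do the same, so baseline the process before alerting on this alone."""
    return [d for d in deltas if d[2] == "rwx" or (d[1] == "rw-" and d[2] == "r-x")]


if __name__ == "__main__":
    for label, stomped in (("clean image", False), ("stomped image", True)):
        print(label, scan_nt_headers(build_image(stomped)))
    print(suspicious_transitions(permission_deltas(SNAP_BEFORE, SNAP_AFTER)))
```

The header check deliberately does not trust e_lfanew, since the loader overwrites the whole DOS header; it walks forward from the NT signature instead and only then looks back for a consistent MZ stub. Both heuristics produce false positives on their own (packed legitimate binaries, JITs), which is why the takeaway stresses correlating several deltas at the same points of execution.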
Buyer Beware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
(published: December 1, 2022)
Background:
Since 2018, the North Korea-sponsored Lazarus Group has used fake cryptocurrency-related applications to spread the AppleJeus malware. Between June and October 2022, Volexity researchers observed the continuation and evolution of this campaign. Lazarus Group switched from malicious Microsoft Installer (MSI) files to Microsoft Office documents carrying an OLE object whose macro dynamically loads a second macro. The attackers also added a step to their DLL sideloading chain: the legitimate binary loads a legitimate DLL from the System32 directory, and that DLL in turn loads a malicious DLL from the binary's own directory.
Takeaway:
Users involved in cryptocurrency and other financial activity should take extra care when downloading new applications. Consider blocking macro execution in Microsoft Office. Network defenders should pay extra attention to the creation of new scheduled tasks.
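The two-step sideload described above still leaves a simple trace in image-load telemetry: a DLL whose name normally resolves to System32 is loaded from somewhere else, typically right next to the executable. The script below is an added example, not Volexity's detection logic. Its field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed), but the events, the DLL-name list and the wtsapi32.dll/winsta.dll pairing are constructed for illustration.

```python
"""Flag DLL side-loading candidates in ImageLoad-style telemetry.

Added example; not Volexity's detection logic. Field names follow Sysmon
Event ID 7 (Image, ImageLoaded, Signed); the events and the DLL-name list
are constructed. Rule: a DLL whose name normally resolves to System32 or
SysWOW64 but was loaded from anywhere else is a side-load candidate, and one
loaded from the process's own directory is the classic case.
"""
import ntpath
from typing import Dict, List

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed, partial list. In production derive it from a clean reference
# machine (every *.dll under System32/SysWOW64) rather than hand-maintaining it.
KNOWN_SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "winsta.dll",
    "cryptbase.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll",
}

# Constructed events. Event 2 models the two-step chain: the signed
# wtsapi32.dll from System32 pulls in winsta.dll, which the attacker dropped
# next to the executable. Event 4 shows the same name trick from Temp.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Users\dev\Downloads\TradeApp\TradeApp.exe",
     "ImageLoaded": r"C:\Windows\System32\wtsapi32.dll", "Signed": "true"},
    {"Image": r"C:\Users\dev\Downloads\TradeApp\TradeApp.exe",
     "ImageLoaded": r"C:\Users\dev\Downloads\TradeApp\winsta.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorcore.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Users\dev\AppData\Local\Temp\version.dll", "Signed": "false"},
]


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path (ntpath works on any host OS)."""
    return ntpath.normpath(path).lower()


def sideload_candidates(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    findings = []
    for ev in events:
        image, loaded = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
        loaded_dir, dll = ntpath.dirname(loaded), ntpath.basename(loaded)
        if loaded_dir.startswith(SYSTEM_DIRS):
            continue                      # loaded from where it belongs
        if dll not in KNOWN_SYSTEM_DLL_NAMES:
            continue                      # vendor DLL beside its own exe: normal
        findings.append({
            "process": image,
            "dll": dll,
            "loaded_from": loaded_dir,
            "adjacent_to_exe": loaded_dir == ntpath.dirname(image),
            "signed": ev.get("Signed", "").lower() == "true",
        })
    return findings


if __name__ == "__main__":
    for finding in sideload_candidates(EVENTS):
        print(finding)
```

The rule triggers on the second hop even though the first hop (the legitimate System32 DLL) looks clean, because it keys on where the DLL name was resolved from rather than on who requested it. Treat an unsigned hit that is adjacent to a recently downloaded executable as high priority and a signed hit as worth a look at the signer.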
Advanced Phishing Campaign Targeting Individuals & Businesses in the Middle East
(published: November 28, 2022)
Background:
A major business email compromise (BEC) phishing campaign targets UAE organizations using fake job offers, contract bidding, and vendor registration lures. CloudSEK researchers connected this campaign to an unidentified, experienced group that has been active since at least 2020.
Some of the typosquatted domains impersonated three major oil companies and were used only for email servers. Other typosquatted domains hosted websites copying the respective investment firms, hotels, and travel agencies. The attackers used HTTrack to clone sites from one typosquatted domain to another, and relied on providers that are slow to respond to abuse complaints, such as Tucows Domains and Zoho Mail.
Takeaway:
Keep a watchful eye on suspicious domain registrations that resemble your brand and the brands of companies in your supply chain. Encourage employees to check sender addresses and web links for altered spellings.
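Watching for look-alike registrations is mostly a matter of generating the usual typosquat forms of each brand label and comparing them against a feed of new domains. The script below is an added example and not CloudSEK's tooling; the brand names, the registration feed and the lure-word affixes (chosen to match the job, bidding and vendor-registration lures described above) are all constructed.

```python
"""Typosquat watch for brand domains.

Added example; not CloudSEK's tooling. Brand names, the registration feed and
the lure words are constructed. Generates the usual look-alike forms
(omission, transposition, duplication, homoglyph substitution, lure-word
affixes) and also catches anything within one edit of the brand label.
"""
from typing import Dict, List, Set

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn"}
# Assumed affixes matching the lures above (jobs, contract bidding, vendor registration).
LURE_WORDS = ("group", "careers", "tenders", "vendors")


def variants(label: str) -> Set[str]:
    out: Set[str] = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                     # omission
        out.add(label[:i] + label[i] * 2 + label[i + 1:])      # duplication
        if i + 1 < len(label):                                 # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for src, dst in HOMOGLYPHS.items():                        # single homoglyph swap
        idx = label.find(src)
        while idx != -1:
            out.add(label[:idx] + dst + label[idx + len(src):])
            idx = label.find(src, idx + 1)
    for w in LURE_WORDS:                                       # lure-word affixes
        out.update({label + w, label + "-" + w, w + label, w + "-" + label})
    out.discard(label)
    return out


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance; catches one-off typos the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_registrations(brands: List[str], registrations: List[str],
                       max_distance: int = 1) -> Dict[str, List[str]]:
    """Map each suspicious registered domain to the brand(s) it imitates.
    Only the leftmost label is compared, so feed registrable domains, not hostnames."""
    hits: Dict[str, List[str]] = {}
    lookalikes = {b.lower(): variants(b.lower()) for b in brands}
    for domain in registrations:
        label = domain.lower().split(".")[0]
        for brand, forms in lookalikes.items():
            if label == brand:
                continue                                        # the brand's own domain
            if label in forms or levenshtein(label, brand) <= max_distance:
                hits.setdefault(domain, []).append(brand)
    return hits


# Constructed inputs: two brands and a day's worth of new registrations.
BRANDS = ["example-oil", "acme-hotels"]
REGISTRATIONS = [
    "example-oil.com",          # legitimate
    "examp1e-oil.com",          # l -> 1
    "exampleoil.net",           # hyphen dropped
    "example-oil-tenders.com",  # contract-bidding lure
    "acrne-hotels.com",         # m -> rn
    "unrelated-travel.com",
]

if __name__ == "__main__":
    for domain, imitated in flag_registrations(BRANDS, REGISTRATIONS).items():
        print(domain, "->", imitated)
```

Feed the function the daily output of a certificate-transparency or zone-file monitor; the generator is deliberately small, so extend HOMOGLYPHS and LURE_WORDS with the forms seen against your own brand, and apply the same check to the domains of suppliers whose invoices you pay.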
Attacker Uses a Popular TikTok Challenge to Lure Users Into Installing Malicious Package
(published: November 28, 2022)
Background:
Checkmarx researchers discovered a new social engineering campaign tricking users into installing the WASP stealer. In November 2022, the attackers lured users into downloading malicious packages that claimed to remove the nudity obfuscation from TikTok videos recorded with the "Invisible Body" filter.
Despite efforts to report and remove the initial malicious packages from PyPI, the attackers showed some resilience by publishing new ones. Besides prompting users to download the malware, new members were asked to "star" the GitHub project, giving it more social weight.
Takeaway:
Users should be wary of downloading new software projects, especially when the claimed functionality is illegal or of dubious nature. Open-source package registries should implement multi-step verification to protect their ecosystems against this kind of abuse.
source https://www.rootshellsecurity.net/threat-update-blowing-cobalt-strike-out-of-the-water-with-memory-analysis/