Attackers continuously refine their methods to bypass conventional security measures. A recent discovery has shed light on a sophisticated multi-stage malware attack that leverages invoice-themed phishing emails to deploy a variety of malicious programs. This article delves into the intricacies of this threat and emphasizes the need for advanced defensive strategies.
Understanding the Threat: Multi-Stage Malware
Cybersecurity experts have identified an alarming trend where cybercriminals use deceptive invoice phishing emails to initiate a chain of malware infections. These emails typically contain attachments with Scalable Vector Graphics (SVG) files. When unsuspecting users click on these files, they trigger the malware’s infection sequence.
The Infection Mechanism
The process begins with an SVG file that, once activated, downloads a ZIP archive containing a batch script. This script is likely developed using an obfuscation tool known as BatCloak, which effectively disguises the malicious code to avoid detection by traditional antivirus solutions.
BatCloak and ScrubCrypt play pivotal roles in these attacks. BatCloak, which has been available for sale since late 2022, originated from another tool called Jlaive. Its main purpose is to load a secondary payload that can bypass standard detection technologies. ScrubCrypt, identified by Fortinet FortiGuard Labs in early 2023, is a crypter linked to cryptojacking campaigns by the 8220 Gang and is one of the iterations of BatCloak.
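The infection chain above starts with an SVG attachment that, when opened, runs script to fetch the ZIP. As an added example (not code from the original article), here is a mail-gateway triage routine that flags the traits such a lure needs: script elements, on-event handlers, embedded foreign content and external references. The sample SVGs are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Any attribute named on<event> (onload, onclick, ...) runs script when the SVG
# is opened in a browser, which is exactly what the lure relies on.
EVENT_HANDLER_RE = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# href values that point outside the file or carry inline code.
URI_SCHEME_RE = re.compile(r"^\s*(javascript:|data:|[a-z][a-z0-9+.\-]*://)", re.IGNORECASE)
# Elements that embed or execute foreign content inside a "picture".
RISKY_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}


def _local(qname):
    """Strip the XML namespace from an element or attribute name."""
    return qname.rsplit("}", 1)[-1]


def svg_findings(svg_bytes):
    """Return a sorted list of reasons this SVG should not be delivered.

    An empty list means no script, event handler, risky element or external
    reference was found. Input that does not parse is itself a finding: a
    gateway should not pass what it cannot inspect. Note: ElementTree is not
    hardened against entity-expansion bombs; use defusedxml in production.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable: {exc}"]
    findings = set()
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in RISKY_TAGS:
            findings.add(f"element <{tag}>")
        for name, value in elem.attrib.items():
            attr = _local(name)
            if EVENT_HANDLER_RE.match(attr):
                findings.add(f"event handler {attr} on <{tag}>")
            elif attr == "href" and URI_SCHEME_RE.match(value):
                findings.add(f"external href on <{tag}>")
    return sorted(findings)


def should_quarantine(svg_bytes):
    """Policy decision: hold the message if anything at all was found."""
    return bool(svg_findings(svg_bytes))


# Constructed samples, not real lure files.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<rect width="10" height="10"/></svg>')
LURE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="start()">'
            b'<script>/* placeholder: a real lure would fetch the ZIP here */'
            b'var started = 1;</script></svg>')
REMOTE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<image xlink:href="https://example.invalid/i.png"/></svg>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("lure", LURE_SVG), ("remote", REMOTE_SVG)):
        verdict = "quarantine" if should_quarantine(sample) else "deliver"
        print(label, "->", verdict, svg_findings(sample))
```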
The Execution Phase
Once the initial script is executed, it unpacks a ScrubCrypt batch file, setting the stage for the final payload delivery. This includes the deployment of Venom RAT, a fork of Quasar RAT, which allows attackers to take control of the compromised systems. The malware sets up persistence on the host and implements techniques to bypass Anti-Malware Scanning Interface (AMSI) and Event Tracing for Windows (ETW) protections.
Venom RAT is designed to maintain communication with its command-and-control (C2) server to fetch additional plugins for a range of activities, including keylogging and data theft. Notably, it can also deploy other RATs like NanoCore, XWorm, and Remcos via its plugin system.
Impact on Data Security
The deployment of Venom RAT and its associated plugins results in significant threats to data security. One of the plugins is a stealer that targets information from wallets and applications such as Atomic Wallet, Electrum, and Telegram. This data is then exfiltrated to remote servers, putting sensitive information at risk.
Comprehensive Defense Strategies against Multi-Stage Malware
To counter such sophisticated attacks, organizations must implement a multi-layered security strategy that includes:
Education and Awareness: Regular training sessions for employees to recognize phishing attempts and suspicious emails.
Advanced Detection Tools: Utilizing security solutions that go beyond traditional antivirus programs to detect obfuscated scripts and encrypted payloads.
Incident Response: Developing a robust incident response plan that can be swiftly executed upon detection of a potential breach.
Regular Updates and Patches: Keeping all systems updated to mitigate vulnerabilities that could be exploited by attackers.
The recent findings highlight the complexity and adaptability of modern cyber threats. By understanding the mechanisms behind these attacks and implementing comprehensive security measures, businesses can better protect themselves against the evolving tactics of cyber adversaries. It’s imperative to stay informed and vigilant, as the methods employed by attackers grow more sophisticated by the day.
For the latest insights on protecting your business from cyber threats and to learn more about our comprehensive security solutions, follow us on LinkedIn. You can also contact us directly through our website, or book a free consultation session to discuss how we can assist you in achieving the business security and resilience your organization needs.
AnyDesk, a widely-used remote access software provider, has confirmed a significant breach of its production systems. The incident, first reported by BleepingComputer, involved unauthorized access where source code and private code signing keys were reportedly stolen.
The Breach and Its Implications
AnyDesk, known for its remote access solutions popular among enterprises and individual users, acknowledged the cyberattack following the detection of unusual activities on their production servers. With over 170,000 customers, including giants like 7-Eleven, Comcast, Samsung, and the United Nations, the breach’s potential impact is substantial.
Company’s Response to the Incident
Upon discovering the breach, AnyDesk initiated a comprehensive security audit, confirming the system compromise. They engaged cybersecurity firm CrowdStrike for assistance and have since been working on a robust response plan. While ransomware was ruled out as a cause, specific details of the attack’s nature remain undisclosed.
Measures Taken by AnyDesk
In response to the breach, AnyDesk has taken several critical steps:
Revocation of compromised security-related certificates.
Remediation and replacement of affected systems.
Reassurance to customers about the safety of using AnyDesk, emphasizing no evidence of end-user device impact.
The company has stressed that AnyDesk remains secure for use, urging customers to update to the latest version featuring a new code signing certificate.
Password Revocation and Security Advice
Although no authentication tokens were reportedly stolen, AnyDesk has proactively revoked all passwords to their web portal. They advise users to change their passwords, especially if the same password is used on other sites. The company has emphasized the design of their session authentication tokens, which reportedly cannot be stolen as they are uniquely tied to the user’s device.
Replacement of Code Signing Certificates
AnyDesk has begun issuing new code signing certificates, with the recent version 8.0.8 featuring this update. This step is critical, as certificates are generally invalidated only if compromised. Users are strongly recommended to switch to the new version of the software.
Connection to Recent Maintenance and Outage
A reported four-day outage starting January 29th, where AnyDesk disabled client login capabilities, was initially unexplained. However, AnyDesk has now confirmed this maintenance was related to the cybersecurity incident.
Broader Context of Cybersecurity Breaches
This incident at AnyDesk is part of a growing trend of high-profile breaches. Recent examples include Cloudflare’s disclosure of a hack using stolen Okta authentication keys and Microsoft’s revelation of being targeted by Russian state-sponsored hackers.
ZLoader, originally an offshoot of the Zeus banking trojan, first emerged in 2015. Its evolution from a banking trojan to a multifaceted tool capable of delivering various payloads, including ransomware, marks its adaptability and persistent threat to cybersecurity.
The New Variant of ZLoader
After a period of dormancy following a successful takedown operation, ZLoader has re-emerged with enhanced capabilities. This new variant, indicative of ongoing development by its orchestrators, signals not only a revival but an escalation in its threat level.
Distribution and Evasion Techniques
The latest versions of ZLoader exhibit advanced evasion tactics. These include the use of RSA encryption and an updated domain generation algorithm, making its detection and analysis more challenging for cybersecurity experts.
By adapting to 64-bit Windows operating systems, ZLoader has expanded its potential target base. This compatibility indicates a strategic move to infiltrate more modern and secure systems.
ZLoader now requires specific filenames for execution, a tactic designed to bypass malware sandbox environments that typically rename sample files for analysis.
ZLoader’s primary distribution channels remain phishing emails and malicious search engine ads. These methods exploit human error and are often the first line of attack in a multi-layered strategy. Given ZLoader’s history and its role as a loader for ransomware, its resurgence is particularly concerning. The malware’s ability to deliver ransomware payloads makes it a formidable tool in the arsenal of cybercriminals.
Protective Measures
Employee Education: Regular training on identifying phishing emails and malicious ads is crucial. Our online flagship program, Business Security and Resilience, offers comprehensive courses on these topics. Learn more about our phishing awareness training.
Endpoint Security: Implementing robust endpoint security solutions can help detect and block ZLoader infections. Xiphos offers solutions in endpoint security that can fortify your defense against such threats. Explore our endpoint security services.
Backup and Recovery: Regular backups and an effective disaster recovery plan are essential. For businesses seeking to enhance their resilience, we provide specialized services in business continuity and disaster recovery. Check out our backup and recovery solutions.
ISO 27001 Compliance: Adhering to ISO 27001 standards can significantly bolster your cybersecurity posture. Our expertise in ISO 27001 implementation and auditing can guide you through this process. Discover our ISO 27001 services.
Advanced Threat Detection: Incorporating advanced threat detection tools and services, such as SOC and log management, can help identify and mitigate threats like ZLoader. Explore our SOC and log management services.
The re-emergence of ZLoader malware is a serious concern for businesses globally. However, with the right strategies and solutions in place, organizations can effectively mitigate these risks. At Xiphos, we are committed to helping you ensure your protection against such threats. Our comprehensive range of services, from information security management to ISO compliance and risk management, is designed to reinforce your business’s security and resilience.
Contact us today to fortify your defenses against emerging cybersecurity threats like ZLoader.
Stay informed and protected with Xiphos Security Portal.
The cybersecurity world is facing a new formidable challenge with the advent of Kasseika ransomware. This malicious entity stands out for its innovative approach in circumventing traditional antivirus measures, marking a concerning evolution in cyber threats.
Kasseika’s Unique Offensive Strategy
What sets Kasseika apart is its employment of the Bring Your Own Vulnerable Driver (BYOVD) tactic. This method leverages the exploitation of vulnerable system drivers, specifically targeting the Martini driver from TG Soft’s VirtIT Agent System. By disabling key antivirus products, Kasseika gains an unobstructed path to encrypt files on the targeted system.
The BlackMatter Connection
In-depth analysis by Trend Micro reveals striking similarities between Kasseika and the infamous BlackMatter ransomware. The parallels in their operational tactics and source code hint at Kasseika’s possible origins: it might be the brainchild of ex-BlackMatter members or developed by seasoned ransomware creators who procured BlackMatter’s code. This connection raises alarms due to BlackMatter’s history of destructive cyber campaigns.
The Modus Operandi of Kasseika
Kasseika initiates its attack chain with carefully crafted phishing emails aimed at employees. These emails are designed to pilfer login credentials, granting the attackers initial access to the victim’s corporate network. Subsequently, the ransomware exploits the Windows PsExec tool to deploy malicious .bat files across the network, enabling it to spread laterally.
A key step in the attack involves shutting down the ‘Martini.exe’ process and introducing the compromised ‘Martini.sys’ driver. This driver plays a pivotal role, empowering Kasseika to terminate a list of predefined processes, primarily targeting security and antivirus programs.
How Kasseika Executes Its Plan
Post-preparation, Kasseika proceeds to run its main ransomware executable, named smartscreen_protected.exe, effectively sidelining antivirus processes. The ransomware uses a combination of ChaCha20 and RSA encryption algorithms to lock down files, mirroring tactics used by BlackMatter. Each file is tagged with a unique pseudo-random string, and the victims’ desktops are altered with ransom notes.
The Ransom Demand and Cleanup
The demands made by Kasseika are steep: victims are given a 72-hour window to transfer 50 Bitcoins (valued at about $2,000,000). The ransom increases for every 24-hour delay in payment. Furthermore, victims are instructed to post their payment proofs in a designated Telegram group to obtain the decryption key. In a final act to cover its tracks, Kasseika wipes the system event logs, erasing evidence of its presence and activities.
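The steps above (PsExec-driven .bat deployment, killing Martini.exe, loading Martini.sys, running smartscreen_protected.exe, then clearing the event logs) form a chain that is far more telling than any single event. As an added example (not code from the article or from Trend Micro), this correlator scores per-host stages over constructed Sysmon-style and Windows event records; the event IDs and the PSEXESVC service name are standard, while hostnames and file paths are made up.

```python
from collections import defaultdict

# Event IDs assumed below: Sysmon 1 (process create), 5 (process terminate),
# 6 (driver load); Windows 1102 (Security log cleared) and 104 (System log
# cleared). PSEXESVC.exe is the service binary PsExec drops on a target.
# Each event is a dict with ts, host, id and, where relevant, image/parent/cmd.
def _ends(e, key, suffix):
    return e.get(key, "").lower().endswith(suffix)


STAGES = (
    ("lateral_psexec_bat",
     lambda e: e["id"] == 1 and _ends(e, "parent", "psexesvc.exe") and _ends(e, "cmd", ".bat")),
    ("martini_process_killed",
     lambda e: e["id"] == 5 and _ends(e, "image", "\\martini.exe")),
    ("byovd_martini_driver",
     lambda e: e["id"] == 6 and _ends(e, "image", "\\martini.sys")),
    ("ransomware_binary",
     lambda e: e["id"] == 1 and _ends(e, "image", "\\smartscreen_protected.exe")),
    ("event_logs_cleared",
     lambda e: e["id"] in (1102, 104)),
)


def stages_per_host(events):
    """Map each host to the distinct Kasseika-like stages seen, in time order."""
    seen = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        for name, matches in STAGES:
            if matches(e) and name not in seen[e["host"]]:
                seen[e["host"]].append(name)
    return dict(seen)


def flag_hosts(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages, most stages first.

    One stage alone is noisy: Martini.sys also loads on hosts where the
    vendor's product is legitimately installed, and admins clear logs too.
    The chain is what makes the ransomware recognisable.
    """
    hits = {h: s for h, s in stages_per_host(events).items() if len(s) >= min_stages}
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))


# Constructed events; hostnames and paths are made up for the demo.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws01", "id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\PSEXESVC.exe", "cmd": r"cmd.exe /c C:\Temp\deploy.bat"},
    {"ts": 2, "host": "ws01", "id": 5, "image": r"C:\Vendor\Martini.exe"},
    {"ts": 3, "host": "ws01", "id": 6, "image": r"C:\Temp\Martini.sys"},
    {"ts": 4, "host": "ws01", "id": 1, "image": r"C:\Temp\smartscreen_protected.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "smartscreen_protected.exe"},
    {"ts": 5, "host": "ws01", "id": 1102},
    {"ts": 6, "host": "ws02", "id": 104},                                # lone log clear
    {"ts": 7, "host": "ws03", "id": 6, "image": r"C:\Vendor\Martini.sys"},  # legit install
]

if __name__ == "__main__":
    for host, stages in flag_hosts(SAMPLE_EVENTS):
        print(host, "->", ", ".join(stages))
```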
Proactive Measures and Trend Micro’s Contribution
In response to this escalating threat, Trend Micro has compiled and released a set of indicators of compromise (IoCs) associated with Kasseika. These IoCs are critical for organizations globally to identify and defend against this sophisticated ransomware.
Kasseika ransomware emerges as a daunting new player in the cybercrime arena. Its advanced tactics and connection to BlackMatter underscore the need for enhanced vigilance and adaptive security strategies. The release of IoCs by Trend Micro serves as an essential tool for organizations to shield themselves against this and similar cybersecurity threats. More details: https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html
GitHub is a critical platform that has fallen prey to sophisticated cybercriminal tactics. Initially designed as a hub for collaboration and code sharing, GitHub’s open nature has inadvertently made it a target for malicious activities. The exploitation ranges from hosting harmful files to orchestrating phishing scams, showcasing the dual nature of technology as both a tool for advancement and a weapon for cybercrime.
Subtle Threats: The Art of Camouflage
The tactics employed by these cybercriminals are not just advanced; they are insidiously woven into the fabric of GitHub’s legitimate operations. The concept of living-off-the-land (LotL) has evolved into a more covert strategy known as “living-off-trusted-sites” (LOTS). This approach cleverly disguises malicious activities, making them nearly indistinguishable from regular, benign traffic. It’s a method that blurs the lines between the legitimate and the illicit, making detection a daunting task for even the most astute security professionals.
Ingenious Methods: DDR and C2 Networks
Among the techniques utilized, dead drop resolving (DDR) and command-and-control (C2) networks stand out. DDR involves leveraging GitHub’s legitimate infrastructure to hide information about malicious domains, effectively turning the service into a beacon for further cybercriminal activities. Similarly, C2 networks find a veil in GitHub’s traffic, making these malicious operations appear as harmless as any regular data exchange on the platform.
The Road Ahead: A Complex Challenge
Confronting these threats requires more than just traditional security measures. Advanced detection methods, enhanced visibility, and diverse detection angles are essential in this fight against cybercrime. However, the complexity and sophistication of these threats mean that a quick resolution is not on the horizon. The responsibility for detecting and mitigating these risks may gradually shift towards larger internet services, signaling a new era in cybersecurity where vigilance and innovation are paramount.
Introduction to CVE-2023-7024
The cybersecurity landscape has encountered a significant threat with the discovery of a high-severity zero-day vulnerability in Google Chrome. Tagged as CVE-2023-7024, this vulnerability is a heap-based buffer overflow issue found in the WebRTC framework, posing a serious risk of program crashes and arbitrary code execution.
Discovery and Reporting
Clément Lecigne and Vlad Stolyarov, members of Google’s Threat Analysis Group (TAG), were instrumental in identifying and reporting this vulnerability. Their work highlights the critical role of continuous monitoring and proactive response in the field of cybersecurity.
The Severity and Impact of CVE-2023-7024
Nature of the Vulnerability: As a heap-based buffer overflow bug, CVE-2023-7024 can be exploited to execute arbitrary code on a victim’s system, making it a target for malicious actors.
Exploitation in the Wild: The vulnerability has been actively exploited, prompting an urgent response from Google and the cybersecurity community.
Contextualizing CVE-2023-7024 Within 2023’s Cybersecurity Trends
2023 has been marked by an alarming increase in cybersecurity threats, with CVE-2023-7024 being the eighth zero-day vulnerability exploited in Chrome this year. The total number of vulnerabilities disclosed in 2023 so far has surpassed the previous year’s total by over 1,500 CVEs, signifying a growing challenge in digital security.
Updating after a prolonged period will also patch these additional vulnerabilities:
CVE-2023-2033 (CVSS score: 8.8) – Type confusion in V8
CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in Skia
CVE-2023-3079, CVE-2023-4762, CVE-2023-4863 (CVSS score: 8.8 each) – Type confusion in V8
CVE-2023-5217 (CVSS score: 8.8) – Heap buffer overflow in VP8 encoding in libvpx
CVE-2023-6345 (CVSS score: 9.6) – Integer overflow in Skia
Recommended Actions for Users and Businesses
To counter the threat posed by CVE-2023-7024, users and businesses are advised to:
Update Chrome to version 120.0.6099.129/130 for Windows and 120.0.6099.129 for macOS and Linux.
Regularly check for and apply updates to their web browsers, especially those based on the Chromium framework like Microsoft Edge, Brave, Opera, and Vivaldi.
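Checking a fleet against the fixed builds listed above is easy to get wrong if version strings are compared as text. As an added example (not from the original article), this inventory check parses four-part Chrome versions numerically and reports hosts still below the per-platform fix; the inventory rows are constructed, and the check applies to Google Chrome only, since the other Chromium browsers number their builds differently.

```python
import re

# Builds that carry the CVE-2023-7024 fix, per platform, as given in the article.
FIXED_BUILDS = {
    "windows": ("120.0.6099.129", "120.0.6099.130"),
    "macos": ("120.0.6099.129",),
    "linux": ("120.0.6099.129",),
}
VERSION_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_version(text):
    """Turn '120.0.6099.129' into (120, 0, 6099, 129).

    Comparing as integers matters: as strings, '120.0.6099.99' sorts *after*
    '120.0.6099.129' and would wrongly look patched.
    """
    if not re.fullmatch(r"\s*\d+\.\d+\.\d+\.\d+\s*", text):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(part) for part in text.strip().split("."))


def extract_version(banner):
    """Pull the version out of e.g. 'Google Chrome 120.0.6099.129'."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no version in {banner!r}")
    return m.group(0)


def is_patched(version, platform):
    """True when this Google Chrome build is at or above the fixed build.

    Google Chrome only: Edge, Brave, Opera and Vivaldi number their builds
    differently, so check them against their own vendor advisories.
    """
    try:
        floor = min(parse_version(v) for v in FIXED_BUILDS[platform.lower()])
    except KeyError:
        raise ValueError(f"unknown platform {platform!r}") from None
    return parse_version(version) >= floor


def unpatched(inventory):
    """Hostnames from (host, platform, version) rows still exposed to CVE-2023-7024."""
    return [host for host, platform, version in inventory
            if not is_patched(version, platform)]


# Constructed inventory rows; hostnames and versions are made up for the demo.
INVENTORY = [
    ("fin-01", "windows", "120.0.6099.109"),
    ("dev-02", "linux", "120.0.6099.129"),
    ("mac-03", "macos", "120.0.6099.71"),
    ("ops-04", "windows", "121.0.6167.85"),
]

if __name__ == "__main__":
    print("needs update:", unpatched(INVENTORY))
```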
This situation underscores the importance of maintaining up-to-date software and implementing comprehensive cybersecurity measures. Regular updates, informed awareness of security threats, and the application of advanced security solutions are crucial in protecting against such vulnerabilities.