New Linux Malware "OrBit" Discovered Evading Detection Through Uncommon Methodology
"OrBit," an emerging and previously undetected Linux malware, has been discovered by Intezer researchers and observed infecting all running processes as well as new processes on the targeted machine. Researchers noted that the malware can be installed either with persistence capabilities or as a resilient implant that enables advanced evasion techniques. OrBit also gains persistence by "hooking key functions, provides the threat actors with remote access capabilities over SSH, harvesting credentials, and logs TTY commands." OrBit evades detection by filtering logs to hide all traces of its existence. Researchers explained that OrBit uses two (2) ways of loading the malicious library in order to achieve persistence and to make the malware difficult to remove from a machine while it is running. The first method is adding the shared object to the "/etc/ld.so.preload" configuration file that is read by the dynamic loader. The second method is copying the loader's binary and replacing the "/etc/ld.so.preload" string inside it with a file path within the %MALWARE_FOLDER%, so that the copied loader treats the malware's own file as its preload configuration. This methodology is unlike other Linux malware (such as Symbiote, HiddenWasp, etc.), which typically just modifies an environment variable to hijack shared libraries. OrBit's dropper and payload were undetected by anti-virus engines when first discovered, but some vendors have since updated their products. An in-depth technical analysis of OrBit as well as indicators of compromise (IOCs) can be viewed in Intezer's report linked below.
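The two loader-based persistence points described above can be audited from a defender's side. The script below is an added example, not code from Intezer's report: it lists entries in an ld.so.preload-style file and checks whether a dynamic loader binary still embeds the literal "/etc/ld.so.preload" path (a copied loader with that string rewritten would not). The loader locations are assumptions for common glibc/musl layouts, and both paths are parameters so the checks can run against files copied from a suspect host.

```python
#!/usr/bin/env python3
"""Added example (not from the Intezer report): audit the two loader-based
persistence points described above. Paths are parameters so the checks can be
run against files copied from a suspect host; the loader locations below are
assumptions for common glibc/musl layouts."""
import glob
from pathlib import Path

DEFAULT_PRELOAD_CONF = "/etc/ld.so.preload"
LOADER_GLOBS = ["/lib64/ld-linux-x86-64.so.2", "/lib/ld-linux*.so.*",
                "/lib/ld-musl-*.so.1"]


def preload_entries(conf_path):
    """Non-blank, non-comment entries of an ld.so.preload-style file.
    A clean host normally has no such file, or an empty one."""
    p = Path(conf_path)
    if not p.is_file():
        return []
    lines = p.read_text(errors="replace").splitlines()
    return [s for s in (ln.strip() for ln in lines) if s and not s.startswith("#")]


def loader_has_default_preload_path(loader_path):
    """True if the loader binary still embeds the literal "/etc/ld.so.preload".
    A loader copy with that string rewritten to another path is the second
    persistence method described above and survives a cleaned-up
    /etc/ld.so.preload."""
    return b"/etc/ld.so.preload" in Path(loader_path).read_bytes()


def audit_preload_persistence(conf_path, loader_path):
    """Return a list of finding strings; an empty list means nothing suspicious."""
    findings = []
    entries = preload_entries(conf_path)
    if entries:
        findings.append(f"{conf_path} preloads {len(entries)} object(s): "
                        + ", ".join(entries))
    if Path(loader_path).is_file() and not loader_has_default_preload_path(loader_path):
        findings.append(f"{loader_path} does not reference /etc/ld.so.preload "
                        "(replaced or patched copy?)")
    return findings


if __name__ == "__main__":
    loaders = [p for g in LOADER_GLOBS for p in glob.glob(g)]
    for finding in audit_preload_persistence(DEFAULT_PRELOAD_CONF,
                                             loaders[0] if loaders else ""):
        print("[!]", finding)
```

A hit on the second check is the more important one: an empty /etc/ld.so.preload proves nothing if the loader itself has been pointed elsewhere.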
Threat Actor Activity
Threat Actors Target United States Healthcare Organizations
North Korean APT actors have targeted several United States Healthcare and Public Health (HPH) sector organizations through a string of Maui ransomware attacks. These threat actors have encrypted and exfiltrated information from several organizations' servers, which host assets for electronic health record services, diagnostic services, imaging services, and internal networks. By choosing the Maui ransomware variant, threat actors have more control over the behavior of the program, with the ability to choose which files and directories are to be ransomed. During the encryption process, Maui uses a combination of encryption methods including AES, RSA, and XOR prior to exfiltration of the data. Each file is encrypted with AES-128 using its own key; each AES key is encrypted with an RSA public/private key pair, and those RSA keys are in turn protected with XOR-based encryption on disk. While no one group has been tied to these attacks, analysts from the Federal Bureau of Investigation attribute the attacks to North Korea based on the observed tactics, techniques, and procedures of the threat actors. Indicators of compromise for the Maui ransomware are included in the articles below. CTIX urges security personnel and network administrators to implement security controls to detect ransomware and other malicious programs in order to mitigate the risk of compromise from threat actors.
Threat Actor Profile: Vice Society
Vice Society is a relatively unknown cybercrime group that started operating a year ago. Over that year it has shown steady activity encrypting and exfiltrating victims' data. Unlike other RaaS (Ransomware-as-a-Service) double extortion groups, Vice Society focuses on getting into the victim's systems to deploy ransomware binaries it bought on dark web forums. This is likely a way for the group to save the resources it would otherwise spend developing its own ransomware. Vice Society mainly targets small or mid-sized companies and does not refrain from targeting government, healthcare, or critical infrastructure organizations. According to Sekoia, 73.9% of known Vice Society victims are in France, the United States, the United Kingdom, Spain, Italy, Germany, and Brazil. Samples utilized by Vice Society include HelloKitty ransomware variants alongside modernized Zeppelin ransomware payloads. The group has chosen to maintain a relatively low profile, possibly to avoid attracting the attention of law enforcement agencies; it has also done so by limiting the number of samples found in public repositories. CTIX continues to track threat actor activity worldwide and will provide additional updates accordingly.
Actors Exploit Follina to Download “Rozena” Backdoor
Threat actors have been actively exploiting the already patched "Follina" vulnerability, a remote code execution (RCE) flaw in the Microsoft Windows Support Diagnostic Tool (MSDT), in a phishing campaign to deploy a new remote shell backdoor known as "Rozena" on vulnerable Windows instances. Follina, tracked as CVE-2022-30190, is a flaw in the MSDT URI protocol handler that allows threat actors to weaponize Word documents so that remotely hosted malicious PowerShell scripts are executed locally, leading to arbitrary code execution (ACE) with the privileges of the calling application. Researchers from Fortinet have been monitoring this newest campaign and identified a Word document that exploits Follina to download Rozena once a victim has been lured into opening it. When opened, the malicious document connects to a Discord CDN attachment service to download an HTML file, which invokes msdt.exe via a PowerShell script. That script downloads a single batch file known as "cd.bat", which performs four (4) tasks: it downloads a second document as a distraction, erases any trace of the Follina exploitation, downloads Rozena, and finally deletes "cd.bat" itself. The distraction document is benign and is used to entice the victim into opening the malicious executable, which is disguised as a Word document and titled "Word.exe". Once the "Word.exe" Rozena file is executed, it creates a reverse shell back to the attacker-controlled host. From that point the threat actors can monitor the target and exfiltrate sensitive data, all while maintaining a persistent backdoor on the victim machine. CTIX analysts recommend that any Windows instances vulnerable to Follina be updated immediately with the latest patch. As a best practice, we recommend always scrutinizing emails and email attachments before clicking any links or files.
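The process chain described above (Office application spawning msdt.exe, which in turn runs PowerShell) is a pattern endpoint telemetry can be checked for. The following is an added example, not code from Fortinet's report: it walks constructed Sysmon-style process-creation records, finds msdt.exe processes with an Office ancestor, and raises confidence when a shell is spawned beneath them. The event field names (pid, ppid, image) and the sample events are assumptions constructed for the example.

```python
"""Added example, not from the Fortinet report: flag process-creation events
that match the Follina chain described above (Office application -> msdt.exe
-> PowerShell). The events are constructed Sysmon-style records and the field
names (pid, ppid, image) are assumptions."""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed sample: pid 300 is msdt.exe under Word; pid 600 is a user-run one.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": "msdt.exe"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe"},
    {"pid": 600, "ppid": 100, "image": "msdt.exe"},
    {"pid": 700, "ppid": 600, "image": "powershell.exe"},
]

def ancestors(events, pid):
    """Lower-cased image names of every ancestor of pid, nearest first."""
    by_pid = {e["pid"]: e for e in events}
    out, seen = [], set()
    while pid in by_pid and pid not in seen:  # seen-set guards against pid reuse loops
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            out.append(by_pid[pid]["image"].lower())
    return out

def children(events, pid):
    """Lower-cased image names of the direct children of pid."""
    return {e["image"].lower() for e in events if e["ppid"] == pid}

def find_follina_chains(events):
    """Map each msdt.exe pid that has an Office ancestor to its match reasons.
    A shell child raises confidence but is not required for a hit."""
    hits = {}
    for e in events:
        if e["image"].lower() != "msdt.exe":
            continue
        office = OFFICE_APPS & set(ancestors(events, e["pid"]))
        if not office:
            continue
        reasons = ["launched under " + ", ".join(sorted(office))]
        shells = SHELLS & children(events, e["pid"])
        if shells:
            reasons.append("spawned " + ", ".join(sorted(shells)))
        hits[e["pid"]] = reasons
    return hits
```

The Explorer-launched msdt.exe (pid 600) is deliberately not flagged even though it also runs PowerShell: the anomaly worth triaging is the Office application in the ancestry, not the diagnostic tool itself.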
"Rolling-PWN" Vulnerability Remotely Unlocks Honda Cars, Potentially Others
A team of researchers from Star-V Lab discovered a new vulnerability in Honda cars that allows the cars to be unlocked or started remotely. The vulnerability, dubbed "Rolling-PWN", has been tested on the popular Honda models Civic (2012 & 2022), X-RV (2018), C-RV (2020), Accord (2020), Odyssey (2020), Inspire (2021), Fit (2022), VE-1 (2022), and Breeze (2022), though the researchers theorize the attack works on most Honda models. The attack exploits the rolling code mechanism that is used to verify keyfob button presses and prevent replay attacks. Rolling codes are generated using a pseudorandom number generator algorithm that ensures each button press outputs a unique random string for authentication. Authentication also relies on a counter that prevents old codes from being used. The researchers discovered that the counter is "resynchronized" when multiple old codes are replayed in the correct sequence, resetting the counter back to the value of the old codes. This allows attackers to capture a series of valid consecutive codes and then replay them at any later point to unlock or start the car. If a car is started by the attacker, it cannot be driven, as the keyfob must be in close proximity to the vehicle while it is running. While this has been tested and proven to work against Honda vehicles, the researchers believe other brands may be affected. Honda has denied this vulnerability, stating "the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report." The company also questions the legitimacy of the videos, adding "in addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims." The issue has reportedly been verified by multiple independent journalists and researchers, contradicting Honda's statements.
If the issue is deemed valid by Honda, newer models may be able to receive a software update to fix the issue. Older models may prove more difficult to upgrade as they are not connected to the internet. CTIX analysts will continue to monitor the situation and will provide updates if any actions are required by Honda users.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.