Ransomware/Malware Activity
New NullMixer Malware Campaign Spreading Through Cracked Software Websites
An emerging campaign was recently discovered by Kaspersky researchers spreading the "NullMixer" malware. NullMixer exfiltrates victims' credentials, addresses, credit card data, cryptocurrencies, as well as Facebook and Amazon account credentials by capturing all information entered with the device's keyboard. Researchers emphasized that currently 47,500 individuals have been attacked with NullMixer and the malware is distributed by cracked software websites. The operators of NullMixer were observed using "professional SEO [search engine optimization] tools" in order to have their websites appear in the early results of an online search. It is common for those downloading content illegally to receive adware or other low-end malware, but NullMixer is described as "far more dangerous" due to its ability to download many malicious files at once (such as "downloaders, spyware, backdoors, bankers and other threats"), potentially leading to a large-scale infection of a victim network. The infection chain involves the victim attempting to download software from a malicious site and repeatedly being redirected to a page containing a password-protected archived program with detailed instructions. Following the instructions leads the victims to downloading NullMixer, which has the potential of downloading infamous malware such as "RedLine Stealer" and "Disbuk" (also known as "Socelar"). Researchers noted that the most targeted countries of this campaign are the United States, Germany, France, Italy, Turkey, Russia, Egypt, India, and Brazil. CTIX analysts recommend all users download legitimate software from trustworthy websites to help mitigate the risk of threat actors utilizing their machine as an initial access point into their network.
Threat Actor Activity
Threat Profile: Metador
An emerging threat group dubbed Metador has been explicitly targeting universities, telecommunication companies, and internet service providers throughout Africa and the greater Middle East. Metador, named after a code signature in one (1) of their attacks, is an up-and-coming threat group believed to be conducting collection operations on behalf of a nation state, but have yet to be attributed to a specific country. Attributed malicious programs utilized by Metador include "metaMain" and "Mafalda" which operate solely within Windows memory space and never write to the disk, making discovery difficult for anti-virus defenses. Additional payloads uncovered from Metador attacks are "CryShell", a network connection bouncer for command-and-control (C2) communications, and an unnamed Linux malware which routes pilfered materials from machines to Mafalda. While Metador has not been attributed to a country or government entity at this time, indicators reveal the threat actors are fluent in English and Spanish and make references to British punk music and Argentinian political animations. CTIX will continue to monitor activity surrounding the Metador group and other threat organizations worldwide providing updates accordingly.
Vulnerabilities
Sophos Firewall Vulnerable to Critical Zero-day RCE Attack
Security software and hardware vendor Sophos has patched a critical zero-day firewall vulnerability that is being actively exploited in-the-wild, targeting a specific set of organizations in the South Asia region. The flaw, tracked as CVE-2022-3236 (with a CVSS score of 9.8/10), is a code injection vulnerability discovered in the User Portal and Web administration components of the Sophos Firewall product. If exploited, this flaw could allow malicious attackers to conduct arbitrary remote code execution (RCE). The specific technical details surrounding the attacks have not yet been published due to Sophos' ongoing post-compromise investigation, and it's highly likely that a proof-of-concept (PoC) exploit will be published in the coming weeks. This isn't the first Sophos firewall vulnerability this year; in March, another zero-day Sophos Firewall flaw tracked as CVE-2022-1040 (also with a CVSS score of 9.8/10) was actively exploited in a "highly-targeted" attack campaign. Threat actors were able to exploit CVE-2022-1040, an authentication bypass vulnerability, to perform RCE, allowing them to conduct a man-in-the-middle (MITM) attack to pilfer sensitive network data. Post-compromise analysis of the March attack attributed the activity to a Chinese state-sponsored threat actor known as "DriftingCloud," and coincidently, the threat group was also targeting a specific unnamed South Asian victim. This suggests that the two (2) campaigns may be associated with the same actor and/or same campaign, however that cannot be said with high confidence until the details of this latest vulnerability become public so that the tactics, techniques, and procedures (TTPs) of the two (2) attacks can be compared. This vulnerability has been patched by Sophos, and customers utilizing the company's firewall products should ensure that they are running the most up-to-date version of the software to prevent exploitation. In the event that the firewalls can't be updated immediately, Sophos has provided manual mitigation techniques, urging their customers to "Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central (preferred) for remote access and management." CTIX analysts will continue to monitor this vulnerability, and an update may be released in future issues.
- Bleeping Computer: CVE-2022-3236 Article
- The Hacker News: CVE-2022-3236 Article
- Sophos: CVE-2022-3236 Security Advisory
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
