Malware Activity
New Domino Backdoor Suspected to be a Collaboration Between Former Conti Members and FIN7
Researchers have observed a new backdoor dubbed "Domino" that they believe was likely developed by the Russian cybercriminal group FIN7 and has been used by former Conti affiliates since at least February 2023. This attribution rests on code overlaps between the Domino Backdoor and the "Lizar" malware family (also known as "Tirion" and "Diceloader"), which is linked to FIN7. Lizar is known to collect sensitive information from the "clipboard, Discord, web browsers, crypto wallets, VPN services, and other apps." Domino's role is to gather victim system information and send it to its command-and-control (C2) server, which returns an AES-encrypted payload. Researchers emphasized that the returned payload, named "Domino Loader," is a second-stage payload that also shares code overlaps with the Domino Backdoor. Domino is currently being used to deliver "either the Project Nemesis information stealer or more capable backdoors such as Cobalt Strike" and has been observed being delivered by the Dave Loader (which has been linked to Conti/Trickbot). Domino has been active in the wild since at least October 2022. Additional technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.
Threat Actor Activity
SimpleHelp Remote Support Software Used by Iranian Hackers for Persistent Access
The Iranian threat actor known as MuddyWater, assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS), has a history of deploying legitimate remote administration tools to targeted systems, specifically those of other Middle Eastern countries and the U.S. Having previously leveraged ScreenConnect, RemoteUtilities, and Syncro, the nation-state group this time obtained SimpleHelp legitimately from the vendor's official website and used it in its attacks. SimpleHelp is a remote device control and management tool, and MuddyWater is using it to establish persistence on targeted devices. MuddyWater was first seen leveraging SimpleHelp as far back as June 2022. However, it is still unclear how the software is distributed to victim devices and what further actions are taken once it is installed. Researchers believe that spear-phishing emails sent from previously compromised email accounts carry malicious links that download SimpleHelp, after which MuddyWater can use Fast Reverse Proxy (FRP) or Ligolo to maintain persistence and extract information for final collection or additional lateral movement. A report released in January of this year detailed MuddyWater's attacks in Saudi Arabia and Egypt, where SimpleHelp was used to deploy the Ligolo reverse tunneling tool and harvest credentials using MKL64. CTIX continues to monitor threat organizations around the globe and will provide additional details accordingly.
Vulnerabilities
Google Patches First Actively Exploited Zero-day Vulnerability of 2023
Google has just released an emergency security update for a critical zero-day vulnerability in the Chrome browser that is being actively exploited by threat actors in the wild. The flaw, tracked as CVE-2023-2033, is a type confusion vulnerability in the V8 JavaScript engine of the Chrome browser. The vulnerability stems from the engine allocating a resource as one type but later accessing it as another type. This causes logic errors because the resource does not have the properties the accessing code expects, which can lead to out-of-bounds memory access. If successfully exploited, this vulnerability could allow threat actors to crash the target browser, as well as execute arbitrary code by reading or writing memory outside buffer bounds. The flaw was discovered by a researcher at Google's own Threat Analysis Group (TAG) and, at this time, the technical details of the exploit are being withheld to allow as many Chrome users as possible to patch their vulnerable systems first. This update patches the desktop versions of the Chrome browser for Windows, Mac, and Linux; mobile updates will be released in the coming weeks. This is the first actively exploited Chrome zero-day of 2023, and CTIX analysts recommend that all users ensure their desktop browsers are running the most recent update and monitor for the release of the forthcoming mobile patches.
- Bleeping Computer: CVE-2023-2033 Article
- Dark Reading: CVE-2023-2033 Article
- Google: CVE-2023-2033 Advisory
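The type confusion pattern described in the CVE-2023-2033 summary, reduced to a constructed C illustration (this is added example code, not V8's object model and not taken from any of the linked advisories): one allocation can hold either of two layouts, a tag records which is valid, and an accessor that skips the tag check reads a field that does not exist for the object it was handed. The hardened accessors re-validate the tag at the point of use, so a confused object is rejected before any bounds check is built on a meaningless length. The object kinds, field names and the sample value `0.1` are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration: one allocation, two possible layouts, and a
 * consumer that trusts the wrong one. Not V8's object model. */
typedef enum { KIND_NUMBER = 1, KIND_ARRAY = 2 } obj_kind;

typedef struct {
    obj_kind kind;              /* which union member is valid */
    union {
        double number;          /* layout A: a boxed number */
        struct {                /* layout B: a byte array */
            uint32_t length;
            uint8_t *data;
        } array;
    } u;
} obj;

static obj *alloc_number(double d) {
    obj *o = calloc(1, sizeof *o);      /* calloc: padding is zeroed */
    if (o) { o->kind = KIND_NUMBER; o->u.number = d; }
    return o;
}

static obj *alloc_array(const uint8_t *src, uint32_t len) {
    obj *o = calloc(1, sizeof *o);
    if (!o) return NULL;
    o->kind = KIND_ARRAY;
    o->u.array.length = len;
    o->u.array.data = malloc(len ? len : 1);
    if (!o->u.array.data) { free(o); return NULL; }
    memcpy(o->u.array.data, src, len);
    return o;
}

static void free_obj(obj *o) {
    if (!o) return;
    if (o->kind == KIND_ARRAY) free(o->u.array.data);
    free(o);
}

/* Defect pattern: the accessor assumes the object is an array and never
 * re-checks the tag. Applied to a KIND_NUMBER object it returns whichever
 * bytes of the double overlap the length field, so any bounds check built on
 * that value would permit reads far outside the (non-existent) array. */
static uint32_t array_length_unchecked(const obj *o) {
    return o->u.array.length;
}

/* Hardened form: validate the tag where the field is used and report a
 * mismatch instead of interpreting bytes that belong to another layout. */
static int array_length_checked(const obj *o, uint32_t *out) {
    if (!o || o->kind != KIND_ARRAY) return -1;
    *out = o->u.array.length;
    return 0;
}

/* Element read that refuses both a confused object and an out-of-range index. */
static int array_get(const obj *o, uint32_t idx, uint8_t *out) {
    uint32_t len;
    if (array_length_checked(o, &len) != 0) return -1;
    if (idx >= len) return -1;
    *out = o->u.array.data[idx];
    return 0;
}

/* Runs the comparison and returns 1 when every expected outcome holds. */
static int run_checks(void) {
    const uint8_t sample[3] = { 10, 20, 30 };   /* constructed array contents */
    obj *n = alloc_number(0.1);                 /* 0.1 has nonzero bytes in both halves */
    obj *a = alloc_array(sample, 3);
    uint32_t len = 0; uint8_t byte = 0; int ok = 1;
    if (!n || !a) { free_obj(n); free_obj(a); return 0; }

    /* Confused read: a huge "length" conjured from the double's bit pattern. */
    ok &= array_length_unchecked(n) > 1000;
    /* Checked read: the mismatch is detected instead. */
    ok &= array_length_checked(n, &len) == -1;
    ok &= array_length_checked(a, &len) == 0 && len == 3;
    ok &= array_get(a, 2, &byte) == 0 && byte == 30;
    ok &= array_get(a, 3, &byte) == -1;   /* out of range */
    ok &= array_get(n, 0, &byte) == -1;   /* wrong kind */

    free_obj(n); free_obj(a);
    return ok;
}

int main(void) {
    printf("checks %s\n", run_checks() ? "passed" : "failed");
    return 0;
}
```

The unchecked accessor is the shape of the bug the advisory describes: nothing is corrupted in memory, the code simply believes an object is something it is not, and a length field read through the wrong layout then steers a later out-of-bounds access. The fix is not exotic; it is re-checking the type where the assumption is consumed.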
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC, its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.