Malware Activity
Researchers Begin Publishing Report Series on the Fully Undetectable Malware Obfuscation Engine "BatCloak"
Researchers have released the first report of a three (3) part series about "BatCloak," a fully undetectable (FUD) malware obfuscation engine that has been used to deploy malware strains since September 2022. FUD refers to "a type of malicious software designed to evade antivirus and security solutions" and may combine techniques such as encryption, obfuscation, and polymorphism. Researchers emphasized that the identified samples of BatCloak grant actors "the ability to load numerous malware families and exploits with ease through highly obfuscated batch files," and noted that 80% of the 784 reviewed samples had zero (0) detections from security solutions. The BatCloak engine is described as the core component of an open-source batch file loader called Jlaive. Jlaive was previously available on GitHub and GitLab in September 2022, and its main capabilities are bypassing the Antimalware Scan Interface (AMSI) and compressing and encrypting the primary payload in order to evade security detection. Since its removal from GitHub/GitLab, actors have cloned and modified the tool. Researchers explained that "Jlaive uses BatCloak as a file obfuscation engine to obfuscate the batch loader and save it on a disk." Additional technical details of BatCloak's capabilities and history can be viewed in the report linked below.
Threat Actor Activity
Pink Drainer Drains $3 Million From Crypto Users
A newly discovered social engineering campaign is actively exploiting users on the Twitter and Discord social platforms and causing victims to lose thousands in cryptocurrency. The campaign is currently attributed to a threat group tracked as Pink Drainer, aptly named after the Ethereum Name Service (ENS) name seen in the attacks, “pink-drainer[.]eth.” Pink Drainer's recent campaign revolves around the compromise of legitimate Twitter and Discord accounts and the distribution of malicious website URLs through those compromised accounts. Specific to Discord, threat actors would initially spear phish the account holder, build trust by posing as media journalists, then send a maliciously crafted link, with the end result often being theft of the user’s Discord token. By using a legitimate user account to disseminate these malicious links, the actors gain increased trust, which leads to a higher rate of successful social engineering compromises; in this campaign that includes the theft of millions of dollars in various cryptocurrencies. Pink Drainer actors also employ persistence tactics, including removing moderators/administrators from the affected servers and escalating user accounts to Discord administrative rights, allowing the phishing posts to remain live for an extended amount of time. This campaign has been ongoing for just one (1) month and has already stolen over 3 million dollars in assets from over 1,900 individuals. CTIX continues to urge users to validate the integrity of any digital communications prior to opening any links or downloading any attachments to lessen the risk of threat actor compromise.
Vulnerabilities
Second Vulnerability in MOVEit Transfer Gets Patched
UPDATE: Progress Software, the manufacturer of the recently compromised and popular managed file transfer (MFT) software solution MOVEit Transfer, has announced that it has identified and patched a second zero-day vulnerability within the software. These findings come as more organizations that fell victim to exploitation begin to come forward. This new vulnerability is another SQL injection flaw, tracked as CVE-2023-35036, that could allow unauthenticated threat actors to gain unauthorized access to MOVEit Transfer database instances. An attacker could exploit this vulnerability by sending a maliciously crafted payload to a vulnerable MOVEit Transfer endpoint, allowing modification of the database and exfiltration of the data within. Exploitation of the original flaw, tracked as CVE-2023-34362, was attributed to threat actors affiliated with the notorious Cl0p ransomware group. The attribution was initially based on similar tactics, techniques, and procedures (TTPs) utilized by Cl0p actors in other breaches such as GoAnywhere MFT, where their tactic of extorting victims without encrypting any of the data within the victim's infrastructure was used. Since then, Cl0p has claimed responsibility for the campaign and published an extortion note on June 7, 2023. They claimed to have successfully compromised hundreds of organizations and ordered the victims to self-report to Cl0p threat actors to begin ransom negotiations or risk having their confidential data leaked to the public. This campaign is highly sophisticated, and researchers state that Cl0p affiliates may have been experimenting with the initial zero-day vulnerability as far back as 2021. The identification of a second vulnerability supports the claims made by researchers that the design of file transfer platforms is fundamentally flawed and that patching single vulnerabilities will only defend organizations until threat actors find another way to conduct the same type of exploitation.
At this time, there is no indication that the second vulnerability is being actively exploited. CTIX analysts recommend that any organizations utilizing MOVEit Transfer or Cloud update their software immediately as well as conduct an internal investigation to look for signs of exploitation. New findings for this campaign are being published weekly, and the Ankura CTIX team will continue to monitor the situation and inform our readers of new and interesting information.
- Bleeping Computer: MOVEit Transfer Article
- The Record: MOVEit Transfer Article
- Progress Software: MOVEit Transfer Advisory
- Kroll: MOVEit Transfer Report
Honorable Mention
Moonlighter Satellite Enters Orbit for Simulated Cyber-Attacks
Moonlighter, a five (5) kilogram mini-satellite, will be the hacking target of five (5) teams during the DEF CON security conference in Las Vegas this August. The shoebox-sized satellite is currently in low-Earth orbit after being launched into space aboard SpaceX's Falcon 9. The goal at DEF CON is for the hackers to figure out a method of hijacking the satellite, but the satellite's main mission is to help researchers further safeguard satellite systems from being hacked by offering professional hackers a playground in which to perform cyber exercises. Previous satellite cyberattacks have been recorded, such as the European Space Agency's ethical hacking exercise back in April 2023, or the security researcher who hacked SpaceX's Starlink satellite in 2022 as part of their bug bounty program. The Moonlighter satellite is special, though, because its communication method does not rely on ground-based stations for communication and commands. Moonlighter is therefore much more resilient and autonomous, being able to maintain communication during compromised situations and ultimately allowing for space-based cyber experiments that are "repeatable, realistic, and secure." Satellite security has been an ever-growing concern, with NASA having warned about the consequences of hackers disrupting communications between spacecraft and ground control back in 2008. The Cyberspace Solarium Commission recently recommended that the U.S. add space as a critical infrastructure sector, encouraging greater efforts to protect satellites and space systems against cyber-attacks. Satellite security was highlighted again more recently during the Russian-Ukrainian conflict, where satellites have been targeted to disrupt communications at critical times. Simulated cyber-attacks and other space-based cyber experiments will help create a more cyber-resilient architecture for the future, one better equipped to protect the "next frontier" of cyberspace.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.