
Ankura CTIX FLASH Update - June 20, 2023

Malware Activity

Researchers Observe New Custom "RDStealer" Malware in the Highly Targeted "RedClouds" Campaign 

"RDStealer," a new custom malware written in Go, has been observed in a highly targeted campaign tracked as "RedClouds," which has been ongoing since early 2022. The campaign has been targeting an East Asian company with the goals of credential theft and data exfiltration. It has yet to be attributed to a specific threat group, though researchers noted that the targeting aligns with "the interest of China-based threat actors" and that the tooling has the sophistication of a state-sponsored actor. RDStealer is a server-side implant that abuses the client drive redirection feature of Remote Desktop Services. It monitors incoming remote desktop protocol (RDP) connections that have client drive mapping enabled; once such a client connects, its drives become reachable from the session host under the \\tsclient UNC path, and RDStealer uses that path to plant the "Logutil" backdoor and additional custom malware on the connecting client and to exfiltrate sensitive information from it. The five modules of RDStealer are "a keylogger, a persistence establisher, a data theft and exfiltration staging module, a clipboard content capturing tool, and one controlling encryption/decryption functions, logging, and file manipulation utilities." CTIX analysts urge administrators to review the additional technical details of the campaign's attack chain in the original research, to incorporate the published indicators of compromise (IOCs) into their ongoing monitoring strategy, and, where drive redirection is not needed, to disable it on RDP session hosts (the "Do not allow drive redirection" Remote Desktop Session Host policy).
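Because the implant's defining behaviour is a process on the RDP session host reaching into the connecting client's redirected drives, one defensive check is to look at which processes on session hosts touch the \\tsclient namespace at all. The Python below is an added example written for this update, not code from the research or from the CTIX team; it runs over a constructed, Sysmon-like event stream (the hosts, users, image paths and file names are made up) and scores each hit by whether a person-driven process or a SYSTEM service did the writing.

```python
r"""Flag host-side writes into RDP-redirected client drives (the \\tsclient namespace).

Added example; not code from the CTIX report or from the RDStealer research.
The events below are constructed in a Sysmon-like shape (one JSON object per
line, EventID 11 = FileCreate, EventID 1 = ProcessCreate). The field names
follow Sysmon; the hosts, users and paths are made up for this example.
"""
import json
import re

# A client that connects with drive redirection exposes its drives to the
# session host as \\tsclient\<letter>. Any process on the host that writes
# under that path is writing onto the remote client's machine.
TSCLIENT_RE = re.compile(r"\\\\tsclient\\", re.IGNORECASE)

# Images a logged-on person would plausibly use to copy files over the
# redirected drive (lower-cased for comparison). Anything else touching
# \\tsclient, above all a service running as SYSTEM, deserves a look.
INTERACTIVE_IMAGES = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
}

# Constructed sample events (assumption: this is the shape the collector emits).
SAMPLE_EVENTS = r"""
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "User": "CORP\\alice", "TargetFilename": "\\\\tsclient\\C\\Users\\alice\\report.xlsx"}
{"EventID": 11, "Image": "C:\\ProgramData\\svc\\bithost.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetFilename": "\\\\tsclient\\C\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\alice", "CommandLine": "cmd.exe /c copy \\\\tsclient\\C\\tools\\notes.txt D:\\"}
{"EventID": 1, "Image": "C:\\ProgramData\\svc\\bithost.exe", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "bithost.exe --sync \\\\tsclient\\C\\Users\\bob\\Desktop"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetFilename": "C:\\Windows\\Temp\\cab123.tmp"}
"""


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _paths_of(event):
    """Return the string fields of an event that can carry a file path."""
    if event.get("EventID") == 11:
        return [event.get("TargetFilename", "")]
    if event.get("EventID") == 1:
        return [event.get("CommandLine", "")]
    return []


def find_tsclient_access(events):
    """Return (event, severity) for every event that touches a redirected drive.

    severity is "info" when an interactive user process did it (a person
    copying files, which is what the feature is for) and "high" when the actor
    is anything else, e.g. a service running as SYSTEM reaching into the
    client the way RDStealer does.
    """
    hits = []
    for ev in events:
        if not any(TSCLIENT_RE.search(p) for p in _paths_of(ev)):
            continue
        image = ev.get("Image", "").lower()
        user = ev.get("User", "")
        interactive = image in INTERACTIVE_IMAGES and not user.upper().startswith("NT AUTHORITY\\")
        hits.append((ev, "info" if interactive else "high"))
    return hits


def high_severity_images(events):
    """Distinct process images behind the high-severity hits."""
    return sorted({ev["Image"] for ev, sev in find_tsclient_access(events) if sev == "high"})


def main():
    for ev, sev in find_tsclient_access(parse_events(SAMPLE_EVENTS)):
        print(f"[{sev}] {ev['User']} via {ev['Image']}")


if __name__ == "__main__":
    main()
```

Legitimate users copy files over redirected drives all day, so the useful signal is not the path alone but the path combined with an unexpected image or a service account; in a real deployment the interactive allow-list and the account check would be tuned to the environment, and a write into a client's Startup folder, as in the second constructed event, would be escalated on its own.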

Threat Actor Activity

Threat Profile: Diicot 

A lesser-known threat group has become more active over the past several weeks by launching a new campaign that targets exposed SSH servers with malicious payloads. Known primarily for its technical depth and cryptojacking campaigns, the Diicot group (previously tracked as Mexals) has been active since 2020 and is believed to operate out of Romania. A distinctive characteristic of the group is its borrowing of the name, messaging themes, and imagery of DIICOT, the Romanian anti-terrorism and organized-crime directorate. Its tooling includes customized malware payloads and botnets, paired with a consistent preference for one intrusion method: in the most recent campaign, Diicot actors brute-force public-facing SSH servers with a deliberately small username and password list made up of common, default, or easy-to-guess combinations. Such a list trades coverage for speed and is designed to find organizations with a weak security posture rather than to crack a specific target; SSH servers that accept only key-based authentication are not affected by it at all. Diicot also routes command-and-control (C2) traffic through the popular Discord communication platform, sending HTTP POST requests to a webhook URL, which lets the actors exfiltrate data and signal without standing up their own C2 server. Lastly, Diicot engages in a fair amount of doxing of other hackers, specifically rival threat groups: a video hosted on Diicot servers leaked the personally identifiable information of several members of those groups. CTIX continues to track threat actor activity worldwide and will provide additional updates accordingly.
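Both halves of the Diicot tradecraft above leave recognisable traces: a short burst of failed SSH password logins against default accounts from one source, and HTTP POSTs to a Discord webhook URL from a machine that has no reason to post to Discord. The Python below is an added example, not part of the CTIX report or of any Diicot tooling; it runs over constructed sshd syslog lines and a constructed, simplified proxy log (timestamp, source, method, URL), both of whose layouts are assumptions made for this example.

```python
"""Detect the two Diicot-style signals: SSH password brute force and Discord webhook C2.

Added example; not code from the CTIX report or from any Diicot tooling.
AUTH_LOG and PROXY_LOG are constructed for this example; the proxy log layout
(time, source, method, url) is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime

SSH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
SSH_ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Diicot-style lists lean on defaults and trivially guessable accounts.
DEFAULT_USERS = {"root", "admin", "ubuntu", "pi", "oracle", "test", "user"}

# Discord webhooks live under /api/webhooks/<id>/<token> on discord.com or
# the older discordapp.com host (canary/ptb are the public test builds).
DISCORD_WEBHOOK_RE = re.compile(
    r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/\S+", re.IGNORECASE
)

AUTH_LOG = """\
Jun 19 03:14:01 bastion sshd[2210]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jun 19 03:14:03 bastion sshd[2210]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jun 19 03:14:05 bastion sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Jun 19 03:14:06 bastion sshd[2215]: Failed password for invalid user ubuntu from 203.0.113.7 port 41034 ssh2
Jun 19 03:14:08 bastion sshd[2218]: Failed password for invalid user pi from 203.0.113.7 port 41040 ssh2
Jun 19 03:14:10 bastion sshd[2221]: Accepted password for root from 203.0.113.7 port 41044 ssh2
Jun 19 08:02:11 bastion sshd[2400]: Failed password for alice from 198.51.100.9 port 50110 ssh2
Jun 19 08:02:20 bastion sshd[2400]: Accepted publickey for alice from 198.51.100.9 port 50110 ssh2
"""

PROXY_LOG = """\
2023-06-19T03:15:02Z 10.0.0.15 POST https://discord.com/api/webhooks/1234567890123456789/constructed-token
2023-06-19T03:15:40Z 10.0.0.15 POST https://discordapp.com/api/webhooks/1234567890123456789/constructed-token
2023-06-19T09:00:00Z 10.0.0.22 GET https://discord.com/channels/@me
2023-06-19T09:01:00Z 10.0.0.22 POST https://example.com/api/upload
"""


def _syslog_time(s):
    """Syslog stamps carry no year; 1900 is fine for measuring gaps."""
    return datetime.strptime(s, "%b %d %H:%M:%S")


def ssh_bruteforce_sources(log, window_s=60, threshold=4):
    """Return {ip: details} for sources with `threshold` failures inside `window_s` seconds.

    details lists the usernames tried, which of them are default accounts, and
    any password login that succeeded from the same source after the burst
    began (the case that turns an alert into an incident).
    """
    fails = defaultdict(list)    # ip -> [(time, user)]
    accepts = defaultdict(list)  # ip -> [(time, user, method)]
    for line in log.splitlines():
        m = SSH_FAIL_RE.match(line)
        if m:
            fails[m["ip"]].append((_syslog_time(m["ts"]), m["user"]))
            continue
        m = SSH_ACCEPT_RE.match(line)
        if m:
            accepts[m["ip"]].append((_syslog_time(m["ts"]), m["user"], m["method"]))

    verdicts = {}
    for ip, attempts in fails.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        burst = any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
                    for i in range(len(times) - threshold + 1))
        if not burst:
            continue
        users = sorted({u for _, u in attempts})
        verdicts[ip] = {
            "attempts": len(attempts),
            "users": users,
            "default_accounts": sorted(set(users) & DEFAULT_USERS),
            "success_after": sorted(u for t, u, meth in accepts.get(ip, [])
                                    if meth == "password" and t >= times[0]),
        }
    return verdicts


def discord_webhook_posts(proxy_log):
    """Return [(time, src, url)] for HTTP POSTs to Discord webhook endpoints.

    Ordinary Discord use is channel and gateway traffic; a POST straight to a
    webhook URL from a server is the shape of the C2/exfil channel above.
    """
    hits = []
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, method, url = parts
        if method == "POST" and DISCORD_WEBHOOK_RE.match(url):
            hits.append((ts, src, url))
    return hits


if __name__ == "__main__":
    for ip, info in ssh_bruteforce_sources(AUTH_LOG).items():
        print(f"brute force from {ip}: {info}")
    for ts, src, url in discord_webhook_posts(PROXY_LOG):
        print(f"webhook POST {ts} {src} -> {url}")
```

The brute-force detector is only a symptom check; the fix for the intrusion method itself is to set `PasswordAuthentication no` in sshd_config on anything internet-facing, after which a small default-credential list has nothing to guess. The webhook check is worth running against egress logs from servers specifically, where any Discord traffic, let alone a webhook POST, is unusual.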

Vulnerabilities

Microsoft Discloses the Patching of Critical Vulnerabilities Impacting Azure Cloud Infrastructure

Microsoft has disclosed the patching of two (2) critical vulnerabilities in its Azure cloud platform after Orca Security published a blog post with a working proof-of-concept (PoC). Of the two (2) bugs, one (1) impacts Azure Bastion and the other affects Azure Container Registry, with the Bastion flaw stemming from issues in Azure's Network Watcher connection troubleshooter. If exploited, these flaws could allow threat actors to conduct cross-site scripting (XSS) attacks, injecting malicious scripts into trusted Azure portal pages so that they execute in the browser of an unsuspecting victim. To be compromised, a victim with an active Azure portal session would need to be lured to an attacker-controlled web page. Successful exploitation could allow attackers to access the victim's session in Bastion or Container Registry, make configuration changes, tamper with privileged data, and move laterally. Microsoft is treating this as a bug class rather than an isolated incident, and a Microsoft spokesperson stated that its engineers have "updated their internal rules to improve scanning for this class of bug across all of Microsoft’s products and services" to prevent future XSS attacks of this type. Both vulnerabilities were patched by May 24, 2023, and there is currently no evidence that either flaw has been actively exploited in the wild. Because the fixes were applied on Microsoft's side of the Azure portal, there is no customer patch to install; CTIX analysts nonetheless recommend that Azure administrators keep their Azure resources and management tooling up to date and review their Azure activity logs for unexpected Bastion or Container Registry configuration changes made through the portal before the fix date.

Honorable Mention

100,000 ChatGPT Account Credentials Sold on Dark Web, Stolen via Information Stealer Malware

Over the past year, more than 100,000 OpenAI ChatGPT account credentials have been stolen by information stealer malware and posted to illicit marketplaces on the dark web. The credentials were discovered within information stealer logs offered for sale on underground cybercrime sites. Leaked ChatGPT credentials peaked in May 2023, when threat actors posted roughly 26,800 new credential pairs. Over the last year, info-stealer logs containing ChatGPT credentials have most heavily affected the Asia-Pacific region, which accounts for 41,000 compromised accounts; India accounted for 12,632 of those and was the most affected country. Other heavily hit countries include Pakistan, Brazil, Vietnam, Egypt, and the United States. Researchers found that the Raccoon stealer was the source of 80% of the stolen ChatGPT logs, followed by Vidar at 13% and RedLine at 7%. Because ChatGPT retains user conversations by default, threat actors who obtain account credentials may find troves of sensitive information as more enterprises integrate ChatGPT into their operational flows and individual users leverage the tool to work on proprietary source code, internal business strategy, or sensitive correspondence. Information stealers in general have become a popular tool among cybercriminals because they harvest passwords, cookies, credit card numbers, and other account data stored by email clients, web browsers, instant messengers, gaming services, cryptocurrency wallets, and more. CTIX analysts recommend that users secure their accounts with two-factor authentication to prevent account takeover and consider disabling ChatGPT's default retention of chat history. Note that stealer logs typically include browser session cookies alongside passwords, and a stolen session token bypasses two-factor authentication until it expires or is revoked; anyone whose credentials appear in a stealer log should change the password, sign out of all active sessions, and treat the device the log came from as infected.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

article, cyber response, cybersecurity & data privacy, data privacy & cyber risk
