New Malvertising Campaign Spotted Disguising as Legitimate Windows News Portal
A new malvertising campaign has been identified disguising as the legitimate Windows news portal "WindowsReport[.]com" to distribute a malicious installer for the "CPU-Z" processor tool. The campaign is noted to be a part of a large-scale malvertising campaign that has been observed targeting other applications, such as Notepad++, Citrix, and VNC Viewer. Researchers identified a malicious ad at the top of provided search results when searching for "cpu-z", which is a common utility for Windows end-users for troubleshooting their machine. If clicked, the malicious ad redirects the user to a domain impersonating WindowsReport[.]com and uses content directly from the legitimate portal. Researchers emphasized that several additional domains are hosted on the same IP address that are also used in malvertising campaigns. The campaign's payload is a digitally signed installer that contains a loader known as "FakeBat". The loader contains a remote payload for "Redline Stealer" as well. CTIX analysts will continue to monitor malvertising campaigns as they continue to evolve. Indicators of compromise (IOCs) can be viewed in the report linked below.
Threat Actor Activity
North Korean Threat Group BlueNoroff Observed Utilizing New macOS Malware Strain
BlueNoroff (otherwise known as Saphire Sleet or APT38), a North Korean-linked hacking group, has been attributed to targeting financial institutions with a new undocumented malware strain targeting macOS. BlueNoroff is an advanced persistent threat (APT) group that is a subgroup of North Korea's notorious Lazarus Group. Having been first recognized in 2014, the threat group is known to run typical North Korean cyber campaigns focused on attacking financial institutions, cryptocurrency companies, and military entities in leu of growing their nuclear weapons and ballistic missile programs. As part of their larger "RustBucket" malware campaign, BlueNoroff's current financially motivated attacks have targeted cryptocurrency exchanges, venture capital firms, and banks with a starkly simplistic new malware called “ObjCShellz”. The initial access vector is currently unknown; however, it is presumed the malware is delivered through social engineering attacks where attackers disguise themselves as potential partners, investors, or headhunters, which is common in the RustBucket campaign. The malware was not initially present on VirusTotal, but later had submissions in September and October of 2023 originating from Japan and the United States. A domain in the code appears to be linked to a cryptocurrency company, showing communication with a typosquat domain of the cryptocurrency exchange “swissborg[.]com/blog”. This is common practice for the threat actor based on the patterns of previous attacks where the attacker creates a domain looking to be a legitimate crypto or financial company to blend in with network activity. CTIX analysts will stay up to date with relevant updates concerning this campaign.
CISA Adds Actively Exploited SLP Vulnerability to KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an actively exploited high-severity vulnerability in the Service Location Protocol (SLP) to their Known Exploited Vulnerabilities (KEV) catalog. SLP enables systems on a local area network (LAN) to discover and enable generic hardware and software services such as those for printers or file/email servers. The flaw, tracked as CVE-2023-29552, received a CVSS score of 7.5/10 and allows for denial-of-service (DoS) attacks if successfully exploited. This vulnerability also allows for DoS amplification attacks, significantly threatening networks by allowing attackers to register services and send spoofed UDP traffic. While the specific details of the exploitation are unknown at this time, the threat is severe enough that all federal civilian executive branch (FCEB) agencies are mandated to implement mitigation techniques, such as disabling the SLP service on systems within untrusted networks by no later than November 29, 2023. CTIX analysts will continue to follow the exploitation of this vulnerability and provide updates when applicable.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (email@example.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.