Ankura CTIX FLASH Update - June 4, 2024

Ransomware/Malware Activity


Fake Web Browser Updates Used to Deploy LummaC2 and BitRAT 

Researchers at eSentire’s Threat Response Unit (TRU) have reported on a malware campaign, active in May 2024, that uses fake Chrome update webpages to trick users into downloading information-stealing malware. In this latest campaign, users are directed to a fake Chrome browser update page after visiting a compromised website. Users are urged to click a link to download the update, which downloads a zip file called “”. Once opened, a malicious JavaScript file, “Update.js”, executes PowerShell scripts that retrieve malicious files serving as the loaders, persistence mechanisms, and final payloads of BitRAT and LummaC2 (aka Lumma Stealer). BitRAT is categorized as a Remote Access Tool, but also includes an XMR miner for cryptocurrency mining, a webcam live feed, keylogger functionality, and a file manager with zip compression, among other capabilities. LummaC2 is a very popular infostealer that targets web browsers, crypto wallets, and other sensitive data repositories. LummaC2 has been available to threat actors as Malware-as-a-Service since August 2022 and rose to be one of the most prevalent information stealers in 2023. While spreading malware via fake browser updates is not new, it is worth reporting to stress the importance of security awareness training for end users. eSentire notes that in April 2024 fake updates were also used to lure victims into installing FakeBat, and that prior to that SocGholish was spread using a similar technique. CTIX analysts recommend that organizations educate users on these types of malware campaigns. CTIX analysts will continue to report on new and emerging malware and associated campaigns.
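The execution chain described above (a script host running a .js file from a user-writable folder, which then starts PowerShell) can be hunted in process-creation telemetry. The following is an added example, not code from eSentire or CTIX; the field names follow Sysmon Event ID 1, while the `Host` field, the path heuristic, the severity labels, and all sample events are assumptions constructed for illustration.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumed heuristic: a .js argument under a user-writable profile folder,
# which also covers files opened from inside a zip (extracted to Temp).
USER_JS = re.compile(
    r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\.*\.js\b", re.I)
# PowerShell commands and classes commonly used to retrieve remote content.
FETCH = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|net\.webclient"
    r"|downloadstring|downloadfile|start-bitstransfer", re.I)

def basename(path):
    return ntpath.basename(path).lower()

def classify(event):
    """Return None, 'medium' or 'high' for one process-creation event."""
    if basename(event["Image"]) not in POWERSHELL:
        return None
    if basename(event["ParentImage"]) not in SCRIPT_HOSTS:
        return None
    if not USER_JS.search(event["ParentCommandLine"]):
        return None
    # PowerShell launched by a user-folder script is suspicious on its own;
    # a network retrieval in the child command line raises the severity.
    return "high" if FETCH.search(event["CommandLine"]) else "medium"

def hunt(events):
    return [(e["Host"], sev) for e in events if (sev := classify(e))]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
# Constructed sample events (not taken from the campaign).
EVENTS = [
    {"Host": "WS-01", "Image": PS, "ParentImage": WS,
     "CommandLine": "powershell.exe -c iwr https://example.invalid/x",
     "ParentCommandLine": WS + r' "C:\Users\alice\AppData\Local\Temp\Temp1_archive.zip\Update.js"'},
    {"Host": "WS-02", "Image": PS, "ParentImage": WS,
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date",
     "ParentCommandLine": WS + r' "C:\Users\bob\Downloads\Update.js"'},
    {"Host": "WS-03", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe", "ParentCommandLine": "explorer.exe"},
    {"Host": "SRV-01", "Image": PS, "ParentImage": WS,
     "CommandLine": "powershell.exe -File inventory.ps1",
     "ParentCommandLine": WS + r' "C:\Program Files\Vendor\logon.js"'},
]

if __name__ == "__main__":
    for host, severity in hunt(EVENTS):
        print(host, severity)
```
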


Threat Actor Activity


OpenAI Reports Successful Use of Their Tools by Threat Actors and Nation States

OpenAI published a report last week stating that several government-linked threat actors have been observed abusing the model and using the tool for influence operations. Over the last three (3) months alone, OpenAI said it has disrupted as many as five (5) campaigns carrying out influence operations. OpenAI detected campaigns from Russian, Chinese, Iranian, and Israeli threat actors linked to various government and political entities. OpenAI reported that the groups whose operations were disrupted were using AI "to some degree, but none used it exclusively." The report revealed that the campaigns leveraged the company's tools in a variety of ways, but mostly generated content in the form of texts and photos to create articles and social media posts. The threat actors were also seen using the tools to debug code and to fake social media engagement by creating artificial content that was reinforced with fake comments. The current conflicts around the world, along with multiple elections happening this year, have heightened concerns about how bad actors might be able to use generative AI. As reassurance, however, the company said none of the influence campaigns it disrupted received a score higher than a two (2) out of six (6) on the "Breakout Scale", a metric that measures how influential malicious activity is to an audience. While there were a handful of campaigns using the company's tool that had to be disrupted, OpenAI also reported that there were many instances where built-in guardrails in the software prevented threat actors from achieving success in the first place.




CISA Adds Linux and Check Point Vulnerabilities to the KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two (2) high-severity vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. The first vulnerability, tracked as CVE-2024-1086, involves a use-after-free bug in the Linux kernel's netfilter component, allowing local attackers to escalate privileges to root and possibly execute arbitrary code. Despite a fix in January 2024, public exploits released in March led to potential compromises. The second vulnerability was reported on by CTIX in the May 31, 2024 FLASH Update. Tracked as CVE-2024-24919, this flaw affects Check Point network gateway security products, enabling attackers to access sensitive information on systems with remote access VPN or mobile access enabled. CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies apply patches for both flaws no later than June 20, 2024, and suggests implementing mitigation techniques like blocklisting “nf_tables” and using the Linux Kernel Runtime Guard. CTIX urges any administrators affected by these vulnerabilities to patch them immediately to avoid future exploitation.
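Whether the “nf_tables” blocklist mitigation is actually in effect on a host can be checked from the contents of /proc/modules and the modprobe.d configuration files. The following is an added example, not code from CISA or CTIX; the status names and the sample file contents are assumptions constructed for illustration.

```python
# Targets that make an "install <module> <cmd>" line refuse to load the module.
BLOCKERS = {"/bin/false", "/bin/true", "/usr/bin/false", "/usr/bin/true"}

def directives(conf_text, module):
    """Yield (keyword, args) for modprobe.d lines that name `module`."""
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ("blacklist", "install"):
            if parts[1].replace("-", "_") == module:
                yield parts[0], parts[2:]

def audit(proc_modules, conf_texts, module="nf_tables"):
    """Classify the mitigation state from file contents passed as strings."""
    loaded = any(line.split()[0] == module
                 for line in proc_modules.splitlines() if line.strip())
    blacklisted = hard_blocked = False
    for text in conf_texts:
        for keyword, args in directives(text, module):
            if keyword == "blacklist":
                blacklisted = True
            elif args and args[0] in BLOCKERS:
                hard_blocked = True
    if loaded:
        return "LOADED"         # config has no effect until the module is unloaded
    if hard_blocked:
        return "BLOCKED"        # modprobe runs the stub instead of loading
    if blacklisted:
        return "AUTOLOAD_ONLY"  # alias autoload stopped; explicit modprobe still works
    return "UNMITIGATED"

# Constructed sample inputs, in the formats of /proc/modules and modprobe.d.
PROC_LOADED = ("nf_tables 311296 0 - Live 0x0000000000000000\n"
               "nfnetlink 20480 1 nf_tables, Live 0x0000000000000000\n")
PROC_CLEAN = "ext4 1142784 1 - Live 0x0000000000000000\n"
CONF_BLACKLIST = "# CVE-2024-1086 mitigation\nblacklist nf_tables\n"
CONF_INSTALL = "install nf_tables /bin/false\n"

if __name__ == "__main__":
    print(audit(PROC_LOADED, [CONF_BLACKLIST]))
    print(audit(PROC_CLEAN, [CONF_BLACKLIST]))
    print(audit(PROC_CLEAN, [CONF_BLACKLIST, CONF_INSTALL]))
    print(audit(PROC_CLEAN, []))
```

On a live host, pass the text of /proc/modules and of each file under /etc/modprobe.d; blocking the module also disables any nftables-based firewall ruleset, so check for that dependency before applying the mitigation.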


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice

