Malware Activity
Internet Explorer Zero-Day Leads to Zero-Click RokRAT Infections
Threat Actor “ScarCruft” (AKA “APT37” or “RedEyes”) has allegedly exploited an Internet Explorer zero-day flaw to deliver zero-click malware through toast advertisements. ScarCruft is a hacking group tied to North Korea and is known for targeting victims in South Korea and Europe with phishing, watering hole, and zero-day attacks. In a large-scale attack in May 2024, ScarCruft exploited a zero-day vulnerability in Internet Explorer to install the RokRAT malware on victim systems. RokRAT is designed to exfiltrate data to Yandex cloud storage, log keystrokes, monitor for clipboard changes, and capture screenshots every three (3) minutes. ScarCruft has been known to use RokRAT in its attacks over the past few years. Cybersecurity researchers notified Microsoft of the campaign and the flaw in August 2024, and although Internet Explorer is out of support, Microsoft released a security update to address the vulnerability, tracked as CVE-2024-38178. ScarCruft carried out the campaign by compromising the server of a domestic advertising agency, which served the malicious toast ads within a free software product widely used in South Korea. Toast ads are pop-ups embedded in software to display notifications or advertisements. The attacker-crafted advertisements contained a malicious iframe that caused a JavaScript file to trigger remote code execution via the flaw in Internet Explorer’s “JScript9.dll” file. The malware payloads are injected into the explorer.exe process to evade detection. A payload, “rubyq.exe”, is dropped into Windows startup and scheduled to execute every four (4) minutes. Although Internet Explorer is out of support, it can still be embedded in third-party software, and that software may not have incorporated the latest update that fixes this flaw. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
- Bleeping Computer Article: Malicious Ads Article
- Ahn Lab Blog Post: Joint Report on Microsoft Zero-Day
Threat Actor Activity
SideWinder APT Amplifying Multi-Stage Attacks Across Middle East, Africa, and More
The advanced persistent threat (APT) group SideWinder, with suspected ties to India, has launched a series of sophisticated cyberattacks targeting high-profile entities and strategic infrastructure across Asia, the Middle East, Africa, and Europe. Known for targeting rivals in Pakistan, Afghanistan, China, and Nepal since 2012, SideWinder has expanded its geographic reach, recently attacking entities in Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, and the UAE. The group's targets span various sectors, including government, military, logistics, telecommunications, financial institutions, universities, and oil trading companies, as well as diplomatic entities in multiple countries. Central to these attacks is a new post-exploitation toolkit dubbed "StealerBot", a modular implant designed for espionage. The attack chain begins with spear-phishing emails containing malicious attachments, leading to a multi-stage infection process that ultimately deploys StealerBot. This malware, developed in .NET, supports a range of espionage activities, including keystroke logging, password theft, file theft, and privilege escalation. SideWinder employs a variety of tactics to deliver its payloads, such as remote template injection and exploitation of known vulnerabilities like CVE-2017-11882. Despite being perceived as a low-skilled group because of its use of public exploits and remote access trojans (RATs), its operations reveal advanced capabilities that pose a significant threat. CTIX analysts recommend that organizations review SideWinder’s indicators of compromise (IoCs) to better detect and defend against a potential attack. These IoCs include malicious documents, .rtf and .lnk files, and various modules of StealerBot, along with a list of malicious domains and IP addresses associated with the attacks.
- The Hacker News: SideWinder Article
- Dark Reading: SideWinder Article
- Secure List: SideWinder IoCs Report
Vulnerabilities
Kubernetes Image Builder Vulnerability Allows Attackers to Obtain Root Access
Two vulnerabilities have been found in Kubernetes Image Builder, one of them critical, that could allow attackers to gain unauthorized root access to virtual machines (VMs) using default credentials. The first flaw, tracked as CVE-2024-9486, is rated critical with a CVSS score of 9.8/10 and specifically impacts VMs built with the Proxmox provider, where default credentials remain enabled after the build process. This vulnerability allows attackers to connect via SSH and gain root access to the affected VMs. The issue is fixed in Kubernetes Image Builder version 0.1.38, which introduces a random password during the build process and disables the "builder" account after completion. The second vulnerability, tracked as CVE-2024-9594 (CVSS score: 6.3), affects VM images built with providers like Nutanix, OVA, and QEMU; exploitation is harder, however, because attackers need access to the image-building VM while the build is running. To mitigate these risks, users are urged to upgrade to version 0.1.38, rebuild vulnerable images, and redeploy them. As a temporary mitigation, the "builder" account can be disabled on affected VMs. Addressing these vulnerabilities is crucial for the security of Kubernetes clusters, and CTIX analysts urge users to upgrade to the latest patch immediately.
- The Hacker News: Kubernetes Vulnerability Article
- Cybersecurity News: Kubernetes Vulnerability Article
- Bleeping Computer: Kubernetes Vulnerability Article
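To operationalize the temporary mitigation described above (disabling the "builder" account on already-deployed VMs), the following is an added example and not code from the CTIX update or from the Kubernetes Image Builder project. It audits a Linux guest's /etc/shadow and reports whether the builder account is absent, locked, or still enabled, and it applies a lock when run as root. Only the account name "builder" and the fixed version 0.1.38 come from the advisory; the sample shadow lines are constructed, and the lock command is a standard shadow-utils invocation chosen here, not the project's own remediation.

```shell
#!/bin/sh
# Added example: audit and lock the image-builder "builder" account on a Linux VM.
# Assumes shadow-utils (usermod) and a readable /etc/shadow when run as root.

# builder_account_state <shadow_file>
# Prints one of: unreadable | absent | locked | enabled
builder_account_state() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    line=$(grep '^builder:' "$1") || { echo absent; return 0; }
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$hash" in
        '')        echo enabled ;;   # empty field: no password set at all, treat as open
        '!'*|'*'*) echo locked  ;;   # "!" or "*" prefix: password login disabled
        *)         echo enabled ;;   # a real hash: the build-time default may still work
    esac
}

# lock_builder_account: interim mitigation for a running VM. Locks the password
# and expires the account so SSH logins (key- or password-based) are refused.
# Requires root; when not root it only prints the command it would run.
lock_builder_account() {
    cmd="usermod --lock --expiredate 1970-01-02 builder"
    if [ "$(id -u)" -ne 0 ]; then
        echo "would run: $cmd"
        return 0
    fi
    $cmd
}

# Constructed sample shadow files (not taken from any real image) to exercise the check.
tmpdir=$(mktemp -d)
printf 'root:*:19600:0:99999:7:::\nbuilder:$6$saltsalt$FAKEHASHFORILLUSTRATION:19600:0:99999:7:::\n' > "$tmpdir/shadow_default"
printf 'root:*:19600:0:99999:7:::\nbuilder:!$6$saltsalt$FAKEHASHFORILLUSTRATION:19600:0:99999:7:::\n' > "$tmpdir/shadow_locked"
printf 'root:*:19600:0:99999:7:::\nbuilder::19600:0:99999:7:::\n' > "$tmpdir/shadow_empty"
printf 'root:*:19600:0:99999:7:::\n' > "$tmpdir/shadow_absent"

for f in shadow_default shadow_locked shadow_empty shadow_absent; do
    printf '%s: builder account %s\n' "$f" "$(builder_account_state "$tmpdir/$f")"
done

# On a real VM: state=$(builder_account_state /etc/shadow);
# [ "$state" = enabled ] && lock_builder_account
```

Run it as root on a suspect VM and act on "enabled"; "locked" or "absent" is the state images built with version 0.1.38 or later should show. The lock is a stopgap only, since the advisory's actual fix is to rebuild and redeploy the image.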
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to contact the CTIX Team (ctix@ankura.com) if you need more context.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.