Monthly Advisory • 10 MIN READ

April 2024 Threat Advisory – Top 5

by Eleanor Barlow • Apr 2024

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of April 2024.

China-Linked Threat Actor Unleashes Stealthy Operations with New UNAPIMON Malware

Threat Reference: Global

Risks: Malware

Advisory Type: Threat Advisory

Priority: Standard

SecurityHQ observed reports regarding a cyberespionage attack attributed to the cyberthreat group known as Earth Freybug. The group has been operational since before 2012 and specializes in espionage and financially motivated actions. Its targets span organizations from diverse sectors across multiple countries.

The attack flow abuses vmtoolsd.exe, a component of VMware Tools known as the VMware user process, which is installed and runs inside a guest virtual machine to facilitate communication with the host machine. It also uses schtasks.exe, the Windows Task Scheduler Configuration Tool, which is used to manage tasks on a local or remote machine.

Threat Actors Association

Earth Freybug is a subset of APT41, a prolific cyber threat actor group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.

UNAPIMON Malware

This DLL malware, written in C++, uses no packing or obfuscation apart from a single encrypted string. Its purpose is to thwart the monitoring of child processes: it uses the Detours library, an open-source Microsoft hooking tool, to unhook crucial API functions. By doing so, it effectively circumvents detection in sandbox environments that rely on API hooking for monitoring.

CVE Association

SecurityHQ has not observed any CVE being exploited or utilized in the APT41 and Earth Freybug campaigns.

Attack Scenario

  • Initially, an attacker injects code of unknown origin into the vmtoolsd.exe process, which creates a scheduled task on the remote machine using schtasks.exe.
  • Once executed, the task launches a pre-deployed cc.bat on the remote machine.
  • The cc.bat file runs commands to gather system information and stores it in a text file called %System%\res.txt.
  • Once this is done, another scheduled task is set up to execute %Windows%\Installer\cc.bat on the target machine, which launches a backdoor.
  • This cc.bat file leverages a service called SessionEnv, which triggers the loading of a non-existent library, “%Windows%\Installer\hdr.bin”, to facilitate the side-loading of a malicious DLL, “%System%\TSMSISrv.DLL” (also named UNAPIMON).
  • It then stops the SessionEnv service, waits a few seconds, and restarts the service.
  • The service loads and executes the file “%System%\TSMSISrv.DLL”.
  • TSMSISrv.DLL then drops and loads a file named %Windows%\_{5 to 9 random alphabetic characters}.dll and starts a cmd.exe process into which the same dropped DLL is also injected.
  • This cmd.exe is used to execute commands coming from another machine, thus acting as a backdoor.

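The following script is an added example (not part of SecurityHQ's advisory or Trend Micro's analysis) showing how the process, service and image-load sequence described in the attack scenario could be matched in endpoint telemetry. The event shape and the sample records are constructed and assumed; they are not real logs.

```python
import re

# Constructed Sysmon-style records (assumed shape, not real telemetry), in host order.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"},
    {"type": "service", "name": "SessionEnv", "action": "stop"},
    {"type": "service", "name": "SessionEnv", "action": "start"},
    {"type": "imageload", "image": r"C:\Windows\System32\svchost.exe",
     "dll": r"C:\Windows\System32\TSMSISrv.DLL"},
    {"type": "imageload", "image": r"C:\Windows\System32\cmd.exe",
     "dll": r"C:\Windows\_qwertyu.dll"},
]

# Matches %Windows%\_{5 to 9 random alphabetic characters}.dll from the advisory.
RANDOM_DLL = re.compile(r"^[a-z]:\\windows\\_[a-z]{5,9}\.dll$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_unapimon_chain(events):
    """Return alert strings for the advisory's behaviours, in the order they are seen."""
    alerts = []
    sessionenv_stopped = False  # a SessionEnv stop has been seen...
    sessionenv_cycled = False   # ...followed by a start
    for ev in events:
        if ev["type"] == "process":
            # Step 1: the VMware user process has no business creating scheduled tasks.
            if basename(ev["image"]) == "schtasks.exe" and basename(ev["parent"]) == "vmtoolsd.exe":
                alerts.append("schtasks.exe spawned by vmtoolsd.exe")
        elif ev["type"] == "service" and ev["name"].lower() == "sessionenv":
            if ev["action"] == "stop":
                sessionenv_stopped = True
            elif ev["action"] == "start" and sessionenv_stopped:
                sessionenv_cycled = True
        elif ev["type"] == "imageload":
            dll = basename(ev["dll"])
            # Steps 5-7: TSMSISrv.DLL loaded after a SessionEnv stop/start cycle.
            # The file name alone is a weak signal; the restart sequence is what is matched.
            if dll == "tsmsisrv.dll" and sessionenv_cycled:
                alerts.append("TSMSISrv.DLL loaded after SessionEnv stop/start cycle")
            # Steps 8-9: cmd.exe with a random-named DLL from %Windows% loaded into it.
            if basename(ev["image"]) == "cmd.exe" and RANDOM_DLL.match(ev["dll"]):
                alerts.append("cmd.exe loaded random-named %Windows%\\_*.dll")
    return alerts
```
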
Indicators of Compromise (IOCs)

IP Addresses


Domains/URLs


Recommendations

  • Update Security Software: Ensure that antivirus and endpoint protection software are updated with the latest definitions to detect and mitigate UNAPIMON and related threats.
  • Implement Behavioural Analysis: Utilize security solutions that employ behavioural analysis to detect unusual or suspicious activity indicative of malware injection.
  • Deploy EDR: Make sure Endpoint Detection & Response tools have been implemented to detect the latest malware and suspicious activities on endpoints.
  • Patch Management: Keep operating systems and software up to date with the latest security patches to mitigate vulnerabilities exploited by malware like UNAPIMON.
  • Educate Employees: Raise awareness among your staff about the threat and inform them about the potential risks associated with opening suspicious emails or documents in general.

Adobe Released Security Update to Fix Multiple Critical Severity Vulnerabilities in Adobe Products

Threat Reference: Global

Risks: Arbitrary Code Execution, Memory Leak and Application Denial-of-Service (DoS).

Advisory Type: Updates/Patches

Priority: Standard

Adobe has released a security update to fix multiple critical and important severity vulnerabilities in Adobe products. Successful exploitation of these vulnerabilities could lead to arbitrary code execution, memory leak and application denial-of-service.

Affected Products include Adobe Animate 2023, Adobe Animate 2024, Adobe Media Encoder, Adobe Commerce, and Magento Open Source.

Notable CVEs

  • [Critical] – CVE-2024-20797 – An Out-of-bounds Read vulnerability could allow an attacker to read sensitive information from other locations or cause a crash.
  • [Critical] – CVE-2024-20795 – An Integer Overflow or Wraparound vulnerability occurs when an integer value is incremented to a value that is too large to store in the associated representation.
  • [Critical] – CVE-2024-20772 – A Buffer Overflow vulnerability occurs when a product attempts to put more data in a buffer than it can hold.
  • [Critical] – CVE-2024-20758 – An Improper Input Validation vulnerability occurs when a product receives input or data but does not validate, or incorrectly validates, that the input has the properties required to process the data safely and correctly.
  • [Critical] – CVE-2024-20759 – A cross-site scripting vulnerability (Stored XSS) occurs when the product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page served to other users.
  • [Important] – CVE-2024-20796 – An Out-of-bounds Read vulnerability could allow an attacker to read sensitive information from other locations or cause a crash.
  • [Important] – CVE-2024-20794 – A NULL Pointer Dereference vulnerability can occur through a number of flaws, including race conditions, and simple programming omissions.

Recommendation

It is recommended to update all the affected products to the latest available patch version.

New RedLine Stealer Variant Utilizes Lua Bytecode for Advanced Stealth and Distribution Tactics

Threat Reference: Global

Risks: Malware & Credential Theft

Advisory Type: Threats

Priority: Standard

Security researchers have uncovered a new packed variant of RedLine Stealer, an advanced malware strain targeting a wide array of industries, including financial services and organizations across multiple geographic regions.

RedLine Stealer is known for its ability to steal browser data such as saved passwords, autocomplete data and credit card details, and in its recent version is also known to steal cryptocurrency, FTP and IM client details from the affected machine.

Once collected, this information is sent to the C2 server and uploaded to forums for sale. It can be used to compromise various accounts (e.g., social media, email, banking-related accounts, cryptocurrency wallets), while also facilitating the initiation of phishing campaigns.

RedLine Stealer functions as a potent information-stealing tool, characterized by its intricate use of obfuscation techniques and multi-stage infection chain. Initially identified as a data exfiltration tool, RedLine Stealer has since morphed into a multifaceted malware variant with enhanced functionalities.

Infection Chain

The RedLine Stealer malware, masquerading as Cheat.Lab.2.7.2.zip, is deceitfully hosted on GitHub under Microsoft’s official account within the vcpkg repository. Upon installation, facilitated by an MSI installer, the malware prompts users with a persuasive interface, coercing them to disseminate the malicious payload. During installation, three files are written to the C:\Program Files\Cheat Lab Inc\Cheat Lab\ directory, facilitating the malware’s execution.

Persistence Mechanisms

To ensure enduring presence, the malware orchestrates a series of persistence mechanisms. It creates a scheduled task, executing compiler.exe (renamed to NzUW.exe) with readme.txt as a parameter. Additionally, the malware duplicates files to an obscure directory within program data, bolstering resilience. Notably, ErrorHandler.cmd materializes in C:\Windows\Setup\Scripts, orchestrating compiler.exe execution, safeguarding continuity in case of initial failure.

Command-and-Control (C2) Communication

Seamless communication with the C2 server is facilitated via HTTP. Upon task allocation, the infected system dutifully executes directives, including capturing screenshots. These visual insights are encoded in base64 and transmitted to the C2 server through HTTP PUT requests, enriching the attacker’s arsenal.

Analysis of Bytecode

Examination of the Lua bytecode unveils encrypted data ensconced within tables. A meticulous decryption process unveils concealed insights, including sensitive strings like “Tamper Detected!” The malware adroitly employs Lua JIT bytecode, establishing a pristine environment and incorporating critical libraries. Leveraging system intricacies, such as MachineGuid and ComputerName from the Windows registry, data is meticulously collected and relayed to the C2 server.

Execution and Evasion Techniques

Employing a multipronged approach, the malware deftly navigates execution and evades detection. Crafting a mutex named winter750 for synchronization, it ensures seamless operation. Dynamic loading of DLLs, facilitated by the LdrLoadDll function from ntdll.dll, augments functionality. Notably, system reconnaissance is conducted, with resultant insights meticulously dispatched to the C2 server, amplifying potential exploitation avenues.

IP Addresses

213[.]248[.]43[.]58

Domains/URLs

  • https[:]//github.com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip
  • https[:]//github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip

Recommendation

  • Monitor the network for the presence of the mentioned Indicators of Compromise (IOCs).
  • Implement advanced email filtering and security measures to prevent phishing emails and malicious attachments from reaching your employees’ inboxes.
  • Enforce the principle of least privilege to limit users’ access to sensitive systems and data and implement multi-factor authentication (MFA).
  • Utilize URL filtering solutions and implement web security controls to block access to known malicious websites and to monitor and restrict downloads of suspicious file types, such as ZIP files, from external sources.
  • Make sure Endpoint Detection & Response tools have been implemented to detect the latest malware and suspicious activities on endpoints.
  • Raise awareness among your staff about the potential risks associated with opening suspicious emails or documents in general.

Microsoft Released April 2024 Patch Tuesday for 149 Flaws, Including 67 Remote Code Execution Vulnerabilities

Threat Reference: Global

Risks: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service.

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released Patch Tuesday for April 2024 with security updates for 149 flaws, including 67 Remote Code Execution vulnerabilities. Successful exploitation of these vulnerabilities could result in Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service.

Affected Products include Windows, Azure, Skype, SQL Server, Visual Studio Code, Microsoft Dynamics, Microsoft Office, Microsoft Exchange Server, CBL-Mariner.

Notable CVEs

  • [Critical] – CVE-2024-29053 – Microsoft Defender for IoT Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-21322 – Microsoft Defender for IoT Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-21323 – Microsoft Defender for IoT Remote Code Execution Vulnerability

To view the full list of critical and important CVEs, go here.

Recommendation

It is recommended to update all the affected products to the latest available patch version.

DinodasRAT Malware Strikes Linux Servers in Espionage Campaign

Threat Reference: Global

Risks: Malware

Advisory Type: Threat Intel

Priority: Standard

SecurityHQ is aware of an ongoing campaign utilising the DinodasRAT malware, which primarily targets Linux servers, particularly those within critical infrastructure and corporate environments.

DinodasRAT aims to infiltrate and compromise these servers to gain unauthorized access and conduct espionage activities, with potential targets including government agencies, enterprises, and organizations across various industries.

Detected in late 2022, DinodasRAT is a remote access trojan (RAT) written in C++. It contains a victim identifier string named ‘Din’ and can exfiltrate files, manipulate Windows registry keys, and execute CMD commands. The malware encrypts information sent to the command-and-control server using the Tiny Encryption Algorithm (TEA). DinodasRAT’s execution process and path depend on whether specific arguments are passed during operation.

Attack Scenario

1. Initial Compromise: Attackers gain unauthorized access to Linux servers through various means, such as exploiting vulnerabilities or using phishing techniques.

2. File Creation: Upon execution, DinodasRAT creates a hidden file serving as a mutex to ensure only one instance of the implant runs.

3. Deployment of DinodasRAT: Attackers deploy DinodasRAT onto compromised Linux servers by executing malicious code or uploading the RAT.

4. Establishing C2 Server Communication: DinodasRAT communicates with a remote command and control (C2) server operated by the attackers, enabling remote command issuance and instruction reception.

5. Data Exfiltration: DinodasRAT searches for sensitive data within compromised servers, exfiltrating it to the attackers’ C2 server.

6. Persistence: DinodasRAT achieves persistence through direct execution without arguments and by utilizing SysV or systemd startup scripts for automatic launch upon system boot.

7. Encryption: The malware encrypts communication with the C2 server using TEA or similar techniques to avoid detection and ensure data security.
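
The Tiny Encryption Algorithm referred to in step 7 (and in the description of DinodasRAT above), as an added example that is not SecurityHQ's or the malware's own code: a straight Python implementation of the published TEA block function, plus a byte-level wrapper an analyst can use to decrypt captured C2 payloads once the key has been recovered from a sample. The block mode (ECB), word order (little-endian) and zero padding are assumptions, since the advisory does not state how DinodasRAT applies TEA.

```python
import struct

DELTA = 0x9E3779B9  # TEA's round constant (derived from the golden ratio)
MASK = 0xFFFFFFFF   # all arithmetic is modulo 2**32


def tea_encrypt_block(v0, v1, key, rounds=32):
    """Encrypt one 64-bit block (v0, v1) under a 128-bit key given as four uint32."""
    k0, k1, k2, k3 = key
    total = 0
    for _ in range(rounds):
        total = (total + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, key, rounds=32):
    """Invert tea_encrypt_block by running the rounds backwards from the final sum."""
    k0, k1, k2, k3 = key
    total = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        total = (total - DELTA) & MASK
    return v0, v1


def tea_encrypt_bytes(data, key16):
    """ECB over 8-byte blocks, little-endian words, zero padding (all assumed, see lead-in)."""
    key = struct.unpack("<4I", key16)
    data += b"\x00" * (-len(data) % 8)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, i)
        out += struct.pack("<2I", *tea_encrypt_block(v0, v1, key))
    return bytes(out)


def tea_decrypt_bytes(data, key16):
    """Reverse of tea_encrypt_bytes; returns the still-padded plaintext."""
    key = struct.unpack("<4I", key16)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, i)
        out += struct.pack("<2I", *tea_decrypt_block(v0, v1, key))
    return bytes(out)
```
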

CVE Association

SecurityHQ has not observed exploitation of specific vulnerabilities associated with DinodasRAT; however, it is possible that the malware operators obtain exploit kits from Initial Access Brokers (IABs) on marketplace forums.

IP Addresses: 199[.]231[.]211[.]19

Domains/URLs: update[.]centos[-]yum[.]com

Recommendations

  • Monitor the Network: Check for the presence of the mentioned Indicators of Compromise (IOCs).
  • Deploy EDR: Make sure Endpoint Detection & Response tools have been implemented to detect the latest malware and suspicious activities on endpoints.
  • Strengthen Email Security: Implement advanced email filtering and security measures to prevent phishing emails and malicious attachments from reaching your employees’ inboxes.
  • Secure Exposed Infrastructure: Ensure access to publicly exposed devices and servers is restricted to known users. Regularly assess publicly exposed assets for vulnerabilities and consider whether the device or application can be reached via VPN instead of directly over the public internet.
  • Update and Patch Systems: Ensure all software and applications are up to date with the latest security patches to minimise vulnerabilities.
  • SecurityHQ also recommends ensuring that all public-facing Linux servers are identified and kept up to date, to avoid exposure to remote code execution, privilege escalation or other remotely exploitable vulnerabilities.

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Our team is focused on researching emerging threats, tracking activities of threat-actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.