Monthly Advisory

December 2024 Threat Advisory – Top 5

by Eleanor Barlow • Dec 2024

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of December 2024.

Two New Variants of Remcos RAT Identified in Recent Malware Campaigns

Threat Reference: Global

Risks: Malware

Advisory Type: Threats

Priority: Standard

The Remcos Remote Access Trojan (RAT) is a growing cybersecurity threat that primarily spreads through the use of phishing emails containing malicious attachments. Two new variants of the RAT have recently been uncovered. One variant is seen using VBS files to trigger hidden PowerShell scripts to download and execute malicious files. The second variant uses malicious attachments to exploit older vulnerabilities (CVE-2017-11882) in Microsoft Office to install the RAT.

Attack Scenario, Variant 1

1. The VBS file triggers an obfuscated PowerShell script on the victim’s system, which downloads malicious files (e.g., DLL01.txt, Entry.txt) from a command-and-control (C2) server via FTP server or Google Drive.

2. The PowerShell script checks the installed version, and once downloaded, the files are decoded, and the malicious payload is executed. The payload is injected into a legitimate system process, RegAsm.exe, a Microsoft .NET executable file.

3. The Remcos keylogger payload is loaded into memory, and the keylogger monitors the victim’s activity by logging all keystrokes.

4. The malware creates a registry entry under HKCU (HKEY_CURRENT_USER) Run for persistence and a misleading directory in AppData/Local/Microsoft\LocalLow to hide the malicious files from detection.

5. The captured data, including keystrokes, is stored in %ProgramData%\1210\logs.dat and exfiltrated to the C2 server. The malware maintains continuous communication with the C2 server, which can deliver further payloads, receive stolen data, or issue commands to control the system.
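As an added, read-only triage check (not part of the SecurityHQ advisory), the following PowerShell looks on a Windows host for the Variant 1 artefacts named in the steps above: the HKCU Run entry, the logs.dat store, the look-alike LocalLow directory, and RegAsm.exe with a scripting parent or a live network connection. The user-writable-path pattern for Run values and the parent-process names to flag are my assumptions about what is worth surfacing, not indicators from the advisory.

```powershell
# Added triage script (not from the SecurityHQ advisory): checks a host for the
# Remcos Variant 1 artefacts described above. Read-only; it only reports findings.
$findings = @()

# 1. HKCU Run persistence: list every value and flag ones launching from user-writable paths
#    (assumed heuristic; legitimate software can also live under AppData).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own provider metadata
        if ($p.Value -match '(?i)\\(AppData|ProgramData|Temp)\\') {
            $findings += "Run value '$($p.Name)' launches from a user-writable path: $($p.Value)"
        }
    }
}

# 2. Keylog store and the decoy directory named in the advisory.
$logStore = Join-Path $env:ProgramData '1210\logs.dat'
if (Test-Path $logStore) { $findings += "Keylog store present: $logStore" }
# The genuine LocalLow folder is a sibling of AppData\Local, not a child of Local\Microsoft.
$decoyDir = Join-Path $env:LOCALAPPDATA 'Microsoft\LocalLow'
if (Test-Path $decoyDir) { $findings += "Look-alike directory present: $decoyDir" }

# 3. RegAsm.exe spawned by a script host, or holding an established TCP connection.
foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'RegAsm.exe'") {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    if ($parent.Name -match '(?i)powershell|wscript|cscript') {
        $findings += "RegAsm.exe (PID $($proc.ProcessId)) spawned by $($parent.Name)"
    }
    $conns = Get-NetTCPConnection -OwningProcess $proc.ProcessId -State Established -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $findings += "RegAsm.exe (PID $($proc.ProcessId)) connected to $($c.RemoteAddress):$($c.RemotePort)"
    }
}

if ($findings.Count -eq 0) { 'No Variant 1 artefacts found.' } else { $findings }
```

Run it in the context of the user whose profile is being examined, since the Run key and AppData paths are per-user.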

Attack Scenario, Variant 2

1. This variant is delivered through a spam email with a malicious Office Open XML Document (.docx) file.

2. The document is an RTF file with a long filename, designed to trick the victim into opening it.

3. The document contains a reference to an external URL, which downloads an RTF file exploiting the CVE-2017-11882 vulnerability in Microsoft Equation Editor, allowing remote code execution.

4. The RTF file downloads a highly obfuscated VBS script. The payload includes a .NET DLL (dnlib.dll), which is loaded into memory via PowerShell without being written to disk, in order to evade detection. From there, the Remcos RAT carries out its usual malicious activity.

Indicators of compromise (IOCs). Domains/URLs:

  • dealc[.]me/NLizza
  • raw[.]githubusercontent[.]com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V[.]txt
  • 91[.]134[.]96[.]177/70/RGGFVC[.]txt
  • 91[.]134[.]96[.]177/70/picturewithmegetbacktouse[.]tIF

Recommendations

  1. Implement Multi-Factor Authentication to significantly reduce the risk of successful login attempts using stolen credentials.
  2. Deploy Endpoint Detection and Response (EDR) solutions to help identify and respond to suspicious activity, potentially stopping ransomware deployment.
  3. Regular data backups stored securely offline are essential for recovery in case of a ransomware attack.
  4. Prioritize and apply security patches promptly to address vulnerabilities that attackers can exploit.
  5. Educate employees to identify phishing attempts and other social engineering tactics used to gain initial access.
  6. Conduct regular security assessments to identify and address potential weaknesses in your IT infrastructure.

71 Vulnerabilities, Including 30 Remote Code Execution Flaws in Microsoft’s Dec Patch Tuesday

Threat Reference: Global

Risks: Remote Code Execution, Privilege Escalation, Security Feature Bypass, Information Disclosure, Denial of Service, and Spoofing

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released its Patch Tuesday for December 2024, addressing 71 security vulnerabilities, including one zero-day and 30 remote code execution vulnerabilities.

Successful exploitation of these vulnerabilities could lead to remote code execution, privilege escalation, security feature bypass, information disclosure, denial of service, and spoofing.

Affected products include Microsoft Office, Microsoft Edge, Microsoft Defender for Endpoint, Microsoft Office SharePoint, Microsoft Office Word, Windows Task Scheduler, Windows Resilient File System (ReFS), and GitHub.

Notable CVEs Include:

  • [Zero-Day] – CVE-2024-49138 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
  • [Critical] – CVE-2024-49115 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49116 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49117 – Windows Hyper-V Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49118 – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49119 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49120 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49122 – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49123 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49124 – Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49126 – Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49127 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49128 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49132 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49106 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49108 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49112 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability


Recommendations

Update all affected products to the latest available patch version.

SecurityHQ Recommendation for Microsoft Default Teams External Access Hardening – Addendum

Threat Reference: Global

Risks: Phishing, Spoofing, Ransomware

Advisory Type: Threats

Priority: Standard

While this advisory revisits insights shared in November 2024, it reflects new campaign developments observed since October 2024, necessitating immediate review and enhancement of security settings.

SecurityHQ has observed a resurgence in targeted social engineering attacks exploiting Microsoft Teams’ external access settings. Threat actors such as Storm-1811 and Black Basta are leveraging these settings to initiate contact with victims, using display names like “Help Desk Manager” or impersonating internal IT staff. After gaining the victim’s trust, attackers manipulate them into downloading remote desktop tools such as AnyDesk, Quick Assist, or TeamViewer, enabling unauthorized system access and further malicious activity.

By default, Microsoft Teams allows external users to initiate chats and share files with corporate accounts. This configuration is exploited by these actors to execute sophisticated attacks.

Key Threat Actor Tactics

• Storm-1811

1. Initial Contact: Floods the victim’s inbox with spam (email bombing) to create a sense of urgency.

2. Impersonation: Poses as an IT administrator via Microsoft Teams or phone calls.

3. Exploitation: Guides users to install RMM tools and establishes SSH tunnel backdoors for persistence and reconnaissance.

• Black Basta

1. Initial Contact: Overloads inboxes with spam and follows up via Teams, impersonating IT staff.

2. Credential Harvesting: Deploys obfuscated malware (e.g., Zbot, DarkGate) and custom harvesters for rapid credential theft.

3. Payload Delivery: Uses compromised cloud services or direct uploads to deploy ransomware payloads.

Risk and Exploits

While Microsoft Teams requires users to accept chat requests before viewing messages from external accounts, this safeguard is easily bypassed through spoofed corporate accounts, urgent scenarios, and trusted source impersonation.

The SecurityHQ team has also added recently observed Indicators of Compromise (IOCs) related to abuse of the Teams external access feature, collected during an internal investigation.

Indicators of compromise (IOCs). IP Addresses:

Domains/URLs:

Recommendations

Check whether your tenant’s current Teams external access settings allow external users to initiate chat messages. It is highly recommended to restrict this access.

Step 1: Log in to the Microsoft Teams admin center.

Step 2: Go to the external access setting and scroll down.

Step 3: Uncheck “People in my org can communicate with Teams users whose accounts aren’t managed by an organization”.

Step 4: Click on save and confirm the changes.

Once the changes are saved, they can take some time to take effect across the tenant.
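The same audit-and-harden procedure from the Teams PowerShell module, as an added example that is not part of the SecurityHQ advisory. It assumes the MicrosoftTeams module is installed and the account has Teams administrator rights; mapping the admin center checkbox to the AllowTeamsConsumer / AllowTeamsConsumerInbound settings is my reading of the tenant federation configuration, so confirm it against the admin center after running.

```powershell
# Added example (not from the SecurityHQ advisory): audits the tenant's external access
# settings and turns off the unmanaged-account (Teams consumer) path that the steps above
# recommend unchecking. Assumes the MicrosoftTeams module and Teams admin rights.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams   # interactive sign-in

# Record the current state before touching anything.
$before = Get-CsTenantFederationConfiguration
[pscustomobject]@{
    AllowTeamsConsumer        = $before.AllowTeamsConsumer         # org users may chat with unmanaged accounts
    AllowTeamsConsumerInbound = $before.AllowTeamsConsumerInbound  # unmanaged accounts may start the chat
    AllowFederatedUsers       = $before.AllowFederatedUsers        # external access to other Teams organisations
} | Format-List

# Harden: block chats initiated from, and to, accounts that are not managed by any organisation.
if ($before.AllowTeamsConsumer -or $before.AllowTeamsConsumerInbound) {
    Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false
}

# Verify. Propagation is not instant, so a lingering $true right after the change is expected;
# re-run this block later rather than assuming the setting failed to apply.
$after = Get-CsTenantFederationConfiguration
if ($after.AllowTeamsConsumer -or $after.AllowTeamsConsumerInbound) {
    Write-Warning 'Unmanaged-account access is still enabled (or the change has not yet propagated).'
} else {
    'Unmanaged-account chat access is disabled.'
}
```

AllowFederatedUsers is only displayed, not changed: disabling it would also cut off trusted partner organisations, which calls for an allow-list decision rather than a blanket switch.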

Ivanti Patched Multiple Critical and High-Severity Vulnerabilities

Threat Reference: Global

Risks: Arbitrary File Deletion, Unauthorized Access, Remote Code Execution, Denial of Service

Advisory Type: Updates/Patches

Priority: Standard

SecurityHQ has observed that Ivanti has released patches for multiple high- and critical-severity vulnerabilities affecting several Ivanti products. Successful exploitation of these vulnerabilities may allow an attacker to perform arbitrary file deletion, gain unauthorized access, achieve remote code execution, or cause a denial of service (DoS).

Affected Products include Ivanti Cloud Services Application (CSA), Ivanti Desktop and Server Management (DSM), Ivanti Policy Secure (IPS), Ivanti Connect Secure (ICS), Ivanti Sentry, Ivanti Endpoint Manager, Ivanti Security Controls, Ivanti Patch for Configuration Manager, Ivanti Neurons for Patch Management, and Ivanti Neurons Agent Platform.

Notable CVEs:

  • [Critical] CVE-2024-11633 – Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
  • [Critical] CVE-2024-11634 – Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
  • [Critical] CVE-2024-11639 – An authentication bypass in the admin web console of Ivanti CSA before version 5.0.3 allows a remote unauthenticated attacker to gain administrative access.
  • [Critical] CVE-2024-11772 – Command injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
  • [Critical] CVE-2024-11773 – SQL injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

SecurityHQ was not able to identify any evidence of these vulnerabilities being exploited in the wild, nor any association with an Advanced Persistent Threat (APT) group or malware variant.

Recommendation

Update all the affected products to the latest available patch version.

Adobe Released Security Updates to Address 161 Security Vulnerabilities Across Products with Critical and Important Severity

Threat Reference: Global

Risks: Cross-site Scripting (XSS), Stack-based and Heap-based Buffer Overflow, Improper Input Validation

Advisory Type: Updates/Patches

Priority: Standard

Adobe has released patches addressing a total of 161 new security vulnerabilities across multiple Adobe products, of which 45 are rated critical and 116 important. These updates mitigate vulnerabilities involving cross-site scripting (XSS), stack-based and heap-based buffer overflows, and improper input validation.

Affected Products include Adobe Experience Manager (AEM), Acrobat DC, Acrobat Reader DC, Acrobat 2024, Acrobat 2020, Acrobat Reader 2020, Adobe Media Encoder, Adobe After Effects, Adobe Animate 2023, Adobe Animate 2024, Adobe InDesign, Adobe PDFL Software Development Kit (SDK), Adobe Connect, Adobe Substance 3D Sampler, Photoshop 2025, Adobe Bridge, Adobe Premiere Pro, Adobe Substance 3D Painter, and Adobe FrameMaker.

Recommendation

Update all the affected products to the latest available patch version.

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Our team is focused on researching emerging threats and tracking activities of threat actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.