Akamai, a prominent web infrastructure and security company, has uncovered an active malware campaign exploiting two undisclosed zero-day vulnerabilities that allow remote code execution (RCE).
The attackers use these exploits to compromise routers and video recorders and conscript them into a Mirai-based distributed denial-of-service (DDoS) botnet.
Technical Details
The malware payload is strategically designed to target routers and network video recorder (NVR) devices utilizing default admin credentials.
Upon successful infiltration it installs Mirai variants, thereby expanding the InfectedSlurs botnet. The InfectedSlurs codename derives from the racial and offensive language used in the command-and-control (C2) servers and hard-coded strings.
This specific variant, identified as JenX Mirai, initially surfaced in January 2018.
Attribution and Timeline
As of now, the perpetrators behind these attacks remain unidentified. Akamai detected the malicious activity in late October 2023.
The disclosure keeps technical details confidential so that the affected vendors can develop and release patches, mitigating the risk of further exploitation.
One of the vulnerabilities is expected to receive fixes in the coming month.
The use of racial and offensive language in C2 servers is a problematic tactic, possibly aiming to distract and provoke reactions.
The integration of legitimate tools showcases the increasing sophistication of malware, making detection and attribution challenging for cybersecurity experts.
Phishing Campaign in Russian-Language Malware
A recent cybersecurity observation reveals a phishing attack employing a Russian-language Microsoft Word document to distribute malware capable of extracting sensitive information from compromised Windows systems.
The attributed actor, Konni, exhibits similarities with the North Korean cluster known as Kimsuky or APT43.
Konni’s primary focus centers on data exfiltration and espionage, utilizing various malware and tools.
The group adapts tactics to evade detection and attribution, showcasing a dynamic and persistent threat landscape.
Attack Sequence
The recent attack sequence involves a macro-laden Word document presenting a Russian article supposedly discussing “Western Assessments of the Progress of the Special Military Operation.”
Once the macro is enabled, a Visual Basic for Applications (VBA) script launches a Batch script that performs system checks and a UAC bypass, then deploys a DLL file with information-gathering and exfiltration capabilities.
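As an added detection example (not from the original report or the cited research), the following walks constructed Sysmon-style process-creation events and flags the macro-to-batch-to-DLL chain described above: an Office process whose descendants include cmd.exe and then a DLL loader. The event field names, process images and command lines are assumptions made for illustration.

```python
# Added example (not from the report): flag the macro -> batch -> DLL chain
# over constructed Sysmon-style process events; field names are assumptions.
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe"}                   # batch scripts run under cmd.exe
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # full image path of the created process
    cmdline: str

def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_macro_chains(events):
    """Return (office_pid, loader_pid) pairs where a DLL loader descends from an
    Office app via cmd.exe. A UAC bypass may re-parent the elevated child, so
    orphaned loaders should additionally be correlated by time and user."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _name(e.image) not in DLL_LOADERS:
            continue
        saw_cmd = False
        seen = {e.pid}                       # guards against ppid cycles from pid reuse
        cur = by_pid.get(e.ppid)
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            n = _name(cur.image)
            if n in SCRIPT_HOSTS:
                saw_cmd = True
            elif n in OFFICE_APPS and saw_cmd:
                hits.append((cur.pid, e.pid))
                break
            cur = by_pid.get(cur.ppid)
    return hits

# Constructed sample: Word -> cmd.exe (batch) -> rundll32 loading a DLL, plus a
# benign Word -> splwow64 print helper that must not match.
SAMPLE = [
    ProcEvent(1000, 800, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE article.docm"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "%TEMP%\check.bat"'),
    ProcEvent(1200, 1100, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe %TEMP%\payload.dll,Run"),
    ProcEvent(1300, 1000, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
]
```

Calling `find_macro_chains(SAMPLE)` returns `[(1000, 1200)]`: the Word process and the rundll32 descendant, while the direct Word-to-splwow64 child is ignored.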
Threat actors continually refine their tactics, necessitating constant vigilance and adaptive defense strategies.
The use of regional languages and geopolitical topics in phishing attacks adds a layer of complexity, emphasizing the need for user awareness and robust security measures.
WailingCrab Malware Shipping-themed Emails
A wave of sophisticated cyber threats has emerged, utilizing delivery- and shipping-themed email messages to distribute the elusive WailingCrab malware.
This malware, also known as WikiLoader, was initially identified in August 2023, with campaigns targeting Italian organizations.
IBM X-Force researchers have attributed its creation to the threat actor TA544, also tracked as Bamboo Spider and Zeus Panda, and grouped under the cluster Hive0133.
Attack Chain
The attack begins with phishing emails containing PDF attachments housing URLs.
Clicking these URLs triggers the download of a JavaScript file responsible for fetching and launching the WailingCrab loader hosted on Discord.
The loader initiates a sequence involving a shellcode, an injector module, a downloader, and ultimately the deployment of the backdoor, the malware’s core.
Incorporating unconventional protocols like MQTT reflects the determination of threat actors to stay ahead of detection mechanisms.
The reliance on shipping-themed emails adds a layer of social engineering, exploiting topical relevance to increase the likelihood of successful phishing attempts.
Cybersecurity Is a Challenge for the Whole of Society
Today’s malware, trojans, and phishing campaigns succeed because we are ignorant of our cyber posture.
This means that each of us is responsible for our own security.
Cybersecurity companies are doing their job, but we must also contribute to securing this space for ourselves and for generations to come.