Cyber Deceptions: Weaponized Tools & Stealthy Attacks

Hi, my fellow malware enthusiast,

Yes, yes, I know it’s Saturday, not Thursday; I’m late. No point fussing about it now; what’s done is done! But guess what? You get the chance to enjoy my improved introduction! 😂

I’m sure you’ve been eagerly waiting for this week’s newsletter—there’s a lot to uncover, and I promise it’s worth the wait!👀 From IT tools turned cyber weapons to the latest in APT group tactics, we’ve got a jam-packed edition for you. We’ll dive into how everyday software like NetSupport Manager is being weaponized, expose the design flaws lurking in Windows, and reveal how cloud services are becoming the new playground for stealthy espionage.

So, let’s not delay any further—dive in and enjoy the read!

NetSupport Manager: From IT Tool to Cyber Weapon

NetSupport Manager, a legitimate remote administration tool from 1989, has increasingly been repurposed by cybercriminals as a Remote Access Trojan (RAT). Since 2017, this software has been widely recognized as a threat, especially as remote work surged in the 2020s, leading to its frequent use in phishing and drive-by download attacks.

In late 2023, a significant campaign emerged where attackers used fake browser updates on compromised sites to deploy NetSupport RAT. They leveraged PowerShell commands to install the tool, gaining control over victims’ systems. By early 2024, researchers observed that the attackers had further refined their techniques, making the malware harder to detect.

StormBamboo’s DNS Poisoning: Unmasking the Malware Campaign

In mid-2023, Volexity uncovered multiple incidents where systems across various organizations were infected with malware linked to the StormBamboo group, also known as Evasive Panda. The malware, targeting both macOS and Windows systems, was traced back to a DNS poisoning attack at the internet service provider (ISP) level.

Initially, the infection vector was unclear, but Volexity later identified that StormBamboo was manipulating DNS responses for specific domains associated with automatic software updates. The group targeted software with insecure update processes, such as those using HTTP without proper digital signature validation. This allowed the attackers to replace legitimate updates with malware, including MACMA and POCOSTICK.

This attack mirrors a previous incident linked to DriftingBamboo, a potentially related threat actor. In April 2023, ESET speculated about a similar attack vector, which Volexity has now confirmed, showing that StormBamboo controlled ISP DNS infrastructure to inject malware via corrupted updates. This blog post details how these attacks exploited vulnerable software update mechanisms, highlighting a broader threat landscape.

APT41's Stealthy Attack on Taiwanese Institute Unveiled

In mid-July 2023, APT41 launched a sophisticated cyberattack on a Taiwanese research institute, showcasing the complexity of modern cyber warfare. The attack used advanced tools and techniques to maintain stealth and control.

The attackers deployed ShadowPad and Cobalt Strike. ShadowPad exploited an outdated Microsoft Office IME binary to deliver a custom payload, while Cobalt Strike was introduced via the Go-based loader CS-Avoid-Killing, designed to evade antivirus detection.

Although the exact initial access vector remains unknown, the breach involved the use of a web shell to maintain persistent access and deploy additional payloads. This method ensured ongoing control over the compromised environment.

Cisco Talos discovered the intrusion in August 2023 by identifying abnormal PowerShell commands connecting to an external IP address to download and execute malicious scripts. This incident underscores the importance of monitoring unusual PowerShell activity as a critical indicator of potential breaches.

APT Groups Embrace Cloud Services for Stealthy Espionage

Symantec research reveals a rising trend of advanced persistent threat (APT) groups using cloud storage services from Microsoft and Google for command and control (C2) and data exfiltration. This tactic allows attackers to exploit widely trusted services, making their activities less likely to trigger security alerts.

Recent findings show APTs are increasingly adopting these techniques. Symantec’s Threat Hunter Team identified several espionage operations using cloud services and noted that attackers benefit from the low cost and stealth of cloud platforms. However, if detected, cloud accounts can be quickly suspended, potentially disrupting the attack and revealing valuable information about the operation.

New malware like GoGra and Trojan.Grager, which use Microsoft’s Graph API for C2, highlight the growing sophistication of these attacks. GoGra, used against a South Asian media organization, reads encrypted commands from Outlook. Trojan.Grager, targeting organizations in Taiwan and Vietnam, relies on OneDrive for command execution.

Symantec also discovered other cloud-based threats, including Onedrivetools and MoonTag, as well as a Google Drive tool used by the Firefly group. The increase in APT groups adopting these methods underscores a trend of mimicking successful techniques observed in other attacks.

Design Flaws in Windows Smart App Control and SmartScreen Exposed

Cybersecurity researchers have identified vulnerabilities in Microsoft’s Smart App Control (SAC) and SmartScreen that could allow attackers to bypass security checks and gain initial access to systems without triggering warnings.

SAC, introduced with Windows 11, blocks untrusted apps based on cloud intelligence and digital signatures. SmartScreen, part of Windows 10, evaluates URLs and files for potential threats using a reputation-based system. When SAC is enabled, it replaces SmartScreen.

Elastic Security Labs highlighted several methods attackers use to circumvent these protections, including:

• Reputation Hijacking: Using apps with good reputations to bypass security.

• Reputation Seeding: Exploiting vulnerabilities in seemingly benign binaries.

• Reputation Tampering: Modifying legitimate files to insert malicious code.

• LNK Stomping: Exploiting bugs in Windows shortcut handling to remove security labels.

These techniques have been in use for years, indicating ongoing challenges in relying solely on native security features. Researchers stress the importance of vigilant scrutiny of downloads and security measures beyond built-in protections.

Fighting Ursa Uses Car Ads to Distribute HeadLace Backdoor

Russian threat actor Fighting Ursa, also known as APT28 or Fancy Bear, has adopted a new tactic to target diplomats through a deceptive used-car sale email scheme. The attack involves a .zip file supposedly containing images of an Audi Q7 Quattro SUV for diplomatic use. In reality, these files are executables with hidden .exe extensions.

Yes, Microsoft yet again

The scheme includes a Romanian phone number and contact details for added credibility. Once the victim downloads and opens the file, it deploys the HeadLace backdoor malware. This malware establishes persistent access for espionage activities.

The attack utilizes a free service called "webhook" to host a malicious HTML page, which determines if the target machine is running Windows. If so, it offers the malicious .zip file. Inside are disguised executables and scripts that load and execute the HeadLace backdoor, leading to data theft and surveillance.

Fighting Ursa's use of such tactics aligns with their previous campaigns and highlights the group’s ongoing use of free services to mask their activities. Notably, the hidden file extensions in Windows, which obscure the true nature of these files, remain a significant security flaw.

Fighting Ursa is known for high-profile attacks, including interference in the 2016 US elections and recent campaigns against Ukrainian government bodies.

Unmasking Windows Downgrade Attacks: New Vulnerabilities Exposed

Downgrade attacks, or version-rollback attacks, target fully updated software by reverting it to vulnerable older versions, thus allowing exploitation of previously patched flaws. In 2023, the BlackLotus UEFI Bootkit used such an attack to bypass Secure Boot on Windows, revealing the potential of this technique.

Recent research presented at Black Hat USA 2024 and DEF CON 32 (2024) highlights significant findings regarding downgrade attacks on Windows. The study led to the creation of Windows Downdate, a tool capable of crafting undetectable and persistent downgrades in critical OS components. This tool can elevate privileges, bypass security features, and render patched Windows machines vulnerable to thousands of past exploits.

Key findings include:

1. Windows Update Vulnerability: The research uncovered a flaw in the Windows Update process, allowing undetectable and irreversible downgrades of essential OS components like DLLs, drivers, and the NT kernel.

2. Virtualization Stack Risk: Downgrades also exposed vulnerabilities in Windows Virtualization-Based Security (VBS), including Credential Guard and Hyper-V’s hypervisor, bypassing UEFI locks without physical access.

3. Need for Awareness: The findings underscore the necessity for increased awareness and research into downgrade attacks, highlighting that current OS protections may not fully address these threats.

4. Design Flaws: The research revealed design flaws in Windows’ virtualization stack, allowing less privileged levels to update more secure components, suggesting that older features might still pose risks.

The study calls for more research into OS-based downgrade attacks and emphasizes the importance of examining in-the-wild attacks to anticipate and mitigate potential threats.

✉️ Wrapping Up

In the world of malware, understanding is key. As we delve into these threats together, remember that knowledge and vigilance are our best allies.

If you find this newsletter helpful and know others who might benefit from it, I'd be grateful if you could pass it along. 🙏

Until next time, stay informed and keep your defenses sharp. Here’s to staying one step ahead

Thanks for reading!

@8erg