Threat Intelligence Report August 30 - September 5 2022

A new malware campaign disguised as Google Translate or MP3 downloader programs was found distributing cryptocurrency mining malware across 11 countries. The fake applications are being distributed through legitimate free software sites, providing broad exposure to the malicious applications to both regular visitors of the sites and search engines. According to a report by Check Point, the malware is created by a developer named 'Nitrokod,' which at first look appears to be a legitimate application free of malware and provides the advertised functionality. These are the steps the Nitrokod attacker followed to avoid detection:

-Executing the malware almost a month after the Nitrokod program was installed.

-Delivering the payload after 6 earlier stages of infected programs.

-A continuous infection chain initiated after a long delay using a scheduled task mechanism, giving the attackers time to clear the evidence.

A threat actor (TAs) has released the source code of Parrot Stealer, a malware that can steal data from a target network and send it to the dark web in a post on a cybercrime forum. Parrot Stealer is a 64-bit .NET-binary that uses Timestomping (a technique that modifies the timestamps of a file). Adversaries use this technique on their payloads to deflect any unnecessary attention during forensic investigations. The stealer uses multiple AntiAnalysis checks to prevent debugging of the sample. To detect profiling, the code verifies if the COR_ENABLE_PROFILING environment variable is present and set to 1. Profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET Common Language Runtime. This stealer payload steals data from the following Chromium-based browsers and FTP applications. The stealer appears to be in the development stage as several FTP applications are hardcoded in the stealer, but it does not appear to target all of them.

An International Bank Account Number (IBAN) Clipper Malware was identified selling by a Threat Actor (TA) on a cybercrime forum offering monthly subscription-based services of clipper malware targeting Windows operating systems. IBAN is an internationally agreed system developed to identify an overseas bank account. Clipper malware targets a victim’s clipboard to perform unauthorized swapping operations by replacing the victim’s data with the TA’s data to carry out financial theft. Most popular clippers target crypto transactions where the malware swaps the victim’s crypto address with the TA’s crypto address and tricks unsuspecting victims into sending money to the TA’s crypto address. Similarly, IBAN clipper targets bank account numbers.

IRATA (Iranian Remote Access Trojan) Android Malware is a new malware detected in the wild. It originates from a phishing attack through SMS. The theme of the message resembles information coming from the government that will ask you to download this malicious application. IRATA can collect sensitive information from your mobile phone including bank details. Since it infects your mobile, it can also gather your SMS messages which then can be used to obtain 2FA tokens.

The domains for these command-and-control servers have been identified and are deployed on the Crystal Eye platform to reject such traffic when triggered.

Trojan-activity

PureCrypter is a malware loader known to be used in Malware-as-a-Service (MaaS). This loader is currently active and is known to promote at least 10 malware families with hundreds of Command-and-Control servers in their arsenal. Once they are loaded on a victim's machine, it downloads malware such as Formbook, AgentTesla, Mars Stealer, etc.

A list of Domains and Command-and-Control servers for PureCrypter have been identified, and rules are in place to detect and reject this traffic.

A pre-auth remote code execution vulnerability was found in DotCMS which was achievable by performing a directory traversal attack during file upload. This vulnerability ultimately allows attacker to execute arbitrary commands on the underlying system. This vulnerability is exploitable with the default configuration of DotCMS and tested on version 22.01. An attacker can upload arbitrary files to the system. By uploading a JSP file to the tomcat’s root directory, it is possible to achieve code execution, leading to command execution. An attacker can ultimately execute arbitrary commands on the underlying system. The vulnerability was confirmed on 22.01 and below. This vulnerability may also work on 22.02, however not yet confirmed. DotCMS is an open-source content management system written in Java for managing content and content driven sites and applications. DotCMS provides a community edition of their content management system that is free to download and use. They also provide an Enterprise edition, a SaaS-based product, that you can purchase on an annual or monthly subscription.