Talos is releasing a new list of CyberChef recipes that enable faster and easier reversal of encoded JavaScript code contained in the observed HTML attachments.

Wednesday, July 10, 2024 08:00

*   Cisco Talos has spotted several malicious email campaigns over the past few months that disguise JavaScript code within HTML email attachments, a technique commonly known as “HTML Smuggling.”
*   Cisco Talos has noticed that some industry verticals were targeted more than others by email threats using the HTML smuggling technique during the observed time window. For example, companies in the human resources, insurance and healthcare domains were targeted the most, while legal, supply chain and e-commerce companies were among those targeted the least. 
*   A wide range of evasion techniques has been identified from the senders of these emails, finding ways to get around email gateways and even more advanced detections. These techniques range from various encoding mechanisms to encryption and obfuscation. 
*   These adversaries use simple methods to increase their chances of success, like playing around with email attachments, as well as more advanced techniques by combining different evasion methods or employing a single evasion method multiple times. 
*   Talos is releasing a new list of CyberChef recipes that enable faster and easier reversal of encoded JavaScript code contained in the observed HTML attachments. This may assist in creating automation to process and identify such emails for more effective long-term security measures. 

**Introduction to HTML smuggling **

HTML smuggling is a technique used by attackers to embed encoded or encrypted JavaScript code within HTML attachments or web pages. This technique has been used extensively in spear phishing email campaigns over the past few months. HTML smuggling is quite effective in bypassing perimeter security controls such as email gateways and web proxies for two main reasons: It abuses the legitimate features of HTML5 and JavaScript, and it leverages different forms of encoding and encryption. 

Threat actors start by sending one or more emails with URLs or HTML attachments to their targets. When the recipient clicks on the URL or opens the attachment, the browser decodes and runs all encoded JavaScript code automatically, which will eventually download and deliver the malware to the victim’s device, or alternatively, redirect the user to the final phishing page. In some cases, the code for the malware is embedded in the HTML attachment, and the JavaScript code simply reconstructs and runs it without needing additional downloads. 

**Reversing the HTML attachments **

Security researchers should continuously monitor changes in threat actors’ techniques and update their detection logic and/or processes to make sure customers stay protected. Reverse engineering tools could be helpful for several reasons because they help security analysts better understand attackers’ techniques, especially those that are used to help them stay under the radar. They could be used to update the logic in detection rules or feature extraction processes for more advanced detection solutions that rely on machine learning.  

By sharing the insights gained from reverse engineering with the broader cybersecurity community, organizations can contribute to collective threat intelligence efforts, helping others to prepare for and defend against similar attacks. 

CyberChef is a powerful open-source web application developed by Government Communications Headquarters (GCHQ) that facilitates the decoding and decryption of JavaScript code in HTML attachments. It provides a variety of modules (or functions) for decoding and decryption that can be combined to build up a “recipe.” These recipes can then be exported in different formats and loaded later to be used elsewhere. A snippet of an HTML attachment is shown below.  

A snippet of an HTML attachment with base64-encoded string within a script tag. 

This attachment contains an encoded string in JavaScript that can be decoded using a base64-decoding function. The URL is defanged to avoid being opened by the readers by mistake.  

An encoded string and its decoded equivalent using the “From Base64” function in CyberChef. 

Talos is releasing new recipes that security researchers can use to reverse encoded and/or encrypted JavaScript code in HTML attachments. Alternatively, these recipes could be integrated into automated feature extraction processes to improve the detection of emails containing HTML attachments. We will also share recipes that are not referenced in this blog post but have been used frequently to reverse HTML attachments. The combinations captured by these recipes show which evasion techniques threat actors use most often. 

**A dive into evasion techniques **

Talos has been closely monitoring email campaigns that leverage HTML smuggling over the past several months. Various evasion techniques have been identified, which threat actors use to bypass email gateways, ranging from different encoding mechanisms to encryption. In some instances, evasion techniques are chained together, but in others, a single method is employed multiple times to increase the challenge of detection. Additionally, obfuscation has been applied to the encoded JavaScript code to further complicate their detection. 

**Playing around with attachments **

Talos has witnessed various attempts by threat actors to manipulate email attachments to take advantage of software engineering oversights and evade detection systems. 

One common technique involves using alternative or similar file extensions for attachments to bypass message filtering mechanisms. For example, XHTML, an older and stricter version of HTML that follows XML syntax, has been frequently used in HTML smuggling. SHTML, an extension of HTML that allows for the inclusion of dynamic content, has also been used in the wild. 

Instead of using alternative file extensions, a frequent pattern has been identified where dots are added to the end of HTML file extensions (e.g., “html.”, “htm.”, “htm…”). This attempt aims to bypass email parsers that rely on the Content-Type header to determine the type of an email attachment. By adding at least one dot to the end of the file extension, the Content-Type of an email attachment changes from text/html to application/octet-stream (see the examples below). 

The Content-Type of the HTML attachment of an example email. 

The Content-Type of the ”htm.” attachment of an example email. 

In some cases, the attachment’s file extension is repeated multiple times, or the attachment lacks any file extension (see the examples below). We have also observed attempts to combine different file extensions (e.g., “.pdf.html” or “xls.html”), which may confuse the file type identification logic of the detection code. This can affect how files are passed to downstream modules for further assessment.

An example email with ”.html .html” file extension.

A snippet of the HTML attachment of the above email with JavaScript code. 

An example email with an HTML attachment that lacks the file extension.

A snippet of the HTML attachment of the above email with JavaScript code.

Other popular techniques frequently observed include enclosing HTML attachments in ZIP archives and attaching multiple similar HTML attachments to a single email. The latter method has been identified as an attempt to increase the chances of success. The following email provides an example in which multiple SHTML attachments with identical content have been attached to a spear phishing email. The goal of the threat actors is to offer multiple employment benefits and trick the victim into engaging with any one of them. The more attractive these benefits are to an employee, the higher the chance of success for the attackers.

A spearphishing example email with multiple SHTML attachments.

A snippet of the SHTML attachment of the above email with JavaScript code, and the decoded phishing URL.

**Obfuscation **

Code obfuscation is used extensively in HTML smuggling attacks to make their detection more challenging and expensive. One of the most popular techniques that is often applied to JavaScript code is identifier renaming, which changes the key identifiers of the code such as variable and function names to some meaningless strings. This technique is popular because it’s offered by most free and open-source obfuscators and doesn’t change the logic of the code. Two examples are provided below. In the first example, the phishing URL is an array of integers and is stored in an obfuscated variable, which is then decoded on the fly, followed by a “click” method that redirects the victim to the phishing page.

A spear phishing example email with obfuscated JavaScript within HTML attachment.

A snippet of the HTML attachment of the above email with JavaScript variables that are obfuscated via identifier renaming method, and the decoded phishing URL.

In the second example, the function name is also obfuscated. Here, an obfuscated string is initially decoded through a series of replacements. Subsequently, the decoded string is passed to the “eval” method, which executes it.

An example email with obfuscated JavaScript within HTML attachment.

A snippet of the HTML attachment of the above email with JavaScript variables and functions that are obfuscated via the identifier renaming method.

**Using a single evasion technique multiple times **

The following case provides an example in which one of our customers received an email with an "html." attachment in October 2023. In this instance, threat actors leveraged the base64 encoding method twice, a technique also known as double encoding, to evade detection systems that likely rely on single-stage decoding procedures before analyzing scripts. 

A spear phishing example email with an HTML attachment that contains double encoded JavaScript string variables.

The content of the HTML attachment is shown in the figure below. This attachment contains four hidden input fields. Hidden input fields are not visible on the webpage, but they can still hold values that are sent to the server when the form is submitted. Initially, the JavaScript code retrieves the values of these hidden input fields. It then uses the "substr" method to extract substrings from the values and concatenates them. Finally, two URLs are generated from these hidden fields on the fly (the values of the hidden fields and next variables can be decoded via this recipe: Base64\_Decode\_DecimalUnicode2String\_Base64\_Decode recipe). 

A snippet of the HTML attachment of the above email with double encoded JavaScript string variables.

The final phishing page (https\[:\]//dompr\[.\]arrogree\[.\]park/login.php), constructed on the fly and stored in the 'trc' variable, is automatically shown to the victim once the HTML page is fully loaded, using the 'onload' method. As soon as the user enters the credentials, the 'SFiegrt' method will send them to another remote server (https\[:\]//cpsvr\[.\]hiominsa\[.\]com/POST/genofcatch.php) using an asynchronous HTTP POST request.

A snippet of the HTML attachment of the above email with double-encoded JavaScript string variables and the decoded URLs.

**Chaining different evasion techniques**

Talos has observed continuous efforts to combine different encoding and/or encryption techniques in HTML attachments by email campaigns to evade detection. In addition, threat actors typically obfuscate the embedded JavaScript code to increase their chances of success.

In the example below, you can find an email with an "htm" attachment that was sent to one of our customers in December 2023.

A spear phishing example email with an HTML attachment that combines identifier renaming obfuscation, base64 encoding and Caesar encryption to bypass detection.

The embedded JavaScript code is shown in the figure below. This email was clearly tailored for a specific recipient (see the masked email address).

A snippet of the HTML attachment of the above email with obfuscated JavaScript variables and a base64-encoded string variable. 

The script block contains an obfuscated variable named '\_0x5da6a8' that holds a base64-encoded string. When decoded (via the Base64\_Decode\_2 recipe), it yields the main JavaScript code, which includes the final phishing URL and the de-obfuscation function. The de-obfuscation function takes the "link" string variable as input, iterates over its characters, converts each character to its Unicode equivalent, subtracts five from the decimal value of each character, converts the resulting decimal value back to a Unicode character, and converts the Unicode value back to a string. Under the hood, this function effectively replicates the functionality of a Caesar cipher decryption method (see the Caesar\_Decrypt recipe).

The decoded JavaScript code of the above base64-encoded string variable, the Caesar decryption function, and the phishing URL.

So, threat actors have used encoding, Caesar encryption and obfuscation altogether in this case to evade detection.

The example email below shows how threat actors have combined encoding and AES encryption in an HTML attachment to evade detection. 

A spear phishing example email with an HTML attachment that combines base64 encoding and AES encryption to bypass detection.

A snippet of the HTML attachment of the above email with a base64-encoded input field that is hidden.

As can be seen from the HTML attachment snippet, there is a base64-encoded string in this file. This string is first decoded using the 'atob' method (or the Base64\_Decode\_1 recipe). Once decoded, it yields a JSON string with four keys (a-d), as shown below. The value of the 'a' key is the encrypted string, which is decrypted on the fly. The values of the 'b' and 'd' keys are the passphrase and salt, respectively, for the PBKDF2 key derivation function used to create the decryption key. The value of the 'c' key is the Initialization Vector (IV) for the AES decryption function.  

The decoded JSON string is obtained from the encoded input field in the above HTML attachment. 

With the above values, the decryption key is derived on the fly (using the Derive\_Key\_PBKDF2 recipe). Then, with this key and the IV parameter, the value of 'a' is decrypted (using the Base64\_Decode\_AES\_CBC\_Decrypt recipe) to retrieve the URL, as shown below. Note that the inner URL is in HEX format (which can be decoded using the Hex\_Decode recipe).  

The final phishing URL is obtained from AES decryption.

Once this URL is created, a fetch request with a POST method is sent to it, with a JSON body containing "{ "lettuce": "friendliness" }". Then, the response from the fetch request is read as text. The text is decrypted again by calling the pea function, and finally, the second decrypted result is written to the document using "document.write", replacing all current content. The walkthrough above gives an idea of how threat actors combine different evasion techniques and how challenging it is for defenders to detect such threats.

**HTML smuggling in the wild **

The number of unique emails that used HTML smuggling between Oct. 1, 2023, and May 31, 2024.

The above chart indicates that we observed a peak in the number of emails leveraging this technique on Feb. 2, 2024, particularly those employing advanced encoding and obfuscation in their HTML attachments. The subsequent pie chart shows that our American customers were targeted significantly more than our European customers by email threats utilizing this technique. 

The percentage of emails that used HTML smuggling against customers in different geographical regions.

We noticed that some industry verticals were targeted more than others by email threats using the HTML smuggling technique during the observed time window. For example, companies in the human resources, insurance and healthcare domains were targeted the most, while legal, supply chain and e-commerce companies were among those targeted the least.

The number of convictions for email threats that used HTML smuggling across different industry verticals.

Our observation shows that the ".shtml" file extension, followed by ".htm" and ".html", were the most used in email threats that leveraged the HTML smuggling technique. The fourth and fifth most widely used file extensions were ".htm...." and ".xhtml". The other file extensions we found interesting included ".pdf.shtml", ".pdf.htm", and ".xlsx.html". We have identified these as potential techniques to exploit software engineering oversights and bypass detection mechanisms.

Top HTML attachment file extensions observed in email campaigns that used HTML smuggling.

**How to protect against email threats that use HTML Smuggling? **

As outlined earlier, HTML smuggling poses significant challenges to traditional security solutions and rule-based detection engines. The extensive deployment of encoding, encryption, and obfuscation renders the detection of emails utilizing this technique challenging, necessitating enhancements in various aspects of defense. Several of these areas are detailed below.

**Multi-layered defense **

Swiftly blocking an attack minimizes its potential impact on our customers' business operations. Thus, it is advantageous to neutralize threats at initial stages, such as at the email gateway and web filtering level. However, if a message passes through these perimeter security controls and lands in a user’s inbox, retrospective detections and endpoint protection controls should either detect these messages at later stages and pull them out of the user’s inbox or prevent the execution of such malicious JavaScript on the victim’s device. 

**Improved security engineering**

Despite typically having insufficient information about the architecture and inner workings of commercial security solutions, threat actors occasionally exploit software engineering oversights to bypass detection mechanisms. A notable instance of this is their manipulation of email attachments to evade scrutiny. Therefore, monitoring these evasion techniques and revising the code accordingly could improve the efficacy of existing detection engines significantly. Talos monitors changes in adversaries’ techniques precisely and makes sure our customers stay protected.  

**Advanced detection methods **

The HTML smuggling technique enables emails to effectively evade traditional perimeter security measures, including email gateways and presents significant detection challenges for rule-based systems. Consequently, the deployment of more sophisticated message processing and security solutions is imperative. Additionally, enhancing endpoint security measures to prevent the execution of such scripts on user devices is essential.  

Talos continuously monitors the changes in attackers' techniques and updates our detection capabilities to ensure our customers stay protected. Learn more about Cisco Security Email Threat Defense here.

**Indicators of compromise (IOCs)**

Indicators of compromise (IOCs) associated with this blog post can be found here.

Hidden between the tags: Insights into spammers’ evasion techniques in HTML Smuggling

Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in TTPs, along with several notable differences and outliers.

Wednesday, July 10, 2024 06:00

Given the recent slate of massive ransomware attacks that have disrupted everything from hospitals to car dealerships, Cisco Talos wanted to take a renewed look at the top ransomware players to see where the current landscape stands. 

Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in tactics, techniques and procedures (TTPs), along with several notable differences and outliers.  

Talos’ studies indicate that the most prolific ransomware actors prioritize gaining initial access to targeted networks, with valid accounts being the most common mechanism. Phishing for credentials often precedes these attacks, a trend observed across all incident response engagements, consistent with our 2023 Year in Review report. Over the past year, many groups have increasingly exploited known and zero-day vulnerabilities in public-facing applications, making this a prevalent initial access vector. 

**Watch: Discussion of latest ransomware trends**

The AlphV/Blackcat and Rhysida groups stood out with the broadest range of TTPs, demonstrating significant tactical diversity. Conversely, groups like BlackBasta, LockBit and Rhysida not only encrypted data and defaced victim systems to maximize impact. Distinctively, the Clop ransomware group primarily focused on extortion through data theft rather than typical encryption tactics and is one of the only actors to exploit zero-day vulnerabilities. 

Our findings are based on a comprehensive analysis of 14 ransomware groups between 2023 and 2024. We selected the ransomware groups based on volume of attacks, impact on customers, and atypical threat actor behavior. Our research includes data from the actors’ public leak sites, Cisco Talos Incident Response (Talos IR), Talos internal tracking efforts and open-source reporting.

During this research period, Talos IR was actively engaged in responding to a considerable number of ransomware attacks heavily targeting the United States. These attacks spanned a broad spectrum of industries, notably impacting the manufacturing and information sectors, employing various techniques to encrypt data and demand ransoms, with their activities resulting in significant levels of financial losses and business disruption. 

Over the past year, we have witnessed major shifts in the ransomware space with the emergence of multiple new ransomware groups, each exhibiting unique goals, operational structures and victimology. The diversification highlights a shift toward more boutique-targeted cybercriminal activities, as groups such as Hunters International, Cactus and Akira carve out specific niches, focusing on distinct operational goals and stylistic choices to differentiate themselves. 

**An advanced arsenal: Notable TTPs employed by ransomware actors **

Utilizing the MITRE ATT&CK framework as a baseline, we identified the primary TTPs utilized by major ransomware threat actors over the past three years which involved a detailed examination of each TTP, its execution methods, and relevant sub-techniques, that highlight unique TTPs not previously emphasized in MITRE’s top ATT&CK techniques. 

Key findings indicate that many of the most prominent groups in the ransomware space prioritize establishing initial access and evading defenses in their attack chains, highlighting these phases as strategic focal points. Within the past year, many groups have exploited critical vulnerabilities in public-facing applications, becoming a prevalent attack vector, which we addressed later, indicating an increased need for appropriate security controls and patch management.  

Echoing a trend identified in our Talos Year in Review report, our data supported the conclusion that ransomware actors continue to apply a significant focus to defense evasion tactics to increase dwell time in victim networks. Typical popular defense evasion methods include the disablement and modification of security software such as anti-virus programs, endpoint detection solutions, or security features in the operating system to prevent the detection of the ransomware payload. Adversaries will also often obfuscate malicious software by packing and compressing the code, eventually unpacking itself in memory when executed. They’ll also modify the system registry to disable security alerts, configure the software to execute at startup, or block certain recovery options for users. 

The most prevalent credential access technique Talos IR engagements have seen in 2023 and 2024 is the dumping of LSASS memory contents. Ransomware threat actors were seen often targeting the Local Security Authority Subsystem Service (LSASS) to extract authentication credentials by dumping memory. This technique involves accessing the LSASS process' memory to retrieve plaintext passwords, hashed passwords, and other authentication tokens stored in memory. This tactic is particularly effective because it exploits the normal functioning of a legitimate system process. 

We also identified a trend in command and control (C2) activities indicating continued use of commercially available tools by affiliates, such as AnyDesk and ScreenConnect remote monitoring and management (RMM) applications, indicating a threat actor preference for readily accessible, legitimate technologies in maintaining influence over compromised systems. Abusing often trusted applications allows actors to blend in with corporate network traffic and reduce resource development costs without needing to develop distinct custom C2 mechanisms.  

**Typical attack chain of ransomware actors: Insights from the top 14 groups **

In the first phase of a ransomware attack, adversaries work to gain initial access to the target network, using a combination of social engineering, network scanning and open-source research to learn about their victims, identify possible access vectors, and customize their initial access attempts. Adversaries may send emails containing malicious attachments or URL links that will execute malicious code on the target system, deploying the actors' tools and malware, and exploiting multi-factor authentication (MFA). There are many ways adversaries hope to bypass MFA, whether because of poor implementation or because they already have valid account credentials. Most notably, we have seen an increasing number of ransomware affiliates attempting to exploit vulnerabilities or misconfigurations in internet-facing systems, such as in legacy or unpatched software.   

Then, these actors will look to establish long-term access, ensuring that their operations will be successful even if their initial intrusion is discovered and remediated.  Attackers often use automated malware persistence mechanisms, such as AutoStart execution upon system boot, or modify registry entries. Remote access software tools and create local, domain and/or cloud accounts can also be deployed to establish secondary credentialed access. 

Upon establishing persistent access, threat actors will then attempt to enumerate the target environment to understand the network’s structure, locate resources that can support the attack, and identify data of value that can be stolen in double extortion. Using various local utilities and legitimate services, they exploit weak access controls and elevate privileges to the administrator level to progress further along the attack chain. Ransomware actors continue this cycle of persistence to escalate privileges and compromise additional hosts. We have observed the popular use of many network scanner utilities in conjunction with local operating system tools and utilities (living-off-the-land binaries) like Certutil, Wevtutil, Net, Nltes and Netsh to blend in with typical operating system functions, exploit trusted applications and processes, and aid in malware delivery.  

In the shifting focus to a double extortion model, many adversaries collect sensitive or confidential information to send to an external adversary-controlled resource or over some C2 mechanism. File compression and encryption utilities WinRAR and 7-Zip have been used to conceal files for the unauthorized transfer of data, while adversaries often exfiltrate files using the previously mentioned legitimate RMM tools. Custom data exfiltration tools have been developed and used by the more mature RaaS operations, offering custom tooling such as Exbyte (BlackByte) and StealBit (LockBit) to facilitate data theft.  

At this point, adversaries are ready to stage the ransomware payload and begin encryption. Steps they may take to prepare for the attack include customizing the code for specific objectives (e.g., ignoring certain file types/locations), embedding the ransomware in the environment, testing delivery mechanisms, and ensuring that the ransomware relates to and receiving instructions from the attacker's C2 server, which contains the encryption key. The adversary will then begin encrypting the network and notifying the victim that they have been breached. If the goal is pure data theft extortion, then this phase is skipped.   

**Ransomware actor’s exploitation of vulnerable applications (CVEs)   **

Analysis of Talos IR engagements focusing on the exploitation of critical vulnerabilities in public-facing applications by ransomware actors uncovered three vulnerabilities for their repeated exploitation: CVE-2020-1472, CVE-2018-13379 and CVE-2023-0669. Exploitation of these and other critical vulnerabilities can provide initial access and lead to privilege escalation by the threat actors.  

**_CVE-2020-1472 ("Zerologon")_   **

CVE-2020-1472, known as "Zerologon," exploits a flaw in the Netlogon Remote Protocol (MS-NRPC), allowing attackers to bypass authentication mechanisms and change computer passwords within a domain controller's Active Directory. Ransomware actors leverage this vulnerability to gain initial access to networks without requiring authentication, quickly escalating privileges to domain administrator levels. This access enables them to manipulate security policies, and potentially disable security defenses, facilitating unobstructed lateral movement and attack progression.   

**_CVE-2018-13379 (Fortinet FortiOS SSL VPN vulnerability)_   **

The path traversal vulnerability in Fortinet's FortiOS SSL VPN, identified as CVE-2018-13379, allows unauthenticated attackers to access system files through specially crafted HTTP requests. Ransomware groups have exploited this vulnerability to obtain sensitive information, such as VPN session tokens, which can be used to gain unauthorized access to the network. With access secured, attackers will then advance through the attack chain moving laterally within the network, exploiting further vulnerabilities or weak configurations, deploying ransomware, and exfiltrating data.   

**_CVE-2023-0669 (GoAnywhere MFT vulnerability)_   **

Discovered in January 2023, CVE-2023-0669 affects the GoAnywhere Managed File Transfer (MFT) software, allowing remote attackers to execute arbitrary code on the server without requiring authentication. This critical vulnerability enables actors to deploy ransomware payloads directly to servers or use the compromised server as a pivot for further internal reconnaissance and lateral movement. The ability to execute arbitrary code enables attackers to manipulate systems, create backdoors and disable security controls.   

Volt Typhoon, a People’s Republic of China-affiliated threat actor, was recently documented actively targeting U.S. critical infrastructure, with an attack chain involving exploitation of known or zero-day vulnerabilities. Volt Typhoon has been observed infiltrating IT systems of critical infrastructure organizations across the U.S., including territories like Guam exploiting vulnerabilities in multiple products including a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure, CVE-2023-46805 and CVE-2024-21887.

Talos also recently reported on a complex campaign targeting Cisco Adaptive Security Appliances (ASA), exemplifying further state-sponsored actors targeting critical vulnerability exploits in perimeter network devices. Cisco's PSIRT and Talos Threat Intelligence and Interdiction identified the previously unknown actor UAT4356, who employed bespoke tooling for sophisticated espionage activities, leveraging two vulnerabilities, CVE-2024-20353 and CVE-2024-20359, as part of this campaign.

The security of public-facing applications continues to be an area of significance due to organizations' continued reliance of scalable software applications, integral for day-to-day business operations, posing a significant impact on organizational security and data integrity. The exploitation of these vulnerabilities can lead to severe disruptions, financial losses and reputational damage.  

**Mitigation recommendations **

**Regular patch management:** Consistently apply patches and updates to all systems and software to address vulnerabilities promptly and reduce the risk of exploitation. 

**Strict password policy and MFA:** Implement strong password policies that require complex, unique passwords for each account. Additionally, enforce multi-factor authentication (MFA) to add an extra layer of security. 

**System and environment hardening:** Apply best practices to harden all systems and environments, minimizing attack surfaces by disabling unnecessary services and features. 

**Network separation and client network authentication:** Segment your network using VLANs or similar technologies to isolate sensitive data and systems, preventing lateral movement in case of a breach. In addition to utilizing network access control mechanisms such as 802.1X to authenticate devices before granting network access, ensuring only authorized device connections. 

**Monitoring and endpoint detection and response:** Implement a Security Information and Event Management (SIEM) system to continuously monitor and analyze security events, in addition to the deployment of EDR/XDR solutions on all clients and servers to provide advanced threat detection, investigation, and response capabilities 

**Principle of least privilege:** Adopt a least-privilege approach, ensuring that users and systems have only the minimal level of access necessary to perform their functions, thereby limiting potential damage from compromised accounts. 

**Minimize IT exposure to the internet:** Reduce your IT systems' exposure to the Internet by limiting the number of public-facing services and ensuring robust protections for any necessary external interfaces.

Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs

This is the largest Patch Tuesday since April, when Microsoft patched 150 vulnerabilities.

Tuesday, July 9, 2024 14:01

Microsoft released its monthly security update on Tuesday, disclosing 142 vulnerabilities across its suite of products and software. Of those, there are five critical vulnerabilities, and every other security issue disclosed this month is considered "important."

This is the largest Patch Tuesday since April when Microsoft patched 150 vulnerabilities.

Of the critical vulnerabilities, two are considered more likely to be exploited:

CVE-2024-38023, a remote code execution vulnerability in Microsoft SharePoint server, where an authenticated attacker with Site Owner permissions can use the vulnerability to execute arbitrary code in the context of SharePoint server.

CVE-2024-38060, a remote code execution vulnerability in Microsoft Windows Codecs Library that can be exploited by an authenticated attacker who uploads a specially crafted malicious TIFF file.

There are three other critical vulnerabilities listed in this advisory. All three (CVE-2024-38074, CVE-2024-38076 and CVE-2024-38077) are remote code execution vulnerabilities in Windows Remote Desktop Licensing Service. In all of them, an attacker could send a specially crafted network packet which could cause remote code execution. In the case of CVE-2024-38077, the adversary does not need to be authenticated.

All the remaining vulnerabilities are considered important. Of these, CVE-2024-38080 is particularly relevant because Microsoft has acknowledged that it’s already being exploited in the wild. An adversary could exploit this elevation of privilege vulnerability in Windows Hyper-V to gain System privileges.

Cisco Talos' Vulnerability Research team discovered another elevation of privilege vulnerability, CVE-2024-38062, in the kernel-mode driver. An adversary could also exploit this vulnerability to gain System privileges. Microsoft considers the complexity of this attack to be "low," though it's "less likely" to be exploited.

Several other “important” vulnerabilities could lead to remote code execution and are identified by Microsoft as being “more likely” to be exploited.

CVE-2024-38021 is a remote code execution vulnerability in Microsoft Office. An attacker could craft a malicious link that bypasses the Protected View Protocol, leading to the leaking of local NTLM credentials and remote code execution.

CVE-2024-38024 is a remote code execution vulnerability in Microsoft SharePoint Server. An adversary could exploit this issue by uploading a specially crafted file to the targeted SharePoint Server and crafting specialized API requests to trigger the deserialization of a file's parameters, leading to arbitrary code execution in the context of the SharePoint server. However, this attacker would need to have Site Owner permissions or higher.

CVE-2024-38094 is another vulnerability in SharePoint servers. Adversaries with Site Owner permissions can use this vulnerability to inject arbitrary code and execute code in the context of a SharePoint server.

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.  

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their rule set by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63687 - 63690, 63693, 63694 and 63697 - 63700. There are also Snort 3 rules 300958 - 300961.

Largest Patch Tuesday in 3 months includes 5 critical vulnerabilities

In recent months, a surge in cryptodrainer phishing attacks has been observed, targeting cryptocurrency holders with sophisticated schemes aimed at tricking them into divulging their valuable credentials.

Tuesday, July 9, 2024 08:00

_By_ _Teoderick Contreras_ _and_ _Jose Hernandez_ _of Splunk, with contributions from the Splunk Threat Research Team._  

Cryptodrainer scams have emerged as a significant threat in the cryptocurrency ecosystem, targeting unsuspecting individuals with the promise of easy profits while covertly siphoning their digital assets.  

Initially, cryptodrainer scams primarily manifested as fraudulent investment schemes, promising high returns on investments in dubious projects or fake initial coin offerings (ICOs). These scams exploited the speculative nature of cryptocurrency markets, luring investors with the allure of quick riches and revolutionary technology. However, instead of delivering on their promises, scammers absconded with investors' funds. 

An example of a cryptodraining scam spread on a Jamaican news outlet’s X account in 2023 after the account was hacked. 

Cryptodrainer phishing scams targeting cryptocurrency holders have become increasingly sophisticated, with scammers employing social engineering techniques to trick users into divulging their private keys or login credentials. These stolen assets were then swiftly drained from victims' wallets, often leaving them with little recourse for recovery. 

In recent months, a surge in cryptodrainer phishing attacks has been observed, targeting cryptocurrency holders with sophisticated schemes aimed at tricking them into divulging their valuable credentials. These tactics involve deceptive URLs, carefully crafted to resemble legitimate cryptocurrency platforms, enticing unsuspecting users to input their sensitive login information. 

One particularly concerning trend is the emergence of phishing campaigns proliferating across various social media platforms, including X (Twitter). In these instances, compromised accounts, likely hijacked by cybercriminals, are used as unwitting conduits to deliver the malicious URLs to a wider audience. The compromised accounts lend an air of legitimacy to the fraudulent scheme, thereby increasing the likelihood of unsuspecting users falling victim to the scam. 

These types of platforms have long been rife for abuse and scams. Cisco Talos has previously highlighted how various aspects of “Web 3” such as the metaverse and smart contracts have been abused to trick users into emptying their cryptocurrency wallets. Malicious Google Forms documents have also been used as an attack vector for these scams.  

**Anatomy of a crytodrainer attack **

Splunk researchers used the Splunk Attack Analyzer to gain insights into the anatomy of this phishing campaign, which we believe follows the same general infection method and attack pattern of cryptodrainer scams. 

Below are a few examples of phishing website pages designed to mimic legitimate cryptocurrency platforms, enticing users to disclose their cryptocurrency login credentials. 

Phishing site web pages. 

Splunk expanded our repository of potential cryptodrainer phishing URLs using the Attack Analyzer. One such example is _hxxp\[://\]nfts-manta\[.\]network/_, a site identified and flagged as a phishing site by several anti-virus products, according to VirusTotal. 

A phishing site in VirusTotal. 

Splunk Attack Analyzer also provides a comprehensive overview, including the landing page screenshot of the phishing site, potential URL link redirections, detections and related artifacts, facilitating further in-depth analysis. 

A screenshot of Splunk Attack Analyzer. 

Upon accessing this phishing site, users are prompted to connect their cryptocurrency wallets to purportedly claim tokens. A common method observed for wallet connection involves scanning a QR code using a mobile phone. This QR code may seemingly link to the desired cryptocurrency wallet app, offering the illusion of a seamless login process. In reality, this action grants the phishing site access to the user's login credentials, enabling the unauthorized draining of their cryptocurrency wallet. 

A phishing website posing as Manta, a cryptocurrency application.

A QR code displayed on the Manta phishing site. 

**Why should you care? **

Understanding and staying vigilant against cryptodrainer scams is important for safeguarding your financial well-being and data security.  

These scams, often executed through phishing tactics, pose significant risks to individual's finances and personal information if they are invested at all in cryptocurrency.  

By remaining informed about the tactics employed by scammers, you can take proactive measures to protect yourself and prevent potential financial losses. Additionally, spreading awareness about these scams helps mitigate their impact by empowering others to recognize and avoid falling victim to fraudulent schemes.  

Here are a few tips for spotting possible cryptocurrency scams like the ones outlined above: 

*   Carefully consider and thoroughly research before registering for, or investing, in any cryptocurrency that promises quick and significant returns. High-reward opportunities often come with high risks, and many such promises may be scams. As always, if it seems too good to be true, it probably is. 
*   Always verify the legitimacy of the website before providing your personal information or registering your cryptocurrency accounts or wallet. Look for signs of credibility such as secure URLs (https), professional design and positive reviews from trusted sources. 
*   Ensure that your security products are consistently updated to detect and block known malicious websites that employ these deceptive tactics. Regular updates provide the latest protection against evolving threats and scams in the cryptocurrency space. 

By following these guidelines, you can better protect yourself from the risks associated with investing in cryptocurrencies and engaging with online platforms. 

**Coverage **

The following Splunk SOAR playbooks integrate with Splunk Attack Analyzer and other sandbox tools, allowing users and admins to easily triage and identify this type of activity in a given environment. 

Accepts URL link, domain or vault\_id (hash) to be detonated using Splunk Attacker (SAA) API connector. This playbook produces a normalized output for each user and device. 

Leverages Splunk technologies to determine if a .eml or .msg file in the vault is malicious, whether or not it contained suspect URLs or Files, and who may have interacted with the IoCs (emails, URLs or files). 

Automatically dispatches input playbooks with the 'sandbox' tag. This will produce a merge report and indicator tag for each input. 

Below is a list of other IOCs related to cryptodrainer scams.  

    hxxps://123-bti[.]pages[.]dev/ 
    hxxps://giveaway-omnicat[.]pages[.]dev/ 
    hxxps://visit-ait[.]pages[.]dev/ 
    hxxps://enrol-manta[.]network/ 
    hxxp://nfts-manta[.]network/ 
    hxxp://nftbonus-manta[.]network/ 
    hxxps://sea-manta[.]network/ 
    hxxps://sale-starknet[.]io/ 
    hxxps://gain-manta[.]pages[.]dev/ 
    hxxps://frame-343[.]pages[.]dev/ 
    hxxps://gainsatoshi[.]pages[.]dev/ 
    hxxps://visit-dymension[.]pages[.]dev/ 
    hxxps://manta11[.]pages[.]dev/ 
    hxxps://explore-satoshi[.]pages[.]dev/ 
    hxxps://governance-mantanetwork[.]pages[.]dev/ 
    hxxps://accept-satoshivmio[.]pages[.]dev/ 
    hxxps://preregistration-satoshivmio[.]pages[.]dev/ 
    hxxps://receive-altlayerio[.]pages[.]dev/ 
    hxxps://bonus-8u0[.]pages[.]dev/ 
    hxxps://reveal-manta[.]pages[.]dev/ 
    hxxp://acquire-satoshivm[.]io/ 
    hxxps://farcana123[.]pages[.]dev/ 
    hxxps://enlist-jup[.]app/ 
    hxxps://distributedymension[.]pages[.]dev/ 
    hxxps://visit-lineabuild[.]pages[.]dev/ 
    hxxps://1-67c[.]pages[.]dev/ 
    hxxps://registryzetachain[.]pages[.]dev/ 
    hxxps://gratitude-satoshivm[.]pages[.]dev/ 
    hxxps://whitelist-woo[.]pages[.]dev/ 
    hxxps://join-jupapp[.]pages[.]dev/ 
    hxxps://million-satoshivmio[.]pages[.]dev/ 
    hxxps://achieve-altlayer[.]pages[.]dev/ 
    hxxps://follow-satoshivm[.]io/

How do cryptocurrency drainer phishing scams work?

A report in March found that 72% of cryptocurrency projects had died since 2020, with crypto trading platform FTX’s downfall taking out many of them in one fell swoop.

Thursday, June 27, 2024 14:00

AI has since replaced “cryptocurrency” and “blockchain” as the cybersecurity buzzwords everyone wants to hear. 

We're not getting as many headlines about cryptocurrency miners, the security risks or promises of the blockchain, or non-fungible tokens being referenced on “Saturday Night Live.” 

A report in March found that 72% of cryptocurrency projects had died since 2020, with crypto trading platform FTX’s downfall taking out many of them in one fell swoop. This, in turn, means there are fewer instances of cryptocurrency mining malware being deployed in the wild — if cryptocurrencies aren’t as valuable, the return on investment for adversaries just isn’t there.  

But that still hasn’t stopped bad actors from using the cryptocurrency and blockchain spaces to carry out other types of scams that have cost consumers millions of dollars, as a few recent incidents highlight. 

In place of major cryptocurrencies, many bad faith actors are creating “memecoins,” which are cryptocurrencies usually themed around a particular internet meme or character meant to quickly generate hype. The most famous example, Dogecoin, themed after the “Doge” meme, was 72% below its peak value as of Wednesday. 

At one point, Dogecoin was at least worth something, which is more than can be said for most other memecoins launched today. Cryptocurrency news site CoinTelegraph found that one in six newly launched meme-themed cryptocurrencies are outright scams, primarily centered around getting users to spend real-world money to invest in currency before the creator just takes off with their funds. 

And 90% of the memecoins they studied contained at least one security vulnerability that could leave users open to abuse or theft. 

Singer Jason Derulo is even facing allegations that his “JASON” memecoin on the Solana blockchain platform is a scam after it hit a market cap of $5 million on June 23, and then the value fell almost immediately later that day. Separately, someone hacked rapper 50 Cent’s Twitter account to promote the “$GUINT” memecoin. Upon regaining control of his account, 50 Cent said that whoever committed the scam made $3 million in 30 minutes, with consumers putting money into the memecoin thinking it was legitimate, before the creator took off with the money almost immediately, leaving users unable to access their funds. 

Another popular scam still going around in this space is called the “rug pull,” where a cryptocurrency or NFT developer starts to hype up a new project to attract investor funds, only to completely shut down the project days or weeks later, taking investors’ assets with them. 

Blockfence, a Web3 security firm, found a collection of these scammers earlier this year, claiming they had stolen the equivalent of $32 million from more than 42,000 people across multiple rug pull scams. Unmoderated social media platforms have been rife for abuse for these types of scams, with semi-anonymous users with large followings finding it fairly easy to get a large amount of interest in whatever their latest “project” is in a short amount of time.  

The last example, I’m still not sure if it’s a scam yet. A new video game called “Banana” recently blew up on the Steam online store, even though it’s barely a video game. Users can open the game at fixed intervals and click a button to receive a “banana” in their Steam account. Some of these bananas, usually different artists' renderings of an image of the fruit, are extraordinarily rare and can be re-sold on Steam’s internal marketplace for real-world money. 

Some of these bananas have sold for more than $1,000, but most of the basic ones are only worth a few cents. To me, this looks and smells like an NFT. A former cryptocurrency scammer was once even connected to the project before the creators parted ways with him.  

I have no way of knowing any of this for sure, but there doesn’t seem to be any safeguards in place to ensure the creators of the game could rig it for themselves and give only themselves or close friends copies of the rarer items. And I’m not fully sure what the endgame is for the developers, since “Banana” is free to download and “play.”  

Thankfully, I’m not getting as many questions as I used to about NFTs and “the crypto” from extended family members. But just because it’s disappeared from mainstream consciousness doesn’t mean scammers have forgotten about this space, too. 

**The one big thing **

Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware. SneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries’ Ministries of Foreign Affairs or embassies. Talos recently revealed SneakyChef’s continuing campaign targeting government agencies across several countries in EMEA and Asia, delivering the SugarGh0st malware, however, we found a new malware we dubbed “SpiceRAT” was also delivered in this campaign.   

**Why do I care? **

SneakyChef has already targeted more than a dozen government ministries across the Eastern Hemisphere. Based on the lure documents Talos discovered the actor using, like targets for the campaign could include the Ministries of Foreign Affairs from Angola, India, Kazakhstan, Latvia, and Turkmenistan and the Saudi Arabian embassy in Abu Dhabi. This actor doesn’t seem to be deterred by much, either, as their actions have largely continued in the same manner since Talos first disclosed the existence of SugarGh0st several years ago, using the same TTPs and C2.  

**So now what? **

Talos could not find any of the lure documents used in the wild, so they were very likely stolen through espionage and slightly modified. This could make it more difficult to spot lure documents and spam emails, so users should pay closer attention to the sender’s email address if they are suspicious of any messages. We also released OSQueries, Snort rules and ClamAV signatures that can detect and block SneakyChef’s activities and the SpiceRAT malware.  

**Top security headlines of the week **

**A cyber attack that is stalling communication and sales at car dealerships around the U.S. is unlikely to be restored by the end of the month.** CDK Global, the victim of the campaign, reportedly told customers that they should prepare alternative methods for preparing month-end financial statements. Car dealerships use CDK to conduct sales, process financial information, and look up vehicles’ warranties and recalls. The outage is affecting more than 60 percent of Audi dealerships in the U.S. and about half of Volkswagen’s locations, forcing them to switch to pen-and-paper transactions and contracts or to drop sales altogether. One sales manager of an affected dealership told CNN it could take “months to correct, if not years,” the financial fallout of the outage. CDK first disclosed two back-to-back cyber attacks last week, both of which occurred on June 19. There are already two class action lawsuits against CDK, with plaintiffs alleging that the breach may have exposed customers’ and employees’ names, addresses, social security numbers and other financial information. (Reuters, CNN) 

**The list of victims resulting from a data breach at cloud storage provider Snowflake continues to grow.** Australian ticket sales platform Tiketek informed customers this week of a potential data breach, though it was not immediately clear if it was connected to Snowflake. Retailer Advance Auto Parts also said this week that said employee and applicant data — including social security numbers and other government identification information — were stolen during the breach. Clothing chain Neiman Marcus also filed regulatory documents in Maine and Vermont disclosing that the personal information of more than 64,000 people was potentially accessed because of the Snowflake breach. This information could include names, contact information, dates of birth and gift card numbers for the retailer. Security researchers at Mandiant first estimated that as many as 165 Snowflake customers could be affected. Snowflake says that internal investigations found that the breach was not caused by “a vulnerability, misconfiguration, or breach of Snowflake’s platform." (The Register, The Record by Recorded Future) 

**Adversaries quickly started exploiting another vulnerability in the MOVEit file transfer software, just hours after it was disclosed.** The high-severity vulnerability, CVE-2024-5806, could allow an attacker to authenticate to the file-transfer platform as any valid user with the accompanying privileges. The vulnerability exists because of an improper authentication issue in MOVEit’s SFTP module, which Progress, the creator of the software, says “can lead to authentication bypass in limited scenarios.” A different vulnerability in MOVEit was targeted in a rash of Clop ransomware attacks that eventually affected more than 160 victims, including the state of Maine, the University of California Los Angeles, and British Airways. Managed file transfer software (MFT) like MOVEit are popular targets for threat actors because they contain large amounts of sensitive information, which adversaries will steal and then use to extort victims. The Shadowserver Foundation posted on Twitter on Tuesday that they began seeing exploitation attempts shortly after details emerged about CVE-2024-5806. (Dark Reading, SecurityWeek) 

**Can’t get enough Talos? **

*   Cisco Talos: How Threat Actors Target MFA 
*   MFA plays a rising role in major attacks, research finds 
*   SpiceRAT: Cisco Talos Sound Alarm Over New Trojan 
*   Hack your water and electricity! Myth or Reality? 
*   Multiple vulnerabilities in TP-Link Omada system could lead to root access 
*   Talos Takes Ep. #188: Everything we know about denial-of-service attacks in 2024 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 484c74d529eb1551fc2ddfe3c821a7a87113ce927cf22d79241030c2b4a4aa74  
**MD5:** dc30cfd21bbb742c10e3621d5b506780  
**Typical Filename:** KMS-R@1nHook.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202  
**MD5:** e4acf0e303e9f1371f029e013f902262  
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe  
**Claimed Product:** FileZilla  
**Detection Name:** W32.Application.27hg.1201

We’re not talking about cryptocurrency as much as we used to, but there are still plenty of scammers out there

By Nick Biasini with contributions from Kendall McKay and Guilherme Venere
Headlines continue to roll in about the many implications and follow-on attacks originating from leaked and/or stolen credentials for the Snowflake cloud data platform.

Adversaries obtained stolen login credentials for Snowflake accounts acquired via information-stealing malware and used

Thursday, June 27, 2024 08:01

_By Nick Biasini with contributions from Kendall McKay and Guilherme Venere_

Headlines continue to roll in about the many implications and follow-on attacks originating from leaked and/or stolen credentials for the Snowflake cloud data platform.

  
Adversaries obtained stolen login credentials for Snowflake accounts acquired via information-stealing malware and used those credentials — which weren’t protected by multi-factor authentication (MFA) — to infiltrate Snowflake customers’ accounts and steal sensitive information. However, Snowflake isn’t the issue here. This incident is indicative of a much larger shift we’ve seen on the threat landscape for a while — and it focuses on identity.

  
Over the past few decades, we’ve seen the criminal threat landscape collapse under the ransomware / data extortion umbrella, which is generating so much revenue everyone is trying to grab their piece of the pie. This has been a stark transformation from a loosely associated group of criminals searching for credit card numbers to steal, and spam messages to send to large syndicates that generate, according to the FBI, more than a billion dollars in revenue annually.

**Infostealer logs are a gold mine**

As part of our regular intelligence discussions, Talos reviews all Cisco Talos Incident Response (Talos IR) engagements. Ransomware/data extortion typically dominate engagements, with business email compromise (BEC) periodically rising to the top, but more broadly, we’ve seen the ways these actors gain initial access continue to diversify.

  
Early on, active exploitation of known vulnerabilities or other critical misconfigurations would dominate the initial compromise leading to the breach. Lately, the sources have broadened with a focus on compromised, legitimate credentials. These credentials originate from a wide array of sources from generic phishing campaigns and infostealers to insider threats, valid credentials are the ideal cover for malicious activities. This is further supported with information from the most recent Talos IR Quarterly Trends report, where the top infection vector was valid accounts. This problem extends far beyond compromised credentials with large-scale brute force and password spraying attacks occurring regularly.

  
Infostealers specifically are commonly cited as a source of credentials for these breaches and have been reportedly involved in the recent wave. Many defenders think the infostealers landscape is a monolith with individual actors compromising victims and gathering credentials, but the truth is these are highly organized widely distributed campaigns. The groups have congregated online in Telegram chat rooms where credentials are sold by the thousands or tens of thousands. These actors operate large scale campaigns, gather, vet, and organize the credentials they harvest ready to sell to the highest bidder. This ecosystem includes providing tooling for searching and extracting specific types of data from the logs and validating the credentials before offering.

Advertisement for one of the infostealer log services.

Cisco Talos has sat in these channels and seen thousands of personal credentials for things like Google, Facebook, Netflix, etc. posted for free as a teaser to the larger services they offer. For a fee, actors can get timed access to a repository of credentials to search and use freely. The cost to access these tools varies, but considering a compromised set of enterprise credentials could result in a multi-million-dollar ransom, it’s a minute price to pay.

Free infostealer log offering in Telegram channel.

These channels are full of would-be criminals trying to gain the foothold necessary for their nefarious activities. So far, the focus has been on ransomware and data extortion, but BEC actors can also earn payouts from valid enterprise credentials — even the basic accounts tied to organizations like Google can be a windfall. The Cisco breach from several years ago originated with Google credentials and a password vault that contained their corporate credentials.

  
Today in many enterprises, the credentials alone aren’t enough, as organizations worked diligently to deploy MFA to improve their security baselines. The challenge is that the application isn’t consistent, and the focus has largely been on the enterprise (domain) itself.

**Protect data with MFA, not just assets**

Organizations have heeded the constant drone of security professionals pushing for deployment of MFA across the organization and its helped. We’ve seen a huge increase in attacks designed to defeat the protections MFA provides. We constantly observe things like MFA fatigue and social engineering to defeat MFA. This is further supported from the IR Quarterly Trends report, where for the first time, MFA push notifications was the top observed security weakness. Improper MFA implementation was also found in nearly as many engagements. Likewise, MFA itself has gone through some iterations with basic push notifications being insufficient for modern attackers. Now, challenge-based authentication is recommended for all MFA deployments. Actors have noticed, and this recent issue with Snowflake credentials has shown you need to protect data, not just assets, and corporate data is everywhere.

  
Software as a service (SaaS) has revolutionized business and provided advanced sales tools and analytics to a wide array of industries, facilitating growth and expansion. The problem is it requires data to leave the organization’s safe haven. Most medium- to large-sized organizations today are heavily invested in the cloud, if not multi-tenet cloud environments, with data and resources spread across multiple vendors around the globe. This creates many points of entry for attackers that might be more focused on data exfiltration than unauthorized encryption in 2024.

  
We’ve noticed a marked shift over the last year or two with larger cartels increasingly focusing on the data they can exfiltrate over the data they can encrypt. There are a variety of factors driving this shift, most importantly technology is catching up. We are seeing more pre-ransomware engagements that are detected and stopped before deployment in our emergency responses (ERs), an important shift from the years prior. Organizations are prepared and ready to respond to ransomware and have solid, practiced recovery processes to minimize any effects of data encryption. This has driven actors to focus on the data they can steal over the data they can encrypt.

  
Actors running large scale infostealer campaigns have compromised tens of thousands, if not millions, of accounts and the breadth of accounts is extensive. Modern infostealers will gather credentials from web browsers, applications, and the system themselves to even include crypto wallets. For many organizations, this includes the SaaS applications that house sensitive data that, when stolen, can result in financial damage. It’s obvious criminals have taken notice — the recent activity was linked to Snowflake, but all SaaS providers and other organizations that house business-critical data for organizations are at risk.

**What can defenders do?**

The solution to this problem isn’t going to sound novel, in fact it's going to sound quite familiar. Primarily, anywhere critical data is housed, it needs to be protected with MFA. Organizations should conduct audits of all external data houses and ensure that the vendor supports MFA, and that MFA has been configured along with whatever logging capabilities are available, specifically associated with authentication.

  
The next thing organizations need to do is acknowledge and act on infostealer infections with urgency. Once an infostealers is detected, assume that all credentials on that system have been compromised, work quickly and effectively to remediate by resetting the passwords, remembering this spreads far beyond just the enterprise itself. Speed is of the utmost importance, as high-value credentials will be sold and actioned quickly. The goal is to make sure that whoever purchases the credentials cannot access critical data. Additionally, ensuring your users have a vetted and trusted way to store passwords is critical. By having an approved mechanism, you avoid credentials ending up stored in web browsers and easy picking for infostealers.

  
In a perfect world, we’d expect MFA to be deployed everywhere, but that’s not realistic. For instances where MFA cannot be deployed, there are a couple mechanisms to increase security and protection. If possible, limit the access of these accounts to the absolute least privilege. If internal assets are going to be accessed, look at deploying jump boxes. This creates a single point of connection where increased scrutiny can be applied. All non-MFA protected accounts should have increased visibility and all security alerts generated from these accounts should be investigated quickly and effectively.

  
As attackers continue to shift focus to the data they are trying to steal organizations need to take an honest look at where this data is housed and what data protections are in place to ensure you don’t end up in the headlines for stolen data being sold to the highest bidder, even if that bidder is the compromised organization itself.

Snowflake isn’t an outlier, it’s the canary in the coal mine

Affected devices could include wireless access points, routers, switches and VPNs.

Multiple vulnerabilities in TP-Link Omada system could lead to root access

The new remote access trojan (RAT) dubbed SpiceRAT was used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia.

*   Cisco Talos discovered a new remote access trojan (RAT) dubbed SpiceRAT, used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia. 
*   We observed that SneakyChef launched a phishing campaign, sending emails delivering SugarGh0st and SpiceRAT with the same email address. 
*   We identified two infection chains used to deliver SpiceRAT utilizing LNK and HTA files as the initial attack vectors. 

_Cisco Talos would like to thank the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this investigation._ 

**SneakyChef delivered SpiceRAT to target Angola government with lures from Turkmenistan news agency **

Talos recently revealed SneakyChef’s continuing campaign targeting government agencies across several countries in EMEA and Asia, delivering the SugarGh0st malware (read the corresponding research here). However, we found a new malware we dubbed “SpiceRAT” was also delivered in this campaign.  

SneakyChef is using a name "ala de Emissão do Edifício B Mutamba" and the email address “dtti.edb@\[redated\]” to send several phishing emails with at least 28 different RAR file attachments to deliver either SugarGh0st or SpiceRAT. 

One of the decoy PDFs that we analysed in this campaign was dropped by a RAR archive, delivered as an attachment in the emails likely targeted Angolan government agencies. The decoy PDF contained lures from the Turkmenistan state-owned news media “ТУРКМЕНСКАЯ ГОСУДАРСТВЕННАЯ ИЗДАТЕЛЬСКАЯ СЛУЖБА” (Neytralnyy Turkmenistan), indicating that the actor has likely downloaded the PDF from their official website. We also found that a similar decoy PDF from the same news agency was dropped by the RAR archive that delivered the SugarGh0st malware in this campaign, highlighting that SneakyChef has SugarGh0st RAT and SpiceRAT payloads in their arsenal.   

__Decoy PDF samples of SugarGh0st and SpiceRAT attacks.__

**Two infection chains **

Talos discovered two infection chains employed by SneakyChef to deploy SpiceRAT. Both infection chains involved multiple stages launched by an HTA or LNK file.  

**LNK-based infection chain  **

The LNK-based infection chain begins with a malicious RAR file that contains a Windows shortcut file (LNK) and a hidden folder. This folder contains multiple components, including a malicious executable launcher, a legitimate executable, a malicious DLL loader, an encrypted SpiceRAT masquerading as a legitimate help file (.HLP) and a decoy PDF. The table below shows an example of the components of this attack chain and the description. 

File Name 

Description 

2024-01-17.pdf.lnk 

Malicious shortcut file  

LaunchWlnApp.exe 

Windows EXE to open decoy PDF and run a legitimate EXE 

dxcap.exe 

Benign executable to side-load the malicious DLL 

ssMUIDLL.dll 

Malicious DLL loader 

CGMIMP32.HLP 

Encrypted SpiceRAT

Microsoftpdf.pdf 

Decoy PDF  

When the victim extracts the RAR file, it drops the LNK and a hidden folder on their machine. After a victim opens the shortcut file, which masqueraded as a PDF document, it executes an embedded command to run the malicious launcher executable from the dropped hidden folder.  

__Sample LNK file that starts the malicious launcher EXE.__

This malicious launcher executable is a 32-bit binary compiled on Jan. 2, 2024. When launched by the shortcut file, it reads the victim machine’s environment variable, the execution path of the legitimate executable and the path of the decoy PDF document and runs them using the API ShellExecuteW.  

__Sample function that starts the legitimate EXE and opens the decoy document.__

The legitimate file is one of the components of SpiceRAT infection, which will sideload the malicious DLL loader to decrypt and launch the SpiceRAT payload.  

**HTA-based infection chain **

The HTA-based infection chain also begins with a RAR archive delivered with the email. The RAR file contains a malicious HTA file. When the victim runs the malicious HTA file, the embedded malicious Visual Basic script executes and drops the embedded base64-encoded downloader binary into the victim’s user profile temporary folder, disguised as a text file named “Microsoft.txt.” 

After dropping the malicious downloader executable, the HTA file executes another function, which drops and executes a Windows batch file in the victim’s user profile temporary folder, named “Microsoft.bat.”  

The malicious batch file performs the following operations on the victim’s machine: 

*   The certutil command decodes the base64-encoded binary data from “Microsoft.txt” and saves it as “Microsoft.exe” in the victim’s user profile temporary folder.  

certutil -decode %temp%\\\\Microsoft.txt %temp%\\\\Microsoft.exe

*   It creates a Windows scheduled task that runs the malicious downloader every five minutes, supressing any warnings that it triggers when the same task name existed.  

schtasks /create /tn MicrosoftEdgeUpdateTaskMachineClSAN /tr %temp%\\\\Microsoft.exe /sc minute -mo 5 /F 

*   The batch script creates another Windows task named “MicrosoftDeviceSync” to run a downloaded legitimate executable “ChromeDriver.exe” every 10 minutes.  

schtasks /create /tn MicrosoftDeviceSync /tr C:\\\\ProgramData\\\\Chrome\\\\ChromeDirver.exe /sc minute -mo 10 /F 

*   After establishing persistence with the Windows scheduled task, the batch script runs three other commands to erase the infection markers. This includes deleting the Windows task named MicrosoftDefenderUpdateTaskMachineClSAN and removing the encoded downloader “Microsoft.txt,” the malicious HTA file, and any other contents unpacked from the RAR file attachment.  

schtasks /delete /f /tn MicrosoftDefenderUpdateTaskMachineClSAN 

del /f /q %temp%\\\\Microsoft.txt %temp%\\\\Microsoft.hta 

del %0 

The malicious downloader is a 32-bit executable compiled on March 5, 2024. After running on the victim’s machine through the Windows task MicrosoftEdgeUpdateTaskMachineClSAN, it downloads a malicious archive file “chromeupdate.zip” from an attacker-controlled server through a hardcoded URL and unpacks its contents into the folder at “C:\\ProgramData\\Chrome”. The unpacked files are the components of SpiceRAT.  

__A sample function of the malicious downloader.__

**Analysis of SpiceRAT **

Both infection chains eventually drop the SpiceRAT files into victim machines. The SpiceRAT files include four main components: a legitimate executable file, a malicious DLL loader, an encrypted payload and the downloaded plugins.  

**The loader components of SpiceRAT ****Legitimate executable **

The threat actor is using a legitimate executable (named “RunHelp.exe”) as a launcher to sideload the malicious DLL loader file (ssMUIDLL.dll). This legitimate executable is a Samsung RunHelp application signed with the certificate of "Samsung Electronics CO., LTD.” In some instances, it has been observed masquerading as “dxcap.exe,” a DirectX diagnostic included with Visual Studio, and “ChromeDriver.exe,” an executable that Selenium WebDriver uses to control the Google Chrome web browser. 

__File properties and digital signature details of the legitimate executable.__

The legitimate Samsung helper application typically loads a DLL called “ssMUIDLL.dll.” In this attack, the threat actor abuses the application by sideloading a malicious DLL loader that is masquerading as the legitimate DLL and executes its exported function GetFulllangFileNamew2. 

__Sample function that side-loads the malicious DLL.__

**Malicious DLL loader **

The malicious loader is a 32-bit DLL compiled on Jan. 2, 2024. When its exported function GetFullLangFileNameW2() is run, it copies the downloaded legitimate executable into the folder "C:\\Users\\<user>\\AppData\\Local\\data\\” as “dxcap.exe” along with the malicious DLL “ssMUIDLL.dll” and the encrypted SpiceRAT payload “CGMIMP32.HLP.”  

__A sample function copies the SpiceRAT components.__

It executes the schtasks command to create a Windows task named “Microsoft Update,” configured to run “dxcap.exe” every two minutes. This technique establishes persistence at multiple locations on the victim's machine to maintain resilience.    

schtasks  -CreAte -sC minute -mo 2 -tn "Microsoft Update" -tr "C:\\Users\\<User>\\AppData\\Local\\data\\dxcap.exe" 

__A sample function that creates Windows task.__

Then the loader DLL takes the snapshot of the running processes in the victim machine and checks if the legitimate executable that sideloads this malicious DLL is being debugged by querying its process information using “NtQueryInformationProcess.” 

The loader DLL executes another function that loads the encrypted file “CGMIMP32.HLP,” which is masquerading as a legitimate Windows help file into memory and decrypts it using the RC4 encryption algorithm. In one of the samples, we found that the DLL used a key phrase “{11AADC32-A303-41DC-BF82-A28332F36A2E}” for decrypting SpiceRAT in memory. After decryption, the loader DLL injects and runs the SpiceRAT from memory to its parent process “dxcap.exe.”  

__A sample function that decrypts the SpiceRAT in memory.__

**The SpiceRAT payloads **

Talos discovered that SneakyChef has employed SpiceRAT and its plugin as the payloads in this campaign. With the capability to download and run executable binaries and arbitrary commands, SpiceRAT significantly increases the attack surface on the victim’s network, paving the way for further attacks.  

SpiceRAT is a 32-bit Windows executable with three malicious export functions GetFullLangFileNameW2, WinHttpPostShare and WinHttpFreeShareFree. Initially, it executes the GetFullLangFileNameW2 function, creating a mutex as an infection marker on the victim machine. The mutex name is hardcoded in the RAT binary. We spotted two different mutex names among the SpiceRAT samples that we analyzed: 

*   {00866F68-6C46-4ABD-A8D6-2246FE482F99}  
*   {00861111-3333-4ABD-GGGG-2246FE482F99} 

After the Mutex is created, the RAT collects reconnaissance data from the victim’s machine, including the operating system’s version number, hostname, username, IP address and the system’s network card hardware address (MAC address). The reconnaissance data is then encrypted and stored in the machine’s memory. 

__A sample function that encrypts the reconnaissance data in memory.__

During runtime, the RAT loads the WININET.dll file and imports the addresses of its functions to prepare for C2 communication.  

__A sample function that loads the APIs of WININET.dll.__

Once the function addresses of WININET.dll are imported, the RAT executes the WinHttpPostShare function to communicate with the C2. It connects to the C2 server with a hardcoded URL in the binary and through the HTTP POST method.  

 

 

Then, it attempts to read and send the encrypted stream of reconnaissance data and user credentials from memory to the C2 server. The C2 server responds with an encrypted message enclosed with HTML tags in the format “<HTML><encrypted Response> </HTML>”. The RAT decrypts the response and writes them into the memory stream.  

We discovered that the C2 server sends an encrypted stream of binary to the RAT. The RAT decrypts the binary stream into a DLL file in the memory and executes its exported functions. The decrypted DLL functions as a plugin to the SpiceRAT.  

 __Sample function of SpiceRAT executing the export functions of plugin.__ 

**SpiceRAT plugin enables further attacks  **

SpiceRAT plugin is a 32-bit dynamic link library compiled on March 28, 2023. The plugin has an original filename “Moudle.dll” and has two export functions: Download and RunPE. 

The Download function of the plugin appears to access decrypted response data from the C2 server stored in the victim’s memory and writes them into a file on disk, likely as commanded by the C2.  

__The downloader function of SpiceRAT plugin.__

The RunPE function appears to execute arbitrary commands or binaries that were likely sent from C2 using the WinExec API.  

__A sample function to run a PE file.__ 

**C2 communications **

SneakyChef’s infrastructure includes the malware’s download and command and control (C2) servers. In one attack, the threat actor hosted a malicious ZIP archive on the server 45\[.\]144\[.\]31\[.\]57 and hardcoded the following URL in a malicious downloader executable.  

http://45[.]144[.]31[.]57:80/S1VRB0HpMXR79eStog35igWKVTsdbx/chromeupdate.zipservers

We observed that the threat actor used IP addresses and domain names to connect to the C2 servers in different samples of SpiceRAT in this campaign. Our research uncovered various C2 URLs hardcoded in SpiceRAT samples.  

*   hxxp\[://\]94\[.\]198\[.\]40\[.\]4/homepage/index.aspx 
*   hxxp\[://\]stock\[.\]adobe-service\[.\]net/homepage/index.aspx 
*   hxxp\[://\]app\[.\]turkmensk\[.\]org\[/\]homepage\[/\]index.aspx 

One of the C2 servers, 94\[.\]198\[.\]40\[.\]4, was found to be running Windows Server 2016 and hosted on the M247 network, which is frequently abused by APT groups. Passive DNS resolution data indicate that the IP address 94\[.\]198\[.\]40\[.\]4 resolved to the domain app\[.\]turkmensk\[.\]org and we found another SpiceRAT sample in the wild that communicated with this domain.  

Further analysis of the C2 server 94\[.\]198\[.\]40\[.\]4 uncovered a unique C2 communication pattern of SpiceRAT. The SpiceRAT initially sends the encrypted reconnaissance data to the C2 URL through the HTTP POST method. The C2 server then responds with an encrypted message embedded in the HTML tags.   

We observed that the SpiceRAT and its C2 servers use a three-byte prefix for their first three requests and responses, as shown in the table below. 

C2 server response prefix 

Our analysis suggests that the second request that SpiceRAT sends likely contains the encrypted stream of the victim’s machine user credentials. We found that for the third request that SpiceRAT sends from the victim machine, the C2 server responds with an encrypted stream of the SpiceRAT’s plugin binary. SpiceRAT then decrypts and injects the plugin DLL reflectively.  

Once the plugin is downloaded and implanted on the victim’s machine, SpiceRAT sends another request with the prefix “wG.” The C2 server responds with an unencrypted message “<HTML>D\_OK<HTML>”, likely to get a confirmation of successful payload download.  

**TTPs overlap with other malware campaigns  **

Talos assesses with medium confidence that the actor SneakyChef, using SpiceRAT and SugarGh0st RAT is a Chinese-speaking actor based of the language observed in the artifacts and overlapping TTPs with other malware campaigns.  

In this campaign, we saw that SpiceRAT leverages the sideloading technique, utilizing a legitimate loader alongside a malicious loader and the encrypted payload. Although sideloading is a widely adopted tactic, technique and procedure (TTP), the choice to use the Samsung helper application to sideload the malicious DLL masquerading “ssMUIDLL.dll” file is particularly notable. This method has been previously observed in the PlugX and SPIVY RAT campaigns. 

**Coverage **

 Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SID for this threat is 63538. 

ClamAV detections are also available for this threat: 

Win.Trojan.SpiceRAT-10031450-0 

Win.Trojan.SpiceRATPlugin-10031560-0 

Win.Trojan.SpiceRATLauncher-10031652-0 

Win.Trojan.SpiceRATLauncherEXE-10032013-0 

**Indicators of Compromise **

Indicators of Compromise associated with this threat can be found here.

Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia

Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023.

Friday, June 21, 2024 08:00

*   Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023.  
*   In the newly discovered campaign, we observed a wider scope of targets spread across countries in EMEA and Asia, compared with previous observations that mainly targeted South Korea and Uzbekistan.   
*   SneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries’ Ministries of Foreign Affairs or embassies. 
*   Beside the two infection chains disclosed by Talos in November, we discovered an additional infection chain using SFX RAR files to deliver SugarGh0st.  
*   The language used in the SFX sample in this campaign reinforces our previous assertion that the actor is Chinese speaking.   

_Cisco Talos would like to thank the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this investigation._ 

**SneakyChef actor profile **

In early August 2023, Talos discovered a campaign using the SugarGh0st RAT to target users in Uzbekistan and South Korea. We continued to observe new activities using the same malware to target users in a wider geographical location. Therefore, we created an actor profile for the group and dubbed them “SneakyChef.” 

Talos assesses with medium confidence that SneakyChef operators are likely Chinese-speaking based on their language preferences, the usage of the variants of Gh0st RAT — a popular malware among various Chinese-speaking actors — and the specific targets, which includes the Ministry of Foreign affairs of various countries and other government entities. Talos also discovered another RAT dubbed “SpiceRAT” used in the campaign. Read the corresponding research here.

**Targets across EMEA and Asia **

Talos assess with low confidence that the following government agencies are the potential targets in this campaign based on the contents of the decoy documents: 

*   Ministry of Foreign affairs of Angola 
*   Ministry of Fisheries and Marine Resources of Angola  
*   Ministry of Agriculture and Forestry of Angola 
*   Ministry of Foreign affairs of Turkmenistan 
*   Ministry of Foreign affairs of Kazakhstan 
*   Ministry of Foreign affairs of India 
*   Embassy of the Kingdom of Saudi Arabia in Abu Dhabi 
*   Ministry of Foreign affairs of Latvia  

Most of the decoy documents we found in this campaign are scanned documents of government agencies, which do not appear to be available on the internet. During our research, we observed and analyzed various decoy documents with government-and research conference-themed lures in this campaign. We are sharing a few samples of the decoy documents accordingly. 

**Lures targeting Southern African countries **

The threat actor has used decoy documents impersonating the Ministry of Foreign affairs of Angola. The lure content in one of the sample documents appeared to be a circular from the Angolan Ministry of Fisheries and Marine Resources about a debt conciliation meeting between the ministry authority and a financial advisory company.  

Another document contained information about a legal decree concerning state or public assets and their disposal. This document appealed to anyone interested in legal affairs and public heritage regimes and was addressed to the Ministry of Foreign Affairs – MIREX, a centralized institution in Luanda. 

 

 

**Lures targeting Central Asian countries **

The decoy documents used in the attacks likely targeting countries in Central Asia were either impersonating the Ministry of Foreign affairs of Turkmenistan or Kazakhstan. One of the lures is related to a meeting organized with the Turkmenistan embassy in Argentina and the heads of transportation and infrastructure of the Italian Republic. Another document was a report of planned events and the government-issued list of priorities to be addressed in the year 2024 that includes a formal proclamation-signing event between the Ministry of Defense of Uzbekistan and the Ministry of Defense of Kazakhstan. 

 

 

**Lures targeting Middle Eastern countries **

A decoy document we observed in the attack likely targeting Middle Eastern countries was an official circular regarding the declaration of an official holiday for the Founding Day of the Kingdom of Saudi Arabia.  

**Lures targeting Southern Asian countries **

We found another sample that was likely used to target the Indian Ministry of Foreign Affairs. It has decoy documents, including an Indian passport application form, along with a copy of an Aadhar card, a document that serves as proof of identity in India.  

 

 

One of the decoy Word documents we observed contained lures related to India-U.S. relations, including a list of events involving interactions between India’s prime minister and the U.S. president. 

**Lures targeting European countries **

A decoy document found in a sample likely targeting the Ministry of Foreign Affairs of Latvia was a circular impersonating the Embassy of Lithuania. It contained a lure document regarding an announcement of an ambassador’s absence and their replacement. 

**Other targets **

Along with the government-themed decoy document samples we analyzed, we observed a few other samples from these campaigns. These included decoys such as an application form to register for a conference run by the Universal Research Cluster (URC) and a research paper abstract of the ICCSE international conference. We also saw a few other decoys related to other conference invitations and details, including those for the Political Science and International Relations conference.   

 

 

Recently, Proofpoint researchers reported a SugarGh0st campaign targeting an organization in the U.S. involved in artificial intelligence across academia, the private technology sector, and government services, highlighting the wider adoption of SugarGh0st RAT in targeting various business verticals. 

**Threat actor continues to leverage old and new C2 domains **

After Talos’ initial disclosure of SugarGh0st campaign in November 2023, we are attributing the past attacks to the newly named threat actor SneakyChef. Despite our disclosure, SneakyChef continued to use the C2 domain we mentioned and deployed the new samples in the following months after our blog post. Most of the samples observed in this campaign communicate with the C2 domain account\[.\]drive-google-com\[.\]tk, consistent with their previous campaign. Based on Talos’ Umbrella records, resolutions to the C2 domain were still observed until mid-May.  

DNS requests for the SugarGh0st C2 domain. 

Talos also observed the new domain account\[.\]gommask\[.\]online, reported by Proofpoint as being used by SugarGh0st. The domain was created in March 2024, and queries were observed through April 21.  

**Infection chain abuse SFX RAR as the initial attack vector **

With Talos’ first reporting of the SugarGh0st campaign in November, we disclosed two infection chains that utilized a malicious RAR with an LNK file, likely delivered via phishing email. In the newly observed campaign, in addition to the old infection chains, we discovered a different technique from a few malicious RAR samples.  

The threat actor is using an SFX RAR as the initial vector in this attack. When a victim runs the executable, the SFX script executes to drop a decoy document, DLL loader, encrypted SugarGh0st, and a malicious VB script into the victim’s user profile temporary folder and executes the malicious VB script.  

The malicious VB script establishes persistence by writing the command to the registry key UserInitMprLogonScript which executes when a user belonging to either a local workgroup or domain logs into the system. 

HKCU\\Environment\\UserInitMprLogonScript 

regsvr32.exe /s %temp%\\update.dll 

When a user logs into the system, the command runs and launches the loader DLL “update.dll” using regsvr32.exe. The loader reads the encrypted SugarGg0st RAT “authz.lib”, decrypts it and injects it into a process. This technique is same as that of the SugarGh0st campaign disclosed by the Kazakhstan government in February. 

**Coverage **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SID for this threat is 62647. 

ClamAV detections are also available for this threat: 

Win.Trojan.SugarGh0stRAT-10014937-0 

Win.Tool.DynamicWrapperX-10014938-0 

Txt.Loader.SugarGh0st\_Bat-10014939-0 

Win.Trojan.SugarGh0stRAT-10014940-0 

Lnk.Dropper.SugarGh0stRAT-10014941-0 

Js.Trojan.SugarGh0stRAT-10014942-1 

Win.Loader.Ramnit-10014943-1 

Win.Backdoor.SugarGh0stRAT-10014944-0 

Win.Trojan.SugarGh0st-10030525-0 

Win.Trojan.SugarGh0st-10030526-0 

**Orbital Queries **

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries related to this threat, please follow the links: 

*   SugarGh0st RAT file detected 
*   SugarGh0st RAT Registry key  

**Indicators of Compromise **

Indicators of Compromise associated with this threat can be found here

Source

TALOS