Cisco Talos is disclosing a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing the use of GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as “HeavyLift.”

Operation Celestial Force employs mobile and desktop malware to target Indian entities

Against a backdrop of political conflict, a years-long cyber-espionage campaign in South Asia is coming to light.

Source: Frank Nowikowski via Alamy Stock Photo

A Pakistani threat actor has been spying on Indian government-associated entities for at least six years now.

A new report from Cisco Talos has collated years of cyber espionage by a group it calls "Cosmic Leopard," under the umbrella title "Operation Celestial Force." The Pakistan-based Cosmic Leopard overlaps with but as yet remains distinct from the threat actor known as Transparent Tribe. Cosmic Leopard's attacks focus on espionage and surveillance against individuals and organizations associated with India's government and defense sectors, as well as related technology companies.

"What we're seeing is constant, persistent efforts to infect targets of interest, and establish long-term access," says Asheer Malhotra, Cisco outreach researcher. "I'm pretty sure that the threat actors themselves don't know specifically what they're looking for. The intention here is to get as much data as they can, so that they can analyze it and then figure it out at a later stage."

**Operation Celestial Force**

Signs of Cosmic Leopard activity date back to 2016, when it created a Windows version of its GravityRAT Trojan.

Since then, Malhotra says, "We've seen a constant evolution in everything they do, basically."

In 2019, for example, the group developed its HeavyLift malware loader, and Android versions of GravityRAT for targeting mobile devices. MacOS, too. "We've also seen a constant evolution in the TTPs \[tactics, techniques, and procedures\] used by the threat actor. They used to send out phishing messages; now they establish conversations with victims over social media channels. At the same time, they're setting up new infrastructure which they can use to outrun detection," he explains.

In all, a current Celestial Force attack will look something like this:

First, a spear-phishing email or social media message arrives, containing a malicious document or, more often, a link. The link will seem like a website for downloading a legitimate Android application that, in fact, masks GravityRAT or HeavyLift.

GravityRAT is a fairly standard but powerful mobile Trojan. It can read and delete SMS messages, call logs, and files as well as other device information — about the SIM card, phone number, IMEI, manufacturer, network operator, location, and more.

HeavyLift is an executable masked as a legitimate installer. Typically, it installs both a harmless decoy application and a malicious one on the device. The malicious component can gather and exfiltrate a variety of system data, download further payloads, and check if it's running in a virtual machine.

It doesn't have to do any of that, however, to be effective.

"HeavyLift has a component that can download and run additional malware on the victim system, but it also gives the victim the ability to upload data to the threat actors' cloud," Malhotra explains. In some scenarios, the threat actor simply tells a target over social media about their cloud storage application. "The threat actor is being upfront about it. They say this is a cloud storage application, you can store all of your data in it. And once the target starts uploading all of their data, they have access to it, so they don't need to go in and steal from them."

It works so well, says Cisco lead security researcher Vltor Ventura, because "If you go to the site, if you go through the UI, it's really, really well done. Even while we were investigating the malware, it seemed almost like a legitimate application. It started a discussion between us — like, OK, is this really malicious or not?"

**Preventing Infections**

Luckily, steering clear of these attacks on mobile devices is simple: only download software from authorized app stores (for Android, that's Google Play). "Unless the attacker uses a zero-day, or n-day if the system is not updated, that's pretty much the only way they can get into the Android ecosystem," Ventura notes.

Windows computers lack this simple fix, but they have an advantage all their own.

"When you think about Android, organizations don't have that much visibility to what's going on these devices. It's a harder environment for organizations to control. With laptops, there is better visibility," Ventura explains.

With that extra visibility, organizations can apply layered security to prevent one employee's wayward click from becoming an organizationwide issue.

"When people get a link or when they get a file, they want to see what's inside," he says. Rather than denying reality, "we need to go to the next level, and prevent that \[decision\] from becoming something much worse."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Pakistani Hacking Team 'Celestial Force' Spies on Indian Gov't, Defense

An RCE vulnerability that affects the Web scripting language on Windows systems is easy to exploit and can provide a broad attack surface.

Source: Vladimir Stanisic via Alamy Stock Photo

A threat group is exploiting a critical, easily exploitable PHP bug for remote code execution (RCE) in living-off-the-land style ransomware attacks that target businesses and individuals running both Windows and Linux systems.

TellYouThePass is a ransomware group active since 2019 that attacks victims using known vulnerabilities, particularly those found within open source Web development languages, including the widely exploited Apache Log4j (CVE-2021-44228) and the Apache ActiveMQ Server RCE bug tracked as CVE-2023-46604, according to a blog post published this week by Imperva Threat Research.

Lately the group has been exploiting a critical RCE vulnerability found within the PHP scripting language discovered earlier this month and tracked as CVE-2024-4577. "We noticed a few campaigns, including WebShell upload attempts and several attempts to place ransomware on a target system," the researchers said.

Similar to Java, PHP is a commonly used language in Web development, making any flaws that affect it a broad attack surface for attackers. If the Log4j flaw is any indication, these types of vulnerabilities can set off a viral stream of attacks that can plague organizations and their respective security posture for years.

**Critical Flaw With Public Exploit**

CVE-2024-4577 is an argument-injection vulnerability that stems from errors in character-encoding conversions in PHP, particularly impacting the "Best Fit" feature on Windows systems. "It poses significant risks, potentially allowing malicious actors to execute arbitrary code on vulnerable servers," according to analysis of the flaw by Beagle Security.

Researchers at watchTowr released a proof-of-concept (PoC) exploit script for CVE-2024-4577 on their GitHub page on June 7, demonstrating that the bug was not difficult to exploit.

Apparently TellYouThePass got the memo and has pounced on the flaw to execute arbitrary PHP code on the target system, according to Imperva. Specifically, the group is "leveraging the code to use the 'system' function to run an HTML application file hosted on an attacker-controlled Web server via the mshta.exe binary," according to the post. Mshta.exe is a native Windows binary that can execute remote payloads; thus, the attack vector shows the group operating in a living-off-the-land style.

**How TellYouThePass Attacks**

First identified by security researchers in 2019, TellYouThePass and its ransomware has taken "various forms over the years," according to Imperva. Most recently, variants of the malware have taken the form of .NET samples delivered using HTML applications.

"The initial infection is performed with the use of an HTA file (dd3.hta), which contains a malicious VBScript," according to the post. "The VBScript contains a long base64 encoded string, which when decoded reveals bytes of a binary, which are loaded into memory during runtime."

Further analysis of the executable reveals that the ransomware is a .NET variant that upon initial execution sends an HTTP request to the command-and-control (C2) server containing details about the infected machine as a notification of infection. "The callback masquerades as a request to retrieve CSS resources likely designed to evade detection," according to Imperva.

Once executed, the ransomware enumerates directories, kills processes, generates encryption keys, and encrypts files within each enumerated directory that has a defined file extension. Its final act is to publish a ReadMe message in the Web root directory that provides victims the info they need to respond to the attack.

**Avoiding Compromise via CVE-2024-4577**

The issue affects PHP versions 8.1. before 8.1.29; 8.2. before 8.2.20; and 8.3. before 8.3.8 when using Apache and PHP-CGI on Windows. PHP versions 8.1.29, 8.2.20 and 8.3.8 patch the flaw.

There are other ways that organizations can mitigate exploit of the PHP flaw as well as avoid ransomware attacks in general. Patching affected systems would be the first obvious mitigation of CVE-2024-4577; however, as seen with Log4j, sometimes it's difficult to update every system that is affected by a flaw in a Web scripting language.

One way to minimize exploitation of the flaw is to disable running PHP with CGI mode enabled, according to an analysis of the flaw posted online by DEVCORE. "Since PHP CGI is an outdated and problematic architecture, it's still recommended to evaluate the possibility of migrating to a more secure architecture such as Mod-PHP, FastCGI, or PHP-FPM," according to the post.

Some general best practices to avoid being compromised by ransomware include having strong awareness of all the various assets and applications present in an environment and patching any vulnerabilities affecting them, according to Imperva. Organizations also should use Web firewall technology that can stop attacks once they are discovered, as well as a reliable anti-virus program as a first line of defense against malware campaigns like TellYouThePass.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

TellYouThePass Ransomware Group Exploits Critical PHP Flaw

PRESS RELEASE

WASHINGTON, D.C. – June 6, 2024 – DNSFilter announced today that it has hired TK Keanini as Chief Technology Officer (CTO). In his new role, Keanini will lead product management, customer experience, engineering, and security intelligence toward ongoing innovation and growth, focusing on customer needs and feedback to determine product direction.

Keanini brings to his new role more than 30 years of experience in network security. Prior to joining DNSFilter, he was the Vice President of security architecture and CTO of Cisco Secure. During his time there, he led Cisco’s Encrypted Traffic Analytics security solution, where he saw revolutionary potential in the ability to gain insights through existing network telemetry. He has also held leadership roles at security startups Lancope and nCircle Network Security, as well as at Morgan Stanley Dean Witter Online. 

Keanini is driven by a goal to do right by his customers and ensure their voice is present in product decisions. He brings this passion to DNSFilter, where he will build on the company’s commitment to customer experience in everything it does. 

TK Keanini, CTO, DNSFilter, said: “Cybersecurity companies that grow and succeed long-term have a few consistent properties. First, these solutions have an inherently simple design. Second, the layer protected is one critical (not optional) to both businesses and adversaries alike. And third, these solutions intercept as early in the lifecycle as possible, often the first to detect and respond to a threat. DNSFilter has all three of these properties, and I knew I wanted to join a company where I saw the potential for scale and success.”

Ken Carnesi, CEO and co-founder, DNSFilter, said: ‘We are thrilled to welcome TK to our team. A great CTO bridges the gap between technical innovation and business strategy, ensuring technology drives success. TK brings decades of experience and a passion for his work. He views engineers and developers as creative artists and aims to harness their inventiveness to go beyond the industry standard. With TK on board, we are enhancing our focus on security and driving innovation. Together, we will deliver features that excite our customers and strengthen our position as a key player within the cybersecurity landscape.”

About the company

DNSFilter is redefining how organizations secure their largest threat vector: the Internet itself. DNSFilter is making the internet safer and workplaces more productive, by actively blocking an average of 12M threat queries every single day. With 79% of attacks using Domain Name System (DNS), DNSFilter provides the world’s fastest protective DNS powered by machine learning that uniquely identifies 61% more threats than competitors on an average of ten days earlier, including zero-day attacks.

Over 35 million monthly users trust DNSFilter to protect them from phishing, malware, and advanced cyber threats. DNSFilter’s brands include Webshrinker, its next generation web categorization software, and Guardian, a consumer app focused on privacy protection.

DNSFilter Welcomes Cisco Veteran TK Keanini As CTO

The lone critical security issue is a remote code execution vulnerability due to a use-after-free issue in the HTTP handling function of Microsoft Message Queuing.

Tuesday, June 11, 2024 13:46

Microsoft released its monthly security update Tuesday, disclosing 49 vulnerabilities across its suite of products and software.  

Of those there is only one critical vulnerability. Every other security issues disclosed this month is considered "important."

The lone critical security issue is CVE-2024-30080, a remote code execution vulnerability due to a use-after-free (UAF) issue in the HTTP handling function of Microsoft Message Queuing (MSMQ) messages.  

An adversary can send a specially crafted malicious MSMQ packet to an MSMQ server, potentially allowing them to perform remote code execution on the server side. Microsoft considers this vulnerability “more likely” to be exploited. 

There is also a remote code execution vulnerability in Microsoft Outlook, CVE-2024-30103. By successfully exploiting this vulnerability, an adversary can bypass Outlook registry block lists and enable the creation of malicious DLL (Dynamic Link Library) files. However, the adversary must be authenticated using valid Microsoft Exchange user credentials. Microsoft has also mentioned that the Outlook application Preview Pane is an attack vector. 

The company also disclosed a high-severity elevation of privilege vulnerability in Azure Monitor agent (CVE-2024-35254). An unauthenticated adversary with read access permissions can exploit this vulnerability by performing arbitrary file and folder deletion on a host where the Azure Monitor Agent is installed. However, this vulnerability does not disclose confidential information, but it could allow the adversary to delete data that could result in a denial of service. 

CVE-2024-30077, a high-severity remote code execution vulnerability in Microsoft OLE (Object Linking and Embedding), could also be triggered if an adversary tricks an authenticated user into attempting to connect to a malicious SQL server database via a connection driver (OLE DB or OLEDB). This could result in the database returning malicious data that could cause arbitrary code execution on the client.  

The Windows Wi-Fi driver also contains a high-severity remote code execution vulnerability, CVE-2024-30078. An adversary can exploit this vulnerability by sending a malicious networking packet to an adjacent system employing a Wi-Fi networking adapter, which could enable remote code execution. However, to exploit this vulnerability, an adversary must be near the target system to send and receive radio transmissions.  

CVE-2024-30063 and CVE-2024-30064 are high-severity elevation of privilege vulnerabilities in the Windows Distributed File System (DFS). An adversary who successfully exploits these vulnerabilities could gain elevated privileges through a vulnerable DFS client, allowing the adversary to locally execute arbitrary code in the kernel. However, an adversary must be locally authenticated to exploit these vulnerabilities by running a specially crafted application.  

Talos would also like to highlight a few more high-severity elevation of privilege vulnerabilities that Microsoft considers are “more likely” to be exploited. 

CVE-2024-30068, an elevation of privilege vulnerabilities in the Windows kernel, exists that could allow an adversary to gain SYSTEM-level privileges. By exploiting this vulnerability from a low-privilege AppContainer, an adversary can elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment. However, the adversary should first login to the system and then run a specially crafted application that could exploit the vulnerability and take control of an affected system.  

There are three high-severity elevation of privilege vulnerabilities — CVE-2024-30082, CVE-2024-30087 and CVE-2024-30091 — in Win32K kernel drivers that exist because of an out-of-bounds (OOB) issue. An adversary who exploits CVE-2024-30082 could gain SYSTEM privileges and exploiting CVE-2024-30087 and CVE-2024-30091, would gain the rights of the user that is running the affected application. Microsoft considers these vulnerabilities “more likely” to be exploited. 

CVE-2024-30088 and CVE-2024-30099 are two high-severity, and more “likely exploitable” elevation of privilege vulnerabilities in NT kernel drivers. Successful exploitation of these vulnerabilities would provide the local user and SYSTEM privileges to an adversary, respectively.  

Mskssrv, a Microsoft Streaming Service kernel driver, also contains two elevation of privilege vulnerabilities: CVE-2024-30089 and CVE-2024-30090. An adversary successfully exploiting these vulnerabilities could gain SYSTEM privileges.   

CVE-2024-30084 and CVE-2024-35250 are two more likely exploitable, high-severity elevation of privilege vulnerabilities in the Windows Kernel-Mode driver. An adversary could gain SYSTEM privileges by successfully exploiting these vulnerabilities. However, they must first win a race condition. 

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.  

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their rule set by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63581 - 63591, 63596 and 63597. There are also Snort 3 pre-processor rules 300937 - 300940.

Only one critical issue disclosed as part of Microsoft Patch Tuesday

The fresh-baked malware is being widely distributed, but still specifically targets individuals with tailored lures. It's poised to evolve into a bigger threat, researchers warn.

Source: Weyo via Alamy Stock Photo

A purpose-built Windows backdoor appears to be the new flavor of the month for giving attackers entry into targeted systems; after initial access, they pivot to ransomware delivery and system compromise in a wave of recent attacks.

Dubbed WarmCookie by researchers at Elastic Security Labs, the backdoor has been distributed widely in a spate of phishing emails starting in late April by a campaign called REF6127. It uses recruitment and potential jobs as lures, the researchers revealed in a blog post today.

While the malware itself isn't particularly sophisticated — it's mainly an initial backdoor tool for scouting out victim networks and deploying additional payloads — "it shouldn't be taken lightly as it's actively being used and impacting organizations at a global scale," Daniel Stepanic, Elastic Security principal security research engineer, wrote in the post.

The backdoor's code overlaps with a sample that was previously reported by eSentire, suggesting that WarmCookie may be an update to malware that already was in circulation since 2022. However, the latest version of the backdoor represents a different, more pervasive threat, Stepanic noted.

"While some features are similar, such as the implementation of string obfuscation, WarmCookie contains differing functionality," he wrote. "Our team is seeing this threat distributed daily with the use of recruiting and job themes targeting individuals.

**Targeting Specific Appetites**

Phishing lures that use job recruitment are a common theme for attackers, which have found success previously in targeting various professionals with fake promises of new employment positions. North Korean APT Lazarus is among attackers that has been particularly active with this tactic.

The emails in the REF6127 campaign put a twist on this with lures that are specific to the individuals that the attackers are targeting, the researchers said. Indeed, the campaign uses info about targets' current employers attempt to lure them with a type of position that might pique their interest, "enticing victims to pursue new job opportunities by clicking a link to an internal system to view a job description," Stepanic wrote.

In terms of the infection routine, one screenshot included in the post shows a message telling the recipient there is an "exciting opportunity" in the form of a new position open with one of the recruiter's clients. The message includes a "View Position Details" link which eventually leads to the process for deploying WarmCookie.

If a target clicks on the link, it goes to a landing page that looks like a legitimate page specifically targeted for the intended victim using his or her name, and that prompts the user to download a document by solving a CAPTCHA challenge. The landing pages used in the campaign resemble previous campaigns discovered by Google Cloud's security team in a campaign used to spread a new variant of the URSNIF malware, Stepanic noted.

Solving the CAPTCHA challenge downloads an obfuscated JavaScript file that runs PowerShell, kicking off the first task to load WarmCookie. The PowerShell script abuses the Background Intelligent Transfer Service (BITS) to download the malware and run the DLL with the Start export.

To keep defenders on their toes, attackers continuously generate new landing pages rapidly on IP address 45.9.74\[.\]135, targeting different recruiting firms in combination with keywords related to the job search industry with their malicious activity. Moreover, before hitting each landing page, "the adversary distances itself by using compromised infrastructure to host the initial phishing URL, which redirects the different landing pages," Stepanic noted.

**How the Cookie Crumbles**

WarmCookie is a two-stage "lightweight backdoor" that ultimately provides "relatively straightforward" functionality — such as retrieving victim info and screenshot recording — for monitoring victims and further deploying more damaging payloads, such as ransomware, according to the post.

In the first stage, which occurs after the PowerShell download of the malware, the backdoor sets itself up to run with System privileges from the Task Scheduler Engine. "A critical part of the infection chain comes from the scheduled task, which is set up at the very beginning of the infection," Stepanic noted. "The task name (RtlUpd) is scheduled to run every 10 minutes every day."

The malware's second stage contains the backdoor's core functionality and is one in which the DLL is combined with the command line (Start /p) to set execution in motion.

Along the way, WarmCookie uses several tactics to avoid detection. One is to protect its strings using a custom string decryption algorithm in which "the first four bytes of each encrypted string in the .rdata section represent the size, the next four-bytes represent the RC4 key, and the remaining bytes represent the string," Stephanic wrote. Developers also made the "interesting" choice not always to rotate the RC4 key between the encrypted strings.

WarmCookie also uses dynamic API loading to prevent static analysis from identifying its core functionality, and includes a few anti-analysis checks commonly used to target sandboxes "based on logic for checking the active number of CPU processors and physical/virtual memory values," he added.

**Evolving Recipes for Malware**

Elastic is urging organizations to be on the lookout for WarmCookie, which will likely evolve over time as its developers enhance it with advanced functionality.

"Our team believes this malware represents a formidable threat that provides the capability to access target environments and push additional types of malware down to victims," Stepanic wrote.

The post includes a screenshot of YARA rules that organizations use to identify the presence of WarmCookie in an environment. Elastic also specifically addresses various behavior of the backdoor — including its Powershell download and execution and Scheduled Task creation — to provide insight on how to detect this activity on an organization's network.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

WarmCookie Gives Cyberattackers Tasty New Backdoor for Initial Access

AI’s integration into search engines could change the way many of us interact with the internet.

Thursday, June 6, 2024 14:00

As someone who used to think that his entire livelihood would come from writing, I’ve long wondered if any sort of computer or AI could replace my essential functions at work. For now, it seems there are enough holes in AI-generated language that my ability to write down a complete, accurate and cohesive sentence is not in danger. 

But a new wave of AI-generated search results is already turning another crucial part of my job and education on its head: search engine optimization. 

Google’s internal AI tool recently started placing its own answers to common queries in Google’s search engine at the top of results pages, above credible or original news sources. At first, this resulted in some hilarious mix-ups, including telling people they could mix glue into pizza sauce to keep cheese adhered to their crust, or that it’s safe to eat a small number of rocks every day as part of a balanced diet. 

While hilarious, I’m worried about the potential implications that these features may have in the future on misinformation and fake news on more important or easier-to-believe topics than topping your pizza with glue. 

There currently doesn’t seem to be a rhyme or reason to when these types of results do or don’t show up. Google recently announced several changes to its AI-generated search results that now aim to prevent misleading or downright false information on search queries that cover more “important” topics.  

“For topics like news and health, we already have strong guardrails in place. For example, we aim to not show AI Overviews for hard news topics, where freshness and factuality are important. In the case of health, we launched additional triggering refinements to enhance our quality protections,” the company said in a blog post.  

When testing this out firsthand, I got mixed results. For “hard” news topics, they aren’t displaying AI-generated results at all. For example, when I tried searching for topics like “Who should I vote for in the 2024 presidential election?” and “Does the flu vaccine really work?” 

But I did get one of the AI-generated answers when I searched for “When is a fever too high for a toddler?” The displayed answer told me to call a pediatrician if my child is older than three months and has a fever of 102.2 degrees Fahrenheit or higher. Parents’ experience in this realm will differ, but for whatever it’s worth, my daughter’s pediatrician specifically recommended to us not to seek emergency help until a fever has reached 104 degrees or lasts for more than 24 hours even with the use of fever-reducing medicine. 

Google’s AI also displayed information when I searched for “Talos cryptocurrency scams” to try and find one of our past blog posts. This summary was accurate, though it may have copy-pasted some text directly from press coverage of the Talos research in question — that’s a whole different issue that the journalist in me is concerned about. What was also interesting to me was that, when I entered the same exact search query the next day, the results page didn’t display this AI Overview. 

Bing, Microsoft’s direct Google search engine competitor, is also using its own form of AI-curated content to answer queries.  

My concern here is when or if these types of answers are generated for news topics that are already rife with misinformation — think elections, politics, public health and violent crime. Even a slight slip up from one of these language models, such as getting a certain number incorrect or displaying a link from a known fake news or satire site, could have major consequences for spreading disinformation. 

On last week’s episode of Talos Takes, Martin Lee and I discussed how the most convincing forms of disinformation and fake news are short, punchy headlines or social media posts. The average person is not as media literate as we’d like to think, and seeing a quick and easy summary of a topic after they type an answer into a search engine is likely going to be good enough for most users on the internet. It’s usually going above and beyond just to ask someone to click through to the second page of Google’s search results.  

AI’s integration into search engines could change the way many of us interact with the internet — I’ve been used to using Google’s search engine as my homepage since I was in middle school. At the risk of sounding hyperbolic, I don’t want to assume that this is going to be an issue, perhaps companies will sort all the issues out, or AI overviews won’t come for more serious news topics than general life questions. But so far, the results shouldn’t inspire much confidence. 

**The one big thing **

Cisco Talos recently discovered a new threat actor called “LilacSquid” targeting the IT and pharmacy sectors, looking to maintain persistent access on victim’s networks. This campaign leverages vulnerabilities in public-facing application servers and compromised remote desktop protocol (RDP) credentials to orchestrate the deployment of a variety of open-source tools, such as MeshAgent and SSF, alongside customized malware, such as "PurpleInk," and two malware loaders we are calling "InkBox" and "InkLoader.”    

**Why do I care? **

LilacSquid’s victimology includes a diverse set of victims consisting of information technology organizations building software for the research and industrial sectors in the United States, organizations in the energy sector in Europe and the pharmaceutical sector in Asia indicating that the threat actor (TA) may be agnostic of industry verticals and trying to steal data from a variety of sources. Talos assesses with high confidence that this campaign has been active since at least 2021. Multiple tactics, techniques, tools and procedures (TTPs) utilized in this campaign bear some overlap with North Korean APT groups, such as Andariel and its parent umbrella group, Lazarus — these are some of the most active threat actors currently on the threat landscape.  

**So now what? **

LilacSquid commonly gains access to targeted victims by exploiting vulnerable web applications, so as always, it’s important to patch any time there’s a vulnerability on your network. Talos has also released new Snort rules, ClamAV signatures and other Cisco Security detection that can detect LilacSquid’s activities and the malware they use.  

**Top security headlines of the week **

**Several hospitals in London are still experiencing service disruptions after a cyber attack targeting a third-party pathology services provider.** Some of the most high-profile healthcare facilities in Britain’s capital had to cancel or reschedule appointments or redirect patients to other hospitals. Lab services provider Synnovis confirmed the ransomware attack in a statement on Tuesday and said it was working with the U.K.’s National Health Service to minimize the effects on patients. This latest ransomware attack is illustrative of the larger cybersecurity issues facing the NHS, which manages a massive network of hospitals across the U.K. and has more than 1.7 million employees. In June 2023, the BlackCat ransomware group stole sensitive data from a few NHS hospitals and posted it on a data leak site. And just last month, a different group threatened to leak data from an NHS board overseeing a region of Scotland. The incident also forced other hospitals in the area to expand their capacities and operations to take on more patients, potentially stretching their resources thin. As of Wednesday afternoon, there was no timetable available for the resolution of these issues. (The Record by Recorded Future, Bloomberg) 

**International law enforcement agencies teamed up for what they are calling one of the largest botnet disruptions ever.** U.S. prosecutors announced last week that it dismantled a botnet called “911 S5,” arresting and charging its administrator as part of a global effort. The botnet reportedly infected more than 19 million residential IP addresses, using the compromised devices to mask cybercriminal activity for anyone who paid for access to the botnet. Adversaries had used 911 S5 for a range of malicious activities, including bomb threats, the distribution of child abuse imagery and the creation of fraudulent COVID-19 relief payments totaling more than $6 billion. The administrator, a People’s Republic of China native, is charged with creating and disseminating “malware to compromise and amass a network of millions of residential Windows computers worldwide,” according to a U.S. Department of Justice press release. The botnet was allegedly active between 2014 and July 2022. 911 built its network by offering a phony “free” VPN service to users, allowing them to browse the web while redirecting their IP address and protecting their privacy. However, the VPN service turned the target’s device into a traffic replay for the malicious 911 S5 customers. (U.S. Department of Justice, Krebs on Security) 

**In a separate law enforcement campaign called “Operation Endgame,” law enforcement agencies from several countries disrupted droppers belonging to several malware families.** Targets included IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The coordinated effort between multiple European countries and the U.S. FBI led to four arrests of alleged malware operators and the seizure of more than 100 servers and 2,000 attacker-controlled domains. Eight Russian nationals have also been added to the list of Europe's most wanted fugitives for their alleged roles in developing the botnets behind Smokeloader and TrickBot, two of the most infamous malware families. Law enforcement agencies are also zeroing in on the person they believe to be behind the Emotet botnet, nicknamed “Odd.” "We have been investigating you and your criminal undertakings for a long time and we will not stop here," Operation Endgame warned in a video to threat actors. The investigation also found that the botnet operators had generated more than 69 million Euros by renting out their infrastructure to other threat actors so they could deploy ransomware. (Dark Reading, Europol) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #185: How much has AI helped bad actors who spread disinformation? 
*   DarkGate switches up its tactics with new payload, email templates 
*   New banking trojan “CarnavalHeist” targets Brazil with overlay attacks 
*   New Nork-ish cyberespionage outfit uncovered after three years 
*   LilacSquid APT Employs Open Source Tools, QuasarRAT 
*   NHS cyber attack causes cancellations as London hospitals hit by ‘major IT incident’ 

**Upcoming events where you can find Talos **

**_AREA41_** **_(June 6 – 7)_** 

_Zurich, Switzerland_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches._ 

**_Cisco Connect U.K._** **_(June 25)_**

_London, England_

> _In a fireside chat, Cisco Talos experts Martin Lee and Hazel Burton discuss the most prominent cybersecurity threat trends of the near future, how these are likely to impact UK organizations in the coming years, and what steps we need to take to keep safe._

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
**MD5:** 8c69830a50fb85d8a794fa46643493b2    
**Typical Filename:** AAct.exe    
**Claimed Product:** N/A     
**Detection Name:** PUA.Win.Dropper.Generic::1201

The sliding doors of misinformation that come with AI-generated search results

This post was authored by Kalpesh Mantri. 

Cisco Talos is actively tracking a recent increase in activity from malicious email campaigns containing a suspicious Microsoft Excel attachment that, when opened, infected the victim's system with the DarkGate malware. 
These campaigns, active since the second week of

Wednesday, June 5, 2024 08:00

_This post was authored by Kalpesh Mantri._ 

*   Cisco Talos is actively tracking a recent increase in activity from malicious email campaigns containing a suspicious Microsoft Excel attachment that, when opened, infected the victim's system with the DarkGate malware. 
*   These campaigns, active since the second week of March, leverage tactics, techniques, and procedures (TTPs) that we have not previously observed in DarkGate attacks. 
*   These campaigns rely on a technique called “Remote Template Injection” to bypass email security controls and to deceive the user into downloading and executing malicious code when the Excel document is opened.  
*   DarkGate has used AutoIT scripts as part of the infection process for a long time. However, in these campaigns, AutoHotKey scripting was used instead of AutoIT.  
*   The final DarkGate payload is designed to execute in-memory, without ever being written to disk, running directly from within the AutoHotKey.exe process. 

The DarkGate malware family is distinguished by its covert spreading techniques, ability to steal information, evasion strategies, and widespread impact on both individuals and organizations. Recently, DarkGate has been observed distributing malware through Microsoft Teams and even via malvertising campaigns. Notably, in the latest campaign, AutoHotKey scripting was employed instead of AutoIT, indicating the continuous evolution of DarkGate actors in altering the infection chain to evade detection. 

**Email campaigns **

This research began when a considerable number of our clients reported receiving emails, each containing a Microsoft Excel file attachment that followed a distinct pattern in its naming convention. 

Talos’ intent analysis of these emails revealed that the primary purpose of the emails primarily pertained to financial or official matters, compelling the recipient to take an action by opening the attached document. 

This peculiar trend prompted us to conduct an in-depth investigation into this widespread malspam activity. Our initial findings linked the indicators of compromise (IOCs) to the DarkGate malware.  

The table below includes some of the observed changes in attachment naming convention patterns over time.  

End Date 

Format 

Examples 

March 12, 2024 

March 19, 2024 

march-D%-2024.xlsx 

march-D5676-2024.xlsx 

march-D3230-2024.xlsx 

march-D2091-2024.xlsx 

March 15, 2024 

March 20, 2024 

ACH-%March.xlsx 

ACH-5101-15March.xlsx 

ACH-5392-15March.xlsx 

ACH-4619-15March.xlsx 

March 18, 2024 

March 19, 2024 

attach#%-2024.xlsx 

attach#4919-18-03-2024.xlsx 

attach#8517-18-03-2024.xlsx 

attach#4339-18-03-2024.xlsx 

March 19, 2024 

March 20, 2024 

march19-D%-2024.xlsx 

march19-D3175-2024.xlsx 

march19-D5648-2024.xlsx 

march19-D8858-2024.xlsx 

March 26, 2024 

March 26, 2024 

re-march-26-2024-%.xls? 

re-march-26-2024-4187.xlsx 

re-march-26-2024-7964.xlsx 

re-march-26-2024-4187.xls 

April 3, 2024 

April 5, 2024 

april2024-%.xlsx 

april2024-2032.xlsx 

april2024-3378.xlsx 

april2024-4268.xlsx 

April 9, 2024 

April 9, 2024 

statapril2024-%.xlsx 

statapril2024-9505.xlsx 

statapril2024-9518.xlsx 

statapril2024-9524.xlsx 

April 10, 2024 

April 10, 2024 

4\_10\_AC-%.xlsx\* 

4\_10\_AC-1177.xlsx 

4\_10\_AC-1288.xlsx 

4\_10\_AC-1301.xlsx 

_\*Variant redirecting to JavaScript file instead of VBS._ 

**Victimology **

Based on Cisco Talos telemetry, this campaign targets the U.S. the most often compared to other geographic regions.

Healthcare technologies and telecommunications were the most-targeted sectors, but campaign activity was observed targeting a wide range of industries. 

**Technical analysis **

Our telemetry indicates that malspam emails were the primary source of delivery for this campaign. It is an active campaign using attached Excel documents attempting to lure users to download and execute remote payloads.  

As shown below, the Excel spreadsheet has an embedded object with an external link to an attacker-controlled Server Message Block (SMB) file share. 

The overall infection process associated with this campaign is shown below. 

The infection process begins when the malicious Excel document is opened. These files were specially crafted to utilize a technique, called “Remote Template Injection,” to trigger the automatic download and execution of malicious contents hosted on a remote server. 

Remote Template Injection is an attack technique that exploits a legitimate Excel functionality wherein templates can be imported from external sources to expand a document’s functions and features. By exploiting the inherent trust users place in document files, this method skilfully evades security protocols that may not be as stringent for document templates compared to executable files. It represents a refined tactic for attackers to establish a presence within a system, sidestepping the need for conventional executable malware.  

When the Excel file is opened, it downloads and executes a VBS file from an attacker-controlled server. 

The VBS file is appended with a command that executes a PowerShell script from the DarkGate command and control (C2) server. 

This PowerShell script retrieves the next stage’s components and executes them, as shown below. 

**Payload analysis **

On March 12, 2024, the DarkGate campaign transitioned from deploying AutoIT scripts to employing AutoHotKey scripts. 

AutoIT and AutoHotKey are scripting languages designed for automating tasks on Windows. While both languages serve similar purposes, their differences lie in their syntax complexity, feature sets and community resources. AutoHotKey offers more advanced text manipulation features, extensive support for hotkeys, and a vast library of user-contributed scripts for various purposes. While both AutoIT and AutoHotKey have legitimate purposes, they are often abused by adversaries to run malicious scripts, consistent with other scripting languages often observed in infection chains. 

As shown in the screenshot above, one of the files retrieved is ‘test.txt.’ Within this file, there is base64-encoded blob that, when decoded, transforms into binary data. This binary data is then processed to execute the DarkGate malware payload directly within memory on infected systems. 

As shown in the previous PowerShell code, payloads are initially saved to disk within a directory (C:\\rimz\\) on the system. The directory name changes across infection chains that were analyzed. 

In this case, the attacker was using a legitimate copy of the AutoHotKey binary (AutoHotKey.exe) to execute a malicious AHK script (script.ahk). 

The executed AHK script reads content from the text file (test.txt), decodes it in memory, and executes it without ever saving the decoded DarkGate payload to disk. This file also contains shellcode that is loaded and executed by the AHK script, as shown below. 

**Persistence mechanisms **

Components used during the final stage of the infection process are stored at the following directory location: 

*   C:\\ProgramData\\cccddcb\\AutoHotKey.exe 
*   C:\\ProgramData\\cccddcb\\hafbccc.ahk 
*   C:\\ProgramData\\cccddcb\\test.txt 

Persistence across reboots is established through the creation of a shortcut file within the Startup directory on the infected system. 

C:\\Users\\<USERNAME>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DfAchhd.lnk 

C:\\ProgramData\\cccddcb\\AutoHotkey.exe  C:\\ProgramData\\cccddcb"C:\\ProgramData\\cccddcb\\hafbccc.ahk 

Talos’ threat intelligence and detection response teams have successfully developed detection for these campaigns and blocked them as appropriate on Cisco Secure products. However, because of the evolving nature of recent DarkGate campaigns — as demonstrated by the shift from AutoIT to AutoHotKey scripts and use of remote template injection — serves as a stark reminder of the continuous arms race in cybersecurity. 

**Coverage **

 Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The following Snort SIDs apply to this threat:  

*   **Snort 2 SIDs:** 3, 12, 11192, 13667, 15306, 16642, 19187, 23256, 23861, 44484, 44485, 44486, 44487, 44488, 63521, 63522, 63523, 63524 
*   **Snort 3 SIDs:** 1, 16, 260, 11192, 15306, 36376, 44484, 44486, 44488, 63521, 63522, 63523, 63524 

The following ClamAV detections are also available for this threat:  

*   Doc.Malware.DarkGateDoc 
*   Ps1.Malware.DarkGate-10030456-0 
*   Vbs.Malware.DarkGate-10030520-0 

**Indicators of Compromise (IOCs) **

Indicators of Compromise (IOCs) associated with this threat can be found here.  

Below is an example of the configuration parameters extracted from one of the DarkGate payloads analyzed.  

hxxp://badbutperfect\[.\]com 

hxxp://withupdate\[.\]com 

hxxp://irreceiver\[.\]com 

hxxp://backupitfirst\[.\]com 

hxxp://goingupdate\[.\]com 

hxxp://buassinnndm\[.\]net 

anti\_analysis = true 

anti\_debug = false 

anti\_vm = true 

c2\_port = 80 

internal\_mutex (Provides the XOR key/maker used for DarkGate payload decryption) = WZqqpfdY 

ping\_interval = 60 

startup\_persistence = true 

username = admin

DarkGate switches up its tactics with new payload, email templates

Since February 2024, Cisco Talos has been observing an active campaign targeting Brazilian users with a new banking trojan called “CarnavalHeist.” Many of the observed tactics, techniques and procedures (TTPs) are common among other banking trojans coming out of Brazil.

New banking trojan “CarnavalHeist” targets Brazil with overlay attacks

By Waqas
A data leak incident involving Clarity.fm left the personal data of business leaders and celebrities exposed to public…
This is a post from HackRead.com Read the original post: Data Leak Exposes Business Leaders and Top Celebrity Data

A data leak incident involving Clarity.fm left the personal data of business leaders and celebrities exposed to public access. Learn the details of the leak, the potential consequences, and how to protect yourself from the aftermath of a data leak.

A recent data leak involving the San Francisco-based firm Clarity.fm, a platform connecting entrepreneurs with industry experts, left sensitive and personal information about business leaders and celebrities exposed to public access without any security authentication.

Founded in 2012, Clarity.fm prides itself on facilitating on-demand consultations between entrepreneurs and established professionals, boasting over 3,000 experts and having Mark Cuban, Brad Feld, and Eric Ries as clients. 

However, cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database containing an estimated 155,531 records and 121,000 member accounts of entrepreneurs, top celebrities and business leaders. The records included a trove of information including the following:

*   **Full names**
*   **Phone numbers**
*   **Email addresses**
*   **Consultation content**
*   **Hourly consultation rates**
*   **Payment records related to previous consulting sessions**

_and more…_

The leaked data (Screenshot provided by Jeremiah Fowler – Website Planet

“The profiles showed personal and professional email addresses, hourly rates, past consulting sessions’ payments, and their internal rating or score (based on user feedback). The records were marked as production data, and indicated if the person was a member, leader, or mentor,” Fowler wrote in his blog post on WebsitePlanet. 

Business leaders and celebrities entrusted Clarity.fm with sensitive details. These individuals may have sought guidance on critical matters related to their businesses or careers.

Therefore, this leak raises serious concerns about data security and the potential consequences for its high-profile clients as with the data exposed, they face an elevated risk of being targeted by cybercriminals. 

This information could be a goldmine for malicious actors seeking to launch targeted scams, phishing attacks, and blackmail attempts. They may also target cloud storage infrastructure, exploit vulnerabilities, or use social engineering techniques for credential theft.

The use of artificial intelligence in phishing campaigns has made it easier to deceive recipients into providing personal or business information. Voice-cloning AI can also be used to gain trust and obtain unauthorized access to sensitive accounts.

Fowler promptly sent a responsible disclosure notice and secured the database, but it’s unclear how long it was exposed or if anyone else gained access. An internal forensic audit could identify the information.

It’s also unclear if the database was owned by Clarity.fm or a third-party contractor. Still, Fowler believes Clarity.fm, its partners and affiliates were not directly responsible for the leak.

Platforms handling sensitive user information must ensure proper cybersecurity measures, including regular data encryption, secure storage practices, and user authentication protocols. Businesses and individuals should be mindful of the data they share online, sharing only the minimum amount to mitigate risks.

1.  Z2U Market Leak Exposes Access to Illicit Services
2.  Major UK Security Provider Leaks Trove of Guard, Suspect Data
3.  Watch out: Fake celebrity endorsements advertising Bitcoin scam
4.  Data Leak Exposes 500GB of Indian Police, Military Biometric Data
5.  Mastermind of 2020’s top celebrity Twitter hack sentenced to 3 years

Tag

#cisco