Founders Fund leads $100 million Series-C financing, gaining the email security startup unicorn status two years after its launch.

Redwood City, Calif., May 11, 2022 – Material Security, a company that can protect email accounts even after they have been compromised, today announced it has secured $100 million in Series-C funding at a valuation of $1.1 billion. The round is led by Founders Fund, with participation from previous backers Andreesen Horowitz, Silicon Valley solo capitalist Elad Gil and other high-profile individual tech investors, gaining the company unicorn status just two years after the official launch of its product suite. Material Security is also announcing new referenceable customers including Chubb, Compass, Roblox and Brex, to add to leading brands like Lyft, Mars, Databricks and DoorDash.

Founded by former Dropbox technologists in the wake of the 2016 Election Hack, Material Security is a pioneer of using “zero trust” security techniques to protect email. Its patented security technology is trusted by government agencies, media and manufacturing conglomerates, leading financial institutions, the most targeted companies in Silicon Valley, and high-profile personalities including billionaires and celebrities.

“The fundamental idea behind ‘zero trust’ is that it assumes a bad actor is going to find a way past the perimeter into your systems. But historically, email security has just focused on blocking suspicious messages,” said Ryan Noon, co-founder and CEO of Material Security. “Whether it’s a large global organization like News Corp. or a local health care provider, we are still seeing an overwhelming number of email and data security breaches occur on a regular basis. At Material, we begin with the assumption that a hacker is already in your email and limit the damage they can do.”

Material’s Leak Prevention feature, for example, automatically redacts sensitive content in email, keeping it safe in the event of a breach. Users can still access original messages via identity-protection apps that their company already uses. “Not all emails are created equal,” said Abhishek Agrawal, co-founder and CTO of Material Security. "Some messages are so critical that they deserve an extra layer of verification. But the way email works today is that it treats every message identically."

Bringing Material Security’s total investment to $166 million since its founding, this latest round of funding will be used to scale the company’s sales and marketing teams, extend the product into new areas (including a larger footprint in government) and expand internationally.

“As the U.S. government doubles down on ‘zero trust’ and organizations are increasingly vulnerable to cyber threats given geopolitical crises, Material Security is poised to minimize the risks associated with email hacks,” said Trae Stephens, partner at Founders Fund. “We are excited to partner with this innovative team at such a critical point in their growth trajectory.”

###

**About Material Security**

Material Security is taking a fresh approach to solving one of the most fundamental problems in security: protecting the data sitting in email. Material Security protects accounts even after they're compromised or harmful messages get through. It is entirely cloud-based, deploys in 30 minutes, and can be exclusively managed by the customer. Material Security was founded in 2017 and is headquartered in Redwood City. For more information visit www.material.security.

**About Founders Fund**

Founders Fund invests in the world’s most important and valuable companies across all geographies, sectors and stages. The firm’s partners have been founders and early funders of companies including PayPal, SpaceX, Palantir, Anduril, Airbnb, Stripe and Facebook. Founders Fund pursues a founder-friendly investment strategy, providing maximum support with minimum interference. More information is available at www.foundersfund.com.

Material Security Reaches $1.1 Billion Valuation for ‘Zero Trust’ Security on Microsoft and Google Email

Europe’s proposed child protection laws could undermine end-to-end encryption for billions of people.

All of your WhatsApp photos, iMessage texts, and Snapchat videos could be scanned to check for child sexual abuse images and videos under newly proposed European rules. The plans, experts warn, may undermine the end-to-end encryption that protects billions of messages sent every day and hamper people’s online privacy.

The European Commission today revealed long-awaited proposals aimed at tackling the huge volumes of child sexual abuse material, also known as CSAM, uploaded to the web each year. The proposed law creates a new EU Centre to deal with child abuse content and introduces obligations for tech companies to “detect, report, block and remove” CSAM from their platforms. The law, announced by Europe’s commissioner for home affairs, Ylva Johansson, says tech companies have failed to voluntarily remove abuse content, and it has been welcomed by child protection and safety groups.

Under the plans, tech companies—ranging from web hosting services to messaging platforms—can be ordered to “detect” both new and previously discovered CSAM, as well as potential instances of “grooming.” The detection could take place in chat messages, files uploaded to online services, or on websites that host abusive material. The plans echo an effort by Apple last year to scan photos on people’s iPhones for abusive content before it was uploaded to iCloud. Apple paused its efforts after a widespread backlash.

If passed, the European legislation would require tech companies to conduct risk assessments for their services to assess the levels of CSAM on their platforms and their existing prevention measures. If necessary, regulators or courts may then issue “detection orders” that say tech companies must start “installing and operating technologies” to detect CSAM. These detection orders would be issued for specific periods of time. The draft legislation doesn’t specify what technologies must be installed or how they will operate—these will be vetted by the new EU Centre—but says they should be used even when end-to-end encryption is in place.

The European proposal to scan people’s messages has been met with frustration from civil rights groups and security experts, who say it’s likely to undermine the end-to-end encryption that’s become the default on messaging apps such as iMessage, WhatsApp, and Signal. “Incredibly disappointing to see a proposed EU regulation on the internet fail to protect end-to-end encryption,” WhatsApp head Will Cathcart tweeted. “This proposal would force companies to scan every person's messages and put EU citizens' privacy and security at serious risk.” Any system that weakens end-to-end encryption could be abused or expanded to look for other types of content, researchers say.

“You either have E2EE or you don’t,” says Alan Woodward, a cybersecurity professor from the University of Surrey. End-to-end encryption protects people’s privacy and security by ensuring that only the sender and receiver of messages can see their content. For example, Meta, the owner of WhatsApp, doesn’t have any way to read your messages or mine their contents for data. The EU’s draft regulation says solutions shouldn’t weaken encryption and says it includes safeguards to ensure this doesn’t happen; however, it doesn’t give specifics for how this would work.

“That being so, there is only one logical solution: client-side scanning where the content is examined when it is decrypted on the user's device for them to view/read,” Woodward says. Last year, Apple announced it would introduce client-side scanning—scanning done on people’s iPhones rather than Apple’s servers—to check photos for known CSAM being uploaded to iCloud. The move sparked protests from civil rights groups and even Edward Snowden about the potential for surveillance, leading Apple to pause its plans a month after initially announcing them. (Apple declined to comment for this story.)

For tech companies, detecting CSAM on their platforms and scanning some communications is not new. Companies operating in the United States are required to report any CSAM they find or that is reported to them by users to the National Center for Missing and Exploited Children (NCMEC), a US-based nonprofit. More than 29 million reports, containing 39 million images and 44 million videos, were made to NCMEC last year alone. Under the new EU rules, the EU Centre will receive CSAM reports from tech companies.

“A lot of companies are not doing the detection today,” Johansson said in a press conference introducing the legislation. “This is not a proposal on encryption, this is a proposal on child sexual abuse material,” Johansson said, adding that the law is “not about reading communication” but detecting illegal abuse content.

At the moment, tech companies find CSAM online in different ways. And the amount of CSAM found is increasing as tech companies get better at detecting and reporting abuse—although some are much better than others. In some cases, AI is being used to hunt down previously unseen CSAM. Duplicates of existing abuse photos and videos can be detected using “hashing systems,” where abuse content is assigned a fingerprint that can be spotted when it’s uploaded to the web again. More than 200 companies, from Google to Apple, use Microsoft's PhotoDNA hashing system to scan millions of files shared online. However, to do this, systems need to have access to the messages and files people are sending, which is not possible when end-to-end encryption is in place.

“In addition to detecting CSAM, obligations will exist to detect the solicitation of children (‘grooming’), which can only mean that conversations will need to be read 24/7,” says Diego Naranjo, head of policy at the civil liberties group European Digital Rights. “This is a disaster for confidentiality of communications. Companies will be asked (via detection orders) or incentivized (via risk mitigation measures) to offer less secure services for everyone if they want to comply with these obligations.”

Discussions about protecting children online and how this can be done with end-to-end encryption are hugely complex, technical, and combined with the horrors of the crimes against vulnerable young people. Research from Unicef, the UN’s children’s fund, published in 2020 says encryption is needed to protect people’s privacy—including children—but adds that it “impedes” efforts to remove content and identify the people sharing it. For years, law enforcement agencies around the world have pushed to create ways to bypass or weaken encryption. “I’m not saying privacy at any cost, and I think we can all agree child abuse is abhorrent,” Woodward says, “but there needs to be a proper, public, dispassionate debate about whether the risks of what might emerge are worth the true effectiveness in fighting child abuse.”

Increasingly, researchers and tech companies have been focusing on safety tools that can exist alongside end-to-encryption. Proposals include using metadata from encrypted messages—the who, how, what, and why of messages, not their content—to analyze people’s behavior and potentially spot criminality. One recent report by the nonprofit Business for Social Responsibility, which was commissioned by Meta, found that end-to-end encryption is an overwhelmingly positive force for upholding people's human rights. It suggested 45 recommendations for how encryption and safety can go together and not involve access to people’s communications. When the report was published in April, Lindsey Andersen, BSR's associate director for human rights, told WIRED: “Contrary to popular belief, there actually is a lot that can be done even without access to messages.”

The EU Wants Big Tech to Scan Your Private Chats for Child Abuse

May's Patch Tuesday includes one actively exploited zero-day vulnerability and some other interesting ones.
The post Update now! Microsoft releases patches, including one for actively exploited zero-day appeared first on Malwarebytes Labs.

Posted: May 11, 2022 by

Microsoft has released patches for 74 security problems, including fixes for seven “critical” vulnerabilities, and an actively exploited zero-day vulnerability that affects all supported versions of Windows.

First, we’ll look at the actively exploited zero-day. Then we’ll discuss two zero-days that are publicly disclosed, but so far no in the wild exploits have been reported. And we’ll finish off with a few others that are worth keeping an eye on.

**LSA spoofing zero-day**

Microsoft has addressed an actively exploited Windows LSA spoofing zero-day that allows unauthenticated attackers to remotely force domain controllers to authenticate them via the Windows NT LAN Manager (NTLM) security protocol.

CVE-2022-26925: An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. The security update detects anonymous connection attempts in LSARPC and disallows it.

LSA (short for Local Security Authority) is a protected Windows subsystem that enforces local security policies and validates users for local and remote sign-ins. LSARPC is a protocol that enables a set of remote procedure calls (RPCs) to the LSA. Microsoft warns that the CVSS score would be 9.8 out of 10 when this vulnerability is chained with the noted NTLM Relay Attacks on Active Directory Certificate Services (AD CS).

The attack vector is closely related to the PetitPotam attacks we saw last year. If you are looking which patches to prioritize, this vulnerability affects all servers but domain controllers should be prioritized in terms of applying security updates.

**Windows Hyper-V vulnerability**

CVE-2022-22713: A denial of service (DoS) vulnerability in Windows Hyper V. Successful exploitation of this vulnerability requires an attacker to win a race condition. A race condition occurs when two or more threads can access shared data and they try to change it at the same time.

Hyper V is a native hypervisor, which means it can create virtual machines on x86-64 systems running Windows. The vulnerability only affects Windows Server (version 20H2) and Windows 10 x-64 based systems (versions 20H2 , 21H1, 21H2).

**Redshift driver**

CVE-2022-29972: A vulnerability that affects the Amazon Redshift ODBC and JDBC drivers and Amazon Athena ODBC and JDBC drivers due to improper validation of authentication tokens which may allow for unintended program invocation.

Microsoft products Azure Synapse Pipelines and Azure Data Factory are affected by a vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver. An ODBC driver uses the Open Database Connectivity (ODBC) interface by Microsoft that allows applications to access data in database management systems (DBMS) using SQL (Structured Query Language) as a standard for accessing the data.

The vulnerability was dubbed SynLapse by the researchers that discovered it. They believe the tenant separation in the Microsoft Azure Synapse service is insufficiently robust to protect secrets against other tenants.

**Windows Network File System**

Next is a Remote Code Execution (RCE) vulnerability affecting Windows Network File System (NFS) listed under CVE-2022-26937. This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). Microsoft considers it likely to be exploited and it is one of the highest-rated vulnerabilities of the month with a CVSS score of 9.8 out of 10.

**Point-to-Point Tunneling Protocol**

CVE-2022-21972: a Point-to-Point Tunneling Protocol Remote Code Execution vulnerability. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine. A remote access server (RAS) is a type of server that provides a suite of services to remotely connected users over a network or the Internet.

CVE-2022-23270: another Point-to-Point Tunneling Protocol Remote Code Execution vulnerability. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.

Successful exploitation of these two vulnerabilities requires an attacker to win a race condition.

**Other updates**

Microsoft is not the only vendor to issue patches. Here are some other that may deserve your attention.

*   Adobe
*   Google Chrome
*   Cisco
*   F5 BIG-IP
*   Opera

Stay safe, everyone!

**RELATED ARTICLES**

February 21, 2022 - The most important and interesting security stories from the last seven days.

February 14, 2022 - Users of Adobe Commerce and Magento are vulnerable to a zero-day with a CVSS score of 9.8 out of 10.

November 10, 2021 - Another Patch Tuesday has come around, and while it may seem as a calm one for a change, there is enough to patch and update.

July 19, 2021 - A roundup of all the most interesting cybersecurity news stories, articles, and happenings of the previous seven days.

June 9, 2021 - A great many patches from different vendors have been released in the June security updates for Microsoft, Android, SAP, Cisco, and Adobe.

Update now! Microsoft releases patches, including one for actively exploited zero-day

IceApple's 18 separate modules include those for data exfiltration, credential harvesting, and file and directory deletion, CrowdStrike warns.

A likely China-based, state-sponsored threat actor has been deploying a sophisticated post-exploitation malware framework on Microsoft Exchange servers at organizations in the technology, academic, and government sectors across multiple regions since at least last fall.

The goal of the campaign appears to be intelligence gathering and is tied to a targeted state-sponsored campaign, according to researchers at CrowdStrike. The security vendor is tracking the framework as "IceApple" and described it in a report this week as made up of 18 separate modules with a range of functions that include credential harvesting, file and directory deletion, and data exfiltration.

CrowdStrike's analysis shows the modules are designed to run only in-memory to reduce the malware's footprint on an infected system — a tactic that adversaries often employ in long-running campaigns. The framework also has several other detection-evasion techniques that suggest the adversary has deep knowledge of Internet Information Services (IIS) Web applications. For instance, CrowdStrike observed one of the modules leveraging undocumented fields in IIS software that are not intended to be used by third-party developers.

Over the course of their investigation of the threat, CrowdStrike researchers saw evidence of the adversaries repeatedly returning to compromised systems and using IceApple to execute post-exploitation activities.

Param Singh, vice president of CrowdStrike's Falcon OverWatch threat-hunting services, says IceApple is different from other post-exploitation toolkits in that it is under constant ongoing development even as it is being actively deployed and used. "While IceApple has been observed being deployed on Microsoft Exchange Server instances, it is actually capable of running under any IIS Web application," Singh says.

**Microsoft .NET Link  
**CrowdStrike discovered IceApple while developing detections for malicious activity involving so-called reflective .NET assembly loads. MITRE defines reflective code loading as a technique that threat actors use to conceal malicious payloads. It involves allocating and executing payloads directly in the memory of a running process. Reflectively loaded payloads can include complied binaries, anonymous files, or just bits of fileless executables, according to MITRE. Reflective code loading is like process injection except that code is loaded into a process's own memory rather than that of another process, MITRE has noted.

**".**NET assemblies form the cornerstone of Microsoft’s .NET framework," Singh says. "An assembly can function as either a stand-alone application in the form of an EXE file or as a library for use in other applications as a DLL."

CrowdStrike discovered IceApple in late 2021 when a detection mechanism it was developing for reflective .NET assembly loads triggered on an Exchange Server at a customer location. The company's investigation of the alert showed anomalies in several .NET assembly files, which in turn led to the discovery of the IceApple framework on the system.

**Active Cyberattack Campaign  
**IceApple's modular design gave the adversary a way to build each piece of functionality into its own .NET assembly and then reflectively load each function only as needed. "If not caught, this technique can leave security defenders completely blind to such attacks," Singh says. "For example, defenders will see a legitimate application like a Web server connecting out to a suspicious IP; however, they have no means of knowing what code is triggering that connection."

Singh says CrowdStrike found IceApple to be using a couple of unique tactics to evade detection. One of them is to use undocumented fields in IIS. The other is to blend into the environment by using assembly file names that appear to be normal IIS temporary files. "At closer inspection, the file names are not randomly generated, as would be expected, and the way the assemblies are loaded falls outside of what is normal for Microsoft Exchange and IIS," Singh says.

The IceApple framework is designed to exfiltrate data in several ways. For instance, one of the modules, known as the File Exfiltrator module, allows for a single file to be pilfered from the target host. Another module, called the multifile exfiltrator, allows for multiple files to be encrypted, compressed, and exfiltrated, according to Singh.

"This campaign is currently active and effective," he warns. "But it is unknown at the moment how many organizations may have been impacted by this campaign beyond where CrowdStrike has visibility and those that might have been indirectly impacted via supply chain or other methods."

Cyber-Espionage Attack Drops Post-Exploit Malware Framework on Microsoft Exchange Servers

An espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021.
Cybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the Bitter APT based on overlaps in the command-and-control (C2)

An espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021.

Cybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the Bitter APT based on overlaps in the command-and-control (C2) infrastructure with that of prior campaigns mounted by the same actor.

"Bangladesh fits the profile we have defined for this threat actor, previously targeting Southeast Asian countries including China, Pakistan, and Saudi Arabia," Vitor Ventura, lead security researcher at Cisco Talos, told The Hacker News.

"And now, in this latest campaign, they have widened their reach to Bangladesh. Any new country in southeast Asia being targeted by Bitter APT shouldn't be of surprise."

Bitter (aka APT-C-08 or T-APT-17) is suspected to be a South Asian hacking group motivated primarily by intelligence gathering, an operation that's facilitated by means of malware such as BitterRAT, ArtraDownloader, and AndroRAT. Prominent targets include the energy, engineering, and government sectors.

The earliest attacks were distributing the mobile version of BitterRAT date back to September 2014, with the actor having a history of leveraging zero-day flaws — CVE-2021-1732 and CVE-2021-28310 — to its advantage and accomplish its adversarial objectives.

The latest campaign, targeting an elite entity of the Bangladesh government, involves sending spear-phishing emails to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB).

As is typically observed in other social engineering attacks of this kind, the missives are designed to lure the recipients into opening a weaponized RTF document or a Microsoft Excel spreadsheet that exploits previously known flaws in the software to deploy a new trojan; dubbed "ZxxZ."

ZxxZ, named so after a separator used by the malware when sending information back to the C2 server, is a 32-bit Windows executable compiled in Visual C++.

"The trojan masquerades as a Windows Security update service and allows the

malicious actor to perform remote code execution, allowing the attacker to perform any other activities by installing other tools," the researchers explained.

While the malicious RTF document exploits a memory corruption vulnerability in Microsoft Office's Equation Editor (CVE-2017-11882), the Excel file abuses two remote code execution flaws, CVE-2018-0798 and CVE-2018-0802, to activate the infection sequence.

"Actors often change their tools to avoid detection or attribution, this is part of the lifecycle of a threat actor showing its capability and determination," Ventura said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Bitter APT Hackers Add Bangladesh to Their List of Targets in South Asia

A novel form of phishing takes advantage of a disparity between how browsers and email inboxes read web domains.

A novel form of phishing takes advantage of a disparity between how browsers and email inboxes read web domains.

Researchers have identified a never-before-seen method for sneaking malicious links into email inboxes.

The clever trick takes advantage of a key difference in how email inboxes and browsers read URLs, according a Monday report by Perception Point.

The attacker crafted an unusual link using an “@” symbol in the middle. Ordinary email security filters interpreted it as a comment, but browsers interpreted it as a legitimate web domain. Thus the phishing emails successfully bypassed security, but when targets clicked on the link inside, they were directed to a fake landing page nonetheless.

**A Lame Phishing Attempt**

On May 2, Perception Point’s incident response (IR) team flagged a hasily-designed phishing email trying to pass itself off as a Microsoft notice. “You have new 5 held messages,” it read, directing the recipient to follow a “Personal Portal” hyperlink.

The link directed to a website masquerading as an Outlook login page. Again the hacker’s design choices were poor, and the domain name for this supposed Outlook page was, in fact, “storageapi.fleek.co,” followed by a long series of random characters.

In theory, if a user had overlooked all of these red flags, and submitted their Microsoft credentials, those credentials would’ve gone to the attacker.

So here’s the mystery: how did such a low-effort phishing attempt make it past email security filters, which are trained to spot much more sophisticated frauds than this?

The key was in the email link.

**Some Background on Links**

Pause here for a moment, and open up another webpage in your browser.

Type “https://” into your address bar, then any string of characters you want. Next, type an @ symbol, followed by any web domain. For example:

https\[://\]abc123@www\[.\]threatpost.com

Depending on what browser you’re using, that text before the @ will either return an error message, or disappear without a trace. Why?

Well, some browsers enable you to automatically send authentication information to the website you want to visit. The syntax is as follows:

http(s)://username\[:\]password\[@\]server/resource\[.\]ext

Browsers that support this feature will interpret the string before the @ sign as login credentials. Browsers that don’t will simply ignore the string and execute whatever follows the @. Either way, the domain following @ is where you’ll be going.

In January, Microsoft removed this feature from Internet Explorer because of how easily hackers can use it to mask malicious websites as legitimate ones. They explained how:

For example, the following URL appears to open http://www\[.\]wingtiptoys\[.\]com but actually opens http://example\[.\]com:

http://www\[.\]wingtiptoys\[.\]com@example\[.\]com

Which brings us to the crux of today’s news…

The Hacker’s Trick

The URL embedded in the phishing emails from our story was:

As we’ve established, browsers will read this as a URL. But email services read the @ symbol in the middle very differently.

“It is common knowledge that an @ sign will be ignored by email security systems when used within the text of an email, and there are many instances of this being used legitimately,” Motti Elloul, vice president of customer success and incident response at Perception Point, told Threatpost via email, “For example, it can be used to refer to user information within the body of the message.” For this reason, the IR team wrote in their report, “most email detection platforms cannot recognize this address as a URL, and instead see it as a comment.”

The @ symbol is a cover: to an email security filter it’s a comment, but underneath it’s a regular old malicious link.

**The Impact**

Our hacker – unknown but for an IP address 202\[.\]172.25\[.\]42, coming from Japan – went after “a wide range of targets, including telecom, web services and financial organizations,” said Elloul. None of their emails managed to trick any targets before they were discovered.

Despite the failure of this particular campaign, Elloul told Threatpost, “the technique has the potential to catch on quickly, because it’s very easy to execute.” As a proof of concept, at least, it proved rather effective.

“In order to identify the technique and avoid the fallout from it slipping past security systems, security teams need to update their detection engines in order to double check the URL structure whenever @ is included.”

Novel Phishing Trick Uses Weird Links to Bypass Spam Filters

Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

  

*   Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.
*   As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other features, includes remote file execution capability.
*   Based on the similarities between the C2 server in this campaign with that of Bitter's previous campaign, we assess with moderate confidence that this campaign is operated by the Bitter APT group.

**Executive Summary**

Cisco Talos discovered an ongoing campaign operated by what we believe is the Bitter APT group since August 2021. This campaign is a typical example of the actor targeting South Asian government entities.

This campaign targets an elite unit of the Bangladesh's government with a themed lure document alleging to relate to the regular operational tasks in the victim's organization. The lure document is a spear-phishing email sent to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB). The emails contain either a malicious RTF document or a Microsoft Excel spreadsheet weaponized to exploit known vulnerabilities. Once the victim opens the maldoc, the Equation Editor application is automatically launched to run the embedded objects containing the shellcode to exploit known vulnerabilities described by CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802 — all in Microsoft Office — then downloads the trojan from the hosting server and runs it on the victim's machine. The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, opening the door to other activities by installing other tools. In this campaign, the trojan runs itself but the actor has other RATs and downloaders in their arsenal.

Such surveillance campaigns could allow the threat actors to access the organization's confidential information and give their handlers an advantage over their competitors, regardless of whether they're state-sponsored.

**Bitter threat actor**

Bitter, also known as T-APT-17, is a suspected South Asian threat actor. They have been active since 2013, targeting energy, engineering and government sectors in China, Pakistan and Saudi Arabia. In their latest campaign, they have extended their targeting to Bangladeshi government entities.

Bitter is mainly motivated by espionage. The adversary typically downloads malware onto compromised endpoints from their hosting server via HTTP and uses DNS to establish contact with the command and control. Bitter is known for exploiting known vulnerabilities in victims' environments. For example, in 2021, security researchers discovered that the adversary was exploiting the zero-day vulnerability CVE-2021-28310, a security flaw in Microsoft's Desktop Manager. Bitter is known to target both mobile and desktop platforms. Their arsenal mainly contains Bitter RAT, Artra downloader, SlideRAT and AndroRAT.

**Infrastructure**

The actor's infrastructure consists of the C2 server (helpdesk\[.\]autodefragapp\[.\]com) and several domains that host the adversary's malware, which is outlined below.

 _Domains hosting Bitter APT malware._

The SSL thumbprints are unique for each domain's certificate. We compiled a list of these SSL thumbprints in the IOCs section of the report. The timeline below shows the various domains based on their certificate creation date.

The C2 host is helpdesk\[.\]autodefragapp\[.\]com. Its WhoIs record indicates that the domain autodefragapp\[.\]com registered it in November 2020, and later updated it on Nov. 3, 2021. We have seen the actor use this C2 in previous campaigns.

The C2 domain resolved to 99\[.\]83\[.\]154\[.\]118 during the period of the campaign. This is a legitimate IP address for the AWS Global Accelerator networking service. Usually, the AWS Global Accelerator provides static IPs to the registrant, which allows the user to redirect traffic to their application or host for improved performance. In this case, we believe that the actor is using the AWS Global Accelerator to redirect traffic to their actual C2 host, which is parked behind the legitimate AWS service. We believe that the actor has employed this technique to conceal their identity.

**Attribution**

We assess with moderate confidence that this campaign is operated by Bitter based on the use of the same C2 IP address from previous campaigns and similarities in the decrypted strings of the payload, such as module names, payload executable name, paths and the constants.

The 99\[.\]83\[.\]154\[.\]118 IP also hosts mswsceventlog\[.\]net, according to Cisco Umbrella, a domain that was previously reported as Bitter's C2 server in a campaign against Pakistani government organizations.

**The campaign**

Cisco Talos observed an ongoing campaign operated by the Bitter APT group since August 2021 targeting Bangladeshi government personnel with spear-phishing emails. The email contains a maldoc attachment and masquerades as a legitimate email. The sender asks the target to review or verify the attached maldoc, which is either a call data record (CDR), a list of phone numbers, or a list of registered cases. We have seen the actor use these themes in phishing emails in the past.

The maldocs are an RTF document and Microsoft Excel spreadsheets. Examples of the specific subjects of the phishing emails are below.

*   Subject: CDR
*   Subject: Application for CDR
*   Subject: List of Numbers to be verified
*   Subject: List of registered cases

The maldocs' file names are consistent with the phishing emails' themes, as seen in the list of file names below:

*   Passport Fee Dues.xlsx
*   List of Numbers to be verified.xlsx
*   ASP AVIJIT DAS.doc
*   Addl SP Hafizur Rahman.doc
*   Addl SP Hafizur Rahman.xlsx
*   Registered Cases List.xlsx

Below are two spear-phishing email samples of this campaign.

  
_Phishing email sample 1_

  
_Phishing email sample 2_

The actor is using JavaMail with the Zimbra web client version 8.8.15\_GA\_4101 to send the emails. Zimbra is a collaborative software suite that includes an email server and a web client for messaging.

  
_Phishing email header information._

The originating IP address and header information indicates the emails were sent from mail servers based in Pakistan and the actor spoofed the sender details to make the email appear as though it was sent from Pakistani government organizations. The actor exploited a possible vulnerability in the Zimbra mail server. By modifying the Zimbra mail server configuration file, a user can send emails from a non-existing email account/domain. We have compiled a list of fake sender email addresses from this campaign:

*   cdrrab13bd@gmail\[.\]com
*   arc@desto\[.\]gov\[.\]pk
*   so.dc@pc\[.\]gov\[.\]pk
*   mem\_psd@pc\[.\]gov\[.\]pk
*   chief\_pia@pc\[.\]gov\[.\]pk
*   rab3tikatuly@gmail\[.\]com
*   ddscm2@pof\[.\]gov\[.\]pk

**The infection chain**

The infection chain begins with the spear-phishing email and either a malicious RTF document or an Excel spreadsheet attachment. When the victim opens the attachment, it launches the Microsoft Equation Editor application to execute the equations in the form of OLE objects and connects to the hosting server to download and run the payload.

 _Malicious RTF infection chain summary._

In the case of a malicious Excel spreadsheet, when the victim opens the file, it launches the Microsoft Equation Editor application to execute the embedded equation object and launches the task scheduler to configure two scheduled tasks. One of the scheduled tasks downloads the trojan "ZxxZ" into the public user's account space, while the other task runs the "ZxxZ".

 _Malicious Excel infection chain summary._

The payload runs as a Windows security update service on the victim's machine and establishes communication with the C2 to remotely download and execute files in the victim's environment.

**RTF document**

The Malicious RTF document is weaponized to exploit the stack overflow vulnerability CVE-2017-11882, which enables arbitrary code execution on victims' machines running vulnerable versions of Microsoft Office. Our previous blog outlines how this particular exploit works in the victim's environment.

 _Malicious RTF document sample._

The RTF document is embedded with an OLE object with the class name "Equation 3.0." It contains the shellcode as an equation formula created using Microsoft Equation Editor.

 _Embedded Microsoft Equation object._

When the victim opens the RTF file with Microsoft Word, it invokes the Equation Editor application and executes the equation formula containing the Return-Oriented Programming (ROP) gadgets. The ROP loads and executes the shell code located at the end of the maldocs in an encrypted format that connects to the malicious host olmajhnservice\[.\]com and downloads the payload from the URL hxxp\[:\]//olmajhnservice\[.\]/nxl/nx. The payload is downloaded in the folder "C:\\$Utf" created by the shellcode and runs as a process on the victim's machine.

 _Download URL captured during runtime of the maldoc._

**Excel spreadsheet**

The malicious Excel spreadsheet is weaponized to exploit the Microsoft Office memory corruption vulnerabilities CVE-2018-0798 and CVE-2018-0802.

When the victim opens the Excel spreadsheet, it launches the Microsoft Equation Editor application to execute the embedded Microsoft Equation 3.0 objects.

 _Malicious Excel spreadsheet._

Once the Microsoft Equation Editor service executes the embedded objects, it invokes the scheduled task service to configure the task scheduler with the commands shown below:

Task 1: Rdx

Task 2: RdxFac

The actor creates the folder "RdxFact '' in the Windows tasks folder and schedules two tasks with the task names "Rdx '' and "RdxFac '' to run every five minutes. When the first task runs, the victim's machine attempts to connect to the hosting server through the URL and, using the cURL utility, downloads the "RdxFactory.exe" into the public user profile's music folder. RdxFactory.exe is the trojan downloader.

After five minutes of execution of the first task, "Rdx,", the second task, "RdxFac,"runs to start the payload.

Based on other related samples we discovered, the actor also uses different folder names, tasks names and dropper file names in their campaigns.

We noticed that the actor is using the cURL command-line utility to download the payload in the Windows environment. Systems running Windows 10 and later have the cURL utility, which the actor abuses in this campaign.

**The payload**

The payload is a 32-bit Windows executable compiled in Visual C++ with a timestamp of Sept. 10, 2021. We named the trojan "ZxxZ" based on the name of a separator that the payload uses while sending information to the C2. This trojan is a downloader that downloads and executes the remote file. The executables were seen with the filenames "Update.exe", "ntfsc.exe" or "nx" in this campaign. They are either downloaded or dropped into the victim's "local application data" folder and run as a Windows Security update with medium integrity to elevate the privileges of a standard user.

The actor uses common encoding techniques to obfuscate strings in the WinMain function to hide its behavior from static analysis tools.

 _WinMain function snippet._

The decryption function receives the encrypted strings and decrypts each character with the XOR operation and stores the result in an array that will be returned to the caller function.

 _Decryption function._

The malware searches for the Windows Defender and Kaspersky antivirus processes in the victim's machine by creating the snapshot of running processes using CreateToolhelp32Snapshot and iterates through each process using API Process32First and Process32Next.

  
_WinMain() snippet showing antivirus process detection._

The information-gathering function gathers the victim's hostname, operating system product name, and the victim's username and writes them into a memory buffer.

  
_Information-gathering function._

The C2 communicating function at offset 401C50 is called from the two other requests making functions to send the victim's information with the decrypted strings "xnb/dxagt5avbb2.php?txt=" and "data1.php?id=" to C2 and receive the response.

The received response is a remote file saved into the "debug" folder and executed with the API "ShellExecuteA". In our research debugging environment, the remote file is similar to the trojan.

 _Requests making function 1 at offset 00401E00._

 _Requests making function 2 at offset 00402130._

**C2 communication**

For C2 communication, first, the trojan sends the victim's computer name, user name, a separator "ZxxZ" and the Windows version pulled from the registry. The server responds back with data in the format <id><user>:"<Program name">.

Next, the malware requests the program data. The server sends back the data of the Portable Executable effectively matching the pattern:<zero or more bytes>ZxxZ<PE data minus the MZ>. It then saves the file to %LOCALAPPDATA%\\Debug\\<program name>.exe and tries to execute it.

 _Request sent to C2._

If the download is successful, the server sends back the request with the opcode DN-S and, in case of a failure, the opcode RN\_E in their response. Based on our analysis, the opdoce DN-S means "download successful" and RN\_E stands for run error. If failed, the malware attempts to download the program data 225 times, and after that, it will launch itself and exit.

**Conclusion**

Organizations should be vigilant about the highly motivated threat actors who are known to conduct targeted attacks in their region. Threat actors usually emerge with smart techniques to accomplish their adversarial objectives and we have seen such an attempt in this campaign with the addition of a new variant to their arsenal.

In this current campaign, upon compromising the victim's machine and implanting the trojan ZxxZ - which has remote file execution capability - the adversary can deploy and run other tools from their arsenal to achieve their malicious objective.

Organizations should have a layered defense strategy with the implementation of the latest detection rules and behavioral protections in their endpoint defense solutions - not only with technical controls, but the organizations should have matured incident response plans and have the organization's security posture streamlined to protect their environment against the latest threats.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

  
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

The following ClamAV signatures have been released to detect this threat:

Ole2.Exploit.ZxxZDownloader-9944376-0  
Win.Downloader.ZxxZ-9944378-0

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  
Snort SIDs for this threat are 59736 and 300132.

**IOC****Domains**

olmajhnservice\[.\]com  
levarisnetqlsvc\[.\]net  
urocakpmpanel\[.\]com  
tomcruefrshsvc\[.\]com  
autodefragapp\[.\]com  
helpdesk\[.\]autodefragapp\[.\]com

**URLs**

http\[://\]autodefragapp\[.\]com/  
hxxp\[://\]olmajhnservice\[.\]com/updateReqServ10893x\[.\]php?x=035347  
hxxp\[://\]olmajhnservice\[.\]com/  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-BKP&ct=BKP  
hxxp\[://\]olmajhnservice\[.\]com/nxl/nx  
hxxp\[://\]olmajhnservice\[.\]com/nxl/nx/  
hxxp\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-2&ct=2  
hxxps\[://\]olmajhnservice\[.\]com/  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-1  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-1&amp  
hxxp\[://\]olmajhnservice\[.\]com/nt\[.\]php?dt=%25computername%25-ex-1&amp  
hxxp\[://\]olmajhnservice\[.\]com/nt\[.\]php  
hxxp\[://\]olmajhnservice\[.\]com/nt\[.\]php/  
hxxp\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25username%25-EX-3ct=1  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-1&ct=1  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-1&amp;ct=1  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25computername%25-EX-3&ct=3  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25username%25-EX-3&ct=1  
hxxps\[://\]olmajhnservice\[.\]com/nt\[.\]php/?dt=%25username%25-EX-3&amp;ct=1  
hxxp\[://\]levarisnetqlsvc\[.\]net/drw/drw  
hxxp\[://\]levarisnetqlsvc\[.\]net/lt\[.\]php  
hxxp\[://\]levarisnetqlsvc\[.\]net/  
hxxps\[://\]levarisnetqlsvc\[.\]net/lt\[.\]php  
hxxp\[://\]levarisnetqlsvc\[.\]net/jig/gij  
hxxps\[://\]levarisnetqlsvc\[.\]net/lt\[.\]php/?dt=%25computername%25-LT-2&ct=LT  
hxxp\[://\]urocakpmpanel\[.\]com/axl/ax  
hxxp\[://\]urocakpmpanel\[.\]com/nt\[.\]php?dt=%25computername%25-\*\*\*\*  
hxxps\[://\]urocakpmpanel\[.\]com/  
hxxp\[://\]urocakpmpanel\[.\]com/nt\[.\]php/?dt=%25computername%25-\*\*\*\*  
hxxps\[://\]urocakpmpanel\[.\]com/nt\[.\]php/?dt=%25computername  
hxxp\[://\]urocakpmpanel\[.\]com/  
hxxp\[://\]urocakpmpanel\[.\]com:33324/  
hxxps\[://\]urocakpmpanel\[.\]com/nt\[.\]php

**SSL Certificates Thumbprints**

0cbf8c7ff9faf01a9b5c3874e9a9d49cbbf5037b  
25092b60d972e574ed593a468564de2394fa008b  
4fbde39a0735d1ad757038072cf541dfdc65faa3  
5a972665b590cc77dcdfb4500c04acda5dc1cc4e  
530f597666afc147886f5ad651b5071d0cc894ba  
04a75df9b60290efb1a2d934570ad203a23f4e9c  
aeb02ac0c0f0793651f32a3c0f594ce79ba99e82

**Documents**

b0b687977eee41ee7c3ed0d9d179e8c00181f0c0db64eebc0005a5c6325e8a82  
f7ed5eec6d1869498f2fca8f989125326b2d8cee8dcacf3bc9315ae7566963db  
490e9582b00e2622e56447f76de4c038ae0b658a022e6bc44f9eb0ddf0720de6  
b7765ff16309baacff3b19d1a1a5dd7850a1640392f64f19353e8a608b5a28c5  
ce922a20a73182c18101dae7e5acfc240deb43c1007709c20ea74c1dd35d2b12  
e4545764e0c54ed1e1321a038fa2c1921b5b70a591c95b24127f1b9de7212af8

**Payload**

fa0ed2faa3da831976fee90860ac39d50484b20bee692ce7f0ec35a15670fa92  
3fdf291e39e93305ebc9df19ba480ebd60845053b0b606a620bf482d0f09f4d3  
69b397400043ec7036e23c225d8d562fdcd3be887f0d076b93f6fcaae8f3dd61  
90fd32f8f7b494331ab1429712b1735c3d864c8c8a2461a5ab67b05023821787

Bitter APT adds Bangladesh to their targets

In an effort to combat phishing, Google will allow Android phones and iPhones to be used as security keys.

Security is a continuous game of cat and mouse, with defenders improving their defenses against new attack methods and techniques. At Google I/O this week, the company announced anti-phishing efforts that will make it possible to use Android and iOS devices in the same way as physical security keys.

Security keys such as Google’s Titan Security Key work well to block phishing attempts and are easy to use. Users are prompted to plug the security key into the USB port (although some are NFC-capable) and tap it to authorize a login attempt. Google is bundling this capability into mobile devices, where Android and iOS devices use Bluetooth to verify they are in physical proximity to the device the user is trying to log into.

“Like physical security keys, this helps prevent a distant attacker from tricking you into approving a sign-in on _their_ browser, giving us an added layer of security against the kind of ‘person in the middle’ attacks that can still work against SMS or Google Prompt,” wrote Google engineer Daniel Margolis in a blog post.

Google is also expanding the types of Google Prompt challenges that users may experience if their login attempts look potentially fraudulent. “If we think an account is at a higher risk, or if we see abnormal behavior, we're more likely to use these additional security measures,” Margolis said. 

A new Google Prompt challenge will require users to connect their mobile devices to the same Wi-Fi network as the device they are attempting to log into. Similar to the security key functionality, this allows the user to prove that both mobile and computing devices are in the same location.

Google made several other security announcements at Google I/O, including plans to continue auto-enrolling Google account users into two-step verification, scaling phishing protections for Google Docs, Sheets, and Slides, as well as new security and privacy features in Android. These announcements are in addition to the recent pledge with the FIDO Alliance, Apple, and Microsoft to expand support for the FIDO Sign-in standards for passwordless authentication.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Will Use Mobile Devices to Thwart Phishing Attacks

Microsoft's May Patch Tuesday roundup also included critical fixes for a number of flaws found in infrastructure present in many enterprise and cloud environments.

Microsoft’s May Patch Tuesday roundup also included critical fixes for a number of flaws found in infrastructure present in many enterprise and cloud environments.

Microsoft has revealed 73 new patches for May’s monthly update of security fixes, including a patch for one flaw–a zero-day Windows LSA Spoofing Vulnerability rated as “important”—that is currently being exploited with man-in-the-middle attacks.

The software giant’s monthly update of patches that comes out every second Tuesday of the month–known as Patch Tuesday—also included fixes for seven “critical” flaws, 65 others rated as “important,” and one rated as “low.”

Given that Microsoft released a record number of patches in April, May’s patch tally is relatively low, but still includes a number of notable flaws that deserve attention, researchers said.  

“Although this isn’t a large number, this month makes up for it in severity and infrastructure headaches,” observed Chris Hass, director of security at security firm Automox, in an email to Threatpost. “The big news is the critical vulnerabilities that need to be highlighted for immediate action.”

Of the seven critical flaws, five allow for remote code execution (RCE) and two give attackers elevation of privilege (EoP). The remainder of the flaws also include a high percentage of RCE and EoP bugs, with the former accounting for 32.9 percent of the flaws patched this month, while the latter accounted for 28.8 percent of fixes, according to a blog post by researchers at Tenable.

The Windows LSA Spoofing Vulnerability, tracked as CVE-2022-26925, in and of itself was not rated as critical. However, when chained with a new technology LAN manager (NTLM) relay attack, the combined CVSSv3 score for the attack chain is 9.8, noted Allan Liska, a senior security architect at Recorded Future, in an e-mail to Threatpost.

Moreover, the flaw—which allows an unauthenticated attacker to coerce domain controllers to authenticate to an attacker-controller server using NTLM–is being exploited in the wild as a zero-day, he said. This makes it a priority to patch, Liska added, echoing guidance from Microsoft.

****Critical Infrastructure Vulnerabilities****

Of the other critical RCE flaws patched by Microsoft, four are worth noting because of their presence in infrastructure that’s fairly ubiquitous in many enterprise and/or cloud environments.

One is tracked as CVE-2022-29972 and is found in Insight Software’s Magnitude Simba Amazon Redshift ODBC Driver, and would need to be patched by a cloud provider—something organizations should follow up on, Liska said.

CVE-2022-22012 and CVE-2022-29130 are RCE vulnerabilities found in Microsoft’s LDAP service that are rated as critical. However, a caveat by Microsoft in its security bulletin noted that they are only exploitable “if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value.” That means that systems with the default value of this policy would not be vulnerable, the company said.

While “having the MaxReceiveBuffer set to a higher value than the default” seems an “uncommon configuration,” if an organization has this setting, it should prioritize patching these vulnerabilities, Liska observed.

Another critical RCE, CVE-2022-26937, is found in the Network File System (NFS) and has broad impact for Windows Server versions 2008 through 2022. However, this vulnerability only affects NFSV2 and NFSV3, and Microsoft has included instructions for disabling these versions of the NFS in the bulletin.

At the same time, Microsoft characterized the ease of exploitation of these vulnerabilities as “Exploitation More Likely,” as was the case with a similar vulnerability, CVE-2021-26432, an actively exploited zero day in the TCP/IP protocol stack in Windows server that was patched in August 2021.

“Given the similarities between these vulnerabilities and those of August of 2021, we could all be in store for a rough May,” Liska noted.

****Another Important Flaw Fixed****

Of the other flaws, another “important” one to note is CVE-2022-22019, a companion vulnerability to three previously disclosed and patched flaws found in Microsoft’s Remote Procedure Call (RPC) runtime library.

The vulnerability, discovered by Akamai researcher Ben Barnea, takes advantage of three RPC runtime library flaws that Microsoft had patched in April–CVE-2022-26809, CVE-2022-24492 and CVE-2022-24528, he revealed in a blog post Tuesday. The flaws affected Windows 7, 8, 10 and 11, and Windows Servers 2008, 2012, 2019 and 2022, and could allow a remote, unauthenticated attacker to execute code on the vulnerable machine with the privileges of the RPC service.

Akamai researchers discovered that the previous patch only partially addressed the problem, allowing the new vulnerability to create the same integer overflow that was supposed to be fixed, he explained.

“During our research, we found that right before allocating memory for the new coalesced buffer, the code adds another 24 bytes to the allocation size,” Barnea wrote in the post. “These 24 bytes are the size of a struct called ‘rpcconn\_request\_hdr\_t,’ which serves as the buffer header.”

The previous patch performs the check for integer overflow before adding the header size, so it does not take into account this header–which can lead to the same integer overflow that the patch was attempting to mitigate, he explained.

“The new patch adds another call to validate that the addition of 24 bytes does not overflow,” mitigating the problem, Barnea wrote.

Actively Exploited Zero-Day Bug Patched by Microsoft

A previously undocumented remote access trojan (RAT) written in the Go programming language has been spotted disproportionately targeting entities in Italy, Spain, and the U.K.
Called Nerbian RAT by enterprise security firm Proofpoint, the novel malware leverages COVID-19-themed lures to propagate as part of a low volume email-borne phishing campaign that started on April 26, 2022.
"The newly

A previously undocumented remote access trojan (RAT) written in the Go programming language has been spotted disproportionately targeting entities in Italy, Spain, and the U.K.

Called **Nerbian RAT** by enterprise security firm Proofpoint, the novel malware leverages COVID-19-themed lures to propagate as part of a low volume email-borne phishing campaign that started on April 26, 2022.

"The newly identified Nerbian RAT leverages multiple anti-analysis components spread across several stages, including multiple open-source libraries," Proofpoint researchers said in a report shared with The Hacker News.

"It is written in operating system (OS) agnostic Go programming language, compiled for 64-bit systems, and leverages several encryption routines to further evade network analysis."

The messages, amounting to less than 100 in number, purport to be from the World Health Organization about safety measures related to COVID-19, urging potential victims to open a macro-laced Microsoft Word document to access the "latest health advice."

Enabling the macros displays COVID-19 guidance, including steps for self-isolation, while in the background, the embedded macro triggers an infection chain that delivers a payload called "UpdateUAV.exe", which acts as dropper for Nerbian RAT ("MoUsoCore.exe") from a remote server.

The dropper also makes use of the open-source Chacal "anti-VM framework" to make reverse engineering difficult, using it to carry out anti-reversing checks and terminating itself should it encounter any debuggers or memory analysis programs.

The remote access trojan, for its part, is equipped to log keystrokes, capture screenshots, and execute arbitrary commands, before exfiltrating the results back to the server.

While both the dropper and the RAT are said to have been developed by the same author, the identity of the threat actor remains unknown as yet.

Furthermore, Proofpoint cautioned that the dropper could be customized to deliver different payloads in future attacks, although in its current form, it can only retrieve the Nerbian RAT.

"Malware authors continue to operate at the intersection of open-source capability and criminal opportunity," Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said in a statement.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft