The stealthy crypter, active since 2015, has been used to deliver a wide range of information stealers and RATs at a rapid, widespread clip.

Researchers this week warned of a sophisticated, evasive crypter that several threat actors are using to distribute a range of information stealers and remote-access Trojans (RATs).

The crypter, dubbed "DarkTortilla," is pervasive and persistent, and it packs multiple features designed to help it avoid anti-malware and forensics tools. The .NET-based crypter can be configured to deliver numerous malicious payloads, and can potentially be used to plant illegal content on a victim's system. It's also capable of tricking both users and sandboxes into believing it is benign.

Researchers from Secureworks, who first spotted DarkTortilla last October, believe it has been active since at least August 2015. Rob Pantazopoulos, senior security researcher at Secureworks' Counter Threat Unit (CTU), says threat actors have used DarkTortilla in the past to deliver a wide range of other malware, including Remcos, BitRat, FormBook, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat. On a few occasions, the crypter has also been used in targeted attacks to deliver payloads such as Metaspolit and Cobalt Strike.

Most recently, it's been used mainly to deliver malware such as the RATs AgentTesla, NanoCore, and AsyncRat, as well as the information-stealer RedLine.

Somewhat unusually for such a widely used malware distributor, there have been just nine instances where a threat actor used DarkTortilla to distribute ransomware — and seven of those involved the Babuk ransomware family.

**Pervasive and Versatile**

"DarkTortilla first came into focus for Secureworks in October 2021 when we detected a threat actor leveraging a Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) to execute malicious PowerShell within customer environments," Pantazopoulos says. "The attack chain eventually led to the download and execution of the .NET malware that we now call DarkTortilla."

Secureworks researchers said that between January 2021 through May, they spotted an average of 93 unique DarkTortilla samples being uploaded to VirusTotal every week. The security vendor says it has counted more than 10,000 unique DarkTortilla samples since it began tracking the malware. Like many malware tools, attackers have been using spam emails with file attachments such as .ISO, .ZIP, and .IMG to distribute DarkTortilla. In some instances, they have also used malicious documents to deliver the malware.

**Highly Configurable**

What makes DarkTortilla dangerous is its high degree of configurability and the various anti-analysis and anti-tampering controls it packs to make detection and analysis highly challenging. The malware, for instance, uses open source tools such as DeepSea and ConfuserEX to obfuscate its code, and its main payload gets executed entirely in memory, Pantazopoulos says.

Also, DarkTortilla's initial loader, which is the only component of the malware that touches the file system, contains minimal functionality, making it hard to spot.

"Its only job is to retrieve, decode, and load the core processor, which is typically stored as encrypted data within the initial loader's resources," he notes. The code itself is generic in nature and tends to vary between samples depending on the obfuscation tools that have been applied. As a result, Secureworks has only been able to identify a handful of consistent markers for the malware — which too are likely to change soon, the researcher says.

The security vendor's analysis of DarkTortilla showed that it migrates execution to the Windows %TEMP% directory during initial execution, a feature that Pantazopoulos says is troublesome for defenders. One benefit in doing this — from the attacker's perspective — is that it allows DarkTortilla to hide on an infected system.

"Second, if the %Delay% configuration element is defined within the DarkTortilla configuration, the amount of time from when DarkTortilla is run to when the main payload gets executed increases exponentially," he says. For instance, with just a few configuration changes, attackers can set the malware to execute its main payload several minutes after the DarkTortilla executable is run.

"The impact here is that, when defenders submit the sample to most popular sandboxes, the sample will likely timeout without doing anything malicious and the sandbox may report that the sample was benign."

**Bag of Tricks**

DarkTortilla's bag of tricks includes a message box that attackers can use to display customizable, fake messages about the malware being a legitimate application, about the execution failing, or about the software being corrupted. The goal here, again, is to trick users into believing the malware that is executing on their system is benign.

"From a features perspective, we find DarkTortilla's ability to deliver numerous additional payloads in the form of 'addons' to be very interesting," Pantazopoulos notes. In one instance, the configured addon was a benign decoy Excel spreadsheet that opened as the malware was executing in the background. In another instance, Secureworks discovered the configured addon was a legitimate application installer that ran when the malware was executing. Thus the victim assumed they were installing a legitimate application.

In a handful of instances, Secureworks observed threat actors using DarkTortilla to drop addons to disk that were then not run later. Of the more than 600 DarkTortilla addons that Secureworks has observed so far, only seven were dropped to disk and not executed.

The file types ranged from executables and configuration files to PDF documents and were typically dropped to the victim's My Documents folder. "Though we've yet to see it used this way, it is very possible that a threat actor could leverage DarkTortilla to plant illegal content on a victim's file system without their knowledge," Pantazopoulos says.

'DarkTortilla' Malware Wraps in Sophistication for High-Volume RAT Infections

The state-sponsored group particularly targets organizations working on behalf of the Uyghurs, Tibet, and Taiwan, looking to gather intel that could lead to human-rights abuses, researchers say.

The RedAlpha advanced persistent threat (APT) group, thought to be linked to the Chinese state, has been spying on global humanitarian, think tank, and government organizations thanks to a massive phishing campaign that's been active for years.

That's the word from Recorded Future's the Insikt Group, which also found that the intelligence collection is likely used to support human rights abuses orchestrated by the Chinese Communist Party (CCP).

RedAlpha (aka Deepcliff or Red Dev 3) specializes in mass credential-harvesting, which it accomplishes via convincing phishing emails with attached PDFs that lead to purported login pages. The group has been operational at a "high tempo" since at least 2015, Insikt researchers note, though it didn't spark the notice of security researchers until 2018. And since 2019, the activity has ramped up even further, analysts say.

"Over the past three years, we have observed RedAlpha registering and weaponizing hundreds of domains spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other … organizations," according to a blog post on Tuesday from Insikt.

Last year, RedAlpha stood up at least 350 domains overall, representing a big spike in its activity, analysts said. In many cases, the observed phishing pages mimicked legitimate email login portals for these specific targets, suggesting the attackers intended to target individuals directly affiliated with the organizations, as opposed to using the branding of the entities to target other third parties.

In particular, the APT has been observed directly targeting ethnic and religious minorities such as the Tibetan and Uyghur communities and protesters such as Falun Gong members, and it has been particularly interested in anything Taiwan-related. In short, the targets align closely with Chinese interests. Thus, the idea is to gain access to email accounts and other online communications of victims, in order to eavesdrop and gather political intel on the targets, researchers surmise.

Casey Ellis, founder and CTO at Bugcrowd, says that the intel gleaned can be weaponized not just for guiding kinetic or physical strikes against the persons of interest but also for counter-messaging meant to undermine their activities.  

"China has an enormous population of very astute technologists, a vast security research and hacking community, and a large government-sponsored team with offensive capability ranging from information warfare to targeted exploit development and R&D," he says. "Data stolen for nation-state espionage isn't, for example, likely to be used for fraud if the threat actor is Chinese. The main threat, as is true for most nation-state threat actors, is dis/misinformation, weaponized memes, and subversive propaganda through social networks and traditional media."

The spoofing also has included impersonating well-known email service providers in an effort to look legitimate, including Yahoo (135 typosquatted domains), Google (91 typosquatted domains), and Microsoft (70 typosquatted domains).

"Chinese state-sponsored groups continue to aggressively target dissident and minority groups and individuals, both domestically through state surveillance and internationally through cyber-enabled intrusion activity," the researchers note. "This targeting of sensitive and vulnerable communities, many of which have security budget and resources constraints, is particularly concerning.  

**Sprawling Phishing Infrastructure**

According to Insikt's analysis, the group maintains large clusters of operational infrastructure, beyond the hundreds of phishing domains that imitate and spoof specific organizations.

The researchers say that other consistent characteristics of the group's efforts include the use of \*resellerclub\[.\]com nameservers; using the virtual private server (VPS) hosting provider Virtual Machine Solutions (VirMach); similar domain-naming conventions, such as the use of “mydrive-”, “accounts-”, “mail-”, “drive-”, and “files-” strings across hundreds of domains; overlapping WHOIS registrant names, email addresses, phone numbers, and organizations; and the use of specific server-side technology components and fake HTTP 404 Not Found errors.  

Phil Neray, vice president of cyber-defense strategy at CardinalOps, says that this kind of large footprint allows for significant espionage outcomes, which is one of the hallmarks of Chinese APTs.

"China has been a top nation-state threat for many years, given their strategic use of cyber-espionage to obtain expertise in key technologies such as biotech, semiconductors, defense, and energy, by stealing proprietary intellectual property from the West," he says. "They've also targeted PII in attacks against government organizations such as the Office of Personnel Management (OPM) and large health insurance organizations like Anthem, which were two of the largest data breaches in history."   

**Phishing Is Phishing Is Phishing**

The tactics in this case are tried and true, even if the perpetrators occupy "top-tier" status in the cybercrime pantheon.

"When it comes to phishing, threat actors at all levels generally rely on conventional aesthetic-based tactics to lure in their victims," Darren Guccione, CEO and co-founder at Keeper Security, tells Dark Reading. "Innocent people who are not trained on phishing prevention generally focus on the 'pinstripes' of the email. This means that the aesthetics they are familiar with, such as the logo and colors of a humanitarian, think tank, or government site, are used to lure them into a malicious link or form field."

It's important, however, not to underestimate the fallout from this familiar social-engineering approach. 

"Cybersecurity threats which ultimately result in breaches due to weak passwords, stolen credentials, or phishing emails are pervasive," Guccione says. "They can have devastating and long-term adverse consequences, particularly when a broad-scope espionage campaign is used to support human rights abuses."

Any organization should bolster user awareness and employ basic defenses to avoid being on the hook from phishing, Guccione adds.

"We tend to believe what we see, which is why aesthetics and a compelling user interface often trump awareness of a nefarious and incorrect URL," he notes. "The key to training is to ensure users are checking that the URL matches the authentic website. A password manager that can automatically identify when a site's URL doesn't match is a critical tool for preventing the most common password-related attacks, including phishing and credential stuffing."

CardinalOps' Neray adds that when it comes to civil-society targets specifically, "Organizations of all sizes must protect themselves by deploying continuous monitoring at all levels of their infrastructures — endpoints, network, cloud, identity — and ensuring they have SOC detection policies in place that match the latest adversary techniques employed by Chinese attackers, as documented in the MITRE ATT&CK framework."

China-Backed RedAlpha APT Builds Sprawling Cyber-Espionage Infrastructure

Red Hat Security Advisory 2022-6073-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel security update  
Advisory ID:       RHSA-2022:6073-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6073  
Issue date:        2022-08-16  
CVE Names:         CVE-2022-32250  
====================================================================  
1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 7.7  
Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update  
Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.7) - noarch, x86_64  
Red Hat Enterprise Linux Server E4S (v. 7.7) - noarch, ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional AUS (v. 7.7) - x86_64  
Red Hat Enterprise Linux Server Optional E4S (v. 7.7) - ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional TUS (v. 7.7) - x86_64  
Red Hat Enterprise Linux Server TUS (v. 7.7) - noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: a use-after-free write in the netfilter subsystem can lead to  
privilege escalation to root (CVE-2022-32250)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2092427 - CVE-2022-32250 kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.7):

Source:  
kernel-3.10.0-1062.68.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.68.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.68.1.el7.noarch.rpm

x86_64:  
bpftool-3.10.0-1062.68.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server E4S (v. 7.7):

Source:  
kernel-3.10.0-1062.68.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.68.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.68.1.el7.noarch.rpm

ppc64le:  
bpftool-3.10.0-1062.68.1.el7.ppc64le.rpm  
bpftool-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-bootwrapper-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-debug-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-debug-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-devel-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-headers-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-tools-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-tools-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-tools-libs-3.10.0-1062.68.1.el7.ppc64le.rpm  
perf-3.10.0-1062.68.1.el7.ppc64le.rpm  
perf-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
python-perf-3.10.0-1062.68.1.el7.ppc64le.rpm  
python-perf-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm

x86_64:  
bpftool-3.10.0-1062.68.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server TUS (v. 7.7):

Source:  
kernel-3.10.0-1062.68.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.68.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.68.1.el7.noarch.rpm

x86_64:  
bpftool-3.10.0-1062.68.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.7):

x86_64:  
bpftool-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional E4S (v. 7.7):

ppc64le:  
bpftool-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-debug-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-debug-devel-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-tools-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
kernel-tools-libs-devel-3.10.0-1062.68.1.el7.ppc64le.rpm  
perf-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm  
python-perf-debuginfo-3.10.0-1062.68.1.el7.ppc64le.rpm

x86_64:  
bpftool-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional TUS (v. 7.7):

x86_64:  
bpftool-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.68.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.68.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32250  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYvvc19zjgjWX9erEAQi1cRAAjEUt0r1F8jjtVp0d8kroL7hrs8EHBJ0Q  
qJyhWBmqx6rPsRG9BjxRp7/ghaiz6CG/UT1nv/nZ+fUBG83LCvZ46o8WcI6K0Fvy  
JerDv3tWnpPMJCh6Mk20L0Dc/1N4VT93aXLxZImYZ4lbglzuYnVG7padfPw1hKfJ  
0mMRAW0Jq5no1Z+TbIw15UYH5VM9jHe3HUSEbQAmWd07rKNmYzrb7lmMVCKzLgKY  
OpoE5DBPzC2vmYy4uD5yFJAqb16udSc75O1lwJSm0NemThecm0UKmHvYShYQVFst  
PReb3FBLKkxp/cIn8agD45FLI6bmwx/G+Vf+ULKWLHKYAEb++VJMPeV/AZOMTXkZ  
pgAvjOmU+GW+Ff5caqFKIZpdPVrnckJ+OZAntAxlsfdoIi6zAayedi13CGjOT2YF  
LZJL1bZ5OvT+C/dDuFdouBc5vh6gUSvqFCIdChCcFISZTGD2pdqih0MrltYElYZQ  
aMyqT0Rbtb5tDTdiPsAOlEZdu27FwqwY3c3UKutAQZdNfiegGzrTEvqJUc/bAWck  
Nyr1jA2bfxIoAUeAZebg1BBIHDelDlIQ4jhR0rlmVddRLY/R0nlSUPDFYlhXSZ9a  
je2i1vKkqty8xO0u6E3y4hw5LtzKU4zg7Nithiko9iBeBeQl6jLWJbNFf6sNxwed  
y2wGB25IIfc=ZdRy  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6073-01

The North Korean APT is using a fake job posting for Coinbase in a cyberespionage campaign targeting users of both Apple and Intel-based systems.

The North Korean APT is using a fake job posting for Coinbase in a cyberespionage campaign targeting users of both Apple and Intel-based systems.

North Korean APT Lazarus is up to its old tricks with a cyberespionage campaign targeting engineers with a fake job posting that attempt to spread macOS malware. The malicious Mac executable used in the campaign targets both Apple and Intel chip-based systems.

The campaign, identified by researchers from ESET Research Labs and revealed in a series of tweets posted Tuesday, impersonates cryptocurrency trader Coinbase in a job description claiming to seek an engineering manager for product security, researchers divulged.

Dubbed Operation In(ter)ception, the recent campaign drops a signed Mac executable disguised as a job description for Coinbase, which researchers discovered uploaded to VirusTotal from Brazil, they wrote.“Malware is compiled for both Intel and Apple Silicon,” according to one of the tweets. “It drops three files: a decoy PDF document Coinbase\_online\_careers\_2022\_07.pdf, a bundle http\[://\]FinderFontsUpdater\[.\]app and a downloader safarifontagent.”

**Similarities to Previous Malware**

The malware is similar to a sample discovered by ESET in May, which also included a signed executable disguised as a job description, was compiled for both Apple and Intel, and dropped a PDF decoy, researchers said.

However, the most recent malware is signed July 21, according to its timestamp, which means it’s either something new or a variant of the previous malware. It uses a certificate issued in February 2022 to a developer named Shankey Nohria and which was revoked by Apple on Aug. 12, researchers said. The app itself was not notarized.

Operation In(ter)ception also has a companion Windows version of the malware dropping the same decoy and spotted Aug. 4 by Malwarebytes threat intelligence researcher Jazi, according to ESET.

The malware used in the campaign also connects to a different command and control (C2) infrastructure than the malware discovered in May, https:\[//\]concrecapital\[.\]com/%user%\[.\]jpg, which did not respond when researchers tried to connect to it.

**Lazarus on the Loose**

North Korea’s Lazarus is well known as one of the most prolific APTs and already is in the crosshairs of international authorities, having been sanctioned back in 2019 by the U.S. government.

Lazarus is known for targeting academics, journalists and professionals in various industries—particularly the defense industry–to gather intelligence and financial backing for the regime of Kim Jong-un. It has often used impersonation ploys similar to the one observed in Operation In(ter)ception to try to get victims to take the malware bait.

A previous campaign identified in January also targeted job-seeking engineers by dangling fake employment opportunities at them in a spear-phishing campaign. The attacks used Windows Update as a living-off-the-land technique and GitHub as a C2 server.

Meanwhile, a similar campaign uncovered last year saw Lazarus impersonating defense contractors Boeing and General Motors and claiming to seek job candidates only to spread malicious documents.

**Changing It Up**

However, more recently Lazarus has diversified its tactics, with the feds revealing that Lazarus also has been responsible for a number of crypto heists aimed at padding the regime of Jong-un with cash.

Related to this activity, the U.S. government levied sanctions against cryptocurrency mixer service Tornado Cash for helping Lazarus launder cash from its cybercriminal activities, which they believe in part are being to fund North Korea’s missile program.

Lazarus even has dipped its toe in ransomware amid its frenzy of cyberextortion activity. In May, researchers at cybersecurity firm Trellix tied the recently emerged VHD ransomware to the North Korean APT.

APT Lazarus Targets Engineers with macOS Malware

A Chinese state-sponsored threat activity group named RedAlpha has been attributed to a multi-year mass credential theft campaign aimed at global humanitarian, think tank, and government organizations.
"In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations," Recorded Future disclosed in a new

A Chinese state-sponsored threat activity group named **RedAlpha** has been attributed to a multi-year mass credential theft campaign aimed at global humanitarian, think tank, and government organizations.

"In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations," Recorded Future disclosed in a new report.

A lesser-known threat actor, RedAlpha was first documented by Citizen Lab in January 2018 and has a history of conducting cyber espionage and surveillance operations directed against the Tibetan community, some in India, to facilitate intelligence collection by deploying the NjRAT backdoor.

"The campaigns \[...\] combine light reconnaissance, selective targeting, and diverse malicious tooling," Recorded Future noted at the time.

Since then, malicious activities undertaken by the group have involved weaponizing as many as 350 domains that spoof legitimate entities like the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), and the American Institute in Taiwan (AIT), among others.

The adversary's consistent targeting of think tanks and humanitarian organizations over the past three years falls in line with the strategic interests of the Chinese government, the report added.

The impersonated domains, which also include legitimate email and storage service providers like Yahoo!, Google, and Microsoft, are subsequently used to target proximate organizations and individuals to facilitate credential theft.

Attack chains start with phishing emails containing PDF files that embed malicious links to redirect users to rogue landing pages that mirror the email login portals for the targeted organizations.

"This means they were intended to target individuals directly affiliated with these organizations rather than simply imitating these organizations to target other third parties," the researchers noted.

Alternatively, the domains used in the credential-phishing activity have been found hosting generic login pages for popular email providers such as Outlook, alongside emulating other email software such as Zimbra used by these specific organizations.

In a sign of the campaign's evolution, the group has also impersonated login pages associated with Taiwan, Portugal, Brazil, and Vietnam's ministries of foreign affairs as well as India's National Informatics Centre (NIC), which manages IT infrastructure and services for the Indian government.

The RedAlpha cluster further appears to be connected to a Chinese information security company known as Jiangsu Cimer Information Security Technology Co. Ltd. (formerly Nanjing Qinglan Information Technology Co., Ltd.), underscoring the continued use of private contractors by intelligence agencies in the country.

"\[The targeting of think tanks, civil society organizations, and Taiwanese government and political entities\], coupled with the identification of likely China-based operators, indicates a likely Chinese state-nexus to RedAlpha activity," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Link Multi-Year Mass Credential Theft Campaign to Chinese Hackers

More than 1.31 million users attempted to install malicious or unwanted web browser extensions at least once, new findings from cybersecurity firm Kaspersky show.
"From January 2020 to June 2022, more than 4.3 million unique users were attacked by adware hiding in browser extensions, which is approximately 70% of all users affected by malicious and unwanted add-ons," the company said.
As many as

More than 1.31 million users attempted to install malicious or unwanted web browser extensions at least once, new findings from cybersecurity firm Kaspersky show.

"From January 2020 to June 2022, more than 4.3 million unique users were attacked by adware hiding in browser extensions, which is approximately 70% of all users affected by malicious and unwanted add-ons," the company said.

As many as 1,311,557 users fall under this category in the first half of 2022, per Kaspersky's telemetry data. In comparison, the number of such users peaked in 2020 at 3,660,236, followed by 1,823,263 unique users in 2021.

The most prevalent threat is a family of adware called WebSearch, which masquerade as PDF viewers and other utilities, and comes with capabilities to collect and analyze search queries and redirect users to affiliate links.

WebSearch is also notable for modifying the browser's start page, which contains a search engine and a number of links to third-party sources like AliExpress that, when clicked by the victim, help the extension developers earn money through affiliate links.

"Also, the extension modifies the browser's default search engine to search.myway\[.\]com, which can capture user queries, collect and analyze them," Kaspersky noted. "Depending on what the user searched for, most relevant partner sites will be actively promoted in the search results."

A second set of extensions involve a threat named AddScript that conceals its malicious functionality under the guise of video downloaders. While the add-ons do offer the advertised features, they are also designed to contact a remote server to retrieve and execute a piece of arbitrary JavaScript code.

Over one million users are said to have encountered adware in H1 2022 alone, with WebSearch and AddScript targeting 876,924 and 156,698 unique users.

Also found were instances of information-stealing malware like FB Stealer, which aim to steal Facebook login credentials and session cookies of logged-in users. FB Stealer has been responsible for 3,077 unique infection attempts in H1 2022.

The malware primarily singles out users on the lookout for cracked software on search engines, with FB Stealer delivered through a trojan called NullMixer, which propagates through cracked installers for software such as SolarWinds Broadband Engineers Edition.

"FB Stealer is installed by the malware rather than by the user," the researchers said. "Once added to the browser, it mimics the harmless and standard-looking Chrome extension Google Translate."

These attacks are also financially-motivated. The malware operators, after getting hold of the authentication cookies, log in to the target's Facebook account and hijack it by changing the password, effectively locking out the victim. The attackers can then abuse the access to ask the victim's friends for money.

The findings come a little over a month after Zimperiumm disclosed a malware family called ABCsoup that masquerades as a Google Translate extension as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers.

To keep the web browser free of infections, it's recommended that users stick to trusted sources for downloading software, review extension permissions, and periodically review and uninstall add-ons that "you no longer use or that you do not recognize."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Malicious Browser Extensions Targeted Over a Million Users So Far This Year

The North Korea-backed Lazarus Group has been observed targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets.
Slovak cybersecurity firm ESET linked it to a campaign dubbed "Operation In(ter)ception" that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the aerospace and military sectors into

The North Korea-backed Lazarus Group has been observed targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets.

Slovak cybersecurity firm ESET linked it to a campaign dubbed "Operation In(ter)ception" that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the aerospace and military sectors into opening decoy job offer documents.

The latest attack is no different in that a job description for the Coinbase cryptocurrency exchange platform was used as a launchpad to drop a signed Mach-O executable. ESET's analysis comes from a sample of the binary that was uploaded to VirusTotal from Brazil on August 11, 2022.

"Malware is compiled for both Intel and Apple Silicon," the company said in a series of tweets. "It drops three files: a decoy PDF document 'Coinbase\_online\_careers\_2022\_07.pdf', a bundle 'FinderFontsUpdater.app,' and a downloader 'safarifontagent.'"

The decoy file, while sporting the .PDF extension, is in reality a Mach-O executable that functions as a dropper to launch FinderFontsUpdater, which, in turn, executes safarifontsagent, a downloader designed to retrieve next-stage payloads from a remote server.

ESET stated that the lure was signed on July 21 using a certificate issued in February 2022 to a developer named Shankey Nohria. Apple has since moved to revoke the certificate on August 12.

It's worth noting the malware is cross-platform, as a Windows equivalent of the same PDF document was used to drop an .EXE file named "Coinbase\_online\_careers\_2022\_07.exe" earlier this month, as revealed by Malwarebytes researcher Hossein Jazi.

The Lazarus Group has emerged an expert of sorts when it comes to posing as HR representatives on social media platforms like LinkedIn to target companies that are of strategic interest.

Last month, it came to light that the $620 million Axie Infinity hack attributed to the collective was the result of one of its former employees getting duped by a fraudulent job offer on LinkedIn.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

North Korea Hackers Spotted Targeting Job Seekers with macOS Malware

In this article, we explore what Red Hat Insights and Red Hat Satellite have to offer individually, and then we will look at how you can have a heightened experience of the two products with the use of Cloud Connector.

In this article, we explore what **Red Hat Insights** and **Red Hat Satellite** have to offer individually, and then we will look at how you can have a heightened experience of the two products with the use of Cloud Connector. We then evaluate both offerings by performing a feature-by-feature comparison of the tools for a better understanding of how they compare.

Insights and Satellite are frequently used by customers for a myriad of use cases — some similar and some vastly different — including managing their IT estate. Ultimately, customers are able to proactively streamline the security posture of their IT estate with both or either of these products.

**Red Hat Insights and Red Hat Satellite overview**

Insights is a Software-as-a-Service (SaaS) offering, available through the Hybrid Cloud Console with a Red Hat Enterprise Linux (RHEL) or Satellite subscription. Insights continuously analyzes platforms and applications to predict risk and recommend actions. This aids in the more effective management of your hybrid cloud environments overall.

_Figure 1: Insights dashboard on Hybrid Cloud Console_

Insights gathers configuration and utilization data on an ongoing basis, then analyzes and provides insights from that data via the web UI, API or integrations through notifications or webhooks. Insights gives you a Red Hat view of how you should prioritize taking action, when and where needed, based on our unique experience in supporting Red Hat products.

With a holistic view of your IT estate in mind, how does an organization manage its IT environment? It is important for customers to have a systematic way to manage their infrastructure. Without standard processes, their organization could at best have inefficiencies, and at worst be open to all kinds of security breaches, compliance issues and audit difficulties.

In relation to scalability, Satellite automates workflow and streamlines content management. This can make administrators much more efficient, giving them more time to work on strategic initiatives rather than spending all day on tedious, manual and error-prone tasks. Other advantages of Satellite include that it provides lifecycle management across your Red Hat infrastructure, that it streamlines your content management and that it is able to scale.

**Introducing Cloud Connector**

Satellite can work with Insights for the advanced remediation of issues through the use of Cloud Connector. Cloud Connector ties the technologies together so that you can find issues with Insights and fix them with Satellite at scale.

_Figure 2: Insights and Satellite (with Cloud Connector) enables push-button remediation of issues identified by Insights_

The connected experience between Insights and Satellite is illustrated in Figure 2. All of the data collected on Insights is automatically proxied through Satellite without you having to do any manual configuration. Configuring Cloud Connector enables the "Execute Remediation" button inside of the Insights Remediations service.

_Figure 3: Remediations service on Insights console_

It really is as simple as clicking a button and running the playbook and having the issue fixed in a matter of minutes. 

Our goal at Red Hat is to do what we can to help you solve your business needs and keep your organization performing at its best. With this in mind, Insights is able to help detect and address IT security issues beyond patching, compliance, performance and availability as well as consistency issues; all of these can result in reduced efficiency and increased costs.

Satellite will help detect and address problems such as the remediation of issues, lifecycle and content management, provisioning and patching at scale across your entire environment.

**Feature comparison**

Here's a comparison of Insights and Satellite features. This is not an all-encompassing list, but provides key functionality comparisons in different focus areas.

**Focus area: Vulnerability**

 

Red Hat Insights

Red Hat Satellite

Dashboard

Displays only CVEs with errata. If there is no CVE resolution, Insights won’t show it.

All vulnerabilities with an errata are shown. By default, you can only see a vulnerability that affects your environment.

Risk scoring

Uses standard common vulnerability scoring system (CVSS). Can score business risk and change status for CVE.

Uses standard common vulnerability scoring system (CVSS).

Reporting

PDF or CSV

CSV

**Focus area: Compliance**

 

Red Hat Insights

Red Hat Satellite

Configuration

Better known for compliance; knows the compatibility matrix, avoiding false positives.

Does not know the compatibility matrix.

OpenSCAP

Manual installation required, but can be simplified using Red Hat Connector.

Manual installation. Required to then automate the process.

Policy customisation

Can edit as needed within the compliance service. Cannot tailor value of a rule, but can tailor to include/exclude policies.

Can edit policy within OpenSCAP Workbench (UI) and can tailor the value of a rule.

Additional configuration

Each host will need OpenSCAP and RHEL security packages installed. Assign host to a policy.

Enable OpenSCAP on a capsule, assign an OpenSCAP capsule.

SCAP Import

Does not support any import/export functionality as of today.

SCAP content must be imported into Satellite Server before being applied in a policy.

**Focus area: Patching**

 

Red Hat Insights

Red Hat Satellite

Usage

Centralized view of impact of your entire state registered to Insights.

Robust content management and lifecycle management — not offered as part of Insights. Satellite would likely not be used to manage the same set of systems.

Capability

High-level; using subscription manager or yum, providing access to all appropriate packages on the Red Hat CDN.

Robust content and lifecycle management and is purpose-built for patching (and provisioning etc.) of RHEL. Content views to filter and curate available packages in Red Hat, third party and custom repos.

**Focus area: Remediations**

 

Red Hat Insights

Red Hat Satellite

Execution

Manual; download playbook and transfer to system with an Ansible setup. Can connect Red Hat Ansible Automation Platform or Tower to Insights, or use Red Hat Connector with RHEL 8.4+ to seamlessly interact directly with hosts; execute playbook button enabled.

Satellite configured with Red Hat Connector has  a remediate playbook button, and Satellite server can run the playbook at the click of a button on connected hosts.

Cloud connector required

No

Required to create connection between Satellite servers and Insights to remediate playbooks. Multiple satellites can be connected.

GUI access to Insights services

Available on Hybrid Cloud Console. Access to all Insights services.

Satellite GUI only displays Advisor service.

To summarize, Red Hat Insights and Red Hat  Satellite can help you to achieve your organization’s overall security goals. Combining Insights and Satellite through the use of Cloud Connector allows you to unlock a connected experience when managing your environment.

Learn more

*   Red Hat Insights: Predictive analytics for Red Hat Enterprise Linux
    
*   Automation analytics and Red Hat Insights for Red Hat Ansible Automation Platform
    
*   Save administrator time and effort by activating Red Hat Insights
    
*   Boost Red Hat Enterprise Linux efficiency with Red Hat Insights
    
*   Red Hat Satellite: How to obtain Insights Advisor recommendations

Streamlining IT security operations with Red Hat Insights and Red Hat Satellite

SWFTools commit 772e55a2 was discovered to contain a segmentation violation via gfxline_getbbox at /lib/gfxtools.c.

CVE-2022-35100: bug found in swftools-pdf2swf · Issue #182 · matthiaskramm/swftools

XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::readScan() at /xpdf/Stream.cc.

Hi, in the lastest version of this code \[ ps: commit id ffaf11c\] I found something unusual.

**crash sample**

8id103\_heap\_buffer\_overflow\_in\_readScan.zip

**command to reproduce**

./pdftops -q [crash sample] /dev/null

**crash detail**

    =================================================================
    ==115797==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fcb48dd5800 at pc 0x00000074635f bp 0x7ffcc31156f0 sp 0x7ffcc31156e8
    READ of size 4 at 0x7fcb48dd5800 thread T0
        #0 0x74635e in DCTStream::readScan() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18
        #1 0x7401e0 in DCTStream::reset() /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2257:7
        #2 0x68912e in Object::streamReset() /home/bupt/Desktop/xpdf/xpdf/./Object.h:282:13
        #3 0x68912e in Lexer::Lexer(XRef*, Object*) /home/bupt/Desktop/xpdf/xpdf/Lexer.cc:74:12
        #4 0x581714 in Gfx::display(Object*, int) /home/bupt/Desktop/xpdf/xpdf/Gfx.cc:641:33
        #5 0x6a76a1 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:360:10
        #6 0x6d5f6e in PSOutputDev::checkPageSlice(Page*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PSOutputDev.cc:3276:11
        #7 0x6a7172 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:328:13
        #8 0x6a6f81 in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/Page.cc:308:3
        #9 0x6af9b4 in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:384:27
        #10 0x6af9b4 in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/bupt/Desktop/xpdf/xpdf/PDFDoc.cc:397:5
        #11 0x796d81 in main /home/bupt/Desktop/xpdf/xpdf/pdftops.cc:342:10
        #12 0x7fcb4b949c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #13 0x41d5d9 in _start (/home/bupt/Desktop/xpdf/xpdf/pdftops+0x41d5d9)
    
    0x7fcb48dd5800 is located 0 bytes to the right of 131072-byte region [0x7fcb48db5800,0x7fcb48dd5800)
    allocated by thread T0 here:
        #0 0x4afba0 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7aa7fa in gmalloc /home/bupt/Desktop/xpdf/goo/gmem.cc:102:13
        #2 0x7aa7fa in gmallocn /home/bupt/Desktop/xpdf/goo/gmem.cc:168:10
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/xpdf/xpdf/Stream.cc:2549:18 in DCTStream::readScan()
    Shadow bytes around the buggy address:
      0x0ff9e91b2ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff9e91b2ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff9e91b2ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff9e91b2ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff9e91b2af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ff9e91b2b00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff9e91b2b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff9e91b2b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff9e91b2b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff9e91b2b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff9e91b2b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==115797==ABORTING

Tag

#pdf