February 2024: Latest Malware, Vulnerabilities and Exploits


Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.

Our Picus CTI platform will enable you to identify threats targeting your region, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.

Top Threat Actors Observed in the Wild: February 2024

Here are the most active threat actors observed in the wild in February.

CISA Releases IOCs for Phobos Ransomware as a Service Group

The advisory released on February 29, 2024, by the FBI, CISA, and MS-ISAC outlines the threat of Phobos ransomware, which operates under a ransomware-as-a-service (RaaS) model [1]. Since May 2019, Phobos has been actively targeting sectors such as

  • state and local governments,
  • emergency services,
  • education, and
  • public healthcare.

This widespread targeting underscores the ransomware's capability to infiltrate and paralyze critical infrastructure and services.

Phobos affiliates gain initial access either through exposed Remote Desktop Protocol (RDP) services, which they locate with IP scanning tools and compromise by brute-forcing credentials, or through phishing campaigns that deliver the payload. Once inside, they deploy tools such as SmokeLoader to stage the ransomware, escalate privileges, and move laterally through the network, while evading detection by tampering with system settings (for example, disabling the host firewall and deleting volume shadow copies before encryption).

The core of the operation is the encryption of essential files followed by a ransom demand for the decryption key. To mitigate the threat, the advisory recommends securing and strictly limiting the use of RDP and any other remote desktop service (VPN plus MFA in front of it, no direct internet exposure), remediating known exploited vulnerabilities, and deploying Endpoint Detection and Response (EDR) tooling.

Phobos Ransomware IOCs

  • SHA256: 58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6
  • SHA256: f3be35f8b8301e39dd3dffc9325553516a085c12dc15494a5e2fce73c77069ed
  • SHA256: 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
  • SHA256: 32a674b59c3f9a45efde48368b4de7e0e76c19e06b2f18afb6638d1a080b2eb3
  • SHA256: 2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66

BlackCat Ransomware Group Targeting Finance and Healthcare Sectors

The ALPHV/BlackCat ransomware gang targeted the financial and mortgage lending sectors, claiming responsibility for breaches at Prudential Financial, a Fortune 500 insurer, and loanDepot, one of the largest U.S. nonbank retail mortgage lenders [2]. The incidents exposed the personal information of millions of people. ALPHV's theft of the data and its threat to sell or leak it illustrate the double-extortion pressure ransomware groups now apply to major financial institutions and their customers.

The finance sector was not BlackCat's only target; healthcare had its share of attacks as well. UnitedHealth Group confirmed that BlackCat/ALPHV was behind the February 21 cyberattack on its subsidiary Optum, which disrupted the Change Healthcare payment exchange platforms ([3], [4]). Change Healthcare handles billing for hospitals, clinics, and pharmacies across the U.S., so the outage interrupted prescription processing nationwide. The attack affected more than 100 applications and led to an immediate shutdown of the affected systems; at the time of writing, Change Healthcare is still restoring services.

On February 27, the FBI, CISA, and the Department of Health and Human Services (HHS) issued a joint warning to U.S. healthcare organizations about targeted ALPHV/BlackCat attacks [5]. BlackCat affiliates have also been reported to use the ConnectWise ScreenConnect authentication bypass CVE-2024-1709 for initial access; see the ScreenConnect section below and our dedicated blog post [9].

LockBit Ransomware Group Has Returned Within Four Days

On February 20, 2024, the UK National Crime Agency, together with nine other international law enforcement agencies, launched Operation Cronos against the LockBit ransomware group [6], a dominant operation responsible for 40% of ransomware attacks in the second half of 2023. The operation aimed to disrupt LockBit's criminal network, known for its Ransomware-as-a-Service (RaaS) model, double-extortion scheme, and reliance on Initial Access Brokers (IABs). LockBit's infrastructure, including its data leak sites, negotiation portals, and affiliate panels, was central to pressuring victims to pay by threatening to publish stolen data.

During Operation Cronos, law enforcement seized 34 servers in several countries and released a decryptor for LockBit 3.0 (Black), giving victims some relief. Data taken from the seized infrastructure showed that the group had 188 affiliates and held significant unspent Bitcoin in the seized wallets. The operation neither captured LockBitSupp, the persona behind LockBit, nor permanently dismantled the group's operations.

Just four days later, LockBitSupp announced that the infrastructure had been restored [7]. LockBit attributed its quick recovery to backup servers that did not run PHP, the component law enforcement reportedly exploited, and which Operation Cronos therefore left untouched. The rapid return shows how hard it is to inflict lasting damage on a well-prepared, decentralized ransomware operation, and underscores the challenge global law enforcement faces against adaptable groups: a takedown that leaves backups and affiliates in place buys weeks, not years.

Latest Vulnerabilities and Exploits in February 2024

In this section, we will provide information on the latest vulnerabilities and exploits being targeted by adversaries in the wild, the affected products, and the available patches.

CVE-2024-21412: Windows Defender SmartScreen Zero-Day Vulnerability

The vulnerability is rooted in a failure to apply the Mark-of-the-Web (MotW), the flag Windows attaches (as a Zone.Identifier alternate data stream) to files that originate from potentially untrusted sources such as internet downloads, WebDAV shares, and SMB shares. Normally a file downloaded from the web carries MotW, and Microsoft Defender SmartScreen checks the file's reputation and warns the user before it is allowed to run, whether the file is launched by another program or opened directly by the user. This check is a key defense against code executing without the user's knowledge or consent.

CVE-2024-21412 let attackers bypass that protection through a flaw in how Windows handles internet shortcuts (.URL files) [8]. The Water Hydra group distributed crafted .URL files via spear phishing and compromised websites; the shortcut chained to a second .URL file hosted on an attacker-controlled remote share, and the file ultimately launched did not carry MotW, so SmartScreen never evaluated it. As a result, the DarkMe malware ran without the usual security warning.

By sidestepping SmartScreen, Water Hydra could run its attack chain without alerting victims. The bypass abuses the assumption that a file without MotW is local and therefore trustworthy; the check only works if the flag is applied consistently, and the chained shortcut broke that consistency. Note that MotW also drives other protections, such as Office Protected View, so a MotW bypass weakens more than SmartScreen alone.
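As an added example (not code from the original post or from Trend Micro's research), the Python below parses an Internet Shortcut (.URL) file and a Zone.Identifier stream and flags the traits that made the Water Hydra shortcut dangerous: a target on a remote share, a shortcut that points to another shortcut, and an icon fetched from a remote share. The sample shortcut and stream contents, the host address, share and file names are constructed for the example.

```python
"""Added example: triage an Internet Shortcut (.URL) file and its Mark-of-the-Web.

Not code from the original post or from Trend Micro; the sample contents below
(host, share, file names) are constructed.
"""
import configparser
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Extensions that run code (or chain to another shortcut) when opened
PAYLOAD_SUFFIXES = (".exe", ".cmd", ".bat", ".js", ".vbs", ".hta", ".msi",
                    ".scr", ".dll", ".lnk", ".url")

# Constructed Zone.Identifier stream, as Windows writes it for a download
SAMPLE_ZONE_IDENTIFIER = "[ZoneTransfer]\nZoneId=3\nHostUrl=https://example.test/chart.zip\n"

# Constructed .URL file: the shortcut chains to a second .url on a WebDAV share
SAMPLE_SHORTCUT = "\n".join([
    "[InternetShortcut]",
    r"URL=\\203.0.113.5@80\share\update.url",     # hypothetical WebDAV UNC path
    r"IconFile=\\203.0.113.5@80\share\icon.ico",  # icon fetched from the same share
    "IconIndex=0",
])


def _ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (URL, IconFile, ZoneId)
    cp.read_string(text)
    return cp


def parse_zone_identifier(ads_text: str) -> Optional[int]:
    """Return ZoneId from a Zone.Identifier stream (3 = Internet), or None.

    SmartScreen only evaluates files that carry this stream; a file without it
    is treated as local. On Windows the stream is read from '<file>:Zone.Identifier'.
    """
    cp = _ini(ads_text)
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    try:
        return int(cp.get("ZoneTransfer", "ZoneId"))
    except ValueError:
        return None


def parse_internet_shortcut(url_text: str) -> Dict[str, str]:
    cp = _ini(url_text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def is_remote_path(target: str) -> bool:
    """True for UNC paths and file: URLs, i.e. anything fetched from a share."""
    parts = urlsplit(target)
    return target.startswith("\\\\") or parts.scheme.lower() == "file"


def shortcut_findings(url_text: str) -> List[str]:
    fields = parse_internet_shortcut(url_text)
    target = fields.get("URL", "")
    path = unquote(urlsplit(target).path or target).lower()
    findings = []
    if is_remote_path(target):
        findings.append("target on remote share")
    if path.endswith(".url"):
        findings.append("shortcut points to another shortcut")
    elif path.endswith(PAYLOAD_SUFFIXES):
        findings.append("target is an executable payload")
    if is_remote_path(fields.get("IconFile", "")):
        findings.append("IconFile on remote share")
    return findings


if __name__ == "__main__":
    print("ZoneId:", parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER))
    for finding in shortcut_findings(SAMPLE_SHORTCUT):
        print("-", finding)
```

A shortcut whose target or icon lives on a share is not malicious by itself, but it is exactly the shape that reaches out to attacker infrastructure before SmartScreen gets a say, so in mail-gateway or endpoint triage these findings are worth quarantining on sight.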

The Zero Day Initiative has published a video explaining the patch for CVE-2024-21412.

CVE-2024-1709 & CVE-2024-1708: ConnectWise ScreenConnect Vulnerability

ConnectWise has addressed two vulnerabilities, CVE-2024-1709 (authentication bypass, CVSS 10.0) and CVE-2024-1708 (path traversal, CVSS 8.4), that affect all on-premise ScreenConnect releases up to and including 23.9.7. The fix shipped in version 23.9.8 with an urgent security patch on February 19, 2024 [9]; cloud-hosted instances were patched by ConnectWise.

CVE-2024-1709 is an authentication bypass: a request for the setup wizard with an extra path segment appended (for example, /SetupWizard.aspx/ followed by any string) slips past the check that initial setup has already been completed. An unauthenticated attacker can then re-run the wizard, create a new administrative user, and gain full control of the instance, including arbitrary code execution through its management features.

CVE-2024-1708 is a path traversal in the handling of ZIP archives for ScreenConnect extensions: crafted entry paths escape the extension directory during extraction, letting an attacker write files anywhere the service account can. Exploiting it requires administrator privileges, which is why the two flaws are chained in the wild: the attacker creates an administrator account with CVE-2024-1709 and then uses it to upload a malicious extension ZIP that abuses CVE-2024-1708, dropping attacker-controlled files on the server.

ConnectWise's patch tightens access control on the setup wizard and adds path validation for ZIP extraction, so the wizard can no longer be reached once setup is complete and extracted files are confined to their intended directory, addressing the root cause of both issues.

Because both flaws are trivial to exploit, on-premise users should update to 23.9.8 immediately. Patching alone does not undo an existing compromise: review the user list for administrator accounts created since the patch date, the extensions directory for unexpected content, and the web server logs for requests to SetupWizard.aspx with a trailing path.

CVE-2023-22527: Atlassian Confluence Vulnerability Explained

A critical vulnerability, CVE-2023-22527, has been disclosed in Atlassian Confluence with a CVSS score of 10.0 [10]. It is a template injection flaw: certain Velocity template (.vm) files evaluate user-supplied parameters as Object-Graph Navigation Language (OGNL) expressions, and because OGNL can call arbitrary Java methods, an injected expression runs code on the server.

Affected products

  • Confluence Data Center and Server 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3

Fixed versions

  • Confluence Data Center and Server 8.5.4 (LTS)
  • Confluence Data Center 8.6.0 or later (Data Center only)
  • Confluence Data Center 8.7.1 or later (Data Center only)

Older versions of Confluence Data Center and Server are therefore exposed to unauthenticated remote code execution (RCE). An attacker sends a request to a template that accepts user input without sanitization; the injected OGNL expression is evaluated, and arbitrary code runs on the host.

The known exploitation path targets specific .vm templates that mishandle user-supplied input. The vulnerability was pinpointed in /confluence/template/aui/text-inline.vm, where a parameter intended for a legitimate page function is passed straight into OGNL evaluation. Because these templates are never meant to be requested directly by clients, a request for a /template/...vm path, particularly from an external address, is a strong hunting indicator.

Atlassian has released updates, starting with version 8.5.4, that fix the issue by sanitizing user input and removing or securing the affected template files. There is no workaround for this flaw; upgrading is the only complete fix, and instances that were internet-exposed while unpatched should be treated as possibly compromised and reviewed.
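The two hunting indicators above, the SetupWizard.aspx trailing-path pattern from the ScreenConnect section and the direct .vm template request from the Confluence section, share one log parser, so here is a single added example that covers both. It is not ConnectWise, Atlassian, or Picus code; the access-log lines, addresses, and timestamps are constructed, and the version helpers encode the affected ranges stated above.

```python
"""Added example: hunt for CVE-2024-1709 and CVE-2023-22527 exploitation attempts
in web-server access logs, plus affected-version checks for both products.

Not ConnectWise, Atlassian or Picus code; the log lines below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Common/NCSA-style access log line (constructed format for the example)
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# CVE-2024-1709: the only legitimate path is exactly /SetupWizard.aspx; a trailing
# slash with anything (or nothing) after it is the bypass pattern described above.
SETUP_WIZARD_RE = re.compile(r"^/setupwizard\.aspx/", re.IGNORECASE)
# CVE-2023-22527: Velocity templates are server-side files that clients never
# request directly, so any such request is worth a look (text-inline.vm especially).
VM_TEMPLATE_RE = re.compile(r"^(?:/confluence)?/template/[^?]+\.vm(?:\?|$)", re.IGNORECASE)

RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("CVE-2024-1709", SETUP_WIZARD_RE),
    ("CVE-2023-22527", VM_TEMPLATE_RE),
]

SAMPLE_LOG = """\
198.51.100.7 - - [20/Feb/2024:10:01:03 +0000] "GET /SetupWizard.aspx/ HTTP/1.1" 200 5120
198.51.100.7 - - [20/Feb/2024:10:01:05 +0000] "POST /SetupWizard.aspx/x HTTP/1.1" 302 0
10.0.0.12 - - [20/Feb/2024:10:02:00 +0000] "GET /SetupWizard.aspx HTTP/1.1" 200 5120
10.0.0.12 - - [20/Feb/2024:10:02:30 +0000] "GET /Host HTTP/1.1" 200 8342
203.0.113.9 - - [20/Feb/2024:11:15:42 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 310
10.0.0.15 - - [20/Feb/2024:11:16:00 +0000] "GET /display/ENG/Home HTTP/1.1" 200 19880
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (rule, source address, request path) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # unparseable line; count these in a real deployment
        for rule, pattern in RULES:
            if pattern.search(rec["path"]):
                hits.append((rule, rec["src"], rec["path"]))
    return hits


def version_tuple(version: str) -> Tuple[int, ...]:
    """'23.9.7.8783' -> (23, 9, 7); only the first three components matter here."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def screenconnect_vulnerable(version: str) -> bool:
    """CVE-2024-1709/1708: 23.9.7 and earlier are affected; 23.9.8 is the fix."""
    return version_tuple(version) <= (23, 9, 7)


def confluence_vulnerable(version: str) -> bool:
    """CVE-2023-22527: 8.0.x through 8.5.3, per the affected list above."""
    return (8, 0, 0) <= version_tuple(version) <= (8, 5, 3)


if __name__ == "__main__":
    for rule, src, path in hunt(SAMPLE_LOG):
        print(f"{rule}: {src} requested {path}")
```

Note that the plain GET /SetupWizard.aspx in the sample is deliberately not flagged: the exact path is what a legitimate first-time installation requests, and only the trailing-segment form defeats the "setup already completed" check.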

Recent Malware Attacks in February 2024

In February 2024, a variety of malware attacks were recorded, highlighting the persistent threat landscape. Below is a detailed list of the active malware incidents for the month. For those seeking a more comprehensive analysis or interested in the Indicators of Compromise (IOCs), please refer to the respective sections within this blog.

  • Fileless Revenge RAT Malware

  • DarkMe RAT and DarkMe RAT Loader Malware

  • TicTacToe Malware Dropper

  • Nood RAT Malware

Fileless Revenge RAT Malware

Revenge RAT is a commodity remote access trojan; in this campaign it is delivered in a fileless manner that makes detection and clean-up harder. The infection chain starts with trojanized copies of legitimate tools, smtp-verifier and Email-To-Sms, which bundle the malware so that its activity is hidden behind the tools' expected behaviour [11].

The trojanized tool first drops and runs a file named Setup.exe with the hidden attribute set, so it does not appear in Windows Explorer under default settings. Setup.exe in turn creates further components, including a hidden file named svchost.exe that is registered in the registry for persistence. (A quick check: a legitimate svchost.exe lives only in %SystemRoot%\System32 or SysWOW64 and is never hidden.)

These components connect to a command-and-control server disguised as a legitimate blog, download and execute further payloads, and finally deploy Revenge RAT itself. The RAT collects and exfiltrates system and user details, the installed antivirus and firewall products, and more.

To evade antivirus, the malware abuses the CMSTP utility (cmstp.exe) to launch its payload and adds its own files to the Windows Defender exclusion list. The end goal is to run Revenge RAT in memory only. The campaign is a reminder to download open-source and other freely available tools only from their official sources, to verify published hashes, and to alert on new Defender exclusions and on cmstp.exe spawning unexpected children.

Revenge RAT Malware IOCs

  • MD5 (Revenge RAT): d1af87e121d55230353cbad9b7024fae
  • MD5 (Setup.exe): 6d5ad2adce366350200958c37f08a994
  • MD5 (Setup.exe): 914ec5019485543bb2ec8edcacd662a7
  • MD5 (smtp-verifier.exe): 42779ab18cf6367e7b91e621646237d1
  • MD5 (Email To Sms V8.1.exe): fb34fe9591ea3074f048feb5b515eb61

DarkMe RAT and DarkMe RAT Loader Spreading via CVE-2024-21412

The DarkMe loader and RAT are the malware used by the Water Hydra APT group (a.k.a. DarkCasino) [12], which targets the financial industry, including banks, cryptocurrency platforms, forex and stock trading platforms, and gambling sites.

Both binaries are heavily obfuscated and are used in carefully staged campaigns that compromise systems, evade defenses such as Microsoft Defender SmartScreen, and execute a broad range of commands for financial espionage and data exfiltration.

The DarkMe loader is a Win32 DLL compiled with Microsoft Visual Basic 6. On execution it assembles the DarkMe payload by concatenating the contents of two files, a1 and a2, into "C:\Users\admin\AppData\Roaming\OnlineProjects\OnlineProject.dll" (the user name is that of the analysis machine).

The loader keeps key strings hex-encoded in the binary and decodes them at run time. It then builds and runs reg.exe commands that import registry settings from a file named kb.txt, registering the DarkMe payload as a COM server so that it can later be loaded by its CLSID.
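As an added example of the check a responder would run on such a registry import (not code from the original post or from Trend Micro, and kb.txt's real contents are not on this page), the Python below parses .reg-format text and flags COM server registrations that look like self-registration by a dropped payload: a per-user (HKCU) registration, or a server DLL that lives in a user-writable directory. The CLSID, paths, and values in the sample are constructed.

```python
"""Added example: audit a .reg file for suspicious COM server registrations.

Not code from the original post or from Trend Micro; the .reg text, CLSID and
paths below are constructed (kb.txt's real contents are not on this page).
"""
import re
from typing import Dict, List

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
SERVER_SUBKEYS = ("\\inprocserver32", "\\localserver32")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

SAMPLE_CLSID = "{00000000-1111-2222-3333-444444444444}"  # placeholder CLSID
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\" + SAMPLE_CLSID + "]",
    '@="OnlineProject"',
    "",
    "[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\" + SAMPLE_CLSID + "\\InprocServer32]",
    r'@="C:\\Users\\admin\\AppData\\Roaming\\OnlineProjects\\OnlineProject.dll"',
    '"ThreadingModel"="Apartment"',
    "",
    # Benign-looking HKLM registration under System32, for contrast
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InprocServer32]",
    r'@="C:\\Windows\\System32\\example.dll"',
])


def reg_unescape(data: str) -> str:
    """Turn a quoted, backslash-escaped .reg string into its raw value;
    non-string data (dword:, hex:, ...) passes through unchanged."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map each registry key to its {value name: data}; '@' is the default value.
    Multi-line hex continuations and [-key] deletions are out of scope here."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name = value_match.group("name")
            name = "@" if name == "@" else reg_unescape(name)
            keys[current][name] = reg_unescape(value_match.group("data"))
    return keys


def com_server_findings(text: str) -> List[str]:
    """Flag InprocServer32/LocalServer32 entries that look like a dropped payload
    registering itself: per-user hive, or a server binary in a user-writable path."""
    findings = []
    for key, values in parse_reg(text).items():
        if not key.lower().endswith(SERVER_SUBKEYS):
            continue
        server = values.get("@", "")
        reasons = []
        if key.upper().startswith("HKEY_CURRENT_USER\\"):
            reasons.append("per-user (HKCU) COM registration")
        if any(marker in server.lower() for marker in USER_WRITABLE):
            reasons.append("server binary in a user-writable path")
        if reasons:
            findings.append(f"{key} -> {server}: " + "; ".join(reasons))
    return findings


if __name__ == "__main__":
    for finding in com_server_findings(SAMPLE_REG):
        print(finding)
```

The same two heuristics apply to a live system: enumerate HKCU\Software\Classes\CLSID\*\InprocServer32 and compare the default values against HKLM, since a per-user entry silently takes precedence over the machine-wide one for that CLSID.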

DarkMe RAT Loader Malware IOCs (via VirusTotal)

  • SHA1: d41c5a3c7a96e7a542a71b8cc537b4a5b7b0cae7
  • SHA256: bf9c3218f5929dfeccbbdc0ef421282921d6cbc06f270209b9868fc73a080b8c

The DarkMe RAT is the final module delivered in this chain. Also compiled with Microsoft Visual Basic 6, it carries heavier obfuscation and more junk code than the loader. The DLL talks to its command-and-control (C&C) server over a custom TCP protocol. On start-up it collects the computer name, user name, installed antivirus product, and active window title, and registers the victim with the C&C server. Network I/O is driven through a hidden window named SOCKET_WINDOW created with the CreateWindowEx API.

The RAT supports various functionalities, including directory enumeration, shell command execution, directory creation and deletion, system drive information retrieval, and ZIP file generation. The C&C registration packet structure and periodic heartbeat traffic ensure ongoing communication between the RAT and the attacker.

DarkMe RAT Malware IOCs (via VirusTotal)

  • SHA1: a2ba225442d7d25b597cb882bb400a3f9722a5d4
  • SHA256: d123d92346868aab77ac0fe4f7a1293ebb48cf5af1b01f85ffe7497af5b30738

The TicTacToe Dropper Malware Evading Detection

The "TicTacToe dropper" is a malware delivery framework that distributed a variety of payloads throughout 2023, reaching victims through phishing emails with .iso attachments (a container format that, until recent Windows changes, did not propagate the Mark-of-the-Web to the files inside). It is named for a Polish-language string found in its code, Kolko_i_krzyzyk (tic-tac-toe) [13], and is built to evade detection with multiple layers of obfuscation and memory-only loading of its payloads.

The initial executable (for example 'ALco.exe') sequentially unpacks obfuscated .NET DLLs ('Hadval.dll', then 'cruiser.dll', and finally 'Farinell2.dll') and loads each directly in memory, so the intermediate stages never touch disk and leave little for file-based antivirus to scan.

The final payload has varied and has included remote access tools and information stealers such as Leonem, AgentTesla, and LokiBot, pointing to a broad range of criminal objectives from espionage to credential theft and system compromise.

The victims of this campaign have been diverse, indicating that the attackers behind the TicTacToe dropper have wide-ranging objectives and targets, leveraging the dropper's versatility and stealth to infect multiple victims across different sectors.

TicTacToe Malware IOCs (via Fortinet)

  • SHA1: b6914b8fa3d0b67eb6173123652b7f0682cd24fb
  • SHA1: 90624ba95243c7ec20730a101cad6966e75df675
  • SHA1: 4a5b3465ef2298392b60ec78da233287185eb7dd
  • SHA1: 15b3c9768a67ce0d09807627f1939c7165a3fede
  • SHA1: af14b44a1bdbf96b8fec28236f152d410c91e807
  • SHA256: 69dfa8c16879ab1c6c3bb738619dabe9660f2376cb15051ce55e465680e4f67f
  • SHA256: 3af5c0843b016faa6129e40b696565d4117b48fd6750164ac4a0f307ef3d6a36
  • SHA256: 8fe52481cdabec8900f78cab1d673dbb1bde3366d9347a89c2ea8e2e74ab01b4
  • SHA256: 0239bc35516d6d3680c64f7a5a5a40801c7b0ea4db8a80718e4774687c565af3
  • SHA256: 349fada4859b8ffa4c690af723daa16669d6fa2b9f5ec51111adee2e8cb63748

Nood RAT Malware

Nood RAT is a Linux variant of the well-known Gh0st RAT and has been used in attacks since it was first observed in 2018 [14]. Gh0st RAT was originally written by the Chinese C. Rufus Security Team; after its source code was published, many variants appeared, Nood RAT among them. Although the Windows variants are far more common, Nood RAT is a real threat to Linux servers.

Nood RAT intrusions typically begin with the exploitation of a vulnerable service, notably Oracle WebLogic via CVE-2017-10271. The same entry point was used in the earlier Cloud Snooper campaign, which installed backdoors to take control of AWS-hosted servers.

Once running, Nood RAT renames itself to look like a legitimate process. It decrypts its configuration, which contains the C&C server addresses, an activation time, and the communication interval, with RC4 at run time, so the values are not visible in the binary on disk and the malware can stay dormant until the configured time to avoid network detection.

Its capabilities are extensive: remote command execution, file management, proxying, and port forwarding, which let operators steal data, run further commands, and use the infected host as a pivot for lateral movement inside the target network.
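The RC4 step above is simple enough to show in full. The following is an added example, not code from the original post or from AhnLab's analysis: a plain RC4 implementation, a decryption of a constructed configuration blob laid out as key=value lines, and a small key-trial routine of the kind an analyst uses when the key has to be recovered from strings in the binary. The key, the layout, and the values are constructed; Nood RAT's real key and configuration format are not on this page.

```python
"""Added example: RC4 key scheduling/PRGA and decryption of an RC4-protected
configuration blob laid out as key=value lines.

Not code from the original post or from AhnLab; the key, layout and values are
constructed. Nood RAT's real key and configuration format are not on this page.
"""
from typing import Dict, Iterable


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), keystream XORed with the data
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out[n] = byte ^ S[(S[i] + S[j]) & 0xFF]
    return bytes(out)


# Constructed configuration: a C&C address, an activation time and a beacon
# interval, the three items the text says the real config carries.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_PLAINTEXT = b"c2=203.0.113.77:443\nactivate=2024-02-01 00:00\ninterval=300\n"
SAMPLE_CONFIG_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)  # as it would sit in the binary


def parse_config(blob: bytes, key: bytes) -> Dict[str, str]:
    """Decrypt a config blob and split it into fields. A wrong key almost always
    yields bytes that are not valid UTF-8 or contain no key=value lines, and
    either case raises, which is what the key-trial routine below relies on."""
    text = rc4(key, blob).decode("utf-8")
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            fields[name.strip()] = value.strip()
    if not fields:
        raise ValueError("no fields recovered; wrong key or wrong layout")
    return fields


def try_keys(blob: bytes, candidates: Iterable[bytes]) -> Dict[bytes, Dict[str, str]]:
    """Try candidate keys (e.g. strings lifted from the binary) against a blob and
    keep the ones that yield a readable config."""
    found = {}
    for key in candidates:
        try:
            found[key] = parse_config(blob, key)
        except (UnicodeDecodeError, ValueError):
            continue
    return found


if __name__ == "__main__":
    for name, value in parse_config(SAMPLE_CONFIG_BLOB, SAMPLE_KEY).items():
        print(f"{name} = {value}")
```

RC4 offers the malware author no integrity and, with a static key embedded in the binary, no real confidentiality either; its only purpose here is to keep the C&C address out of a strings dump, which is why recovering the key from the sample and decrypting the configuration is usually the fastest route to network indicators.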

Nood RAT Malware IOCs (via AlienVault)

  • MD5: b4910e998cf58da452f8151b71c868cb
  • MD5: 035f83018cf96f5e1f6817ccd39fc0b6
  • MD5: 4f3afdcfff8f7994b7d3d3fbaa6858b4
  • MD5: a15ebd19cac42b0297858018da62b1be
  • MD5: c440bd814be37fac669567131c4ba996
  • MD5: 75838e5d481da40db2e235a6d5a222ef
  • MD5: 905c2158fadfe31850766f010e149a0f
  • MD5: 8457f71c6a5fe83bb513d1dfba99271a
  • SHA256: c830a233f716416e3754e46aa70e049d10989a48028f3879d425c3851c4dd761
  • SHA256: bf1b88385aebb37182421e967749f057fbefb4e4386bb47b5098abac7c70c476
  • SHA256: 8ec87dee13de3281d55f7d1d3b48115a0f5e4a41bfbef1ea08e496ac529829c8
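The hash IOCs in this post (Phobos, Revenge RAT, DarkMe, TicTacToe, and Nood RAT above) are only useful once they are run against real file systems, so here is an added example of that sweep. It is not code from the original post: it hashes every regular file under a directory once, computing MD5, SHA-1, and SHA-256 in the same pass, and reports matches against a hash set. The IOC values are copied from the tables above (a subset; extend it with the full lists), and the files created by demo() are constructed stand-ins.

```python
"""Added example: hash every file under a directory once and match the digests
against the hash IOCs listed in this post.

Not code from the original post; the IOC values are copied from the tables above
(a subset, extend as needed) and the files created by demo() are constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Set, Tuple

ALGORITHMS = ("md5", "sha1", "sha256")

# Subset of the hashes listed in the IOC sections above
IOC_HASHES: Dict[str, Set[str]] = {
    "md5": {
        "d1af87e121d55230353cbad9b7024fae",  # Revenge RAT
        "b4910e998cf58da452f8151b71c868cb",  # Nood RAT
    },
    "sha1": {
        "d41c5a3c7a96e7a542a71b8cc537b4a5b7b0cae7",  # DarkMe loader
        "a2ba225442d7d25b597cb882bb400a3f9722a5d4",  # DarkMe RAT
    },
    "sha256": {
        "58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6",  # Phobos
        "f3be35f8b8301e39dd3dffc9325553516a085c12dc15494a5e2fce73c77069ed",  # Phobos
        "bf9c3218f5929dfeccbbdc0ef421282921d6cbc06f270209b9868fc73a080b8c",  # DarkMe loader
        "d123d92346868aab77ac0fe4f7a1293ebb48cf5af1b01f85ffe7497af5b30738",  # DarkMe RAT
        "c830a233f716416e3754e46aa70e049d10989a48028f3879d425c3851c4dd761",  # Nood RAT
    },
}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute all three digests in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_digests(digests: Dict[str, str], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (algorithm, digest) pairs that appear in the IOC set."""
    return [(algo, d.lower()) for algo, d in digests.items()
            if d.lower() in iocs.get(algo, set())]


def sweep(root: str, iocs: Optional[Dict[str, Set[str]]] = None) -> List[Tuple[str, str, str]]:
    """Walk a tree and return (path, algorithm, digest) for every IOC match.
    Symlinks are skipped so the sweep cannot be steered out of the tree."""
    iocs = IOC_HASHES if iocs is None else iocs
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable file; log this in a real deployment
            for algo, digest in match_digests(digests, iocs):
                hits.append((path, algo, digest))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Create a scratch tree with a constructed 'known bad' file and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "sub", "sample.bin")
        os.makedirs(os.path.dirname(bad))
        with open(bad, "wb") as fh:
            fh.write(b"abc")  # constructed stand-in, not real malware
        with open(os.path.join(tmp, "clean.txt"), "wb") as fh:
            fh.write(b"hello")
        demo_iocs = {"sha256": {hash_file(bad)["sha256"]}}
        return [(os.path.relpath(p, tmp), a, d) for p, a, d in sweep(tmp, demo_iocs)]


if __name__ == "__main__":
    for path, algo, digest in demo():
        print(f"{path}: {algo} {digest}")
```

Treat a hash match as confirmation, not as the primary detection: a recompiled or repacked sample changes every digest, so the behavioural indicators in each section (hidden Setup.exe and svchost.exe, new Defender exclusions, per-user COM registrations, direct requests to template files) catch far more than the hashes alone.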

References

[1] “#StopRansomware: Phobos Ransomware,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a. [Accessed: Feb. 29, 2024]

[2] S. Gatlan, “ALPHV ransomware claims loanDepot, Prudential Financial breaches,” BleepingComputer, Feb. 16, 2024. Available: https://www.bleepingcomputer.com/news/security/alphv-ransomware-claims-loandepot-prudential-financial-breaches/. [Accessed: Feb. 28, 2024]

[3] I. Arghire, “State-Sponsored Group Blamed for Change Healthcare Breach,” SecurityWeek, Feb. 26, 2024. Available: https://www.securityweek.com/state-sponsored-group-blamed-for-change-healthcare-breach/. [Accessed: Feb. 28, 2024]

[4] J. Lyons, “ALPHV/BlackCat responsible for Change Healthcare cyberattack,” The Register, Feb. 26, 2024. Available: https://www.theregister.com/2024/02/26/alphv_healthcare_unitedhealth/. [Accessed: Feb. 28, 2024]

[5] S. Gatlan, “FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks,” BleepingComputer, Feb. 27, 2024. Available: https://www.bleepingcomputer.com/news/security/fbi-cisa-warn-us-hospitals-of-targeted-blackcat-ransomware-attacks/. [Accessed: Feb. 28, 2024]

[6] E. Kovacs, “Law Enforcement Hacks LockBit Ransomware, Delivers Major Blow to Operation,” SecurityWeek, Feb. 20, 2024. Available: https://www.securityweek.com/law-enforcement-hacks-lockbit-ransomware-delivers-major-blow-to-operation/. [Accessed: Feb. 28, 2024]

[7] H. C. Yuceel, “LockBit Returns: Lessons Learned From Operation Cronos,” Feb. 27, 2024. Available: https://www.picussecurity.com/resource/blog/lockbit-returns-lessons-learned-from-operation-cronos. [Accessed: Feb. 28, 2024]

[8] “CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day,” Trend Micro, Feb. 13, 2024. Available: https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html. [Accessed: Feb. 28, 2024]

[9] S. Özeren, “CVE-2024-1709 & CVE-2024-1708: ConnectWise ScreenConnect Vulnerability Exploitations,” Feb. 27, 2024. Available: https://www.picussecurity.com/resource/blog/cve-2024-1709-cve-2024-1708-connectwise-screenconnect-vulnerability-exploitations. [Accessed: Feb. 28, 2024]

[10] “Unveiling Atlassian Confluence Vulnerability CVE-2023-22527: Understanding and Mitigating Remote Code Execution Risks,” Trend Micro, Feb. 07, 2024. Available: https://www.trendmicro.com/en_us/research/24/b/unveiling-atlassian-confluence-vulnerability-cve-2023-22527--und.html. [Accessed: Feb. 28, 2024]

[11] Eswar, “Fileless Revenge RAT Abuses Legitimate Tools to Hide Malicious Activity,” GBHackers on Security, Feb. 13, 2024. Available: https://gbhackers.com/fileless-revenge-rat-legitimate-tools/. [Accessed: Feb. 28, 2024]

[12] “CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day,” Trend Micro, Feb. 13, 2024. Available: https://www.trendmicro.com/tr_tr/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html. [Accessed: Feb. 28, 2024]

[13] A. Gat and M. Robson, “TicTacToe Dropper,” Fortinet Blog, Feb. 14, 2024. Available: https://www.fortinet.com/blog/threat-research/tictactoe-dropper. [Accessed: Feb. 28, 2024]

[14] Sanseo, “Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT’s Variant),” ASEC BLOG, Feb. 26, 2024. Available: https://asec.ahnlab.com/en/62144/. [Accessed: Feb. 28, 2024]