Ankura CTIX FLASH Update - March 24, 2023
Wednesday, March 29, 2023

Malware Activity

Information-Stealer "BlackGuard" Variant Observed with Advanced Capabilities

Researchers have identified a new variant of "BlackGuard", an information-stealing malware first discovered in March 2022 being sold as malware-as-a-service (MaaS) in Russian-speaking forums. BlackGuard is known for its attempts at exfiltrating "cookies and credentials stored in web browsers, cryptocurrency wallet browser extension data, desktop crypto wallet data, information from messaging and gaming apps., email clients, and FTP or VPN tools." The active malware is constantly evolving, and the new variant has updated, advanced features. The malware now has the ability to propagate through removable devices, such as USBs, and automatically infect new machines. The BlackGuard variant can also establish persistence between system reboots by adding itself under the "Run" registry key as well as copying malware files with random names to every folder within the C: drive. Researchers explained that this capability may be to increase the difficulty of removing the malware, but also noted that it could just be for annoyance. The malware can also download additional payloads from the command-and-control (C2) server and "execute them directly in the breached computer's memory using the 'process hallowing' method" in order to bypass antivirus detection. Another new feature is a crypto wallet clipper module that replaces crypto addresses copied to the Windows clipboard with the operator's address. Additionally, BlackGuard has broadened its target scope to include fifty-seven (57) crypto browser extensions and wallets to attempt to exfiltrate the data and crypto assets. Additional technical details and indicators of compromise (IOCs) can be viewed in the report linked below.

Threat Actor Activity

North Korean Hackers Target German/South Korean Experts

Government agencies from Germany and South Korea issued a statement this week about a new campaign targeting experts of the Korean Peninsula. The group behind these attacks is a well-known North Korean threat organization tracked as Kimsuky, also known as Thallium or Konni Group. Active since 2012, this group initially focused on targeting assets from South Korea but has now shifted to include Russia, Europe, United States, and United Nations to their target list. Kimsuky consistently goes after intelligence from foreign policy and national security issues tied to the region, nuclear industry, and sanctions. These actors were also responsible for the 2014 Korean Nuclear Power Co. compromise alongside Operation Stolen Pencil, Operation Kabar Cobra, and Operation Smoke Screen, all which occurred between 2018 and 2019. The recent campaign unveiled that Kimsuky threat actors were spearphishing Korean experts by impersonating administrators. These email correspondences included a malicious payload where a Chromium-based extension was installed on the user’s device unknowingly. Once the user opened their respective mail application, the malicious code would harvest the user’s entire email inbox and upload it to actor-controlled command-and-control servers. CTIX continues to monitor threat actor activity globally and will provide additional updates accordingly.

Vulnerabilities

PoC Exploit Published on Github for Exploiting Critical Vulnerability in Veeam Backup & Replication Solution

A cross-platform proof-of-concept (PoC) exploit has been published on Github by researchers from Horizon3's Attack Team for a critical remote code execution (RCE) vulnerability affecting the digital security provider Veeam. Veeam Software is a US-based information technology company that develops backup, disaster recovery and modern data protection software for virtual, cloud-native, software-as-a-service (SaaS), Kubernetes and physical workloads. According to Veeam, its Veeam Backup & Replication (VBR) solution is very popular, leveraged by more than 450,000 customers across the world including "82% of Fortune 500 companies and 72% of Global 2,000." The flaw, tracked as CVE-2023-27532, exists in "Veeam.Backup.Service.exe", running on TCP port 9401 by default. It affects all VBR versions, and successful exploitation could allow unauthenticated threat actors to request encrypted credentials stored in the VeeamVBR configuration database. This would allow them to gain access to backup infrastructure hosts by exfiltrating the stolen credentials and gaining RCE with SYSTEM privileges. From there, the actors can move laterally across the network, drop malware, and exfiltrate sensitive data. This vulnerability was reported in February 2023, and was subsequently patched on March 7, 2023. CTIX analysts recommend that all VBR administrators ensure that they have updated their platform to prevent exploitation.  Veeam also published a workaround for customers who cannot immediately patch their systems. If taking their servers offline would create too much of a negative impact to critical business processes, administrators can protect their vulnerable servers from this exploit by blocking all non-critical external connections to TCP port 9401 through their firewall.

Honorable Mention

New Malicious ChatGPT Chrome Extension Targets Facebook Accounts

Google has removed a malicious version of the ChatGPT Chrome browser extension from its Web Store that was stealing Facebook session cookies to take over accounts. The trojanized version of the legitimate ChatGPT extension, called “ChatGPT for Google”, was originally uploaded to the Web Store on February 14, 2023, however the threat actor only started promoting it with Google Search advertisements on March 14, 2023. The extension had gained over 9,000 installations since March 14, 2023, and advertised the ability to improve search results when integrated. In actuality, the extension added code that covertly captured Facebook-related cookies and exfiltrated them to a remote server in an encrypted manner. The malware abuses the Chrome Extension API to acquire a list of the Facebook-related cookies before encrypting them using an AES key and attaching them to the X-Cached-Key HTTP header value. The stolen data is exfiltrated via a GET request to the attacker’s server which can then be decrypted, ultimately hijacking the victim’s Facebook sessions. Once the threat actor has the victim’s cookies, they can proceed to take control of their Facebook accounts, change the passwords, profile names, and pictures, and even use it to disseminate misinformation or extremist propaganda. The extension is communicating with the same infrastructure used in a previous Chrome add-on campaign that had amassed 4,000 installations before Google removed it from the Chrome Store earlier this month. The latest extension was a backup for when the earlier version was reported and removed. However, it’s likely that the threat actor will have a backup plan via another “parked” extension waiting to be published, facilitating the next wave of infections. This exploitation trend underscores how cybercriminals are adapting their campaigns to capitalize on the popularity of ChatGPT to distribute malware and stage opportunistic attacks.

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins