Cybersecurity threats to organizations’ regular operations and infrastructure are increasing rapidly, prompting leaders to become more aware of potential deficiencies in their company’s overall cybersecurity strategy. Threat hunt queries are a key strategy Marcum Technology’s Security Operations team uses to identify potential threats in the client’s environment. In the past month, SaaS malware has become even more sophisticated as it proliferates across diverse networks via increasingly clever methods of initial access and evasion.
Below are the top five threats from the past month that your organization should monitor:
1. NullMixer
Officials have observed a new malware dropper, NullMixer, being used to infect Windows devices with as many as a dozen malware families at once. The main infection vector is the promotion of fake software cracks on malicious sites that rank in Google Search results. Acting as a “funnel,” the dropper can launch as many as two dozen different infections on a single device, including password stealers, backdoor RATs, spyware, bankers, fake system cleaners, clipboard readers, and crypto miners. Attempting to download from one of these sites redirects to another malicious site that drops a password-protected ZIP file containing NullMixer.
There does not currently seem to be a phishing campaign backing NullMixer, but that does not mean it could not be delivered just as easily by one. Searching Google for “software crack” is the most common way users are led to this malware. NullMixer’s purpose is not yet known; however, it could grow into a persistent, powerful threat. Its disguise as a software crack may be compensating for an inability to slip past a system’s antivirus on its own, although this could change down the road.
2. SmokeLoader
Patching vulnerabilities is a critical part of threat mitigation, but it is not always possible when a business relies on outdated software or when upgrading is prohibitively expensive. Either way, known vulnerabilities stay open and the attack surface grows. Consider, for example, CVE-2017-0199 and CVE-2017-11882: both are over five years old but are still actively exploited.
Enter SmokeLoader, also known as Dofoil, a malware family that exploits these CVEs. It has been around since 2011, when it was sold by a member named SmokeLdr on the underground portals grabberz[.]com and xaker[.]name. It is used primarily to distribute other malware families such as Trickbot, and it was recently observed deploying zgRAT, a less common payload that nevertheless includes functions for stealing sensitive data.
The latest iteration of SmokeLoader begins its attack like so many others: with a phishing email. The email urges the recipient to review a purchase order and confirm that the shipping dates are correct. Its text is a mix of Chinese and English, and it includes a signature and contact details to appear as legitimate as possible. It was initially sent to a webmail address owned by a large telecommunications company in Taiwan, with an attached file named ‘Purchase Order FG-20220629.xlsx’ that starts the infection process when opened.
The recipient sees a pixelated image and fake Microsoft instructions on viewing protected content. A lock icon on the second sheet indicates an encrypted or protected sheet, and Didier Stevens’ oledump shows an encrypted stream in the file. Another of Stevens’ tools, msoffcrypto-crack.py, reveals the password “VelvetSweatshop” (the built-in default password that Excel tries automatically, so the workbook opens without ever prompting the user). The decrypted stream then attempts to download ‘receipt.doc’, which bypasses most mitigation measures and in turn downloads SmokeLoader.
3. Caffeine PhaaS
A low-cost phishing-as-a-service (PhaaS) platform called Caffeine is being used by cybercriminals. The toolkit has an open registration process and templates that let almost anyone with an email address arrange a phishing campaign. It also lets operators manage redirect pages, dynamically generate the URLs that host the payloads, and track the success of their campaigns.
According to a blog post by Mandiant, the general techniques for deployment are “compromised web administrator user accounts, exploitation of vulnerabilities in web infrastructure platforms and technologies, and the abuse of web applications configured in a vulnerable way. The attacker’s ultimate goal is to achieve file-write capabilities on hosted web infrastructure. Once this is achieved, they simply upload the files from their kit, and ensure all relevant dependencies are resolved.” If all of these steps succeed, the final lure presents as a Microsoft 365 login page. As with most phishing threats, organizations can take several measures to defend against Caffeine: periodically check public-facing web infrastructure for signs of compromise; apply behavioral analytics to URLs in web logs; maintain strong policies for credential use and renewal; and require MFA on every account that accesses the enterprise environment from an external source.
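One way to act on the first of those measures, written here as an added example and not Mandiant’s or Caffeine’s code: baseline a web root’s file hashes, then report anything added, modified or deleted, flagging new server-side scripts and rewrite rules of the kind a dropped kit introduces. The web root, its files and the simulated compromise are all constructed inline; the `KIT_LIKE` extension list is an assumption to tune per site.

```python
import hashlib, os, tempfile

# Server-side scripts and rewrite rules are what a dropped phishing kit adds to a static web root.
KIT_LIKE = (".php", ".phtml", ".php5", ".cgi", ".htaccess")

def hash_tree(root: str) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests

def diff_baseline(baseline: dict, current: dict) -> dict:
    """Compare two hash_tree() snapshots; flag additions whose names look like kit files."""
    added = sorted(set(current) - set(baseline))
    return {
        "added": added,
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
        "kit_like": [p for p in added if p.lower().endswith(KIT_LIKE)],
    }

def _write(path: str, text: str, mode: str = "w") -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(text)

def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, simulate a compromise, re-check."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "index.html"), "<h1>Welcome</h1>")
        _write(os.path.join(root, "assets", "site.css"), "body{}")
        baseline = hash_tree(root)  # snapshot taken while the site is known-good
        # Simulated compromise: a kit page and a redirect rule appear, index.html is edited.
        _write(os.path.join(root, "assets", "auth", "login.php"), "<?php /* constructed placeholder */ ?>")
        _write(os.path.join(root, ".htaccess"), "RewriteEngine On")
        _write(os.path.join(root, "index.html"), "<!-- altered -->", mode="a")
        return diff_baseline(baseline, hash_tree(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

In production the baseline is stored off-host (an attacker with file-write access can edit a local one) and the check runs on a schedule, alerting on any non-empty `added`, `modified` or `kit_like` list.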
4. IcedID New Attack Chains
IcedID remains a persistent threat, and the attackers behind it continually refine it to diversify their possible entry points depending on the target. Recently they have tested different attack chains to evaluate which to use going forward. IcedID began in 2017 as a modular banking trojan but is now a prolific and powerful multifunction malware dropper used to gain an initial foothold in corporate networks before deploying more powerful payloads.
Often the IcedID operator sells that access to another group or criminal, who then uses the established beachhead to pursue their own goals and launch deeper attacks into the environment. So far, many different initial access methods, all delivered via phishing, have been observed, ranging from ISO files and archives to documents with macros.
IcedID is known for its ability to remain undetected. Diligence on the part of end users remains the most important factor in preventing infection through the various phishing methods used.
5. LockBit 3.0
The analysis team at the AhnLab Security Emergency Response Center (ASEC) has identified that LockBit 3.0 ransomware is being distributed via Word documents. The specific distribution channel has not yet been identified, but since the file names are personal names, for example ‘Lim Gyu Min.docx’ or ‘Jeon Chae Rin.docx,’ they were likely disguised as job applications. When a user is fooled into downloading the .docx, the ransomware comes along with it packaged as an NSIS installer (Nullsoft Scriptable Install System, a scripting language that declares an installer’s logic and tasks, typically the files and folders to install and any Windows registry actions).
This threat is yet another example of how Microsoft Office documents, PDFs, and image files can carry embedded threats in hidden scripts that anti-malware engines do not always detect. To reduce risk and ensure files contain no hidden threats, it is best to remove any embedded objects using a methodology called content disarm and reconstruction (CDR), also known as data sanitization. CDR treats every file as malicious, strips and rebuilds each one, and delivers a fully usable file with only safe content.
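As an added illustration of the CDR idea (example code written for this page, not ASEC’s or Marcum Technology’s tooling), the following Python script rebuilds a .docx without its embedded OLE objects, VBA project or ActiveX parts and removes the package references to them, so the document keeps its text but can no longer carry a payload such as an embedded installer. The sample document it works on is constructed inline with abbreviated XML; a real CDR product also re-encodes images, handles links and metadata, and covers the other formats named above.

```python
import io, posixpath, re, zipfile
DANGEROUS_PART = re.compile(r"^word/(embeddings/|activeX/|vbaProject\.bin$|vbaData\.xml$)")  # foreign/executable parts

def _points_at_removed(rel: bytes, rels_name: str, removed: list) -> bool:
    m = re.search(rb'Target="([^"]+)"', rel)  # does this <Relationship/> point at a dropped part?
    target = m.group(1).decode() if m else ""
    base = rels_name.split("_rels/")[0]  # "word/_rels/document.xml.rels" -> "word/"
    full = target[1:] if target.startswith("/") else posixpath.normpath(base + target)
    return full in removed

def disarm_docx(data: bytes) -> tuple:
    """Rebuild a .docx without embeddings/VBA/ActiveX; return (bytes, removed part names)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    removed = [n for n in src.namelist() if DANGEROUS_PART.match(n)]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in removed:
                continue
            content = src.read(name)
            if name.endswith(".rels"):  # cut relationships that pointed at removed parts
                content = re.sub(rb"<Relationship\b[^>]*?/>", lambda m: b"" if
                                 _points_at_removed(m.group(0), name, removed) else m.group(0), content)
            elif name == "[Content_Types].xml":  # and their content-type overrides
                for part in removed:
                    content = re.sub(rb'<Override\b[^>]*PartName="/' + re.escape(part.encode())
                                     + rb'"[^>]*/>', b"", content)
            elif name == "word/document.xml":  # <w:object> is the body-side reference to the OLE part
                content = re.sub(rb"<w:object\b.*?</w:object>", b"", content, flags=re.S)
            dst.writestr(name, content)
    return out.getvalue(), removed

def parts(data: bytes) -> dict:  # part name -> bytes, for inspecting a package
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {n: z.read(n) for n in z.namelist()}

def build_sample_docx() -> bytes:
    """Constructed sample: a one-paragraph .docx carrying an OLE embedding (XML namespaces omitted)."""
    files = {
        "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" ContentType="application/xml"/><Override PartName="/word/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/></Types>',
        "_rels/.rels": '<Relationships><Relationship Id="rId1" Type="officeDocument" Target="word/document.xml"/></Relationships>',
        "word/_rels/document.xml.rels": '<Relationships><Relationship Id="rId2" Type="oleObject" Target="embeddings/oleObject1.bin"/></Relationships>',
        "word/document.xml": '<w:document><w:body><w:p><w:r><w:t>Resume</w:t></w:r></w:p><w:p><w:r><w:object><o:OLEObject r:id="rId2"/></w:object></w:r></w:p></w:body></w:document>',
        "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0CONSTRUCTED-OLE-PLACEHOLDER",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, c in files.items():
            z.writestr(n, c)
    return buf.getvalue()
```

Running `disarm_docx(build_sample_docx())` returns the rebuilt package and `['word/embeddings/oleObject1.bin']` as the removed part list.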
Interested in learning more about identifying potential threats to your organization and how Marcum Technology can help? View all of our cybersecurity offerings here.