Tecplix ThreatTrack Insights - May II


1. New Malware Loader Latrodectus Emerges as Potential IcedID Successor

Researchers have identified a surge in email phishing campaigns distributing Latrodectus, a novel malware loader suspected to be the successor to IcedID.

A DarkGate campaign reported alongside Latrodectus illustrates the same phishing-driven delivery model. Its attack chain begins with phishing emails posing as QuickBooks invoices that urge the recipient to install Java by clicking an embedded link; the link leads to a malicious Java archive (JAR). The JAR acts as a conduit to run a PowerShell script that downloads and launches DarkGate via an AutoIT script. Social engineering campaigns have also employed an updated version of the Tycoon phishing-as-a-service (PhaaS) platform to harvest Microsoft 365 and Gmail session cookies, which lets the attacker replay an already-authenticated session and so bypass multi-factor authentication (MFA).
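The delivery chain above (JAR launching PowerShell, PowerShell launching AutoIt) leaves a distinctive parent-child process pattern that endpoint telemetry can catch even when every file in the chain is new. The following is an added example of such a process-ancestry check, not code from the original post or from any vendor; the event records are constructed, Sysmon-like process-creation entries (pid, parent pid, image, command line) and the two rule names are this example's own.

```python
"""Process-ancestry detection for a JAR -> PowerShell -> AutoIt delivery chain.

Added example, not from the original page. The event layout is an assumption
modelled loosely on process-creation telemetry; adapt the field names to your EDR.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable basename, case-insensitive
    cmdline: str


# Constructed sample telemetry (assumption): one malicious chain from a mail
# client, plus a benign chain where an IDE launches java.exe for a build tool.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "outlook.exe", "outlook.exe"),
    ProcEvent(300, 200, "chrome.exe", "chrome.exe https://invoice.example/quickbooks"),
    ProcEvent(400, 300, "java.exe", "java.exe -jar C:\\Users\\u\\Downloads\\Invoice_QuickBooks.jar"),
    ProcEvent(500, 400, "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    ProcEvent(600, 500, "autoit3.exe", "autoit3.exe C:\\Users\\u\\AppData\\Local\\Temp\\test.a3x"),
    ProcEvent(700, 100, "code.exe", "code.exe"),
    ProcEvent(800, 700, "java.exe", "java.exe -jar gradle-wrapper.jar build"),
]

# Contiguous parent -> child run that characterises the chain described above.
SUSPICIOUS_CHAIN = ("java.exe", "powershell.exe", "autoit3.exe")


def ancestry(events, pid):
    """Return the process and its ancestors, child first, stopping at the root
    or at a cycle (telemetry with reused PIDs can produce one)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def parent_image(events, pid):
    chain = ancestry(events, pid)
    return chain[1].image.lower() if len(chain) > 1 else None


def matches_chain(events, pid, pattern=SUSPICIOUS_CHAIN):
    """True if the ancestry of pid contains pattern as a contiguous root->leaf run."""
    images = [e.image.lower() for e in reversed(ancestry(events, pid))]
    n = len(pattern)
    return any(tuple(images[i:i + n]) == pattern for i in range(len(images) - n + 1))


def find_alerts(events):
    """Return (pid, rule) pairs: the full chain fires a high-confidence rule, a
    lone powershell.exe spawned by java.exe fires a weaker one for triage."""
    alerts = []
    for e in events:
        if matches_chain(events, e.pid):
            alerts.append((e.pid, "jar-powershell-autoit chain"))
        elif e.image.lower() == "powershell.exe" and parent_image(events, e.pid) == "java.exe":
            alerts.append((e.pid, "powershell spawned by java"))
    return alerts


if __name__ == "__main__":
    for pid, rule in find_alerts(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The benign IDE chain (pid 800) does not fire because java.exe there never spawns PowerShell; ancestry matching on image names keeps the rule file-agnostic, which is what you want against a loader that is repacked for each campaign.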

Key Takeaways

  • Latrodectus exhibits functionalities typical of malware loaders, including deploying additional payloads like QakBot, DarkGate, and PikaBot.
  • The malware employs advanced techniques to evade detection, such as source code obfuscation, self-deletion, and anti-analysis checks.
  • It establishes persistence on compromised systems and communicates with a command-and-control server for further instructions.
  • Latrodectus possesses features to enumerate files, retrieve process ancestry, and potentially download IcedID, suggesting a possible connection between the two malware strains.

Impact

Latrodectus poses a significant threat as it enables attackers to conduct various malicious activities on infected systems, including data theft, lateral movement, and deployment of additional malware.

Who is Affected?

Organizations and individuals susceptible to phishing attacks are at risk of Latrodectus infection. This encompasses a broad range of entities, as phishing campaigns often employ generic lures.

Recommendations

  • Educate users about phishing and the importance of verifying the legitimacy of links and attachments before clicking or downloading them.
  • Verify the source and publisher of any software before installing it, especially installers pushed by an email or a website prompt.
  • Install anti-malware solutions and keep their signatures current so that known loader samples are identified.
  • Maintain up-to-date backups of critical data and systems.

2. SolarMarker Malware Evolves with Multi-Tiered Infrastructure

SolarMarker, a sophisticated information-stealing malware, has developed a complex infrastructure to evade detection and takedown efforts. SolarMarker, known by the names Deimos, Jupyter Infostealer, Polazert, and Yellow Cockatoo, is a sophisticated threat that has exhibited a continuous evolution since its emergence in September 2020.

Over the years, the malware authors have focused their development efforts on making it stealthier through increased payload sizes, the use of valid Authenticode certificates, novel Windows Registry changes, and the ability to run it directly from memory rather than disk. Infection pathways typically involve hosting SolarMarker on bogus downloader sites advertising popular software that can be visited by a victim either inadvertently or due to search engine optimization (SEO) poisoning or via a link in a malicious email.

Key Takeaways

  • SolarMarker utilizes a multi-tiered infrastructure with distinct clusters for active operations and potential testing/targeting.
  • The malware's layered architecture lets the operators rotate or rebuild individual tiers, which makes it more resilient against takedowns and blocklists.
  • SolarMarker targets a broad range of industries, including education, government, healthcare, and businesses.

Impact

  • Increased difficulty in detecting and eradicating SolarMarker due to its evolving infrastructure.
  • Potential theft of sensitive data from various sectors, including universities, government agencies, and healthcare providers.

Who is Affected?

  • Organizations across multiple sectors, including education, government, healthcare, hospitality, and small and medium-sized businesses.
  • Users who visit malicious download sites or click links in phishing emails.

Recommendations

  • Ensure reputable security software is installed on all devices and kept up to date with the latest patches and definitions.
  • Use strong, unique passwords for all online accounts so that credentials stolen from one service cannot be reused elsewhere.
  • Implement advanced threat detection solutions alongside traditional antivirus software.
  • Implement endpoint security solutions that provide features such as application control and behaviour monitoring.

3. Comprehensive Risk Assessment for Organizations in 2024

75% of organizations struggle to keep up with improving risk management practices. (PwC Pulse Survey)

Risk assessments help organizations make informed decisions and guide investments. They offer critical foresight, enabling streamlined operations and maximizing efficiency. A culture of calculated risk-taking fosters innovation, where potential pitfalls are identified and proactively addressed. Comprehensive risk assessments are not mere checkboxes on a compliance list; they form the foundation of organizational resilience, paving the way for sustainable success in an ever-changing world. A well-executed risk assessment helps businesses understand their vulnerabilities, prioritize risks, and develop effective risk management strategies. In this blog post, we walk through the process of conducting a comprehensive risk assessment for your organization.

How to Conduct a Comprehensive Risk Assessment

1. Define the Scope: Start by clearly defining the scope of your risk assessment. Identify the areas, processes, and assets that need to be assessed. This could include operational risks, financial risks, information security risks, regulatory compliance risks, and more.

2. Identify Potential Risks: Next, brainstorm and identify potential risks that could impact your organization. This can be done through various methods such as interviews, workshops, and reviewing historical data. Consider both internal and external factors that could pose risks to your organization.

3. Assess Likelihood and Impact: Once you have identified potential risks, assess their likelihood of occurring and their possible impact on your organization. Use a risk matrix or scoring system to categorize risks based on their likelihood and impact levels. This will help prioritize risks and allocate resources accordingly.

4. Evaluate Existing Controls: Evaluate the effectiveness of existing controls in place to mitigate identified risks. Determine if the controls are adequate, properly implemented, and monitored. Identify any gaps or weaknesses in the controls that need to be addressed…Read More.
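To make steps 3 and 4 concrete, here is an added example of a small risk register that scores likelihood and impact on a matrix, applies the effectiveness of existing controls to obtain a residual score, and ranks the result. It is illustrative code written for this summary, not a tool from the original post; the 1 to 5 scales, the score bands, the control-effectiveness model and the four sample risks are all assumptions to be replaced by your own methodology.

```python
"""Risk-matrix scoring with residual risk after controls (steps 3 and 4 above).

Added example; not from the original page. Scales, bands and the way a control
reduces likelihood or impact are assumptions of this example, not a standard.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    description: str
    effectiveness: float   # fraction of the target score removed, 0.0 to 1.0
    target: str            # "likelihood" or "impact"


@dataclass
class Risk:
    name: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: scores must be 1..5, got {value}")
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0 or c.target not in ("likelihood", "impact"):
                raise ValueError(f"{self.name}: bad control {c}")


def inherent(risk):
    """Score before any control is considered (likelihood x impact)."""
    return risk.likelihood * risk.impact


def residual(risk):
    """Apply each control to the axis it addresses; an axis never drops below 1."""
    like, imp = float(risk.likelihood), float(risk.impact)
    for c in risk.controls:
        if c.target == "likelihood":
            like = max(1.0, like * (1 - c.effectiveness))
        else:
            imp = max(1.0, imp * (1 - c.effectiveness))
    return round(like * imp, 1)


def band(score):
    """Map a matrix score to the bands this example uses (assumption)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritise(register):
    """Rows of (name, inherent, residual, band), highest residual first."""
    rows = [(r.name, inherent(r), residual(r), band(residual(r))) for r in register]
    return sorted(rows, key=lambda row: (-row[2], -row[1], row[0]))


def control_gaps(register, threshold=8):
    """Risks whose residual score still sits at or above threshold: these are the
    gaps step 4 asks you to surface, regardless of how many controls are listed."""
    return [name for name, _, res, _ in prioritise(register) if res >= threshold]


# Constructed sample register (assumption).
REGISTER = [
    Risk("Phishing leading to credential theft", 5, 4,
         [Control("MFA on all SaaS", 0.6, "impact"),
          Control("User awareness training", 0.3, "likelihood")]),
    Risk("Ransomware via unpatched VPN appliance", 3, 5,
         [Control("Patch SLA of 7 days for internet-facing devices", 0.5, "likelihood")]),
    Risk("Cloud storage misconfiguration exposes data", 3, 4, []),
    Risk("Power outage at primary site", 2, 3,
         [Control("UPS and generator", 0.7, "impact")]),
]

if __name__ == "__main__":
    for name, inh, res, b in prioritise(REGISTER):
        print(f"{res:5.1f} ({b:8s}) inherent {inh:2d}  {name}")
    print("gaps:", control_gaps(REGISTER))
```

Separating inherent from residual scores is what makes the register useful: the phishing risk has the highest inherent score but drops to medium once MFA is credited, while the uncontrolled cloud misconfiguration ends up at the top of the list and is the only item flagged as a gap.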

4. Malicious Crypto Mining Campaign Exploits Vulnerable Drivers (REF4578)

A sophisticated crypto mining campaign, codenamed REF4578, has been discovered leveraging a novel malware called GhostEngine. Rather than exploiting a flaw that is already present, GhostEngine brings known-vulnerable signed drivers onto the host and loads them (a bring-your-own-vulnerable-driver technique) to disable security software, then deploys the XMRig crypto miner on the compromised device.

The attack starts with the execution of a file named 'Tiworker.exe', which masquerades as a legitimate Windows file. This executable is the initial staging payload: when run, it downloads a PowerShell script named 'get.png' from the attacker's command and control (C2) server, and that script acts as GhostEngine's primary loader.

The loader downloads additional modules and their configurations, disables Windows Defender, enables remote services, and clears various Windows event logs, each module handling a different behaviour on the infected device.

Key Takeaways

  • GhostEngine uses a disguised executable (Tiworker.exe) to download a PowerShell script (get.png) that acts as the primary loader.
  • get.png disables security software, enables remote services, and creates scheduled tasks for persistence.
  • GhostEngine leverages vulnerable kernel drivers (aswArPots.sys and IObitUnlockers.sys) to disable and remove Endpoint Detection and Response (EDR) software.
  • The campaign ultimately deploys XMRig to mine cryptocurrency for the attacker's benefit.

Impact

This campaign can significantly impact organizations by:

  • Reducing system performance due to crypto mining activity.
  • Exposing compromised systems to further attacks due to disabled security software.
  • Potential data exfiltration if EDR software is disabled or removed.

Who is Affected?

Any Windows system on which the attacker can execute Tiworker.exe is at risk: the campaign deploys the vulnerable Avast and IObit drivers itself rather than relying on them already being installed, so hosts that have never run either product are affected as well. Environments that permit loading of unvetted signed drivers, or that lack a driver blocklist, are at the greatest risk.

Recommendations

  • Defenders should look for suspicious PowerShell execution, unusual process activity, and network traffic towards crypto-mining pools.
  • Deploying vulnerable drivers and creating the associated kernel-mode services should be treated as red flags in any environment; a driver being written to or loaded from a user-writable directory is rarely legitimate.
  • A more aggressive measure is to block creation of the vulnerable driver files themselves, aswArPots.sys and IObitUnlockers.sys, so the loader cannot stage them.
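The recommendations above describe four observable behaviours: a known-vulnerable driver being staged and loaded, a kernel-mode service created for it, event logs being cleared, and outbound traffic to a mining pool. Here is an added example of hunting rules that score a host timeline on those behaviours; it is illustrative code written for this summary, not Elastic's detection logic or anything from the campaign. The events are constructed, Sysmon-style dictionaries (an assumption, not a real vendor schema), the user-writable path list and stratum port list are heuristics of this example, and the expectation that a legitimate TiWorker.exe lives under C:\Windows\WinSxS is likewise this example's assumption.

```python
"""Hunting rules for the GhostEngine behaviours listed above (BYOVD driver load,
kernel service install, log clearing, mining-pool traffic, masquerading binary).

Added example; not from the original page or the campaign. Event fields are a
constructed Sysmon-like layout (assumption). Lists below are heuristics, not
complete blocklists; pair them with a hash-based vulnerable-driver list.
"""
from pathlib import PureWindowsPath

# Driver file names the page lists as abused by the campaign.
VULNERABLE_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}
# Directories a kernel driver should not be loaded from (heuristic, assumption).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# TCP ports commonly used by stratum mining pools (heuristic, not exhaustive).
STRATUM_PORTS = {3333, 4444, 5555, 14444}
# Where the legitimate Windows Modules Installer worker lives (assumption of this example).
TIWORKER_LEGIT_PREFIX = "c:\\windows\\winsxs\\"

# Constructed sample host timeline (assumption).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\Tiworker.exe"},
    {"type": "ServiceInstall", "name": "aswArPots", "path": "C:\\Windows\\Temp\\aswArPots.sys", "kernel": True},
    {"type": "DriverLoad", "path": "C:\\Windows\\Temp\\aswArPots.sys", "signed": True},
    {"type": "DriverLoad", "path": "C:\\Windows\\System32\\drivers\\tcpip.sys", "signed": True},
    {"type": "LogCleared", "log": "Security"},
    {"type": "NetworkConnect", "image": "C:\\ProgramData\\svc.exe", "dst": "203.0.113.7", "port": 3333},
    {"type": "NetworkConnect", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dst": "198.51.100.9", "port": 443},
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def in_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def check_event(ev):
    """Return the rule names this single event trips (empty list if none)."""
    hits = []
    kind = ev["type"]
    if kind == "ProcessCreate":
        if basename(ev["image"]) == "tiworker.exe" and not ev["image"].lower().startswith(TIWORKER_LEGIT_PREFIX):
            hits.append("masquerading-tiworker")
    elif kind == "DriverLoad":
        if basename(ev["path"]) in VULNERABLE_DRIVERS:
            hits.append("known-vulnerable-driver-loaded")
        if in_user_writable(ev["path"]):
            hits.append("driver-loaded-from-user-writable-path")
    elif kind == "ServiceInstall" and ev.get("kernel"):
        if basename(ev["path"]) in VULNERABLE_DRIVERS or in_user_writable(ev["path"]):
            hits.append("suspicious-kernel-service")
    elif kind == "LogCleared":
        hits.append("event-log-cleared:" + ev["log"])
    elif kind == "NetworkConnect" and ev["port"] in STRATUM_PORTS:
        hits.append("possible-stratum-mining-traffic")
    return hits


def triage(events):
    """(index, rules) for every event that tripped at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            out.append((i, hits))
    return out


def score(events):
    """Number of distinct rule families seen on the host. Several families in
    one timeline is the signal; any single one alone is noisier."""
    families = {rule.split(":")[0] for _, hits in triage(events) for rule in hits}
    return len(families)


if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["type"], hits)
    print("rule families:", score(SAMPLE_EVENTS))
```

The legitimate tcpip.sys load and the browser's port 443 connection fall through every rule, while the staged driver trips two rules at once (a listed vulnerable driver, and a driver loaded from a temp directory). Correlating rule families per host rather than alerting on each event separately is what distinguishes this chain from an administrator who happens to clear a log or install a driver.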


In Crisis?

If you suspect a compromise or face a critical security issue, connect with us for rapid, expert protection. Your security and business continuity are our top priority.

Get in touch with our security team by filling out this form or call at +91 6366 600 700.


