Ankura CTIX FLASH Update - December 8, 2023, Ankura CTIX

Ransomware/Malware Activity

New Linux Remote Access Trojan "Krasue" Targets Thai Telecom Sector

A newly discovered Remote Access Trojan (RAT) for Linux has been observed targeting telecommunications firms in Thailand, as reported by Group-IB. Named Krasue after a Thai nocturnal spirit, the malware poses a serious risk to the networks it has infected. What is notable about this RAT is that it has remained undetected on infected networks since 2021, far longer than most campaigns manage. It achieves this through several techniques, including UPX packing, which both obfuscates the code and reduces the size of the binary. It can also run itself as a background process and install additional rootkits, depending on the permissions of the user it runs as. Additionally, it uses fake metadata to present itself as various VMware applications and programs to further avoid suspicion. Krasue uses a designated IP address as its master command-and-control (C2) server and uses the Real Time Streaming Protocol (RTSP), a protocol normally used for applications such as video streaming to endpoint devices, to send signals back to the C2 server without arousing suspicion. One of the more novel ways it hides itself is by hijacking the 'kill()' system call: the hooked call cannot be used to terminate any of the malware's processes, and the parameters passed to 'kill()' are instead used to send instructions to the rootkit. This allows the threat actors to interact with the malware without raising alarms. Researchers also believe that the Krasue code is based on the rootkits Diamorphine, Suterusu, and Rooty. CTIX analysts will continue to monitor the effects of Krasue on telecommunication firms.
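One way a defender can look for the RTSP-based C2 signalling described above is to hunt for internal hosts that repeatedly open RTSP sessions to a single external address. This is an added example, not code from Group-IB or Ankura; the connection-log lines are constructed, and the Zeek conn.log-style column layout, the 10.0.0.0/8 internal range and the session threshold are assumptions.

```python
"""Flag internal hosts that repeatedly open RTSP (TCP/554) sessions to one external
address, the beaconing pattern Krasue is reported to use for C2 signalling.
Added example, not Group-IB or Ankura code; the log lines are constructed and the
Zeek conn.log-style column layout and the 10.0.0.0/8 internal range are assumptions."""
import ipaddress
from collections import Counter

# Constructed sample: ts, src, sport, dst, dport, proto, service (tab-separated)
SAMPLE_CONN_LOG = """\
1701990000.1\t10.20.1.15\t51200\t203.0.113.9\t554\ttcp\trtsp
1701990060.2\t10.20.1.15\t51201\t203.0.113.9\t554\ttcp\trtsp
1701990120.3\t10.20.1.15\t51202\t203.0.113.9\t554\ttcp\trtsp
1701990125.0\t10.20.1.40\t44010\t198.51.100.7\t443\ttcp\tssl
1701990130.0\t10.20.1.22\t46000\t10.20.5.5\t554\ttcp\trtsp
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed server/management range
RTSP_PORT = 554
MIN_SESSIONS = 3  # assumed threshold: repeated sessions to one peer look like a beacon

def parse_conn_line(line):
    ts, src, sport, dst, dport, proto, service = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "service": service}

def is_external(addr):
    return ipaddress.ip_address(addr) not in INTERNAL

def find_rtsp_beacons(log_text, min_sessions=MIN_SESSIONS):
    """Return {(src, dst): count} for internal->external RTSP pairs seen at least
    min_sessions times; internal-to-internal RTSP (legitimate streaming) is ignored."""
    pairs = Counter()
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        uses_rtsp = rec["dport"] == RTSP_PORT or rec["service"] == "rtsp"
        if uses_rtsp and not is_external(rec["src"]) and is_external(rec["dst"]):
            pairs[(rec["src"], rec["dst"])] += 1
    return {pair: n for pair, n in pairs.items() if n >= min_sessions}

if __name__ == "__main__":
    for (src, dst), n in find_rtsp_beacons(SAMPLE_CONN_LOG).items():
        print(f"possible RTSP C2 beacon: {src} -> {dst} ({n} sessions)")
```

Servers that legitimately stream video will also match, so the internal-range and threshold values should be tuned to the environment before the output is treated as an alert.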

Threat Actor Activity

Undocumented Threat Actors, AeroBlade, Targeting US Aerospace Organizations

A new, previously undocumented hacking group, dubbed 'AeroBlade', was recently discovered targeting United States aerospace organizations in what is believed to be a series of attacks forming part of a cyber espionage campaign. The group's origins are currently unknown, and it has yet to be determined whether the attacks were successful, but researchers speculate that the operation was likely motivated by data theft or extortion. The attacks consisted of two (2) stages. The first stage began in September 2022 with spear-phishing emails carrying a Word document (docx) attachment that used remote template injection to download a second-stage DOTM file. The second stage connects to the attacker's command and control (C2) server by executing malicious VBA macros that open a reverse shell on the target's system. During the first-stage delivery, the victim opens a readable Microsoft Word document that appears legitimate while the next-stage payload is dropped in the background; that payload executes once the victim manually clicks the "Enable Content" lure message. The second stage of the attacks did not occur until July 2023, when the reverse shell payload, a heavily obfuscated dynamic-link library (DLL), connected to a hard-coded C2 server and transmitted system information, including a list of all directories on the compromised computer, back to the attacker. The obfuscated DLL features anti-analysis and anti-disassembly techniques that make detection and analysis difficult, and it skips execution in sandboxed environments. Lastly, the payload established persistence on the system by means of a Task Scheduler task named "WinUpdate2". Between the two (2) attack phases, the threat actor was observed putting considerable effort into developing additional resources, indicating the evolution of their tooling and the growing sophistication of their attacks.

Vulnerabilities

Known Adobe ColdFusion Vulnerability Still Being Targeted in Unpatched Environments

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that a known critical vulnerability in Adobe ColdFusion, patched in March 2023, is still being actively exploited by threat actors attempting to gain access to and control over government servers. Adobe ColdFusion is an application server and rapid scripting environment for developing and deploying web applications using ColdFusion Markup Language (CFML). The flaw, tracked as CVE-2023-26360, is an improper access control vulnerability which, if exploited, could allow threat actors to execute arbitrary code in the target environment. When the vulnerability was originally exploited as a zero-day in March, CISA did not disclose the name of the affected entity. In its December 2023 alert, America's Cyber Defense Agency warned that the flaw was still being exploited and that in June 2023 it led to the compromise of at least two (2) public-facing servers after threat actors dropped malware payloads via "HTTP POST commands to the directory path associated with ColdFusion." Once they had gained access to the servers, the threat actors attempted to exfiltrate registry files as well as Security Account Manager (SAM) information. Although the threat actors gained access, the malicious activity was detected and blocked before they could exfiltrate data or move laterally across the network. The flaw was added to CISA's Known Exploited Vulnerabilities (KEV) catalog when it was first exploited in March, meaning all Federal Civilian Executive Branch (FCEB) agencies are required to patch it. CTIX analysts recommend that any administrators responsible for Adobe ColdFusion servers patch this vulnerability immediately to prevent compromise.
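Because the June 2023 intrusions described above were delivered as HTTP POST requests to ColdFusion directory paths, a first triage step for administrators is to pull accepted POSTs to those paths out of the web server access log. This is an added example, not CISA or Adobe code; the access-log lines are constructed, and the watched path prefixes are an assumed, illustrative watch-list rather than a complete inventory of ColdFusion paths.

```python
"""Flag HTTP POST requests aimed at ColdFusion directory paths in web server access
logs, the delivery method CISA described for the CVE-2023-26360 compromises.
Added example, not CISA or Adobe code; the log lines are constructed and the
watched path prefixes are an assumed watch-list, not a complete one."""
import re
from collections import defaultdict

# Constructed sample in common log format (client, timestamp, request, status, size)
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [20/Jun/2023:10:15:01 +0000] "GET /index.cfm HTTP/1.1" 200 5120
198.51.100.23 - - [20/Jun/2023:10:16:40 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 312
198.51.100.23 - - [20/Jun/2023:10:16:45 +0000] "POST /CFIDE/adminapi/base.cfc HTTP/1.1" 200 88
203.0.113.5 - - [20/Jun/2023:10:20:12 +0000] "POST /contact/submit.cfm HTTP/1.1" 200 140
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
WATCHED_PREFIXES = ("/CFIDE/", "/cfusion/")  # assumed ColdFusion-managed path prefixes

def parse_access_line(line):
    """Return a dict for one common-log-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status, _size = m.groups()
    return {"client": client, "ts": ts, "method": method, "path": path,
            "status": int(status)}

def find_suspicious_posts(log_text):
    """Return {client: [paths]} for POSTs to watched ColdFusion paths that the server
    accepted (2xx); a 403/404 means the request was refused rather than processed."""
    prefixes = tuple(p.lower() for p in WATCHED_PREFIXES)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].lower().startswith(prefixes) and 200 <= rec["status"] < 300:
            hits[rec["client"]].append(rec["path"])
    return dict(hits)

if __name__ == "__main__":
    for client, paths in find_suspicious_posts(SAMPLE_ACCESS_LOG).items():
        print(f"{client}: {len(paths)} accepted POST(s) to ColdFusion paths: {paths}")
```

Hits are a starting point for review, not proof of compromise; legitimate administrators also POST to these paths, so source address, timing and follow-on activity decide whether a hit matters.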

Written by:

Ankura