This month focuses on the Satanstealer Malware, a new attack technique exploiting Microsoft Management Console Files, a malvertising campaign deploying Oyster backdoor, and the rise in IoT vulnerabilities.
Satanstealer Malware
A newly discovered malware, dubbed “Satanstealer,” has been found to target browser cookies and passwords.
Summary
- Satanstealer infiltrates systems via phishing emails or malicious downloads.
- Once installed, it harvests cookies and saved passwords from the browser's local stores.
- Because a stolen session cookie represents an already-authenticated session, its operators can hijack active sessions and access accounts without the password or a second factor.
- Stolen credentials are sent to attacker-controlled servers for further misuse or sale on the dark web.
- Satanstealer is reported to use evasion techniques to reduce the chance of antivirus detection.
- Recommended mitigations: keep software updated, enable 2FA, be cautious with emails and downloads, and rotate passwords. After a suspected infection, also sign out of all sessions (or have the provider revoke them): a stolen cookie remains valid until it expires or is revoked, regardless of any password change.
- Read more about Satanstealer here.
New Attack Technique Exploits Microsoft Management Console Files
Threat actors are exploiting a novel attack technique using specially crafted management saved console (MSC) files for full code execution via Microsoft Management Console (MMC).
Summary
- Researchers at Elastic named the approach GrimResource after discovering a malicious MSC file uploaded to VirusTotal on June 6, 2024.
- Opening the crafted console file in MMC triggers a flaw in an MMC library, giving the adversary code execution in the context of mmc.exe, which can then drop and run further malware.
- Attackers can combine GrimResource with DotNetToJScript to go from script execution to arbitrary .NET code execution, leading to unauthorized access and system takeover.
- Delivering payloads in uncommon file types such as MSC files sidesteps controls aimed at more familiar vectors, for example macros disabled by default in Office files.
- The North Korea-linked Kimsuky hacking group previously used a malicious MSC file to deliver malware, as reported by South Korean cybersecurity firm Genians.
- Specifically, GrimResource exploits a cross-site scripting (XSS) flaw in the apds.dll library, reported in 2018 but still unpatched, to execute arbitrary JavaScript within MMC.
- The technique avoids the ActiveX security warning and can launch a .NET loader component named PASTALOADER, which in the observed sample led to Cobalt Strike.
- Microsoft treats MSC files as a potentially dangerous file type, and Microsoft Defender and Smart App Control can block known samples, but this is a new technique: block or quarantine .msc attachments and downloads where they have no business use, alert on mmc.exe loading apds.dll, and avoid opening files from unknown sources.
- Read more here.
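As an added triage example (not Elastic's detection logic and not code from this newsletter), the script below scans .msc files for the combination described above: a res://apds.dll/ redirect carrying a javascript: URL, together with embedded script. It assumes .msc files are XML; the element names in the two sample files are this example's own construction and the malicious sample is synthetic, not a real capture.

```python
"""Triage MMC saved-console (.msc) files for GrimResource-style content.

Added example for this newsletter; it is not Elastic's detection logic and not
code from the page. It assumes .msc files are XML and that a GrimResource file
carries a res://apds.dll/ redirect with a javascript: URL plus embedded script.
The sample files below are constructed for the example.
"""
import re
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# Indicator names and patterns are this example's own choices.
INDICATORS: Dict[str, re.Pattern] = {
    "apds_dll_reference": re.compile(r"res://apds\.dll/", re.IGNORECASE),
    "javascript_url": re.compile(r"javascript:", re.IGNORECASE),
    "embedded_script": re.compile(r"<script\b|ActiveXObject\s*\(|transformNode", re.IGNORECASE),
}


def _text_fragments(data: bytes) -> List[str]:
    """Every text node and attribute value, entity-decoded; raw text on parse failure."""
    try:
        root = ET.fromstring(data)  # for hostile input prefer defusedxml (not in the stdlib)
    except ET.ParseError:
        # A deliberately malformed file still gets scanned rather than skipped.
        return [data.decode("utf-8", errors="replace")]
    fragments: List[str] = []
    for elem in root.iter():
        if elem.text:
            fragments.append(elem.text)
        if elem.tail:
            fragments.append(elem.tail)
        fragments.extend(elem.attrib.values())
    return fragments


def scan_msc(data: bytes) -> Dict[str, bool]:
    """Report which indicators appear anywhere in the console file."""
    fragments = _text_fragments(data)
    return {name: any(pat.search(f) for f in fragments) for name, pat in INDICATORS.items()}


def is_suspicious(data: bytes) -> bool:
    """Require the apds.dll redirect together with a script payload, to limit false positives."""
    hits = scan_msc(data)
    return hits["apds_dll_reference"] and (hits["javascript_url"] or hits["embedded_script"])


# Constructed samples (not real malware). Element names follow the MSC XML
# layout as this example understands it; only the indicator strings matter.
BENIGN_MSC = b"""<?xml version="1.0" encoding="UTF-8"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Event Viewer (Local)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>
"""

GRIMRESOURCE_LIKE_MSC = b"""<?xml version="1.0" encoding="UTF-8"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">res://apds.dll/redirect.html?target=javascript:eval(payload)</String>
    <String ID="2" Refs="1">&lt;script&gt;var sh = new ActiveXObject("WScript.Shell");&lt;/script&gt;</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>
"""


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("benign sample suspicious:", is_suspicious(BENIGN_MSC))
        print("constructed sample suspicious:", is_suspicious(GRIMRESOURCE_LIKE_MSC))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, scan_msc(fh.read()))
```

Run it with one or more .msc paths to get a per-indicator breakdown; the verdict deliberately needs the apds.dll redirect plus a script payload, since the redirect string alone is what a signature would key on and is trivial to split or encode differently. Entity-decoding the XML before matching matters because `&lt;script&gt;` in the file is `<script>` once MMC parses it.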
Malvertising Campaign Deploys Oyster Backdoor
Researchers discovered a malvertising campaign tricking users into downloading malicious installers for software like Google Chrome and Microsoft Teams.
Summary
- The malicious installers drop a backdoor identified as Oyster (also known as Broomstick), which then deploys additional payloads.
- Users searching for the software are steered by search-engine results to typo-squatted websites, believing they are downloading legitimate software.
- The installers are signed with Authenticode certificates issued to front companies such as "Shanxi Yanghua HOME Furnishings Ltd" and "Shanghai Ruikang Decoration Co., Ltd."; a valid signature alone is therefore not proof of legitimacy, and the signer should match the expected vendor.
- Oyster, first spotted in September 2023, gathers host information, communicates with hard-coded command-and-control (C2) addresses, and provides remote code execution.
- The observed binary MSTeamsSetup_c_l_.exe drops two files: CleanUp30.dll and a legitimate Microsoft Teams installer, which runs so that the victim sees the expected installation and suspects nothing.
- CleanUp30.dll creates a scheduled task that re-executes it every three hours and decodes its C2 addresses at runtime with a custom decoding routine, so the addresses are not visible as plain strings in the binary.
- The backdoor fingerprints the infected machine, collects system information, and sends it to the C2 domains via HTTP POST requests.
- Follow-on activity was also observed, including PowerShell scripts that create additional persistence mechanisms and deliver further payloads.
- Read more on the technical details here.
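The scheduled task is the artefact a responder can hunt for. The script below is an added example (not Rapid7's code and not from this newsletter) that triages a scheduled-task XML export for the pattern described above: a repetition interval of three hours and an action that loads a DLL from a user-writable location. It assumes the task was exported with `schtasks /query /tn <name> /xml` and that a DLL "executes itself" through a loader such as rundll32.exe, which the newsletter does not name; the task XML, paths and the DLL export name "Test" are constructed for the example.

```python
"""Triage exported Windows scheduled-task XML for Oyster-style persistence.

Added example for this newsletter, not Rapid7's or the page's own code. It
assumes the task was exported with `schtasks /query /tn <name> /xml` (Windows
writes these as UTF-16; decode before parsing) and that a DLL "executes itself"
through a loader such as rundll32.exe, which the newsletter does not name. The
task XML and paths below are constructed; the export name "Test" is invented.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Binaries that host a DLL for execution (assumption: the loader is not named on the page).
DLL_LOADERS = {"rundll32.exe", "rundll32", "regsvr32.exe", "regsvr32"}
# Paths a standard user can write to: a persistence DLL here is the stronger signal.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
# Task Scheduler repetition intervals are ISO 8601 durations, e.g. PT3H.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
OYSTER_INTERVAL = 3 * 3600  # the three-hour cadence reported for CleanUp30.dll


def iso_duration_seconds(value: str) -> Optional[int]:
    """Convert a Task Scheduler duration (P1DT2H30M) to seconds; None if malformed."""
    m = DURATION_RE.match(value.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def triage_task_xml(xml_text: str) -> Dict[str, object]:
    """Extract repetition intervals and Exec actions, then score the task."""
    root = ET.fromstring(xml_text)
    intervals = [iso_duration_seconds(e.text or "") for e in root.findall(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]

    actions: List[Tuple[str, str]] = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))

    findings: List[str] = []
    loader_from_user_path = False
    for cmd, args in actions:
        exe = cmd.strip('"').replace("/", "\\").split("\\")[-1].lower()
        if exe in DLL_LOADERS:
            findings.append(f"DLL loader as task action: {cmd} {args}")
            if USER_WRITABLE.search(args):
                loader_from_user_path = True
                findings.append("DLL loaded from a user-writable path")
    if OYSTER_INTERVAL in intervals:
        findings.append("repeats every 3 hours (cadence reported for Oyster)")

    return {
        "intervals_seconds": intervals,
        "actions": actions,
        "findings": findings,
        # Cadence alone is weak evidence; the verdict needs loader + user-writable DLL.
        "suspicious": loader_from_user_path,
    }


# Constructed export resembling the description above (every 3 hours,
# CleanUp30.dll under the user's profile). Not a real capture.
SUSPECT_TASK = r"""<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3H</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-06-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>C:\Users\victim\AppData\Roaming\CleanUp30.dll,Test</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign task: a vendor updater under Program Files, running hourly.
BENIGN_TASK = r"""<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2024-06-01T00:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\ExampleVendor\updater.exe"</Command>
      <Arguments>/check</Arguments>
    </Exec>
  </Actions>
</Task>
"""


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, encoding="utf-16") as fh:  # schtasks /xml exports are UTF-16
            print(path, triage_task_xml(fh.read())["findings"])
    if len(sys.argv) == 1:
        print(triage_task_xml(SUSPECT_TASK)["findings"])
```

Export every task on a host (`schtasks /query /xml ONE` dumps them all) and feed the file to this script, or point it at per-task exports. The verdict keys on the loader-plus-user-writable-DLL combination rather than on the three-hour interval, because an attacker can change the cadence freely while a DLL that needs to survive without administrator rights has few places to live.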
Rise in IoT Vulnerabilities
Vulnerabilities in IoT devices have increased by 136% from last year: IoT devices made up 33% of the vulnerable devices analysed in 2024, up from 14% in 2023.
Summary
- The riskiest IoT devices include wireless access points, routers, printers, VoIP equipment, and IP cameras; attackers use such devices as footholds for lateral movement and data exfiltration.
- Internet of Medical Things (IoMT) devices also pose significant risk, accounting for 5% of vulnerable devices, with medical information systems, electrocardiographs, and medication dispensing systems the most affected.
- Network infrastructure such as routers and wireless access points remains the riskiest class of IT device; IT devices overall account for 58% of vulnerable devices, down from 78% in 2023.
- Operational Technology (OT) devices, including UPS, DCS, PLC, robotics, and building management systems, account for the remaining 4%.
- Attackers increasingly target unmanaged devices such as wireless access points and hypervisors, which have been the entry point for major compromises, including ransomware attacks.
- Read more here.
If you suspect a breach or want to report any digital security concerns, kindly contact our helpdesk (help@cchub.africa).
Sources
- https://cybersecuritynews.com/new-satanstealer-malware/
- https://thehackernews.com/2024/06/new-attack-technique-exploits-microsoft.html
- https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/
- https://www.infosecurity-magazine.com/news/iot-vulnerabilities-entry-point/