Intel Wrap – June

July 11, 2024
Musa Nadir Sani

This month focuses on the Satanstealer Malware, a new attack technique exploiting Microsoft Management Console Files, a malvertising campaign deploying Oyster backdoor, and the rise in IoT vulnerabilities.

Satanstealer Malware

A newly discovered malware, dubbed “Satanstealer,” has been found to target browser cookies and passwords.


  • Satanstealer infiltrates systems via phishing emails or malicious downloads.
  • Once installed, it scans for stored cookies and passwords in the browser.
  • The malware can hijack active sessions and gain unauthorized access to accounts.
  • Stolen passwords are sent to attackers’ servers for further misuse or sale on the dark web.
  • Satanstealer employs advanced evasion techniques to avoid antivirus detection.
  • It is recommended that users update software, enable 2FA, be cautious with emails/downloads, and regularly change passwords to protect against Satanstealer.
  • Read more about Satanstealer here.


New Attack Technique Exploits Microsoft Management Console Files

Threat actors are exploiting a novel attack technique using specially crafted management saved console (MSC) files for full code execution via Microsoft Management Console (MMC).


  • Researchers named the approach GrimResource after discovering a malicious MSC file uploaded to VirusTotal on June 6, 2024.
  • The technique exploits a vulnerability in an MMC library when a malicious console file is imported, allowing adversary code execution, including malware.
  • Attackers can combine GrimResource with DotNetToJScript to achieve arbitrary code execution, leading to unauthorized access and system takeover.
  • Attackers use uncommon file types like MSC files as an alternative way to evade security measures such as disabled macros in Office files.
  • The North Korea-linked Kimsuky hacking group previously used a malicious MSC file to deliver malware, as reported by South Korean cybersecurity firm Genians.
  • GrimResource exploits a cross-site scripting (XSS) flaw in the apds.dll library, reported in 2018 but still unpatched, to execute arbitrary JavaScript code in MMC.
  • The technique bypasses ActiveX warnings and can launch a .NET loader component named PASTALOADER, paving the way for Cobalt Strike.
  • Microsoft recognizes MSC files as potentially dangerous and has defenses like Microsoft Defender and Smart App Control, but users should avoid downloading or opening files from unknown sources.
  • Read more here
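
As an added triage example (not code from the researchers or from this post), the Python script below parses an MSC file as XML and flags any string or attribute that references apds.dll, the library named above. The sample console files, the `res://` placeholder string and the function name `scan_msc` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

LIBRARY = "apds.dll"  # the MMC library named in the write-up above

def scan_msc(data: bytes) -> list[str]:
    """Return findings for one .msc file's raw bytes (empty list = nothing flagged)."""
    # Refuse DTDs before parsing: a console file has no need for one, and
    # entity definitions are a parser denial-of-service vector.
    if re.search(rb"<!DOCTYPE", data, re.I):
        return ["contains a DOCTYPE declaration; not parsed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML: fall back to a raw, case-insensitive byte search.
        hit = LIBRARY.encode() in data.lower()
        return [f"unparseable XML ({exc})"] + ([f"raw reference to {LIBRARY}"] if hit else [])
    findings = []
    for elem in root.iter():
        # Parsing resolves XML character references; unquote() undoes %-encoding.
        values = [("text", elem.text or "")] + list(elem.attrib.items())
        for where, value in values:
            if LIBRARY in unquote(value).lower():
                ident = elem.get("ID", "?")
                findings.append(f"<{elem.tag} ID={ident}> {where} references {LIBRARY}")
    return findings

# Constructed samples: minimal console files, not real captures.
BENIGN = b"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Favorites</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

# The library name is written with an XML character reference, so a plain
# grep for "apds.dll" over the raw bytes finds nothing.
SUSPICIOUS = b"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="39" Refs="1">res://&#x61;pds.dll/constructed-placeholder</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, scan_msc(blob))
```

A hit is a reason to inspect the file, not proof of GrimResource; the check only shows that the console file points at the library the technique depends on.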

Malvertising Campaign Deploys Oyster Backdoor

Researchers discovered a malvertising campaign tricking users into downloading malicious installers for software like Google Chrome and Microsoft Teams.


  • The malicious installers drop a backdoor identified as Oyster, also known as Broomstick, which then deploys additional payloads.
  • Users are directed to typo-squatted websites via search engines, believing they are downloading legitimate software.
  • To appear legitimate, the malware uses Authenticode certificates issued to fake companies such as “Shanxi Yanghua HOME Furnishings Ltd” and “Shanghai Ruikang Decoration Co., Ltd.”
  • The Oyster backdoor, first spotted in September 2023, gathers host information, communicates with hard-coded command-and-control (C2) addresses, and provides remote code execution capabilities.
  • The binary MSTeamsSetup_c_l_.exe drops two files: CleanUp30.dll and a legitimate Microsoft Teams installer to avoid suspicion.
  • CleanUp30.dll creates a scheduled task to execute itself every three hours and decodes C2 addresses using a unique decoding function.
  • The backdoor fingerprints the infected machine, collects system information, and sends it to malicious domains via HTTP POST requests.
  • Follow-on activities like the execution of PowerShell scripts creating persistence mechanisms and additional payloads were also observed.
  • Read more on the technical details here.
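
The scheduled-task behaviour described above can be hunted in exported task definitions. The Python script below is an added example, not code from the researchers or from this post: it reads Task Scheduler XML, normalises the repetition interval, and flags tasks that run a DLL every three hours. The sample task, including the `rundll32.exe` host, the file path and the export name, is constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_seconds(text: str) -> int:
    """Convert the ISO 8601 duration subset used in task XML (PnDTnHnMnS)."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def audit_task(xml_text: str, interval_hours: int = 3) -> list[str]:
    """Return reasons a task definition matches the behaviour described above."""
    root = ET.fromstring(xml_text)
    intervals = [duration_seconds(e.text)
                 for e in root.iterfind(".//t:Repetition/t:Interval", NS) if e.text]
    repeats = interval_hours * 3600 in intervals
    reasons = []
    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        parts = (action.findtext("t:Command", "", NS),
                 action.findtext("t:Arguments", "", NS))
        cmdline = " ".join(p for p in parts if p)
        if repeats and re.search(r"\.dll\b", cmdline, re.I):
            reasons.append(f"runs a DLL every {interval_hours}h: {cmdline}")
    return reasons

# Constructed sample. The interval is written as PT180M, so a literal
# string match on "PT3H" would not find it.
SAMPLE_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT180M</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>C:\Users\Public\CleanUp30.dll,Entry</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(audit_task(SAMPLE_TASK))
```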

Rise in IoT Vulnerabilities

Vulnerabilities in IoT devices have increased by 136% from last year, with 33% of IoT devices analyzed in 2024 found to be vulnerable, up from 14% in 2023.


  • The most vulnerable IoT devices include wireless access points, routers, printers, VoIP, and IP cameras, which are often targeted by attackers for lateral movement and data exfiltration.
  • Internet of Medical Things (IoMT) devices also pose significant risks, with 5% containing vulnerabilities, particularly in medical information systems, electrocardiographs, and medication dispensing systems.
  • Network infrastructure devices, such as routers and wireless access points, are the riskiest IT devices, with IT devices accounting for 58% of vulnerabilities, down from 78% in 2023.
  • Operational Technology (OT) devices, including UPS, DCS, PLC, robotics, and building management systems, also show vulnerabilities, with 4% of OT devices found to be at risk.
  • Attackers are increasingly targeting unmanaged devices, such as wireless access points and hypervisors, which have been entry points for major compromises, including ransomware attacks.
  • Read more here

If you suspect a breach or want to report any digital security concerns, kindly contact our helpdesk (


