Hackers spread Vidar and IcedID malware through cloned websites and targeted phishing attacks

SISA Weekly Threat Watch - 23 January 2022

Over the past week, there has been a rise in sophisticated cyberattacks, with threat actors employing more complex techniques to get past security defenses, spread malware, compromise networks, and steal credentials. These attacks are primarily targeted and tailored, making them difficult to detect and defend against. Experts predict that numerous new variants of such threats with enhanced features will emerge in the coming months.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Dark Pink APT group targets governments and military in APAC region

A string of cyber-attacks targeting government and military entities in the APAC region have been attributed to a new APT group, tracked as both Dark Pink and Saaiwc Group. Dark Pink APT probably goes to job boards to modify its messages and pretend to be a person applying as an intern for a job in PR and communications. However, the goal is to implement TelePowerBot and KamiKakaBot, which can carry out commands received via a Telegram bot.

After that, the organization utilizes the Ctealer and Cucky tools to steal cookies and login information from web browsers. The effort made use of many infection chains, with the first one beginning with phishing emails that contained a link to an ISO image file that was rigged to launch malware. To avoid being discovered, the group also used malicious template documents. To protect against phishing attacks, it is recommended to provide sufficient user training and education and implement an email security solution to monitor emails. Additionally, limit the access to file-sharing resources and monitor the creation of LNK files in unusual locations.

2. Scattered Spider hackers use old Intel Driver to bypass security

Scattered Spider, a financially motivated threat actor, attempted a Bring Your Own Vulnerable Driver (BYOVD) attack to bypass EDR (Endpoint Detection and Response) security software. A high-severity vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver was observed being exploited by these hackers. An attacker can use specially crafted calls to exploit this issue and execute arbitrary code with kernel privileges.

The threat actors use these drivers to disable EDR, which lowers the visibility and prevention capabilities of the defenders and positions the targeted networks for further attacks. The target drivers are patched at hard-coded offsets after the driver starts up by decrypting a hard-coded string of targeted security products. Microsoft advises that to defend against these BYOVD threats, Windows users must enable the driver blocklist.

3. Over 1,300 fake AnyDesk sites push Vidar info-stealing malware

A large-scale campaign involving more than 1,300 domain names that imitate the legitimate AnyDesk website is in progress. These domains are all redirected to a Dropbox folder which is currently distributing the Vidar information-stealing malware. The hostnames list contains typosquats for various programs, such as AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, and cryptocurrency trading apps. Despite the different names, they all direct to the same AnyDesk clone website.

The sites were distributing a ZIP file, named ‘AnyDeskDownload.zip’, which purported to be an installer for the AnyDesk software. When installed, the malicious code would harvest victims’ browser history, account credentials, passwords, cryptocurrency wallet data, banking information and other sensitive data and send it back to the perpetrators. To prevent data compromise through such attacks, it is recommended to bookmark the websites used to download software and avoid clicking on Google Search advertising or promoted results.

4. IcedID malware strikes again: Active Directory Domain compromised within 24 Hours

In a recent IcedID malware attack, the threat actor used methods from other companies like Conti to achieve its goals and was able to breach the Active Directory Domain of an unnamed victim in less than 24 hours after initially gaining access. Instead of using conventional phishing-based attacks to send documents with macros, the attackers used ISO and LNK files to create a virtual drive, execute rundll32.exe and dump a DLL file.

In a matter of minutes after infection, the attacker uses net.exe to scan the whole network in search of data on the domain, users in the admin group, and the workstation. Within 19 hours following the initial attack, the attackers successfully compromise the network domain after acquiring access to file servers and upgrading access permissions to execute a DCSync attack. To avoid this infection technique to succeed, consider disabling auto-mounting of disk image files (.iso, .img, .vhd, and .vhdx) globally through GPOs.

5. FortiOS flaw exploited as zero-day in attacks on government and organizations

Attacks targeting governments and other major businesses used a zero-day flaw in FortiOS SSL-VPN that Fortinet patched last month. A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. The ultimate aim was to deploy a generic Linux implant modified for FortiOS that could compromise Fortinet’s intrusion prevention system (IPS) software and connect to a remote server to download additional malware and run commands.

The modus operandi also demonstrates obfuscation to thwart analysis and advanced capabilities to manage FortiOS logging and terminate logging processes to remain undetected. The attacker’s Windows sample was found to include traces that suggested it had been generated on a machine in the UTC+8 time zone, which includes Singapore, Australia, China, and other Eastern Asian nations. It is highly recommended for enterprises to upgrade to a version of FortiOS that is not affected as soon as possible, and to check their current systems for signs of compromise as suggested by FortiGuard.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider