Tecplix ThreatTrack Insights - June I


1. Fake Browser Updates Spreading Remote Access Trojans and Information Stealers

A new wave of cyber threats involves fake web browser updates used to deliver remote access trojans (RATs) and information-stealing malware like BitRAT and Lumma Stealer. These deceptive updates have been linked to numerous infections, including those from the notorious SocGholish malware.

The attack chain commences when prospective targets visit a booby-trapped website that contains JavaScript code designed to redirect users to a bogus browser update page ("chatgpt-app[.]cloud"). The redirected web page comes embedded with a download link to a ZIP archive file ("Update.zip") that's hosted on Discord and downloaded automatically to the victim's device.

Present within the ZIP archive file is another JavaScript file ("Update.js"), which triggers the execution of PowerShell scripts responsible for retrieving additional payloads, including BitRAT and Lumma Stealer, from a remote server in the form of PNG image files. Also retrieved in this manner are PowerShell scripts that establish persistence and a .NET-based loader that is primarily used to launch the final-stage malware.

Key Takeaways:

  • Cyber attackers are leveraging fake browser update notifications to trick users into downloading malware.
  • Victims are redirected to a malicious page hosting a ZIP file ("Update.zip") that initiates the infection process.
  • The malware delivered includes BitRAT and Lumma Stealer, capable of extensive data theft and system compromise.
  • Attack vectors include JavaScript-based redirects, drive-by downloads, and deceptive instructions to execute malicious PowerShell scripts.

Impact:

  • The deployment of BitRAT and Lumma Stealer poses significant risks to infected systems. BitRAT facilitates data harvesting, cryptocurrency mining, and remote control of compromised hosts.
  • Lumma Stealer, a subscription-based malware, extracts sensitive information from web browsers, crypto wallets, and other sources. The consequences of these infections include data breaches, financial losses, and unauthorized access to critical systems.

Who is Affected?

Organizations and individuals who inadvertently visit compromised websites and follow misleading browser update prompts are at risk. This includes users across various sectors who may be targeted through drive-by downloads, malvertising, and phishing tactics that exploit their trust in browser updates.

Recommendations:

  • Install anti-malware solutions and keep them updated so that potential threats on the system are identified promptly.
  • Do not store sensitive information, such as passwords, credit card details, personal information, etc., in the browser cache.
  • Before using any open-source solution found on websites such as Stack Overflow, test it in a virtual machine to avoid credential theft and identity theft.

2. Active Exploitation of Critical Vulnerabilities in WordPress Plugins

Cybersecurity researchers have identified multiple high-severity vulnerabilities in several WordPress plugins that are currently being exploited by malicious actors. These flaws are primarily unauthenticated stored cross-site scripting (XSS) vulnerabilities, which allow attackers to inject malicious scripts due to inadequate input sanitization and output escaping.

Key Takeaways:

Vulnerabilities are present in the following plugins:

  • CVE-2023-6961 (CVSS score: 7.2): WP Meta SEO <= 4.5.12
  • CVE-2023-40000 (CVSS score: 8.3): LiteSpeed Cache <= 5.7
  • CVE-2024-2194 (CVSS score: 7.2): WP Statistics <= 14.5

Impact:

Attack chains exploiting these vulnerabilities involve injecting payloads that point to obfuscated JavaScript files hosted on external domains. These scripts facilitate the creation of rogue administrator accounts, the insertion of backdoors, and the deployment of tracking scripts. The backdoors, written in PHP, are inserted into plugin and theme files, while the tracking scripts send HTTP GET requests carrying the HTTP Host information to a remote server at "ur.mystiqueapi[.]com/?ur".

Who is Affected?

Website administrators and users running vulnerable versions of the affected plugins are at risk. To mitigate these threats, immediate patching and updates are recommended.

Recommendations:

  • It's recommended that WordPress site owners review their installed plugins, apply the latest updates, and audit the sites for signs of malware or the presence of suspicious administrator users.
  • Be cautious of users with admin privileges. Specifically, look out for a user with the username admin and email admin[@]mystiqueapi[.]com.
  • Look for any unexpected outbound requests, particularly those leading to Yandex tracking links or to "ur.mystiqueapi[.]com/?ur".
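The two checks recommended above (a rogue administrator account and outbound requests to the tracking endpoint) can be scripted against a user export and egress proxy logs. This is an added example, not code from the newsletter or from any WordPress project; the user rows and proxy log lines are constructed samples, and the Squid-style log layout is an assumption.

```python
from urllib.parse import urlsplit

# Indicators quoted in the item above, with the defanging brackets removed so they match real data.
IOC_DOMAIN = "ur.mystiqueapi.com"
IOC_ADMIN_EMAIL = "admin@mystiqueapi.com"

# Constructed sample: rows from wp_users joined with the role stored in wp_usermeta.
SAMPLE_USERS = [
    {"user_login": "jane", "user_email": "jane@example.org", "role": "editor"},
    {"user_login": "admin", "user_email": "admin@mystiqueapi.com", "role": "administrator"},
    {"user_login": "siteowner", "user_email": "owner@example.org", "role": "administrator"},
]

# Constructed sample of egress proxy log lines: epoch time, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
1717200001.101 10.0.0.5 GET https://wordpress.org/plugins/ 200
1717200002.202 10.0.0.5 GET https://ur.mystiqueapi.com/?ur 200
1717200003.303 10.0.0.7 GET https://mc.yandex.ru/metrika/tag.js 200
1717200004.404 10.0.0.9 POST https://api.example.org/v1/ping 204
"""

def find_rogue_admins(users):
    """Administrators whose e-mail is the advisory IoC or whose login is simply 'admin'."""
    return [u["user_login"] for u in users
            if u["role"] == "administrator"
            and (u["user_email"].lower() == IOC_ADMIN_EMAIL or u["user_login"].lower() == "admin")]

def find_suspicious_egress(log_text):
    """Return (client, url, reason) for requests to the IoC domain or to Yandex-hosted trackers."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip truncated lines instead of failing on them
        client, url = fields[1], fields[3]
        host = (urlsplit(url).hostname or "").lower()
        if host == IOC_DOMAIN:
            findings.append((client, url, "advisory-ioc-domain"))
        elif "yandex" in host.split("."):
            findings.append((client, url, "yandex-tracker"))  # flagged for review, not proof of compromise
    return findings

if __name__ == "__main__":
    print("rogue admins:", find_rogue_admins(SAMPLE_USERS))
    print("suspicious egress:", find_suspicious_egress(SAMPLE_PROXY_LOG))
```

A legitimate administrator named "admin" will also be listed; the e-mail match is the stronger signal and the login match only narrows what to review by hand.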

3. Enhanced Security With IAM: A Comprehensive Guide

According to Verizon, 61% of all security breaches involved credentials stolen through social engineering or obtained by brute-force attacks. Another study reveals that 44% of security experts believe that implementing an Identity and Access Management (IAM) solution can address their current security vulnerabilities.

IAM incorporates management of the entire lifecycle of user identities and access across all enterprise resources, whether in data centers or the cloud. The identity manager regulates access and entitlements through defined roles, policies, and tools, extending privileges to network entities (users and devices) for diverse applications, both on-premises and in the cloud.

IAM’s objective is to grant a single digital identity to each individual or item. Users encompass customers, partners, and employees, while devices span computers, smartphones, routers, servers, controllers, and sensors. Once established, the digital identity is maintained, modified, and monitored throughout each user’s or device’s access lifecycle.

Identity Management in Practice

In a broader sense, identity management facilitates access to enterprise assets, aligning with user and device entitlements within specific contexts. This encompasses onboarding users and systems, authorizing permissions, and timely offboarding of users and devices...Read more.

4. AutoHotKey-based DarkGate Malware Campaigns Target the U.S., Europe, and Asia

Cyber-attacks involving the DarkGate malware-as-a-service (MaaS) operation have shifted their delivery mechanism from AutoIt scripts to AutoHotkey, marking a significant evolution in their tactics to evade detection. This transition was observed in version 6 of DarkGate, released in March 2024 by its developer RastaFarEye, who markets the malware to a select group of around 30 subscribers. Active since at least 2018, DarkGate continues to pose a significant threat with its advanced features and constant updates.

Key Takeaways

  • Delivery Mechanism: DarkGate now employs AutoHotkey instead of AutoIt for its final payload delivery.
  • Version 6 Updates: This update introduces new capabilities such as audio recording, mouse control, and keyboard management while removing some features like privilege escalation and cryptomining.
  • Exploitation Techniques: Utilizes security vulnerabilities CVE-2023-36025 and CVE-2024-21412 to bypass protections via phishing emails with Excel or HTML attachments.
  • Phishing Campaigns: Continues to use sophisticated phishing tactics, including Excel files with embedded macros and Remote Template Injection techniques.

Impact:

DarkGate’s latest developments highlight the persistent threat it poses to organizations worldwide. The malware’s ability to adapt rapidly by changing its delivery methods and incorporating new features while removing old ones that could lead to detection ensures it remains a formidable tool for cybercriminals. Its extensive capabilities, including command-and-control, rootkit functionalities, credential theft, and remote desktop access, enable attackers to execute a wide range of malicious activities, significantly impacting targeted organizations.

Who is Affected?

DarkGate’s recent campaigns have primarily targeted sectors such as healthcare technology, telecommunications, and fintech across the U.S., Europe, and Asia. Organizations in these industries are at heightened risk and should be particularly vigilant about phishing attacks and the evolving tactics used by threat actors behind DarkGate.

Recommendations:

  • Security teams are advised to update their defenses to recognize and mitigate DarkGate's latest delivery mechanisms and techniques.
  • Enhanced monitoring of email attachments and improved detection capabilities for scripting interpreters like AutoHotkey can help in identifying and blocking these sophisticated threats.
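Items 1 and 4 both describe script interpreters as the pivot of an infection chain: a dropped Update.js that launches PowerShell, and an AutoHotkey interpreter delivering the DarkGate payload after an Office or HTML lure. The following added example (not code from the newsletter or from any vendor) flags those parent/child patterns in process-creation events. The events are constructed samples with Sysmon-style field names; the script host names, the Office process names and the user-writable path pattern are assumptions, not details from the items above.

```python
import ntpath
import re

# Assumed names; the items above name only Update.js, PowerShell, Excel and AutoHotkey.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe", "outlook.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\", re.IGNORECASE)

# Constructed sample of process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\Update\Update.js"'},
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\stage.ps1"},
    {"ProcessId": 4200, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe",
     "CommandLine": r"AutoHotkey.exe C:\Users\alice\AppData\Local\Temp\script.ahk"},
    {"ProcessId": 4300, "ParentImage": r"C:\Windows\explorer.exe",  # benign admin activity
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

def _base(path):
    return ntpath.basename(path).lower()

def classify(event):
    """Return the names of the detection rules an event matches (empty list if none)."""
    image, parent, cmd = _base(event["Image"]), _base(event["ParentImage"]), event["CommandLine"]
    hits = []
    # Fake-update chain: the dropped .js is run by a script host from a user-writable folder.
    if image in SCRIPT_HOSTS and re.search(r"\.js\b", cmd, re.IGNORECASE) and USER_WRITABLE.search(cmd):
        hits.append("script-host-runs-js-from-user-dir")
    # Fake-update chain: the script host then spawns PowerShell to fetch further payloads.
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("script-host-spawns-powershell")
    # DarkGate v6: AutoHotkey interpreter started by an Office app or from a user-writable path.
    if image.startswith("autohotkey") and (parent in OFFICE_APPS or USER_WRITABLE.search(event["Image"])):
        hits.append("autohotkey-from-office-or-user-dir")
    return hits

def flag_events(events):
    """Flatten (ProcessId, rule) pairs for every event that matches at least one rule."""
    return [(e["ProcessId"], rule) for e in events for rule in classify(e)]

if __name__ == "__main__":
    for pid, rule in flag_events(SAMPLE_EVENTS):
        print(pid, rule)
```

The benign PowerShell event launched from Explorer is deliberately left unflagged; the rules key on the parent process and the script's location, not on PowerShell itself.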


In Crisis?

If you suspect a compromise or face a critical security issue, connect with us for rapid, expert protection. Your security and business continuity are our top priority!

Get in touch with our security team by filling out this form or by calling +91 6366 600 700.
