Threat Intel Roundup: OpenVPN, eBPF, AsyncRAT, OpenSea

  • Home
  • Report
  • Threat Intel Roundup: OpenVPN, eBPF, AsyncRAT, OpenSea

Week in Overview(7 Nov-14 Nov)

Technical Summary

1. Kernel Exploit and Rootkit Detection Using eBPF

  • Technology: eBPF (extended Berkeley Packet Filter) in Linux.
  • Purpose: Detect kernel exploits and rootkits.
  • Mechanisms:
    • wCFI (Control Flow Integrity): Monitors kernel call stack and validates return addresses against a bitmap of valid call sites.
    • PSD (Privilege Escalation Detection): Tracks changes in kernel credential structures to identify unauthorized privilege escalations.
  • Implementation: eBPF programs attached to kernel functions, submitting events to userspace for analysis.

2. Email Phishing Campaigns Targeting OpenSea Users and Developers

  • Target: OpenSea platform users and developers.
  • Method:
    • Fake developer account risk alerts.
    • Fraudulent offers.
  • Modus Operandi: Emails mimicking official communication to deceive recipients into revealing sensitive information or credentials.

3. Chrome Use-After-Free Vulnerability in WebAudio (CVE-2023-5996)

  • Vulnerability: Use-after-free in Chrome’s WebAudio component.
  • CVE ID: CVE-2023-5996.

Resolution: Ignoring channel count updates after the audio context is closed to prevent exploitation.

4. Malware Distribution via GitHub: Threat Actors Spreading AsyncRAT

  • Platform Used: GitHub.
  • Malware: AsyncRAT (Remote Access Trojan).
  • Method: Disguising malicious screensaver (.scr) files as .sln files in legitimate Visual Studio projects.
  • Exploitation: Utilizing Discord’s CDN for distribution.

5. CVE-2023-46849

  • Vulnerability: In OpenVPN versions 2.6.0 to 2.6.6.
  • Issue: Divide by zero behavior when using the –fragment option, leading to application crash and denial of service.

6. CVE-2023-4966

  • Vulnerability: In Citrix NetScaler ADC and Gateway appliances.
  • Issue: Sensitive information disclosure vulnerability allowing hijacking of authenticated sessions and bypassing multifactor authentication.
  • Exploitation: Observed in the wild since late August 2023.

7. Vidar Stealer

  • Update: Major changes in C2 (Command and Control) communications, mimicking Stealc.
  • Capabilities:
    • Downloads legitimate third-party DLLs.
    • Harvests data from browsers, crypto wallets, and more.
    • Exfiltrates data file by file.
    • Uses Dynamic Data Exchange (DDR) for communication.
  • Impact: Improved evasion capabilities, even if detected by antivirus software.

🚨 Vulnerability of the Week

OpenVPN CVE-2023-46849

CVE-2023-46849 is a vulnerability identified in OpenVPN, specifically affecting versions 2.6.0 to 2.6.6. This vulnerability is related to the use of the –fragment option in certain configuration setups of OpenVPN.

  • Vulnerability: The issue arises when the –fragment option is used inappropriately, leading to a divide by zero behavior.
  • Impact: This divide by zero error can cause an application crash, resulting in a denial of service (DoS).
  • Affected Versions: OpenVPN versions from 2.6.0 to 2.6.6.


As of now, the CVSS (Common Vulnerability Scoring System) score for CVE-2023-46849 has not been provided by NIST (National Institute of Standards and Technology). The severity of this vulnerability is still under analysis, and no official score or metrics have been published.

References and Advisories

Several advisories and resources provide more information about CVE-2023-46849:

🥵 Malware or Ransomware

The blog post from SEKOIA.IO provides an in-depth analysis of the Stealc malware, highlighting its similarities with other infostealers like Vidar and Raccoon. Here’s a summary of the key points related to the major update in Vidar Stealer’s Command and Control (C2) communications, which now closely mimic those of Stealc:

  • Use of Legitimate Third-Party DLLs: Unlike previous versions that downloaded a ZIP file, the updated Vidar Stealer now downloads legitimate third-party DLLs. This change likely helps the malware evade detection by blending in with normal software operations.
  • Malware Configurations: The malware is configured to target specific data from browsers, cryptocurrency wallets, and other valuable information through a grabber module. This targeted approach allows for more efficient data harvesting.
  • Exfiltration of Harvested Data: The updated method involves exfiltrating harvested data file by file. This step-by-step approach can potentially improve the “knock rate” or “knock time,” which refers to the efficiency and speed of data transmission back to the C2 servers.
  • Use of DDR: DDR (Dynamic Data Exchange) is a method of interprocess communication. In the context of this malware, it could be used to facilitate the transfer of stolen data or commands between processes, potentially making detection more difficult.
  • C2 Servers: The post lists several IP addresses identified as C2 servers for the malware. These servers are crucial for the malware’s operation, as they receive the stolen data and send commands.
  • Improved Evasion Capabilities: The modification in the malware’s communication and data exfiltration methods is likely aimed at improving its ability to evade detection. Even if antivirus software detects the malware, the step-by-step data exfiltration process might allow some data to be transmitted before the malware is neutralized.

💦 Malware Distribution Sites

A phishing HTML file, named “GFT000567.html,” has successfully evaded the majority of antivirus (AV) solutions, raising significant concerns in the cybersecurity community.

Detection and Analysis

  • VirusTotal Detection: The file has a remarkably low detection rate of 1 out of 60 AV solutions on VirusTotal, indicating its sophistication in evading security measures.
  • Filename: GFT000567.html
  • MD5 Hash: 2017a1ec0479724dae5ad5cd95781841

Indicators of Compromise (IOCs)

  • Malicious URLs:
    • pub-91c76ad75ccd43f3a4351ea91d50ae83[.]r2[.]dev/execo.html#[email protected]
    • sulzer[.]shop/campi/excelphp1.php
  • These URLs are likely used for phishing attacks, data exfiltration, or directing users to download further malicious payloads.

DOCGuard Reports

  • Primary Sample Report: A detailed analysis of the phishing file is available on DOCGuard, which can provide insights into its behavior, embedded scripts, and evasion techniques. The report can be accessed here.
  • Similar Sample Report: Another report on a similar sample, which could provide comparative insights, is available here.

📱 Mobile Malware

Google has initiated legal action against scammers for distributing malware under the guise of its Bard AI chatbot. The scammers, believed to be based in Vietnam, created social media pages and ads, misleading users into downloading a fake version of Bard, which in reality was malware.

Method of Attack

  • Social Media Deception: The scammers set up social media accounts, using names like “Google AI,” “AIGoogle,” and similar variations. They promoted posts on platforms like Facebook, falsely advertising the download of Google’s Bard AI chatbot.
  • Misuse of Google’s Branding: The fraudulent entities used Google’s trademarks and logos to lend credibility to their scheme, misleading users into believing the authenticity of their offering.
  • Malware Distribution: The download links provided by the scammers did not contain the Bard AI chatbot but malware. This malware was designed to steal social media credentials and potentially other sensitive information from the users’ devices.


  • Credential Theft: The primary objective of the malware was to siphon off login details of users, particularly targeting small businesses and their social media accounts.
  • Financial Risks: By gaining access to social media accounts, the scammers could potentially access financial information or defraud businesses and their contacts.
  • Brand Damage: The use of Google’s trademarks in the scam could lead to reputational damage for Google, misleading users about the security and reliability of its products.


  • Vigilance in Downloads: Users should only download software from verified, official sources.
  • Awareness of Scams: Be aware of the increasing use of AI and popular brand names in online scams.
  • Credential Protection: Use multi-factor authentication and regularly update passwords, especially for business-related social media accounts.

🦮 Art of Detection

The malware, humorously proposed to be named “Electrocuted Stealer,” is a type of infostealer. It has been identified through a sample available on the ANY.RUN malware analysis service. This malware is initially categorized as “Win32/Unknown Infostealer.”

Unique Characteristics

  • Folder Naming: The malware uses a peculiar method for naming folders, such as \Temp\YUOhtyugjKgdfgjFGghj676jj\. This naming pattern is notably random and chaotic, possibly reflecting an attempt to avoid pattern detection.
  • Proposed Name: “Electrocuted Stealer” – This name humorously suggests the seemingly random and jumbled nature of the folder naming convention, as if the author was “electrocuted” while typing.

Detection Strategies

  • Anomalous Folder Names: Security systems can be configured to flag unusually named folders, especially those with a high degree of randomness and length, as seen in this malware.
  • Behavioral Analysis: Utilizing tools like ANY.RUN to observe the behavior of suspected malware in a safe, controlled environment. This can help in identifying unusual patterns of behavior that are indicative of infostealers.
  • Signature-Based Detection: While the malware is initially categorized as “Win32/Unknown,” updates to antivirus databases with its signature, once fully analyzed, can help in its detection.
  • Heuristic Analysis: Employing heuristic analysis to detect new, unknown variants of malware based on similarities to known infostealers.
  • Network Traffic Monitoring: Infostealers often communicate with a C2 server. Monitoring for unusual outbound network traffic can help in detecting such malware.

File System Monitoring: Watching for changes in file systems, especially in system directories like \Temp, can be a red flag.

Analysis and Reporting Tools

  • ANY.RUN: A cloud-based malware analysis service that provides a detailed report of malware behavior. The specific report for this malware can be accessed here.

🦮 Art of Detection#2

Threat actors are increasingly utilizing GitHub, a popular platform for software development, to spread malware. A recent incident involved the distribution of malicious screensaver files (.scr), which were disguised as .sln files within a legitimate Visual Studio project. This tactic was used to distribute AsyncRAT, a remote access trojan, by exploiting Discord’s Content Delivery Network (CDN).

Analysis from ANY.RUN

The detailed analysis of this malware distribution strategy is provided by ANY.RUN, an interactive malware hunting service. Unfortunately, the specific content of the analysis from the provided ANY.RUN link is not accessible due to technical limitations. However, the general approach of these threat actors can be outlined based on known tactics and the summary provided.

Tactics and Implications

  • Disguised Files: The .scr files, typically used for screensavers, are disguised as .sln (solution) files, which are part of Visual Studio projects. This disguise is intended to trick users into executing the malware, believing it to be a harmless component of the project.
  • Use of GitHub: By placing these malicious files in a seemingly legitimate project on GitHub, attackers leverage the trust and popularity of the platform to spread the malware.
  • Exploitation of Discord CDN: The use of Discord’s CDN for distributing AsyncRAT indicates a sophisticated approach to bypassing standard security measures. CDNs are typically trusted networks, and their abuse can lead to widespread malware distribution.
  • AsyncRAT: This remote access trojan allows attackers to control infected systems remotely, posing significant risks to data security and privacy.

🐙 Proxylife

BumbleBee, a newly identified malware, has been observed in a campaign labeled “Documents!” by the cybersecurity community. This campaign is notable for its use of advanced techniques and has been linked to the botnet “rar0409.”

Execution Flow

The malware’s execution flow is relatively straightforward but effective:

  • Initial Contact: Via an HTML file.
  • Delivery Mechanism: The malware is packed in a RAR archive.
  • Execution: The final payload is an executable file (.exe).

Key Features

  • HTML Smuggling: BumbleBee utilizes HTML smuggling techniques. This involves using legitimate HTML5 features to create and deliver malicious files while bypassing security controls.
  • Exploitation of CVE-2023-38831: The malware exploits this specific vulnerability, although details about the nature of this vulnerability are not provided in the brief.

Botnet Association

  • Botnet Name: rar0409

The association with this botnet suggests a broader infrastructure and possibly a wider range of attack capabilities.

Triage and Analysis

  • Dynamic Generation Algorithm (DGA): Interesting findings include the use of a DGA seed, counter, and length. This indicates a sophisticated command and control (C2) mechanism, where the malware can dynamically generate domain names for C2 communications.
  • Files and Samples: For further analysis and research, files related to this campaign can be found on the Bazaar.

🥷 TTP Analysis

The report focuses on a sophisticated malware known as SystemBC, also referred to as Coroxy. This malware is multifaceted, functioning as a socks5 proxy, bot, backdoor, and Remote Access Trojan (RAT). It has been utilized by various threat actors in cyber-attacks.

Malware Characteristics

  • Category: Socks5 proxy, bot, backdoor, RAT
  • Usage: By several threat actors

Operational Flow

The operational flow of SystemBC is as follows:

  • Loader/Other Malware: Initial infection vector.
  • SystemBC Activation: Acts as a secondary payload.
  • Mutex Creation: Ensures unique instance.
  • Temporary Copy Creation: For execution and persistence.
  • Persistence Mechanism: Ensures long-term access.
  • Sensitive Information Harvesting: Collects valuable data.
  • Network Information Gathering: For further exploitation.
  • Command and Control (C&C) Communication: For remote control and data exfiltration.

Tactics, Techniques, and Procedures (TTP)

The TTPs associated with SystemBC include:

  • [T1547.001] Registry Run Keys: For persistence.
  • [T1070] Stop Process: To evade detection.
  • [T1140] Decode Network Information: For data extraction.
  • [T1082] System Information Discovery: To understand the environment.
  • [T1033] System Owner/User Discovery: Identifying potential targets.
  • [T1560] Archive Collected Data: For data exfiltration.
  • [T1497] Virtualization/Sandbox Evasion: To avoid analysis.
  • [T1071] Application Layer Protocol: For communication.

Indicators of Compromise (IOC)

  • The IOCs related to SystemBC are:
  • Domains:
    • payload[.]su
    • mxstat215dm[.]xyz
    • mxstex725dm[.]xyz
    • zl0yy[.]ru
    • r0ck3t[.]ru
  • IP Addresses:
    • 91[.]191[.]209[.]110
    • 5[.]42[.]65[.]67

💦 Leakage

The security of user data in web applications is critical. However, vulnerabilities like Insecure Direct Object Reference (IDOR) can significantly compromise data integrity. This report examines a real-world case of an IDOR vulnerability within a web application, particularly focusing on the exploitation of the ‘v’ parameter, which led to the exposure of all users’ Personally Identifiable Information (PII).

Analyzing the ‘v’ Parameter

The ‘v’ parameter in question is 64 characters long, making it unpredictable and lengthy. It consists of a mix of constant and changeable parts. The constant parts are enclosed in curly braces, such as {xrjo}, {tgx}, {tgyj}, {mrzo}, {tnkxn}, {qnjn}, and {irgirnittghn}. The characters outside these braces are changeable, and this variability is what can be exploited.

Exploiting the Vulnerability

The exploitation process involves making partial and unpredictable changes to the characters outside the curly braces while keeping the constant parts intact. By altering these characters in different requests, it becomes possible to access different users’ data. For example, by changing the original ‘v’ parameter from vnnt {xrjo} nnnr {tgx} ntkx {tgyj} yinvr {mrzo} jyg {tnkxn} ugor {qnjn} zyjr {irgirnittghn} to various altered forms, each alteration potentially leads to the exposure of a different user’s data.

Tools Used for Exploitation

  • Intruder: A tool used to automate the brute-forcing of these portions.
  • Python Script: A script was written to generate altered ‘v’ parameters. This script takes the original parameter, splits it into constant and changeable parts, and then randomly changes some characters in the changeable part while keeping the constant parts intact.

👹 Scam Contract

OpenSea, a popular platform in the NFT (Non-Fungible Token) space, has recently become the target of email phishing campaigns. These campaigns are specifically designed to deceive OpenSea’s users and developers. It’s important to be aware of the nature of these scams to protect personal and financial information.

Types of Phishing Scams

  • Fake Developer Account Risk Alert: This scam involves sending emails that appear to be from OpenSea, warning developers of some risk or issue with their accounts. The goal is to trick recipients into revealing sensitive information or credentials.
  • Fake Offer: Another common tactic is sending emails that mimic legitimate offers from OpenSea. These emails may contain links to fraudulent websites where users are prompted to enter personal details or connect their digital wallets, leading to potential theft of assets or personal information.

The Domain “docs-opensea[.]io”

  • The mentioned domain, docs-opensea[.]io, seems to be part of this phishing campaign. However, accessing this domain resulted in an error, indicating it might be down or not accessible at the moment.
  • It’s crucial to note that such domains are often created to appear legitimate, mimicking the official website’s look and feel to deceive users.

🟥 1Day

The “Tianfu Cup 2023” highlighted a significant vulnerability in Google Chrome, specifically a use-after-free issue in the WebAudio component, tracked as CVE-2023-5996. This vulnerability was addressed by modifying how Chrome handles channel count updates after the audio context is closed.

The Vulnerability

  • Component Affected: The issue was in the WebAudio component of Chrome.
  • Nature of Vulnerability: It was a use-after-free vulnerability, a type of memory corruption issue that can lead to arbitrary code execution.
  • CVE ID: CVE-2023-5996.

The Fix

Google implemented a fix by ignoring channel count updates after the audio context is closed. The key aspects of the fix include:

  • Checking Context State: The new code checks if the audio context’s state is ‘closed’. If so, any changes to the channel count are ignored.
  • Maintaining Stability: The fix ensures that the audio rendering thread is not activated unexpectedly, which could lead to instability or exploitation of the use-after-free condition.

Code Analysis

The provided code snippet demonstrates the logic implemented to address the vulnerability:

  • Channel Count Check: The code first retrieves the old channel count and sets a new channel count. If there’s an exception or the channel count remains unchanged, it bypasses the recreation of the platform destination.
  • Context State Validation: The fix includes a check for the context state (AudioContext::kClosed). If the context is closed, or other conditions are met (same channel count or exception state), the function returns early, avoiding further processing.
  • Recreation of Platform Destination: If the conditions are not met, the destination is stopped, recreated, and started again to apply the new channel count, ensuring the integrity of the audio processing.

Broader Context: Linux Kernel Security and Google’s kernelCTF

The discussion around CVE-2023-5996 leads to a broader conversation about Linux kernel security. The kernel, being the core of many systems, is a critical security component. Google’s kernelCTF program is an initiative to encourage the discovery and mitigation of vulnerabilities in the Linux kernel.

🌶️ Trending Exploit

The exploit related to CVE-2023-4966 in Citrix NetScaler ADC and Gateway appliances is a significant cybersecurity concern. Here’s a detailed overview:


  • Date of Security Bulletin: Citrix released a security bulletin on October 10, 2023, addressing a sensitive information disclosure vulnerability identified as CVE-2023-4966.
  • Affected Appliances: The vulnerability impacts NetScaler ADC (Application Delivery Controller) and NetScaler Gateway appliances.

Nature of the Vulnerability

  • Exploitation in the Wild: Mandiant reported that this vulnerability has been exploited in the wild since late August 2023.
  • Consequences of Exploitation: Successful exploitation allows attackers to hijack existing authenticated sessions. This bypasses multifactor authentication or other strong authentication mechanisms.
  • Persistence of Sessions: Even after deploying the update to mitigate CVE-2023-4966, some hijacked sessions may persist.
  • Session Hijacking Incidents: There have been instances where session data was stolen before the patch deployment and then used by threat actors.

🕯️ The Topic of the Week

VED (Vault Exploit Defense)-eBPF is an innovative approach to enhancing kernel security in Linux systems. It utilizes eBPF (extended Berkeley Packet Filter), an in-kernel virtual machine, to monitor kernel activities and detect potential exploits or rootkits without altering the kernel source code.

eBPF Overview

  • Functionality: eBPF allows for the execution of code within the kernel space, providing a high degree of flexibility and efficiency.
  • Application: It can be attached to various kernel events like tracepoints and kprobes, enabling detailed analysis and data collection.

VED-eBPF’s Approach

VED-eBPF leverages eBPF to trace security-sensitive behaviors within the kernel, focusing on detecting anomalies that could indicate exploits or rootkits. It primarily provides two detection mechanisms:

  • wCFI (Control Flow Integrity):
    • Purpose: Detects control flow hijacking attacks.
    • Method: Utilizes a bitmap of valid call sites and validates each return address against this map.
    • Implementation: Traces the kernel call stack, validating return addresses and monitoring stack pointer and kernel text region changes.
  • PSD (Privilege Escalation Detection):
    • Purpose: Identifies unauthorized privilege escalations.
    • Method: Monitors changes to credential structures within the kernel.
    • Implementation: Attaches to functions like commit_creds and prepare_kernel_cred, analyzing credentials before and after execution.

How it Works

  • eBPF Program Attachment: VED-eBPF attaches eBPF programs to specific kernel functions to trace execution flows and gather security events.
  • Data Submission: These events are then submitted to userspace for analysis via perf buffers.

Detailed Mechanisms

  • wCFI:
    • Stack Tracing: On each function call, it dumps the stack and assigns an ID.
    • Validation: Checks return addresses against a precomputed bitmap of valid call sites.
    • Event Generation: If a corrupted stack is detected, it generates a wcfi_stack_event with details like stack trace, ID, and invalid return address.
  • PSD:
    • Credential Monitoring: Extracts credential information during key function calls.
    • Comparison: Analyzes changes in credentials to spot unauthorized escalations.
    • Event Generation: Produces a psd_event with credential details in case of illegal privilege escalation.

Current Status and Future Work

VED-eBPF is in the proof-of-concept stage, showcasing the potential of eBPF for kernel security. Ongoing and future work includes:

  • Expanding Attack Coverage: Broadening the scope to detect a wider range of exploits.
  • Performance Optimization: Enhancing efficiency to minimize impact on system performance.
  • Support for Additional Kernel Versions: Adapting the tool for various kernel releases.
  • Integration with Security Analytics: Combining with analytical tools for comprehensive security insights.

Leave a Reply

Your email address will not be published. Required fields are marked *