Threat Intel Roundup: ownCloud, APT-Q-36, AlfaC2, ActionRunner

admin
November 28, 2023
No Comments

Technical Summary

1. Vulnerability Report: CVE-2023-49103 in ownCloud

Issue: Critical vulnerability in ownCloud’s “graphapi” app.
CVE ID: CVE-2023-49103.
Severity: CVSS rating of 10/10.
Impact: Exposes admin passwords, mail server credentials, and license keys.
Affected Versions: ownCloud versions 0.2.0 to 0.3.0.
Mitigation: Deleting specific directories and changing compromised secrets.

2. Advanced Persistent Threat (APT) Report: The Mahagrass Organization (APT-Q-36) and Spyder Downloader

APT Group: Mahagrass (APT-Q-36), active in South Asia.
Tools Used: Spyder downloader and Remcos Trojan.
Target Regions: Asia, specifically Pakistan, Bangladesh, Afghanistan.
Tactics: Cyber espionage with updated malware tools to avoid detection.

3. Report on Abusing .NET Core CLR Diagnostic Features and CVE-2023-33127

Focus: Exploitation of .NET Core CLR diagnostic features.
CVE ID: CVE-2023-33127.
Method: Abusing CLR profiler loading and diagnostic port.
Impact: Potential for privilege escalation and unauthorized access.
Mitigation: Defensive strategies and Sigma rules for detection.

4. Report on Malicious One File Evading Antivirus Solutions

Issue: Evasion of antivirus solutions by malicious one-file executables.
Techniques: Polymorphism, obfuscation, and fileless execution.
Detection Challenge: Difficulty in identifying due to evolving tactics.
Recommendations: Enhanced heuristic analysis and behavior-based detection.

5. Report on WebDAV Server and XWorm V5.2 Malware Campaign

Campaign: Utilization of WebDAV servers in distributing XWorm V5.2 malware.
Method: Exploiting server vulnerabilities for malware delivery.
Impact: Data theft, system compromise, and network infiltration.
Mitigation: Patching server vulnerabilities and network monitoring.

6. Analysis of “AlfaC2” Malware Spotted in Italy

Malware: “AlfaC2”.
Region Affected: Primarily Italy.
Capabilities: Command and control operations, data exfiltration.
Detection Difficulty: High due to sophisticated evasion techniques.
Countermeasures: Advanced endpoint protection and network traffic analysis.

7. Report on the Art of Detection in Breach Report Collection

Focus: Strategies for detecting breaches and collecting relevant reports.
Challenges: Diverse attack vectors and stealth techniques.
Solutions: Implementing a combination of automated tools and expert analysis.
Best Practices: Continuous monitoring, anomaly detection, and threat intelligence integration.

🚨 Vulnerability of the Week

ownCloud CVE-2023-49103

A critical vulnerability in ownCloud, designated as CVE-2023-49103, has been publicly disclosed and is being actively exploited in the wild. ownCloud is a widely used file server and collaboration platform, known for secure storage, sharing, and synchronization of sensitive files. This vulnerability has a severity rating of 10 out of 10 on the CVSS scale, indicating its critical nature.

Details of the Vulnerability

Affected Component: The vulnerability exists in the “graphapi” app within ownCloud.
Affected Versions: Versions 0.2.0 to 0.3.0 of the “graphapi” app are impacted.
Nature of Vulnerability: The flaw stems from a third-party library used in the “graphapi” app, which exposes sensitive PHP environment configurations, including admin passwords, mail server credentials, and license keys.
Scope of Impact: Both containerized and non-containerized instances of ownCloud are vulnerable. However, Docker containers created before February 2023 are not affected.
Exploitation in the Wild: GreyNoise has observed mass exploitation of this vulnerability as early as November 25, 2023.

Mitigation Measures

Immediate Actions: The vendor’s disclosure advises manual actions such as deleting a specific directory and changing any compromised secrets.
Long-Term Solutions: Users are urged to update to patched versions of ownCloud as soon as they become available.

Related Vulnerabilities

CVE-2023-49105: An authentication bypass flaw in ownCloud.
CVE-2023-49104: A critical vulnerability related to the oauth2 app in ownCloud.

🥵 Malware or Ransomware

https://twitter.com/1ZRR4H/status/1729196411843985530/photo/4

A sophisticated malware campaign involving a WebDAV server and the XWorm V5.2 has been identified. This campaign utilizes a series of interconnected components to execute a multi-stage attack, primarily targeting Windows systems.

Attack Chain

Initial Link (LNK File): The attack begins with a WebDAV server link \\109.107.190[.]43@80\Downloads\passportscan.pdf.lnk. This LNK file is designed to deceive users into thinking it is a legitimate PDF document.
HTA File Download: When executed, the LNK file connects to http://217.197.107[.]49/passportscan.hta. HTA (HTML Application) files are commonly used in attacks due to their ability to execute scripts on Windows systems.
Executable File (EXE): The HTA file then leads to the download of http://217.197.107[.]49/file1.exe, which is likely the primary payload of the attack.
VBS Script Execution: The attack also involves a VBS (Visual Basic Script) C:\Windows\System32\SyncAppvPublishingServer.vbs that constructs and executes a URL to download the HTA file. This script is a clever method to bypass some security measures.
Open Directory: The server hosting these malicious files, http://217.197.107.49/, is an open directory, potentially containing more malicious files and tools.

XWorm V5.2

Command and Control (C2) Server: 5.182.87.154:7000. This server is likely used for controlling the malware and possibly exfiltrating data.
AES Key: <123456789>. The use of an AES key suggests that the malware employs encryption, either for securing its communication or for encrypting files on the victim’s machine.

Malware Samples

Passportscan.hta: Available at Abuse.ch. This file is a critical component of the attack, initiating the download of the executable payload.
File1.exe (filer.exe): Available at Abuse.ch. This executable is likely the main payload, responsible for carrying out the intended malicious activities.

This campaign demonstrates a high level of sophistication, using multiple stages and techniques to evade detection. The use of a WebDAV server, HTA files, and a VBS script highlights the attackers’ efforts to leverage less commonly monitored file types and protocols.

💦 Malware Distribution Sites

https://twitter.com/doc_guard/status/1729242250788433994

A highly evasive and malicious file has been reported, demonstrating the ability to bypass the majority of antivirus (AV) solutions. This file is notable for embedding both an executable (EXE) and a private key within a single file.

File Details

Filename: The malicious file is named http://iphone12-2023-11-19-09-32-78766565.one.
MD5 Hash of the File: ffcd27d697ef7a366196878eccef2469. This unique identifier is used to verify the file’s integrity and identify it across systems.

VirusTotal Detection

Detection Rate: The file has a remarkably low detection rate of 7 out of 60 on VirusTotal, indicating that it can evade most antivirus solutions.

Indicators of Compromise (IOCs)

MD5 Hashes:
- 7e884518c0253e54c48967c794b7b8b5
- 8b7620c18cf0cecd2a4cdf5f87dc72d7
- 7e884518c0253e54c48967c794b7b8b5 (duplicate)
- ee9c386377ee066b3bcd63d22d801eb9
- 2ecf3a718556e3a9d7269a658d1f1bdd
Malicious URL:
- dl[.]dropboxusercontent[.]com/scl/fi/40zqfwcn5cw07ies9fvsg/clipx.exe?rlkey=kp8p2xobc0954lk2j50liglsk&dl=0T. This URL is likely used for downloading additional malicious components or for command and control communication.

The ability of this file to evade detection by a significant number of antivirus solutions is alarming. It highlights the challenges faced in detecting and preventing sophisticated cyber threats. The embedding of an EXE and a private key within a single file suggests a high level of sophistication and potential for significant harm, possibly in the form of data theft, system compromise, or ransomware deployment.

📱 Mobile Malware

Android users in India are currently facing a sophisticated malware campaign. Attackers are using social engineering tactics to distribute malicious apps via social media platforms like WhatsApp and Telegram. These apps impersonate legitimate entities such as banks, government services, and utilities. The primary objective is to harvest sensitive data including banking details, payment card information, account credentials, and personal data.

The attackers share malicious APK files, presenting them as essential banking applications. They create a sense of urgency by falsely claiming that the target’s bank accounts will be blocked if they do not update their information. Once installed, these apps prompt users to enter sensitive information, which is then transmitted to a command-and-control server. Additionally, these apps can hide their icons and intercept one-time passwords (OTPs) by requesting permission to read and send SMS messages.

Microsoft researchers have identified variants of this banking trojan capable of stealing credit card details and personal information. The Android ecosystem has also been targeted by other threats like the SpyNote trojan and the Enchant malware, focusing on cryptocurrency wallet data. Recent malicious apps discovered on the Google Play Store include those displaying intrusive ads, subscribing users to premium services without consent, and promoting investment scams.

Google has implemented new security features, including real-time code-level scanning and restricted settings in Android 13. Samsung introduced an Auto Blocker feature for Galaxy devices. Users are advised to be vigilant, checking the legitimacy of app developers, scrutinizing reviews, and vetting app permissions. Google Play Protect offers additional protection, warning or blocking apps exhibiting malicious behavior. Google has implemented specific protections against identified threats like TrojanSpy:AndroidOS/SpyBanker.Y and Trojan:AndroidOS/Banker.U.

🦮 Art of Detection

https://github.com/BushidoUK/Breach-Report-Collection by BushidoToken

This collection is particularly valuable for analyzing the Tactics, Techniques, and Procedures (TTPs) used by adversaries in these breaches. It serves as a crucial resource for understanding the nature of cyber intrusions and their impact.

Key Highlights from the Collection

Boeing (November 2023): Breached by LockBit, with details available on cisa.gov.
BeyondTrust (October 2023): Experienced a breach by an unknown adversary, reported on beyondtrust.com.
Okta (October 2023 and August 2022): Suffered breaches in October 2023 and August 2022 by unknown adversaries and 0ktapus, respectively.
BHI Energy (October 2023): Breached by Akira, as reported on documentcloud.org.
D-Link (October 2023): Experienced a breach by an adversary named “succumb”.
Microsoft (July 2023 and March 2022): Faced breaches by Storm-0558 (CN MSS) and Lapsus$, with details on microsoft.com.
JumpCloud (July 2023): Breached by UNC4899 (DPRK RGB), reported on jumpcloud.com.
Dragos (May 2023): Breached by “KyivWarrior”, as detailed on dragos.com.
Coinbase and Reddit (February 2023): Both companies were suspected to be breached by 0ktapus.
CircleCI (January 2023): Experienced a breach by an unknown adversary.
Uber (September 2022): Suspected to be breached by Lapsus$, reported on uber.com.
Cisco (May 2022): Breached by Yanluowang, with details on blog.talosintelligence.com.

GitHub (April 2022): Experienced a breach by an unknown adversary.
Kaseya (July 2021): Breached by an unknown adversary, reported on helpdesk.kaseya.com.
Viasat KA-SAT (February 2022): Breached by Sandworm (RU GRU), as detailed on news.viasat.com.
Irish HSE (May 2021): Breached by Conti, reported on hse.ie.
New Zealand Reserve Bank (January 2021): Breached by FIN11.
FireEye and SolarWinds (December 2020): Both companies were breached by CozyBear (RU SVR).
Equinix (September 2020): Breached by Netwalker.
CapitalOne (July 2019): Breached by “ERRAT1C” (aka Paige Thompson).
Avast/CCleaner (September 2016): Breached by WickedPanda (CN MSS).
Kaspersky (June 2015): Breached by Duqu 2.0.
RSA (April 2011): Breached by CN PLA.

🐙 Proxylife

🔥NEW MALWARE🔥 "AlfaC2" spotted in #Italy

Establish network connection via WebSocket

EML>URL(sharepoint)>.rar(psw protected)>.js>.dat(.exe)https://t.co/Q1AWCMiSVa

S1
s://agence-perinel,fr/cache/pointcross.dat
C2
p://213.183.63,99 pic.twitter.com/g0291jxv1G
— Mangusta (@Tac_Mangusta) November 27, 2023

The “AlfaC2” malware has been recently identified in Italy, showcasing a sophisticated infection chain. This malware establishes a network connection using WebSocket, indicating a high level of technical sophistication in its deployment and operation.

Infection Chain

The infection process of “AlfaC2” follows a multi-stage approach:

Initial Email (EML): The attack begins with an email containing a malicious link.
URL Redirect (SharePoint): The link in the email redirects to a SharePoint site, which hosts the malware.
Rar Archive (Password Protected): The malware is contained within a password-protected RAR file, adding a layer of obfuscation.
JavaScript File (.js): Upon extraction, a JavaScript file is used to initiate the next stage of the infection.
Executable Data File (.dat/.exe): The final payload is a .dat file, which is essentially an executable (.exe), triggering the malicious activities.

Command and Control (C2) Servers

The malware communicates with its command and control (C2) servers, which are crucial for its operation:

Stage 1 (S1): agence-perinel.fr/cache/pointcross.dat – This server is likely used for the initial command and control communications.
Stage 2 (C2): 213.183.63.99 – This IP address represents the secondary C2 server, possibly used for further instructions or data exfiltration.

🥷 TTP Analysis

The Mahagrass Organization, also known as Patchwork, White Elephant, Hangover, Dropping Elephant, and internally tracked as APT-Q-36, has been identified using the Spyder downloader to deliver the Remcos Trojan. This organization, believed to be based in South Asia, has been active since November 2009, primarily targeting Asian countries in government, military, power, industry, research, education, diplomacy, and economic sectors.

Event Overview

Spyder Malware Association: Linked to the Mahagrass organization, Spyder’s primary function is to download and execute files from a C2 server.
Recent Updates: Spyder has undergone at least two updates since July, with the latest versions deploying the Remcos Trojan.
Encryption and Communication Changes: Key strings in Spyder are now XOR-encrypted, and the communication format with the C2 server has been adjusted.
Victim Targeting: Inferred targets include Pakistan, Bangladesh, Afghanistan, and others.

Detailed Analysis

Sample Information:
- Spyder versions 1, 2, and 3, and Remcos versions 4.8.0, 4.9.0, and 4.9.1 Pro were analyzed.
- Digital signatures from GREATIV LIMITED, SYNTHETIC LABS LIMITED, and RUNSWITHSCISSORS LTD were used in the samples.
Spyder Updates:
- Version 2: Introduced XOR encryption for plaintext strings and changed the POST request data format.
- Version 3: Shifted to JSON string data representation for C2 server interaction, base64 encoded.
Remcos Trojan Deployment:
- Deployed via Spyder, pulling executable files from specified URLs.
- Observed methods include remapping .text sections of kernel32.dll and ntdll.dll, sending HTTP requests to obfuscate traffic, and loading Remcos Trojan in memory after RC4 decryption.

C2 Configuration Information for Remcos Trojan

C2 Domains:
- morimocanab.com:443 (active)
- grand123099ggcarnivol.com:443
- Omeri12oncloudd.com:443
Delimiter: 0x1E used to separate the domain groups.

👹 Scam Contract

Inferno Drainer, a notorious crypto wallet-draining service, has announced its shutdown after a significant period of criminal activity. This service gained infamy in the crypto community for aiding phishing scammers in stealing approximately $70 million in cryptocurrencies. Inferno Drainer’s operation involved providing a wallet-draining software kit for hire, which was used extensively by cybercriminals to execute phishing attacks and steal crypto assets from unsuspecting victims.

Impact: Since its rise to prominence in early 2023, Inferno Drainer has been responsible for the theft of nearly $70 million from over 100,000 victims, as reported by Web3 anti-scam platform Scam Sniffer. The team behind Inferno Drainer, however, claimed that the total amount stolen surpassed $80 million. The service operated by taking a 20% cut from the stolen assets, making it a lucrative venture for both the service providers and its users.

Conclusion and Recommendations: The shutdown of Inferno Drainer, while a positive development, does not eliminate the broader threat posed by similar services in the crypto ecosystem. Users and organizations must remain vigilant and adopt robust security measures to protect their digital assets. This includes educating about phishing tactics, using secure wallets, enabling multi-factor authentication, and regularly monitoring transactions. The crypto community and security firms must continue to collaborate to detect, report, and mitigate such threats to safeguard the integrity of the blockchain and cryptocurrency environment.

🟥 1Day

Abusing .NET Core CLR Diagnostic Features (+ CVE-2023-33127)

This report delves into the exploitation of diagnostic features in the .NET Core Common Language Runtime (CLR), including a specific vulnerability identified as CVE-2023-33127. It builds on insights from a presentation at the MCTTP 2023 Conference.

Background on .NET and CLR

.NET Framework: Launched in the early 2000s, it’s Microsoft’s implementation of the Common Language Infrastructure (CLI).
.NET Core: Released in 2016, it’s the first open-source, cross-platform version of .NET.
Common Language Runtime (CLR): A key component of .NET, responsible for executing programs, memory management, and more. In open-source .NET, it’s known as Core CLR (coreclr.dll).

.NET Native Inclusion

Default in Windows: .NET Framework (4.8.x) remains the default .NET implementation in Windows.
.NET Native: A pre-compilation technology used in Universal Windows Platform (UWP) apps, containing an instance of the Core CLR runtime.

Runtime Configuration & Diagnostics

CLR Configuration Knobs: Used for controlling CLR behavior for development, debugging, and diagnostics.
Diagnostic Extension: The profiling API in .NET Framework CLR allows monitoring of another application’s execution.

CLR Profiler Abuse

.NET Framework CLR Profiler Loading: Involves setting environment variables to load an unmanaged “profiler” DLL.
.NET Core CLR Profiler Loading: Similar to the .NET Framework but with different environment variables for open-source .NET.

.NET Core CLR Diagnostics

CLR Diagnostic Port: An IPC diagnostic endpoint enabled by default in the Core CLR.
Diagnostic Applications & Tools: Microsoft provides tools like dotnet-counters, dotnet-dump, dotnet-monitor, and dotnet-trace for diagnostics.
Diagnostic API: Microsoft offers an API for deeper interaction with the diagnostic port of .NET applications.

CVE-2023-33127: .NET Cross Session Local Privilege Escalation

Motivation: Research into offensive tradecraft led to the discovery of potential vulnerabilities in CLR diagnostic features.
Discovery Methodology: Focused on Component Object Model (COM) and cross-session attack opportunities.
Exploitation Walkthrough:
- Race Condition: Creating tampered named pipes before the target .NET application.
- Continuous COM Activation: Using Session Monikers for continuous activation of target DCOM objects.
- Payload Delivery: Utilizing the AttachProfiler capability to deliver a malicious DLL payload.

🌶️ Trending Exploit

https://twitter.com/SBousseaden/status/1729106989350085041

The PowerToys.ActionRunner.exe file, part of Microsoft’s PowerToys suite, has been identified as a potential “Living Off the Land Binary” (LOLBAS). This term refers to legitimate software that can be abused by attackers to execute malicious programs or scripts.

Analysis of PowerToys GitHub Repository

The specific code in question is located in the PowerToys GitHub repository, particularly in the elevation.h file at line 355. This line of code is part of the PowerToys utility, which is a set of tools designed to enhance Windows productivity.

The concern arises from the fact that PowerToys.ActionRunner.exe is a Microsoft-signed executable. Attackers often leverage such signed binaries to bypass security measures, as these files are generally trusted by security systems. By using PowerToys.ActionRunner.exe, an attacker could potentially execute arbitrary programs without raising immediate suspicion.

A discussion on Twitter, initiated by a user with the handle @SBousseaden, highlights this issue. However, due to restrictions in accessing the content from Twitter, specific details from this discussion are not available. Typically, such discussions in the cybersecurity community bring attention to potential vulnerabilities and misuse scenarios of legitimate software.

The identification of PowerToys.ActionRunner.exe as a LOLBAS is significant for cybersecurity. It underscores the need for continuous monitoring and analysis of even trusted, signed binaries within an organization’s network. Security teams should be aware of the potential misuse of such tools and implement appropriate monitoring and control measures.

Analysis of PowerToys GitHub Repository

🕯️ The Topic of the Week

https://twitter.com/g0njxa/status/1728124246591742317

The interview focuses on the resurgence of the Raccoon Stealer malware, now known as Raccoon Stealer 2.0 or Recordbreaker. This follows the arrest of a Ukrainian national linked to the original Raccoon Stealer operations in 2022.

Key Points from the Interview:

Raccoon Stealer’s Comeback: After law enforcement’s disruption of the original Raccoon Stealer operations, the malware has been revived as Raccoon Stealer 2.0, also referred to as Recordbreaker.
Development and Features:
- The project was entirely rewritten, including the build, front, and backend.
- The new build is significantly smaller but retains all previous functions and adds new features.
- Enhanced dynamic log information sending and SSL support.
- Improved control panel with modern libraries, powerful search, tags, and other functionalities.
- Backend improvements include abandoning common proxies for better responsiveness and reliability.
- Addition of a Telegram bot for log sending and flexible configuration.
Software Specifications:
- Complete rewrite in C++, with reduced dependencies.
- Dynamic import of functions and part-wise data sending during collection.
- Support for various wallets like Coinbase, MetaMask, Brave, and Ronin.
- Loader and Grabber features for diverse operational purposes.

Front-end Features:
- Maintains a concise and modern style.
- Flexible search system, log statuses, and on-the-fly configuration changes.
- New features like a dynamic log table and wallet block explorer.
User Agent Strategy:
- Recordbreaker uses custom User Agents for communication with C2 servers.
- Notable tracking of these User Agents by prominent threat analysts in the malware hunting community.
Future Outlook:
- The interview hints at the possibility of a Raccoon V3 if Recordbreaker faces termination.
- The developer seems to anticipate a long period of activity for Recordbreaker.