Threat Intel Roundup: XZ, Konni, ALPC, WallEscape

  • Home
  • Report
  • Threat Intel Roundup: XZ, Konni, ALPC, WallEscape
Threat Intel Roundup: XZ, Konni, ALPC, WallEscape

Technical Summary

  • Backdoor in Upstream XZ/Liblzma (CVE-2024-3094):
    • Vulnerability: Backdoor injected into XZ repository tarballs.
    • Exploit: Modifies liblzma Makefile, leading to SSH server compromise.
    • Impact: Slows down SSH logins, potential unauthorized access.
    • Mitigation: Upgrade to patched versions, monitor system performance.
  • Unusual Storage Method in LNK Files:
    • Technique: Self-extracting Windows Shell Link Binary File.
    • Storage: Hidden command lines, acts as a container for multiple files.
    • Exploitation: Exploits Windows character limit using excessive whitespace.
    • Extraction: Embedded files extracted via command line script.
  • APT Groups Operations in the Middle East:
    • Target: Operations by Advanced Persistent Threat groups.
    • Region: Middle East.
    • Activities: Espionage, data exfiltration, possibly nation-state sponsored.
  • Universal Local Privilege Escalation Exploit (CVE-2024-1086):
    • Vulnerability: Universal local privilege escalation exploit.
    • Impact: Allows unauthorized users to gain elevated privileges.
    • Exploitation: Utilizes a flaw in the affected system’s security model.
    • Mitigation: Apply patches or security updates provided by vendors.

5. Android Malware Vultur Expansion:

  • Malware: Vultur.
  • Expansion: Increasing its scope and capabilities.
  • Targets: Android devices, potential data theft, and unauthorized access.
  • Mitigation: Deploy robust mobile security solutions, avoid downloading from untrusted sources.

6. WallEscape Vulnerability in util-linux (CVE-2024-28085):

  • Vulnerability: WallEscape vulnerability in util-linux.
  • Impact: Local privilege escalation exploit.
  • Exploitation: Allows attackers to escape the confinement of restricted environments.
  • Mitigation: Apply patches or security updates, restrict access to vulnerable systems.

7. Chaining N-days to Compromise All: Windows Kernel LPE (CVE-2024-XXXX):

  • Technique: Chaining multiple zero-day vulnerabilities.
  • Exploit: Escapes Chrome sandbox, compromises Windows kernel.
  • Impact: Local privilege escalation on Windows systems.
  • Mitigation: Apply patches, update security configurations, monitor for suspicious activities.

🚨 Vulnerability of the Week

On March 29th, 2024, alarming news surfaced in the realm of cybersecurity. A malicious code had infiltrated XZ Utils, a fundamental package in major Linux distributions, unleashing a backdoor for unauthorized remote SSH access. The discovery sent shockwaves through the Open Source Software (OSS) community, as XZ Utils had long been considered a trusted and rigorously vetted project.

The perpetrators behind this nefarious scheme demonstrated a sophisticated understanding of OSS development practices. They had masqueraded as legitimate OSS developers over several years, managing to evade detection through highly obfuscated code. The malicious payload, embedded within versions 5.6.0 and 5.6.1 of XZ Utils, operated within the same process as the OpenSSH server (SSHD). By manipulating decryption routines within OpenSSH, the attackers facilitated remote access to specific adversaries possessing a particular private key. This exploit allowed for the execution of arbitrary payloads through SSH even before the authentication process, effectively compromising the entire system.

The rapid response from the OSS community led to the swift detection of the malicious code, preventing widespread infection. However, the incident underscored the vulnerability of the software supply chain and highlighted the critical need for enhanced security measures.

Who is Affected by CVE-2024-3094?

The impact of CVE-2024-3094 varied across different Linux distributions:

  • Affected Distributions: Fedora 40, 41, Rawhide (active development), Debian testing, unstable (sid), experimental, Alpine Edge (active development), Kali (installations updated between March 26th to March 29th), OpenSUSE Tumbleweed, Arch Linux.
  • Unaffected Distributions: Red Hat Enterprise Linux, Ubuntu, Amazon Linux, Wolfi, Gentoo.

How to Detect CVE-2024-3094

Detecting whether your system is vulnerable to CVE-2024-3094 involves checking the installed version of the ‘xz’ package:

strings `which xz` | grep ‘5\.6\.[01]’

A vulnerable output would indicate the presence of XZ Utils versions 5.6.0 or 5.6.1.

How to Remediate CVE-2024-3094

If your system is affected, immediate action is necessary. Options for remediation include:

  • Downgrade XZ Utils: Immediately revert to an earlier version, such as 5.4.6, which remains unaffected by the exploit.
  • Restart SSH: After downgrading XZ Utils, reboot your machine or restart the OpenSSH server to purge the patched code from memory.
  • Implement Kill Switch: Alternatively, if upgrading is not feasible, you can disable the backdoor functionality by adding a specific string to ‘/etc/environment’.

Art of Exploitation

In this post, we delve into the intricacies of escaping the Chrome sandbox by exploiting a critical Windows kernel vulnerability, specifically CVE-2023–21674, known as a Use-After-Free vulnerability in the NTOS kernel.

This exploit marks a significant milestone as it represents the first Windows kernel In-The-Wild vulnerability in 2023. Leveraging our threat intelligence service, Fermium-252, we’ve had access to both a Proof of Concept (PoC) and an exploit for this vulnerability since January 2023.

Understanding Advanced Local Procedure Call (ALPC)

At the core of our exploit lies the Advanced Local Procedure Call (ALPC), a crucial inter-process communication feature introduced in Windows Vista. ALPC facilitates rapid message communication between processes, enhancing efficiency compared to the synchronous communication mechanisms of older Windows NT kernels.

Key features of ALPC include:

  • Fast Message Communication: ALPC enables swift data exchange between processes, enhancing overall system performance.
  • Asynchronous Communication: Unlike its predecessors, ALPC supports asynchronous communication, eliminating the need for processes to wait for messages, thereby improving system responsiveness.

Exploiting CVE-2023–21674: The Use-After-Free Vulnerability

The crux of our exploit lies in the exploitation of CVE-2023–21674, a Use-After-Free vulnerability present within the NTOS kernel. This type of vulnerability arises when memory is improperly accessed after it has been freed, leading to potentially exploitable conditions.

Attack Vector

Our exploit leverages the inherent vulnerability within the Windows kernel to execute arbitrary code within the context of the Chrome browser. By carefully crafting a sequence of actions, we can trigger the Use-After-Free condition, allowing us to escape the Chrome sandbox and gain elevated privileges within the operating system.


The successful exploitation of CVE-2023–21674 poses severe implications for system security. With the ability to escape the Chrome sandbox, attackers can execute malicious code with elevated privileges, potentially compromising sensitive data and system integrity.

Art of Detection

Recent discoveries in cyber threat intelligence have unveiled a novel approach adopted by threat actors to conceal and deploy malicious payloads through the manipulation of Windows Shell Link Binary Files (LNK). These findings shed light on the evolving tactics of cyber adversaries and emphasize the importance of robust cybersecurity measures in detecting and mitigating such threats.

Key Insights:

  • Oversized LNK Files as Container: LNK files, typically used as shortcuts, are being repurposed by attackers as containers for multiple files, including hidden command lines and payloads. This unconventional storage method allows threat actors to bypass traditional security measures and evade detection.
  • Exploiting Windows Character Limit: Attackers exploit Windows’ character limit by inserting excessive whitespace symbols into LNK files, rendering the command line invisible in the file properties. This stealthy technique aims to deceive security solutions and facilitate covert operations.
  • Self-Extracting Payload: Embedded files within LNK files are extracted via command line scripts, enabling attackers to execute malicious payloads discreetly. The use of PowerShell scripts, disguised as legitimate processes like rshell.exe, serves to obfuscate malicious activities and evade detection mechanisms.
  • Execution Chain: The execution chain involves a series of steps orchestrated by the malicious script, including reading data from the LNK file, creating decoy documents, unpacking ZIP files, and executing malicious scripts using Windows Script Host (WSCRIPT). This intricate process highlights the sophistication of modern cyber threats and the need for proactive defense strategies.

Detection and Mitigation:

  • Threat Intelligence Queries: Security teams can proactively search for similar files through threat intelligence platforms using specific queries such as CommandLine:”*rshell.exe” and FileName:”.lnk$”. This enables the identification of potential threats and facilitates timely response measures.
  • Behavioral Analysis: Conducting behavioral analysis of LNK files and associated scripts can uncover anomalous patterns and activities indicative of malicious intent. By monitoring execution chains and analyzing file interactions, security professionals can detect and mitigate threats more effectively.
  • Dynamic Analysis: Leveraging dynamic analysis platforms like Any.Run allows security analysts to examine the behavior of suspicious files in a controlled environment. This enables the identification of malicious activities and provides insights into the tactics, techniques, and procedures (TTPs) employed by threat actors.

🥵 Malware or Ransomware

The notorious Android banking malware, Vultur, has recently undergone significant upgrades, with its authors introducing new technical features that enhance their ability to remotely interact with infected devices. These enhancements include advanced capabilities such as file management, control over Accessibility Services, and circumvention of security measures like Keyguard. Additionally, Vultur has adopted sophisticated evasion techniques, including encryption of its command-and-control (C2) communication and masquerading as legitimate applications to conceal its malicious activities.

Key Takeaways:

  • Vultur, initially discovered in March 2021, has evolved with new features allowing:
    • File management functionalities such as downloading, uploading, deleting, and installing files.
    • Remote control of infected devices using Android Accessibility Services.
    • Evasion of security measures like preventing apps from running and disabling Keyguard.
  • Despite the new features, Vultur maintains its remote access capabilities using AlphaVNC and ngrok.
  • Vultur has improved its evasion techniques through modifications of legitimate apps, use of native code for payload decryption, and AES encryption for C2 communication.

Vultur, a pioneering Android banking malware, has long been recognized for its screen recording capabilities and keylogging functionalities, primarily targeting banking applications for illicit gains. Initially discovered in March 2021, Vultur has since evolved, demonstrating connections with other malware families and adopting sophisticated distribution techniques.

Infection Chain:

Vultur employs a hybrid attack strategy involving SMS messages and phone calls to deceive victims into installing the malware. The dropper, disguised as a modified version of the McAfee Security app, delivers three payloads to the infected device, each enhancing the malware’s control and surveillance capabilities.

New Features in Vultur:

The latest iteration of Vultur introduces several notable enhancements:

  • Advanced Remote Control: Leveraging Android Accessibility Services, Vultur can now perform various actions remotely, including clicks, scrolls, and swipe gestures.
  • File Management: Vultur gains the ability to manage files on infected devices, enabling downloading, uploading, deleting, and installing files.
  • App Blocking: The malware can prevent specified apps from running, enhancing its ability to evade detection and control the victim’s device.
  • Custom Notifications: Vultur can display custom notifications in the device’s status bar, further enhancing its disguise as legitimate applications.

🥷 TTP Analysis

The Middle East serves as a prominent target for Advanced Persistent Threat (APT) groups due to its strategic significance in global affairs and its burgeoning technological landscape. With a flourishing economy fueled by natural resource extraction, particularly in oil production, alongside a burgeoning industrial sector and extensive government infrastructure, the region presents a lucrative target for cybercriminals seeking to exploit vulnerabilities in information systems.

APT Groups’ Interest in the Middle East

Our analysis has uncovered a substantial volume of successful cyberattacks on Middle Eastern countries, with over 80% being targeted assaults. The primary motivation for these attacks is the theft of valuable information, ranging from personal data and login credentials to confidential corporate documents. Dark web markets frequently feature discussions around these pilfered assets, highlighting their desirability among cybercriminals.

Targeted Industries

Top-ranking industries subjected to APT attacks include government institutions, energy sectors, military-industrial complexes, media outlets, and telecommunications. These sectors, crucial to the region’s stability and economic prosperity, attract the attention of cyber adversaries seeking political, economic, and military advantages.

Techniques Employed by APT Groups

Pre-Attack Preparation

APT groups meticulously prepare for their campaigns, conducting extensive reconnaissance to identify potential vulnerabilities and suitable targets. Techniques such as network scanning, gathering employee information, and reconnaissance on social media platforms enable attackers to tailor their attacks for maximum impact.

🟥 1Day

A newly discovered vulnerability, CVE-2024-28085, known as “WallEscape,” has emerged, affecting the “wall” command within the util-linux package. This vulnerability poses a significant risk to Linux distributions such as Ubuntu and Debian, potentially exposing users’ passwords or allowing for clipboard alteration.

CVE-2024-28085, dubbed WallEscape by security researcher Skyler Ferrante, exploits a flaw in the util-linux wall command, specifically related to improper neutralization of escape sequences in command line arguments. This vulnerability was introduced in a commit made in August 2013.


The vulnerability allows unprivileged users to inject arbitrary text onto other users’ terminals, provided that the mesg utility is set to “y” (enabled) and the wall command has setgid permissions. This opens the door for potential exploitation scenarios, including tricking users into entering passwords via fake sudo prompts and altering clipboards through escape sequences on select terminals.

Affected Systems

Ubuntu 22.04 and Debian Bookworm are confirmed to be vulnerable, as they meet the criteria of having mesg set to “y” and wall command setgid permissions. However, CentOS is not susceptible to this vulnerability, as the wall command does not have setgid permissions.

Exploitation and Mitigation

Exploiting CVE-2024-28085 can lead to severe consequences, such as leaking user passwords and unauthorized clipboard alterations. To mitigate this vulnerability, users are strongly advised to update util-linux to version 2.40 or later.

Detection and Indicators

On Ubuntu 22.04, an incorrect password prompt may indicate an attack, along with the user’s password appearing in their command history. It’s crucial for users to remain vigilant and promptly update their systems to prevent exploitation.

🌶️ Trending Exploit

A Proof-of-Concept (PoC) exploit for CVE-2024-1086 has emerged, capable of escalating privileges locally on most Linux kernels between versions 5.14 and 6.6. This exploit, which has a remarkable success rate of 99.4% in KernelCTF images, poses a significant threat to systems running affected versions of Linux, including Debian, Ubuntu, and KernelCTF.

Exploit Details

The exploit, documented in a comprehensive write-up on the Flipping Pages blogpost, targets a vulnerability present in Linux kernels from version 3.15 to version 6.8-rc1, excluding patched stable branches. The exploit affects versions from 5.14 to 6.6, with patched branches v5.15.149>, v6.1.76>, v6.6.15> being immune to the vulnerability.


Several caveats must be considered when utilizing the exploit:

  • Kernel Configuration Requirements: The exploit relies on specific kernel configurations, including the presence of user namespaces (CONFIG_USER_NS=y), unprivileged user namespaces (kernel.unprivileged_userns_clone = 1), and enabled nf_tables (CONFIG_NF_TABLES=y).
  • Stability Concerns: The exploit may exhibit instability on systems with high network activity or WiFi adapters, particularly in environments with heavy WiFi network usage.
  • Configuration Flexibility: Users can adjust configuration parameters in src/config.h to accommodate different setups or distributions.


The default configuration settings are suitable for Debian, Ubuntu, and KernelCTF environments. Users should verify that kernel configurations match the target system if operating on untested distributions.

🕯️ The Topic of the Week

Recent investigations by security researcher Andres Freund have unveiled a critical security vulnerability affecting the upstream XZ repository, specifically within the liblzma component. This vulnerability, present in versions 5.6.0 and 5.6.1, involves a backdoor injected into the distributed tarballs, potentially leading to the compromise of systems where affected versions are installed.

Background: Andres Freund noticed anomalous behavior in Debian sid installations involving liblzma, such as excessive CPU usage during SSH logins and valgrind errors. Upon further analysis, he discovered that the upstream XZ repository and its associated tarballs had been compromised, allowing threat actors to inject malicious code.

Details of the Compromise: The compromised release tarballs contain an obfuscated script injected into the configure process, which modifies the Makefile of liblzma under certain conditions. This modification includes executing a script that ultimately leads to the injection of malicious code into the system.

Impact and Observations: The injected code targets x86-64 Linux systems, particularly those using glibc. It intercepts execution by replacing certain resolver functions and performs various environment checks to determine whether to proceed with the exploit. SSH servers using libsystemd may experience significant slowdowns due to the backdoor.

Detection and Mitigation:

  • Upgrade: Immediately upgrade affected systems to versions of XZ/liblzma that are not compromised (versions 5.6.2 and later).
  • Vulnerability Detection: Utilize detection scripts provided by Vegard Nossum to identify potentially vulnerable systems.
  • Monitoring: Monitor system performance and SSH login times for any signs of abnormal behavior.
  • Communication: Report any instances of compromise to relevant security mailing lists and authorities.


  • Organizations and individuals using XZ/liblzma are strongly urged to update their software to patched versions to mitigate the risk of exploitation.
  • Security teams should conduct thorough assessments of their systems to detect any signs of compromise and take appropriate remedial actions.

Leave a Reply

Your email address will not be published. Required fields are marked *