Seemingly helpful NOTROBIN is actually a backdoor.
FireEye describes the activities of a threat actor who is exploiting CVE-2019-19781 to deploy code on Citrix Application Delivery Controller (ADC, formerly NetScaler) devices. The code, which FireEye calls "NOTROBIN," is a backdoor that lets the attacker retain exclusive access to a compromised device.
NOTROBIN initially seemed to be the work of an altruistic Robin Hood, as researchers at DCSO pointed out. When the code is deployed on a device, it searches for malware already present on the device and deletes it. After this, the code continuously monitors the device for known malware and blocks subsequent attempts to exploit CVE-2019-19781 by instantly deleting new files that show up in commonly targeted directories. Up to this point, the attacker seems to be doing the victim a favor; FireEye observed one case in which NOTROBIN cleaned up multiple prior infections on a device and successfully blocked "more than a dozen" further attacks over the next three days.
However, FireEye's researchers found that NOTROBIN spares files that contain a specific hardcoded key, so the attacker can push down any files they like as long as they include the key. The "cleanup" therefore removes competitors, not the attacker's own access, and a device that NOTROBIN has tidied up should still be treated as compromised. FireEye concludes that "this actor may be quietly collecting access to NetScaler devices for a subsequent campaign."
JhoneRAT utilizes cloud providers.
Cisco Talos outlines a new remote access Trojan targeting Arabic-speaking countries in the Middle East and North Africa. The researchers have dubbed the Trojan "JhoneRAT," and they describe it as a Python-based "homemade RAT that works in multiple layers hosted on cloud providers." These cloud providers are Google Drive, Twitter, Google Forms, and image hosting service ImgBB.
The malware is distributed via phishing emails carrying malicious Microsoft Office documents. The macros in these documents download another macro-laden document from Google Drive, which tries to determine whether it is running in a virtual machine by checking whether the disks in the machine report a serial number (virtual disks often don't). If it finds a serial number, it concludes that it is probably not in a virtual machine and continues. The rest of the macro downloads an image from another Google Drive link: a JPEG of a cartoon with a base64-encoded binary appended after the end of the image data. That binary, once decoded, downloads the final payload, JhoneRAT.
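The lure image works because image viewers stop at the JPEG end-of-image marker and ignore whatever follows, so a file can look like a cartoon and still carry a payload. The following is an added example, not code from Talos or from the JhoneRAT campaign: it walks the JPEG marker structure to find the true end of the image, carves whatever trails it, and tries to base64-decode that trailer. The sample image and the "dropper" bytes are constructed inline; the real campaign's image and binary are not reproduced here.

```python
import base64
import binascii

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def jpeg_end_offset(blob: bytes) -> int:
    """Walk the JPEG marker structure and return the offset just past the EOI marker.

    Segments before SOS carry a two-byte length (which includes itself). After SOS
    the entropy-coded data is scanned for the next real marker: 0xFF followed by
    anything other than 0x00 (byte stuffing) or an RSTn marker. Bytes after the
    returned offset are not part of the image at all.
    """
    if not blob.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = blob[pos + 1]
        if marker == 0xFF:                      # fill byte; next 0xFF starts the marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                      # EOI
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no payload
            continue
        if pos + 2 > len(blob):
            break
        pos += int.from_bytes(blob[pos:pos + 2], "big")
        if marker == 0xDA:                      # SOS: skip the entropy-coded scan data
            while pos + 1 < len(blob):
                nxt = blob[pos + 1]
                if blob[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def appended_payload(blob: bytes):
    """Return (raw_trailer, decoded) for data after EOI, or (None, None) for a clean image.

    decoded is the base64-decoded trailer, or None when the trailer is not valid base64
    (the trailer is still reported, since any appended data is worth a look).
    """
    trailer = blob[jpeg_end_offset(blob):]
    if not trailer:
        return None, None
    try:
        decoded = base64.b64decode(trailer.strip(), validate=True)
    except (binascii.Error, ValueError):
        decoded = None
    return trailer, decoded


# Constructed sample (not the campaign's image): SOI, an APP0/JFIF segment, a
# one-component SOS segment, a few bytes of scan data containing one 0xFF00
# stuffing sequence, EOI, and then a base64 stand-in for the downloader binary.
FAKE_DROPPER = b"MZ\x90\x00" + b"constructed stand-in for the downloader binary"
CLEAN_JPEG = (
    SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # APP0, length 16
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS, length 8
    + b"\x12\x34\xff\x00\x56"                                          # scan data
    + EOI
)
LURE_JPEG = CLEAN_JPEG + base64.b64encode(FAKE_DROPPER)

if __name__ == "__main__":
    trailer, decoded = appended_payload(LURE_JPEG)
    print("image ends at", jpeg_end_offset(LURE_JPEG), "of", len(LURE_JPEG), "bytes")
    print("trailer bytes:", len(trailer), "decoded:", decoded[:4])
```

Searching for the last `FF D9` with `rfind` would also work for a base64 trailer (base64 text can never contain 0xFF), but walking the markers is what lets the same check flag arbitrary binary trailers, where a stray `FF D9` inside the appended data would fool a naive search.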
JhoneRAT receives commands via tweets by the Twitter account @jhone87438316, which has since been suspended by Twitter (although the researchers note that it would be trivial for the attacker to resume operations under a new handle). The tweeted commands could be tailored to each victim based on their unique identifiers, or they could be sent to all compromised machines at once. The RAT exfiltrates screenshots by uploading them to ImgBB, and it can send the results of certain commands to Google Forms. It can also download and execute additional base64-encoded files from Google Drive.
The JhoneRAT campaign has been ongoing since November 2019, and is targeting users with keyboard layouts matching Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.
Rekoobe has been operating undetected.
Intezer's researchers have discovered new versions of the Rekoobe malware, a Trojan that targets Linux systems. Rekoobe was believed to have shut down in 2016, but the new variants appear to have been active since 2018. While earlier versions of Rekoobe had high detection rates, the new samples were undetected on VirusTotal when Intezer came across them, even though the source code hasn't been significantly changed. The researchers believe the malware has stayed undetected because, unlike the old versions, the new variants are statically linked rather than dynamically linked, and because the developers "have removed every attributive string from older variants in their new samples." Additionally, given the time gap, the newer versions would have been built with a newer version of the GCC compiler, producing different machine code and therefore different byte-level signatures.
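Both of the evasion changes Intezer points to are visible in the ELF headers without running or disassembling the sample: a statically linked binary has no PT_INTERP or PT_DYNAMIC program header, and a stripped one has no SHT_SYMTAB section. The following is an added example (not Intezer's tooling, and not Rekoobe code) that reads those headers directly. The two sample ELF images are constructed inline from header fields only; they are not real binaries and are not executable.

```python
import struct
from dataclasses import dataclass

PT_DYNAMIC, PT_INTERP = 2, 3
SHT_SYMTAB = 2

EHDR = "<16sHHIQQQIHHHHHH"     # ELF64 header, little-endian (64 bytes)
PHDR = "<IIQQQQQQ"             # ELF64 program header (56 bytes)
SHDR = "<IIQQQQIIQQ"           # ELF64 section header (64 bytes)


@dataclass
class ElfSummary:
    statically_linked: bool   # no PT_INTERP / PT_DYNAMIC program header
    has_symtab: bool          # an SHT_SYMTAB section is still present


def elf_summary(blob: bytes) -> ElfSummary:
    """Classify an ELF64 little-endian file by its program and section headers."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if blob[4] != 2 or blob[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    fields = struct.unpack_from(EHDR, blob, 0)
    e_phoff, e_shoff = fields[5], fields[6]
    e_phentsize, e_phnum, e_shentsize, e_shnum = fields[9], fields[10], fields[11], fields[12]

    p_types = {struct.unpack_from("<I", blob, e_phoff + i * e_phentsize)[0]
               for i in range(e_phnum)}
    # sh_type sits 4 bytes into each section header, after sh_name
    sh_types = {struct.unpack_from("<I", blob, e_shoff + i * e_shentsize + 4)[0]
                for i in range(e_shnum)} if e_shoff else set()

    return ElfSummary(
        statically_linked=not (p_types & {PT_INTERP, PT_DYNAMIC}),
        has_symtab=SHT_SYMTAB in sh_types,
    )


def static_and_stripped(blob: bytes) -> bool:
    """The build profile Intezer describes for the new samples: static, no symbol table."""
    s = elf_summary(blob)
    return s.statically_linked and not s.has_symtab


def build_test_elf(p_types, sh_types) -> bytes:
    """Construct a minimal ELF64 image carrying only the given header types (a test fixture)."""
    phoff = 64
    shoff = phoff + 56 * len(p_types)
    hdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + bytes(9),
                      2, 0x3E, 1, 0, phoff, shoff if sh_types else 0, 0,
                      64, 56, len(p_types), 64, len(sh_types), 0)
    phdrs = b"".join(struct.pack(PHDR, t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)
    shdrs = b"".join(struct.pack(SHDR, 0, t, 0, 0, 0, 0, 0, 0, 0, 0) for t in sh_types)
    return hdr + phdrs + shdrs


# Constructed fixtures: an "old-style" dynamically linked binary with symbols,
# and a "new-style" one that is statically linked and stripped.
OLD_STYLE = build_test_elf([PT_INTERP, PT_DYNAMIC, 1], [1, SHT_SYMTAB, 3])
NEW_STYLE = build_test_elf([1, 1], [1, 3])

if __name__ == "__main__":
    for name, blob in (("old-style", OLD_STYLE), ("new-style", NEW_STYLE)):
        print(name, elf_summary(blob), "evasion profile:", static_and_stripped(blob))
```

Neither property is malicious on its own (plenty of legitimate Go and musl binaries are static and stripped), so this is a triage filter for a hunting pipeline, not a detection by itself: it tells you which files can no longer be matched by the import-table and string-based signatures that caught the 2016 variants and therefore need code-level similarity analysis instead.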
Chameleon attacks can help spread disinformation on social media.
Researchers at Ben-Gurion University have published a paper on an attack technique they call "Chameleon," in which social media posts are changed without notifying people who have already liked, retweeted, or commented on the posts. The technique can be used for spreading disinformation and causing reputational damage, as well as for promoting spam and clickbait. The platforms examined in the study are Facebook, Twitter, and LinkedIn, each of which was found to be vulnerable to this form of manipulation. These platforms have some mitigations in place—Facebook allows users to inspect the edit history of a post, LinkedIn marks a post as edited, and Twitter doesn't allow tweets to be edited—but they still allow link previews to be updated.
When a user posts a redirect link on one of these platforms, the post displays a preview of the page at the end of the redirect chain. If that page changes, or the redirect is pointed at a different page, the preview in the post is refreshed as well, while the likes and comments gathered under the old preview stay attached to the post. Facebook users who have liked or commented on such a post are not notified of the change, although shared posts retain the original link preview. The same is true for likes and comments on Twitter and LinkedIn, but retweets and shares on those platforms are updated with the new preview.
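The gap the attack exploits is that the platform stores the user's reaction against the post, while the preview is derived from content the attacker still controls. The following is an added example, not from the BGU paper or any platform's code, that simulates the mechanism offline: a constructed redirect hop and two constructed landing pages stand in for the web, a small parser pulls the Open Graph tags the preview is built from, and a fingerprint of the resolved preview is pinned at like time so that a later re-render can tell the user whether what they endorsed has changed. The URLs, page text and the pinning scheme are all assumptions for illustration.

```python
import hashlib
from html.parser import HTMLParser

# Constructed stand-in for the web: one attacker-controlled redirect and two
# landing pages. No network access is made; resolve() consults this table.
SITE = {
    "https://short.example/abc": ("redirect", "https://news.example/charity-drive"),
    "https://news.example/charity-drive": ("page",
        "<html><head>"
        "<meta property='og:title' content='Local charity drive raises $50k'>"
        "<meta property='og:description' content='Volunteers exceed their goal.'>"
        "</head></html>"),
    "https://news.example/smear": ("page",
        "<html><head>"
        "<meta property='og:title' content='Shocking claims about a local official'>"
        "<meta property='og:description' content='Unverified allegations circulate.'>"
        "</head></html>"),
}


class OpenGraphParser(HTMLParser):
    """Collect <meta property='og:...' content='...'> tags from a page."""
    def __init__(self):
        super().__init__()
        self.tags = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = a.get("property") or ""
        if prop.startswith("og:") and a.get("content") is not None:
            self.tags[prop] = a["content"]


def resolve(url, site, max_hops=5):
    """Follow redirects in the constructed site table; return (final_url, html)."""
    for _ in range(max_hops + 1):
        kind, target = site[url]
        if kind == "page":
            return url, target
        url = target
    raise RuntimeError("too many redirects")


def build_preview(url, site):
    """What the platform's crawler would show for a posted link."""
    final_url, html = resolve(url, site)
    parser = OpenGraphParser()
    parser.feed(html)
    return {"final_url": final_url,
            "title": parser.tags.get("og:title", ""),
            "description": parser.tags.get("og:description", "")}


def preview_fingerprint(preview):
    """Hash of the resolved preview, pinned to a like/comment when it is made."""
    h = hashlib.sha256()
    for key in ("final_url", "title", "description"):
        h.update(preview[key].encode("utf-8"))
        h.update(b"\0")
    return h.hexdigest()


def render_for_engaged_user(post_url, site, pinned_fp):
    """Re-crawl the link; report whether it still matches what the user reacted to."""
    current = build_preview(post_url, site)
    return current, preview_fingerprint(current) == pinned_fp


def chameleon_scenario():
    """Like a benign-looking post, then have the attacker repoint the redirect."""
    site = dict(SITE)
    post_url = "https://short.example/abc"
    liked = build_preview(post_url, site)
    pin = preview_fingerprint(liked)
    # Attacker changes the redirect target; the platform re-crawls and updates the preview.
    site[post_url] = ("redirect", "https://news.example/smear")
    current, unchanged = render_for_engaged_user(post_url, site, pin)
    return liked, current, unchanged


if __name__ == "__main__":
    liked, current, unchanged = chameleon_scenario()
    print("liked:  ", liked["title"])
    print("now:    ", current["title"])
    print("preview unchanged since like:", unchanged)
```

The point of the fingerprint is that it captures the resolved destination, not the posted URL: the short link never changes, so comparing URLs would miss the swap. A platform that stored this pin with each reaction could mark the reaction as "made under a different preview" or prompt the user, which is the missing notification the researchers describe.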
One of the BGU researchers, Dr. Rami Puzis, told ZDNet that "the repercussions from indicating support by liking something you would never do (Biden vs. Trump, Yankees vs. Red Sox, ISIS vs. US) from employers, friends, family, or government enforcement unaware of this social media scam can wreak havoc in just minutes." The researchers conducted experiments and found that social media users will accept the legitimacy of these types of posts unless they're made aware of the technique beforehand.