At a glance.
- "Trojan Source" technique can conceal vulnerabilities in code.
- BlackMatter affiliate uses custom tool for data exfiltration.
- New malware loader.
- Android malware gains root access.
"Trojan Source" technique can conceal vulnerabilities in code.
Researchers from the University of Cambridge have disclosed an attack technique affecting most modern programming languages, in which an attacker can insert vulnerabilities into code that are invisible to a human reviewer. The issue was found to affect C, C++, C#, JavaScript, Java, Rust, Go, and Python, as well as GitHub, BitBucket, VS Code, Atom, SublimeText, Notepad++, vim, and emacs. The researchers believe the vulnerability also affects most other languages and tools, including GitLab. The vulnerability stems from the fact that compilers and editors accept Unicode source text, which can mix left-to-right scripts (such as English) and right-to-left scripts (such as Arabic) and includes control characters that change the order in which such text is displayed. The definition of the vulnerability, tracked as CVE-2021-42574, is as follows:
"An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers."
The researchers offer the following recommendations to begin addressing this problem:
"Compilers, interpreters, and build pipelines supporting Unicode should throw errors or warnings for unterminated bidirectional control characters in comments or string literals, and for identifiers with mixed-script confusable characters.
"Language specifications should formally disallow unterminated bidirectional control characters in comments and string literals.
"Code editors and repository frontends should make bidirectional control characters and mixed-script confusable characters perceptible with visual symbols or warnings."
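The first and third recommendations above can be implemented as a small check that a build pipeline or editor plugin runs over source files. The following Python scanner is an added example for this roundup, not code from the Cambridge researchers: it reports every Bidi control character it finds and flags comments and string literals that leave an embedding, override or isolate open. The Python-specific part relies on the standard tokenize module to locate comments and strings; the SAMPLE input and its contents are constructed for illustration.

```python
"""Scanner for Unicode bidirectional (Bidi) control characters in source text.

Added example implementing the Trojan Source mitigation recommended by the
researchers: flag unterminated Bidi controls inside comments and string
literals (for Python source, via the standard tokenize module) and report
every Bidi control so a CI step or editor can make it visible.
"""
import io
import tokenize
import unicodedata

# Embedding/override controls are closed by PDF (U+202C); isolate controls
# are closed by PDI (U+2069).  Any control still open at the end of a comment
# or string literal is "unterminated" in the researchers' sense.
EMBED_OPEN = {"\u202a", "\u202b", "\u202d", "\u202e"}   # LRE, RLE, LRO, RLO
ISOLATE_OPEN = {"\u2066", "\u2067", "\u2068"}            # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"
BIDI_CONTROLS = EMBED_OPEN | ISOLATE_OPEN | {PDF, PDI}


def find_bidi_controls(text):
    """Return (line, column, 'U+XXXX', name) for every Bidi control in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
    return hits


def unterminated(text):
    """True if text ends with an embedding/override or isolate still open.

    Follows the closing rules of the Unicode Bidi algorithm: PDF closes the
    innermost open embedding/override (but never an isolate), and PDI closes
    the nearest open isolate together with everything opened inside it.
    """
    stack = []  # "E" for embedding/override, "I" for isolate
    for ch in text:
        if ch in EMBED_OPEN:
            stack.append("E")
        elif ch in ISOLATE_OPEN:
            stack.append("I")
        elif ch == PDF:
            if stack and stack[-1] == "E":
                stack.pop()
        elif ch == PDI:
            if "I" in stack:
                while stack.pop() != "I":
                    pass
    return bool(stack)


def check_python_source(source):
    """Report Bidi findings in Python source text, sorted by line.

    Each finding is (line, kind, message): kind "unterminated" for a comment
    or string literal that leaves a control open, kind "bidi" for every
    Bidi control present anywhere in the file.
    """
    findings = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type in (tokenize.COMMENT, tokenize.STRING) and unterminated(tok.string):
            kind = tokenize.tok_name[tok.type].lower()
            findings.append((tok.start[0], "unterminated",
                             f"{kind} leaves a Bidi control open"))
    for line, col, code, name in find_bidi_controls(source):
        findings.append((line, "bidi", f"{code} {name} at column {col}"))
    return sorted(findings)


# Constructed sample (not taken from the paper): line 2 carries an RLO
# (U+202E) in a comment that is never closed, line 3 an RLI (U+2067) in a
# string literal that is never closed, and line 4 a properly closed isolate
# that must not be reported as unterminated.
SAMPLE = (
    "access_level = 'user'\n"
    "if access_level != 'none': # \u202e note for reviewers\n"
    "    print('\u2067unterminated isolate')\n"
    "label = '\u2067Arabic text\u2069'\n"
)

if __name__ == "__main__":
    for line, kind, message in check_python_source(SAMPLE):
        print(f"line {line}: {kind}: {message}")
```

Run as a script it prints two "unterminated" findings (lines 2 and 3) and four "bidi" findings; in a pipeline, a non-empty "unterminated" list is the condition that should fail the build, while the "bidi" list is the input for a warning or for an editor that renders the characters visibly. The check deliberately does not try to judge whether a given control is malicious: the researchers' point is that unterminated controls in comments and literals have no legitimate use, so the safe policy is to reject them outright.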
BlackMatter affiliate uses custom tool for data exfiltration.
Researchers at Symantec have observed an affiliate of the BlackMatter ransomware-as-a-service group using a custom-made tool for exfiltrating data from its victims:
"At least one affiliate of the BlackMatter ransomware operation has begun using a custom data exfiltration tool in its attacks. Exmatter, which was discovered by Symantec’s Threat Hunter Team, is designed to steal specific file types from a number of selected directories and upload them to an attacker-controlled server prior to deployment of the ransomware itself on the victim’s network.
"This is the third time a custom data exfiltration tool appears to have been developed by ransomware operators, following the earlier discovery of the Ryuk Stealer tool and StealBit, which is linked to the LockBit ransomware operation."
Symantec has observed several versions of this tool, indicating that its developers are continuing to improve it.
New malware loader.
Cisco Talos says a new malware loader dubbed "SQUIRRELWAFFLE" is being used to deliver Qakbot and Cobalt Strike. The researchers note that the malware "could become the next big player in the spam space," and is helping to fill the void that was left after Emotet's disruption by law enforcement:
"Beginning in mid-September 2021, we observed malspam campaigns being used to deliver malicious Microsoft Office documents that function as the initial stage of the infection process and are used to infect systems with SQUIRRELWAFFLE. Similar to what has been observed in previous threats like Emotet, these campaigns appear to be leveraging stolen email threads, as the emails themselves appear to be replies to existing email threads."
Android malware gains root access.
Lookout has spotted sophisticated Android malware dubbed "AbstractEmu" that is able to gain root access on Android devices. The researchers state:
"We named the malware 'AbstractEmu' after its use of code abstraction and anti-emulation checks to avoid running while under analysis. A total of 19 related applications were uncovered, seven of which contain rooting functionality, including one on Play that had more than 10,000 downloads. To protect Android users, Google promptly removed the app as soon as we notified them of the malware.
"This is a significant discovery because widely-distributed malware with root capabilities have become rare over the past five years. As the Android ecosystem matures there are fewer exploits that affect a large number of devices, making them less useful for threat actors."