"Trojan Source" technique can conceal vulnerabilities in code. BlackMatter affiliate uses custom tool for data exfiltration. Android malware gains root access.

Summary

By the CyberWire staff

At a glance.

"Trojan Source" technique can conceal vulnerabilities in code.
BlackMatter affiliate uses custom tool for data exfiltration.
New malware loader.
Android malware gains root access.

"Trojan Source" technique can conceal vulnerabilities in code.

Researchers from the University of Cambridge have disclosed an attack technique affecting most modern programming languages, in which an attacker can insert vulnerabilities into code that are invisible to the human eye. The issue was found to affect C, C++, C#, JavaScript, Java, Rust, Go, and Python, as well as GitHub, BitBucket, VS Code, Atom, SublimeText, Notepad++, vim, and emacs. The researchers believe the vulnerability also affects most other languages and tools, including GitLab. The vulnerability relates to the fact that most programming languages have the ability to display languages left-to-right (such as English) and right-to-left (such as Arabic). The definition of the vulnerability, tracked as CVE-2021-42574, is as follows:

"An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers."

The researchers offer the following recommendations to begin addressing this problem:

"Compilers, interpreters, and build pipelines supporting Unicode should throw errors or warnings for unterminated bidirectional control characters in comments or string literals, and for identifiers with mixed-script confusable characters.

"Language specifications should formally disallow unterminated bidirectional control characters in comments and string literals.

"Code editors and repository frontends should make bidirectional control characters and mixed-script confusable characters perceptible with visual symbols or warnings."

BlackMatter affiliate uses custom tool for data exfiltration.

Researchers at Symantec have observed an affiliate of the BlackMatter ransomware-as-a-service group using a custom-made tool for exfiltrating data from its victims:

"At least one affiliate of the BlackMatter ransomware operation has begun using a custom data exfiltration tool in its attacks. Exmatter, which was discovered by Symantec’s Threat Hunter Team, is designed to steal specific file types from a number of selected directories and upload them to an attacker-controlled server prior to deployment of the ransomware itself on the victim’s network.

"This is the third time a custom data exfiltration tool appears to have been developed by ransomware operators, following the earlier discovery of the Ryuk Stealer tool and StealBit, which is linked to the LockBit ransomware operation."

Symantec has observed several versions of this tool, indicating that its developers are continuing to improve it.

New malware loader.

Cisco Talos says a new malware loader dubbed "SQUIRRELWAFFLE" is being used to deliver Qakbot and Cobalt Strike. The researchers note that the malware "could become the next big player in the spam space," and is helping to fill the void that was left after Emotet's disruption by law enforcement:

"Beginning in mid-September 2021, we observed malspam campaigns being used to deliver malicious Microsoft Office documents that function as the initial stage of the infection process and are used to infect systems with SQUIRRELWAFFLE. Similar to what has been observed in previous threats like Emotet, these campaigns appear to be leveraging stolen email threads, as the emails themselves appear to be replies to existing email threads."

Android malware gains root access.

Lookout has spotted a sophisticated Android malware dubbed "AbstractEmu" that has the ability to gain root access on Android devices. The researchers state:

"We named the malware 'AbstractEmu' after its use of code abstraction and anti-emulation checks to avoid running while under analysis. A total of 19 related applications were uncovered, seven of which contain rooting functionality, including one on Play that had more than 10,000 downloads. To protect Android users, Google promptly removed the app as soon as we notified them of the malware.

"This is a significant discovery because widely-distributed malware with root capabilities have become rare over the past five years. As the Android ecosystem matures there are fewer exploits that affect a large number of devices, making them less useful for threat actors."

Selected Reading

Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign (Lookout) Security researchers at the Lookout Threat Labs have identified a new rooting malware distributed on Google Play and prominent third-party stores such as the Amazon Appstore and the Samsung Galaxy Store.

UltimaSMS: A widespread premium SMS scam on the Google Play Store (Avast) An array of scam apps, including a fake photo editor, camera filter, and various games, have been promoted via Instagram and TikTok channels.

1,000,000 Sites Affected by OptinMonster Vulnerabilities (Wordfence) Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List. On September 28, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities we discovered in OptinMonster, a WordPress plugin installed on over 1,000,000 sites. These flaws made it ...Read More

Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection (Microsoft Security Blog) Microsoft found a vulnerability (CVE-2021-30892) that could allow an attacker to bypass System Integrity Protection (SIP) in macOS. We shared our findings with Apple via coordinated vulnerability disclosure, and a fix was released October 26.

SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike (Cisco Talos) A blog from the world class Intelligence Group, Talos, Cisco's Intelligence Group

APT trends report Q3 2021 (Securelist) This is our latest APT trends report, focusing on cyber espionage activities and malicious campaigns that we observed during Q3 2021.

Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers | FortiGuard Labs (Fortinet Blog) FortiGuard Labs recently discovered a variant of the Chaos ransomware that not only encrypts certain files but also destroys others and appears to target Minecraft gamers in Japan. Our threat analy…

TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware (Proofpoint) Proofpoint identified the large cybercrime actor TA575 distributing Dridex malware using Squid Game lures. The threat actor is purporting to be entities associated with the Netflix global phenomenon using emails enticing targets to get early access to a new season of Squid Game or to become a part of the TV show casting.

BlackMatter: New Data Exfiltration Tool Used in Attacks (Symantec) Development of custom tool suggests ransomware attackers are attempting to increase the speed of their attacks.