At a glance.
- New ransomware is speedy and sophisticated.
- RedGolf continues deploying KEYPLUG backdoor.
- Rilide, a new strain of malware, is in active use.
- Mantis cyberespionage group uses new, robust tools and tactics.
- AlienFox targets misconfigured servers.
- Super FabriXss.
New ransomware is speedy and sophisticated.
Check Point has observed a new strain of ransomware the company is calling "Rorschach," which "is one of the fastest ransomware observed, by the speed of encryption." The ransomware is also deployed via "DLL side-loading of a Cortex XDR Dump Service Tool, a signed commercial security product, a loading method which is not commonly used to load ransomware." The researchers notified Palo Alto Networks of this technique, and Palo Alto stated that Rorschach "is detected and blocked by Cortex XDR Agent 7.7 and later versions with CU-240 and later content updates." The security firm added that an update will be released next week to further mitigate this technique.
Check Point's researchers conclude:
"Our analysis of Rorschach reveals the emergence of a new ransomware strain in the crimeware landscape. Its developers implemented new anti-analysis and defense evasion techniques to avoid detection and make it more difficult for security software and researchers to analyze and mitigate its effects. Additionally, Rorschach appears to have taken some of the ‘best’ features from some of the leading ransomwares leaked online, and integrated them all together. In addition to Rorschach’s self-propagating capabilities, this raises the bar for ransom attacks. The operators and developers of the Rorschach ransomware remain unknown. They do not use branding, which is relatively rare in ransomware operations."
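The loading technique described above is the detection angle worth keeping: a signed, legitimate executable is made to load an attacker-supplied DLL from its own directory. As an added example (not code from Check Point or from the digest), the following triage rule runs over constructed Sysmon-style image-load records (Event ID 7 fields `Image`, `ImageLoaded`, `Signed`, `SignatureStatus`) and flags loads that fit the side-loading pattern. The executable and DLL names are placeholders, not the Cortex XDR component involved, and the list of commonly impersonated DLL names is an assumption for illustration.

```python
"""Added example: a small DLL side-loading triage rule over constructed
Sysmon-style image-load (Event ID 7) records. Not from Check Point or the
digest; file names below are placeholders, not the real tool."""
import ntpath

# Directories from which system DLLs are legitimately resolved.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Assumption for illustration: DLL names that programs commonly resolve
# through the search order and that side-loaders therefore often impersonate.
COMMONLY_PROXIED = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}

# Constructed records. In Event ID 7, Signed/SignatureStatus describe ImageLoaded.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\vendor_dump_tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\vendor_helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\vendor_dump_tool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\tool_core.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\vendor_dump_tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def side_load_indicators(ev):
    """Return the reasons this image-load record resembles DLL side-loading
    (an empty list means no indicator fired)."""
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_path = ev["ImageLoaded"]
    dll_dir = ntpath.dirname(dll_path).lower()
    dll_name = ntpath.basename(dll_path).lower()
    in_system_dir = any(dll_dir == d or dll_dir.startswith(d + "\\") for d in SYSTEM_DIRS)
    dll_trusted = (ev.get("Signed", "false").lower() == "true"
                   and ev.get("SignatureStatus", "") == "Valid")

    reasons = []
    # Indicator 1: an untrusted DLL sitting next to the executable, outside system dirs.
    if dll_dir == exe_dir and not in_system_dir and not dll_trusted:
        reasons.append("untrusted DLL loaded from the executable's own directory")
    # Indicator 2: a well-known system DLL name resolved from a non-system location.
    if dll_name in COMMONLY_PROXIED and not in_system_dir:
        reasons.append(f"{dll_name} resolved outside the system directories")
    return reasons


def triage(events):
    """Return (Image, ImageLoaded, reasons) for every record with at least one indicator."""
    flagged = []
    for ev in events:
        reasons = side_load_indicators(ev)
        if reasons:
            flagged.append((ev["Image"], ev["ImageLoaded"], reasons))
    return flagged


if __name__ == "__main__":
    for image, dll, reasons in triage(SAMPLE_EVENTS):
        print(f"{image} -> {dll}: {'; '.join(reasons)}")
```

The rule is a prefilter, not a verdict: a legitimate application shipping its own unsigned plug-ins will fire indicator 1, so the hits are meant to be joined with process-creation data (is the executable itself signed and normally installed elsewhere?) before anyone acts on them.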
RedGolf continues deploying KEYPLUG backdoor.
Recorded Future's Insikt Group outlines the activities of "RedGolf," a Chinese state-sponsored threat actor that exhibits close overlaps with APT41. The threat actor has been deploying the KEYPLUG malware against Windows and Linux systems, alongside Cobalt Strike, PlugX, and Dynamic DNS (DDNS) domains, which the researchers note are all commonly used by Chinese APTs. Insikt Group says "RedGolf remains highly active within a wide range of geographies and is known to target aviation, automotive, education, government, media, information technology, and religious organizations."
Rilide, a new strain of malware, is in active use.
A new strain of Chromium-based browser malware, “Rilide,” has been uncovered by Trustwave SpiderLabs. In a 4 April blog post, SpiderLabs wrote, “Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges.” Rilide has been found by SpiderLabs in at least two malware campaigns since April of 2022. The first involved the Ekipa RAT (remote access Trojan), malware that used Microsoft Publisher and relied on the user ignoring a warning pop-up and executing a macro. SpiderLabs notes, “Microsoft Publisher was not affected by Microsoft's decision to block macros from executing files downloaded from the Internet.” The second seems to be using Google Ads, disguising itself as a legitimate TeamViewer installer or an NVIDIA drivers installer.
Mantis cyberespionage group uses new, robust tools and tactics.
Symantec, a Broadcom company, discovered that Mantis (aka Arid Viper, Desert Falcon, APT-C-23) is now mounting attacks against Palestinian targets with a new set of tools. In its report published on 4 April, Symantec explains that, though this targeting isn’t new (Symantec previously uncovered attacks against persons in the Palestinian territories in 2017), the tools the group is using are. Mantis operates from the Palestinian territories against Palestinian individuals.
In 2022 Mantis began using “updated versions of its custom Micropsia and Arid Gopher backdoors to compromise targets before engaging in extensive credential theft and exfiltration of stolen data.” Mantis seems to compartmentalize its attacks by using “three distinct versions of the same toolset on three groups of computers.” This affords redundancy: if one group of tools is discovered and neutralized, the other two may remain unaffected. “The attackers also used a custom exfiltration tool to exfiltrate data stolen from targeted organizations,” reports Symantec. The researchers describe Mantis as a determined adversary with the demonstrated ability to compartmentalize attacks against one organization and rewrite malware to maintain an edge against its targets.
AlienFox targets misconfigured servers.
SentinelOne describes “AlienFox,” a toolset designed to steal credentials and API keys from at least eighteen cloud service providers. The toolset is being sold on Telegram and is under active development. AlienFox opportunistically targets misconfigured web servers hosting web frameworks such as Laravel, Drupal, Joomla, Magento, OpenCart, PrestaShop, and WordPress. The toolkit then dumps the server’s configuration files and extracts cloud API keys and secrets. The researchers state that “[t]he spread of AlienFox represents an unreported trend towards attacking more minimal cloud services, unsuitable for cryptomining, in order to enable and expand subsequent campaigns.”
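The behaviour SentinelOne describes, opportunistic requests for framework configuration files, leaves a plain trail in web-server access logs. As an added example (not code from SentinelOne or the digest), the script below parses constructed Apache/nginx combined-format log lines, flags requests for configuration paths, separates mere probes from files the server actually served with a 200, and lists clients that swept several such paths. The set of sensitive paths is an assumption about what such scanners request, not a list taken from the report.

```python
"""Added example: detect configuration-file probing in web-server access logs.
Not from SentinelOne or the digest. Log lines are constructed and the
SENSITIVE_PATHS list is an assumption for illustration."""
import re
from collections import defaultdict

# Assumed config paths that hand over cloud keys if the server returns them verbatim.
SENSITIVE_PATHS = (
    "/.env",                        # Laravel
    "/wp-config.php",               # WordPress
    "/wp-config.php.bak",
    "/configuration.php",           # Joomla
    "/sites/default/settings.php",  # Drupal
    "/app/etc/env.php",             # Magento
    "/config/settings.inc.php",     # PrestaShop
    "/.git/config",
)

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one client sweeping config paths, one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Apr/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512
203.0.113.7 - - [04/Apr/2023:10:01:03 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 153
203.0.113.7 - - [04/Apr/2023:10:01:04 +0000] "GET /configuration.php HTTP/1.1" 404 153
198.51.100.20 - - [04/Apr/2023:10:05:10 +0000] "GET /index.php HTTP/1.1" 200 2048
198.51.100.20 - - [04/Apr/2023:10:05:11 +0000] "GET /style.css HTTP/1.1" 200 1024
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0].lower()  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def is_sensitive(path):
    """True for an exact sensitive path or the same file under a sub-directory install."""
    return any(path == p or path.endswith(p) for p in SENSITIVE_PATHS)


def find_probes(log_text):
    """Return (hits, exposed): hits maps client IP -> set of sensitive paths it
    requested; exposed lists (ip, path) pairs the server answered with 200,
    i.e. candidates for a file that was actually handed out (confirm against
    the content, since a catch-all front controller can also return 200)."""
    hits = defaultdict(set)
    exposed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_sensitive(rec["path"]):
            continue
        hits[rec["ip"]].add(rec["path"])
        if rec["status"] == 200:
            exposed.append((rec["ip"], rec["path"]))
    return dict(hits), exposed


def sweeping_clients(hits, min_paths=2):
    """Clients that requested at least min_paths distinct sensitive paths: the
    opportunistic, framework-agnostic sweep pattern rather than a single typo."""
    return sorted(ip for ip, paths in hits.items() if len(paths) >= min_paths)


if __name__ == "__main__":
    hits, exposed = find_probes(SAMPLE_LOG)
    print("probing clients:", sweeping_clients(hits))
    print("config files served with 200:", exposed)
```

A 200 on one of these paths is the finding that matters: probes against a correctly configured host are background noise, but a served `.env` means every key in it should be treated as compromised and rotated, and the web root or virtual-host rules fixed so the file is no longer reachable.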
Super FabriXss.
Researchers at Orca Security discovered a Cross-Site Scripting (XSS) vulnerability affecting Azure Service Fabric Explorer (SFX). The vulnerability, which Orca calls “Super FabriXss,” can allow “remote attackers to leverage an XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication.”
The researchers explain, “The vulnerability arises from a vulnerable ‘Node Name’ parameter, which can be exploited to embed an iframe in the user’s context. This iframe then retrieves remote files from a server controlled by the attacker, eventually leading to the execution of a malicious PowerShell reverse shell. This attack chain can ultimately result in remote code execution on the container which is deployed to the cluster, potentially allowing an attacker to take control of critical systems.”
Microsoft issued a patch for the flaw in its March 2023 Patch Tuesday fixes. Organizations that have updated Service Fabric Explorer to the latest version are protected against this vulnerability.