At a glance.
- CryptoClippy, a cryptocurrency-stealing malware.
- Nexx security devices may have security flaws.
- Fast-encrypting Rorschach ransomware uses DLL sideloading.
- Zimbra vulnerability exploited by Winter Vivern added to CISA's KEV.
- Proxyjackers exploiting Log4j vulnerabilities.
CryptoClippy, a cryptocurrency-stealing malware.
Unit 42 released a report on April 5th about a new malware campaign using malware they call CryptoClippy. The campaign, which targets Portuguese speakers, “aims to redirect cryptocurrency away from legitimate users’ wallets and into wallets controlled by threat actors instead.” The victims come from a variety of business sectors, including the manufacturing, IT services, and real estate industries.
Unit 42 explains that “To deliver the malware to users’ computers, threat actors in this campaign used both Google Ads and traffic distribution systems (TDS) to redirect victims to malicious domains that are impersonating the legitimate WhatsApp Web application. They use this to ensure victims are real users, and also that they’re Portuguese speakers. For users who are sent to malicious domains, the threat attempts to trick them into downloading malicious files, including either .zip or .exe files, that lead to the final payload.” They continue, “A CryptoClippy infection begins with SEO poisoning, so that when a person searches for ‘WhatsApp Web,’ the result leads them to a threat actor-controlled domain.” Once installed, the malware replaces crypto wallet addresses in the victim’s clipboard with ones belonging to the threat actor, so that the victim pastes the wrong wallet address and sends the cryptocurrency to the threat actor.
Nexx security devices may have security flaws.
Sam Sabetan, an independent cybersecurity analyst working with CISA (the US Cybersecurity and Infrastructure Security Agency), posted “I discovered a series of critical vulnerabilities in Nexx’s smart device product line… These vulnerabilities enabled remote attackers to open and close garage doors, take control of alarms, and switch smart plugs on and off for any customer.” This is the last thing users would expect when installing a security device. Sabetan’s blog explains the vulnerability, noting that Nexx’s servers “fail to verify if the bearer token in the Authorization header corresponds to the alarm trying to connect...” Nexx has not so far patched the vulnerability; Sabetan and CISA attempted to contact Nexx to explain it but were reportedly unable to reach the company. Sabetan recommends that Nexx users deactivate their devices and write to the company requesting a fix.
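The server-side check described above, as an added illustration that is not Nexx's code or data model: a weak handler that only confirms a bearer token is valid, beside a hardened one that also confirms the token's account owns the device named in the request, plus an audit pass over constructed API log lines that flags requests where the two did not match. Token names, device IDs and the log format are assumptions.

```python
# Constructed sample data (hypothetical, not Nexx's real records): which account
# each bearer token was issued to, and which account owns each device.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
DEVICE_OWNERS = {"alarm-100": "alice", "garage-200": "bob"}


def lookup_subject(bearer_token: str):
    """Return the account a bearer token was issued to, or None if unknown."""
    return TOKENS.get(bearer_token)


def weak_authorize(bearer_token: str, device_id: str) -> bool:
    """The flawed pattern: the token is checked for validity and the device for
    existence, but nothing ties the token's account to that device."""
    return lookup_subject(bearer_token) is not None and device_id in DEVICE_OWNERS


def strict_authorize(bearer_token: str, device_id: str) -> bool:
    """Hardened check: the token's account must be the owner of the device."""
    subject = lookup_subject(bearer_token)
    if subject is None:
        return False
    return DEVICE_OWNERS.get(device_id) == subject


def audit_requests(log_lines):
    """Detection over constructed log lines of the form '<token> <device> <action>':
    report every request whose token account did not own the device it acted on,
    which is what a reviewer would look for in historical API logs."""
    findings = []
    for line in log_lines:
        token, device_id, action = line.split()
        subject = lookup_subject(token)
        if DEVICE_OWNERS.get(device_id) != subject:
            findings.append((subject, device_id, action))
    return findings


# Constructed sample log: Bob's token used against Alice's alarm.
SAMPLE_LOG = [
    "tok-alice alarm-100 disarm",
    "tok-bob alarm-100 disarm",
    "tok-bob garage-200 open",
]

if __name__ == "__main__":
    print("weak:", weak_authorize("tok-bob", "alarm-100"))      # True (flaw)
    print("strict:", strict_authorize("tok-bob", "alarm-100"))  # False
    print("audit:", audit_requests(SAMPLE_LOG))
```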
Fast-encrypting Rorschach ransomware uses DLL sideloading.
Check Point is tracking a new strain of ransomware called “Rorschach,” which “is one of the fastest ransomware observed, by the speed of encryption.” The researchers note that “the ransomware was deployed using DLL side-loading of a Cortex XDR Dump Service Tool, a signed commercial security product, a loading method which is not commonly used to load ransomware.” Check Point notified Palo Alto Networks, and Palo Alto stated, “Palo Alto Networks has verified that Cortex XDR 7.7, and newer versions, with content update version 240 (released November, 2021), and later content updates, detect and block the ransomware. A new content update will be released next week to detect and prevent the usage of this DLL side-loading technique.”
Zimbra vulnerability exploited by Winter Vivern added to CISA's KEV.
Proofpoint's report last week on Winter Vivern (also known as TA473) described the Russian threat actor's exploitation of a Zimbra vulnerability, CVE-2022-27926, to gain access to Zimbra-hosted webmail portals, from which the threat actor can reach NATO organizations involved in supporting Ukraine. Winter Vivern impersonates Western organizations to conduct highly targeted, carefully prepared phishing operations against its targets. On Monday CISA, the US Cybersecurity and Infrastructure Security Agency, added CVE-2022-27926 to its Known Exploited Vulnerabilities (KEV) Catalog.
Proxyjackers exploiting Log4j vulnerabilities.
Sysdig reports a wave of proxyjacking against devices vulnerable to Log4j exploitation for remote code execution. It's a criminal-to-criminal play, an illicit version of legitimate proxy-sharing arrangements in which users agree to rent out their bandwidth. In proxyjacking, the arrangement is not only uncompensated but also forced onto a device without the owner's consent. There's an obvious analogy with cryptojacking. As Sysdig explains, proxyjacking is a foil to cryptojacking in that it mainly aims to make use of network resources, leaving a minimal CPU footprint.