The CyberWire Daily Podcast 5.31.23
Ep 1834 | 5.31.23

Two RAT infestations. Ghosts of sites past. Trends in identity security. Detecting deepfakes may prove more difficult than you think.
Dave Bittner: SeroXen is a new elusive evolution of the Quasar RAT that seems to live up to its hype, and DogeRAT is a cheap Trojan targeting Indian Android users. Salesforce ghost sites see abuse by malicious actors. A look into identity security trends. People may be overconfident in their ability to detect deepfakes. Deepen Desai from Zscaler describes a campaign targeting Facebook users. CW Walker from SpyCloud outlines identity exposure in the Fortune 1000. And a blurring of the lines between criminal, hacktivist, and strategic motivations. I'm Dave Bittner with your CyberWire intel briefing for Wednesday, May 31st, 2023.

SeroXen, a new elusive evolution of the Quasar RAT.

Dave Bittner: AT&T has reported their discovery of a new fileless remote access trojan, SeroXen. The tool is advertised as legitimate, giving access to computers while flying under the radar for the very low cost of only $30 a month, or $60 for a lifetime. This RAT seems to live up to its hype. AT&T says it's performing well at evading detections, and that it effectively combines open-source projects, including Quasar RAT, SeroXen's progenitor. Quasar RAT, released in 2014 as xRAT, has been used by the Gaza Cybergang group and MenuPass Group since 2017. AT&T writes that SeroXen was first observed on a Twitter account in 2022, with the advertiser appearing to be an English-speaking teen. The carrier writes that "The same Twitter handle published a review of the RAT on YouTube. The video approached the review from an attacking and Red Team point of view, encouraging people to buy the tool because it is worth the money. The reviewers were claiming to be a reseller of the tool." AT&T's Alien Lab regards the SeroXen RAT as elusive, hard to detect, and worth keeping an eye on.

DogeRAT, a cheap Trojan targeting Indian Android users.

Dave Bittner: Citing research by CloudSek, Hacker News reports that another new remote access Trojan (RAT), DogeRAT, has been observed targeting Indian Android users. The malware seems to have been created in June of 2022, shortly after which it was advertised on its Indian developer's Telegram page. DogeRAT, like its namesake cryptocurrency, is regarded as cheap at $30 a month, and is viewed as an effective money-making scheme. It exploits consumers by masquerading as legitimate premium applications like Netflix, OpenAI's ChatGPT, or YouTube Premium. CloudSek reports that once the RAT is installed, sensitive data is accessed, including contacts, messages, and banking credentials. They add that the malware is capable of controlling the victim's device and "performing malicious actions, such as sending spam messages, making unauthorized payments, modifying files, viewing call records, and even taking photos via both the front and rear cameras of the infected device." Experts recommend not downloading free versions of premium services from social media pages: they're too often malicious. And, in the end, they often cost more than the premium services they impersonate.

Salesforce ghost sites.

Dave Bittner: Unmaintained and incorrectly deactivated Salesforce sites remain accessible online, and so unfortunately accessible to threat actors, Varonis reported today. If the host header is manipulated, malicious actors may be able to gain access to personally identifiable information and sensitive business information. The Salesforce sites allow for collaboration among customers and partners within an organization's Salesforce implementation. However, these "ghost sites," as Varonis has aptly labeled them, are often merely set aside when they're no longer in use, not fully deactivated as sound practice would dictate. This means that the security measures implemented on the sites are often not up to par with current cybersecurity protections. On top of a lack of updates to the ghost sites' security measures, they also remain untested against newer vulnerabilities that appear after the site is no longer actively used. Many companies only modify the DNS records of their Salesforce site to direct to an alternative, but researchers say that companies often "do not remove the custom domain in Salesforce, nor do they deactivate the site. Instead, the site continues to exist, pulling data and becoming a ghost site." Since the ghost site remains accessible in Salesforce, a change to the host header tricks Salesforce into believing the actor is connecting to the original site, and grants access to the malicious actor. Varonis advises full deactivation of unused Salesforce sites to prevent such attacks from lifting sensitive data that may be left exposed otherwise.

Trends in identity security.

Dave Bittner: The Identity Defined Security Alliance (the IDSA) released its 2023 Trends in Identity Security report, conducted by Dimensional Research. The report discusses identity security and its place in cyber, and how it impacts security challenges and outcomes. Identity security remains a major cybersecurity focal point: 90% of those surveyed reported an identity-related breach within the last year. 17% of respondents say digital identity security is their top priority, 44% place it in their top three, and 25% put it in their top five. A majority of respondents report being targeted by phishing attacks in the last twelve months, with 57% reporting that employees clicked on a phishing email without realizing it. Shared passwords between work and personal accounts were said by 37% of the respondents to be a factor in identity-based attacks. The cost of breach recovery, alongside distraction from business operations, and a damaged reputation, were cited as the top business impacts from identity security breaches.

Survey finds people may be overconfident in their ability to detect deepfakes.

Dave Bittner: A global survey by Jumio found that 52% of its respondents who were aware of generative AI and deepfakes believed that they could detect a deepfake video. Jumio asserts that this is an example of overconfidence with the consumer, as deepfakes have reached a level of sophistication which would prevent an unaided human from detecting them. Jumio says that "the data also shows a steady uptick in the use of increasingly sophisticated deepfakes across the globe and across industries, with a heavier presence in the payments and crypto sectors." Jumio suspects that training will find it difficult to keep pace with the growing quality of AI-created media.

Motivations: criminal, hacktivist, and strategic.

Dave Bittner: And finally, Trend Micro describes the recent activity of Void Rabisu, "a malicious actor believed to be associated with the RomCom backdoor." It's a Russian or at least a Russophone gang, and until the last few months, its activities and motivations have generally been assumed to be straightforwardly criminal, motivated by financial gain. Also known as "Tropical Scorpius," Void Rabisu has been associated with the Russian intelligence-linked Cuba ransomware operation, and since late 2022, the gang's targeting has increasingly matched Russian state interests. Trend Micro writes that "Void Rabisu's associated RomCom backdoor was reported to have been used in attacks against the Ukrainian government and military," and specifically notes a December 2022 phishing campaign that impersonated the Ukrainian army's DELTA situational awareness website. The target selection is that of an intelligence service; the tactics, techniques, and procedures are those of a criminal gang. Trend Micro thinks that Void Rabisu's targeting has been connected to Russian strategic goals since October of 2022. The group's evolution shows the continued blurring of lines between hacktivists, intelligence services, and criminal gangs. Of those three, in Russia's case, the intelligence services are clearly in the saddle.

Dave Bittner: Deepen Desai from Zscaler describes a campaign targeting Facebook users. CW Walker from SpyCloud outlines identity exposure in the Fortune 1000. Stay with us.

Dave Bittner: CW Walker is director of Security Product Strategy at SpyCloud, a cybercrime analytics firm. They recently released results from their latest Identity Exposure report, focusing on the Fortune 1000.

CW Walker: By looking at the Fortune 1000, it looks very specifically at companies that are most likely to become targets for some of the most nefarious stuff. It's true that a small mom-and-pop shop can become a target for ransomware or fraud or theft. The impacts, though, on citizens globally are probably a little bit smaller if it's a local dance studio versus a regional bank, right? So that's sort of -- that's where we drew the line in the sand, is with the Fortune 1000.

Dave Bittner: Yeah, fair enough. Well, let's go through some of the findings here. What are some of the things that really caught your eye?

CW Walker: Yeah. So this year, we analyzed a little over 2 billion, I think it's 2.2 some odd billion, exposed dark web assets, which included 423 million PII assets. Which is kind of wild. And that comes from two sources, primarily. One of them is data breaches. So databases that have their entire user tables siphoned off. And then the other place that we see a lot of this is with malware-infected devices. So stealer logs and that type of thing. So tied more specifically to individuals that are interacting with or that are employed by Fortune 1000 companies that have, unfortunately during the course of their digital lives, interacted with a piece of malware.

Dave Bittner: One thing that you track here are the trends so that you're tracking over time, of course. And what are some of the things that stood out to you there?

CW Walker: I think the thing that probably shocked me the most was an almost 800% increase over our last year's consumer infected devices in the financial sector. Which kind of surprised me. And so part of that we believe is looking at the way that criminals are trying to monetize things. So we've got some speculation on why that might be. Over the past year, we saw the value of cryptocurrency change pretty dramatically. And so maybe they're more interested in fiat -- going back after our hard dollars and cents. But we also are seeing a 300% year-over-year increase in malware infected employees tied to financial companies. Which I think also gives an interesting view into the types of fraud that they're able to commit. And those are different types of activities. They're related more to things like trying to unfreeze accounts, to empty accounts that have been compromised but maybe have a block technologically to prevent that type of fraud. So trying to leverage those infections for insider threat type of situations.

Dave Bittner: One of the things that caught my eye when I was looking through the report was the degree that some of these organizations are still struggling with the basics, you know, things like password hygiene.

CW Walker: Oh, yes. You know, as an industry, I think we're really excited about new and powerful things. Passkeys have been on everyone's lips the past couple of weeks with Google moving to -- having the option to move to passkeys instead of passwords. But adoption for even things as simple as complex passwords or two-factor authentication is still very, very, very low. And we even see password reuse among employees in the Fortune 1000. It's still at 62%. And the financial sector still has the worst password reuse rate at 68%. So you're right, some of the simple things are still tripping I think a lot of industries up. But we are seeing things improve, well, marginally, on some of those things.

Dave Bittner: Good to be half full, right?

CW Walker: [Laughter] Half full, yeah. It's a bad percentage. But it did change one percentage point in a positive direction, so we'll take what we can get.

Dave Bittner: Okay, all right. Well, based on the information that you all have gathered here, what are your recommendations then?

CW Walker: So our recommendations are still using unique passwords and complex passwords for each account that we're using, whether in our employee lives or our personal lives. That is by far the biggest thing that individuals can do to protect their security. And whether you're using a password manager -- if that's something that interests you -- or you're using the operating system password manager -- you know, on iOS or Android -- creating a unique password to save in that password manager is pretty important, and so we recommend that. And on the enterprise side, what we're really looking at is for those enterprises that do have a pretty sophisticated program, that has multifactor or is moving to passkeys, to consider new ways to gain visibility beyond authentication into session identities. That's where the criminals are getting really excited, is how they can get into accounts that have a really stellar login protection by stealing, for example, a device cookie or a session token after authentication so that they bypass that completely. Those are the two things we recommend.

Dave Bittner: You allude to the fact that maybe we are slowly heading in the right direction here. Are you optimistic that we can get a handle on these things?

CW Walker: I'm eternally optimistic, yeah, I am. I think that what we will do is we secure what we can and we increase the costs of operation for criminals. And even if we're not able to completely eliminate the things that we have challenges with, if we can eliminate a percentage of it, that makes a meaningful difference for individuals and companies. And I think that that's something to be proud of as an industry. We can always do better, but I'm optimistic that we're moving in the right direction and that we are making some changes that will help.

Dave Bittner: That's CW Walker from SpyCloud.

Dave Bittner: And I'm pleased to be joined once again by Deepen Desai. He is the global CISO and head of Security Research and Operations at Zscaler. Deepen, always a pleasure to welcome you back to the show. There is something that you and your colleagues have been looking into here. It's something called Album Stealer. This is targeting folks on Facebook. What's going on here?

Deepen Desai: Yeah. So look, there is so much information-stealing malware that we see in the threat landscape today. The ThreatLabz team discovered a new stealer family. We dubbed it Album Stealer. It's actually targeting Facebook adult-only content seekers. And I'll explain what I mean by that. And so what we saw was that there was an Album Stealer which is disguised as a photo album, has some adult content. It will drop some decoy adult images while performing malicious activity in the background. So the way the attack starts is there is a fake Facebook profile page, which is where this album supposedly exists. When the user falls for it, they will download a zip file which will be hosted on a compromised site or even OneDrive, is what we saw in one of the attack chains. The zip file contains an album.exe file. This is what will have an icon that makes you feel like it's an image. When you click on it, it will open an image file, but in the background, it loads a DLL -- downloads and loads a DLL, which is the malicious executable. And the goal over here for the threat actor is to steal cookies, stored credentials from victims' web browsers. It's also able to steal information from Facebook Ads Manager, business accounts, API Graph. And then it obviously leverages this information to perform financial fraud, sell this information to make more money, and in future, conduct follow-up attacks as well.

Dave Bittner: It doesn't strike me as being terribly sophisticated in its targeting here. Is this one of the ones where maybe it's in our best interest to sort of spread the word about it, let people know that on the chance that you're looking for this sort of thing on Facebook, that maybe you need to think twice?

Deepen Desai: Yeah. I mean, look, the sophistication, the only piece I'll mention on that one is they are using this technique called DLL sideloading. So that technique, in combination with some level of obfuscation. They're using -- and I'm kind of going geeky over here on this podcast, but a complex dictionary class. Which basically masks out all the strings and data in this executable file. So DLL sideloading will allow it to evade certain endpoint detection if they're not looking for this. And then the obfuscation is standard. That's where they will try to evade the network as well. But you're right, I mean, if you're in an office, if you're an enterprise user, you're looking for this content on Facebook using your work laptop, that's probably not the right thing to do.

Dave Bittner: It's an interesting little bit of social engineering I think also. That, as you mentioned, you know, it uses an icon that is going to be alluring to someone and hoping that that'll make them overlook the fact that it's actually an executable.

Deepen Desai: Exactly. Yep, there is definitely a social engineering element starting from the fake Facebook profile page to the file using that icon, and even showing the image. The user may not even know what happened in the back-end, because the user saw the image and they're like, oh, okay, that's the only thing they got.

Dave Bittner: All right, well, something to be aware of, for sure. Deepen Desai, thanks for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team, while making your team smarter. Learn more at This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.