FakeBat Loader Malware Spreading Rapidly

Summary

FakeBat, a loader-as-a-service (LaaS), uses drive-by downloads to deliver and execute second-stage payloads such as IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif.

 

Technical Details

Drive-by attacks use techniques such as search engine optimization (SEO) poisoning, malvertising, and malicious code injected into compromised websites to trick users into downloading fake software installers or browser updates.

FakeBat (aka EugenLoader and PaykLoader) has been sold as a loader-as-a-service (LaaS) on underground forums by a Russian-speaking threat actor known as Eugenfest (aka Payk_34) since at least December 2022. FakeBat is built to evade security controls and lets customers generate trojanized builds of legitimate software; an administration panel lets them track installations over time. FakeBat builds were initially delivered as MSI packages; in 2023 the service moved to the MSIX format, with packages signed using a valid code-signing certificate in order to bypass Microsoft SmartScreen protections.

List of software impersonated by FakeBat malvertising campaigns:

  • 1Password
  • Advanced SystemCare
  • AnyDesk
  • Bandicam
  • Craavos
  • Cisco Webex
  • Epic Games
  • Google Chrome
  • Inkscape
  • MS OneNote
  • MS Teams
  • Notion
  • OBS Studio
  • OpenProject
  • Pay WGT Golf
  • Python
  • Shapr3D
  • Todoist
  • Trading View
  • Trello
  • VMware
  • Webull
  • WinRAR
  • Zoom

 

The service is priced at $1,000 per week or $2,500 per month for the MSI format, $1,500 per week or $4,000 per month for the MSIX format, and $1,800 per week or $5,000 per month for a combined MSI and signature package.

According to researchers at Sekoia, several distinct activity clusters distribute FakeBat through three primary approaches: impersonating popular software via malicious Google ads, fake web browser updates on compromised sites, and social engineering schemes on social networks. These campaigns are likely associated with groups such as FIN7, Nitrogen, and BATLOADER. FakeBat's command-and-control servers also appear to filter incoming traffic on characteristics such as the User-Agent header, source IP address, and geolocation, so a sandbox or analyst that does not match the targeted profile may never receive the second stage.

 

Indicators of Compromise (IoCs)

FakeBat C2 servers:

  • 0212top[.]online
  • 0212top[.]site
  • 0212top[.]top
  • 0212top[.]xyz
  • 0909kses[.]top
  • 11234jkhfkujhs[.]online
  • 11234jkhfkujhs[.]site
  • 11234jkhfkujhs[.]top
  • 11234jkhfkujhs[.]xyz
  • 1212stars[.]online
  • 1212stars[.]site
  • 1212stars[.]top
  • 1212stars[.]xyz
  • 2311foreign[.]xyz
  • 2311forget[.]online
  • 2311forget[.]site
  • 2311forget[.]xyz
  • 2610asdkj[.]online
  • 2610asdkj[.]site
  • 2610asdkj[.]top
  • 2610asdkj[.]xyz
  • 2610kjhsda[.]online
  • 2610kjhsda[.]site
  • 2610kjhsda[.]top
  • 2610kjhsda[.]xyz
  • 3010cars[.]online
  • 3010cars[.]site
  • 3010cars[.]top
  • 3010cars[.]xyz
  • 3010offers[.]online
  • 3010offers[.]site
  • 3010offers[.]top
  • 3010offers[.]xyz
  • 343-ads-info[.]top
  • 364klhjsfsl[.]top
  • 465jsdlkd[.]top
  • 756-ads-info[.]site
  • 756-ads-info[.]top
  • 756-ads-info[.]xyz
  • 875jhrfks[.]top
  • 98762341tdgi[.]online
  • 98762341tdgi[.]site
  • 98762341tdgi[.]top
  • 98762341tdgi[.]xyz
  • 999-ads-info[.]top
  • ads-info[.]ru
  • ads-info[.]site
  • aipanelnew[.]ru
  • aipanelnew[.]site
  • cdn-ads[.]ru
  • cdn-ads[.]site
  • cdn-dwnld[.]ru
  • cdn-dwnld[.]site
  • cdn-new-dwnl[.]ru
  • clk-brom[.]ru
  • clk-brom[.]site
  • clk-brood[.]online
  • clk-brood[.]top
  • clk-info[.]ru
  • clk-info[.]site
  • cornbascet[.]ru
  • cornbascet[.]site
  • dns-inform[.]top
  • fresh-prok[.]ru
  • fresh-prok[.]site
  • ganalytics-api[.]com
  • gotrustfear[.]ru
  • gotrustfear[.]site
  • infocdn-111[.]online
  • infocdn-111[.]site
  • infocdn-111[.]xyz
  • new-prok[.]ru
  • new-prok[.]site
  • newtorpan[.]ru
  • newtorpan[.]site
  • prkl-ads[.]ru
  • prkl-ads[.]site
  • test-pn[.]ru
  • test-pn[.]site
  • topttr[.]com
  • trust-flare[.]ru
  • trust-flare[.]site
  • trustdwnl[.]ru
  • ads-analyze[.]online
  • ads-analyze[.]site
  • ads-analyze[.]top
  • ads-analyze[.]xyz
  • ads-change[.]online
  • ads-change[.]site
  • ads-change[.]top
  • ads-change[.]xyz
  • ads-creep[.]top
  • ads-creep[.]xyz
  • ads-eagle[.]top
  • ads-eagle[.]xyz
  • ads-forget[.]top
  • ads-hoop[.]top
  • ads-hoop[.]xyz
  • ads-moon[.]top
  • ads-moon[.]xyz
  • ads-pill[.]top
  • ads-pill[.]xyz
  • ads-star[.]online
  • ads-star[.]site
  • ads-star[.]top
  • ads-star[.]xyz
  • ads-strong[.]online
  • ads-strong[.]site
  • ads-strong[.]top
  • ads-strong[.]xyz
  • ads-tooth[.]top
  • ads-tooth[.]xyz
  • ads-work[.]site
  • ads-work[.]top
  • ads-work[.]xyz
  • cdn-inform[.]com
  • udr-offdips[.]com
  • urd-apdaps[.]com
  • usm-pontic[.]com
  • utd-corts[.]com
  • utd-forts[.]com
  • utd-gochisu[.]com
  • utd-horipsy[.]com
  • utm-adrooz[.]com
  • utm-adschuk[.]com
  • utm-adsgoogle[.]com
  • utm-adsname[.]com
  • utm-advrez[.]com
  • utm-drmka[.]com
  • utm-fukap[.]com
  • utm-msh[.]com
  • utr-gavlup[.]com
  • utr-jopass[.]com
  • utr-krubz[.]com
  • utr-provit[.]com
  • amydlesk[.]com
  • notilon[.]co
  • notliion[.]com
  • notlon[.]top
  • notlilon[.]co
  • findreaders[.]com
  • ilusofficial[.]com

 

Fake web browser updates:

  • brow-ser-update[.]top
  • hxxps://brow-ser-update[.]top/download/dwnl.php
  • hxxps://brow-ser-update[.]top/GoogleChrome-x86.msix
  • photoshop-adobe[.]shop
  • hxxps://photoshop-adobe[.]shop/download/dwnl.php
  • c336d98d8d4810666ee4693e8c3a2a34191bad864d6b46e468a7eed36e7085f4 (GoogleChrome[1]x86.msix)
  • b5ed2f42359e809bf171183a444457c378355d07b414f5828e1e4f7b35bb505f (boci.ps1)

 

Social engineering schemes on social networks:

  • getmess[.]io
  • hxxps://app.getmess[.]io/
  • hxxps://app.getmess[.]io/download/dwnl.php
  • hxxps://getmess[.]download/Getmess.msix
  • utd-corts[.]com
  • hxxp://utd-corts[.]com/buy/
  • 12ea41f2dfa89ad86f082fdf80ca57f14cd8a8f27280aca4f18111758de96d15 (Getmess.msix)
  • 72a1f6e7979daae38d8e0e14893db4c182b8362acc5d721141ed328ed02c7e28 (ynwje.ps1)

 

Hashes:

  • c336d98d8d4810666ee4693e8c3a2a34191bad864d6b46e468a7eed36e7085f4
  • 7265ffdbe31dd96d6e6c8ead5a56817c905ff012418546e2233b7dce22372630
  • 9aa39f017b50dcc2214ce472d3967721c676a7826030c2e34cb95c495dba4960
  • 1bb51d62457f606e947a4e7ce86198e9956ae1fe4e51e4e945370cc25fe6bfff
  • 400277618bd2591efb2eb22ac0041c1c5561d96c479a60924ef799de3e2d290c
  • f3ebb23bdcc7ac016d958c1a057152636bc2372b3a059bf49675882f64105068
  • 12ea41f2dfa89ad86f082fdf80ca57f14cd8a8f27280aca4f18111758de96d15
  • 3bd95eadb44349c7d88ea989501590fb3652ae27eded15ab5d12b17e2708969f
  • 67663233f9e3763171afd3a44b769dc67a8a61d4a159f205003c5fdb150e2ca1
  • f0e0aea32962a8a4aecd0c4b0329dc7e901fa5b103f0b03563cf9705d751bbe1
  • 8f88a86d57b93cd7f63dfdf3cb8cc398cdce358e683fb04e19b0d0ed73dd50ee
  • 3d3a9cd140972b7b8a01dde2e4cd9707913f2eba09a3742c72016fd073004951
  • 96bd6abb1c8ec2ede22b915a11b97c0cd44c1f5ed1cda8bee0acfee290f8f580
  • f1d72a27147c42a4f4baf3e10a6f03988c70546bb174a1025553a8319717ba95
  • 806d08e6169569eb1649b2d1f770ad30a01ff55beedfe93aebccac2bc24533c0
  • 763bdd0b5413bb2e0e3c4a68a7542586bbd638665b7ca250dbd9c7558216e427
  • 9a2268162982113c12d163b1377dc4e72c93f91e26bd511d16c1b705262ca03c
  • e5b94c001fc3c1c1aa35c71a3d1e9909124339e0ade09f897b918fe0729c12e1
  • 9e800a05e65efe923a35815157129652980f03cbcf95cf0d64676f6da73471de
  • f312e59be5ddbf857d92de506d55ae267800b0cbc2b82665ce63c889a7ae9414
  • 7c7dc62ed7af2f90aeafdd5c3af5284c5539aeded7d642d39f5fd5f187d33c87
  • 409a2a2a4e442017e6d647524fdec11507515a9f58a314e74307e67059bd8149
  • 1d5d671bf680d739ded1e25e78970b38d00e8182816171a7c6a186504a79eeee
  • aa998fde06a6a6ab37593c054333e192ce4706a14d210d8fc6c0de3fd2d74ce2
  • 767dd301dc5297828a35eaba81f84bd0f50d61fe1a9208b8d89b5eaba064d65e
  • 7d0aaf734f73c1cf93e53703e648125bba43e023203be9a938f270dfe3492718
  • 6e0179344ca0bbc42dce77027f5a6a049844daf34595fd184d9f094e8c74325c
  • 49a7668d60e8df9d0a57ba9e0e736c1eb48700da19711cc0ec0f3c94a56ce507
  • 2e8a82f07de254848615f81272f08e0cf9af474d1c20f67d9ddbdf439f1d8fde
  • f0f77c85c7da4391e34d106c4b5f671eb606ba695dc11401a6ee8ae53e337cbe
  • d1da457b0891b68df16ce86e2a48a799b9528c1631bccc379623551f873c0eed
  • 175fcb7495c0814a5c18afa6244d467f0daeb0f02ad93c0ab4d3af8cbbacb537
  • 7316ed0cb0fdbede33a0b6d05d0be1fe3c616ef7c1098dfcc9a2339c793e7020
  • 90641a72a4ea6f1fca57ec5e5daec4319ec95bec53dd2bf0fa58d1f9ade42ad4
  • 6fb502d83b7b5181abcb53784270239cc3e4143344e1f64101537aa3848c8c95
  • 2b033fc28ad12cb57c7c691bd40911ca47dd2a8e495a2d253557d2c6bcd40c5e
  • 4029e194864e2557786e169c7f2c101b9972164de7b4f1ffadf89382317cf96c
  • 020cd2e4ec27185550bf736b490d8ace0d244fe09315f9f7e18362de659bc7ad
  • b5ed2f42359e809bf171183a444457c378355d07b414f5828e1e4f7b35bb505f
  • 5ee273180702a54f32520be02c170ad154588893b63eefe2062cdb34ad83712c
  • 1c5cadde01f10a730cd8f55633c967c3a7259f4906f961477b7e095e7db326b7
  • 72a1f6e7979daae38d8e0e14893db4c182b8362acc5d721141ed328ed02c7e28
  • 00e7e8a0e8495189bb7feca21864fbd6c61a5aa680462186504de02536e0c2f9
  • 088ed84658a7c3bef4401601ef67a6953492fb0200a3b580bfabb21cd3ac8236
  • b7aa4697e16bbafe0df02ab3b8d0be8ec6e4abf6e6ca7d787d3d3684ca8f4b63
  • f138728ce2cc87201a51c9250fa87cbab20354012a8f566e1b2cd776cc1a66af
  • 0c4cef985c90ed764f041c2ccab6820fdbe38edaaddebe01a5b8d31d93204b88
  • f8ab48848ab915d1b23e3ee51dd20a2699bd4f277bde218a727d7a55a572d174
  • 07a0986ab43f717e181a32d6742b11f788403ce582ad5fcbb9d20d0bd40d410b
  • 5e5c134cea48e57da9604981c0a7fd6ef1704c4151b540f29de685e0017fa730
  • e3f18df1d8f5e27a41221246cc63236487c56354ba0c926a3fdaea70db901adb
  • 4e39fa74e49be2bf26fbfbbcea12d1374fa2f1607ff7fa2a0c8c323e697959ad
  • d069437eda843bd7a675a1cca7fd4922803833f39265d951fa01e7ad8e662c60
  • 904ce1b1ffa601f9aeb0a6d68bc83532c5e76b958029bd1c889937fa7cf1867f
  • 00ea5d43f2779a705856a824a3f8133cb100101e043cb670e49b163534b0c525
  • cea1c4f2229e7aa0167c07e22a3809f42ec931332da7cc28f7d14b9e702af66b
  • ae641dda420f2cf63ac29804f7009ba1c248c702679fbccef35e4d9319d77d2d

 

Recommendations

  • Keep all software and systems up to date with the latest security patches.
  • Deploy layered endpoint and network protection: anti-malware, anti-phishing, and firewall controls.
  • Require MFA for access to sensitive systems and data.
  • Train users regularly to recognize phishing, malvertising, and social engineering; in particular, software should be downloaded from the vendor's own site rather than from sponsored search results.
  • Continuously monitor network traffic for unusual activity and signs of malicious behavior, including connections to the C2 domains listed above.
  • Implement URL and DNS filtering to block known malicious websites, starting with the indicators above.
  • Allow only approved applications to run (application allowlisting). A valid code-signing certificate on an MSIX package is not by itself evidence that the package is trustworthy.
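The following is an added example, not code from the original advisory or from Sekoia: a small Python matcher that runs the indicators above (a subset of the domains and three of the hashes) over proxy log lines. The log format and the sample lines are constructed for illustration; the only values taken from the page are the indicators themselves. It flags known C2/delivery domains (including their subdomains), the dwnl.php download gate seen in both campaigns, hash matches on downloaded files, and, at low severity, any MSIX download from a host not on the indicator list, since a validly signed MSIX is exactly what FakeBat relies on.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Turn the page's defanged form (example[.]com) back into a real hostname."""
    return indicator.replace("[.]", ".").lower()


# Subset of the FakeBat C2 and delivery domains from the IoC section above.
FAKEBAT_DOMAINS = {refang(d) for d in (
    "0212top[.]online", "ads-analyze[.]top", "cdn-inform[.]com",
    "utm-adsgoogle[.]com", "brow-ser-update[.]top", "photoshop-adobe[.]shop",
    "getmess[.]io", "getmess[.]download", "amydlesk[.]com", "notilon[.]co",
)}

# SHA-256 hashes of FakeBat artefacts from the IoC section above.
FAKEBAT_HASHES = {
    "c336d98d8d4810666ee4693e8c3a2a34191bad864d6b46e468a7eed36e7085f4",  # GoogleChrome-x86.msix
    "12ea41f2dfa89ad86f082fdf80ca57f14cd8a8f27280aca4f18111758de96d15",  # Getmess.msix
    "b5ed2f42359e809bf171183a444457c378355d07b414f5828e1e4f7b35bb505f",  # boci.ps1
}

# Assumed proxy log layout (constructed for this example, not a real product format):
#   <timestamp> <client_ip> <method> <url> <status> [sha256=<hex>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})(?:\s+sha256=(?P<sha256>[0-9a-f]{64}))?$"
)

SEVERITY = {
    "hash match": 3,
    "known FakeBat domain": 3,
    "dwnl.php download gate": 2,
    "MSIX from unvetted host": 1,
}


def domain_matches(host: str) -> bool:
    """True if host is an indicator domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FAKEBAT_DOMAINS)


def classify(line: str) -> Optional[Dict]:
    """Return a finding for one log line, or None when nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    reasons: List[str] = []
    if m["sha256"] and m["sha256"] in FAKEBAT_HASHES:
        reasons.append("hash match")
    if domain_matches(host):
        reasons.append("known FakeBat domain")
    if path.endswith("/download/dwnl.php"):
        reasons.append("dwnl.php download gate")
    if path.endswith(".msix") and not domain_matches(host):
        # A signed MSIX from an unknown host is not proof of FakeBat, only worth a look.
        reasons.append("MSIX from unvetted host")
    if not reasons:
        return None
    return {"client": m["client"], "host": host, "url": m["url"],
            "reasons": reasons, "severity": max(SEVERITY[r] for r in reasons)}


def scan(log_text: str) -> List[Dict]:
    """Run classify() over every line and keep the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


# Constructed sample traffic; only the indicator values come from the page.
SAMPLE_LOG = "\n".join([
    "2024-06-30T10:01:02Z 10.0.0.15 GET https://www.python.org/downloads/ 200",
    "2024-06-30T10:03:11Z 10.0.0.15 GET https://brow-ser-update.top/download/dwnl.php 302",
    "2024-06-30T10:03:12Z 10.0.0.15 GET https://brow-ser-update.top/GoogleChrome-x86.msix 200 "
    "sha256=c336d98d8d4810666ee4693e8c3a2a34191bad864d6b46e468a7eed36e7085f4",
    "2024-06-30T10:05:40Z 10.0.0.22 GET https://cdn.example.org/Inkscape-Setup.msix 200 sha256=" + "0" * 64,
    "2024-06-30T10:07:09Z 10.0.0.31 POST https://api.utm-adsgoogle.com/check 200",
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"], hit["client"], hit["url"], ", ".join(hit["reasons"]))
```

Adapt LOG_RE to your own proxy or DNS log format. Because the C2 servers filter on User-Agent, IP, and location, a sandbox detonation may show only the first dwnl.php request and nothing after it, so the gate request itself is worth alerting on.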

 

Threat Advisory *CRITICAL* – regreSSHion: Critical Vulnerability in OpenSSH (CVE-2024-6387)

Summary

A critical vulnerability in the OpenSSH server, dubbed “regreSSHion” (CVE-2024-6387), allows remote, unauthenticated code execution as root. It has been confirmed on glibc-based Linux systems; OpenBSD is not affected. Because sshd runs on the vast majority of Linux servers and infrastructure components worldwide, the potential impact is extensive.

 

Risk Score

CVE-ID            CVSSv3 Score
CVE-2024-6387     8.1

 

Threat intelligence

PoC available on GitHub

 

Vulnerability Details

regreSSHion exposes Linux environments to remote unauthenticated code execution, potentially yielding root-level access, and requires no user interaction. The vulnerability is a signal handler race condition in the OpenSSH server (sshd), affecting versions 8.5p1 through 9.7p1 on glibc-based Linux systems. If a client does not authenticate within LoginGraceTime (120 seconds by default), sshd's SIGALRM handler runs asynchronously and calls syslog(), which in turn calls async-signal-unsafe functions such as malloc() and free(). Because the handler executes in sshd's privileged, unsandboxed parent process, a successful exploit yields unauthenticated remote code execution as root. OpenBSD is not affected because its SIGALRM handler uses syslog_r(), an async-signal-safe variant of syslog().

This issue is a regression of an older vulnerability (CVE-2006-5051). It is exploited by precisely timing the attacker's traffic against the LoginGraceTime expiry so that the signal handler interrupts a heap operation in an exploitable state. The exploit requires many attempts and significant skill, but the potential impact is severe.

 

PoC Exploit

The public “regreSSHion” proof-of-concept exploit on GitHub relies on a race condition in OpenSSH that requires precise timing and potentially thousands of attempts to succeed. It targets 32-bit systems and has been tested on Debian-based, glibc-based Linux distributions. Key aspects of the exploit include:

  • Timing and duration: about 10,000 attempts are needed to win the race, which takes roughly 3-4 hours; obtaining a remote root shell, including defeating ASLR, takes roughly 6-8 hours.
  • prepare_heap(): shapes the heap by allocating and freeing small chunks, then allocating pairs of large and small chunks filled with specific data, to produce a predictable memory layout.
  • attempt_race_condition(): sends a crafted packet to the server, timing its final byte to arrive just before the server's LoginGraceTime expires, so that the SIGALRM handler interrupts sshd's memory operations at the attacker-chosen moment and allows the attacker to run code with root permissions.

 

Affected Products

  • OpenSSH versions 8.5p1 through 9.7p1 (the regression was introduced in 8.5p1)
  • Versions prior to 4.4p1, if not patched for CVE-2006-5051 and CVE-2008-4109
  • Versions 4.4p1 through 8.4p1 are not affected, because they still carry the CVE-2006-5051 fix

 

Solution

  • OpenSSH 9.8p1 or later, or a distribution package that backports the fix (check the package changelog, since backports do not change the version in the SSH banner)

 

Recommendations

  • Update to OpenSSH 9.8p1 or later, or to a distribution package that backports the fix.
  • If updating immediately is not possible, set LoginGraceTime to 0 in sshd_config as a temporary mitigation: the SIGALRM handler then never fires, which removes the race. The OpenSSH developers warn that this leaves sshd more exposed to connection-exhaustion denial of service, so pair it with the MaxStartups and PerSourceMaxStartups limits below.
  • Limit SSH access to the necessary IP addresses and networks with firewall rules.
  • Use jump hosts or bastion servers for additional access control.
  • Deploy host-based intrusion prevention tools such as fail2ban to monitor and block suspicious SSH activity.
  • Adjust sshd_config settings:
    • Set LoginGraceTime to 0 (see above).
    • Tighten MaxStartups to cap concurrent unauthenticated connections (e.g., MaxStartups 10:30:100, which is also sshd's default; lower the third value to refuse new unauthenticated connections sooner).
    • Set PerSourceMaxStartups to a small number (e.g., 5) to limit unauthenticated connections from a single source address.
  • Implement strict network segmentation using VLANs or network zones to isolate critical systems.
  • Implement multi-factor authentication (MFA) for SSH access.
  • Establish robust logging and monitoring for SSH services with alerts for unusual activity.
  • Consider alternative secure remote access methods that don't rely on SSH, such as VPN solutions with strong authentication.
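Added example, not part of this advisory and not OpenSSH code: a Python triage helper that classifies sshd banners against the version ranges above and checks an sshd_config for the interim mitigations. The banners and the config fragment are constructed. One caveat the script encodes deliberately: distributions backport the 9.8p1 fix without changing the banner version, so a banner in the 8.5p1-9.7p1 range means "check the package changelog", not "confirmed vulnerable".

```python
import re
from typing import Dict, Optional, Tuple

VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an SSH identification string such as
    'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3', or None if it is not OpenSSH.
    The portable 'pN' suffix is ignored: the fix landed in 9.8 on every branch."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def assess_banner(banner: str) -> Tuple[str, str]:
    """Classify a banner against the affected ranges in this advisory."""
    ver = parse_openssh_version(banner)
    if ver is None:
        return "not openssh", "banner does not identify an OpenSSH server"
    if ver < (4, 4):
        return ("possibly vulnerable",
                "pre-4.4p1 release; exposed unless patched for CVE-2006-5051 and CVE-2008-4109")
    if ver < (8, 5):
        return "not affected", "4.4p1 through 8.4p1 still carry the CVE-2006-5051 fix"
    if ver < (9, 8):
        return ("possibly vulnerable",
                "8.5p1 through 9.7p1 regressed CVE-2006-5051; a distribution may have backported "
                "the fix without changing the banner, so confirm via the package changelog")
    return "patched", "9.8p1 or later"


TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_sshd_time(value: str) -> int:
    """sshd_config time values: plain seconds or a number with an s/m/h/d/w suffix."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip().lower())
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * TIME_UNITS[m.group(2)]


def check_sshd_config(text: str) -> Dict:
    """Evaluate the interim mitigations from this advisory against an sshd_config.
    As in sshd(8), the first occurrence of a keyword wins; keywords are
    case-insensitive and may be written 'Key value' or 'Key=value'. Defaults
    (LoginGraceTime 120, MaxStartups 10:30:100) are those of sshd_config(5)."""
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if re.match(r"match\b", line, re.IGNORECASE):
            break  # everything after the first Match block is conditional
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        seen.setdefault(parts[0].lower(), parts[1].strip())
    grace = parse_sshd_time(seen.get("logingracetime", "120"))
    return {
        "login_grace_time": grace,
        # With LoginGraceTime 0 the SIGALRM handler never fires, closing the race
        # at the cost of unbounded unauthenticated connections (DoS exposure).
        "race_window_closed": grace == 0,
        "max_startups": seen.get("maxstartups", "10:30:100"),
        "per_source_max_startups": seen.get("persourcemaxstartups", "none"),
    }


if __name__ == "__main__":
    # Constructed banners, as returned by the first line a server sends on port 22.
    for banner in ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
                   "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
                   "SSH-2.0-OpenSSH_9.8p1",
                   "SSH-2.0-dropbear_2022.83"):
        print(banner, "->", assess_banner(banner))
    # Constructed config fragment implementing the interim mitigation.
    print(check_sshd_config("LoginGraceTime 0\nMaxStartups 10:30:100\nPerSourceMaxStartups 5\n"))
```

The banner can be collected with any scanner that records the SSH identification string; the script deliberately does not open sockets so it can run over an exported inventory offline.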

 

June InfraGard Houston Tech CSC CISO Roundtable

Blackswan Cybersecurity CEO Dr. Mike Saylor led an interactive discussion at the June InfraGard Houston Tech CSC CISO Roundtable on June 27, 2024.

Dr. Saylor covered how CISOs can manage their attack surface, as well as new threats from AI, and defensive measures against DDoS Attacks and Ransomware.

INFRAGARD HOUSTON JUNE 2024

SolarWinds Serv-U File Transfer Flaw Being Exploited

Summary

A high-severity flaw in SolarWinds Serv-U file transfer software (CVE-2024-28995) is being actively exploited. This is a directory traversal vulnerability that allows attackers to read sensitive files on the host machine.

CVE-ID             CVSSv3 Score
CVE-2024-28995     8.6

 

Threat intelligence

  • Exploitation attempts have been seen in the wild
  • Exploit is trivial
  • Proof of Concept is publicly available

 

Vulnerability Details

The vulnerability is a directory traversal bug in Serv-U 15.4.2 HF 1 and all earlier versions that lets an unauthenticated attacker read arbitrary files on the host, provided the attacker knows the file path and the file is not locked.

Rapid7 described the flaw as trivial to exploit, enabling external attackers to access critical files on the host. This vulnerability could be used in “smash-and-grab” attacks in which adversaries quickly exfiltrate data from file transfer solutions to extort victims.

Exploitation of this vulnerability has been observed in the wild, with attempts recorded from China to read files such as /etc/passwd. GreyNoise also reported opportunistic attacks using the flaw against its honeypot servers. Contrast Security researchers noted that the file read can be chained into further attacks: credentials and system files exposed through it can be used to compromise other systems and applications.
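Added example, not Serv-U's code and not the CVE-2024-28995 exploit: a Python illustration of the bug class, with a naive path join beside a hardened resolver, both run against a scratch directory tree. The request strings are constructed. The hardened version shows the checks a file-serving endpoint needs (a single URL decode, backslash normalisation because Serv-U commonly runs on Windows hosts, realpath resolution, and a containment check against the real root), plus a cheap log-side detector for traversal attempts.

```python
import os
import tempfile
from typing import Dict, Tuple
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would escape the served root."""


def naive_resolve(root: str, requested: str) -> str:
    """Vulnerable: joins the request onto the root with no containment check.
    Backslashes are treated as separators, as a Windows file server would."""
    return os.path.join(root, requested.replace("\\", "/"))


def safe_resolve(root: str, requested: str) -> str:
    """Hardened: decode once, normalise separators, resolve symlinks, and
    refuse anything whose real path is not inside the real root."""
    decoded = unquote(requested)
    if unquote(decoded) != decoded:
        raise TraversalError("double-encoded path rejected")
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/") or os.path.isabs(decoded):
        raise TraversalError("absolute path rejected")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, decoded))
    try:
        inside = os.path.commonpath([root_real, target]) == root_real
    except ValueError:  # different drives on Windows
        inside = False
    if not inside:
        raise TraversalError(f"{requested!r} escapes {root!r}")
    return target


def looks_like_traversal(request_path: str) -> bool:
    """Cheap log-side detector: any '..' segment after decoding up to twice."""
    norm = unquote(unquote(request_path)).replace("\\", "/")
    return any(seg == ".." for seg in norm.split("/"))


def demo() -> Dict[Tuple[str, str], object]:
    """Serve four requests through both resolvers from a scratch tree:
    <tmp>/ftp_root/readme.txt (public) and <tmp>/secret.txt (outside the root)."""
    results: Dict[Tuple[str, str], object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "ftp_root")
        os.makedirs(root)
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("public")
        with open(os.path.join(tmp, "secret.txt"), "w") as f:
            f.write("db_password=hunter2")  # constructed stand-in for /etc/passwd
        for req in ("readme.txt", "../secret.txt", "..\\secret.txt", "..%2Fsecret.txt"):
            try:
                with open(naive_resolve(root, req)) as f:
                    results[("naive", req)] = f.read()
            except OSError:
                results[("naive", req)] = None  # naive join does not URL-decode
            try:
                with open(safe_resolve(root, req)) as f:
                    results[("safe", req)] = f.read()
            except TraversalError:
                results[("safe", req)] = "blocked"
    return results


if __name__ == "__main__":
    for (mode, req), outcome in demo().items():
        print(f"{mode:5} {req!r:20} -> {outcome!r}")
```

The containment check must run on the realpath of both sides; comparing string prefixes (or checking for ".." before normalisation) is how such bugs survive, because "..\\" and percent-encoded forms slip past a check that only looks for "../".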

 

Affected Products

All versions of the software prior to and including:

  • Serv-U 15.4.2 HF 1
  • Serv-U FTP Server 15.4
  • Serv-U Gateway 15.4
  • Serv-U MFT Server 15.4
  • Serv-U File Server 15.4

 

Solution

  • Serv-U version 15.4.2 HF 2 (15.4.2.157)

 

Recommendations

  • Update to Serv-U version 15.4.2 HF 2 (15.4.2.157) immediately.
  • Monitor network traffic for unusual activity indicative of exploitation attempts.
  • Restrict access to sensitive files and directories.
  • Implement strong access controls and authentication mechanisms.
  • Use intrusion detection systems to detect and respond to potential attacks.
  • Conduct regular security audits and vulnerability assessments on all systems.
  • Ensure all security tools and defenses are up-to-date and properly configured.

 

Adobe Commerce and Magento Sites Exposed to CosmicSting Vulnerability

Summary

A recently disclosed “CosmicSting” vulnerability affecting Adobe Commerce and Magento websites remains unpatched on the majority of deployed sites, risking catastrophic attacks. Sansec reports that three-quarters of affected websites have not applied the patch, leaving them open to XML external entity injection (XXE) and, by extension, remote code execution (RCE).

CVE-ID             CVSSv3 Score
CVE-2024-34102     9.8

Threat intelligence

  • No reported exploits in the wild.
  • Highly exploitable.

Vulnerability Details

The CosmicSting vulnerability (CVE-2024-34102) is a critical flaw in Adobe Commerce and Magento that allows attackers to read sensitive files and, in combination with a second bug, execute code remotely. It is considered the most severe flaw in these platforms in the past two years.

The primary risk is XML external entity injection (XXE): an attacker-supplied XML document declares an external entity that points at a local file, and the server-side parser reads that file into the processed document. On its own this exposes sensitive files such as configuration; chained with the glibc iconv bug (CVE-2024-2961) it escalates to remote code execution (RCE).

Sansec statistics show that about 75% of websites running the affected platforms have not applied the CosmicSting patch. The attack method is easily inferred from the patch code, which makes the vulnerability highly exploitable. CosmicSting has the potential to rank among the most devastating attacks in e-commerce history, comparable to ‘Shoplift’, ‘Ambionics’, and ‘Trojan Order’.
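Added example, written in Python rather than Magento's PHP and not CosmicSting's actual trigger: it shows the XXE mechanism described above, with one attacker-supplied document parsed first by a misconfigured parser that follows external entities and then by the default, hardened configuration. The secret file and the payload are constructed; the file name env.php is only a nod to app/etc/env.php, where Magento keeps its database credentials.

```python
import io
import os
import tempfile
import xml.sax
from typing import Dict, Tuple
from xml.sax import handler
from xml.sax.handler import ContentHandler


class FieldCollector(ContentHandler):
    """Collects the text inside each element, keyed by tag name."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}
        self._open = None

    def startElement(self, name, attrs):
        self._open = name
        self.fields.setdefault(name, "")

    def characters(self, content):
        if self._open is not None:
            self.fields[self._open] += content

    def endElement(self, name):
        self._open = None


def parse_customer(document: bytes, allow_external_entities: bool) -> Dict[str, str]:
    """Parse an untrusted XML body with the stdlib SAX parser.
    feature_external_ges=True makes the parser follow SYSTEM identifiers, so a
    DOCTYPE supplied by the attacker can pull local files into the document (XXE).
    The default since Python 3.7.1 is False; a hardened service keeps it that way
    (or uses defusedxml) and never enables it for caller-controlled input."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    collector = FieldCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(document))
    return collector.fields


def xxe_payload(target_file: str) -> bytes:
    """Constructed attacker document: the 'email' field expands to the target file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE customer [<!ENTITY xxe SYSTEM "{target_file}">]>\n'
        "<customer><email>&xxe;</email></customer>\n"
    ).encode()


def demo() -> Tuple[str, str]:
    """Stand in a scratch file for a secret the web server can read and parse
    the same payload with both parser configurations."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "env.php")
        with open(secret, "w") as f:
            f.write("db_password=hunter2")  # constructed secret
        payload = xxe_payload(secret)
        leaked = parse_customer(payload, allow_external_entities=True)["email"]
        safe = parse_customer(payload, allow_external_entities=False)["email"]
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("external entities enabled :", repr(leaked))
    print("external entities disabled:", repr(safe))
```

The leak here lands in the parsed field, which is the typical XXE shape: whatever the application later echoes, logs, or stores from that field carries the file contents out. Fixing the parser configuration closes the read; the iconv upgrade mentioned in the recommendations only removes the RCE step of the chain.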

Affected Products

  • Adobe Commerce: Versions up to 2.4.7, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
  • Adobe Commerce Extended Support: Versions up to 2.4.3-ext-7, 2.4.2-ext-7, 2.4.1-ext-7, 2.4.0-ext-7, 2.3.7-p4-ext-7
  • Magento Open Source: Versions up to 2.4.7, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
  • Adobe Commerce Webhooks Plugin: Versions 1.2.0 to 1.4.0

Solution

  • Adobe Commerce: 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9
  • Adobe Commerce Extended Support: 2.4.3-ext-8, 2.4.2-ext-8, 2.4.1-ext-8, 2.4.0-ext-8, 2.3.7-p4-ext-8
  • Magento Open Source: 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9
  • Adobe Commerce Webhooks Plugin: 1.5.0

Recommendations

  • Immediately update to the patched versions listed above.
  • Switch Content Security Policy (CSP) to ‘Report-Only’ mode before upgrading to avoid breaking checkout functionality.
  • If you cannot update immediately, check whether the vulnerable glibc iconv library is present (Sansec's advisory provides a command for this) and upgrade glibc as required; this removes the RCE step of the chain but not the XXE file read.
  • Add Sansec's emergency fix code to ‘app/bootstrap.php’ to block most attacks.
  • Regularly monitor for and apply security updates to stay protected against new vulnerabilities.
