LokiBot Malware Exploits Microsoft Word Vulnerabilities for Widespread Distribution

by jdpoteet | Jul 21, 2023 | Threat Advisories

LokiBot Malware Exploits Microsoft Word Vulnerabilities for Widespread Distribution

OVERVIEW
Researchers recently uncovered a LokiBot info-stealer campaign exploiting well-known Microsoft Office related vulnerabilities.

First observed in May 2023, researchers found that threat actors exploited two remote code execution vulnerabilities (CVE-2021-40444 and CVE-2022-30190) embedding malicious macros in Microsoft documents, specifically Word documents.  Infected files were named “document.xml.rels” and had an MHTML link.  Executing this file triggered the deployment of exploits for the second vulnerability.

More recent versions of this attack include an embedded VBA script within the Word document. The VBA script generates an INF file that calls a DLL file, which then downloads a second-stage code injector from a specific URL.  The code injector is capable of evasion techniques and will execute the LokiBot malware in the final stage.

Researcher’s examination of the command-and-control (C2) traffic showed that the LokiBot version (March’23) deployed in these campaigns has an MD5 hash that acts as a mutex to prevent multiple instances of the malware from running concurrently.

INDICATORS OF COMPROMISE

Command and Control:

• 95[.]164[.]23[.]2

Related Files:

• 17d95ec93678b0a73e984354f55312dda9e6ae4b57a54e6d57eb59bcbbe3c382
• 23982d2d2501cfe1eb931aa83a4d8dfe922bce06e9c327a9936a54a2c6d409ae
• 9eaf7231579ab0cb65794043affb10ae8e4ad8f79ec108b5302da2f363b77c93
• da18e6dcefe5e3dac076517ac2ba3fd449b6a768d9ce120fe5fc8d6050e09c55
• 2e3e5642106ffbde1596a2335eda84e1c48de0bf4a5872f94ae5ee4f7bffda39
• 80f4803c1ae286005a64ad790ae2d9f7e8294c6e436b7c686bd91257efbaa1e5
• 21675edce1fdabfee96407ac2683bcad0064c3117ef14a4333e564be6adf0539
• 4a23054c2241e20aec97c9b0937a37f63c30e321be01398977e13228fa980f29

RECOMMENDATIONS
• Patch Management – Patch and Update all instances of Microsoft Office.

• Training and Awareness – Educate users about the risks associated with opening suspicious email attachments or clicking on untrusted links.
• Cybersecurity Controls (End-Points) – Deploy and effectively manage and monitor advanced endpoint protection solutions that include anti-malware, intrusion detection, and prevention systems.
• Cybersecurity Controls (Network) – Deploy 24×7 Network Traffic Monitoring capabilities to identify and block suspicious communication with command-and-control (C2) servers.
• Email Filtering: Enable all available capabilities to scrutinize incoming emails, blocking malicious attachments and links commonly used in malware distribution.
• Multi-Factor Authentication (MFA): Enforce the use of MFA for all sensitive accounts and systems to provide an additional layer of protection against unauthorized access. This helps mitigate the risk of LokiBot stealing credentials.

REFERENCES

• https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities[1]and-macros
• https://thehackernews.com/2023/07/cybercriminals-exploit-microsoft-word.htm

A Vulnerability in FortiOS and FortiProxy Could Allow for Remote Code Execution

by jdpoteet | Jul 18, 2023 | Threat Advisories

A Vulnerability in FortiOS and FortiProxy Could Allow for Remote Code Execution

DOWNLOAD PDF

OVERVIEW
A vulnerability has been discovered in Fortinet FortiOS and FortiProxy, which could allow for remote code execution. FortiOS is the Fortinet’s proprietary Operation System which is utilized across multiple product lines. FortiProxy is a secure web gateway that attempts to protects users against internet-borne attacks, and provides protection and visibility to the network against unauthorized access and threats. Successful exploitation of this vulnerability could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED

• FortiOS version 7.2.0 through 7.2.3
• FortiOS version 7.0.0 through 7.0.10
• FortiProxy version 7.2.0 through 7.2.2
• FortiProxy version 7.0.0 through 7.0.9

RISK

Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Homes: Low

TECHNICAL SUMMARY
A vulnerability has been discovered in Fortinet FortiOS and FortiProxy, which could allow for remote code execution. Details of the vulnerability are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

• CVE-2023-33308 – A stack-based overflow vulnerability in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.

Successful exploitation of this vulnerability could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS
We recommend the following actions be taken:

Apply appropriate updates provided by FortiNet to vulnerable systems immediately after appropriate testing. (M1051: Update Software)

• • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
  • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
  • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
  • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

    Utilize vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)

    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing.Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.

      Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)

      • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
      • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
      • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
      • Safeguard 6.8: Define and Maintain Role-Based Access Control: Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.

REFERENCES

• Fortinet:
  https://www.fortiguard.com/psirt/FG-IR-23-183
• CVE:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33308

Multiple Vulnerabilities in VMware Products Could Allow for Arbitrary Code Execution

by jdpoteet | Jun 26, 2023 | Threat Advisories

Multiple Vulnerabilities in VMware Products Could Allow for Arbitrary Code Execution

DOWNLOAD PDF 

OVERVIEW
Multiple vulnerabilities have been discovered in VMware vCenter Server and Cloud Foundation, the most severe of which could allow for arbitrary code execution. VMware vCenter Server is the centralized management utility for VMware. VMware Cloud Foundation is a multi-cloud platform that provides a full-stack hyperconverged infrastructure (HCI) that is made for modernizing data centers and deploying modern container-based applications. Successful exploitation of these vulnerabilities could allow for arbitrary code execution in the context of the administrator account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE
There are no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED

• VMware – VMware vCenter Server (vCenter Server) versions prior to 8.0 U1b
• VMware – VMware vCenter Server (vCenter Server) versions prior to 7.0 u3m
• VMware – VMware Cloud Foundation (vCenter Server) versions prior to 7.0 U3m, 8.0 U1b

RISK

Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Homes: Low

TECHNICAL SUMMARY
Multiple vulnerabilities have been discovered in VMware vCenter Server and Cloud Foundation, most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

• CVE-2023-20892 – VMware vCenter Server heap-overflow vulnerability – The vCenter Server contains a heap overflow vulnerability due to the usage of uninitialized memory in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may exploit heap-overflow vulnerability to execute arbitrary code on the underlying operating system that hosts vCenter Server.
• CVE-2023-20893 – VMware vCenter Server use-after-free vulnerability – The VMware vCenter Server contains a use-after-free vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may exploit this issue to execute arbitrary code on the underlying operating system that hosts vCenter Server.

Details of lower-severity vulnerability are as follows:

• CVE-2023-20894 – The VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bound write by sending a specially crafted packet leading to memory corruption.
• CVE-2023-20895 – The VMware vCenter Server contains a memory corruption vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger a memory corruption vulnerability which may bypass authentication.
• CVE-2023-20896 – The VMware vCenter Server contains an out-of-bounds read vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds read by sending a specially crafted packet leading to denial-of-service of certain services (vmcad, vmdird, and vmaf

Successful exploitation of these vulnerabilities could allow for arbitrary code execution in the context of the administrator account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
|

RECOMMENDATIONS
We recommend the following actions be taken:

• Apply appropriate updates provided by VMware to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.

• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

• Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. (M1035: Limit Access to Resource Over Network)

• Use intrusion detection signatures to block traffic at network boundaries. (M1031: Network Intrusion Prevention)
  • Safeguard 13.3: Deploy a Network Intrusion Detection Solution: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
  • Safeguard 13.8: Deploy a Network Intrusion Prevention Solution: Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.

• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)

Safeguard 13.10:  Performing Application Layer Filtering:  Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.

REFERENCES

• https://www.vmware.com/security/advisories/VMSA-2023-0014.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20896
• https://kb.vmware.com/s/article/88287
• ​​​​​​https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20892
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20893
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20894
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20895

RDStealer Malware Targeting Remote Desktop

by jdpoteet | Jun 22, 2023 | Threat Advisories

RDStealer Malware Targeting Remote Desktops

DOWNLOAD PDF

SUMMARY
Bitdefender researchers published a warning related to new malware that is actively targeting the remote desktop protocol in an effort to steal client data.

The Bitdefender warning comes after the malware’s first appearance as part of a cyber espionage operation called RedClouds, which targeted an east Asian IT company.  The malware, written in Golang, is called RDStealer and looks for RDP connections with client drive mapping enabled.  It then infects connecting RDP clients with a Logutil backdoor and begins exfiltrating data.  The RedClouds operation was active for more than a year with the end goal of compromising credentials and data exfiltration.

TECHNICAL DETAILS
The attack employs an evasion tactic of using Microsoft Windows folders that are likely to be excluded from scanning by security software, like System32 and Program Files, to store the Logutil backdoor payload.  In addition, the sub-folder “C:Program FilesDellCommandUpdate,” has also been observed, which is a legitimate folder containing the Dell application called Dell Command | Update.   Researchers at Bitdefender said all the machines infected over the course of the incident were Dell computers, suggesting that the threat actors deliberately chose this folder to hide the malicious activity.  Threat actors also registered command-and-control (C2) domains such as “dell-a[.]ntp-update[.]com”.

A server-side backdoor called RDStealer is the primary data harvester, which specializes in continuously gathering clipboard content and keystroke data from the host.  In this case, however, RDStealer is also “monitoring incoming RDP [Remote Desktop Protocol] connections and compromising remote machines if client drive mapping is enabled”.   When a new RDP client connection is detected, commands are issued by RDStealer to exfiltrate sensitive data, such as browsing history, credentials, and private keys from apps like mRemoteNG, KeePass, and Google Chrome.  In addition, the connecting RDP clients are infected with another Golang-based custom malware known as Logutil to maintain a persistent foothold on the victim network using DLL side-loading techniques and facilitate command execution.

INDICATORS OF COMPROMISE (IOCs)

MD5

• e89cb63e1352a1c9f86e03e4c744b5cd
• f51e88b159b5661f0b83c3947f3e0b24
• 61ac19b0f812b10e7690109430cba4a5
• d80827879b2e15b18a9c0feaf5a3c859
• 1d6b37bd2dfc9d6b4a811f90f6f48dce
• 2af313bdd3c54d95303c14786a3ad58d
• d5cdeba19d1a31b5be424a82210e3417
• de9233ed6689f84286fe0b7da8bc89e9
• e7121980263c08d2a759df827f97ecae
• 78a7df158236edd372946347a156e5bc
• 2b1130775c44be96990b2916ba071f40
• 211ffebfbf679b713148c6dad94ec1df
• 3b8424499183af6f886f722d85353abf
• 5a5e02256c0a8b65b2db8a0f88887744
• 1325ad15712a875ff61de3bbb0eccebd
• dec5b1c097b8d547666f76b55c5d0fdc
• b7538226437cea21297b94f37d2c2813
• 6cf0007b0d487f899fbd05ffc3401211
• 3294710063ee0dc7d6dfffc4de337b68
• 003d6351a2a2a2835f2b64a999963ec1
• e89cb63e1352a1c9f86e03e4c744b5cd
• 20ef20fd88dc7a5e90908f1667c08d11
• f18eb7a820f75e51b619b14967c83bb2
• b7538226437cea21297b94f37d2c2813
• 43b238bf6829e6f1056749bebdc01dbe
• a83cdb7efbe7bbc4dafa1c11578e6372
• f14a812c6c377e52fb98f8d4c1ed0abd
• 2a421eec6784f1675585e9b428c1b68c
• 5c613c1f1f426d7b4630673966a125ba
• ea4cee8027df495c0da7b22e5a9d8457
• 32efbf302aaa2845d3a2b76a50840dc2
• 47a02b5f59bbc62b7f4be0f4ce7574cd
• 13f5490acf5f5fab2f43f71999563bb9
• 9fc12edb2e5f193ed4ae365a57c47ffb

File Paths

• %SYSTEM32%\wbem\ncobjapi.dll
• %SYSTEM32%\wbem\ncobjapi.dll
• vcruntime140.dll
• %PROGRAM_FILES%\dell\md storage software\mdconfiguration utility\modular disk service daemon.exe
• %SYSTEM32%\wbem\lzsrv64.dll
• %SYSTEM32%\mcpbroker.dll
• %SYSTEM32%\wbem\efsmgr32.dll
• %SYSTEM32%\wbem\secure64.dll
• %SYSTEM32%\splsys64.dll
• %SYSTEM32%\mcpbroker.dll
• %SYSTEM32%\bithostw.dll
• %SYSTEM32%\bithosts.dll
• %SYSTEM32%\efsmgr32.dll
• %SYSTEM32%\efsmgr32.dll
• %SYSTEM32%\lzsrv64.dll
• %SYSTEM32%\splsys64.dll
• %SYSTEM32%\efsmgr32.dll
• wspack.dll • %SYSTEM32%\bithostw.dll
• %SYSTEM32%\wbem\bithosts.dll
• %WINDOWS%\temp\__deleted.dat
• %PROGRAM_FILES%\f-secure\psb\diagnostics\fs_ui.exe
• %PROGRAM_FILES%\f-secure\psb\diagnostics\fs_ui.exe
• %PROGRAM_FILES_x86%\dell\commandupdate\wbemwork.dll
• %WINDOWS%\temp\__to_be_deleted.dat
• %SYSTEM32%\bithostw.dll
• %SYSTEM32%\winrpc32.dll
• %PROGRAM_FILES_x86%\dell\commandupdate\wbemwork2.dll
• %PROGRAM_FILES_x86%\dell\commandupdate\dellcommandservice.exe
• %SYSTEM32%\msvcp150.dll
• %SYSTEM32%\edbr.dat • %PROGRAM_FILES_x86%\dell\commandupdate\dellcommandupdate.exe
• %PROGRAM_FILES_x86%\dell\commandupdate\msvcp140.dll
• ea4cee8027df495c0da7b22e5a9d8457 %SYSTEM32%\msvcp150.dll
• %WINDOWS%\security\database\msvcp150.dll
• %WINDOWS%\security\database\msprotect.dll
• %WINDOWS%\security\database\edbt.dat Domains
• a-ad-tml[.]ntp-update[.]com • rps-a[.]ntp-update[.]com
• a-rps[.]ntp-update[.]com • dns-a[.]ntp-update[.]com
• a-tb[.]ntp-update[.]com • alast[.]sun-java[.]com
• alast[.]ntp-update[.]com • dell-a[.]ntp-update[.]com
• a-sp-rps[.]0g6666[.]com • og8888[.]0g6666[.]com
• windows[.]javaupdate-cdn[.]com
• adobe[.]javaupdate-cdn[.]com
• flash[.]javaupdate-cdn[.]com
• linux[.]0g6666[.]com
• ad[.]ntp-update[.]com
• linux[.]ntp-update[.]com
• windows[.]0g6666[.]com
• www[.]0g6666[.]com
• wt[.]ntp-update[.]com
• aliyun[.]ntp-update[.]com
• cloud[.]ntp-update[.]com
• fe[.]ntp-update[.]com
• wtech[.]ntp-update[.]com
• imp[.]ntp-update[.]com
• ogplus[.]ntp-update[.]com
• organization[.]0g6666[.]com
• global[.]ntp-update[.]com
• kaiy[.]0g6666[.]com
• kaiy[.]ntp-update[.]com
• ky[.]0g6666[.]com
• oriental[.]ntp-update[.]com
• guard[.]ntp-update[.]com
• oglive[.]ntp-update[.]com
• guard[.]0g6666[.]com
• plus[.]ntp-update[.]com
• oglty[.]0g6666[.]com
• oglty[.]ntp-update[.]com
• oglty-ml[.]ntp-update[.]com
• esxi-lty[.]ntp-update[.]com
• ml-lty[.]ntp-update[.]com
• telegram[.]ntp-update[.]com
• easyh[.]ntp-update[.]com
• weblog[.]ntp-update[.]com
• weblog-ml[.]ntp-update[.]com
• o-fsh[.]ntp-update[.]com
• idn-tb[.]ntp-update[.]com
• tb-ndi2[.]ntp-update[.]com
• ml-ndi[.]ntp-update[.]com
• vct[.]0g6666[.]com
• windows-i-tb[.]ntp-update[.]com
• ubuntu-ndi[.]ntp-update[.]com
• windows-qc-tb-i[.]ntp-update[.]com
• windows-tb-i[.]ntp-update[.]com
• a-fms[.]ntp-update[.]com
• plus[.]0g6666[.]com
• aprotect[.]sun-java[.]coM

IP Addresses

• 34.96.222[.]22
• 35.220.144[.]179
• 35.220.202[.]191
• 34.96.235[.]162
• 35.220.190[.]145
• 35.220.183[.]209
• 35.208.179[.]162
• 34.92.13[.]119
   

RECOMMENDATIONS

• Minimize your exposed attack surfaces.
• Utilize tools and technologies that provide behavioral and anomaly detection.

REFERENCES

• https://www.bitdefender.com/files/News/CaseStudies/study/431/Bitdefender-Labs-Report-X-creat6958-en-EN.pdf
• https://www.itpro.com/security/malware/researchers-uncover-novel-rdstealer-malware-targeting-remote-desktop-protocol
• https://siliconangle.com/2023/06/20/bitdefender-warns-new-exfiltration-malware-targeting-rdp-workloads/
• https://www.bleepingcomputer.com/news/security/new-rdstealer-malware-steals-from-drives-shared-over-remote-desktop/
• https://thehackernews.com/2023/06/experts-uncover-year-long-cyber-attack.htm