The Feed 2025-01-14

  • How A Large-Scale Russian Botnet Operation Stays Under the Radar : A large botnet that takes advantage of misconfigured DNS records is able to send malware via spam and remain undetected.

Original Link: https://blogs.infoblox.com/threat-intelligence/one-mikro-typo-how-a-simple-dns-misconfiguration-enables-malware-delivery-by-a-russian-botnet/

  • Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service : The Sneaky 2FA phishing kit is a new adversary in the middle (AiTM) phishing kit that targets Microsoft 365 accounts and is sold as Phishing-as-a-Service (PhaaS) via Telegram.

Original Link: https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/

  • Sugarcoating KANDYKORN a sweet dive into a sophisticated MacOS backdoor. : KANDYKORN is a novel macOS backdoor that was discovered by Elastic Security Labs during an intrusion targeting blockchain engineers at a prominent crypto exchange platform.

Original Link: https://info.spamhaus.com/hubfs/Botnet%20Reports/Jul-Dec%202024%20Botnet%20Threat%20Update.pdf

  • Threat Brief: CVE-2025-0282 and CVE-2025-0283 : Details of a new attack, potentially conducted by UNC5337, targeting Ivanti Connect Secure appliances that leverages a zero-day RCE exploit (CVE-2025-0282) to compromise devices and move laterally into networks.

Original Link: https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2025-0282-cve-2025-0283/

How A Large-Scale Russian Botnet Operation Stays Under the Radar

Summary

This article details a large-scale botnet operation that is able to stay undetected by taking advantage of misconfigured DNS records to deliver malware through spam campaigns. The attackers are impersonating the shipping company DHL and sending emails that contain malicious zip files. The IP address of the command and control server is 62.133.60[.]137
The botnet consists of approximately 13,000 hijacked MikroTik devices that have had SOCKS enabled, allowing the devices to operate as TCP redirectors and masking the true origin of the malicious traffic. The campaign involved approximately 20,000 sender domains that had misconfigured SPF records which allowed any address to send emails for the domains.

Technical Details

  • Initial Access - Exploitation of vulnerable MikroTik devices. Possible exploitation of a hardcoded admin account with a blank password.
  • Execution - Javascript in a zip file creates and executes a PowerShell script that initiates an outbound connection to the C2.
  • Command and Control - Outbound connection to C2 server.
  • Defense Evasion - Use of SOCKS proxies to mask the origin of the malicious traffic. Spoofing sender domains in email by taking advantage of misconfigured DNS records.
  • Persistence - Placing a script on compromised devices that enables SOCKS.

    Countries

    Russia

    Industries

    Shipping and Delivery

    Recommendations

    Disable the hard-coded ‘admin’ user account with a blank password on Mikrotik devices.
    Ensure SPF records are properly configured to prevent spoofing and unauthorized email sending.

    Hunting methods

    dig +short txt example.com | grep spf

    nslookup -type=txt example.com | Select-String -Pattern spf

    IOC

    IP Addresses: 62.133.60[.]137

Original link: https://blogs.infoblox.com/threat-intelligence/one-mikro-typo-how-a-simple-dns-misconfiguration-enables-malware-delivery-by-a-russian-botnet/

Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service

Summary

This article details a new adversary-in-the-middle (AiTM) phishing kit called Sneaky 2FA that targets Microsoft 365 accounts and is sold as a Phishing-as-a-Service (PhaaS) via Telegram. The Sneaky 2FA phishing kit utilizes various techniques to bypass multi-factor authentication (MFA) including auto-filling the victim’s email address on a fake login page, employing Cloudflare Turnstile or reCAPTCHA to avoid detection by bots, and using anti-debugger methods to prevent analysis. The phishing pages are often hosted on compromised infrastructure such as WordPress websites and utilize obfuscation techniques to evade detection. Sneaky 2FA redirects users who fail its checks to Wikipedia pages using the href[.]li redirection service. When successful, the victim is redirected to a legitimate Microsoft URL, hxxps://outlook.office365[.]com/Encryption/ErrorPage.aspx?src=0&code=10&be=DM8PR09MB6088&fe=1. The phishing kit operates by checking the validity of a license key with a central server, indicating a subscription-based model. The kit’s source code appears to be based on the W3LL OV6 AiTM phishing kit, suggesting a potential connection between the two. Analysis of the Sneaky 2FA source code reveals that it communicates with the Microsoft 365 API directly from the phishing server, unlike other AiTM kits that use proxies. The Sneaky 2FA phishing kit is advertised and sold through a Telegram bot (@SneakyLog_bot) operated by the PhaaS service.
The Sneaky Log Telegram bot offers three tools:
• 365 Cookie Page - The AiTM phishing kit itself
• B2B Sender - An email sender tool designed for spamming
• Redirect & Attachment - A tool for redirecting and attaching files
The Sneaky Log bot utilizes a multi-cryptocurrency payment system and accepts Bitcoin (BTC), Tether USD on TRON (USDT-TRC20), Ethereum (ETH), Litecoin (LTC), and Tether USD on BNB Chain (USDT-BEP2).
The bot employs a strategy for obfuscating cryptocurrency transactions to make tracing payment flows difficult. For BTC and LTC, the bot uses new addresses for every transaction, while for USDT-TRC20 and ETH, it selects addresses from an existing pool with substantial transaction history. Sneaky 2FA exploits the Microsoft authentication flow, where each step generates an event in the Microsoft 365 audit log with the authentication step name (RequestType) and the User-Agent string of the client. The phishing kit uses distinct hardcoded User-Agent strings for every HTTP request, creating a unique sequence of User-Agents that allows for the identification of the kit. \

Technical Details

Initial Access - Phishing emails containing QR codes that redirect to a Sneaky 2FA landing page. Exploiting vulnerable or compromised web servers to host the phishing kit. Execution - The phishing kit uses Javascript to dynamically fetch the victim’s information including tenant branding and email addresses. Reconnaissance - The kit checks the visitor’s IP address to determine if it originated from a data center, cloud provider, bot, proxy, VPN, or is associated with known abuse. If any of these criteria are met, the visitor is redirected to a Wikipedia page. Defense Evasion - Uses Cloudflare Turnstile and reCaptcha to determine if the visitor is human. Uses anti-debugger techniques to evade analysis with web browser developer tools. Utilizes HTML and Javascript obfuscation techniques. Redirects users to Wikipedia pages that are related to Microsoft to evade detection. Uses blurred images as the background for fake Microsoft authentication pages. Uses a different User-Agent string for nearly every HTTP request to evade detection. Persistence - The phishing kit utilizes a licensing server and checks in to ensure that the license has not expired. Command and Control - The kit directly communicates with Microsoft 365 API, unlike other AiTM phishing kits that use proxies. Employs distinct address management strategies for different cryptocurrencies (BTC, LTC, USDT-TRC20, ETH) to obfuscate transactions. Exfiltration - Exfiltrates the victim’s session cookie from the Microsoft 365 account.

Countries

The article does not specify any targeted countries.

Industries

The article does not specify any targeted industries. However, it can be inferred that industries that rely heavily on Microsoft 365 services are potential targets.

Recommendations

The article does not explicitly provide technical recommendations. However, it does highlight the following:

  • User-Agent Anomalies: Monitor Microsoft 365 audit logs for unusual sequences of User-Agent strings as an indicator of potential AiTM phishing activity, particularly related to the Sneaky 2FA kit.
  • Domain Monitoring: Track the domains associated with Sneaky 2FA and other AiTM phishing kits for early detection of phishing campaigns.
  • Phishing Awareness: Educate users about the dangers of AiTM phishing attacks, particularly targeting Microsoft 365 accounts, and how to identify and avoid such threats.

    Hunting methods

    ``` rule: Microsoft 365 Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA) description: >- Detects a sign-in attempt with an impossible device shift characteristic of the adversary-in-the-middle phishing kit Sneaky 2FA. correlation: | name: login_safari_ios detection: selection: office365.auth.request_type: ‘Login:login’ user_agent.original: ‘Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1’ condition: selection — name: resume_edge_windows detection: selection: office365.auth.request_type: ‘Login:resume’ user_agent.original: ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Edg/128.0.0.0 OS/10.0.22635’ condition: selection — action: correlation type: temporal rule:

    • login_safari_ios
    • resume_edge_windows group-by:
    • office365.context.correlation.id timespan: 10m ordered: false ```

IOC

IP Addresses: 101.99.92[.]124
185.125.100[.]81

Domains: africanagrirnarket[.]com
alliedhealthcaresolution[.]com
allorganicitems[.]com
allorginichomes[.]xyz
apppowerappsportals[.]top
baptihealth[.]com
bhlergroup[.]com
claytoncontsruction[.]net
desirenetwork[.]in
docuinshare[.]top
dolh6growth[.]online
drop-project[.]top
emailsay[.]com
emea-nec[.]com
erhakalip[.]com
files42[.]com
florenceorganics[.]us
glamorouslengths[.]su
greyscaleal[.]com
guardiansresearch[.]org
hsrcxeeae[.]mypi[.]co
intertrustsgroup[.]com
lovencareurology[.]in
matcocomponent[.]com
may-april[.]com
metin2odisey[.]com
ms-consulting-dom[.]fr
o7t5dgbx-staging[.]dreamwp[.]com
oempcworlds[.]org
ohconnects[.]org
ol[.]advanceplastics-ke[.]com
omnirayoprah[.]cfd
organichoicehome[.]com
outsourcel[.]com[.]au
portalpowerfiles[.]top
portalpowerstorages[.]top
profitminers[.]in
reintergestna[.]org
reliant-rehabs[.]com
rockandrevenue[.]com
rurrasqueamos[.]click
stillmanconsulting[.]net
storageorder[.]sbs
sysarchirnc[.]com
thumenectrics[.]es
tvsyndciate[.]com
urbanumbrella[.]org
usfightingsystems[.]com
webitww[.]com
welcomehomeproject[.]org
windstreaim[.]com
wwgle[.]com
yushengusa[.]com
docsafybeifur2mabbggrihscauthenticnotes[.]online
historischeverenigingmarum[.]online
loginoffice365commonauth00000365user1153196333[.]empreendendocomgrafica[.]com
loginoffice365commonauth00000365user6867620079[.]empreendendocomgrafica[.]com
Some domains that might be compromised:
allorganichome[.]com
auxin[.]co[.]in
aweitapp[.]com
carpetcleaningmanitoba[.]ca
cchosting[.]co[.]za
cnphys[.]com
coysem[.]com
drgoelsdmd[.]com
eto1908[.]org
forcainvicta[.]com[.]br
funnelflex[.]co
globalservicesqtr[.]com
iziloyer[.]com
kagumigroup[.]id
leanstartupatelier[.]co
meliorahospital[.]com
mscserv[.]com
mysilverfox[.]com[.]my
nashnights[.]com
pipaltree[.]ngo
powa[.]co[.]zw
printserve[.]co[.]ke
senangwasap[.]com
snatched-beautybar[.]com
sukrajclasses[.]com
thewoodlandretreat[.]in
unalkardesler[.]net
vlsbali[.]com
wordtex[.]com
www[.]fabribat[.]com
www[.]northernaid[.]org
yaharaho[.]com
yogatrapezepoint[.]com
yugaljeeautomotive[.]com
101.99.92[.]124
185.125.100[.]81
sneakylog[.]store
tesla-apply-job.com
allorginichomes[.]com
empreendendocomgrafica[.]com
tesla-apply-job.com
yushengusa[.]com

URLs: hxxps://outlook.office365[.]com/Encryption/ErrorPage.aspx?src=0&code=10&be=DM8PR09MB6088&fe=1

Original link: https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/

SUGARCOATING KANDYKORN: A SWEET DIVE INTO A SOPHISTICATED MACOS BACKDOOR

Summary

This article details a novel macOS backdoor called KANDYKORN. KANDYKORN was discovered while investigating an intrusion targeting blockchain engineers at a cryptocurrency exchange. The intrusion began when the victim was socially engineered into downloading what they believed to be a cryptocurrency arbitrage bot. In reality, it was a multi-stage malware designed to compromise their macOS device. The malware utilizes a variety of techniques, including obfuscation, reflective binary loading, and execution flow hijacking to evade detection and maintain persistence.

SHA-256 Hashes:
3ea2ead8f3cec030906dcbffe3efd5c5d77d5d37
5d4a54cca03bfe8a6cb59940
2360a69e5fd7217e977123c81d3dbb60bf4763a9
dae6949bc1900234f7762df1

Domains:
tp-globa[.]xyz

IP Addresses:
192.119.64[.]43
23.254.226[.]90

URLs:
http://tp-globa[.]xyz//OdhLca1mLUp/ lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC

RC4 Keys:
D9F936CE628C3E5D9B3695694D1CDE79E470E938
064D98FBF4EF980A5558D1C90C7E650C2362A21B
914ABD173ABA5C0E5837C47B89F74C5B23A7294C
C1CFD11B

Technical Details

Initial Access - The attacker impersonated members of the blockchain engineering community on Discord and socially engineered the victim into downloading a ZIP archive containing malicious code. The victim believed they were downloading a cryptocurrency arbitrage bot. Execution - Upon execution, the initial Python script downloads and executes additional payloads from Google Drive, leading to the execution of the main backdoor, KANDYKORN. The malware leverages reflective binary loading to execute its payloads directly in memory without writing them to disk. KANDYKORN forks itself and runs as a daemon in the background. Persistence - The malware establishes persistence by employing execution flow hijacking of the Discord chat application. It renames the legitimate Discord binary and replaces it with a malicious loader. This loader executes both the original Discord application and a hidden payload, ensuring the backdoor remains active even after system restarts. The malware also creates a configuration file at /Library/Caches/com.apple.safari.ck to store C2 settings. Defense Evasion - The malware employs multiple layers of obfuscation, including packing the main code of the SUGARLOADER component. SUGARLOADER utilizes junk instructions, opaque predicates, and indirect jumps in memory to make analysis difficult. The malware was also compiled in debug mode which initially resulted in zero detections on VirusTotal. Command and Control - KANDYKORN communicates with its C2 server using a custom network protocol that employs RC4 encryption. The initial handshake involves predictable random values and nonce exchanges to authenticate the client. The protocol uses a common schema for binary objects, sending content length followed by the payload for data exchange. The malware includes a sleepInterval setting that defines the time between actions. The configuration file supports the use of a primary and secondary C2 server. Exfiltration - KANDYKORN possesses various capabilities to exfiltrate data from the compromised machine, including listing directory contents, uploading files to the C2 server, downloading files from the victim’s computer, archiving and exfiltrating directories, and capturing screenshots.

Countries

The article suggests a potential link to the DPRK’s Lazarus Group based on code-signing techniques observed in HLOADER, a component of KANDYKORN. The article notes that Elastic Security Labs has recognized this technique as an indicator of DPRK campaigns. However, definitive attribution is not provided in the article.

Industries

The primary target mentioned in the article is a cryptocurrency exchange platform, specifically targeting blockchain engineers.

Recommendations

The article does not provide specific technical recommendations for mitigating the threat posed by KANDYKORN. However, it highlights the importance of understanding and detecting the tactics and techniques employed by this malware. The development of a custom tool to simulate the C2 server for KANDYKORN is mentioned as a way to facilitate research and the development of effective detection mechanisms.

Hunting methods

The article does not provide any specific hunting queries in Yara, Sigma, KQL, SPL, or other languages.

IOC

SHA-256 Hashes:
3ea2ead8f3cec030906dcbffe3efd5c5d77d5d37
5d4a54cca03bfe8a6cb59940
2360a69e5fd7217e977123c81d3dbb60bf4763a9
dae6949bc1900234f7762df1

Domains:
tp-globa[.]xyz

IP Addresses:
192.119.64[.]43
23.254.226[.]90

URLs:
http://tp-globa[.]xyz//OdhLca1mLUp/ lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC

RC4 Keys:
D9F936CE628C3E5D9B3695694D1CDE79E470E938
064D98FBF4EF980A5558D1C90C7E650C2362A21B
914ABD173ABA5C0E5837C47B89F74C5B23A7294C
C1CFD11B

Original link: https://info.spamhaus.com/hubfs/Botnet%20Reports/Jul-Dec%202024%20Botnet%20Threat%20Update.pdf

Threat Brief: CVE-2025-0282 and CVE-2025-0283

Summary

This article provides an analysis of two vulnerabilities (CVE-2025-0282 and CVE-2025-0283) found in Ivanti Connect Secure, Policy Secure, and ZTA gateway products. CVE-2025-0282 allows a remote unauthenticated attacker to execute arbitrary code, while CVE-2025-0283 enables a local authenticated attacker to elevate privileges. The article describes how attackers exploit CVE-2025-0282 to gain initial access to a network, then utilize various tools and techniques for credential harvesting, lateral movement, defense evasion, and persistence. The report highlights the use of custom tools like the Perl script ldap.pl for credential theft, package.dll for potential LSASS memory dumping, and DLL side-loading techniques involving vixDiskLib.dll and deelevator64.dll for backdoor creation.

Technical Details

The primary vulnerability, CVE-2025-0282, is a stack-based buffer overflow that can be exploited remotely without authentication. Attackers target internet-exposed Ivanti appliances, sending specially crafted requests to trigger the vulnerability. Successful exploitation allows them to establish a foothold within the network and potentially move laterally to other systems.

Once inside the network, attackers use a multi-phase attack process:

  • Initial Access: Attackers likely exploit the CVE-2025-0282 vulnerability by manipulating IFT connections in Ivanti Connect Secure (ICS) VPN appliances. They may use tools like Tor and Nord VPN to mask their activity during this phase.
  • Credential Harvesting and Lateral Movement: A custom Perl script named ldap.pl is deployed to extract and decrypt passwords from the compromised Ivanti appliance. Attackers utilize stolen credentials to move laterally within the network, employing protocols like RDP to access other systems. For credential harvesting on Windows hosts, they use package.dll, a simple memory dumping tool, likely aimed at dumping LSASS process memory.
  • Defense Evasion: Attackers engage in anti-forensic techniques to hinder detection and analysis. They delete crucial log files on the Ivanti appliance, including debug.log files and files in the /var/cores directory, to erase evidence of their activities.
  • Persistence: Attackers deploy various tools for persistence on both the Ivanti appliance and within the victim’s network. These include tools such as SPAWNMOLE (tunneler), SPAWNSNAIL (SSH backdoor), and SPAWNSLOTH (log tampering utility). They also leverage system services like DcomSrv and scheduled tasks like /mail for persistent backdoor access.

The attack also features DLL side-loading techniques using files like vixDiskLib.dll and deelevator64.dll. These malicious DLLs are loaded by legitimate Windows executables, providing a stealthy way to execute malicious code. The DLLs load additional files, such as error.dat and temp.log, which are decrypted in memory and injected into processes like svchost.exe via process hollowing. These injected processes then communicate with C2 servers for further instructions.

Countries

The article does not specify any targeted countries. However, it mentions an observed activity cluster, CL-UNK-0979, which shares some similarities with the UNC5337 group reported by Mandiant. While there are overlaps in observed tactics, the article notes that there isn’t enough evidence to confirm if CL-UNK-0979 is definitively linked to UNC5337.

Industries

The article explicitly mentions that Ivanti Connect Secure appliances are the primary targets of attacks exploiting CVE-2025-0282. These appliances are often used by organizations to facilitate remote access to their networks, suggesting a broad range of industries could be affected.

Recommendations

The article highlights the importance of applying the security patch provided by Ivanti to mitigate the vulnerabilities. It also advises organizations to utilize Ivanti’s Integrity Checker Tool (ICT) to detect suspicious activities.

Hunting methods

The article doesn’t explicitly mention hunting queries. However, it provides details on specific file paths and log locations targeted by attackers for potential log analysis. For example, security teams could focus on monitoring the /data/runtime/logs/log.events.vc0 and /data/var/dlogs/debuglog files for signs of deletion or tampering. Additionally, the presence of specific files like ldap.pl, package.dll, vixDiskLib.dll, deelevator64.dll, error.dat, and temp.log could be used as indicators of compromise.

IOC

IPV4 Addresses:
185.219.141[.]95
185.195.71[.]244
193.149.180[.]128
168.100.8[.]144

SHA256 Hashes:
7144B8C77D261985205AE2621EB6242F43D6244E18B8D01D05048337346B6EFD
AAE291AC5767CFE93676DACB67BA50C98D8FD520F5821FB050FD63E38B000B18
366635c00b8e6f749a4d948574a0f1e7b4c842ca443176de27af45debbc14f71
3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104
43363AA0D1FDAB0174D94BD5A9E16D47CBB08B4B089C5A12E370133AB8E640A6
1dc0a3a5904ec35103538a018ef069fbe95b0a3c26cb0ff9ba0d1c268d1aaf98
f9ca95119b32a18491e3cc28c7020ee00f6e7a45ae089c876d87252e754e5a2e
723711ccbb3eaf1daea3d5b00aa6aaee48a359be395d9500d8a56609ec5238e9
75a3d53c1d63ecb338d4b2d6f5b3d980b0caceb77808ed81ab73b49138cc0a26
a6b24fcef2e018c9ef634aa21e26a74ff94ea508a8b132fad38d48f5ab10fcd3

Original link: https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2025-0282-cve-2025-0283/