The Feed 2025-01-28
AI Generated Podcast
https://open.spotify.com/episode/333UefDNrdUCa1ggaiRrfP?si=lvD_IKEmRzmDRzwoDi6P2Q
Summarized Sources
- Clone2Leak: Your Git Credentials Belong To Us : This article details multiple vulnerabilities in Git-related projects that allow for the leakage of user credentials through improper handling of newline and carriage return characters in the Git Credential Protocol.
Original link: https://flatt.tech/research/posts/clone2leak-your-git-credentials-belong-to-us/
- No Honour Among Thieves: Uncovering a Trojanized XWorm RAT Builder Propagated by Threat Actors and Disrupting Its Operations : This article discusses a trojanized XWorm RAT builder spread through various channels, designed to steal data from victims, and the efforts taken to disrupt its operations.
Original link: https://cloudsek.com/blog/no-honour-among-thieves-uncovering-a-trojanized-xworm-rat-builder-propagated-by-threat-actors-and-disrupting-its-operations
- Qbot is Back.Connect : This article details the re-emergence of Qbot malware, a modular information stealer, after law enforcement actions, including its new backConnect module and associated infrastructure.
Original link: https://medium.com/walmartglobaltech/qbot-is-back-connect-2d774052369f
-
**SocGholish Happy Hunting** : This article describes the SocGholish malware campaign that uses compromised websites to distribute malware, often disguised as browser updates, and the techniques used for threat hunting the malware.
Original link: https://www.youtube.com/watch?v=WIUJE-AzAzI
- Targeted supply chain attack against Chrome browser extensions : This article discusses a supply chain attack where threat actors compromised multiple Chrome extensions using phishing emails to steal sensitive data.
Original link: https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/
Clone2Leak: Your Git Credentials Belong To Us
Summary
This article discusses vulnerabilities found in Git-related projects that allow for credential leakage through the exploitation of how these tools handle newline and carriage return characters within the Git Credential Protocol. The vulnerabilities arise from improper parsing of messages between Git and credential helpers. These issues affect GitHub Desktop, Git Credential Manager, and Git LFS. The vulnerabilities could allow an attacker to send a malicious request that would cause the victim’s Git credentials to be sent to a malicious server. The article also covers a vulnerability in GitHub CLI and a misconfiguration in GitHub Codespaces that can lead to credential leaks.
Technical Details
The core of the vulnerabilities lies in how various Git clients and credential helpers parse messages in the Git Credential Protocol. The protocol uses newline characters (\n) as message delimiters. However, some implementations, like GitHub Desktop, use regular expressions that treat carriage returns (\r), line separators (\u2028), and paragraph separators (\u2029) as line terminators, which allows for the smuggling of additional parameters into credential requests. This means an attacker could inject a crafted URL containing carriage returns into a Git repository, causing the credential helper to return the credentials for a different host than intended. Git Credential Manager’s use of the .NET StreamReader class, which also interprets carriage returns as line delimiters, is another source of vulnerability. While Git itself validates URLs to prevent newline injections, Git LFS does not, which allows for the injection of newline characters via a specially crafted .lfsconfig file. Additionally, GitHub CLI’s IsEnterprise function incorrectly identifies non-GitHub-owned instances as enterprise servers, leading to the leakage of access tokens. Finally, the default credential helper in GitHub Codespaces always returns the GITHUB_TOKEN to Git, regardless of the requested host.
Recommendations
Git has introduced a credential.protectProtocol configuration, which when set to true will reject URLs containing carriage returns. The article recommends that credential helper scripts should validate the requested host and only return the credential if it matches or configure the credential helper on a per-host basis.
Original link: https://flatt.tech/research/posts/clone2leak-your-git-credentials-belong-to-us/
No Honour Among Thieves: Uncovering a Trojanized XWorm RAT Builder Propagated by Threat Actors and Disrupting Its Operations
Summary
This article discusses a trojanized XWorm RAT builder that threat actors are propagating through various channels, specifically targeting individuals new to cybersecurity, often referred to as “script kiddies”. The malware is spread primarily through a GitHub repository but also via file-sharing services, Telegram channels, and forums. This trojanized builder allows attackers to deploy a Remote Access Trojan (RAT) with advanced capabilities, including system reconnaissance, data exfiltration, and command execution. The malware uses Telegram as its command and control (C&C) infrastructure. Researchers were able to disrupt operations by leveraging the malware’s “kill switch” feature. The malware has compromised over 18,459 devices globally, with Russia, the USA, India, Ukraine, and Turkey being the top victim countries. The malware is capable of exfiltrating sensitive data such as browser credentials, Discord tokens, Telegram data, and system information.
Technical Details
The attack involves a trojanized XWorm RAT builder distributed across multiple platforms. The builder is weaponized, allowing threat actors to create and deploy their own RATs, which are then used to compromise systems. The malware conducts virtualization checks by reading registry keys associated with NdisVirtualBus and VirtualRender to identify virtual environments. If it detects a virtual environment, it does not spread the infection. The malware also modifies registry entries to ensure persistence. Specifically, the command ` /machine_id*startupadd ` adds entries to the Windows Registry to run the malware upon system startup. The malware uses Telegram bot tokens and API calls for command and control, issuing commands to infected devices and exfiltrating stolen data. The malware uses the sendDocument endpoint of the Telegram API to exfiltrate browser data and cookies. Discord tokens, system information, and other data are sent via the sendMessage endpoint of the Telegram API. The malware also takes screenshots and steals Telegram data. After initial data exfiltration, the malware listens for commands from the C&C server using the getUpdates method of the Telegram API. Commands are structured as /machine_id*command, allowing attackers to execute various actions on infected systems. The malware uses a variety of commands including: capturing screenshots, grabbing browser data, exfiltrating system info, keylogging, executing commands, and more. The malware also uses a “kill switch” command /uninstall, which was used to disrupt the botnet by researchers. The command was sent by the researchers to all the machine ID’s they had observed or brute forced from 1 to 9999.
Countries
Russia, USA, India, Ukraine, and Turkey are the top victim countries.
Industries
Not specified.
Recommendations
The article provides the following recommendations for mitigation:
- Deploy Endpoint Detection and Response (EDR) solutions to monitor unusual system behaviors, such as unauthorized registry modifications or Telegram API usage.
- Use Intrusion Detection and Prevention Systems (IDPS) to identify and block communication to malicious C&C servers.
- Quarantine compromised machines to prevent further data exfiltration.
- Report and request the suspension of Telegram bots used for C&C operations.
- Update threat intelligence feeds with indicators of compromise (IOCs) from malicious repositories, Telegram channels, and file-sharing services.
- Educate employees on recognizing phishing links and malicious downloads.
- Block access to malicious GitHub repositories, file-sharing links, and Telegram channels.
- Regularly update software to patch vulnerabilities.
- Restrict the execution of unauthorized programs on endpoints.
- Use the
/uninstallcommand to remove the malware from accessible infected devices. - Remove malicious registry keys and startup scripts and do a deep system scan to eradicate the RAT.
- Collaborate with authorities to prosecute the actors and with platforms to remove malicious content.
IOC
File Hashes:
67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5 - Command Receiver.exe
e92707537fe99713752f3d3f479fa68a0c8dd80439c13a2bb4ebb36a952b63fd - XHVNC.exe
ea9258e9975b8925a739066221d996aef19b4ef4fc91524f82e39d403f25579 - XWorm RAT V2.1.exe
aa8f8d093a10f1b25cb99ac059f30f056d2bb5924114a00a02cf83b0de04fae3 - generated (10).exe
43812885c033ef342d147df053715761886fbec06d08e901419fcc9c969088e - extractor.exe
Domains:
api.telegram.org
ip-api.com
Telegram Channels:
https://t.me/HAX_CRYPT
https://t.me/inheritedeu
Threat Actor Aliases:
@shinyenigma
@milleniumrat
Email:
frutosall@proton.me
AWS address:
ec2-18-191-85-60.us-east-2.compute.amazonaws.com
Original link: https://cloudsek.com/blog/no-honour-among-thieves-uncovering-a-trojanized-xworm-rat-builder-propagated-by-threat-actors-and-disrupting-its-operations
Qbot is Back.Connect
Summary
This article discusses the resurgence of Qbot, a modular information stealer also known as Qakbot or Pinkslipbot, which has been active since around 2007. It was initially known as a banking Trojan, stealing financial data, and a loader using C2 servers for payload delivery. Law enforcement disrupted Qbot’s activities on May 30th, 2024, but the operators are now showing signs of re-emergence. The article details a new backConnect malware that uses a side-loading technique via a legitimate “OneDriveStandaloneUpdater.exe” to load a malicious “winhttp.dll”. This DLL then decrypts a “.dat” file containing a PE file. The malware hooks low-level process creation and exit functions and checks for a hardcoded registry key before initiating a connection. The malware gathers system information from infected machines, like DNS servers, primary domain name, logon server, and network interfaces. This new malware is believed to be linked to the BlackBasta ransomware operation. A debugging tool associated with Qbot was discovered, and it can send commands such as shutdown commands to the bot.
Technical Details
Qbot is known for stealing financial data and using C2 servers. The new campaign involves a side-loading technique where a legitimate “OneDriveStandaloneUpdater.exe” loads a malicious “winhttp.dll”. This DLL decrypts a “settingsbackup.dat” file containing a PE file using RC4 with a hardcoded 0x80 byte key. The decrypted PE file is a new backConnect module. This backConnect module hooks low-level CreateProcess and ExitProcess functions. It checks for running copies of itself and initiates a sleep loop while checking for a hardcoded registry key Software\\TitanPlus. The value of this registry key is then parsed and passed to the nattun_client_loop function. The malware gathers system information including DNS servers, primary domain name, logon server, and network interfaces before initiating the connection to the C2 server. Analysis of the PDB paths revealed several files related to Qbot. A debugging tool was identified, capable of sending shutdown commands and performing other functions. The backConnect module has been tied to the BlackBasta ransomware operation.
Countries
Not specified.
Industries
Not specified.
Recommendations
The article provides a yara rule to help identify the samples:
rule new_bc{
strings:
$a1 = {4a6869736864694932556873766f6339346b65696f6a6e376e7331396d30646f}
condition:all of them
}
Hunting methods
- Use the provided yara rule to identify the samples.
- Monitor for the registry key
Software\\TitanPlus. - Monitor network traffic for connections to the listed IPs and domains.
IOC
File Hashes:
22c5858ff8c7815c34b4386c3b4c83f2b8bb23502d153f5d8fb9f55bd784e764
98d38282563c1fd09444724eacf5283626aeef36bcb3efa9d7a667db7314d81f
c8bddb338404a289ac3a9d6781d139314fab575eb0e6dd3f8e8c37410987e4de
bf861f5bd384707e23148716240822208ceeba50c132fb172b784a6575e5e555
9cdef45dc9f7c667a54effa9b8187ef128d64ea49c97bdae4e9567d866c63f5a
651e49a45b573bb39e21746cb99fcd5d17679e87e04201f4cc6ca10ff2d166e4
4cad17ef867f03081eb690b1c16d7f4d5c937c3f20726af0442d7274413e3620
a197804c6ae915f59add068e862945b79916c92a508c0287a97db718e72280a3
Domains:
vector123[.]xyz
upd5[.pro
IPs:
80.66.89[.]100
146.19.128[.]138
Registry:
Software\\TitanPlus
Original link: https://medium.com/walmartglobaltech/qbot-is-back-connect-2d774052369f
SocGholish | Happy Hunting
Summary
This article discusses the SocGholish malware campaign, active since 2017, which compromises trusted websites to distribute malware, often disguised as fake browser update prompts. Users are tricked into downloading malicious JavaScript files that initiate complex infection chains. The attackers use PowerShell and obfuscation techniques to deliver secondary payloads, including ransomware and tools like Cobalt Strike. The attackers use the Keitaro traffic distribution system to filter potential victims by device type, location, and behavior to optimize targeting. SocGholish is primarily linked to the Evil Corp threat actor group. The campaign has a significant reach, generating at least 1.5 million interactions with end users in one observed campaign in late October 2024. The article also details threat hunting techniques for SocGholish, specifically focusing on identifying scheduled tasks executing from abnormal locations using Windows event logs and Sysmon.
Technical Details
The SocGholish campaign begins with the compromise of trusted websites, including WordPress sites, that users encounter through organic searches. These sites are rigged to deliver malware, often disguised as browser update prompts, such as a fake Microsoft Edge update. The user is then tricked into downloading a JavaScript file, which initiates the infection chain. The infection chain involves JavaScript and PowerShell, with typical obfuscation techniques used to hide malicious code. After the initial infection, attackers use it as a loader to deploy secondary payloads, such as ransomware like Wasted Locker and penetration testing frameworks like Cobalt Strike. The attackers use a traffic distribution system called Keitaro, intended for advertisers, to filter and target victims based on metrics like browser type, device type, and geographic location. This filtering allows them to target specific types of victims, such as those in organizations that are likely to pay a ransom. The attackers leverage scheduled tasks for persistence and execution. They use scheduled tasks to run arbitrary code and, in some cases, delete the task afterward. The scheduled tasks often execute from abnormal locations, like the public directory or perflogs, which are not typical locations for legitimate executables. The abuse of scheduled tasks is identified through specific event codes, such as Windows event code 4698, which captures details about the task, including the task name, command, and arguments. Also, process creation event codes, like Windows event code 4688 and Sysmon event code 1, can be used to identify scheduled task execution, especially when created via command scripting interpreters like command.exe and PowerShell. The attackers are linked to the Evil Corp group, which also goes by other names including Mustard Tempest, Dev 0206, TA 569, and Unk 1543.
Recommendations
The article provides the following recommendations for mitigation:
- Monitor for scheduled tasks executing from abnormal locations.
- Analyze Windows event logs, especially event code 4698, for the creation of scheduled tasks.
- Monitor process creation events using Windows event code 4688 or Sysmon event code 1.
- Pay attention to task names, task commands, and task arguments within these logs.
- Identify unusual locations, such as the public directory, perflogs, and recycle bin, for scheduled task execution.
- Correlate process command-line arguments with scheduled task telemetry.
Hunting methods
The following KQL query is provided for threat hunting:
DeviceProcessEvents
| project Timestamp, DeviceName, ActionType, AccountName, AccountDomain, FileName, FolderPath, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessAccountDomain, InitiatingProcessAccountName, ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessVersionInfoProductVersion, ProcessVersionInfoInternalFileName, ProcessVersionInfoOriginalFileName, ProcessVersionInfoFileDescription, FileSize, SHA256, DeviceId, ReportId
| where FolderPath endswith "schtasks.exe" or ProcessCommandLine has_any (
"\\at",
"schtask"
)
| where ProcessCommandLine has_any (
"Users",
"Public",
"Perflogs",
"$Recycle",
"ProgramData"
)
| where not (ProcessCommandLine has_any (
"\\Windows Defender\\",
"\\Microsoft\\Windows\\Application",
"\\Microsoft\\ClickToRun"
))
| sort by Timestamp
This query looks for scheduled tasks that execute from abnormal locations. The query identifies processes where the file path ends with schtasks.exe or that have \at or schtask in the command line. It also filters for command lines that contain file paths such as “Users,” “Public,” “Perflogs,” “$Recycle,” or “ProgramData”. The query excludes paths related to Windows Defender, Microsoft Windows Applications and ClickToRun. This allows threat hunters to identify malicious scheduled tasks based on their execution paths. Additionally, the article mentions using Splunk to analyze Windows Event Logs, focusing on event code 4698, and analyzing process command-line arguments from Sysmon. The article also mentions looking for process command line activity using Sysmon, specifically the command line arguments.
Original link: https://www.youtube.com/watch?v=WIUJE-AzAzI
Targeted supply chain attack against Chrome browser extensions
Summary
This article details a supply chain attack targeting Chrome browser extensions, where attackers compromised developer accounts via phishing to upload malicious extension versions. The attackers successfully compromised around a dozen extensions, potentially affecting hundreds of thousands of users. The malicious code harvested sensitive data such as API keys and authentication tokens from websites like ChatGPT and Facebook for Business. The threat actor used phishing emails with subjects like “Action Request:
Technical Details
The attack began with spear-phishing emails targeting Chrome extension developers, attempting to trick them into authorizing a malicious OAuth Google application. The attackers likely gathered developer emails from publicly available information on the Chrome Web Store. The phishing emails redirected developers to a legitimate Google Accounts page where a malicious OAuth application named “Privacy Policy Extensions” requested permissions to “see, edit, update, or publish” Chrome Web Store extensions. By granting these permissions, the attacker could deploy new malicious versions of the extensions. The malicious code added to the extensions included JavaScript files that were injected into all URLs visited by the user. This script then attempted to retrieve a configuration file from a C2 server which contained the specific URLs to target for data harvesting. The malicious scripts interact with the browser URLs to harvest credentials and user data when the visited URL matches the configuration. The background script of the extension was modified to send collected data to C2 servers, with actions like graphqlnetwork-completions, graphqlnetwork-redirect, graphqlnetwork-validate, and graphqlnetwork-check-errors used to perform data exfiltration and other tasks. The configuration file obtained from the C2 server specifies the target endpoints, including /api/auth/session and /backend-api/me for user authentication and /public-api/conversation_limit for service usage data. The attacker used a separate C2 server to host a MySQL database for storing exfiltrated data. The attacker’s infrastructure included phishing domains, redirection pages, and C2 servers, all hosted by VULTR. The threat actor registered numerous domains with Namecheap, using common top-level domains (TLDs) like .com, .info, .pro, .live and a consistent DNS setup. The attacker used a JARM fingerprint 1dd40d40d00040d00042d43d000000e1ea2a807a629b496b664cf07ad7c08d across their infrastructure for TLS connections. The malicious code, once injected, retrieves a configuration file from the C2 server that contains URLs for data exfiltration, demonstrating a flexible design that can target different services.
Recommendations
If a user’s browser is infected, the following actions are recommended:
- Investigate to determine if user data and credentials were harvested by checking if the configuration was fetched by searching for a file named
graphqlnetwork_ext_managein Chrome’s local storage or checking communications with configuration C2 server149.28.124[.]84or45.76.225[.]148. - Check for communication with the exfiltration C2 server
149.248.2[.]160. - Update the Chrome extension to a clean version or remove it completely.
- Revoke any potentially compromised credentials such as API keys and authentication tokens.
- Revoke session cookies and change passwords for the potentially compromised accounts.
- Monitor activity on any potentially compromised accounts.
- Enhance awareness of phishing attempts that may exploit harvested data.
Hunting methods
There are no specific hunting queries provided, however the document recommends:
- Check for a configuration file named
graphqlnetwork_ext_managein Chrome’s local storage. - Monitor for network communications with the configuration C2 servers
149.28.124[.]84or45.76.225[.]148. - Monitor for network communications with the exfiltration C2 server
149.248.2[.]160.IOC
Phishing domains:
chromewebstore-noreply[.]comchromeforextension[.]comsupportchromestore[.]com
Redirection pages:
extensionpolicyprivacy[.]compolicyextension[.]infoextensionpolicy[.]netcheckpolicy[.]site136.244.115[.]219
Compromised extensions and C2 domains:
- Proxy SwitchyOmega (V3) -
proxyswitchyomega[.]pro - GraphQL Network Inspector -
graphqlnetwork[.]pro - YesCaptcha assistant -
yescaptcha[.]pro - Castorus -
castorus[.]info - Uvoice -
uvoice[.]live - VidHelper – Video Download Helper -
videodownloadhelper[.]pro - ParrotTalks -
parrottalks[.]info - Bookmark Favicon Changer -
bookmarkfc[.]info - Internxt VPN -
internxtvpn[.]pro - Vidnoz Flex -
vidnozflex[.]live - Cyberhaven -
cyberhavenext[.]pro - Wayin AI -
wayinai[.]live - Reader Mode -
readermodeext[.]info - Primus (prev. PADO) -
primusext[.]pro - TinaMind -
tinamind[.]info - VPNCity -
vpncity[.]live
Additional C2 domains:
dearflip[.]proiobit[.]proultrablock[.]proyujaverity[.]infocensortracker[.]prowakelet[.]inkpieadblock[.]prolocallyext[.]inkmoonsift[.]store
Attacker’s C2 servers:
45.76.225[.]148137.220.48[.]214149.248.44[.]88149.28.124[.]84140.82.45[.]42136.244.115[.]219155.138.253[.]165108.61.23[.]192149.248.2[.]160
Attacker’s domains:
linewizeconnect[.]comsavgptforchrome[.]progptdetector[.]livebardaiforchrome[.]livesearchcopilot[.]cochatgptextent[.]proyoutubeadsblocker[.]livegeminiaigg[.]prochataiassistant[.]proaiforgemini[.]comchatgptextension[.]siteblockforads[.]comytbadblocker[.]comgeminiforads[.]comsavegptforyou[.]livesearchgptchat[.]infosavechatgpt[.]siteadskiper[.]netsavegptforchrome[.]comchatgptforsearch[.]comsearchaiassitant[.]infogoodenhancerblocker[.]siteinternetdownloadmanager[.]proopenaigptforgg[.]siteadsblockforyoutube[.]sitepromptheusgpt[.]infogpt4chrome[.]livesavegpt[.]progptforads[.]infogptforbusiness[.]site
File Hash:
d303047205dabec8e2d34431e920ebe3478ca80a18f57bf454da094aca0e10aa
Original link: https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/