Advisory ID: ngCERT-2024-0025
Summary:
ngCERT is issuing an urgent security advisory regarding a critical vulnerability within Microsoft Windows Wi-Fi drivers, designated as CVE-2024-30078. This severe Remote Code Execution (RCE) flaw affects all current Microsoft Windows versions, with particular emphasis on Windows 10 and 11. An attacker, without requiring authentication, can exploit this vulnerability by transmitting a malicious network message to a vulnerable Wi-Fi driver, leading to arbitrary code execution on the target system. This may result in unauthorized malware installation, complete system compromise, and the potential theft or manipulation of sensitive information. Users are strongly advised to implement the latest security updates from Microsoft, addressing this critical issue.
Damage/Probability: CRITICAL/HIGH
Platform(s): Windows
Description:
The CVE-2024-30078 vulnerability represents a significant threat, impacting a wide array of devices running various Windows versions. This Wi-Fi driver RCE vulnerability is distinct in that it does not require any prior access to the victim's device, nor does it require the victim to click a phishing link or execute a file. An attacker merely needs to be within Wi-Fi range of the target, such as in public Wi-Fi areas in airports, hotels, cafes, or offices, and send a malicious packet to the vulnerable Wi-Fi adapter to trigger RCE and potentially deploy further malicious software.
Consequences:
If exploited, the following outcomes may occur:
- Complete system takeover.
- Unauthorized retrieval of confidential data.
- Data exfiltration.
- Compromised account misuse.
- Ransomware deployment.
- Financial repercussions.
Solution:
To mitigate this threat, ngCERT advises:
- System Upgrades: Users on unsupported or end-of-life Windows versions should upgrade to the latest releases, which continue to receive vital security support.
- Timely Updates: Users on supported Windows iterations should promptly apply all updates and patches, which frequently include remedies for exploitable vulnerabilities. For detailed information, please refer to the Microsoft Security Response Center (MSRC) update guide.
- Firewall Activation: Employing a firewall can obstruct potential adjacent network attacks, serving as a protective barrier against external threats.
- Wi-Fi Deactivation: If not in active use, disable Wi-Fi to reduce the attackable surface area, as dormant connections may still be susceptible to unauthorized activities.
For further assistance and updates, please visit ngCERT's official website or contact our support team.
References:
Advisory ID: ngCERT-2024-0020
Summary:
ngCERT is aware of the resurgence of Andromeda malware, also known as Gamarue, Wauchos, and Andromeda Stealer, a dangerous Trojan horse with multiple malicious capabilities. Threat actors have used this malware to build a network of infected computers, known as the Andromeda Botnet, which can be used to launch further attacks by distributing other malware such as ransomware, banking Trojans, Distributed Denial of Service (DDoS) bots, spam bots and backdoors. Despite the takedown of the Andromeda botnet by US and European law enforcement agencies in 2017, new variants have been detected infecting systems worldwide, including in Nigeria. ngCERT advises individuals and organisations to take immediate steps to protect their systems and data from Andromeda and other malware threats.
Damage/Probability: CRITICAL/HIGH
Platform(s): Windows
Description:
The Andromeda malware is a modular bot whose capabilities can be extended with plugins (keyloggers, rootkits, TeamViewer-based remote access, and spreaders) to expand its attack chain and reach. The malware can infect systems through various methods, such as spear-phishing emails, drive-by downloads, infected cracks or keygens, removable drives, and malicious links. It can perform various functions, such as using anti-virtual-machine and anti-debugging techniques, creating botnets, working as a backdoor, and stealing sensitive information. It can also receive commands from its control server to download and execute files, open remote shells, or uninstall itself from the system.
Consequences:
Successful infection could lead to:
- System compromise.
- Unauthorised access to sensitive data.
- Loss and theft of sensitive data.
- System takeover.
- Ransomware attacks.
- Financial loss.
- DDoS attacks.
Solution:
ngCERT recommends the following:
- Avoid downloading or opening attachments in emails received from untrusted sources or unexpectedly received from trusted users.
- Block the malicious external IP addresses and other malicious IP addresses on your network.
- Ensure that the assets/systems operating system, applications, antivirus, and plugins are up to date.
- Activate built-in security features on endpoint devices which scan applications for malware.
- Consider implementing stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solution, endpoint detection and response solution including anti-malware software.
- Enforce a strong password policy, implement regular password changes.
- Disable unnecessary services and open ports on endpoint devices and servers within your agency. Only enable services and open ports that are essential for day-to-day operations.
References:
- https://www.alphatechs.al/post/andromeda-botnet-a-threat-to-albanias-cybersecurity
- https://www.ncert.gov.ph/2023/05/25/collective-analysis-of-avalanche-andromeda-malware-infiltration-in-government-and-academe-sectors
- https://www.csk.gov.in/alerts/andromeda.html#:~:text=The%20malware%20mainly%20targets%20the,which%20Andromeda%20is%20associated%20with
Advisory ID: NCC-CSIRT-040624-004
Summary:
Multiple vulnerabilities have been identified in Microsoft Edge, the popular web browser, which could potentially allow remote attackers to execute arbitrary code, bypass security restrictions, or obtain sensitive information. Users are advised to upgrade their products to the latest versions as recommended.
Threat Type(s): Denial of Service, Remote Code Execution, Information Disclosure
Impact/Vulnerability: CRITICAL/MEDIUM
Product(s): Microsoft Edge (Stable) prior to 125.0.2535.85
Platform(s): Microsoft Edge Browsers
CVE(s): CVE-2024-5493, CVE-2024-5494, CVE-2024-5495, CVE-2024-5496, CVE-2024-5497, CVE-2024-5498, CVE-2024-5499
Version(s): All Versions
Description:
Multiple vulnerabilities were identified in Microsoft Edge and Microsoft has rolled out a new update for the Edge browser in the Stable Channel. Version 125.0.2535.85 is now available with fixes for seven Chromium vulnerabilities of high severity. This is a security-only update, and it does not contain any new features or notable changes.
Consequences:
A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, remote code execution and sensitive information disclosure on the targeted system.
Solution:
To mitigate the risks associated with these vulnerabilities, it is highly recommended that users take the following steps:
- Update to Microsoft Edge (Stable) version 125.0.2535.85 or later, or visit the software vendor's website for more information.
- Avoid clicking on suspicious links or downloading files from untrusted sources while browsing the web. Be cautious when connecting with content or websites you are not familiar with.
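Confirming that every managed browser is at or above the fixed build is the check that matters here, and it is easy to get wrong when version strings are compared as text. The following is an added example, not code from the advisory or from Microsoft: it parses the four-field Edge version numerically and reports which inventoried hosts still need the update. The host names and version strings are constructed sample data; the threshold 125.0.2535.85 comes from the advisory.

```python
"""Report hosts whose Microsoft Edge (Stable) build is below the fixed version.
Added example; inventory entries below are constructed sample data."""

FIXED_VERSION = "125.0.2535.85"  # fixed Stable build named in the advisory


def parse_version(s: str) -> tuple:
    """Turn '125.0.2535.85' into (125, 0, 2535, 85) so comparison is numeric
    field by field. A plain string comparison would wrongly rank
    '125.0.2535.9' above '125.0.2535.85'."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is the fixed build or newer."""
    return parse_version(installed) >= parse_version(fixed)


# Constructed inventory: (host name, Edge version reported by the install)
SAMPLE_INVENTORY = [
    ("ws-01", "125.0.2535.85"),   # exactly the fixed build
    ("ws-02", "125.0.2535.9"),    # lexically "greater", numerically older
    ("ws-03", "124.0.2478.109"),  # previous major release
    ("ws-04", "126.0.2592.56"),   # newer than the fix
]


def hosts_needing_update(inventory=SAMPLE_INVENTORY, fixed=FIXED_VERSION):
    """Return the host names whose Edge build is older than the fixed build."""
    return [host for host, ver in inventory if not is_patched(ver, fixed)]


if __name__ == "__main__":
    for host in hosts_needing_update():
        print(f"{host}: Edge below {FIXED_VERSION}, update required")
```

The same comparison applies to any dotted product version; the constructed "ws-02" entry is there specifically because a naive string check would pass it.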
References:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5495
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5496
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5497
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5498
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5499
Advisory ID: ngCERT-2024-0019
Summary:
Grandoreiro, a multi-component banking trojan that runs as Malware-as-a-Service (MaaS), is targeting more than 1,500 banks globally. According to reports, the malware has targeted banking applications and websites in more than 60 countries, across Central and South America, Africa, Europe, and the Indo-Pacific. Investigation further revealed that the malware targets more than 41 banking applications in Nigeria. The new version includes significant changes such as string decryption and DGA calculation, allowing at least 12 different C2 domains per day. Grandoreiro's attack chain includes harvesting email addresses from affected hosts and delivering further phishing attempts through the Microsoft Outlook client. Cybercriminals could use the malware to gather sensitive financial data, potentially resulting in financial losses. This underscores the need for network and system administrators as well as device users to put safeguards in place to prevent likely attacks.
Damage/Probability: CRITICAL/HIGH
Platform(s): Windows & Android
Description:
The Grandoreiro banking trojan is spread through large-scale phishing campaigns, where threat actors send emails impersonating government entities and financial institutions. These emails entice recipients to click on links to view documents or notices such as account statements or payment requests, leading to the download of a ZIP file containing a loader executable. The loader is designed to evade antivirus detection by inflating its size and presenting a CAPTCHA to distinguish real users from automated analysis systems. Once executed, the loader checks the environment to avoid sandboxes and unprotected Windows 7 machines, then collects victim data such as computer and user names, operating system version, antivirus name, public IP address, and running processes. This information is encrypted and sent to a command and control (C2) server. The malware also checks for Microsoft Outlook clients, crypto wallets, and specific banking security products. To ensure persistence, the malware modifies the Windows registry, and it uses a Domain Generation Algorithm (DGA) for C2 communication. It harvests email addresses from Outlook and sends further phishing emails from the victim's account after disabling Outlook alerts. It skips certain addresses, such as those containing "noreply" or "newsletter", and scans the victim's folders for files with specific extensions to find more addresses. The malware sends spam emails based on templates from its C2 server, waits until the user has been inactive for a certain period before sending, and immediately deletes the sent emails from the victim's mailbox. Besides its banking trojan capabilities, the malware allows cybercriminals to control the infected computer, perform keylogging, manage windows and processes, open a browser and execute JavaScript, upload or download files, and send emails.
Consequences:
The following could happen if this banking malware is successfully installed:
- Compromise of systems and banking applications.
- Sensitive data exfiltration.
- Further spread via phishing emails sent from infected victims' mailboxes.
- Financial fraud through compromised systems.
- Invasion of privacy.
- Denial of Service (DoS) attack.
- Identity theft.
Solution:
It is recommended that system administrators and users:
- Refrain from opening suspicious emails that prompt file downloads or request sensitive information.
- Verify the sender’s authenticity before clicking on any links or downloading attachments.
- Download software from official websites and direct download links.
- Update installed programs through implemented functions or tools provided by official software developers.
- Regularly scan the operating system for threats with a reputable antivirus or anti-spyware suite and keep this software up to date.
- Install and configure robust endpoint security solutions that can detect and block malicious activities.
- Monitor network traffic for unusual activity, such as multiple consecutive requests to IP geolocation services like http://ip-api.com/json, which could indicate an infection.
- Block known malicious domains and pre-calculated DGA domains at the DNS level to prevent the malware from communicating with its C2 servers.
- Educate employees about phishing tactics and the importance of cyber security hygiene.
- Regularly check Windows registry keys used for persistence, such as HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
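The network indicator above (repeated requests to http://ip-api.com/json from one host) is straightforward to hunt for in proxy or egress logs. The following is an added example, not code from the advisory or from any of the cited reports: it reads a simple proxy log, counts geolocation-API requests per client inside a sliding time window, and flags clients that exceed a threshold. The log line format, the sample lines, the one-minute window and the threshold of three are all constructed assumptions; only the ip-api.com hostname comes from the advisory.

```python
"""Flag clients making repeated requests to the ip-api.com geolocation API
within a short window, one of the network indicators named in the advisory.
Added example; the log format and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse
import re

# Constructed proxy log format: "<ISO timestamp> <client_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
GEOIP_HOST = "ip-api.com"  # hostname named in the advisory

# Constructed sample: 10.1.1.7 hits the API four times in ten seconds,
# 10.1.1.9 hits it twice, hours apart (e.g. a legitimate one-off lookup).
SAMPLE_LOG = """\
2024-05-20T09:00:01 10.1.1.7 GET http://ip-api.com/json
2024-05-20T09:00:03 10.1.1.7 GET http://ip-api.com/json
2024-05-20T09:00:06 10.1.1.7 GET http://ip-api.com/json
2024-05-20T09:00:10 10.1.1.7 GET http://ip-api.com/json
2024-05-20T09:00:11 10.1.1.9 GET https://www.example.com/
2024-05-20T09:05:00 10.1.1.9 GET http://ip-api.com/json
2024-05-20T12:30:00 10.1.1.9 GET http://ip-api.com/json
malformed line that the parser must skip
"""


def parse_line(line):
    """Return (timestamp, client_ip, url) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, _method, url = m.groups()
    return datetime.fromisoformat(ts), client, url


def suspicious_clients(log_text=SAMPLE_LOG, threshold=3, window=timedelta(minutes=1)):
    """Return {client_ip: max_requests_in_window} for clients that made at
    least `threshold` requests to the geolocation API inside any sliding
    window of length `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, url = rec
        if urlparse(url).hostname == GEOIP_HOST:
            hits[client].append(ts)

    flagged = {}
    for client, times in hits.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # advance the window start until all timestamps fit inside it
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    for client, count in suspicious_clients().items():
        print(f"{client}: {count} requests to {GEOIP_HOST} within one minute")
```

Tune the threshold and window against what your own network normally shows; a single lookup is unremarkable, so the sliding window is what separates a burst from background noise.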
References:
- https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/
- https://thehackernews.com/2024/05/grandoreiro-banking-trojan-resurfaces.html
- https://www.infosecurity-magazine.com/news/grandoreiro-banking-trojanmajor
- https://cyberfraudcentre.com/understanding-and-preventing-the-grandoreiro-banking-trojan
Advisory ID: ngCERT-2024-0018
Summary:
Security investigations revealed that a self-propagating USB malware released in 2020 is still active and spreading across systems worldwide through infected USB drives. Over the past six months, monitoring of this PlugX worm variant revealed that about 2.5 million IP addresses were infected in over 170 countries, including Nigeria. Currently, over 100,000 unique IPs still send daily requests to the sinkhole, indicating that the botnet remains active. It is worth noting that 15 of the 170 affected countries, Nigeria among them, account for 80% of the infections recorded. Like other Remote Access Trojans (RATs), the PlugX malware can be used to obtain unauthorized access to systems, steal sensitive data, and carry out other malicious activities on compromised systems. Thus, the likelihood that the malware was developed to collect intelligence on strategic and security matters from various countries cannot be ruled out. This underscores the need for network and system administrators as well as device users to put safeguards in place to prevent likely attacks.
Damage/Probability: CRITICAL/HIGH
Description:
The PlugX worm is very sophisticated and acts as a backdoor, allowing malicious actors to remotely access and take full control of infected machines. The attack begins with the wormable component of PlugX infecting connected USB flash drives: it adds a Windows shortcut file bearing the name of the infected flash drive, plus a DLL side-loading triad (legitimate executable, malicious DLL and binary blob) inside the drive's hidden RECYCLER.BIN folder. The legitimate content of the USB device is moved to a new directory whose name is the single non-breaking space character (character code 0xA0). When a user opens the USB device, only a shortcut with the name of the USB device is visible, prompting the user to click on it. Clicking the shortcut executes the PlugX infection chain. PlugX starts by closing the current window and reopening a new one in the 0xA0-named directory containing the legitimate files, so nothing looks amiss. It then copies itself to the host inside %userprofile%/AvastSvcpCP/ and establishes persistence by creating a new value under the HKCU[…]\CurrentVersion\Run registry key. Finally, it re-executes itself from the host before terminating. Once running from the host, the worm component of this PlugX variant checks every 30 seconds for a newly connected flash drive to infect. Its self-propagating capability, coupled with its persistence mechanism, keeps it active and allows it to control a broad network of compromised computers globally. Even though the original operators have lost control of the botnet, anyone able to intercept its traffic could still use the compromised hosts for malicious purposes.
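The on-disk layout described above gives defenders something concrete to look for on a removable drive before anyone clicks on it: a directory whose name is the single character U+00A0, a shortcut named after the drive, and an executable/DLL pair inside RECYCLER.BIN. The following is an added example, not code from the advisory or from the cited reports, that checks a mounted drive for those three artefacts. The sample drives are built in a temporary directory for demonstration; the assumption that the shortcut is stored as `<drive label>.lnk` is mine (the advisory only says it takes the name of the drive), as are the constructed file names and contents. Matching artefacts are a reason to isolate the drive and investigate, not proof of infection on their own.

```python
"""Check a removable drive for the PlugX USB worm layout described in the
advisory. Added example; the sample drives are constructed in a temp dir."""
import tempfile
from pathlib import Path

NBSP = "\u00a0"  # the non-breaking space, character code 0xA0 (from the advisory)


def scan_removable_drive(root, drive_label):
    """Return a list of human-readable findings for the drive mounted at `root`.
    `drive_label` is the volume label shown to the user (e.g. 'USBDRIVE')."""
    root = Path(root)
    findings = []

    # 1. Real content relocated into a directory named with a lone U+00A0.
    if (root / NBSP).is_dir():
        findings.append("directory named U+00A0 (non-breaking space) holding relocated files")

    # 2. A shortcut named after the drive, the lure the user is meant to click.
    #    Assumption: stored as '<label>.lnk' (Explorer hides the extension).
    lnk = root / f"{drive_label}.lnk"
    if lnk.is_file():
        findings.append(f"shortcut {lnk.name} named after the drive label")

    # 3. A hidden RECYCLER.BIN folder carrying an executable plus a DLL,
    #    the side-loading triad (the blob's extension is not fixed, so it is
    #    not required for a match).
    recycler = root / "RECYCLER.BIN"
    if recycler.is_dir():
        exts = {p.suffix.lower() for p in recycler.rglob("*") if p.is_file()}
        if ".exe" in exts and ".dll" in exts:
            findings.append("RECYCLER.BIN contains an executable plus DLL (side-loading triad)")

    return findings


def build_sample_drive(infected, label="USBDRIVE"):
    """Construct a throwaway drive layout (clean or mimicking the infected
    layout) and return (root_path, label). Constructed data, not real samples."""
    root = Path(tempfile.mkdtemp())
    (root / "report.docx").write_bytes(b"legitimate user document")
    if infected:
        moved = root / NBSP
        moved.mkdir()
        (root / "report.docx").rename(moved / "report.docx")
        (root / f"{label}.lnk").write_bytes(b"placeholder shortcut bytes")
        recycler = root / "RECYCLER.BIN"
        recycler.mkdir()
        for name in ("host.exe", "side.dll", "payload.dat"):  # constructed names
            (recycler / name).write_bytes(b"\x00")
    return root, label


if __name__ == "__main__":
    for infected in (False, True):
        root, label = build_sample_drive(infected)
        print(f"{'infected' if infected else 'clean'} sample at {root}:")
        for f in scan_removable_drive(root, label) or ["no PlugX artefacts found"]:
            print("  -", f)
```

In production the drive root and label would come from the mount point and volume information rather than from `build_sample_drive`; the scan itself only reads names and extensions, so it never executes anything from the drive.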
Consequences:
A successful attack could result in the following:
- Unauthorized access to systems.
- Invasion of privacy.
- Data losses and exfiltration.
- Remote storage of illegal files.
- Denial of Service (DoS) attacks.
Solution:
The following are hereby recommended:
- Security administrators should block the IoCs on all applicable security solutions post validation.
- System administrators should regularly take backups of applications, databases, and all critical data.
- Ensure systems are regularly patched or updated.
- Avoid downloading and executing files from untrusted websites.
- Adopt strong reputable antivirus and anti-malware solutions.
- Implement measures to secure USB ports and also educate users on the potential dangers associated with using untrusted USB devices.
References:
- https://www.securityweek.com/self-spreading-plugx-usb-drive-malware-plagues-over-90k-ip-addresses/
- https://varutra.com/ctp/threatpost/postDetails/Over-90,000-IP-Addresses-Affected-by-Self-Spreading-PlugX-USB-Drive-Malware/YTVBRWdLL1psTWRXMXQ1UEszcnY1UT09
- https://therecord.media/plugx-malware-infections-more-than-170-countries
- https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet/