Advisory ID: NCC-CSIRT-030424-006
Summary:
Several vulnerabilities have been identified in Google Chrome that could be exploited by attackers to compromise systems and data. These vulnerabilities pose a serious risk to customers and organizations worldwide, ranging from remote code execution to data and information disclosure.
Threat Type(s): Denial of Service (DoS), User Interface (UI) Spoofing, Remote Code Execution (RCE)
Impact/Vulnerability: HIGH/HIGH
Product(s): Google Chrome
Platform(s): Google Chrome for Windows, macOS and Linux, Google Chrome for Android and iOS
Version(s): All Versions.
Description:
The vulnerabilities affect various components of Google Chrome including:
- Type Confusion Vulnerabilities: Type confusion vulnerabilities can cause memory corruption and even provide an opportunity for code execution in some Chrome operations.
- Use-After-Free Vulnerabilities: These flaws in Chrome's memory management could be used to execute arbitrary code or cause a denial-of-service condition.
- Origin Policy Bypass: Attackers who get around controls in Chrome's origin-based security model could obtain sensitive data across origins.
- UI Spoofing Attacks: Users may be tricked into engaging with malicious content by manipulating Chrome's user interface, which could result in undesired behaviours or the disclosure of confidential information.
Consequences:
The identified vulnerabilities in Google Chrome pose risks to users and organizations, potentially leading to:
- Execution of arbitrary code
- Access to sensitive information
- Denial of Service (DoS)
- UI manipulation to deceive users
- Compromise of user privacy
Solution:
To mitigate the risks associated with these vulnerabilities, it is highly recommended that users take the following steps:
- Update Google Chrome: Ensure that Google Chrome is updated to the latest version available. Google frequently releases security patches and updates to address known vulnerabilities. Users can manually check for updates by navigating to Chrome's settings and selecting the "About Chrome" option.
- Proceed with Caution: Avoid clicking on suspicious links or downloading files from untrusted sources while browsing the web. Be cautious when interacting with content or websites you are not familiar with.
- Utilize Security Features: Turn on built-in security measures like Safe Browsing to guard against malware, phishing scams, and other dangerous websites.
- Report Security Issues: If you discover any suspicious activity or believe you have encountered a security vulnerability in Google Chrome, report it to Google immediately through their Vulnerability Reward Program or security reporting mechanisms.
Advisory ID: ngCERT-2024-0009
Summary:
Several critical zero-day and high-severity vulnerabilities have been reported in Mozilla products and in the Google Chrome browser. Attackers could leverage these vulnerabilities to run arbitrary code, circumvent security measures, or cause crashes on vulnerable systems. Mozilla and Google have issued security updates to address the discovered vulnerabilities, and users are advised to upgrade their products to the latest versions as recommended.
Damage/Probability: HIGH/HIGH
Description:
The critical zero-day vulnerabilities in Mozilla products are an out-of-bounds memory access vulnerability (CVE-2024-29943) and a privileged JavaScript execution vulnerability (CVE-2024-29944). The out-of-bounds memory access vulnerability exists in the JavaScript engine and can be exploited by attackers to corrupt memory and potentially execute arbitrary code, while the privileged JavaScript execution vulnerability exists in the handling of event handlers and allows attackers to inject malicious code into privileged objects; it can be exploited to gain complete control over the browser process.

In Google Chrome, the critical vulnerabilities identified are a Use-After-Free (UAF) vulnerability and a type confusion vulnerability. Attackers could exploit the Use-After-Free (UAF) vulnerability to perform malicious operations such as arbitrary memory reads and writes and code execution, and once an attacker obtains process information it becomes easier to bypass system security defence tools. These vulnerabilities could allow a remote attacker to exploit heap corruption via a crafted HTML page and execute arbitrary code. Other high-severity vulnerabilities in the Mozilla products include CVE-2024-2615, CVE-2024-2605, CVE-2024-2606, CVE-2024-2607, CVE-2024-2608, CVE-2024-2614, CVE-2024-0743, and CVE-2024-2616.
Consequences:
Exploitation of the aforementioned vulnerabilities could lead to:
- Unauthorised access.
- System compromise
- Data breach and exfiltration.
- Damage to reputation.
- Denial of Service (DoS)
Solution:
Users are advised to upgrade affected Mozilla products and Google Chrome to the latest versions released by Mozilla and Google to address these vulnerabilities.
Advisory ID: ngCERT-2024-0006
Summary:
Security researchers have revealed a new tactic deployed by cyber criminals to compromise Windows systems. The elaborate attack campaign, nicknamed DEEP#GOSU, is likely associated with the group tracked as Kimsuky. This campaign is an eight-stage attack chain that uses PowerShell and VBScript malware to infect Windows systems and harvest sensitive information, with implications for data and financial losses. Users of Windows systems are therefore advised to take the proactive steps provided herein to mitigate the threat.
Damage/Probability: CRITICAL/HIGH
Description:
The malware payloads deployed in DEEP#GOSU represent a sophisticated, multi-stage attack designed to operate stealthily on Windows systems, particularly from a network-monitoring perspective. The attack chain involves keylogging, clipboard monitoring, dynamic payload execution and data exfiltration, with persistence achieved through RAT software for complete remote access, scheduled tasks, and self-executing PowerShell scripts run as jobs. Notably, the infection procedure leverages legitimate services such as Dropbox or Google Docs for command-and-control (C2), allowing the threat actor to blend undetected into regular network traffic. Additionally, staging the payloads on such cloud services gives the threat actor an avenue to update the malware's functionality and deliver additional modules.
The attack starts with phishing emails carrying a ZIP archive that contains a rogue shortcut file (.LNK) masquerading as a PDF ("IMG_20240214_0001.pdf.lnk"). The .LNK file embeds a PowerShell script together with a decoy PDF document; the script also reaches out to actor-controlled Dropbox infrastructure to retrieve and execute a second PowerShell script ("ps.bin"). That second-stage script in turn fetches a further file from Dropbox ("r_enc.bin"), a .NET assembly in binary form that is actually the open-source remote access trojan known as TruRat (aka TutRat or C# RAT), with capabilities to record keystrokes, manage files and provide remote control. Later stages install a script that executes at random intervals on the order of hours to monitor and control the system and provide persistence. The final stage monitors user activity by logging keystrokes on the compromised system.
Consequences:
A successful attack could result in the following:
- Data exfiltration.
- Financial losses.
- Denial of Service (DoS).
- Fraudulent activity using compromised accounts.
- Breach of other linked accounts.
- Ransomware attacks.
Solution:
It is therefore recommended that Windows users should:
- Avoid opening suspicious emails.
- Avoid clicking on untrusted links.
- Patch and update software as soon as options are available.
- Avoid downloading files or attachments from external sources, especially if the source was unsolicited.
- Monitor common malware staging directories, especially script-related activity in world-writable directories. In this campaign the threat actors staged their payloads in subdirectories of %APPDATA%.
- Deploy robust endpoint logging capabilities.
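As an added example (not part of the advisory), the following Python triages a file listing for the two staging signs described above: shortcut files that carry a document double extension such as .pdf.lnk, and script files stored below %APPDATA%. The directory names and most filenames in the sample listing are constructed; only IMG_20240214_0001.pdf.lnk comes from the advisory.

```python
import ntpath
from typing import Dict, List

# Document extensions a masquerading shortcut borrows (the advisory's sample was .pdf.lnk)
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Script types worth watching below %APPDATA% (...\AppData\Roaming)
SCRIPT_EXTS = {".ps1", ".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".hta"}
APPDATA_MARKER = "\\appdata\\roaming\\"


def _exts(filename: str) -> List[str]:
    """All extensions of a filename, e.g. 'a.pdf.lnk' -> ['.pdf', '.lnk']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def is_masquerading_lnk(path: str) -> bool:
    """True for a .lnk whose name shows a document extension right before .lnk."""
    exts = _exts(ntpath.basename(path))
    return len(exts) >= 2 and exts[-1] == ".lnk" and exts[-2] in DOCUMENT_EXTS


def is_script_in_appdata(path: str) -> bool:
    """True for a script-type file located anywhere under %APPDATA%."""
    norm = path.replace("/", "\\").lower()
    if APPDATA_MARKER not in norm:
        return False
    exts = _exts(ntpath.basename(path))
    return bool(exts) and exts[-1] in SCRIPT_EXTS


def triage(paths: List[str]) -> Dict[str, List[str]]:
    """Group suspicious paths by the indicator they match."""
    findings: Dict[str, List[str]] = {"masquerading_lnk": [], "script_in_appdata": []}
    for p in paths:
        if is_masquerading_lnk(p):
            findings["masquerading_lnk"].append(p)
        if is_script_in_appdata(p):
            findings["script_in_appdata"].append(p)
    return findings


# Constructed sample listing (hypothetical user and folder names)
SAMPLE_PATHS = [
    r"C:\Users\alice\Downloads\IMG_20240214_0001.pdf.lnk",
    r"C:\Users\alice\Downloads\IMG_20240214_0001.pdf",
    r"C:\Users\alice\Desktop\Notes.lnk",
    r"C:\Users\alice\AppData\Roaming\Example\stage2.ps1",
    r"C:\Users\alice\AppData\Roaming\Example\helper.vbs",
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"C:\Program Files\Tool\run.ps1",
]
```

In practice the listing would come from a recursive directory walk of the user profile or from endpoint file-creation telemetry; matches are triage leads, not verdicts.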
References:
- https://thehackernews.com/2024/03/new-deepgosu-malware-campaign-targets.html/
- https://www.darkreading.com/vulnerabilities-threats/north-korea-linked-group-level-multistage-cyberattack-on-south-korea/
- https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/
Advisory ID: ngCERT-2024-0005
Summary:
AdLoad is a persistent and intrusive malware that mainly targets macOS, but it is also known to infect systems running the Windows operating system.
Damage/Probability: MODERATE/HIGH
Description:
AdLoad is a Trojan malware that creates a backdoor into an affected system so that other malware or Potentially Unwanted Programs (PUPs) can be introduced into the system. It can also collect system information and transmit it to its command-and-control (C2) server.
Consequences:
A compromised system could allow threat actors to perform the following functions:
- Turn affected machines into bots for malicious campaigns.
- Redirect users to malicious websites.
- Insert rogue advertisements into web pages to generate advertisement revenue.
- Affect the performance of infected systems.
- Install key-loggers to steal personal credentials.
Detection:
The most effective way to detect rogue applications such as AdLoad is with anti-malware software. However, the following are other indicators of the malware on an infected system:
- Reduced system performance.
- Unsolicited popup advertisement in browsers or search engine results.
- AdLoad is also commonly known to store its LaunchDaemon plist in the local-domain Library and its LaunchAgent plist in the user's Library on macOS. For example, if the malware uses the name "DataSearch", it stores "com.DataSearch.plist" in "~/Library/LaunchAgents/" and points it at the executable "~/Library/Application Support/com.DataSearch/DataSearch".
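As an added example (not from the advisory or any vendor), the following Python checks launchd plists in LaunchAgents and LaunchDaemons folders for the naming pattern described above: a label of the form com.<Name> whose program lives at .../Library/Application Support/com.<Name>/<Name>. The sample plists and the home path are constructed; "DataSearch" is the name used in the advisory.

```python
import plistlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Advisory pattern: Label "com.<Name>" paired with .../Library/Application Support/com.<Name>/<Name>
LABEL_RE = re.compile(r"^com\.([A-Za-z0-9_-]+)$")


def check_launch_item(plist_bytes: bytes) -> Optional[Dict[str, str]]:
    """Return label and program if a launchd plist matches the AdLoad naming pattern."""
    item = plistlib.loads(plist_bytes)
    match = LABEL_RE.match(str(item.get("Label", "")))
    if not match:
        return None
    name = match.group(1)
    args = item.get("ProgramArguments") or []
    program = str(item.get("Program") or (args[0] if args else ""))
    if program.endswith(f"Library/Application Support/com.{name}/{name}"):
        return {"label": match.group(0), "program": program}
    return None


def scan_launch_dirs(dirs: List[str]) -> List[Dict[str, str]]:
    """Check every *.plist in the given LaunchAgents/LaunchDaemons folders."""
    hits: List[Dict[str, str]] = []
    for d in dirs:
        for plist_path in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                hit = check_launch_item(plist_path.read_bytes())
            except (plistlib.InvalidFileException, OSError, AttributeError):
                continue  # unreadable or non-dictionary plist; skip it
            if hit:
                hit["path"] = str(plist_path)
                hits.append(hit)
    return hits


# Constructed samples: an AdLoad-style item and a benign-looking one
ADLOAD_STYLE = plistlib.dumps({
    "Label": "com.DataSearch",
    "ProgramArguments": ["/Users/alice/Library/Application Support/com.DataSearch/DataSearch"],
    "RunAtLoad": True,
})
BENIGN = plistlib.dumps({"Label": "com.example.updater", "ProgramArguments": ["/usr/local/bin/updater"]})


def demo() -> List[Dict[str, str]]:
    """Write both samples into a temporary LaunchAgents-like folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "com.DataSearch.plist").write_bytes(ADLOAD_STYLE)
        Path(tmp, "com.example.updater.plist").write_bytes(BENIGN)
        return scan_launch_dirs([tmp])
```

On a real Mac, call scan_launch_dirs(["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]) and review each hit by hand, since legitimate software can use similar layouts.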
Solution:
Guidance for End Users:
- Perform regular system scans using reputable antivirus programs.
- Ensure operating systems and applications are kept up to date.
- Ensure antivirus applications are updated.
- Avoid using binaries from free file-hosting sites, file-sharing networks, and third-party installers.
- Avoid installing additional apps or offers that are displayed during installation.
- Change passwords regularly for devices and shopping sites.
Guidance for Enterprise Administrators:
- Restrict access to privileged resources such as the LaunchDaemons and LaunchAgents folders or the sudoers file through macOS enterprise management solutions. This helps mitigate common persistence and privilege escalation techniques.
- Encourage users to use web browsers that support SmartScreen, which identifies and blocks malicious websites.
- Turn on network protection to block connections to malicious domains and IP addresses.
- Install apps from trusted sources.
- Check your perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command-and-control (C2).
- Prevent the use of unauthorized apps with application control.
- Run the latest version of operating systems and applications.
- Deploy latest security updates and patches when available.
- Educate end users on preventing malware infections. Encourage end users to practice good credential hygiene and limit the use of accounts with local or domain admin privileges.
Advisory ID: NCC-CSIRT-200224-005
Summary:
Group-IB researchers have uncovered a novel Android and iOS malware called 'GoldPickaxe,' which utilizes social engineering tactics to deceive users into scanning their faces and ID documents. These materials are suspected to be utilized for generating deepfakes to gain unauthorized access to banking services. The methods employed by this malware have the potential to be effective on a global scale, posing a risk of adoption by other strains of malware.
Threat Type(s): Malware, Social Engineering, Phishing, and Smishing
Impact/Vulnerability: HIGH/HIGH
Product(s): Android and iOS Mobile Devices
Platform(s): Android, iOS Operating Systems
Version(s): All Versions.
Description:
As per the researchers' findings, individuals targeted by the GoldPickaxe malware receive phishing or smishing messages via the LINE app, often in their native language, posing as government entities or services. These messages aim to deceive recipients into installing deceptive applications, such as a counterfeit 'Digital Pension' app, hosted on websites masquerading as Google Play.
Once installed on a mobile device under the guise of a fraudulent government application, the malware operates semi-autonomously. It secretly performs background functions, including capturing the user's facial data, intercepting incoming SMS messages, soliciting ID documents, and rerouting network traffic through the compromised device using 'MicroSocks.'
For iOS users, the threat actors initially directed victims to a TestFlight URL to install the malicious app, avoiding standard security reviews. After Apple removed the TestFlight app, the attackers switched to convincing users to install a malicious Mobile Device Management (MDM) profile, granting them control over the devices. By contrast, the Android variant of the malware engages in more malicious activities than its iOS counterpart because of Apple's stricter security measures. Additionally, on Android devices the malware uses over 20 different deceptive apps for camouflage.
Consequences:
GoldPickaxe malware can run commands on victims' devices to access SMS, navigate the filesystem, perform clicks on the screen, upload the 100 most recent photos from the victim's album, download and install additional packages, and serve fake notifications.
Solution:
- Exercise utmost caution when installing applications, particularly those acquired from unofficial sources outside official app stores such as Google Play and the Apple App Store.
- Conduct thorough research on any application before installation. Validate the developer's credentials, review user feedback, and scrutinize requested permissions to verify their alignment with the app's stated functions.
- Maintain a healthy skepticism toward unsolicited communications claiming to originate from government agencies or service providers.
- Be wary of messages that use urgent threats or enticing offers to pressure recipients.
- Be vigilant for spelling errors, grammatical anomalies, or irregular formatting in hyperlinks before clicking on them.
- Use reputable mobile antivirus and anti-malware solutions, ensuring they are consistently updated.
- Regularly update your device's operating system and security software to mitigate vulnerabilities.
- Implement multi-factor authentication (MFA) for your banking applications to enhance security beyond standard password protection.
- Routinely monitor your bank account statements for any signs of unauthorized or suspicious activity.
References:
- https://www.bleepingcomputer.com/news/security/new-gold-pickaxe-android-ios-malware-steals-your-face-for-fraud/
- https://hothardware.com/news/alarming-android-ios-gold-pickaxe-malware-steal-your-face
- https://marketrealist.com/what-is-the-gold-pickaxe-malware/
- https://www.redpacketsecurity.com/new-gold-pickaxe-android-ios-malware-steals-your-face-for-fraud/#google_vignette
- https://nsaneforums.com/news/security-privacy-news/new-%E2%80%98gold-pickaxe%E2%80%99-android-ios-malware-steals-your-face-for-fraud-r21746/
- https://www.laptopmag.com/software/antivirus-cyber-security/nasty-iphone-android-malware-breaks-into-your-banking-apps-using-your-face-heres-how-it-works