Advisory ID: ngCERT-2024-0009
Summary:
Several critical zero-day and high severity vulnerabilities have been reported in Mozilla products and in the Google Chrome browser. Attackers could leverage these vulnerabilities to run arbitrary code, circumvent security measures, or crash vulnerable systems. Mozilla and Google have issued security updates that address the vulnerabilities, and users are advised to upgrade their products to the latest versions as recommended.
Damage/Probability: HIGH/HIGH
Description:
The Mozilla zero-day vulnerabilities are an out-of-bounds memory access vulnerability (CVE-2024-29943) and a privileged JavaScript execution vulnerability (CVE-2024-29944). The out-of-bounds access exists in the JavaScript engine and can be exploited to corrupt memory and potentially execute arbitrary code. The privileged JavaScript execution flaw lies in the management of event handlers and allows an attacker to inject an event handler into a privileged object; successful exploitation gives complete control over the browser process. In Google Chrome, the critical vulnerabilities are use-after-free (UAF) and type confusion bugs. A use-after-free lets an attacker perform arbitrary memory reads and writes and, from there, execute code; once an attacker controls the browser process, bypassing host security tools becomes easier. Both classes of bug can be triggered remotely by a crafted HTML page to corrupt the heap and execute arbitrary code. Other high severity vulnerabilities in the Mozilla products include CVE-2024-2615, CVE-2024-2605, CVE-2024-2606, CVE-2024-2607, CVE-2024-2608, CVE-2024-2614, CVE-2024-0743, and CVE-2024-2616.
Consequences:
Exploitation of the aforementioned vulnerabilities could lead to:
- Unauthorised access.
- System compromise.
- Data breach and exfiltration.
- Damage to reputation.
- Denial of service (DoS).
Solution:
It is therefore recommended that users and administrators:
- Update Mozilla Firefox and other affected Mozilla products to the latest versions released by Mozilla.
- Update Google Chrome to the latest version released by Google and relaunch the browser so the update takes effect.
- Avoid opening untrusted links and web pages until the updates have been applied, since these flaws are triggered by crafted HTML content.
References:
Advisory ID: ngCERT-2024-0006
Summary:
Security researchers have revealed a new tactic deployed by cyber criminals to compromise Windows systems. The elaborate attack campaign, nicknamed DEEP#GOSU, is likely associated with the group tracked as Kimsuky. The campaign is an eight-stage attack chain that uses PowerShell and VBScript malware to infect Windows systems and harvest sensitive information, with implications for data and financial losses. Users of Windows systems are therefore advised to take the proactive steps provided herein to mitigate the threat.
Damage/Probability: CRITICAL/HIGH
Description:
The malware payloads deployed in the DEEP#GOSU campaign form a sophisticated, multi-stage attack designed to operate stealthily on Windows systems, particularly from a network monitoring perspective. The attack chain involves keylogging, clipboard monitoring, dynamic payload execution and data exfiltration, and it maintains persistence through RAT software for full remote access, scheduled tasks, and self-executing PowerShell scripts run as jobs. Notably, the infection procedure leverages legitimate services such as Dropbox and Google Docs for command-and-control (C2), allowing the threat actor to blend into regular network traffic undetected. Staging the payloads on such cloud services also lets the threat actor update the malware's functionality and deliver additional modules.
The attack starts with phishing emails carrying a ZIP archive that contains a rogue shortcut file (.LNK) masquerading as a PDF ("IMG_20240214_0001.pdf.lnk"). The .LNK file embeds a PowerShell script and a decoy PDF document; the script opens the decoy and reaches out to actor-controlled Dropbox infrastructure to retrieve and execute another PowerShell script ("ps.bin"). The second-stage PowerShell script in turn fetches a further file from Dropbox ("r_enc.bin"), a .NET assembly in binary form that is the open-source remote access trojan known as TruRat (aka TutRat or C# RAT), with capabilities to record keystrokes, manage files, and provide remote control. The later stages install a script that executes at random intervals of a few hours to monitor and control the system and maintain persistence. The final stage monitors user activity by logging keystrokes on the compromised system.
Consequences:
A successful attack could result in the following:
- Data exfiltration.
- Financial losses.
- Denial of Service (DoS).
- Fraudulent activity using compromised accounts.
- Additional breaches of other linked accounts.
- Ransomware attacks.
Solution:
It is therefore recommended that Windows users should:
- Avoid opening suspicious emails.
- Avoid clicking on untrusted links.
- Patch and update software as soon as updates are available.
- Avoid downloading files or attachments from external sources, especially if the source was unsolicited.
- Monitor common malware staging directories, especially script-related activity in world-writable directories. In the case of this campaign the threat actors staged in subdirectories in %APPDATA%.
- Deploy robust endpoint logging capabilities.
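As an added example (not part of the original advisory or of the Securonix research it summarises), the following Python script shows how the lure, staging and persistence indicators described above can be hunted for on an endpoint: shortcut files with a decoy document extension ("x.pdf.lnk"), script or binary payloads staged under %APPDATA%, and scheduled tasks that launch PowerShell or VBScript with evasion flags, a cloud C2 host, or a script under %APPDATA%. The "alice" profile, the directory names and the task names are assumptions; only the lure name "IMG_20240214_0001.pdf.lnk" and the payload names "ps.bin" and "r_enc.bin" come from the advisory. The file listing and the task actions are constructed inline so the script runs offline; in practice they would be filled from a walk of the user profile and from the output of schtasks or Get-ScheduledTask.

```python
import ntpath

# Decoy document extensions that appear before ".lnk" in double-extension lures
# such as "IMG_20240214_0001.pdf.lnk".
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

# Script and payload extensions worth flagging when they appear under %APPDATA%.
STAGED_EXTENSIONS = {".ps1", ".vbs", ".bin", ".bat", ".cmd", ".js", ".hta"}

# Interpreters the campaign abuses, plus flags/hosts that mark a task action as suspicious.
SCRIPT_LAUNCHERS = ("powershell", "pwsh", "wscript", "cscript", "mshta")
EVASION_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                 "-nop", "-noprofile", "-ep bypass", "-executionpolicy bypass")
CLOUD_C2_HOSTS = ("dropbox.com", "dropboxusercontent.com", "docs.google.com")

# Constructed sample file listing for a user profile (directory names are assumed;
# only the lure and payload file names come from the advisory).
SAMPLE_PATHS = [
    r"C:\Users\alice\Downloads\IMG_20240214_0001.pdf.lnk",
    r"C:\Users\alice\Downloads\report.pdf",
    r"C:\Users\alice\Desktop\Google Chrome.lnk",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk",
    r"C:\Users\alice\AppData\Roaming\adobe\update\ps.bin",
    r"C:\Users\alice\AppData\Roaming\adobe\update\r_enc.bin",
    r"C:\Users\alice\AppData\Roaming\Code\User\settings.json",
    r"C:\Users\alice\AppData\Roaming\helper\run.vbs",
]

# Constructed sample of scheduled-task actions as (task name, command line).
SAMPLE_TASK_ACTIONS = [
    (r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe -c -h -o -$"),
    (r"\OneDrive Update", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"),
    (r"\AdobeSync", r"powershell.exe -w hidden -nop -ep bypass -File C:\Users\alice\AppData\Roaming\adobe\update\sync.ps1"),
    (r"\Helper", r"wscript.exe //B C:\Users\alice\AppData\Roaming\helper\run.vbs"),
]


def is_double_extension_lnk(path):
    """True for shortcut files whose name mimics a document, e.g. "x.pdf.lnk"."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    if ext.lower() != ".lnk":
        return False
    inner_ext = ntpath.splitext(stem)[1].lower()
    return inner_ext in DECOY_EXTENSIONS


def staged_script_candidates(paths, appdata_root):
    """Return files under appdata_root whose extension suggests a staged script or payload."""
    root = ntpath.normcase(appdata_root).rstrip("\\") + "\\"
    hits = []
    for path in paths:
        norm = ntpath.normcase(path)  # lower-cases and normalises separators on any host OS
        if norm.startswith(root) and ntpath.splitext(norm)[1] in STAGED_EXTENSIONS:
            hits.append(path)
    return hits


def suspicious_task_actions(actions):
    """Return names of scheduled tasks that start a script interpreter with evasion
    flags, a cloud C2 host in the command line, or a script located under %APPDATA%."""
    flagged = []
    for name, cmd in actions:
        low = cmd.lower()
        if not any(launcher in low for launcher in SCRIPT_LAUNCHERS):
            continue
        evasion = any(flag in low for flag in EVASION_FLAGS)
        cloud = any(host in low for host in CLOUD_C2_HOSTS)
        appdata_script = "\\appdata\\" in low and any(ext in low for ext in (".ps1", ".vbs", ".js", ".hta"))
        if evasion or cloud or appdata_script:
            flagged.append(name)
    return flagged


def hunt(paths, actions, appdata_root):
    """Run all three checks and return the findings in one dictionary."""
    return {
        "lure_shortcuts": [p for p in paths if is_double_extension_lnk(p)],
        "staged_files": staged_script_candidates(paths, appdata_root),
        "suspicious_tasks": suspicious_task_actions(actions),
    }


if __name__ == "__main__":
    findings = hunt(SAMPLE_PATHS, SAMPLE_TASK_ACTIONS, r"C:\Users\alice\AppData\Roaming")
    for category, items in findings.items():
        print(category)
        for item in items:
            print("  ", item)
```

The checks are deliberately string-based so they can be run against exported listings from many hosts at once; a real hunt would also inspect the .LNK target and arguments (which carry the embedded PowerShell) and confirm the hashes of any .bin files found under %APPDATA%.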
References:
- https://thehackernews.com/2024/03/new-deepgosu-malware-campaign-targets.html/
- https://www.darkreading.com/vulnerabilities-threats/north-korea-linked-group-level-multistage-cyberattack-on-south-korea/
- https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/
Advisory ID: ngCERT-2024-0005
Summary:
AdLoad is a persistent and intrusive malware that mainly targets the Mac Operating System (macOS), but is also known to infect systems running the Windows Operating System.
Damage/Probability: MODERATE/HIGH
Description:
AdLoad is a Trojan malware that creates a backdoor into an affected system so that other malware or Potentially Unwanted Programs (PUPs) can be introduced into the system. It can also collect system information and transmit it to its command-and-control (C2) server.
Consequences: A compromised system could allow threat actors to perform the following functions:
- Turn affected machines into bots for malicious campaigns.
- Redirect users to malicious websites.
- Insert rogue advertisements into web pages to generate advertisement revenue.
- Affect the performance of infected systems.
- Install key-loggers to steal personal credentials.
Detection:
The most effective method of detecting rogue applications such as AdLoad is to use anti-malware applications. However, the following are other indicators that a system may be infected:
- Reduced system performance.
- Unsolicited popup advertisement in browsers or search engine results.
- On macOS it is commonly known to store its LaunchDaemon file in the local domain Library (/Library/LaunchDaemons) and its LaunchAgent file in the user's Library (~/Library/LaunchAgents). For example, if the malware uses the name "DataSearch", it stores "com.DataSearch.plist" in "~/Library/LaunchAgents/" and points it at the executable "~/Library/Application Support/com.DataSearch/DataSearch".
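To make the LaunchAgent check above concrete, here is an added Python example (not code from the advisory or from any vendor) that parses launchd property lists and flags the naming pattern described: a com.<Name> label whose program lives in ~/Library/Application Support/com.<Name>/<Name>, together with two generic persistence indicators (label not matching the file name, and a per-user binary with RunAtLoad and KeepAlive). The two plists are constructed samples and the home directory /Users/alice is an assumption.

```python
import plistlib
import posixpath
import re

HOME = "/Users/alice"  # assumed home directory for the constructed samples

# Constructed plist modelled on the naming pattern described in the advisory (not a real sample).
ADLOAD_STYLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.DataSearch</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/alice/Library/Application Support/com.DataSearch/DataSearch</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
  <key>KeepAlive</key>
  <true/>
</dict>
</plist>"""

# Constructed benign agent for comparison: label matches its file name and the
# program lives in /Applications rather than in a per-user support directory.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.example.backup</string>
  <key>Program</key>
  <string>/Applications/Backup.app/Contents/MacOS/backup</string>
  <key>StartInterval</key>
  <integer>3600</integer>
</dict>
</plist>"""


def analyse_launch_item(filename, plist_bytes, home=HOME):
    """Return a list of indicator strings for one LaunchAgent/LaunchDaemon plist."""
    data = plistlib.loads(plist_bytes)
    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or []
    program = str(data.get("Program") or (args[0] if args else ""))
    indicators = []

    # launchd convention: the file is named <Label>.plist; a mismatch is a common sign of tampering.
    if posixpath.splitext(posixpath.basename(filename))[0] != label:
        indicators.append("label does not match plist file name")

    # AdLoad layout: Label com.<Name> -> ~/Library/Application Support/com.<Name>/<Name>
    match = re.fullmatch(r"com\.([A-Za-z0-9]+)", label)
    if match:
        name = match.group(1)
        expected_dir = posixpath.join(home, "Library", "Application Support", f"com.{name}")
        if posixpath.dirname(program) == expected_dir and posixpath.basename(program) == name:
            indicators.append("AdLoad-style layout: com.<Name> label with binary in "
                              "~/Library/Application Support/com.<Name>/<Name>")

    # Any per-user binary started at login and kept alive deserves a look.
    user_library = posixpath.join(home, "Library") + "/"
    if program.startswith(user_library) and data.get("RunAtLoad") and data.get("KeepAlive"):
        indicators.append("binary under ~/Library with RunAtLoad and KeepAlive")

    return indicators


def scan(items, home=HOME):
    """items: iterable of (filename, plist_bytes). Return {filename: indicators} for flagged items only."""
    report = {}
    for filename, blob in items:
        found = analyse_launch_item(filename, blob, home)
        if found:
            report[filename] = found
    return report


if __name__ == "__main__":
    samples = [("com.DataSearch.plist", ADLOAD_STYLE_PLIST),
               ("com.example.backup.plist", BENIGN_PLIST)]
    for name, indicators in scan(samples).items():
        print(name)
        for line in indicators:
            print("  -", line)
```

On a real host, feed scan() with (p.name, p.read_bytes()) for every *.plist under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons, using the actual home directory; plistlib.loads handles binary plists as well as the XML form shown here.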
Solution:
Guidance for End Users:
- Perform regular system scans using reputable antivirus programs.
- Ensure operating systems and applications are kept up to date.
- Ensure antivirus applications are updated.
- Avoid using binaries from free file-hosting sites, file-sharing networks, and third-party installers.
- Avoid installing additional apps or offers that are displayed during installation.
- Change passwords regularly for devices and shopping sites.
Guidance for Enterprise Administrators:
- Restrict access to privileged resources such as the LaunchDaemons and LaunchAgents folders or the sudoers file through macOS enterprise management (MDM) solutions. This helps mitigate common persistence and privilege escalation techniques.
- Encourage users to use web browsers that support SmartScreen, which identifies and blocks malicious websites.
- Turn on network protection to block connections to malicious domains and IP addresses.
- Install apps from trusted sources.
- Check your perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command-and-control (C2).
- Prevent the use of unauthorized apps with application control.
- Run the latest version of operating systems and applications.
- Deploy latest security updates and patches when available.
- Educate end users on preventing malware infections. Encourage end users to practice good credential hygiene and limit the use of accounts with local or domain admin privileges.
References:
Advisory ID: NCC-CSIRT-200224-005
Summary:
Group-IB researchers have uncovered a novel Android and iOS malware called 'GoldPickaxe,' which utilizes social engineering tactics to deceive users into scanning their faces and ID documents. These materials are suspected to be utilized for generating deepfakes to gain unauthorized access to banking services. The methods employed by this malware have the potential to be effective on a global scale, posing a risk of adoption by other strains of malware.
Threat Type(s): Malware, Social Engineering, Phishing, and Smishing
Impact/Vulnerability: HIGH/HIGH
Product(s): Android and iOS Mobile Devices
Platform(s): Android, iOS Operating Systems
Version(s): All Versions.
Description:
As per the researchers' findings, individuals targeted by the GoldPickaxe malware receive phishing or smishing messages via the LINE app, often in their native language, posing as government entities or services. These messages aim to deceive recipients into installing deceptive applications, such as a counterfeit 'Digital Pension' app, hosted on websites masquerading as Google Play.
Once installed on a mobile device under the guise of a fraudulent government application, the malware operates semi-autonomously. It secretly performs background functions, including capturing the user's facial data, intercepting incoming SMS messages, soliciting ID documents, and rerouting network traffic through the compromised device using 'MicroSocks.'
For iOS users, the threat actors initially directed victims to a TestFlight URL to install the malicious app, bypassing the App Store review process. After Apple removed the malicious app from TestFlight, the attackers switched to convincing users to install a malicious Mobile Device Management (MDM) profile, which grants them control over the device. The Android variant performs more malicious actions than its iOS counterpart, which is constrained by Apple's stricter platform restrictions. On Android the malware also hides behind more than 20 different deceptive apps.
Consequences:
GoldPickaxe malware can run commands on victims' devices to access SMS, navigate the filesystem, perform clicks on the screen, upload the 100 most recent photos from the victim's album, download and install additional packages, and serve fake notifications.
Solution:
- Exercise utmost caution when installing applications, particularly those acquired from unofficial sources outside official app stores such as Google Play and the Apple App Store.
- Conduct thorough research on any application before installation. Validate the developer's credentials, review user feedback, and scrutinize requested permissions to verify their alignment with the app's stated functions.
- Maintain a healthy skepticism toward unsolicited communications claiming to originate from government agencies or service providers.
- Be wary of messages that use urgent threats or attractive offers to pressure recipients.
- Be vigilant for spelling errors, grammatical anomalies, or irregular formatting in hyperlinks before clicking on them.
- Use reputable mobile antivirus and anti-malware solutions, ensuring they are consistently updated.
- Regularly update your device's operating system and security software to mitigate vulnerabilities.
- Implement multi-factor authentication (MFA) for your banking applications to enhance security beyond standard password protection.
- Routinely monitor your bank account statements for any signs of unauthorized or suspicious activity.
References:
- https://www.bleepingcomputer.com/news/security/new-gold-pickaxe-android-ios-malware-steals-your-face-for-fraud/
- https://hothardware.com/news/alarming-android-ios-gold-pickaxe-malware-steal-your-face
- https://marketrealist.com/what-is-the-gold-pickaxe-malware/
- https://www.redpacketsecurity.com/new-gold-pickaxe-android-ios-malware-steals-your-face-for-fraud/#google_vignette
- https://nsaneforums.com/news/security-privacy-news/new-%E2%80%98gold-pickaxe%E2%80%99-android-ios-malware-steals-your-face-for-fraud-r21746/
- https://www.laptopmag.com/software/antivirus-cyber-security/nasty-iphone-android-malware-breaks-into-your-banking-apps-using-your-face-heres-how-it-works
Advisory ID: ngCERT-2024-0004
Summary:
Security researchers discovered three high-severity vulnerabilities in the Google Chrome browser (CVE-2024-1060, CVE-2024-1059, and CVE-2024-1077). The vulnerabilities could allow threat actors to exploit Chrome remotely, potentially executing arbitrary code, stealing sensitive user data, or causing crashes. Google has released security updates that address these and other vulnerabilities in Chrome; users must install them and take the precautions below to mitigate the risk.
Damage/Probability: CRITICAL/HIGH
Description:
The three high severity vulnerabilities are use-after-free (UAF) bugs, a class of memory-safety flaw that arises when a program keeps using a pointer after the memory it refers to has been freed. If the freed memory is reallocated for attacker-controlled data, a crafted web page can turn that dangling pointer into memory corruption and, ultimately, code execution. The UAF flaws CVE-2024-1060, CVE-2024-1059 and CVE-2024-1077 were found in the Canvas, WebRTC and Network components of Google Chrome respectively. They allow an attacker to exploit heap corruption via a crafted HTML page, to exploit stack corruption via a crafted HTML page, and to remotely exploit heap corruption via a malicious file, respectively. The affected versions are Chrome prior to 121.0.6167.139/140 for Windows and Chrome prior to 121.0.6167.139 for Mac and Linux.
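As an added example (not code from the advisory or from Google), the following Python snippet checks installed Chrome versions against the fixed builds quoted above and reports the hosts that still run an unpatched build. It parses the version numerically because a plain string comparison gets "121.0.6167.85" and "121.0.6167.139" the wrong way round. The host inventory is constructed for illustration; the version strings mimic the output of "chrome --version".

```python
import re

# Minimum fixed builds from the advisory. Windows shipped two fixed builds
# (121.0.6167.139 and .140), so anything below .139 is unpatched on every platform.
FIXED_VERSIONS = {
    "windows": "121.0.6167.139",
    "mac": "121.0.6167.139",
    "linux": "121.0.6167.139",
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version as a tuple of ints from strings such as
    "Google Chrome 121.0.6167.140" or a bare "121.0.6167.85"."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_text, platform):
    """True if the installed build is older than the first fixed build for that platform."""
    return parse_version(version_text) < parse_version(FIXED_VERSIONS[platform.lower()])


# Constructed inventory: (hostname, platform, version string as reported by the browser).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 121.0.6167.140"),
    ("ws-02", "windows", "Google Chrome 121.0.6167.85"),
    ("mac-07", "mac", "Google Chrome 120.0.6099.234"),
    ("lnx-03", "linux", "Google Chrome 121.0.6167.139"),
    ("lnx-04", "linux", "Chromium 121.0.6167.57"),
]


def fleet_report(inventory):
    """Return the hostnames that still run an unpatched build, in inventory order."""
    return [host for host, platform, text in inventory if is_vulnerable(text, platform)]


if __name__ == "__main__":
    for host in fleet_report(SAMPLE_INVENTORY):
        print(f"{host}: update Chrome")
```

The same tuple comparison works for later Chrome advisories by changing FIXED_VERSIONS; note that an up-to-date binary on disk is not enough, since Chrome only switches to the new build after the browser is relaunched.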
Consequences: Successful exploitation of these vulnerabilities could allow for the following:
- Arbitrary code execution in the context of the logged-on user.
- Depending on the privileges associated with the user, an attacker could install malicious programs.
- Attacker could view, change, or delete data.
- Attacker could also create new accounts with full user rights.
Solution:
The aforementioned vulnerabilities have been patched by the security update released by Google. All users are therefore encouraged to:
- Install the most recent updates for their systems, software, and devices.
- Remove saved login information and passwords, and clear the browser's history.
- Remove cookies from the browser, since stolen session cookies can give attackers access to web services such as email without the user's credentials.
- Refrain from clicking on dubious links that could compromise the computer.
References: