Advisory ID: ngCERT-2024-0025
Summary:
ngCERT has detected an increase in ransomware attacks by the Phobos ransomware group, specifically targeting critical cloud service providers within our national cyberspace. We are actively collaborating with vulnerable and affected organizations to swiftly resolve these incidents and prevent further escalation. The most at-risk entities include providers of information technology and telecommunication services, such as managed cloud services, whose clients include critical government agencies, financial institutions, telecommunications, education, healthcare, service providers, and NGOs in Nigeria. It is essential for organizations to proactively implement the mitigation strategies outlined in this document to help prevent the spread of the malware.
Threat Type: Ransomware (Email: )
Extension: (.xshell)
File Format: filename.id[xxxxxx-xxxx].email.xshell
Damage/Probability: CRITICAL/HIGH
Description:
Phobos attackers commonly gain entry into vulnerable networks through phishing campaigns that deliver hidden payloads, or by employing IP scanning tools like Angry IP Scanner to identify exposed Remote Desktop Protocol (RDP) ports in Microsoft Windows environments. Upon discovering an exposed RDP service, they use open-source brute force tools to gain access. Alternatively, they deploy spoofed email attachments containing hidden payloads like SmokeLoader to initiate infection. To execute and escalate privileges, Phobos actors run executables such as 1saas.exe or cmd.exe to install additional Phobos payloads with elevated privileges. They leverage Windows command shell capabilities for system control and use SmokeLoader in a three-phase process for payload decryption and deployment, evading network defenses along the way. Furthermore, to evade detection, Phobos ransomware modifies firewall configurations, uses evasion tools like Universal Virus Sniffer and Process Hacker, and employs techniques such as token theft and privilege escalation through Windows API functions.
Phobos actors use tools like Bloodhound and Sharphound for active directory enumeration, Mimikatz for credential extraction, and WinSCP/Mega.io for file exfiltration. They target various data types for exfiltration, including legal, financial, technical, and database files, which are archived and later exported. After exfiltrating data, Phobos ransomware targets backups by deleting volume shadow copies and encrypts connected drives on the target system. It delivers unique ransom notes and communicates with victims via email, voice calls, and instant messaging platforms, often utilizing onion sites for data hosting and communication.
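The behaviours described above (shadow copy deletion, firewall tampering, RDP brute forcing) and the encrypted-file naming convention from the advisory header translate into host-side checks a defender can run over process-creation and logon logs. The following is an added example, not ngCERT's or any vendor's tooling; the log line format, the 4625/logon-type-10 event fields, the thresholds and all sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Encrypted-file naming given in the advisory: filename.id[xxxxxx-xxxx].email.xshell
# (some samples wrap the contact email in brackets, so those are accepted too).
PHOBOS_NAME = re.compile(
    r"^(?P<orig>.+?)\.id\[(?P<vid>[^\]]+)\]\.\[?(?P<email>\S+?@\S+?)\]?\.xshell$")
# Command lines matching the described backup deletion and firewall tampering.
SUSPICIOUS_CMDS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "shadow copy deletion"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "shadow copy deletion"),
    (re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I), "firewall disabled"),
]

def parse_phobos_name(filename):
    """Return (original name, victim id, contact email) or None for a non-Phobos name."""
    m = PHOBOS_NAME.match(filename)
    return (m.group("orig"), m.group("vid"), m.group("email")) if m else None

def flag_commands(lines):
    """Label process-creation log lines whose command line matches a Phobos pattern."""
    hits = []
    for line in lines:
        for pat, label in SUSPICIOUS_CMDS:
            if pat.search(line):
                hits.append((label, line.strip()))
                break
    return hits
def rdp_bruteforce_sources(events, threshold=10, window=timedelta(minutes=5)):
    """Source IPs with >= threshold failed RDP logons (4625, logon type 10) in any window."""
    failures = defaultdict(list)
    for ts, event_id, logon_type, src in events:
        if event_id == 4625 and logon_type == 10:
            failures[src].append(ts)
    flagged = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged

# Constructed sample data (not from the advisory).
SAMPLE_CMDS = ["4688 C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
               "4688 netsh advfirewall set currentprofile state off",
               "4688 C:\\Windows\\System32\\notepad.exe C:\\Users\\a\\notes.txt"]
T0 = datetime(2024, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = [(T0 + timedelta(seconds=3 * i), 4625, 10, "203.0.113.7") for i in range(12)]
SAMPLE_EVENTS += [(T0, 4625, 10, "198.51.100.4"), (T0 + timedelta(minutes=3), 4624, 10, "198.51.100.4")]
```

A hit from `flag_commands` on a host that is not a backup or administration server is a strong signal on its own; the RDP check is a trigger for closing the exposed service, not proof of compromise.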
Consequences:
A successful attack could result in the following:
- System Compromise.
- Ransom payment.
- Data encryption or system lockout.
- Data loss and exfiltration.
- Financial losses.
- Denial of Service (DoS).
- Fraudulent activity using compromised systems.
Solution:
It is therefore recommended that relevant organizations:
- Secure RDP ports to prevent threat actors from abusing and leveraging RDP tools.
- Prioritize remediating known exploited vulnerabilities.
- Implement EDR solutions to disrupt threat actor memory allocation techniques.
- Disable command-line and scripting activities and permissions.
- Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
- Implement time-based access for accounts at the admin level and higher.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, or the cloud).
- Install, regularly update, and enable real time detection for antivirus software on all hosts.
- Disable unused ports and protocols.
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
- Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure.
- Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices.
References:
Advisory ID: ngCERT-2024-0025
Summary:
ngCERT is issuing an urgent security advisory regarding a critical vulnerability within Microsoft Windows Wi-Fi drivers, designated as CVE-2024-30078. This severe Remote Code Execution (RCE) flaw affects all current Microsoft Windows versions, with particular emphasis on Windows 10 and 11. An attacker, without requiring authentication, can exploit this vulnerability by transmitting a malicious network message to a vulnerable Wi-Fi driver, leading to arbitrary code execution on the target system. This may result in unauthorized malware installation, complete system compromise, and the potential theft or manipulation of sensitive information. Users are strongly advised to implement the latest security updates from Microsoft, addressing this critical issue.
Damage/Probability: CRITICAL/HIGH
Platform(s): Windows
Description:
The CVE-2024-30078 vulnerability represents a significant threat, impacting a wide array of devices running various Windows OS versions. This Wi-Fi driver RCE vulnerability is distinct in that it does not require any prior access to the victim's device, nor does it require the victim to interact with phishing links or execute files to initiate the attack. An attacker merely needs to be within Wi-Fi range of the target, such as in public Wi-Fi areas in airports, hotels, cafes, or offices, and send a malicious packet to the vulnerable Wi-Fi adapter to trigger RCE and potentially deploy further malicious software.
Consequences:
If exploited, the following outcomes may occur:
- Complete system takeover.
- Unauthorized retrieval of confidential data.
- Data exfiltration.
- Compromised account misuse.
- Ransomware deployment.
- Financial repercussions.
Solution:
To mitigate this threat, ngCERT advises:
- System Upgrades: Users on unsupported or end-of-life Windows versions should upgrade to the latest releases, which continue to receive vital security support.
- Timely Updates: Users on supported Windows iterations should promptly apply all updates and patches, which frequently include remedies for exploitable vulnerabilities. For detailed information, please refer to the Microsoft Security Response Center (MSRC) update guide.
- Firewall Activation: Employing a firewall can obstruct potential adjacent network attacks, serving as a protective barrier against external threats.
- Wi-Fi Deactivation: If not in active use, disable Wi-Fi to reduce the attackable surface area, as dormant connections may still be susceptible to unauthorized activities.
For further assistance and updates, please visit ngCERT's official website or contact our support team.
References:
Advisory ID: ngCERT-2024-0020
Summary:
ngCERT is aware of the resurgence of Andromeda malware, also known as Gamarue, Wauchos, and Andromeda Stealer, which is a dangerous Trojan horse with multiple malicious capabilities. This malware has been used by threat actors to create a network of infected computers, known as the Andromeda Botnet, which can be used to launch further attacks by distributing other malware such as ransomware, banking Trojans, Distributed Denial of Service (DDoS) tools, spam bots and backdoors. Despite the takedown of the Andromeda botnet by US and European law enforcement agencies in 2017, new variants have been detected infecting systems worldwide, including in Nigeria. ngCERT advises individuals and organisations to take immediate steps to protect their systems and data from Andromeda and other malware threats.
Damage/Probability: CRITICAL/HIGH
Platform(s): Windows
Description:
The Andromeda malware is a modular bot that can be extended with plugins for keyloggers, rootkits, TeamViewer-based remote access, and spreaders, expanding its attack chain and reach. The malware can infect systems through various methods, such as spear phishing emails, drive-by downloads, infected cracks or keygens, removable drives, and malicious links. It uses anti-virtual-machine and anti-debugging techniques, builds botnets, works as a backdoor, and steals sensitive information. The malware can also receive commands from its control server to download and execute files, open remote shells, or uninstall itself from the system.
Consequences:
Successful infection by the malware could lead to:
- System compromise.
- Unauthorised access to sensitive data.
- Loss and theft of sensitive data.
- System takeover.
- Ransomware attacks.
- Financial loss.
- DDoS attacks.
Solution:
ngCERT recommends the following:
- Avoid downloading or opening attachments in emails received from untrusted sources or unexpectedly received from trusted users.
- Block the malicious external IP addresses and other malicious IP addresses on your network.
- Ensure that the assets/systems operating system, applications, antivirus, and plugins are up to date.
- Activate built-in security features on endpoint devices which scan applications for malware.
- Consider implementing stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solutions, and endpoint detection and response (EDR) solutions including anti-malware software.
- Enforce a strong password policy and implement regular password changes.
- Disable unnecessary services and open ports on endpoint devices and servers within your agency. Only enable services and open ports that are essential for day-to-day operations.
References:
- https://www.alphatechs.al/post/andromeda-botnet-a-threat-to-albanias-cybersecurity
- https://www.ncert.gov.ph/2023/05/25/collective-analysis-of-avalanche-andromeda-malware-infiltration-in-government-and-academe-sectors
- https://www.csk.gov.in/alerts/andromeda.html#:~:text=The%20malware%20mainly%20targets%20the,which%20Andromeda%20is%20associated%20with
Advisory ID: NCC-CSIRT-040624-004
Summary:
Multiple vulnerabilities have been identified in Microsoft Edge, the popular web browser, which could potentially allow remote attackers to execute arbitrary code, bypass security restrictions, or obtain sensitive information. Users are advised to upgrade their products to the latest versions as recommended.
Threat Type(s): Denial of Service, Remote Code Execution, Information Disclosure
Impact/Vulnerability: CRITICAL/MEDIUM
Product(s): Microsoft Edge (Stable) prior to 125.0.2535.85
Platform(s): Microsoft Edge Browsers
CVE(s): CVE-2024-5493, CVE-2024-5494, CVE-2024-5495, CVE-2024-5496, CVE-2024-5497, CVE-2024-5498, CVE-2024-5499
Version(s): All Versions
Description:
Multiple vulnerabilities were identified in Microsoft Edge and Microsoft has rolled out a new update for the Edge browser in the Stable Channel. Version 125.0.2535.85 is now available with fixes for seven Chromium vulnerabilities of high severity. This is a security-only update, and it does not contain any new features or notable changes.
Consequences:
A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, remote code execution and sensitive information disclosure on the targeted system.
Solution:
To mitigate the risks associated with these vulnerabilities, it is highly recommended that users take the following steps:
- Update to Microsoft Edge (Stable) version 125.0.2535.85 or later, or visit the software vendor's website for more information.
- Avoid clicking on suspicious links or downloading files from untrusted sources while browsing the web. Be cautious when interacting with content or websites you are not familiar with.
References:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5495
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5496
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5497
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5498
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5499
Advisory ID: ngCERT-2024-0019
Summary:
Grandoreiro, a multi-component banking trojan that runs as Malware-as-a-Service (MaaS), is targeting more than 1,500 banks globally. According to reports, the malware has infected banking applications and websites in more than 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific. Investigation further revealed that the malware has infected more than 41 banking applications in Nigeria. The new version includes significant changes such as string decryption and DGA calculation, allowing at least 12 different C2 domains per day. Grandoreiro's attack chain includes obtaining email addresses from affected hosts and delivering further phishing attempts through the Microsoft Outlook client. Cybercriminals could use the software to gather sensitive financial data, potentially resulting in financial losses. This underscores the need for network and system administrators, as well as device users, to put safeguards in place to prevent likely attacks.
Damage/Probability: CRITICAL/HIGH
Platform(s): Windows & Android
Description:
The Grandoreiro banking trojan is spread through large-scale phishing campaigns, where threat actors send emails impersonating government entities and financial institutions. These emails entice recipients to click on links to view documents or notices, such as account statements, or to make payments, leading to the download of a ZIP file containing a loader executable. The loader is designed to evade antivirus detection by inflating its size and presenting a CAPTCHA to distinguish real users from automated systems. Once executed, the loader checks the environment to avoid sandboxes or unprotected Windows 7 machines and collects victim data such as computer and user names, operating system version, antivirus name, public IP address, and running processes. This information is encrypted and sent to a command and control (C2) server. The malware also checks for Microsoft Outlook clients, crypto wallets, and specific banking security products. To ensure persistence, the malware modifies the Windows registry and uses a Domain Generation Algorithm (DGA) for C2 communication. It harvests email addresses from Outlook, sending further phishing emails from the victim’s account after disabling Outlook alerts. It avoids collecting certain email addresses, such as those containing "noreply" or "newsletter", and scans victim folders for files with specific extensions to find more addresses. The malware sends spam emails based on templates from its C2 server, waiting until the user has been inactive for a certain period, and immediately deletes the sent emails from the victim’s mailbox. Besides its banking trojan capabilities, the malware allows cybercriminals to control the infected computer, perform keylogging, manage windows and processes, open a browser and execute JavaScript, upload or download files, and send emails.
Consequences:
The following could happen if this banking malware is successfully installed:
- Compromise of systems and banking applications.
- Sensitive data exfiltration.
- It can spread through infected victim inboxes via email.
- Financial fraud through compromised systems.
- Invasion of privacy.
- Denial of Service (DoS) attack.
- Identity theft.
Solution:
It is recommended that system administrators and users should:
- Refrain from opening suspicious emails that prompt file downloads or request sensitive information.
- Verify the sender’s authenticity before clicking on any links or downloading attachments.
- Download software from official websites and direct download links.
- Update installed programs through implemented functions or tools provided by official software developers.
- Regularly scan the operating system for threats with a reputable antivirus or anti-spyware suite and keep this software up to date.
- Install and configure robust endpoint security solutions that can detect and block malicious activities.
- Monitor network traffic for unusual activity, such as multiple consecutive requests to IP geolocation services like http://ip-api.com/json, which could indicate an infection.
- Block known malicious domains and pre-calculated DGA domains at the DNS level to prevent the malware from communicating with its C2 servers.
- Educate employees about phishing tactics and the importance of cyber security hygiene.
- Regularly check Windows registry keys used for persistence, such as HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
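Two of the recommendations above (watching for repeated ip-api.com/json lookups and reviewing the Run keys named for persistence) can be turned into routine checks over a proxy log and a `.reg` export of those keys. This is an added example, not ngCERT's or any vendor's tooling; the proxy log format, the 5-minute bucket, the "user-writable path" heuristic, and all sample registry entries and log lines are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

RUN_KEYS = {r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"}
# Assumption: autoruns from these user-writable folders deserve review even when baselined.
USER_WRITABLE = re.compile(r"\\(AppData\\Roaming|Temp|Public|Downloads)\\", re.I)
GEO_URL = re.compile(r"^https?://ip-api\.com/json(?:[/?]|$)", re.I)

def audit_run_keys(reg_text, baseline):
    """Parse a .reg export of the Run keys; return (key, name, command, reason) to review."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if key not in RUN_KEYS or not m:
            continue
        name, command = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        reasons = []
        if name not in baseline.get(key, set()):
            reasons.append("not in baseline")
        if USER_WRITABLE.search(command):
            reasons.append("user-writable path")
        if reasons:
            findings.append((key, name, command, "; ".join(reasons)))
    return findings
def geolocation_lookup_bursts(proxy_lines, threshold=3):
    """Clients making >= threshold ip-api.com/json requests within one 5-minute bucket."""
    counts = Counter()
    for line in proxy_lines:  # constructed format: <iso time> <client> <method> <url> <status>
        ts, client, _method, url, _status = line.split()
        if GEO_URL.match(url):
            t = datetime.fromisoformat(ts)
            counts[(client, t.replace(minute=t.minute - t.minute % 5, second=0))] += 1
    flagged = {}
    for (client, _bucket), n in counts.items():
        if n >= threshold:
            flagged[client] = max(n, flagged.get(client, 0))
    return flagged
# Constructed sample data (not from the advisory).
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"WinUpd"="C:\\Users\\alice\\AppData\\Roaming\\WinUpd\\winupd.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"'''
BASELINE = {k: {"OneDrive", "SecurityHealth"} for k in RUN_KEYS}
SAMPLE_PROXY = ["2024-06-01T09:00:00 10.0.0.5 GET http://ip-api.com/json 200",
                "2024-06-01T09:00:02 10.0.0.5 GET http://ip-api.com/json 200",
                "2024-06-01T09:00:05 10.0.0.5 GET http://ip-api.com/json?fields=query 200",
                "2024-06-01T11:00:00 10.0.0.9 GET http://ip-api.com/json 200"]
```

The baseline is whatever the host's Run keys contained at a known-good point; any entry that is new since then is the first thing to inspect on a machine that also shows a lookup burst.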
References:
- https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/
- https://thehackernews.com/2024/05/grandoreiro-banking-trojan-resurfaces.html
- https://www.infosecurity-magazine.com/news/grandoreiro-banking-trojanmajor
- https://cyberfraudcentre.com/understanding-and-preventing-the-grandoreiro-banking-trojan