Cyber Intel Brief: December 21 – 27, 2023

Phishing Email and Fake Browser Update Campaigns Deliver DarkGate and NetSupport Remote Access Trojans

Windows SmartScreen CVE-2023-36025 – DarkGate – Remote Access Trojan – NetSupport RAT – BattleRoyal Intrusion Set – Phishing Email Campaign – Fake Browser Updates – Industries/All

Threat Analysis

In the latter half of 2023, Proofpoint observed at least 20 email campaigns spreading the DarkGate malware, a new Remote Access Trojan (RAT) and loader. These campaigns all had similarities in tactics, techniques, procedures (TTPs), and arsenal, resulting in Proofpoint tracking the activity as an Intrusion Set named “BattleRoyal.” This Intrusion Set led to the discovery of a fake browser update campaign, identified as the RogueRaticate/FakeSG, that delivered the DarkGate malware. 

Phishing Emails

Between September and November 2023, Proofpoint’s research has identified at least 20 distinct email campaigns using DarkGate. These campaigns are recognizable by their use of specific GroupIDs, namely “PLEX,” “ADS5”, “user_871236672”, and “usr_871663321”. The email campaigns involved tens of thousands of emails targeting various industries, primarily in the USA and Canada. These emails were crafted to entice recipients into triggering the malware download. 

One of the first campaigns identified was notable due to using more than one traffic delivery system (TDS). The emails in this campaign contained 404 TDS URLs that, if clicked by the user, were redirected to the Keitaro TDS. The Keitaro TDS downloaded an internet shortcut (.URL) file. While other parts of the attack chain from this cluster changed or varied, .URL files were involved in every campaign and exploited CVE-2023-36025, a vulnerability in Windows SmartScreen. The BattleRoyal Intrusion Set exploited this vulnerability more than any other actor observed in Proofpoint telemetry data. Notably, this threat activity cluster exploited CVE-2023-36025 before it was published by Microsoft. 

The .URL file, when a recipient double-clicked it, downloaded a zipped VBS script. The script, in turn, downloaded and executed several shell commands (cmd.exe). The shell commands:

• Created a directory on C: drive
• Copied curl.exe from the system folder to this new directory
• Used curl to download Autoit3.exe
• Used curl to download and save an AutoIT script
• Ran the downloaded AutoIT script with the downloaded AutoIT interpreter. 
• The AutoIT script then ran the embedded DarkGate malware.

From late November to early December, Proofpoint observed the threat actor(s) replacing DarkGate with NetSupport, a legitimate remote access tool. 

Besides the payload switch, another notable change in this campaign that represents a gradual evolution of the threat actors includes using two .URL files instead of one. 

In an example campaign on 28 November 2023, the emails contained: 

Doubleclick.net URLs (hxxps[:]//adclick.g.doubleclick[.]net) that, if clicked by the user, are redirected to Keitaro TDS. 

• Keitaro TDS downloaded an Internet shortcut (.URL) file.
• The Internet shortcut, if double-clicked, downloaded another Internet shortcut (.URL) file.
• The second Internet shortcut linked to a NetSupport executable. 

Fake Browser Updates

The RogueRaticate/FakeSG campaign compromised websites to deliver fake browser update requests, using different templates depending on which browser the victim is running, to end users that dropped a DarkGate payload with the “ADS5” GroupID. On the compromised website, the threat actor injected a request to an actor-controlled domain that used .css steganography to conceal the malicious code. 

Upon visiting a compromised website, the concealed code makes a request to an actor-controlled Keitaro domain that would filter out unwanted traffic. Users who passed the traffic inspection would be presented with highly convincing fake browser update notifications. 

These notifications are carefully crafted to mimic the look and feel of legitimate update prompts from popular browsers like Chrome, Firefox, or Edge. The design of these fake updates is sophisticated and up-to-date, often matching the latest user interface elements of the respective browsers. For instance, a Chrome user might see a pop-up that closely resembles Chrome’s own update notification, complete with familiar color schemes, fonts, and logos. 

The notification typically urges the user to download an ‘urgent’ or ‘critical’ update, citing improved security or enhanced features. The language used is persuasive and creates a sense of immediacy, prompting the user to act quickly. To add to the authenticity, the notification might appear at moments that seem contextually appropriate, such as when a user first opens the browser or navigates to a new page.

When a user clicks on the ‘update’ button in these fake prompts, instead of receiving a genuine browser update, they download a similar .URL file and follow the attack chain from that point to deliver DarkGate, as observed in the email campaigns.

This particular Intrusion Set is notable for employing multiple attack chains and payloads. The DarkGate payload is capable of stealing confidential information and downloading other malware payloads. The Netsupport payload is used by threat actors to gain control over an infected host, install additional malware, and facilitate lateral movement throughout the compromised environment. 

What makes this Intrusion Set unique is the actor’s use of both email and fake update lures in their attack chains. This aligns with the overall trend of cybercriminals adopting new and varied attack chains, including TDS tools, to deliver malware. The actor’s use of both email and fake update lures shows that they are employing multiple social engineering techniques to trick users into installing the final payload.

Risk & Impact Assessment

The emergence and evolution of this Intrusion Set, particularly its use of DarkGate and subsequent switch to NetSupport RAT, presents significant risks and impacts to business operations. The sophisticated nature of the phishing campaigns and the deceptive fake browser updates increase the likelihood of successful breaches. These tactics can lead to the exfiltration of sensitive data, installation of additional malware, and potential compromise of critical systems. The shift to using NetSupport RAT, a tool that can be perceived as legitimate, further complicates detection and response efforts. This evolving threat landscape underscores the vulnerability of even well-protected networks, as threat actors continuously adapt and refine their methods to exploit new vulnerabilities and bypass security measures. The impact of such breaches extends beyond immediate data loss, encompassing long-term reputational damage, loss of customer trust, and potential disruption of business operations.

Assessing the material impact of these threats, it is evident that there is a considerable likelihood of a significant adverse effect on a company’s business operations, results of operations, or financial condition. The successful infiltration and persistence of such malware within corporate networks can lead to substantial operational disruptions, including downtime, loss of productivity, and the diversion of resources to incident response and recovery efforts. Financially, the implications are multifaceted, ranging from direct costs associated with breach mitigation, legal liabilities, and potential regulatory fines to indirect costs like increased insurance premiums and investment in strengthening cybersecurity infrastructure. 

For companies in sectors where data integrity and security are paramount, the impact can be even more pronounced, potentially leading to loss of competitive advantage and long-term financial repercussions. Therefore, it is crucial for organizations to recognize the severity of these risks and proactively implement comprehensive security measures to mitigate potential material impacts on their operations and financial health.

Source Material: Proofpoint, BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates

The Severe Risks of Continuing to Use Microsoft Exchange Server 2013

Microsoft Exchange Server 2013 – Software End-of-life Risks – Ransomware – Vulnerability Exploitation – Industries/All

Threat Analysis

The cyber threat landscape surrounding the use of Microsoft Exchange Server 2013 has evolved significantly, especially following its transition to end-of-life status in April 2023. Recent trends have shown a noticeable increase in ransomware attacks targeting organizations using Exchange Server 2013. This uptick is particularly alarming given the server’s widespread adoption across various sectors, including government and corporate entities. A typical configuration for these attacks has been identified as Exchange Server 2013 with Outlook Web Access (OWA) enabled. While common for user convenience, this configuration exposes organizations to risks.

The transition of Microsoft Exchange Server 2013 to end-of-life has critical implications for security, as it means no further security updates or patches will be released by Microsoft for this version. The cessation of security updates exposes organizations using Exchange Server 2013 to emerging threats. Without ongoing updates, these systems become increasingly vulnerable to exploitation by cybercriminals. There is a concerning trend where organizations believe their systems are secure if they have applied all available security updates. However, the end-of-life status of Exchange Server 2013 means that new vulnerabilities discovered post-support will not be addressed, leaving systems at risk.

Furthermore, Microsoft does not test new security vulnerabilities on end-of-life versions of Exchange Server. When a new vulnerability is discovered, the end-of-life version of Exchange Server will not be listed as vulnerable. Because of this policy, no new vulnerabilities have been recorded in the Common Vulnerabilities and Exposures (CVE) databases for Exchange Server 2013. This absence can create a misleading perception of security. The absence of CVE entries does not mean the absence of vulnerabilities, as the maxim goes: “The absence of evidence is not evidence of absence.” In reality, it reflects the cessation of official vulnerability assessments by Microsoft, likely leaving undiscovered or undisclosed vulnerabilities in the system.

Instances have been observed where ransomware attacks successfully penetrated organizations where the apparent entry vector was a fully patched Exchange Server 2013 server with Outlook Web Access enabled. These incidents are likely the result of known vulnerabilities, given that various post-authentication Exchange Server vulnerabilities exist. However, the possibility of zero-day exploits being used cannot be ruled out, given the lack of ongoing security updates and assessments.

Exchange Server 2013 marks a significant point in the evolution of Microsoft’s Exchange Server line, introducing features and architectural changes not present in earlier versions like Exchange 2007. Some features intended to enhance functionality and integration inadvertently introduced new security challenges. Exchange Server 2013 is deeply integrated with Active Directory, which, while beneficial for system management, creates significant security risks. This integration often makes it easier for threat actors to escalate privileges once they have compromised the Exchange Server.

The codebase for Exchange Server 2013 includes components added for Exchange Online, which have been linked to various security issues. These components introduced the ProxyLogon, ProxyShell, and ProxyNotShell vulnerabilities. Despite these known vulnerabilities, Exchange Server 2013 continues to be widely used in various sectors, including critical ones like government and finance. This widespread use, coupled with the unique vulnerabilities, creates a substantial risk profile.

Despite its end-of-life status, Exchange Server 2013 remains widely used worldwide, including many organizations in critical sectors such as government, finance, and healthcare. Many organizations continue to use Exchange Server 2013 with Outlook Web App enabled, almost 25,000, due to the complexities and costs associated with upgrading to newer versions. This reluctance or delay in upgrading exacerbates the security risks. There is a general underestimation of the risks associated with using end-of-life software. Many organizations might not fully comprehend the security implications of continuing to use Exchange Server 2013. The reliance on vulnerability scanners that do not flag issues with end-of-life software further contributes to a false sense of security among these organizations.

Additionally, Exchange Server 2013 honeypot networks have recorded frequent attacks from threat actors with valid credentials into Outlook Web App over the past few months, suggesting threat actors actively seek and exploit vulnerabilities in Exchange Server 2013, even without publicly known CVEs.

The end-of-life status of Exchange Server 2013 has left it without critical security updates, making it increasingly vulnerable to exploitation. There has been a marked increase in ransomware attacks targeting Exchange Server 2013, exploiting its unique vulnerabilities and integration with critical systems like Active Directory. Many organizations, including those in sensitive sectors, continue to use Exchange Server 2013, often underestimating the risks associated with end-of-life software. The widespread practice of exposing Outlook Web Access (OWA) to the internet has notably increased the attack surface, making organizations more susceptible to cyber-attacks. 

It is imperative for organizations to recognize the heightened risks associated with Exchange Server 2013 and to reassess their reliance on this end-of-life software. Organizations must adopt proactive measures, including upgrading to supported versions of Exchange Server, implementing robust security practices, and regularly reviewing their cybersecurity posture.

Risk & Impact Assessment

The continued operation of Microsoft Exchange Server 2013 in its end-of-life phase exposes organizations to significant cybersecurity risks, primarily from heightened vulnerability to attacks like ransomware. This vulnerability is intensified by the server’s integration with critical systems, potentially leading to escalated breaches and severe data compromises. The impacts of such incidents extend beyond data loss to include operational disruptions, reputational damage, and regulatory non-compliance, especially in sensitive sectors like government, finance, and healthcare. These breaches can result in substantial financial losses, legal liabilities, and erosion of customer trust.

Assessing the material impact on a company’s business operations and financial condition reveals a high likelihood. The probability of a cyber-attack exploiting known vulnerabilities in Exchange Server 2013 and the potential severity of such an incident suggests a material impact is not only possible but probable. Companies may face considerable direct costs from operational disruptions and breach remediation, as well as indirect costs like reputational harm and loss of market confidence. For organizations in regulated industries, the compliance risks and associated penalties further heighten the potential for a material financial impact, underscoring the need for urgent and comprehensive risk management strategies.

Source Material: Kevin Beaumont, The ticking time bomb of Microsoft Exchange Server 2013

Deepwatch’s Open-source Intelligence Collection and Reporting Frequently Leads to the Discovery of Malicious Activity

IcedID – Cobalt Strike – Trojan – Rundll32 – Domain Compromise – Abnormal Parent Spawning Rundll32 – Industries/All

Threat Analysis

Our original report, “IcedID Leads to Domain Compromise, Cobalt Strike, & Data Exfiltration,” published in early January 2023, is a perfect example that highlights Deepwatch’s Adversary Tactics and Intelligence team’s post-reporting work. While focused on an IcedID infection leading to domain compromise, our post-intelligence work led to observing a technique (abnormal parent process spawning Rundll32) employed in this campaign in several customer environments. 

The Abnormal Parent Spawning “Rundll32” technique involves a parent process, like explorer.exe, spawning the child process rundll32.exe with an uncommon argument, such as “-localserver.” Cybercriminals often use this technique to execute malicious code on a victim’s computer.

For instance, a threat actor would use explorer.exe because it’s a legitimate and commonly trusted Windows process typically associated with the Windows File Explorer. Its ubiquity and trust within the operating system make it an ideal candidate for initiating less suspicious actions. The child process, rundll32.exe, is another legitimate Windows utility. Its primary function is to load and run functions stored in Dynamic Link Library (DLL) files. However, rundll32.exe can also be employed for malicious activities due to its versatility.

Using uncommon arguments, such as “-localserver” to load malicious registered COM objects, is a key aspect of this tactic. Regular day-to-day computer operations typically do not use these arguments, and their presence can strongly indicate an unusual and potentially malicious use of rundll32.exe. Threat actors favor this method for several reasons. Mainly because it offers a degree of stealth and can bypass security measures, using legitimate system processes that help to camouflage malicious activities, making them harder to detect by users, and may bypass conventional security software. 

To underscore the importance of our reporting, customers must recognize that these reports are not just educational but are instrumental in proactive defense. By staying informed through our detailed analyses, customers can better understand the evolving threat landscape and enhance their security posture. Our ability to detect and report on tactics like the ‘Abnormal Parent Spawning Rundll32’ demonstrates the value of continuous vigilance and intelligence-led security strategies. We encourage all our customers to regularly engage with our reports to avoid potential threats and safeguard their digital environments effectively.

Overview of Initial Reporting

The initial infection method employed by the cybercriminal involved the victim opening an archive containing an ISO file, which creates a virtual disk. The victim navigated to the virtual disk and clicked the only file visible, an LNK file. The LNK file runs a batch file that drops a DLL into a temporary folder and runs it with rundll32.exe, which loads the DLL to create network connections to IcedID-related domains and downloads the IcedID payload. IcedID payload is loaded into the process and establishes persistence on the machine. After gaining access with IcedID, regsvr32.exe was used to load the file “cuaf.dll,” a Cobalt Strike beacon, moving throughout the network laterally.

Risk & Impact Assessment

The implications of this technique are significant. The primary concern is the potential compromise of the system, where malicious code can be executed without immediate detection. This technique could lead to various detrimental outcomes, such as data theft, data damage, or the establishment of persistent access to the system for ongoing exploitation. This tactic’s ability to evade detection increases the likelihood of a successful attack and prolongs the attacker’s presence within the system, potentially leading to more severe consequences over time.

Source Material: Cybereason, Threat Analysis: From IcedID to Domain Compromise