Gootloader V3 Evolves, Eldorado Ransomware Targets 16 Companies, Rejetto HTTP File Server Exploited, Advanced Backdoor Uses MSBuild, New Data Leaks, and CISA Updates
In our latest Cyber Intelligence Brief, Deepwatch ATI looks at new threats and techniques to deliver actionable intelligence for SecOps organizations.
Each week we look at in-house and industry threat intelligence and provide ATI analysis and perspective to shine a light on a spectrum of cyber threats.
Contents
- Gootloader’s Evolution: What’s New in Version 3
- Eldorado Ransomware Launches, Targets 16 Companies Across Various Industries
- ASEC Report Highlights Ongoing Exploitation of Rejetto HTTP File Server Vulnerability CVE-2024-23692
- Advanced Backdoor Spread Through Shortcut File Abuses MSBuild for Evasion
- Latest Additions to Data Leak Sites
- Microsoft and Rejetto Flaws Added to CISA’s Exploited List
Gootloader’s Evolution: What’s New in Version 3
Malware – JavaScript Malware – Malware Update – Malware Loader – Website Compromises – SEO Poisoning – Gootloader – All Industries
The Rundown
Gootloader’s Version 3 introduces enhanced stealth features and advanced tactics, distinguishing it from its predecessors. This new iteration focuses on improved obfuscation techniques, a refined infection chain, and persistence capabilities, making it a formidable threat.
- Gootloader is a malware delivery framework primarily used to distribute various types of malicious payloads, such as Cobalt Strike beacons and SystemBC.
- The delivery framework consists of:
  - Compromising legitimate websites that use the WordPress content management system to host fake blog posts.
  - The threat actors use Search Engine Optimization (SEO) poisoning techniques to have their blog posts show towards the top of search engine results.
  - Victims conducting searches for keywords that include “agreements” or “contracts” may be served the malicious blog posts.
  - Victims will often click on these results to download templates for business use, but will actually download the Gootloader malware.
- For more detail on Gootloader’s SEO poisoning techniques, read our intelligence report “Is Gootloader Working with a Foreign Intelligence Service?” here.
Gootloader V3’s advancements challenge cybersecurity defenses and increase the potential for significant data breaches and financial losses.
- Advanced obfuscation techniques allow Gootloader V3 to evade detection effectively.
  - Impact: Severe. It could lead to undetected infections, enabling the deployment of additional malware.
- The refined infection chain implements sophisticated methods to create later-stage malicious files instead of downloading them from a command and control (C2) server.
  - Impact: Severe. It could lead to undetected infections, enabling the deployment of additional malware.
- Persistent infection mechanisms ensure the malware remains active despite remediation efforts.
  - Impact: High. Continuous data theft and operational disruptions.
Gootloader V3 introduces several advancements and enhancements over its previous versions, making it more effective and harder to detect and remove. Here are the key changes:
Obfuscation Techniques
- Versions 2 and 3 employ advanced obfuscation techniques, scattering code across trojanized JavaScript libraries, making it harder to detect.
Infection Chain
- Previous versions downloaded the second stage from a command and control (C2) server.
- Version 3 creates the second stage file locally, avoiding detection during the download process.
Execution Flow Obfuscation
- Version 3 uses complex obfuscation, using functions within arrays and executing by index.
Persistence Mechanisms
- Version 3 uses scheduled tasks to execute Stage 2 of Gootloader.
Stage 2 Payload Size Inflation
- Previous versions do not inflate the Stage 2 payload.
- Version 3 inflates the Stage 2 JavaScript file to over 30MB as an anti-analysis measure.
PowerShell Usage
- Previous versions used PowerShell for reflective loading of post-exploitation malware.
- Version 3 uses PowerShell to handle discovery, C2 communication, and command execution for post-exploitation activities.
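As an added hunting example (not code from the Cybereason report or this brief), the script below checks for the two Version 3 traits above that leave host artifacts: a scheduled task whose action runs a .js file through the Windows Script Host, and a JavaScript file inflated past 30MB. The task XML, file paths and sizes are constructed, and wscript.exe/cscript.exe as the launcher is an assumption about how such a task would look, not a detail taken from the report.

```python
"""Hunt for the two Gootloader V3 traits above that leave host artifacts: a scheduled
task that runs a .js file through the Windows Script Host, and a JavaScript payload
inflated past 30MB. Added example; all task XML and file records are constructed."""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Task Scheduler XML namespace (schtasks /query /xml, files under C:\Windows\System32\Tasks)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # assumed launchers for a .js Stage 2
INFLATED_JS_BYTES = 30 * 1024 * 1024             # the brief reports Stage 2 over 30MB

# Constructed task definitions: one Gootloader-style task and one legitimate task.
SAMPLE_TASKS = {
    r"\Archive Sync": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>wscript.exe</Command>
    <Arguments>"C:\Users\alice\AppData\Roaming\Archive Sync\config.js"</Arguments></Exec></Actions>
</Task>""",
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>%windir%\system32\defrag.exe</Command>
    <Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>""",
}
# Constructed file inventory as (path, size in bytes), e.g. from an EDR file census.
SAMPLE_FILES = [
    (r"C:\Users\alice\AppData\Roaming\Archive Sync\config.js", 31 * 1024 * 1024),
    (r"C:\Program Files\App\resources\app.js", 2 * 1024 * 1024),
    (r"C:\Users\alice\Downloads\agreement_template.zip", 40 * 1024 * 1024),
]


def script_host_actions(task_xml):
    """Return (command, arguments) for each Exec action that runs a .js via WSH."""
    root = ET.fromstring(task_xml)
    hits = []
    for node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (node.findtext("t:Command", "", TASK_NS) or "").strip()
        args = (node.findtext("t:Arguments", "", TASK_NS) or "").strip()
        launcher = PureWindowsPath(cmd.strip('"')).name.lower()
        if launcher in SCRIPT_HOSTS and re.search(r"\.js\b", args, re.IGNORECASE):
            hits.append((cmd, args))
    return hits


def inflated_scripts(file_records):
    """Return .js paths larger than the inflation threshold (anti-analysis padding)."""
    return [p for p, size in file_records if p.lower().endswith(".js") and size > INFLATED_JS_BYTES]


def hunt(tasks, file_records):
    """Report: task name/command/arguments for WSH tasks, plus oversized .js paths."""
    report = {"wsh_tasks": [], "inflated_js": inflated_scripts(file_records)}
    for name, xml in tasks.items():
        for cmd, args in script_host_actions(xml):
            report["wsh_tasks"].append((name, cmd, args))
    return report
```

Both checks are cheap enough to run fleet-wide; a hit on either one on the same host is a strong Gootloader V3 indicator and warrants pulling the task definition and the script for analysis.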
Source Material: Cybereason, I am Goot (Loader)
Eldorado Ransomware Launches, Targets 16 Companies Across Various Industries
Ransomware – Ransomware-as-a-Service – Eldorado Ransomware – All Industries
The Rundown
Eldorado ransomware has emerged as a formidable new player in the Ransomware-as-a-Service ecosystem, launching attacks on 16 companies across various industries and countries.
The swift rise of Eldorado ransomware underscores ransomware’s evolving and persistent threat. Eldorado’s advanced tactics and tools mark a significant escalation in ransomware operations.
What happened: In March 2024, Eldorado ransomware was discovered recruiting affiliates on the dark web forum “RAMP.” Group-IB analysts infiltrated the group, revealing advanced tools and techniques used in their operations.
Leak site by the numbers: As of June 2024, 16 companies across various countries and industries have been listed on the Eldorado ransomware leak site.
- 3 countries: U.S. (13), Italy (2), Croatia (1)
- 9 industries:
  - Real Estate and Rental and Leasing (3)
  - Educational Services (2)
  - Professional, Technical, and Scientific Services (2)
  - Health Care and Social Services (2)
  - Manufacturing (2)
  - Administrative and Support and Waste Management and Remediation Services (2)
  - Information (1)
  - Transportation and Warehousing (1)
  - Public Administration (1)
Group-IB’s analysis revealed that the Eldorado group uses advanced tools and techniques. The ransomware, written in Golang for cross-platform capabilities, employs Chacha20 for file encryption and RSA-OAEP for key encryption, targeting both Windows and Linux systems. The recruitment ad sought penetration testers, indicating the group’s strategic focus on expanding its technical expertise.
Technical details overview: Eldorado ransomware can encrypt files on network shares over the SMB protocol, and its affiliates can customize the target networks, ransom note details, and admin credentials used.
- Golang-based: Eldorado ransomware uses Golang for cross-platform capabilities.
- Encryption: Employs Chacha20 for file encryption and RSA-OAEP for key encryption.
- Customization: Accepts various command line parameters for tailoring attacks.
- Cleanup: Overwrites the encryptor with random bytes before deletion and removes shadow volume copies.
Driving the threat:
- RaaS Programs: Between 2022 and 2023, the number of ads for Ransomware-as-a-Service (RaaS) increased by 1.5 times. The RAMP forum has become a central hub, with 60% of new RaaS programs advertised there.
- Surge in Attacks: In 2023, ransomware attacks published on dedicated leak sites surged by 74%, with 4,583 attacks compared to 2,629 in 2022.
Source Material: Group-IB, Eldorado Ransomware: The New Golden Empire of Cybercrime?
ASEC Report Highlights Ongoing Exploitation of Rejetto HTTP File Server Vulnerability CVE-2024-23692
Vulnerability Exploitation – Rejetto HTTP File Server CVE-2024-23692 – Remote Arbitrary Command Execution – Malware Deployment – All Industries
The Rundown
AhnLab’s latest report details ongoing cyber attacks exploiting a vulnerability in Rejetto HTTP File Server (HFS), CVE-2024-23692, to deploy malware and cryptocurrency miners.
Since the disclosure of the critical remote code execution vulnerability CVE-2024-23692 in HTTP File Server (HFS) version 2.3m in May, AhnLab Security Intelligence Center (ASEC) has observed continued exploitation attempts.
Attackers leverage this vulnerability to infiltrate systems, install CoinMiner malware, and establish backdoors. This persistent threat underscores the importance of timely software updates and robust cybersecurity practices.
Vulnerability Details: The critical remote code execution vulnerability CVE-2024-23692 affects Rejetto HTTP File Server (HFS) version 2.3m, enabling remote attackers to execute arbitrary commands on vulnerable systems by sending a specially crafted HTTP request.
Exploitation Tactics: After the vulnerability was disclosed, a Proof of Concept (PoC) was released, which allows an attacker to send a remote HTTP GET request containing commands to HFS servers.
After initial access, the attacker used commands such as “whoami” and “arp” to collect information on the system. They then added backdoor accounts to connect via RDP and hid the accounts. In many cases, HFS was terminated after the process was complete so that other attackers would not use it.
Examining the malware strains and commands leads AhnLab to assume that Chinese-speaking attackers perform most attacks.
- Crypto Miner Deployment: ASEC has documented instances where attackers leveraged this vulnerability to install XMRig cryptocurrency miners.
- Backdoor Installation: Remote Access Trojans (RATs) like Gh0stRAT and PlugX have been deployed, allowing attackers to maintain persistent access and control over compromised systems.
- GoThief Malware: Attackers have also used GoThief malware for data theft and system reconnaissance.
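As an added detection example (not part of the ASEC report), the code below walks constructed process-creation events and flags anything descended from the HFS process: a file server should never spawn cmd.exe, whoami, arp, an account-creation command, or a taskkill of itself, which is exactly the post-exploitation sequence described above. The image name hfs.exe, the Sysmon-style field names, the sample command lines and the placeholder account are assumptions.

```python
"""Flag command execution descended from the Rejetto HFS process, the post-exploitation
pattern AhnLab describes for CVE-2024-23692. Added example; the events are constructed
in a Sysmon Event ID 1 style and hfs.exe as the server's image name is an assumption."""
import re
from pathlib import PureWindowsPath

HFS_IMAGE = "hfs.exe"
SHELLS = {"cmd.exe", "powershell.exe"}
DISCOVERY = {"whoami.exe", "arp.exe", "net.exe", "net1.exe", "ipconfig.exe"}
ACCOUNT_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\b.*/add\b", re.IGNORECASE)


def mk(pid, ppid, image, parent_image, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent_image, "CommandLine": cmdline}


SAMPLE_EVENTS = [  # constructed, not from the ASEC report; <pw> is a placeholder
    mk(1200, 900, r"C:\hfs\hfs.exe", r"C:\Windows\explorer.exe", "hfs.exe"),
    mk(1300, 1200, r"C:\Windows\System32\cmd.exe", r"C:\hfs\hfs.exe", "cmd.exe /c whoami"),
    mk(1310, 1300, r"C:\Windows\System32\whoami.exe", r"C:\Windows\System32\cmd.exe", "whoami"),
    mk(1320, 1200, r"C:\Windows\System32\cmd.exe", r"C:\hfs\hfs.exe", "cmd.exe /c arp -a"),
    mk(1330, 1200, r"C:\Windows\System32\cmd.exe", r"C:\hfs\hfs.exe", "cmd.exe /c net user svc_backup <pw> /add"),
    mk(1340, 1330, r"C:\Windows\System32\net.exe", r"C:\Windows\System32\cmd.exe", "net user svc_backup <pw> /add"),
    mk(1350, 1200, r"C:\Windows\System32\taskkill.exe", r"C:\hfs\hfs.exe", "taskkill /f /im hfs.exe"),
    mk(2000, 900, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe /c whoami"),  # admin at console, benign
]


def basename(path): return PureWindowsPath(path).name.lower()


def spawned_by_hfs(event, by_pid):
    """True if hfs.exe appears anywhere in the event's known ancestry (cycle-safe)."""
    cur, seen = event, set()
    while cur is not None and cur["ProcessId"] not in seen:
        seen.add(cur["ProcessId"])
        if basename(cur["ParentImage"]) == HFS_IMAGE:
            return True
        cur = by_pid.get(cur["ParentProcessId"])   # climb to the parent's own event
    return False


def classify(event):
    """Name the post-exploitation step the event most resembles."""
    img, cmd = basename(event["Image"]), event["CommandLine"]
    if ACCOUNT_ADD.search(cmd):
        return "account creation under HFS"
    if img in SHELLS:
        return "shell spawned under HFS"
    if img in DISCOVERY:
        return "host discovery under HFS"
    if img == "taskkill.exe" and "hfs" in cmd.lower():
        return "HFS terminated by its own child"
    return "unexpected child process of HFS"


def detect(events):
    """Return (reason, pid, command line) for every event rooted in the HFS process."""
    by_pid = {e["ProcessId"]: e for e in events}
    return [(classify(e), e["ProcessId"], e["CommandLine"]) for e in events if spawned_by_hfs(e, by_pid)]
```

The parent-chain walk is what separates the attacker's whoami (a grandchild of HFS) from an administrator running the same command at the console, which stays silent.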
Source Material: AhnLab
Advanced Backdoor Spread Through Shortcut File Abuses MSBuild for Evasion
Malware – Backdoor – MSBuild – Malicious Shortcut File (LNK) – Potentially Russian Threat Actor – Potential Turla – All Industries
The Rundown
On May 9, 2024, GDATA analysts observed a malicious shortcut file that leverages MSBuild, Microsoft’s platform for building applications, to deploy a fileless backdoor onto the system.
This attack, targeting systems through a file masquerading as a legitimate Philippine Statistics Authority advisory, employs memory patching, bypasses AMSI, and disables the system’s event logging features to impair defenses and enhance its evasion capabilities.
The malicious file was archived in a ZIP file and hosted on a compromised website. While the distribution method is unknown, this and advanced evasion techniques highlight the knowledge, capabilities, and resources involved in the attack.
The backdoor, loaded through MSBuild, executes actions that disable key security features, making it difficult to detect and remove. This incident underscores the importance of robust cybersecurity measures and continuous monitoring to defend against such advanced threats.
Source Material: GDATA, Turla: A Master’s Art of Evasion
Latest Additions to Data Leak Sites
Manufacturing – Construction – Information – Transportation and Warehousing – Real Estate and Rental and Leasing – Other Services – Educational Services – Professional, Scientific, and Technical Services – Health Care and Social Assistance
The Rundown
Despite a drop in activity, ransomware leak sites still exposed 42 new organizations last week, with U.S. manufacturing heavily targeted.
This decline in ransomware activity may indicate a temporary break, but the focus on critical sectors like manufacturing and a high concentration in the U.S. underscores the persistent threat to essential industries.
Industry distribution: Of the organizations listed, those in the manufacturing, construction, and information sectors were listed the most.
By the numbers:
Microsoft and Rejetto Flaws Added to CISA’s Exploited List
Microsoft Windows MSHTML Platform CVE-2024-38112 – Microsoft Windows Hyper-V CVE-2024-38080 – Rejetto HTTP File Server CVE-2024-23692
The Rundown
On July 9th, CISA added CVE-2024-38112, which affects Microsoft Windows MSHTML Platform, CVE-2024-38080, which affects Microsoft Windows Hyper-V, and CVE-2024-23692, which affects Rejetto HTTP File Server, to its Known Exploited Vulnerabilities Catalog.
The exploitation of these vulnerabilities emphasizes the urgent need for organizations to apply recommended mitigations by July 30. These vulnerabilities pose significant risks to confidentiality, integrity, and availability. Exploitation could result in data theft, local privilege escalation, and remote command execution.
CVE-2024-38112 Microsoft Windows MSHTML Platform Spoofing Vulnerability
Microsoft Windows MSHTML Platform contains a spoofing vulnerability that can severely impact confidentiality, integrity, and availability.
- Confidentiality: Attackers could exploit this flaw to gain unauthorized access to sensitive information by presenting spoofed content as legitimate.
- Integrity: This vulnerability permits attackers to alter or inject legitimate content, thereby tricking users into unintended actions.
- Availability: It could indirectly lead to a denial of service if users are duped into downloading malware or other harmful software.
This vulnerability resides in the MSHTML (Trident) rendering engine, which renders web content in Internet Explorer and other applications via embedded web browser controls.
Microsoft designates the attack complexity as high, as successful exploitation requires specific preparatory actions by the attacker, such as creating a convincing impersonation setup. User interaction is required, as the user must execute a malicious file or visit a crafted web page for successful exploitation. However, attackers do not need any pre-existing privileges to exploit this vulnerability.
Attackers could employ phishing tactics, sending emails with malicious HTML attachments or links leading to spoofed websites. Upon interaction, the user’s browser could render the malicious content in a trusted context.
Attackers can leverage CVE-2024-38112 for various malicious purposes, such as redirecting users to malicious sites to steal credentials and financial information, conducting espionage, and causing widespread damage. Given the extensive use of MSHTML across numerous applications, this vulnerability’s potential reach and impact are substantial, affecting a broad user base.
This vulnerability is not known to have been used in ransomware attacks.
Action: CISA has set a recommended mitigation date of July 30 and recommends organizations apply mitigations per vendor instructions.
CVE-2024-38080 Microsoft Windows Hyper-V Privilege Escalation Vulnerability
Microsoft Windows Hyper-V contains a privilege escalation vulnerability that allows a local attacker with user permissions to gain SYSTEM privileges. The impact on confidentiality, integrity, and availability could be substantial:
- Confidentiality: Attackers with SYSTEM privileges could access sensitive data across all VMs on the compromised Hyper-V instance.
- Integrity: With SYSTEM-level privileges, attackers could modify critical system files and configurations or install malware.
- Availability: An attacker’s activities could disrupt services by crashing the host system or causing resource exhaustion, leading to a denial of service for all hosted VMs.
CVE-2024-38080 is an integer overflow vulnerability within Microsoft’s virtualization technology Hyper-V. This vulnerability can alter program control flow or data integrity, potentially allowing an attacker to overwrite critical memory structures. Successful exploitation of this flaw could enable arbitrary code execution with elevated privileges, granting the attacker SYSTEM-level access.
To exploit the vulnerability, the attacker needs initial local access, typically via a compromised user account within a VM on the host. Even user accounts with minimal privileges can exploit this vulnerability, and once the attacker has obtained local access, the vulnerability is relatively easy to exploit.
This vulnerability is not known to have been used in ransomware attacks.
Action: CISA has set a recommended mitigation date of July 30 and recommends organizations apply mitigations per vendor instructions.
CVE-2024-23692 Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability
Rejetto HTTP File Server contains an improper neutralization of special elements used in a template engine vulnerability. This allows a remote, unauthenticated attacker to execute commands on the affected system by sending a specially crafted HTTP request.
For additional details on the exploitation of CVE-2024-23692, see our Cyber Intel Brief titled “ASEC Report Highlights Ongoing Exploitation of Rejetto HTTP File Server Vulnerability CVE-2024-23692.”
This vulnerability is not known to have been used in ransomware attacks.
Action: CISA has set a recommended mitigation date of July 30 and recommends organizations apply mitigations per vendor instructions.
Recommendations
ATI recommends mitigative action occur according to the mitigation “Due Date” recommended by CISA.
Source Material: CISA
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.