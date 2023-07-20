Malware Activity

"LokiBot" Campaign Identified Exploiting Known Microsoft Office Vulnerabilities

Researchers have identified a new campaign exploiting known vulnerabilities in Microsoft Office documents to deploy the "LokiBot" malware. The vulnerabilities, tracked as CVE-2021-40444 (a remote code execution flaw in the MSHTML engine, reached through a malicious external OLE object embedded in a document) and CVE-2022-30190 ("Follina", a remote code execution flaw in the Microsoft Support Diagnostic Tool reached through the ms-msdt: protocol handler), are combined in this campaign with macro-bearing documents; the report describes attackers able to "embed malicious macros within Microsoft documents that, when executed, dropped the LokiBot malware onto the victim's system." LokiBot has been active since 2015 and is a well-known information-stealing Trojan that targets Windows devices. In their latest report, researchers analyzed two types of Word documents from the campaign. The first document carries an external link embedded in one of its XML parts; opening it triggers CVE-2021-40444, and later in the chain it downloads a file that exploits CVE-2022-30190. The second document contains a VBA script that downloads an injector from a hard-coded URL for later use. In the same directory as the injector, researchers also found a file that loads LokiBot and connects to its command-and-control (C2) server. LokiBot's goal is to collect sensitive information from multiple sources on the victim device, including web browsers, file transfer protocol (FTP) clients, email accounts, and various other installed software. Notably, both documents use a similar lure image showing Word reporting an error while opening the document and asking the user to enable editing. Windows users should remain wary of unexpected emails that prompt them to open hyperlinks or attachments, and administrators should ensure the patches for both CVEs are deployed, since neither flaw depends on the user approving a macro. Indicators of compromise (IOCs) and additional technical details can be found in the report linked below.
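The two document types above can be triaged offline without opening them in Word, because the indicators live in the OOXML container itself: an external relationship target in a .rels part (the MSHTML chain starts from an external OLE object whose target nests an mhtml:/x-usc: URL, and Follina lures point at an ms-msdt: handler) and the presence of a VBA project. The following Python script is an added example written for this page, not code from the researchers' report or from any vendor tool; the sample documents and relationship parts are constructed inline, the URLs use the reserved example.invalid domain, and the target-scheme patterns are an assumed minimal set drawn from the public descriptions of the two CVEs rather than an exhaustive signature.

```python
"""Static triage of a .docx/.docm for the document-level indicators discussed above."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Assumed minimal set of target schemes: MSHTML (CVE-2021-40444) lures nest an
# "mhtml:...!x-usc:" URL, Follina (CVE-2022-30190) lures point at ms-msdt:.
SUSPICIOUS_TARGET = re.compile(r"(?i)^(mhtml:|ms-msdt:)|!x-usc:")


def scan_docx(data: bytes) -> dict:
    """Return external/suspicious relationship targets and whether VBA is present."""
    findings = {"external_targets": [], "suspicious_targets": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # vbaProject.bin is the macro container; a plain .docx should not have one.
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # references to parts inside the package are normal
                target = rel.get("Target", "")
                entry = (name, rel.get("Type", "").rsplit("/", 1)[-1], target)
                findings["external_targets"].append(entry)
                if SUSPICIOUS_TARGET.search(target):
                    findings["suspicious_targets"].append(entry)
    return findings


def triage(findings: dict) -> list:
    """Turn findings into human-readable reasons; an empty list means nothing flagged."""
    reasons = []
    for name, rel_type, target in findings["suspicious_targets"]:
        reasons.append(f"{name}: external {rel_type} target {target!r}")
    # An external OLE object is worth a look even with a plain http(s) target,
    # because the MSHTML chain starts from exactly that relationship.
    for entry in findings["external_targets"]:
        name, rel_type, target = entry
        if rel_type == "oleObject" and entry not in findings["suspicious_targets"]:
            reasons.append(f"{name}: external OLE object target {target!r}")
    if findings["has_vba"]:
        reasons.append("document carries a VBA project (vbaProject.bin)")
    return reasons


def build_sample_docx(rels_xml: str, include_vba: bool = False) -> bytes:
    """Build a minimal, constructed OOXML container with just enough parts to scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        if include_vba:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only, constructed
    return buf.getvalue()


# Constructed relationship parts mimicking the two document types described above.
LURE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
    Target="mhtml:http://example.invalid/word.html!x-usc:http://example.invalid/word.html" TargetMode="External"/>
</Relationships>"""

BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    samples = (("mshtml-lure", build_sample_docx(LURE_RELS)),
               ("macro-doc", build_sample_docx(BENIGN_RELS, include_vba=True)))
    for label, doc in samples:
        print(label, triage(scan_docx(doc)) or ["nothing flagged"])
```

Run it against a real sample by replacing the constructed bytes with `open(path, "rb").read()`; a clean document yields no reasons, while the first document type in the campaign surfaces the external OLE relationship and the second surfaces the VBA project. The scan stays read-only and never resolves the external target, so it is safe to run on untrusted files.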

Threat Actor Activity

Genesis Market Purchased Three Months After FBI Seizure

An unknown buyer has purchased the sanctioned dark web marketplace Genesis Market, roughly three months after the Federal Bureau of Investigation (FBI) seized its domains in April 2023. Genesis Market is a well-established English/Russian dark web marketplace where threat actors sell packages, referred to as "bots", at a set price. These packages typically bundle user account credentials, IP addresses, browser cookies, and browser fingerprints, giving other threat actors the means for account takeover. Similar data is sold on marketplaces such as Russian Market and 2easyShop; unlike those, however, Genesis does not disclose which malicious programs were used to collect the package data. The United States sanctioned Genesis Market in April 2023, and the FBI seized some of the domains it used to communicate. Despite these obstacles, an anonymous user purchased the entire Genesis Market site last week. A statement posted by the account "GenesisStore" reads, "A buyer has been found and a deposit has been made. The store will be handed over to a new owner next month...Accounts on the forums will not be transferred." The assets to be handed over to the expected new instance of Genesis include all databases except client data, the source code, scripts, and the remaining server infrastructure. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.

Vulnerabilities

Critical ICS "Crit.IX" Vulnerabilities Could Be Exploited to Conduct RCE

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of multiple critical industrial control system (ICS) vulnerabilities, collectively dubbed "Crit.IX". The flaws affect Honeywell's Experion Distributed Control System (DCS) platform, which is deployed worldwide in power plants, chemical plants, automotive manufacturing, and agricultural production facilities. Nine (9) flaws were found, seven (7) of them rated critical, in Honeywell's proprietary Control Data Access (CDA) protocol, which carries communication between Experion servers and C300 controllers. The weakness classes are "Heap-based Buffer Overflow, Stack-based Buffer Overflow, Out-of-bounds Write, Uncontrolled Resource Consumption, Improper Encoding or Escaping of Output, Deserialization of Untrusted Data, Improper Input Validation, and Incorrect Comparison". If successfully exploited, the flaws could allow an unauthenticated attacker to achieve remote code execution (RCE) and take complete control of the affected DCS controllers. An attacker could then impersonate the controller and/or the server, altering DCS operations while hiding evidence of the activity from the administrators and systems that manage the controllers. A state-sponsored group that had already compromised IT, IoT, or OT assets on the same network as the DCS devices could use this to sabotage the process and halt operations. Armis Security researchers, who originally reported the vulnerabilities, noted that in "the disclosure process we learned that due to reuse of the vulnerable code in other products, the vulnerabilities also affect Honeywell's LX and PlantCruise platforms." To mitigate the threat of exploitation, Honeywell recommends that users upgrade their Experion platforms to version R520.2.
These vulnerabilities are not isolated incidents; they reflect fundamental weaknesses in how ICS infrastructure has historically been developed, and it is likely that some of the patched issues can still be reached through other techniques. CTIX analysts recommend that all organizations running affected products apply the update and follow the security best practices Honeywell publishes for Experion devices, in particular keeping the control network segment that carries CDA traffic isolated from IT and other networks so that an attacker who lands elsewhere cannot reach the controllers. These best practices are detailed in the Armis Security report and the CISA advisory linked below. CTIX analysts will continue to monitor this matter and may publish updates in future FLASH reports as the situation develops.

Honorable Mention

New WormGPT AI Tool Creates a New Avenue for Sophisticated Cyber Attacks

With the surge of artificial intelligence (AI) tools being offered to the public and integrated into business practices, it is no surprise that such tools are now being tailored for cybercriminals. A recently discovered cybercrime tool called WormGPT offers malicious actors a black-hat alternative to mainstream GPT models. WormGPT gives adversaries a faster route to sophisticated phishing and business email compromise (BEC) attacks by generating convincing, highly personalized fake emails, raising the success rate of their campaigns. Mainstream platforms such as ChatGPT and Google Bard apply anti-abuse safeguards that limit the misuse of large language models (LLMs), which have already been used to fabricate phishing emails and write malicious code. WormGPT, as advertised on underground forums, runs without ethical boundaries or anti-abuse safeguards, giving novice cybercriminals without strong technical skills an easy, streamlined way to launch attacks. Without needing to "jailbreak", manipulate, or modify existing AI models, WormGPT and other emerging black-hat generative AI models allow unskilled cybercriminals to conduct targeted cyberattacks with the leverage AI provides, ultimately increasing the likelihood that victims face sophisticated cyber threats.

