Date: 2023-07-13

Malware Activity

Researchers Publish Deep Dive on Emerging "Big Head" Ransomware Strain

An emerging ransomware strain dubbed "Big Head" has been identified in malvertising campaigns that promote fraudulent Microsoft Word installers and Windows updates. Researchers initially discovered two (2) samples of the malware in May of 2023 and published an initial report in mid-June of 2023. Additional researchers published a deep dive in early July that discussed the technical aspects of the ransomware operation as well as a third variant. The three (3) samples were found to share the same contact email address in their ransom notes, leading researchers to believe they come from the same developer. In the attack chain of the first sample, researchers noted three (3) executables: one that drops a copy of itself for propagation purposes, a Telegram bot for establishing communication, and the ransomware itself, which encrypts files, encodes them in Base64, and displays a fraudulent Windows update screen. The ransomware in this sample also deletes system backups and disables various processes, including the Task Manager. Researchers noted that the malware terminates itself if the system's language matches the Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, or Uzbek country codes. The second sample has both ransomware and information-stealer capabilities. Like the first sample, it drops a copy of itself on the victim machine and encrypts various file types. It also collects the following data: browser history from all available browsers, a list of directories and running processes, the product key, networks, a replica of drivers, and a screenshot of the machine's display taken after the malware executes. In the third sample of Big Head, researchers discovered the "Neshta" file infector. Neshta is a virus that infects a machine and inserts malicious code into executable files; in the Big Head deployment it serves as a "camouflage technique" for the final payload. The researchers emphasize that the technique "can make the piece of malware appear as a different type of threat, such as a virus, which can divert the prioritization of security solutions that primarily focus on detecting ransomware." The ransom note for this sample differs from those identified in the previous samples. Significant information on the malware developer has yet to be published. Indicators of compromise (IOCs) and additional technical details can be viewed in the reports linked below.
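The behaviours described above (deleting system backups, disabling Task Manager, and reaching out to a Telegram bot) are more useful to a defender as a correlated pattern than as isolated alerts. The following is an added example written for this digest, not code from the Big Head report or its authors: it runs three behavioural rules over constructed endpoint telemetry lines and raises a high-severity alert only when a host shows more than one behaviour inside a short window. The log format, the host names, the `vssadmin`/`wmic`/`wbadmin` command patterns, the `DisableTaskMgr` registry value, and the `api.telegram.org` destination are assumptions for the example, not indicators taken from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry lines (not from the report): "<utc timestamp>|<host>|<event kind>|<details>".
# HOST1 shows all three behaviours within seconds; HOST2 only lists shadow copies (benign);
# HOST3 only disables Task Manager. The commands and registry value below are assumed
# detection surfaces for this example, not IOCs published for Big Head.
SAMPLE_EVENTS = [
    r"2023-07-10T09:12:01Z|HOST1|process|pid=4120|cmd=C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"2023-07-10T09:12:03Z|HOST1|registry|pid=4120|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|value=DisableTaskMgr|data=1",
    r"2023-07-10T09:12:05Z|HOST1|network|pid=4120|dst=api.telegram.org:443",
    r"2023-07-10T09:30:00Z|HOST2|process|pid=880|cmd=C:\Windows\System32\vssadmin.exe list shadows",
    r"2023-07-10T10:00:00Z|HOST3|registry|pid=1200|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|value=DisableTaskMgr|data=1",
]

# Each rule: (technique name, event kind it applies to, pattern over the details field).
RULES = [
    ("backup_deletion", "process",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
                r"wbadmin(\.exe)?\s+delete\s+catalog)", re.I)),
    ("taskmgr_disabled", "registry",
     re.compile(r"value=DisableTaskMgr\|data=1\b", re.I)),
    # Legitimate Telegram clients hit this host too, so on its own this rule is low signal.
    ("telegram_bot_c2", "network",
     re.compile(r"dst=api\.telegram\.org:443", re.I)),
]


def parse_event(line):
    """Split one telemetry line into timestamp, host, event kind and the remaining details."""
    ts, host, kind, rest = line.split("|", 3)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host,
        "kind": kind,
        "rest": rest,
    }


def match_rules(event):
    """Return the names of all rules whose kind and pattern match this event."""
    return [name for name, kind, rx in RULES
            if event["kind"] == kind and rx.search(event["rest"])]


def correlate(lines, window=timedelta(minutes=10)):
    """Group rule hits per host and score the largest set of distinct techniques
    observed inside `window`. Two or more techniques together is treated as high severity;
    a single technique is reported as low so that it can be triaged rather than ignored."""
    hits = defaultdict(list)  # host -> [(timestamp, technique)]
    for line in lines:
        ev = parse_event(line)
        for tech in match_rules(ev):
            hits[ev["host"]].append((ev["ts"], tech))

    alerts = {}
    for host, items in hits.items():
        items.sort()
        best = set()
        # Sliding window anchored on each hit: collect techniques seen within `window` after it.
        for i, (t0, _) in enumerate(items):
            techs = {tech for t, tech in items[i:] if t - t0 <= window}
            if len(techs) > len(best):
                best = techs
        alerts[host] = {
            "techniques": sorted(best),
            "severity": "high" if len(best) >= 2 else "low",
        }
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert["severity"], ", ".join(alert["techniques"]))
```

The correlation window is the important design choice: backup deletion followed within minutes by tampering with Task Manager is far more specific to ransomware than either event alone, while a lone Telegram connection or a single registry change is left at low severity for analyst review.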

Threat Actor Activity

Threat Actors Target European Ministries with "SmugX" Campaign

Threat actors have begun to distribute malware through a new campaign tracked as "SmugX". While no threat organization has been confirmed behind these attacks, certain indicators of compromise show traces to a command-and-control (C2) server utilized by RedDelta/Mustang Panda, well-established threat organizations operating on behalf of the Chinese state. The campaign compromises a user or computer network through a technique known as HTML smuggling, in which malicious code is embedded within HTML documents. Because the code is buried within the HTML document, most anti-virus and security detection software will not immediately flag the malware as suspicious. Using themed lures surrounding European domestic and foreign policies, the threat actors focused on targeting those involved with governmental ministries throughout Eastern Europe. Once the document is opened by the user, the embedded HTML code begins to fetch the payload and download it to the associated system. The core malware deployed in this campaign is known as "PlugX", a remote access tool (RAT) used by threat groups like RedDelta/Mustang Panda for file exfiltration, screen captures, keylogging, command execution, and further malware deployment on the compromised system. CTIX continues to track threat actor activity worldwide and will provide additional updates accordingly.
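Because HTML smuggling assembles the payload inside the browser rather than fetching a recognisable file over the network, a mail gateway or web proxy has to look at the HTML itself. The example below is added here and is not code from the SmugX research: it scans an HTML document for the JavaScript primitives smuggling relies on (`atob`, `Blob`, `URL.createObjectURL`, `msSaveOrOpenBlob`, a programmatic `download` attribute and an automatic `click()`), decodes any long inline base64 string, and checks the decoded bytes for archive or executable magic numbers so that a benign page with an inline base64 image is not flagged on the string alone. The two HTML samples, the indicator names and the scoring thresholds are constructed assumptions for the example.

```python
import base64
import re
from dataclasses import dataclass, field

# Constructed benign page: a script, but no decoding, no Blob, no forced download.
BENIGN_HTML = """<html><body><h1>Ministry newsletter</h1><div id="d"></div>
<script>document.getElementById('d').textContent = new Date();</script>
</body></html>"""

# Constructed stand-in for a smuggled archive: a ZIP local-file-header signature followed by
# zero bytes (not a real archive), base64-encoded the way a smuggling page embeds its payload.
FAKE_ZIP_B64 = base64.b64encode(b"PK\x03\x04" + bytes(60)).decode()

# Constructed page exhibiting the smuggling pattern: decode inline base64, wrap it in a Blob,
# attach an object URL to an anchor with a download name, and click it without user action.
SMUGGLED_HTML = """<html><body><p>Loading document...</p>
<script>
var payload = "__B64__";
var bytes = atob(payload);
var blob = new Blob([bytes], {type: 'application/zip'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'policy_brief.zip';
document.body.appendChild(a);
a.click();
</script></body></html>""".replace("__B64__", FAKE_ZIP_B64)

# JavaScript primitives commonly combined in HTML smuggling. Each one is legitimate on its own;
# the scanner scores their co-occurrence rather than any single match.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*="),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}

# Quoted base64 runs long enough to carry a file rather than a short token.
B64_BLOB = re.compile(r"[\"']([A-Za-z0-9+/]{64,}={0,2})[\"']")

# Magic numbers of payload containers worth flagging when found inside an HTML page.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\x7fELF": "elf"}


@dataclass
class Finding:
    indicators: list = field(default_factory=list)
    embedded_types: list = field(default_factory=list)
    score: int = 0
    verdict: str = "clean"


def embedded_file_types(html):
    """Decode every long inline base64 string and report recognised file types."""
    kinds = []
    for m in B64_BLOB.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for magic, kind in MAGIC.items():
            if raw.startswith(magic):
                kinds.append(kind)
    return kinds


def scan_html(html):
    """Score an HTML document for smuggling traits and return a Finding."""
    finding = Finding()
    finding.indicators = [name for name, rx in INDICATORS.items() if rx.search(html)]
    finding.embedded_types = embedded_file_types(html)
    # An embedded executable/archive weighs more than any single JavaScript primitive.
    finding.score = len(finding.indicators) + 2 * len(finding.embedded_types)
    if finding.score >= 4:
        finding.verdict = "likely-smuggling"
    elif finding.score >= 2:
        finding.verdict = "suspicious"
    return finding


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("smuggled", SMUGGLED_HTML)):
        f = scan_html(doc)
        print(label, f.verdict, f.score, f.indicators, f.embedded_types)
```

The magic-number step matters in practice: marketing mail routinely carries inline base64 images, and flagging on string length alone would drown the signal. Real campaigns also split or lightly obfuscate the blob, so a production scanner would additionally concatenate adjacent string literals and handle reversed or XOR-masked encodings before decoding.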

Vulnerabilities

Android Critical Vulnerability Added to CISA KEV Catalog

Google's July 2023 security update has fixed more than forty (40) vulnerabilities, with three (3) of the flaws being actively exploited by threat actors in the wild. Of the three (3), one (1) critical Android flaw has been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog, mandating that all Federal Civilian Executive Branch (FCEB) agencies patch the flaw by July 28, 2023. The patches were released on July 1 and July 5, 2023, with the first addressing vulnerabilities impacting the framework and system components, and the second mitigating vulnerabilities in the kernel and closed-source components. The vulnerability added to CISA's KEV is tracked as CVE-2021-29256 and is described as a use-after-free vulnerability affecting the GPU kernel drivers of specific versions of the Arm Mali Bifrost, Valhall, and Midgard families. An unprivileged attacker could exploit the flaw through improper operations on GPU memory, gaining access to already-freed memory. If successful, the threat actor could escalate their privileges to root as well as gain access to sensitive information. Although only FCEB agencies are mandated to patch the vulnerability added to the KEV, any organizations or users impacted by this flaw should patch their devices immediately, as the vulnerability is under active attack. CTIX analysts will continue to report on the most critical vulnerabilities and provide real-time intelligence for our readers.

Honorable Mention

State Level Digital Privacy Rules Grow, Lacking Federal Legislation

After the American Data and Privacy Protection Act (ADPPA) did not pass last year, the House Energy and Commerce Committee has begun drafting a new version that it hopes will advance this year on the House floor. In the meantime, individual states are taking matters into their own hands and pushing forward on data privacy legislation in the absence of Congressional action. A new amendment to a California digital privacy law passed in 2018, enforceable as of July 2023, gives residents the right to limit the use and disclosure of sensitive personal information collected about them while also requiring businesses to alert consumers to their privacy practices. The law also calls for the creation of an entity dedicated to enforcing it, with the California Privacy Protection Agency taking over rulemaking from the California attorney general. In Colorado, a new law requires businesses to obtain opt-in permission from consumers before processing their sensitive data, which is seen as a strong consent standard for processing personal data. This law also extends to nonprofit organizations, not just commercial entities. A Connecticut law likewise requires businesses to obtain opt-in permission before sharing consumers' personal data. It goes beyond the precedent of other state laws by implementing more stringent default protections for adolescents' data, limiting the use of facial recognition technology, and offering consumers greater choice in how their data is handled. Given the lack of federal legislation and the growing momentum of state digital privacy rules, privacy advocates and industry officials alike seek a single national standard governing data privacy protection, in order to avoid a patchwork of disparate state laws that provide uneven protections and risk costly compliance burdens and overall confusion.

