2023-12-19

Ransomware/Malware Activity

New Trojan Targets macOS Devices

A new trojan has been discovered in the wild targeting macOS, distributed through pirated versions of business software. The malware begins by disguising itself as the program the user is trying to download, but once installed it creates a hidden proxy server within the system. This creates a backdoor into the network and also allows traffic to be redirected through the infected device. This can allow the threat actor to use the victim's network and devices for a variety of purposes, such as enrolling them in a botnet, routing internet traffic through the network to obfuscate illegal activity, or installing additional malware onto the network. The threat actors have configured the trojan to use DNS-over-HTTPS, also known as DoH, so that its name resolution blends in with ordinary encrypted web traffic and security services treat it as non-malicious. This allows the trojan to communicate with the command-and-control (C2) server without alerting the network owners. It is noted, however, that the C2 server sits at a single location and does not appear to have backups, meaning that blocking that C2 server IP can permanently cripple the current version of the trojan. Another notable feature is that the trojan creates multiple files that it does not remove, allowing for easier identification of an infection. This new trojan, albeit somewhat simple, is part of a wave of macOS trojans that took off in 2019 and that appears to target casual users in order to grow botnets in size and capability. CTIX analysts will continue to monitor the prevalence of botnet trojans and their ever-increasing target spread.
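DoH hides the content of lookups, but not the fact that a host has started talking to a DoH resolver while its ordinary port-53 DNS goes quiet. The following is an added illustration of that defensive heuristic, not code from the CTIX report or from any vendor; it assumes Zeek-style ssl.log and dns.log fields and a short, assumed list of well-known public DoH resolver hostnames, and runs over constructed sample log lines.

```python
from collections import defaultdict

# Assumption (not from the report): hostnames of a few well-known public DoH resolvers.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}

# Constructed sample logs, Zeek-like and tab-separated.
# ssl.log fields: ts, src, dst, server_name (SNI); dns.log fields: ts, src, query.
# 10.0.0.5 resolves only via DoH, 10.0.0.7 uses plain DNS, 10.0.0.9 bootstraps DoH via plain DNS.
SSL_LOG = """\
1702944000.1\t10.0.0.5\t8.8.8.8\tdns.google
1702944001.2\t10.0.0.5\t203.0.113.10\tc2-placeholder.invalid
1702944002.3\t10.0.0.7\t93.184.216.34\twww.example.com
1702944003.4\t10.0.0.9\t1.1.1.1\tcloudflare-dns.com
"""
DNS_LOG = """\
1702944000.5\t10.0.0.7\twww.example.com
1702944003.0\t10.0.0.9\tcloudflare-dns.com
"""


def parse_tsv(text):
    """Split non-empty tab-separated lines into lists of fields."""
    return [line.split("\t") for line in text.splitlines() if line.strip()]


def doh_suspects(ssl_text, dns_text):
    """Return {src: [reasons]} for hosts that opened TLS sessions to a DoH resolver.
    A host that shows no plain DNS at all on top of that gets a second, stronger reason."""
    doh_by_host = defaultdict(set)
    tls_by_host = defaultdict(int)
    dns_by_host = defaultdict(int)
    for _ts, src, _dst, sni in parse_tsv(ssl_text):
        tls_by_host[src] += 1
        if sni.lower() in DOH_RESOLVERS:
            doh_by_host[src].add(sni.lower())
    for _ts, src, _query in parse_tsv(dns_text):
        dns_by_host[src] += 1
    findings = {}
    for src, resolvers in doh_by_host.items():
        reasons = ["TLS to DoH resolver(s): " + ", ".join(sorted(resolvers))]
        # A host that looked up the resolver's name over port 53 is far less
        # suspicious than one whose lookups never touch port 53 at all.
        if dns_by_host[src] == 0:
            reasons.append(f"no plain DNS seen but {tls_by_host[src]} TLS sessions")
        findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in doh_suspects(SSL_LOG, DNS_LOG).items():
        print(host, "->", "; ".join(reasons))
```

Hosts that legitimately use DoH (some browsers enable it by default) will trip the first reason, so the second reason, or correlation with a block on the reported C2 IP, is what makes a finding worth escalating.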

Threat Actor Activity

Lazarus Group Deploying Remote Access Trojans while Exploiting Log4j Vulnerabilities

A new global campaign being tracked as Operation Blacksmith has been tied back to the Lazarus Group, the notorious North-Korean-linked threat actors. The operation exploits security flaws in Log4j to install previously undocumented remote access trojans (RATs) onto victims' devices. Researchers have observed the use of three (3) DLang-based malware families so far, including NineRAT, which uses Telegram to establish command-and-control (C2). The vulnerability these attacks are currently exploiting is tracked as CVE-2021-44228, also known as Log4Shell, and the manufacturing, agriculture, and physical security sectors have been the main targets. Researchers have tied these latest tactics more specifically to the Lazarus sub-group Andariel (aka Onyx Sleet), which is often seen engaging in initial access, reconnaissance, and the establishment of longer-term access for Lazarus Group activities. The NineRAT malware is used in these attacks as the main channel for interaction with infected endpoints and has the capability to receive commands that gather system information, upload and download files, and uninstall or upgrade itself, all while using the legitimate Telegram messaging service for C2 communications, which helps it evade detection. The multitude of backdoor tools observed in use for Operation Blacksmith shows a strong emphasis on maintaining persistent access. CTIX analysts will continue to monitor the ongoing operation for evolving developments.

Vulnerabilities

Qlik Sense Actively Exploited to Deliver Ransomware

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two (2) actively exploited critical vulnerabilities affecting the Qlik Sense data analytics solution to the Known Exploited Vulnerabilities (KEV) catalog. Qlik Sense is an application heavily used by government organizations and large companies for visualizing and analyzing data, helping to build interactive dashboards and reports, as well as extracting data from various sources. The first flaw, tracked as CVE-2023-41265 (CVSS 9.6/10), is an HTTP tunneling vulnerability, allowing threat actors to escalate their privileges and execute HTTP requests on the server hosting Qlik Sense. The second flaw, tracked as CVE-2023-41266 (CVSS 8.2/10), is a path traversal flaw allowing unauthenticated remote attackers to craft malicious HTTP requests that create anonymous sessions, permitting the attackers to send additional requests to other endpoints. These vulnerabilities are being chained together in exploitation to deliver ransomware and have already been used in a series of attacks by the Cactus ransomware group and several other threat actors. Qlik is very popular, having at least 40,000 users, and according to Shodan scans, approximately 6,000 instances are publicly exposed to the internet, many belonging to U.S.-based organizations. Since the application is used for data analytics, it is likely provisioned with both database and network access, making it a very high-value target for attackers. The vulnerabilities' presence on the KEV mandates that all Federal Civilian Executive Branch (FCEB) agencies become compliant by applying patches no later than December 28, 2023. CTIX analysts urge any administrators responsible for Qlik instances to ensure that they are running a secure version. The servers hosting Qlik should also not be public-facing or accessible from outside of the network.

