Pirrit is a persistent Mac adware family notorious for pushing intrusive and deceptive advertisements to users that, when clicked, download and install unwanted apps that come with information-gathering features. Pirrit is one of the oldest and most active Mac adware families and is known to change constantly in an attempt to evade detection, so it is unsurprising that it has already begun adapting to the M1.
Furthermore, the GoSearch22 adware presents itself as a legitimate Safari browser extension, but it collects user data and serves a large number of ads such as banners and popups, including some that link to malicious websites in order to proliferate more malware. The adware was signed with an Apple Developer ID in November 2020 to further conceal its malicious content, but that certificate has since been revoked.
The Windows operating system (OS) is the most popular desktop operating system, used by more than 75% of desktop users, and it has also become one of the products most targeted by cyberattacks. Windows has been a direct target of malware: according to the latest findings, more than 80% of detected malware is Windows malware. Two updated versions of the LodaRAT malware were discovered targeting Windows users; the attack vector used in these attacks was spam email with links to malicious applications or documents. The TrickBot malware, reported on earlier, also came back with a newer version that uses the Windows Task Scheduler as its mechanism for reloading the malware. Meanwhile, cybersecurity experts have warned against continuing to use Windows 7, which reached end-of-life on January 14, 2020, in order to minimize the impact of the several attacks on Windows products. Microsoft advised updating systems to address the critical Zerologon flaw (tracked as CVE-2020-1472), a vulnerability that allows an attack against Microsoft Active Directory domain controllers.
In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
However, if your organization runs an OWA server exposed to the internet, assume compromise between 02/26 and 03/03 and check for 8-character .aspx files in C:\inetpub\wwwroot\aspnet_client\system_web\. If you get a hit on that search, you're now in incident response mode.
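One way to run that check on the Exchange server itself, as an added example that is not code from the original post: it lists every 8-character .aspx file under the directory named above, records its timestamps and hash for the incident record, and assumes (an assumption, not stated on the page) that the 02/26-03/03 window falls in 2021.

```powershell
# Added example (not code from the original post): runs the check described above
# on the Exchange server. Assumes rights to read the IIS content directory and that
# the 02/26-03/03 window refers to 2021 (an assumption; adjust $Start/$End as needed).
$Path  = 'C:\inetpub\wwwroot\aspnet_client\system_web'
$Start = Get-Date '2021-02-26'
$End   = (Get-Date '2021-03-03').AddDays(1)   # makes 03/03 itself inclusive

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "Directory not found: $Path (non-default IIS layout, or no OWA role on this host)"
    return
}

# Indicator from the text: an .aspx file whose base name is exactly 8 characters.
# Files outside the date window are still listed, because timestamps can be altered;
# the InWindow column only tells you which ones match the stated timeframe.
$Hits = Get-ChildItem -LiteralPath $Path -File -Filter '*.aspx' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName.Length -eq 8 } |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            Created   = $_.CreationTime
            LastWrite = $_.LastWriteTime
            InWindow  = ($_.CreationTime -ge $Start -and $_.CreationTime -lt $End)
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

if ($Hits) {
    $Hits | Format-Table -AutoSize
    Write-Warning ("{0} candidate file(s) found under {1}; preserve them and start incident response" -f @($Hits).Count, $Path)
} else {
    Write-Output "No 8-character .aspx files found under $Path"
}
```

Preserve any hit in place (copy it out with its timestamps rather than deleting it) so the file is available for forensic review.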
The campaign begins with attackers sending victims phishing emails that appear to come from a unified communications system used to streamline corporate communication. The email carries a malicious HTML attachment. Once the victims open the attached HTML file, they are redirected to a .xyz phishing domain disguised as a legitimate Google reCAPTCHA page in order to trick the users. After the reCAPTCHA is verified, the victims are sent to a fake Microsoft login phishing page. The login pages also carry the logos of the companies where the victims work, which reveals that the attackers have done their homework and are customizing their phishing landing pages to fit their victims' profiles in order to make the attack appear more legitimate. Once the victims have entered their login credentials on the attackers' site, a fake "validation successful" message is displayed to add legitimacy to the campaign.
In the spearphishing incident, upon downloading and executing the alleged job file, the victim would have unwittingly executed VenomLNK, an initial stage of more_eggs. By abusing Windows Management Instrumentation (WMI), VenomLNK enables the malware's plugin loader, TerraLoader, which then hijacks the legitimate Windows processes cmstp and regsvr32. While TerraLoader is being initiated, a decoy Word document is presented to the victim. The document is designed to impersonate a legitimate employment application, but it serves no functional purpose in the infection; it is merely used to distract the victim from the ongoing background tasks of more_eggs. TerraLoader then installs msxsl in the user's roaming profile and loads the payload, TerraPreter, an ActiveX control (.ocx file) downloaded from Amazon Web Services. At this point, TerraPreter begins beaconing to a command and control (C2) server via the rogue copy of msxsl. The beacon signals that the more_eggs backdoor is ready for Golden Chicken's customer to log in and begin carrying out their goal, whether it is to infect the victim with additional malware, such as ransomware, or to gain a foothold in the victim's network so as to exfiltrate data.
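The chain above leaves observable traces in process-creation telemetry: msxsl.exe running from the user's roaming profile, regsvr32 loading an .ocx control, and cmstp/regsvr32 launched through WMI. The following hunt over such records is an added example, not code from the original report; the record field names (Time, User, Image, CommandLine, ParentImage) and the sample events are constructed assumptions, so map the field names to whatever your endpoint telemetry actually exports.

```powershell
# Added example, not code from the original report: flags process-creation records
# that show the more_eggs traits described above. Field names and sample events are
# constructed assumptions; WmiPrvSE.exe is the parent of processes created through WMI.
function Find-MoreEggsTraits {
    param([Parameter(Mandatory)][object[]]$Events)

    $roaming = '\\Users\\[^\\]+\\AppData\\Roaming\\'   # the user's roaming profile path
    foreach ($e in $Events) {
        $name    = [System.IO.Path]::GetFileName($e.Image)
        $reasons = @()

        # msxsl.exe is a separately downloaded Microsoft tool, not part of a Windows
        # install; a copy running from the roaming profile matches TerraLoader's behaviour.
        if ($name -ieq 'msxsl.exe' -and $e.Image -imatch $roaming) {
            $reasons += 'msxsl.exe running from roaming profile'
        }
        # regsvr32 registering an .ocx (TerraPreter is delivered as an ActiveX control)
        if ($name -ieq 'regsvr32.exe' -and $e.CommandLine -imatch '\.ocx') {
            $reasons += 'regsvr32 loading an .ocx control'
        }
        # cmstp/regsvr32 launched through WMI show the WMI provider host as their parent
        if ($name -in @('cmstp.exe', 'regsvr32.exe') -and $e.ParentImage -imatch '\\WmiPrvSE\.exe$') {
            $reasons += "$name spawned via WMI provider host"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Time = $e.Time; User = $e.User; Image = $e.Image; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample events: one benign record and three that match the described chain.
$sample = @(
    [pscustomobject]@{ Time = '10:01'; User = 'ACME\jdoe'; Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe resume.docx'; ParentImage = 'C:\Windows\explorer.exe' },
    [pscustomobject]@{ Time = '10:02'; User = 'ACME\jdoe'; Image = 'C:\Windows\System32\cmstp.exe'; CommandLine = 'cmstp.exe /s setup.inf'; ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe' },
    [pscustomobject]@{ Time = '10:03'; User = 'ACME\jdoe'; Image = 'C:\Windows\System32\regsvr32.exe'; CommandLine = 'regsvr32.exe /s C:\Users\jdoe\AppData\Roaming\Microsoft\tp.ocx'; ParentImage = 'C:\Windows\System32\cmstp.exe' },
    [pscustomobject]@{ Time = '10:04'; User = 'ACME\jdoe'; Image = 'C:\Users\jdoe\AppData\Roaming\Microsoft\msxsl.exe'; CommandLine = 'msxsl.exe a.xml b.xsl'; ParentImage = 'C:\Windows\System32\regsvr32.exe' }
)
Find-MoreEggsTraits -Events $sample | Format-Table -AutoSize   # three of the four records are flagged
```

Each trait alone can have benign explanations (developers do run msxsl.exe), so treat a single hit as a lead to pivot on and the full sequence within one user session as the strong signal.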
According to Moxie, the software is riddled with vulnerabilities (the one example he gives is that it uses FFmpeg DLLs from 2012 that have not been patched with the 100+ security updates released since then). It was revealed that it is possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned, and there are virtually no limits on the code that can be executed. Such a file could, for example, run code that modifies not just the Cellebrite report being created in that scan, but also all previous and future Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite's reports into question. The malicious file could also, for example, insert fabricated evidence or subtly alter the evidence it copies from a phone. It could even write that fabricated or altered evidence back to the phone so that from then on, even an uncorrupted version of Cellebrite will find the altered evidence on that phone.