Researchers shared comprehensive details about a persistent threat actor group active since 2017. Dubbed as TA2541, the threat actor group has compromised many organizations across the Middle East, North America, Europe. The group is consistent in using its tactics, techniques, and procedures (TTPs) and has not evolved much since starting of its operations.
The attack starts with a spear-phishing email relevant to the target industry or individual. TA2541 does not include email contents related to current events, trending topics, or news for luring victims as is generally used by threat actors. Rather they use transportation-related expressions like charter, yacht, flight, aircraft, fuel, etc. themes to lure the victims of a targeted attack. The messages are always in English, and the campaign includes hundreds to thousands of the sheer number of messages with urgency to trick users to download the malware.
Earlier the threat group used the MS word attachments containing macros that further downloads the RAT but in recent campaigns as observed by researchers, the group is using Google Drive URLs embedded in emails that redirected the victim to obfuscated Visual Basic Script (VBS) file and on execution it invokes PowerShell to pull executable from text file hosted on platforms like Sharetext, and GitHub.
TA2541 executes PowerShell to query Windows Management Instrumentation (WMI) for getting information about anti-virus, firewalls, or other security products to attempt to disable them and collect system information before downloading the RAT on the victim machine. The group had distributed many different malware payloads available to buy on the dark web or can be downloaded from open-source repositories. But currently, the most used malware by the threat actor TA2541 is AsyncRAT. Irrespective of the malware downloaded, the tendency is to gain remote control of the compromised machine and steal data, but the researchers have not yet established the prime goal and from where the group is operating.
The campaign is still active, and the threat actor will continue to send phishing emails and deliver payloads to attack the victims around the world.
Other than the current common deliver payload AsyncRAT, the group also uses other popular payloads which include Parallax, NetWire, WshRAT.
Researchers also observed that the group start using DiscordApp URLs linked to the compressed file which further led to AgentTesla or Imminent Monitor and instead of using Google Drive, the group occasionally use OneDrive to host malicious Visual Basic Script (VBS) files.
Researchers point out that the attacker group may send compressed executables such as RAR files with embedded executables having URLs to Content Delivery Network (CDN) to host malware.
TA2541 email sending infrastructure constitutes Virtual Private servers and for C2 communication uses Dynamic DNS. The common pattern observed in TA2541 C2 domains and URLs containing keywords “kimjoy,” “h0pe,” and “grace”. Threat actor also regularly use the same hosting providers Artyom, Danilenko, GmbH, xTom, and domain registrars which includes No-IP, Netdorm, DDNS.
TA2541 remains an active threat in the cyber world and will continue most probably with the same TTPs used earlier with little change to its lure themes, delivery, and installation.
TA2541 will continue its use of AsyncRAT and vjw0rm for future campaigns and may also use other commodity malware to attack their targets.
TrickBot is targeting popular brand names mainly located in the US that include Microsoft, PayPal, Amazon, JPMorgan, American Express, Yahoo, among others to steal credentials and gain access to sensitive data.
TrickBot is a complex and versatile malware having more than 20 different modules, having the ability to perform all kinds of malicious activities that can be downloaded and executed on demand. It was originally a banking trojan and later evolved to carry more functionality including credential stealing, initial access, and used to fetch second-stage payloads such as ransomware. In this new campaign, the malware is very specific in choosing its target by implementing various tricks which indicate a strong technical background of malware authors. It normally spreads through emails and the latest campaign use self-propagation by exploiting Eternal Romance vulnerability. TrickBot’s new variant constitutes three interesting modules: injectDLL, tabDLL, pwgrabc, new de-obfuscation, and anti-analysis techniques.
The web injects module (inject.dll) performs browser data injection including javascript that can cause severe financial damage because of its ability to steal banking and credential information and the TrickBot capability to select victims to make it even more dangerous. As per the researchers, this module uses a web inject format from another popular banking trojan Zeus that can gather information from login sections on the targeted site and send that information to its C2 server. It also contains anti-analysis techniques as the injected payload is minified that is the code size is smaller which makes the code unreadable and obfuscated. The final payload which is responsible for grabbing keystrokes and submitting actions of webform is also minified and obfuscated. Another anti-analysis technique involves the Referer header as the analysts generally send automated requests to the Command-&-Control server to get fresh web-injects but as an anti-analysis technique, if the request does not contain a Referer header, the C2 server will not respond.
The second module tabDLL is also used to steal user credentials and its main goal is to spread the malware through a network share. It is carried out in multiple steps as it enables the storing of victim credentials in the LSASS application, Inject “Locker” module into explorer.exe application, through this infected explorer.exe forces the victim to enter login credentials to the application and later lock the session, store these credentials into LSASS application memory by using “mimikatz”, forwards the credentials to C2 server, at last, exploit EternalRomance vulnerability to spread to other machines on the network via SMBv1 network shares.
As per researchers, the pwgrabc module is a credential stealer for multiple applications. The targeted applications include OpenSSH; OpenVPN; Outlook; AnyConnect; Chrome; ChromeBeta; Edge; EdgeBeta; Filezilla; Firefox; TeamViewer; VNC; WinSCP; Git; Internet Explorer; KeePass; Precious; Putty; RDCMan; and RDP.
Researchers observed that the TrickBot malware authors are experienced and have the capability to make the malware more lethal and pay attention to minute details.
In the coming future, TrickBot remains a dangerous threat to organizations and requires monitoring.
Researchers have discovered five Critical security vulnerabilities in Moxa’s MXview web-based network management system open the door to unauthenticated remote code execution (RCE) as SYSTEM on any unpatched MXview server. The flaws are present in versions 3. x to 3.2.2 of the network management software, and is fixed in version 3.2.4 or higher.
These flaws could permit an attacker to create or overwrite critical files to execute code, gain access to the program, obtain credentials, disable the software, read and modify otherwise inaccessible data. It also allows remote connections to internal communication channels, or interact and use MQTT remotely.
CVE-2021-38452 – A path traversal vulnerability in the application, allowing the access or overwrite of critical files used to execute code.
CVE-2021-38454 – A misconfigured service that allows remote connections to MQTT, making it possible to remotely interact and use the communication channel.
CVE-2021-38456 – Use of hard-coded passwords.
CVE-2021-38458 – An issue with improper neutralization of special components that could lead to remote execution of unauthorized commands.
CVE-2021-38460 – A case of password leakage that could allow an attacker to obtain credentials.
A researcher discovered these three vulnerabilities CVE-2021-38452, CVE-2021-38454, and CVE-2021-38458 could be combined to achieve pre-authenticated RCE on vulnerable MXView instances with SYSTEM privileges.
CVE-2021-38452 could be misused to get hold of the plain-text MQTT password by reading the configuration file gateway-upper.ini, followed by using CVE-2021-38454 to inject rogue MQTT messages, triggering code execution through command injection on the server. An attacker injects malicious messages to the MQTT broker straight, bypassing all input validation made by the server, and conducts arbitrary remote code execution through the OS command injection vulnerability
