APT MuddyWater Engaged in Targeting Turkish Users by Using Malicious PDFs and Executables.
Suspected Threat Actors: MuddyWater (aka Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros)
Summary: Researchers recently observed a campaign by the Iran-based advance persistent threat (APT) group “MuddyWater” targeting Turkey. As an initial vector, the group is using the malicious PDFs and Microsoft Office documents masqueraded as legitimate documents related to Turkish Interior and Health Ministries including the Scientific and Technological Research Council of Turkey distributed via spear-phishing email messages. The PDF files distributed with embedded malicious links act as the first stage of infection and raises an error message to trick users to click on a link to resolve the issue. On clicking the link, the PDFs are redirected to URLs that host the XLS files having malicious macros that further deploy Visual Basic and PowerShell scripts.
VBA macros are used to gain persistence across reboots, setting up malicious VBS as well as PS scripts, and one interesting functionality was added into the latest malicious VBA code versions to track tokens by making HTTP requests to canary token from canarytokens[.]com used to serve many purposes like to keep track of successful infections, to use as a tool for anti-analysis, and to detect blocking of payload servers.
Researchers also observed some instances where instead of XLS files, the Windows executables (EXE) files were hosted by these malicious URLs and worked in a similar way to further deploy VBS and PS scripts. The EXE files used Turkish names and can also be delivered independently. Upon execution, the malicious EXE drops decoy Office or PDF document in hex format in a temporary folder. This decoy document opens and displays automatically to the victim by using a PDF or document reader and in background, the EXE starts its main malicious activity to download and execute other malicious PowerShell scripts.
The researchers have high confidence in attributing this campaign with APT “MuddyWater” based on TTPs, IOCs, technical indicators, infection chains used, code, meta-data, and other scripts that showed resemblance to earlier discovered MuddyWater artifacts.
Routers exposed to EternalSilence campaign by abusing UPnP Protocol
Summary: Researchers observed a malicious campaign “EternalSilence” exploiting Universal Plug and Play (UPnP) protocol – which is a connectivity protocol available in almost all modern routers – allowing the creation of port forwarding rules automatically on a router by other devices on a network. This attack converts the victim router into a proxy server which can be used by attackers to launch malicious attacks while hiding the location of attackers. The UPnP implementation is vulnerable as it allows remote attackers to add UPnP port forwarding entries through the device’s exposed WAN connection.
Under this campaign, the threat actors are trying to exploit EternalRed (CVE-2017-7494) and EternalBlue (CVE-2017-0144) on unpatched Linux and Windows machines which can further lead to other infections like cryptominers infections, initial access to corporate organizations, and initiate worm attacks to compromise whole corporate network. The attack attempts to expose TCP ports 139 and 445 of devices connected to the target router and the rulesets created by attackers contain the Spanish phrase “galleta silenciosa” which means “silent-cookie”.
A Critical Plugin RCE Vulnerability Affected 600k WordPress Sites
Summary: Essential Addons for Elementor, a popular WordPress plugin used in over a million sites, has been found to have a critical RCE vulnerability in version 5.0.4 and older. The flaw allows an unauthenticated user to perform a local file inclusion attack, such as a PHP file, to execute code on the site. With the plugin installed in over 1 million WordPress sites, that means there are over 600K sites that have not applied the security update yet.