WinorDLL64: A Backdoor From The Vast Lazarus Arsenal

Background:

When the Wslink downloader (WinorLoaderDLL64.dll) was first discovered in 2021, it had no known payload and no known attribution. Now ESET researchers have discovered a Wslink payload dubbed WinorDLL64. This backdoor reuses some of Wslink's functions and the Wslink-established TCP connection, which is encrypted with 256-bit AES-CBC. WinorDLL64 shares code similarities with the GhostSecret malware used by the North Korea-sponsored Lazarus Group.

Takeaway:

Wslink and WinorDLL64 use a well-developed cryptographic protocol to protect the exchanged data. Innovative advanced persistent threat groups like Lazarus frequently release new versions of their custom malware.

Clasiopa: New Group Targets Materials Research

Background:

Symantec researchers discovered attempts to disable Symantec Endpoint Protection. The threat group behind this activity, dubbed Clasiopa, has no established motivation or origin. It used some India-related strings (the “SAPTARISHI-ATHARVAN-101” mutex and the “iloveindea1998^_^” password), but these could be a false flag. It is possible (low confidence) that Clasiopa uses brute-force attacks on public-facing servers as an initial infection vector. Its custom Atharvan backdoor receives communication-schedule commands from its C2, which can set an interval between communication attempts and/or restrict communication to certain days of the week or certain days of the month. Clasiopa also uses a custom proxy tool, the Thumbsender hacking tool, and modified versions of the publicly available Lilith RAT.

Takeaway:

Clasiopa’s use of proxying and variable sleep intervals makes detection harder. A defense-in-depth approach should be used to stop sophisticated threats that evolve and employ various defense-evasion techniques.
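The schedule restriction described above is something a defender can look for in flow logs, even when the interval itself varies. The following added example (not from the Symantec report) profiles per-destination contact patterns over a constructed log and flags destinations that are only ever contacted on a few distinct weekdays across a long window; the log format, thresholds and function name are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow log, "ISO timestamp,destination" (not real data). 203.0.113.10 is
# contacted only on Mondays and Thursdays at 09:00 for four weeks, the kind of pattern
# a weekday-restricted schedule produces; 198.51.100.20 is contacted every day.
SAMPLE_LOG = """2023-01-02T09:00:00,203.0.113.10
2023-01-05T09:00:00,203.0.113.10
2023-01-09T09:00:00,203.0.113.10
2023-01-12T09:00:00,203.0.113.10
2023-01-16T09:00:00,203.0.113.10
2023-01-19T09:00:00,203.0.113.10
2023-01-23T09:00:00,203.0.113.10
2023-01-26T09:00:00,203.0.113.10
""" + "".join(f"2023-01-{d:02d}T{8 + d % 5:02d}:17:00,198.51.100.20\n" for d in range(2, 27))


def profile_destinations(log_text, min_contacts=6, min_span_days=14, max_weekdays=3):
    """Return a profile for each destination whose contacts, over a window of at least
    min_span_days, fall on no more than max_weekdays distinct weekdays (thresholds are
    assumptions to tune per environment; legitimate weekly jobs will also match)."""
    contacts = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, dst = line.split(",")
            contacts[dst].append(datetime.fromisoformat(ts))
    findings = {}
    for dst, times in contacts.items():
        times.sort()
        span_days = (times[-1] - times[0]).days
        weekdays = sorted({t.weekday() for t in times})  # 0 = Monday
        if len(times) < min_contacts or span_days < min_span_days or len(weekdays) > max_weekdays:
            continue
        # Inter-contact gaps in whole hours: a fixed interval plus a weekday restriction
        # yields only a handful of distinct values (here 72 h and 96 h).
        gaps = [round((b - a).total_seconds() / 3600) for a, b in zip(times, times[1:])]
        findings[dst] = {
            "contacts": len(times),
            "span_days": span_days,
            "weekdays": weekdays,
            "days_of_month": sorted({t.day for t in times}),
            "distinct_gap_hours": sorted(set(gaps)),
        }
    return findings

if __name__ == "__main__":
    for dst, profile in profile_destinations(SAMPLE_LOG).items():
        print(dst, profile)
```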


PureCrypter Targets Government Entities through Discord

Background:

Multiple government organizations in the Asia-Pacific and North America regions have been targeted with phishing emails aiming to deliver PureCrypter, a commodity downloader. These emails contained a Discord app link pointing to a malicious, password-protected ZIP file. At the time of analysis, Menlo Labs researchers were not able to retrieve the final payload from the compromised domain acting as a staging server. Analysis of similar PureCrypter samples showed that the likely payload was AgentTesla, or possibly another remote access trojan or stealer (Redline Stealer) or ransomware (Eternity, Philadelphia, and others).

Takeaway:

It is not clear why this seemingly unsophisticated actor using commodity malware decided to attack the government sector. Even if the motivation is purely financial, these unsophisticated attacks should be taken seriously. Theft of funds and ransomware attacks can be devastating, and the simple trick of delivering a cloud link to a password-protected archive appears to keep antivirus detection rates low.

S1deload Stealer – Exploring the Economics of Social Network

Background:

Bitdefender researchers analyzed a novel infostealer dubbed S1deload Stealer that became a significant threat in the second half of 2022. The infection typically starts with social engineering to prompt a user to download and open an archive file. The archive contains one visible, legitimate, digitally signed executable that is abused for DLL sideloading by hidden malicious files in the same archive. Additional malware and modules are delivered via two further cycles of downloading, extracting, and triggering DLL sideloading. S1deload Stealer can obtain user credentials, imitate human behavior to boost engagement on videos and other content, and mine the BEAM cryptocurrency.

Takeaway:

Users should be warned about the risk of running executable files from suspicious downloads. Unusually high CPU usage and overheating can be a sign that resources are being hijacked for cryptocurrency mining or for playing videos in a hidden browser.

Hydrochasma: Previously Unknown Group Targets Medical and Shipping Organizations in Asia

Background:

A new threat actor dubbed Hydrochasma has been targeting shipping companies and medical laboratories in Asia since at least October 2022. This campaign is likely motivated by intelligence gathering, with a possible interest in COVID-19-related treatments or vaccines. The attack likely starts with an email attachment: an executable mimicking a document file. Hydrochasma relies exclusively on publicly available and living-off-the-land tools. Fast Reverse Proxy and Meterpreter are dropped for remote access, followed by other tools for scanning (AlliN, Fscan, and Gogo), password dumping (BrowserGhost, Process Dumper), tunneling (Dogz, Gost, and SoftEtherVPN), remote control (Cobalt Strike), and other functions (HackBrowserData, Ntlmrelay).

Takeaway:

Defenders are advised to block the use of these publicly available tools on their infrastructure.
