February 2024: Latest Malware, Vulnerabilities and Exploits

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.

Our Picus CTI platform will enable you to identify threats targeting your region, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.

Top Threat Actors Observed in the Wild: February 2024

Here are the most active threat actors that have been observed in February in the wild.

CISA Releases IOCs for Phobos Ransomware as a Service Group

The advisory released on February 29, 2024, by the FBI, CISA, and MS-ISAC outlines the threat of Phobos ransomware, which operates under a ransomware-as-a-service (RaaS) model [1]. Since May 2019, Phobos has been actively targeting sectors such as

  • state and local governments,
  • emergency services,
  • education, and
  • public healthcare.

This widespread targeting underscores the ransomware's capability to infiltrate and paralyze critical infrastructure and services.

Phobos attackers gain initial access through vulnerabilities in Remote Desktop Protocol (RDP) ports, utilizing phishing techniques and brute-force attacks to compromise networks. Subsequent to gaining access, they deploy tools like Smokeloader, enhancing their ability to execute the ransomware, escalate their privileges, and navigate through the compromised networks all while evading detection by manipulating system settings.

The core of Phobos's malicious activity involves the encryption of essential files, followed by ransom demands for the decryption keys. To mitigate the threat posed by Phobos, the advisory emphasizes the importance of securing RDP ports, strictly limiting the use of RDP and any other remote desktop services, remediating known vulnerabilities, and deploying Endpoint Detection and Response (EDR) solutions.

Phobos  Ransomware IOC 

SHA256

58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6

SHA256

f3be35f8b8301e39dd3dffc9325553516a085c12dc15494a5e2fce73c77069ed

SHA256

518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c

SHA256

32a674b59c3f9a45efde48368b4de7e0e76c19e06b2f18afb6638d1a080b2eb3

SHA256

2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66

BlackCat Ransomware Group Targeting Finance and Healthcare Sectors

The ALPHV/Blackcat ransomware gang has targeted the financial and mortgage lending sectors, claiming responsibility for breaches at Prudential Financial and loanDepot [2]. These incidents exposed personal information of millions and highlighted vulnerabilities within major Fortune 500 companies and one of the largest U.S. nonbank retail mortgage lenders. ALPHV's actions, including the theft and intended sale or release of sensitive data, underscore the escalating threats ransomware groups pose to critical financial institutions and their customers' privacy.

The finance sector was not the only target of the BlackCat ransomware group; healthcare also had its share of attacks. UnitedHealth Group has confirmed that the BlackCat/ALPHV ransomware group orchestrated the cyberattack on its subsidiary, Optum, which disrupted the Change Healthcare payment exchange platforms on February 21 ([3], [4]). This disruption, critical to the U.S. healthcare system's billing processes across hospitals, clinics, and pharmacies, caused a nationwide disruption in prescription processing. The attack impacted over 100 applications across various healthcare services, leading to an immediate system shutdown. Despite efforts to isolate the compromised systems, Change Healthcare is still in the process of restoring affected service.

Following this, on February 27, the FBI, CISA, and the Department of Health and Human Services (HHS) issued a warning to U.S. healthcare organizations [5] regarding targeted ALPHV/Blackcat ransomware attacks. BlackCat is now exploiting the ScreenConnect vulnerability CVE-2024-1709 for initial access. For more information about this vulnerability, please refer to our latest update blog.

LockBit Ransomware Group Has Returned Within Four Days

The National Crime Agency, in collaboration with nine other international law enforcement agencies, initiated Operation Cronos on February 20th, 2024 [6], targeting the LockBit ransomware group, a dominant force responsible for 40% of ransomware attacks in the latter half of 2023. This operation aimed to disrupt LockBit's extensive criminal network, known for its Ransomware-as-a-Service (RaaS) model, double extortion schemes, and collaborations with Initial Access Brokers (IABs). LockBit's infrastructure, including their data leak websites, negotiation sites, and affiliate panels, were crucial for exerting pressure on victims to pay ransoms by threatening the release of stolen sensitive data.

During Operation Cronos, law enforcement successfully seized 34 servers across various countries and released a decryptor for LockBit 3.0 Black, offering a temporary reprieve to victims. This action disrupted LockBit's operations, revealing the group had 188 affiliates and significant Bitcoin holdings in unspent seized crypto-wallets. Despite these efforts, the operation failed to capture the elusive LockBitSupp, the mastermind behind LockBit, nor permanently dismantle the group's operations.

Just four days post-operation, LockBitSupp announced the restoration of their infrastructure, signaling a swift recovery and a significant setback for law enforcement [7]. The resilience of LockBit was attributed to their backup servers not reliant on PHP, which were untouched by Operation Cronos. This strategic foresight by LockBit highlights the advanced and decentralized nature of their operations, making it exceedingly difficult for law enforcement to enact lasting damage on such well-prepared cybercriminal networks. LockBit's rapid return to activity post-Operation Cronos underscores the ongoing challenges faced by global law enforcement in the battle against sophisticated and adaptable ransomware groups.

Latest Vulnerabilities and Exploits in February 2024

In this section, we will provide information on the latest vulnerabilities and exploits being targeted by adversaries in the wild, the affected products, and the available patches.

CVE-2024-21412: Windows Defender SmartScreen Zero-Day Vulnerability

This vulnerability is rooted in a failure to apply the "Mark-of-the-Web" (MotW), a security feature used by Windows to identify files originating from potentially untrusted sources, such as internet downloads, WebDAV, and SMB shares. Under normal circumstances, files downloaded from the web are tagged with MotW, prompting Windows Defender SmartScreen to issue alerts when such files attempt to execute or when a user tries to directly execute them. This mechanism acts as a critical defense, preventing unauthorized or malicious code from running without user knowledge or consent.

However, CVE-2024-21412 allowed attackers to bypass these protections by exploiting a flaw in the handling of internet shortcuts (.URL files) and other mechanisms [8]. Through crafted spear phishing campaigns and the use of compromised websites, the attackers distributed these malicious .URL files. When executed, these files did not carry the MotW tag, effectively blinding SmartScreen to their malicious intent. This oversight permitted the execution of the DarkMe malware without triggering the usual security warnings that would alert users to the potential danger.

By sidestepping SmartScreen's defenses, Water Hydra was able to execute its attack chain discreetly, infecting victims' machines without detection. The attack exploited the trust Windows places in files lacking the MotW designation, assuming they are safe and originate from a trusted source within the user's environment. This exploitation represents a significant breach of trust in the security mechanisms designed to protect users from the very type of attack Water Hydra orchestrated.

Released by Zero Day Initiative, there is a video explaining the patch of the CVE-2024-21412 vulnerability.

CVE-2024-1709 & CVE-2024-1708: ConnectWise ScreenConnect Vulnerability

ConnectWise has addressed two critical vulnerabilities, 

  • CVE-2024-1709 and 

  • CVE-2024-1708

in all on-premise ScreenConnect versions prior to 23.9.7 with an urgent security patch released on February 19, 2024 [9].

CVE-2024-1709, an authentication bypass vulnerability with a critical severity rating of 10/10, compromises ScreenConnect by allowing unauthorized users to manipulate URL access (exp. /SetupWizard.aspx/anygivenstring) to the setup wizard, potentially gaining full administrative privileges and executing arbitrary code.

On the other hand, CVE-2024-1708 exposes a path traversal vulnerability that attackers can exploit by altering file paths during ZIP archive extractions, specifically targeting ScreenConnect extensions, to achieve directory traversal and insert malicious files beyond intended directories. This naturally requires administrator-level privileges. This is why adversaries are exploiting these two vulnerabilities in collaboration, where they can create administrative accounts (with CVE-2024-1709) and leverage the new privileges to download malicious ZIP files (with CVE-2024-1708) on the target server.

The issued patch by ConnectWise significantly improves security measures by tightening access controls to the setup wizard and enhancing path validation procedures for ZIP file extractions. These improvements are designed to prevent unauthorized setup wizard access and ensure extracted files from ZIP archives are confined to specified directories, addressing the root causes of these two vulnerabilities. 

Despite the availability of patches, the inherent risks and the ease of exploiting these vulnerabilities underline the urgency for ScreenConnect users to apply the updates promptly to safeguard against potential attacks, emphasizing the importance of maintaining security in critical organizational tools.

CVE-2023-22527: Atlassian Confluence Vulnerability Explained

A critical vulnerability, identified as CVE-2023-22527, has been discovered in Atlassian Confluence, presenting a severe security risk with a CVSS score of 10 [10]. This vulnerability stems from a template injection flaw within the Object-Graph Navigation Language (OGNL), a component widely used in web applications for creating server-side templates. 

Affected Products 

Confluence Data Center and Server

8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0 - 8.5.3

Updated Products

Confluence Data Center and Server

8.5.4 (LTS)

Confluence Data Center

8.6.0 or later (Data Center only) and 8.7.1 or later (Data Center only)

Specifically, older versions of Confluence Data Center and Server are susceptible to remote code execution (RCE) attacks due to this flaw. Attackers can exploit this vulnerability by manipulating template files that accept user input without proper sanitization. This oversight allows an unauthenticated attacker to inject malicious OGNL expressions, leading to the execution of arbitrary code on the server hosting the Confluence instance.

The exploitation method involves attackers targeting specific .vm template files within Confluence, which improperly handle user-supplied input. For example, the vulnerability was pinpointed in the /confluence/template/aui/text-inline.vm file, where attackers could inject malicious code through parameters intended for legitimate page functions. This file, among others, failed to adequately sanitize input, enabling attackers to execute commands remotely on the affected system.

Addressing this vulnerability, Atlassian has released updates for Confluence Data Center and Server, particularly version 8.5.4 and later, which include patches to mitigate the risk of exploitation. These updates correct the vulnerability by ensuring that user input is properly sanitized and by removing or securing the affected template files. 

Recent Malware Attacks in February 2024

In February 2024, a variety of malware attacks were recorded, highlighting the persistent threat landscape. Below is a detailed list of the active malware incidents for the month. For those seeking a more comprehensive analysis or interested in the Indicators of Compromise (IOCs), please refer to the respective sections within this blog.

  • Fileless Revenge RAT Malware

  • DarkMe RAT and DarkMe RAT Loader Malware

  • TicTacToe Malware Dropper

  • Nood RAT Malware

Fileless Revenge RAT Malware

The Revenge RAT malware is a sophisticated threat that operates in a fileless manner, making detection and mitigation particularly challenging. It begins its infection chain by wrapping itself around legitimate tools, such as smtp-verifier and Email-To-Sms, thereby obscuring its malicious activities from users [11]. 

The malware executes by first generating and running a malicious file named Setup.exe, which is set to be hidden, making it invisible in Windows Explorer under normal conditions. This setup file is responsible for further malicious activities, including the generation of additional malware components like svchost.exe, which is also hidden and registered in the system's registry for persistence. 

These components engage in various nefarious activities, including connecting to a command and control server disguised as a legitimate blog, downloading and executing further payloads, and ultimately deploying the Revenge RAT. This RAT is capable of collecting and exfiltrating sensitive information from the infected machine, including system and user details, antivirus and firewall products being used, and more. 

The malware employs evasion techniques to bypass antivirus detection, such as using CMSTP evasion and registering malware files as exceptions in Windows Defender. The ultimate goal of the attackers is to execute the Revenge RAT in a fileless manner, highlighting the importance of caution when using open-source or publicly available tools and the necessity of downloading software from official sources.

Revenge RAT Malware IOC 

MD5

Revenge RAT

d1af87e121d55230353cbad9b7024fae

MD5

Setup.exe

6d5ad2adce366350200958c37f08a994

MD5

Setup.exe

914ec5019485543bb2ec8edcacd662a7

MD5

smtp-verifier.exe

42779ab18cf6367e7b91e621646237d1

MD5

Email To Sms V8.1.exe

fb34fe9591ea3074f048feb5b515eb61

DarkMe RAT and DarkMe RAT Loader Spreading via CVE-2024-21412

The DarkMe Loader and RAT represent sophisticated malware employed by the Water Hydra APT group (a.k.a DarkCasino) [12], known for targeting the 

  • financial industry, 
  • including banks, 
  • cryptocurrency platforms, 
  • forex, 
  • stock trading platforms, and 
  • gambling sites. 

These malicious binaries, marked by advanced obfuscation techniques, are utilized in highly orchestrated campaigns, enabling Water Hydra to compromise systems, evade security measures like Microsoft Defender SmartScreen, and execute a broad range of commands for financial espionage and data exfiltration.

The DarkMe Loader exhibits characteristics of a Win32 DLL compiled with Microsoft Visual Basic 6. Upon execution, it assembles a DarkMe payload by merging binary contents from files named a1 and a2, resulting in the creation of "C:\Users\admin\AppData\Roaming\OnlineProjects\OnlineProject.dll." 

This loader employs encoded hexadecimal strings within the binary to obfuscate crucial information, which is later decoded during execution. The malware then constructs and executes commands utilizing the reg.exe utility, importing registry settings from the "kb.txt" file, ultimately registering the DarkMe payload as a COM server.

DarkMe RAT Loader Malware IOC via VirusTotal

SHA1

d41c5a3c7a96e7a542a71b8cc537b4a5b7b0cae7 

SHA256

bf9c3218f5929dfeccbbdc0ef421282921d6cbc06f270209b9868fc73a080b8c

On the other hand, the DarkMe RAT serves as the final module delivered in this attack. Also compiled with Microsoft Visual Basic 6, it features heightened obfuscation and junk code. This DLL communicates with its Command and Control (C&C) server through a custom TCP protocol. Upon execution, DarkMe RAT collects system information, such as computer name, username, installed antivirus software, and active window title, subsequently registering the victim's system with the C&C server. Network communication is facilitated through a hidden window named SOCKET_WINDOW, using the CreateWindowEx Windows API. 

The RAT supports various functionalities, including directory enumeration, shell command execution, directory creation and deletion, system drive information retrieval, and ZIP file generation. The C&C registration packet structure and periodic heartbeat traffic ensure ongoing communication between the RAT and the attacker.

DarkMe RAT Malware IOC via VirusTotal

SHA1

a2ba225442d7d25b597cb882bb400a3f9722a5d4

SHA256

d123d92346868aab77ac0fe4f7a1293ebb48cf5af1b01f85ffe7497af5b30738

The Polish TicTacToe Dropper Malware Evading Detections

The "TicTacToe dropper" is a sophisticated malware delivery system that has been actively distributing various types of malware throughout 2023, targeting victims through phishing emails with .iso file attachments. Named for a Polish language string found in its code (Kolko_i_krzyzyk) [13], the dropper is designed to evade detection by employing multiple layers of obfuscation and memory-only loading of payloads. 

Upon execution, the dropper, initially contained in an executable such as 'ALco.exe', sequentially unpacks and executes further obfuscated .NET PE DLL files ('Hadval.dll' followed by 'cruiser.dll', and finally 'Farinell2.dll') directly in memory. This process avoids leaving traces on the disk, making detection by traditional antivirus software challenging. 

The final payload varies but has included a range of remote access tools (RATs) and information stealers such as Leonem, AgentTesla, and LokiBot, indicating a broad spectrum of cybercriminal activities aimed at espionage, data theft, and system compromise. 

The victims of this campaign have been diverse, indicating that the attackers behind the TicTacToe dropper have wide-ranging objectives and targets, leveraging the dropper's versatility and stealth to infect multiple victims across different sectors.

TicTacToe Malware IOC via Fortinet

SHA1

b6914b8fa3d0b67eb6173123652b7f0682cd24fb

SHA1

90624ba95243c7ec20730a101cad6966e75df675

SHA1

4a5b3465ef2298392b60ec78da233287185eb7dd

SHA1

15b3c9768a67ce0d09807627f1939c7165a3fede

SHA1

af14b44a1bdbf96b8fec28236f152d410c91e807

SHA256

69dfa8c16879ab1c6c3bb738619dabe9660f2376cb15051ce55e465680e4f67f

SHA256

3af5c0843b016faa6129e40b696565d4117b48fd6750164ac4a0f307ef3d6a36

SHA256

8fe52481cdabec8900f78cab1d673dbb1bde3366d9347a89c2ea8e2e74ab01b4

SHA256

0239bc35516d6d3680c64f7a5a5a40801c7b0ea4db8a80718e4774687c565af3

SHA256

349fada4859b8ffa4c690af723daa16669d6fa2b9f5ec51111adee2e8cb63748

Nood RAT Malware

Nood RAT, a Linux-focused variant of the well-known Gh0st RAT, has been actively used in cyberattacks since its first detection in 2018 [14]. Originating from the C. Rufus Security Team of China, Gh0st RAT's source code was made public, leading to the development of various variants, including Nood RAT, by malware authors. This variant, despite the dominance of its Windows counterparts, represents a significant threat to Linux systems.

The attack flow of Nood RAT typically begins with the exploitation of vulnerabilities, notably a WebLogic vulnerability identified as CVE-2017-10271. This method was notably used in the past to facilitate the Cloud Snooper APT attack, which aimed to hijack control of AWS servers through backdoor malware installation.

Upon execution, Nood RAT disguises itself as a legitimate process to evade detection. It uses the RC4 algorithm to decrypt its configuration data, which includes C&C server addresses, activation times, and communication intervals. This stealthy operation allows it to bypass network detection and carry out its malicious activities without immediate detection.

The malware's capabilities are extensive, including remote command execution, file management, proxy use, and port forwarding. These functions enable attackers to steal information, execute further malicious commands, and even use the infected system for lateral movements within the targeted network.

Nood RAT Malware IOC via AlienVault

MD5

b4910e998cf58da452f8151b71c868cb

MD5

035f83018cf96f5e1f6817ccd39fc0b6

MD5

b4910e998cf58da452f8151b71c868cb

MD5

4f3afdcfff8f7994b7d3d3fbaa6858b4

MD5

a15ebd19cac42b0297858018da62b1be

MD5

c440bd814be37fac669567131c4ba996

MD5

75838e5d481da40db2e235a6d5a222ef

MD5

905c2158fadfe31850766f010e149a0f

MD5

8457f71c6a5fe83bb513d1dfba99271a

SHA256

c830a233f716416e3754e46aa70e049d10989a48028f3879d425c3851c4dd761

SHA256

bf1b88385aebb37182421e967749f057fbefb4e4386bb47b5098abac7c70c476

SHA256

8ec87dee13de3281d55f7d1d3b48115a0f5e4a41bfbef1ea08e496ac529829c8

References

[1] “#StopRansomware: Phobos Ransomware,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a. [Accessed: Feb. 29, 2024]

[2] S. Gatlan, “ALPHV ransomware claims loanDepot, Prudential Financial breaches,” BleepingComputer, Feb. 16, 2024. Available: https://www.bleepingcomputer.com/news/security/alphv-ransomware-claims-loandepot-prudential-financial-breaches/. [Accessed: Feb. 28, 2024]

[3] I. Arghire, “State-Sponsored Group Blamed for Change Healthcare Breach,” SecurityWeek, Feb. 26, 2024. Available: https://www.securityweek.com/state-sponsored-group-blamed-for-change-healthcare-breach/. [Accessed: Feb. 28, 2024]

[4] J. Lyons, “ALPHV/BlackCat responsible for Change Healthcare cyberattack,” The Register, Feb. 26, 2024. Available: https://www.theregister.com/2024/02/26/alphv_healthcare_unitedhealth/. [Accessed: Feb. 28, 2024]

[5] S. Gatlan, “FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks,” BleepingComputer, Feb. 27, 2024. Available: https://www.bleepingcomputer.com/news/security/fbi-cisa-warn-us-hospitals-of-targeted-blackcat-ransomware-attacks/. [Accessed: Feb. 28, 2024]

[6] E. Kovacs, “Law Enforcement Hacks LockBit Ransomware, Delivers Major Blow to Operation,” SecurityWeek, Feb. 20, 2024. Available: https://www.securityweek.com/law-enforcement-hacks-lockbit-ransomware-delivers-major-blow-to-operation/. [Accessed: Feb. 28, 2024]

[7] H. C. Yuceel, “LockBit Returns: Lessons Learned From Operation Cronos,” Feb. 27, 2024. Available: https://www.picussecurity.com/resource/blog/lockbit-returns-lessons-learned-from-operation-cronos. [Accessed: Feb. 28, 2024]

[8] “CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day,” Trend Micro, Feb. 13, 2024. Available: https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html. [Accessed: Feb. 28, 2024]

[9] S. Özeren, “CVE-2024-1709 & CVE-2024-1708: ConnectWise ScreenConnect Vulnerability Exploitations,” Feb. 27, 2024. Available: https://www.picussecurity.com/resource/blog/cve-2024-1709-cve-2024-1708-connectwise-screenconnect-vulnerability-exploitations. [Accessed: Feb. 28, 2024]

[10] “Unveiling Atlassian Confluence Vulnerability CVE-2023-22527: Understanding and Mitigating Remote Code Execution Risks,” Trend Micro, Feb. 07, 2024. Available: https://www.trendmicro.com/en_us/research/24/b/unveiling-atlassian-confluence-vulnerability-cve-2023-22527--und.html. [Accessed: Feb. 28, 2024]

[11] Eswar, “Fileless Revenge RAT Abuses Legitimate Tools to Hide Malicious Activity,” GBHackers on Security | #1 Globally Trusted Cyber Security News Platform, Feb. 13, 2024. Available: https://gbhackers.com/fileless-revenge-rat-legitimate-tools/. [Accessed: Feb. 28, 2024]

[12] “CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day,” Trend Micro, Feb. 13, 2024. Available: https://www.trendmicro.com/tr_tr/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html. [Accessed: Feb. 28, 2024]

[13] A. Gat and M. Robson, “TicTacToe Dropper,” Fortinet Blog, Feb. 14, 2024. Available: https://www.fortinet.com/blog/threat-research/tictactoe-dropper. [Accessed: Feb. 28, 2024]

[14] Sanseo, “Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT’s Variant),” ASEC BLOG, Feb. 26, 2024. Available: https://asec.ahnlab.com/en/62144/. [Accessed: Feb. 28, 2024]