Hackers Use New .NET Loader Malware to Deliver Wide Range of Payloads
A previously undocumented .NET loader was identified during routine threat hunting. It downloads, decrypts, and executes a wide range of malicious payloads.
Multiple threat actors distributed this new loader extensively in early June 2023 through the following channels:
Malicious phishing emails
Deceptive YouTube videos
Fake web pages mimicking legitimate websites
Distribution channels (Source – Sekoia)
The cybersecurity researchers at Sekoia identified this new .NET loader and named this newly discovered loader malware “CustomerLoader.”
Security analysts appointed this name due to its Command and Control (C2) communications containing the term “customer” and its loading functionalities.
CustomerLoader exclusively retrieves dotRunpeX samples, which in turn deliver a diverse range of malware families, including:
Infostealers
Remote Access Trojans (RAT)
Commodity ransomware
In March 2023, the security experts at Checkpoint publicly documented dotRunpeX as a .NET injector that is equipped with multiple anti-analysis techniques.
The association between CustomerLoader and an undisclosed Loader-as-a-Service is highly probable.
The dotRunpeX developer may have added CustomerLoader as a stage before the injector is executed.
Infection chain (Source – Sekoia)
CustomerLoader samples employ multiple code obfuscation techniques and disguise themselves as legitimate applications. This slows down and prolongs analysis, and is likely the product of easy-to-use .NET code obfuscation tools.
Numerous such tools are accessible, even to non-experts, through the NotPrab/.NET-Obfuscator GitHub repository.
CustomerLoader uses AES in ECB mode for string obfuscation, with the decryption key stored in plaintext within the PE.
CustomerLoader evades detection by patching the AmsiScanBuffer function in amsi.dll so that it always returns AMSI_RESULT_CLEAN. Every scanned buffer is therefore reported as clean, and the malicious payload runs without being flagged by antivirus.
Function that patches AmsiScanBuffer (Source – Sekoia)
The loader executes the customer payload following this process:
CustomerLoader downloads an HTML page from an embedded URL.
A base64-encoded string is extracted from the page using the regex “/!!!(.*?)!!!/”.
The loader then decodes and decrypts the base64 string.
The decrypted payload is executed in memory using reflection.
The reflection code is obfuscated by shuffling, and .NET functions are loaded through the following function:
NewLateBinding.LateGet
CustomerLoader samples retrieve the encrypted payloads from their C2 server, with each payload linked to a unique customer ID and hosted at:
hxxp://$C2/customer/$ID
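As an added illustration (not code from Sekoia's report or from the loader itself), the following Python applies two of the details above from an analyst's side: it extracts the “!!!”-delimited base64 blobs from a retrieved HTML page for offline analysis, and it flags proxy-log requests whose path follows the /customer/$ID layout. The HTML page, payload bytes, host names and log lines are constructed samples.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Marker pattern the article attributes to CustomerLoader: the base64 payload
# sits between triple exclamation marks inside an otherwise ordinary HTML page.
STAGER_RE = re.compile(r"!!!(.*?)!!!", re.DOTALL)
# C2 path layout described on the page: hxxp://$C2/customer/$ID
C2_PATH_RE = re.compile(r"^/customer/(\d+)$")

# Constructed stand-in for the encrypted blob a real page would carry.
SAMPLE_PAYLOAD = b"\x8a\x11constructed-ciphertext-bytes\x00\xff"
# Constructed HTML page: one decoy marker that is not base64, one real blob.
SAMPLE_HTML = (
    "<html><body><p>Welcome!!! not base64 !!!</p>\n"
    "<!-- !!!" + base64.b64encode(SAMPLE_PAYLOAD).decode() + "!!! -->\n"
    "</body></html>"
)

def extract_embedded_blobs(html: str) -> list[bytes]:
    """Return every !!!-delimited span that decodes as strict base64."""
    blobs = []
    for match in STAGER_RE.finditer(html):
        candidate = match.group(1).strip()
        try:
            blobs.append(base64.b64decode(candidate, validate=True))
        except (binascii.Error, ValueError):
            continue  # decoy or ordinary text, not a staged payload
    return blobs

# Constructed proxy log: timestamp, client, method, URL (hosts are placeholders).
SAMPLE_PROXY_LOG = """\
2023-06-05T10:00:01Z 10.0.0.5 GET http://c2.example/customer/735
2023-06-05T10:00:02Z 10.0.0.5 GET http://www.example.com/customer/support
2023-06-05T10:00:03Z 10.0.0.7 GET http://c2.example/customer/770
"""

def flag_customer_fetches(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client, host, customer_id) for requests matching the C2 path layout."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, url = fields
        parsed = urlparse(url)
        match = C2_PATH_RE.match(parsed.path)
        if match:
            hits.append((client, parsed.hostname, match.group(1)))
    return hits
```

The extracted blobs are still encrypted; they are suitable for hashing, sandbox submission or manual decryption, not for execution.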
Between 31 May and 20 June 2023, CustomerLoader samples connected directly over HTTP to the C2 server at IP 5.42.94[.]169. On 20 June 2023 the C2 switched to the domain kyliansuperm92139124[.]sbs over HTTPS, protected by Cloudflare.
The domain acts as a proxy, while the backend server remains 5.42.94[.]169. According to Sekoia.io analysts, this C2 change likely aims to evade network detection and hinder security researchers’ analysis.
The malware families distributed by CustomerLoader are:
Redline
Formbook
Vidar
Stealc
Raccoon
Lumma
StormKitty
AgentTesla
DarkCloud
Kraken Keylogger
AsyncRAT
Quasar
Remcos
XWorm
njRAT
WarzoneRAT
BitRAT
NanoCore
SectopRAT
LgoogLoader
Amadey
Variant of WannaCry
TZW ransomware
The following families account for the largest number of distinct botnets served through CustomerLoader:
Redline: over 80 botnets
Quasar: 45 botnets
Vidar: 9 botnets
Remcos: 6 botnets
Stealc: 4 botnets
Formbook: 4 botnets
CustomerLoader, when combined with the dotRunpeX injector, enhances compromise rates by reducing the detection of the final payload, despite lacking advanced techniques.
The post Hackers Use New .NET Loader Malware to Deliver Wide Range of Payloads appeared first on Cyber Security News.
MediSecure Data Breach: 12.9 Million Australian Users’ Sensitive Data Hacked
In one of the largest cyber breaches in Australian history, MediSecure, a former provider of digital prescriptions, has revealed that hackers earlier this year stole the personal and medical data of approximately 12.9 million Australians.
This figure represents almost half of the country’s population, making it an unusually large breach. The incident has raised serious concerns about data security and about companies’ accountability for the personal information they hold.
The incident came to light on April 14, 2024, when MediSecure discovered that one of its database servers had been encrypted, likely by ransomware. Initially, the company did not disclose the full extent of the breach. However, recent updates from administrators have revealed the shocking scope of the data theft.
The compromised information includes a wide range of sensitive personal and medical details:
Full names
Phone numbers
Home addresses
Dates of birth
Medicare numbers and card expiry dates
Prescribed medications, including drug names, strengths, quantities, and repeats
Reasons for prescriptions
Medication instructions
The attackers exfiltrated an enormous 6.5 terabytes of data.
The breach has had significant consequences for both MediSecure and the affected individuals:
MediSecure entered voluntary administration in June 2024 following the federal government’s refusal to provide a financial bailout.
The company has since appointed liquidators, effectively ceasing operations.
The Australian government has reassigned the ePrescription service to Fred IT’s eScript Exchange, which became the sole provider of electronic prescriptions to Australians.
Administrators from FTI Consulting have stated that while the number of affected Australians is known, identifying specific individuals has proven challenging due to the vast amount of compromised data.
This afternoon MediSecure and its administrators have publicly advised that the company has ceased its investigation into the cyber incident that impacted the company earlier this year.
MediSecure advised that the personal and sensitive information, including contact and health…
— National Cyber Security Coordinator (@AUCyberSecCoord) July 18, 2024
MediSecure cannot afford to accurately identify all affected individuals due to the complex nature of the information.
The breach report reads that “MediSecure has worked closely with the National Cyber Security Coordinator, AFP, ASD, and the Office of the Australian Information Commissioner to respond to the Incident in a way consistent with Australia’s national security interests and the community’s expectations.”
Lieutenant General Michelle McGuinness, the National Cyber Security Coordinator, has addressed the situation:
Assured the public that the breach had not disrupted prescription services and urged people to continue accessing their medications without concern.
Cautioned against searching for the leaked data on the dark web, emphasizing the risks associated with such actions.
Warned about potential scammers exploiting the stolen data and advised people to be wary of unsolicited requests for personal or financial information.
This massive data breach has raised serious concerns about data security and the protection of sensitive personal information in Australia. It highlights the need for stronger cybersecurity measures and more stringent regulations for companies handling such sensitive data.
As the situation continues to unfold, affected individuals are advised to remain vigilant against potential scams and to independently verify the authenticity of any requests for personal information.
The post MediSecure Data Breach: 12.9 Million Australian Users’ Sensitive Data Hacked appeared first on Cyber Security News.
Hackers Attack ThinkPHP By Injecting Payload From Remote Servers
Threat actors are constantly evolving their TTPs and developing new malicious tools to execute their activities.
Recently, Akamai researchers have noted a concerning trend of attackers exploiting known vulnerabilities, such as the years-old ThinkPHP RCE CVE-2018-20062 and CVE-2019-9082.
Initially detected in October 2023 with limited probes, a much larger campaign resurged in April 2024, exploiting these vulnerabilities to install remote shells.
The CVE exploits attempt to download a file named “public.txt” from a Chinese server that is most likely itself compromised.
The file is malicious: saved on the victim as “roeter.php,” it opens an obfuscated web shell backdoor that is password-protected with the word “admin.”
Most of the originating IP addresses belong to the Zenlayer cloud and are based in Hong Kong.
The server hosting the backdoor was itself infected; this may have been a way for the attacker to cut costs and avoid attribution by authorities.
The web shell is used for navigating, editing, and deleting files, as well as modifying time stamps in an operating system’s file system.
It is worth pointing out that this one has a Chinese interface instead of an English interface, as most shells do.
It is called “Dama.” Beyond uploading files, it collects system information useful for exploit selection, performs port scans, grants access to databases, and provides privilege escalation options such as disabling PHP constraints and scheduling tasks to add high-privileged users or WMI entries.
However, surprisingly it does not contain command-line interface support for direct OS shell commands, unlike its wide range of other functionalities.
It is highly recommended that ThinkPHP be upgraded to the latest version 8.0. Researchers said that recent attacks have used a sophisticated Chinese web shell, “Dama,” for advanced victim control, but it strangely lacks CLI support.
Some customers were attacked even though they didn’t use ThinkPHP, implying indiscriminate targeting. This consequently indicates the persistent challenge of detecting vulnerabilities and patching them.
Possible aims of an attacker include botnet recruitment, ransomware attack, extortion or acquiring intelligence, and lateral movement.
As offensive technology advances, there is a growing sophistication gap between the tools and their users.
The post Hackers Attack ThinkPHP By Injecting Payload From Remote Servers appeared first on Cyber Security News.