Ankura CTIX FLASH Update - July 12, 2024

Ankura Consulting Group LLC

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Ransomware/Malware Activity

ViperSoftX Malware Exploits AutoIT and CLR to Covertly Run PowerShell Scripts

Researchers at Trellix have observed a new variant of the ViperSoftX information-stealing malware hosted on malicious torrent sites. ViperSoftX arrives in a RAR archive purporting to contain a helpful e-book but actually containing a decoy PDF file, a shortcut, and PowerShell scripts disguised as JPG images. Clicking the shortcut starts the infection chain: it runs a command sequence that lists the contents of the disguised JPG files, which hold the concealed PowerShell code. That PowerShell code then configures Windows Task Scheduler to run an AutoIt script every five minutes after log-in, giving the malware persistence. Researchers observed that the AutoIt executable uses the common language runtime (CLR), a component of Microsoft's .NET Framework, to load and execute PowerShell commands, which helps shield the activity from defenders. The malware can also patch the Antimalware Scan Interface (AMSI) before executing PowerShell scripts to circumvent native anti-virus. ViperSoftX uses deceptive hostnames in its traffic, such as security-microsoft[.]com, to appear trustworthy, and can then dynamically download additional payloads and commands from its C2 server. As with other sophisticated malware, ViperSoftX also self-deletes to evade detection. This latest finding reflects the increasing sophistication of malware and the new methods attackers are implementing to evade detection. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
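The persistence mechanism described above (a scheduled task with a logon trigger that repeats every five minutes and launches AutoIt) is something defenders can hunt for in exported task definitions. The following Python example is added here and is not code from Trellix, Ankura or the ViperSoftX analysis: it parses Task Scheduler XML (the format `schtasks /query /xml` exports) and flags the combination of a short-interval logon trigger, an AutoIt interpreter or `.au3` script in the action, and an executable living under a user-writable path. The two task definitions are constructed samples; the task names, file paths and exact interval used by the real malware are not on the page and are assumptions.

```python
"""Added example: hunting for short-interval logon tasks that launch AutoIt.
Not from Trellix or Ankura; both task XML documents below are constructed."""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Namespace used by Windows Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments where a legitimately installed scheduled action rarely lives.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed sample resembling the described persistence: logon trigger,
# five-minute repetition, AutoIt interpreter and script under a public folder.
# The paths and file names are assumptions, not observed indicators.
SUSPICIOUS_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Public\\Libraries\\AutoIt3.exe</Command>
      <Arguments>C:\\Users\\Public\\Libraries\\update.au3</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a daily updater run from Program Files.
BENIGN_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-07-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Subset of ISO 8601 durations that Task Scheduler emits, e.g. PT5M, PT1H, P1D.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_seconds(iso: str) -> Optional[int]:
    """Convert a Task Scheduler duration string to seconds; None if unparseable."""
    m = DURATION_RE.match(iso.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def analyze_task(xml_text: str, max_repeat_seconds: int = 10 * 60) -> List[str]:
    """Return human-readable findings for one task definition (empty if clean)."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    # Signal 1: a logon trigger that re-fires at a short interval.
    for trig in root.findall("t:Triggers/t:LogonTrigger", NS):
        interval = trig.findtext("t:Repetition/t:Interval", default="", namespaces=NS)
        secs = duration_seconds(interval)
        if secs is not None and secs <= max_repeat_seconds:
            findings.append(f"logon trigger repeating every {secs}s ({interval})")

    # Signals 2 and 3: what the task runs and where it runs from.
    for ex in root.findall("t:Actions/t:Exec", NS):
        command = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        lowered = f"{command} {args}".lower()
        if "autoit" in lowered or re.search(r"\.au3\b", lowered):
            findings.append(f"AutoIt interpreter/script in action: {command} {args}".rstrip())
        if any(frag in command.lower() for frag in USER_WRITABLE):
            findings.append(f"action runs from user-writable path: {command}")
    return findings


if __name__ == "__main__":
    for label, xml_doc in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, "->", analyze_task(xml_doc) or ["no findings"])
```

Each signal on its own is weak (plenty of legitimate tasks repeat on logon, and AutoIt is a legitimate tool), which is why the function reports all matching signals and leaves the scoring to the analyst; in practice you would feed it every task exported from a host and triage the ones that trip two or more rules.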

Threat Actor Activity

Joint Advisory: Chinese APT40 Hijacking SOHO Routers

International cybersecurity agencies and law enforcement have issued a joint advisory warning about the sophisticated cyberespionage activities of APT40, a Chinese state-sponsored hacking group also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk. Active since at least 2011, APT40 has targeted a wide range of entities in the US, Australia, and other countries, exploiting vulnerabilities in public-facing infrastructure and widely used software such as Log4J, Atlassian Confluence, and Microsoft Exchange to infiltrate networks. APT40's modus operandi involves leveraging unlicensed versions of Cobalt Strike and hijacking small-office/home-office (SOHO) routers using N-day vulnerabilities. These compromised devices serve as network proxies, blending malicious traffic with legitimate operations and facilitating cyberespionage attacks while avoiding detection. This technique is part of a broader strategy that includes deploying web shells for persistence, using Secure Socket Funneling for command and control (C&C), and employing RDP for lateral movement within networks. The joint advisory, authored by cybersecurity authorities from countries including Australia, the United States, the United Kingdom, Canada, New Zealand, Germany, Korea, and Japan, underscores APT40's capability to rapidly adapt proof-of-concept exploits for newly disclosed vulnerabilities, targeting networks to compromise vulnerable, end-of-life, or unmaintained devices. The advisory includes case studies from 2022 detailing APT40's exploitation of custom web applications and remote access login portals to conduct network reconnaissance, capture credentials, and exfiltrate sensitive data.
In line with the advisory, CTIX analysts recommend timely application patching, comprehensive logging, network segmentation, disabling unused ports and services, using web application firewalls, enforcing the principle of least privilege, employing multi-factor authentication for remote access services, and replacing end-of-life equipment in order to defend against APT40 and similar threats.

Vulnerabilities

CISA/FBI Advisory Gives Manufacturers Guidance on Eliminating OS Command Injection Flaws

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint advisory urging software companies to eliminate OS command injection vulnerabilities before product release, following recent attacks exploiting such flaws in Cisco, Palo Alto, and Ivanti devices. The attacks, carried out by the Chinese state-sponsored threat group known as Velvet Ant, exploited these vulnerabilities to conduct a cyber espionage campaign by deploying custom malware. The advisory explains that these vulnerabilities occur when user input is not properly validated and sanitized. Developers are advised to use built-in library functions and input parameterization, and to limit the construction of commands from user input. To harden their environments, administrators and tech leaders should ensure safe command generation, conduct regular code reviews, and implement thorough testing. Despite being completely preventable, OS command injection vulnerabilities remain common and are ranked fifth in MITRE's top twenty-five (25) most dangerous software weaknesses. Previous alerts also emphasized addressing path traversal and SQL injection vulnerabilities. At the product design level, CISA and the FBI urge manufacturers to safeguard their products from OS command injection exploits and other preventable malicious activities by following the three (3) principles outlined in the joint guidance "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software." CTIX analysts recommend that the guidance be followed to prevent future exploitation.
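To make the advisory's guidance concrete, here is an added Python example (not from CISA, the FBI or the advisory itself) showing the vulnerable pattern, a shell command string assembled from user input, beside the hardened pattern: allowlist validation plus an argument list that never passes through a shell. The hostnames are constructed, `echo` and a small Python one-liner stand in for the real network utility so the example runs offline, and it assumes a POSIX shell is available for the deliberately vulnerable function.

```python
"""Added example: OS command injection, the vulnerable pattern beside the
hardened one. Not from the CISA/FBI advisory; all inputs are constructed."""
import re
import subprocess
import sys

# Constructed sample inputs: one benign, one carrying a shell metacharacter.
BENIGN_HOST = "example.com"
HOSTILE_HOST = "example.com; echo INJECTED"

# Allowlist for a DNS hostname: dot-separated labels of letters, digits and
# hyphens. Anything else (spaces, ';', '|', '$', quotes) is rejected outright.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_hostname(value: str) -> bool:
    """Positive validation: accept only what a hostname may contain."""
    return bool(HOSTNAME_RE.match(value))


def run_vulnerable(host: str) -> str:
    """The anti-pattern: user input is spliced into one string that /bin/sh parses.
    The ';' in HOSTILE_HOST ends the intended command and starts a second one.
    (Assumes a POSIX shell; 'echo' stands in for a real network tool.)"""
    cmd = f"echo {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_parameterized(host: str) -> str:
    """Parameterization alone: the input is one argv element and no shell is
    involved, so the child receives it verbatim and nothing is interpreted."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", host]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def run_hardened(host: str) -> str:
    """Validation plus parameterization, the combination the advisory asks for:
    reject input that is not a hostname, then never build a shell string."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return run_parameterized(host)


if __name__ == "__main__":
    print("vulnerable   :", repr(run_vulnerable(HOSTILE_HOST)))
    print("parameterized:", repr(run_parameterized(HOSTILE_HOST)))
    try:
        run_hardened(HOSTILE_HOST)
    except ValueError as exc:
        print("hardened     :", exc)
    print("hardened ok  :", repr(run_hardened(BENIGN_HOST)))
```

Running it shows the difference directly: the vulnerable function's output contains a second line, `INJECTED`, because the shell executed the injected command, while the parameterized function prints the whole hostile string as a single literal argument. The hardened function never gets that far, since the allowlist rejects the input before any process is started; defence in depth means keeping both layers even though the argument list alone would have been safe here.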

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
