ARTICLE
29 August 2024

Ankura CTIX FLASH Update - August 23, 2024

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Malware Activity

New Windows Backdoor Msupedge Exploits Known PHP Vulnerability

Researchers have discovered a new malware named Msupedge used as a backdoor to Windows systems by exploiting a remote code execution (RCE) vulnerability in PHP (CVE-2024-4577). This new backdoor was discovered on Windows systems at a university in Taiwan following a cybersecurity attack. The PHP vulnerability exploited by Msupedge impacts PHP installations running in CGI mode and allows for unauthenticated attackers to execute arbitrary code on the system. The vulnerability also primarily affects Windows installations using Chinese or Japanese languages. The backdoor comes in the form of two dynamic link libraries: "weblog.dll" and "wmiclnt.dll". A unique feature of the backdoor is its use of DNS tunnelling to communicate with the attacker's command-and-control (C2) server, which allows data to be encapsulated within DNS queries to avoid detection. The commands supported by Msupedge include process creation, file download, and file creation and deletion. Currently, the threat actor and motive behind the attack on the Taiwanese university is unknown. The PHP vulnerability used in the attack has also been exploited by other threat groups, and the proof-of-concept (PoC) code for the exploit has been posted to GitHub by WatchTowr Labs. CTIX analysts recommend that organizations ensure the latest patches for PHP are applied to their systems. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
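Because the Msupedge backdoor hides its C2 traffic inside DNS queries, the practical defensive question is how to spot that pattern in resolver logs. The following is an added illustration, not code from the CTIX update or from any Msupedge analysis: it scores query names for the shapes that encapsulated data produces (long labels, high entropy, many distinct subdomains under one parent). The log format and the domain names are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line:
# "<timestamp> <client> <qtype> <qname>" (an assumed format, not any vendor's).
SAMPLE_LOG = """\
2024-08-20T10:01:02 10.0.0.5 A www.example.com
2024-08-20T10:01:03 10.0.0.5 A mail.example.com
2024-08-20T10:01:04 10.0.0.7 TXT 7a9f3c1e0b5d8a2f4e6c1b9d3a7f5e2c.c2-placeholder.test
2024-08-20T10:01:05 10.0.0.7 TXT 1e4d8b2a6f0c9e3b7a5d2f8c4b6e0a1d.c2-placeholder.test
2024-08-20T10:01:06 10.0.0.7 TXT 9b3e5a7c1d0f2e8b4a6c3d5f7e9a1b2c.c2-placeholder.test
2024-08-20T10:01:07 10.0.0.5 A cdn.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; hex- or base32-encoded payload chunks score near 4-5."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(qname: str) -> str:
    """Last two labels; enough for this demo (a real tool would use the PSL)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_query(qname: str, max_label_len: int = 30, min_entropy: float = 3.5) -> list[str]:
    """Return the indicators that fire for one query name (empty list = benign)."""
    sub = qname.rstrip(".").split(".")[:-2]  # labels below the parent domain
    reasons = []
    if any(len(label) > max_label_len for label in sub):
        reasons.append("long-label")
    if sub and shannon_entropy("".join(sub)) >= min_entropy:
        reasons.append("high-entropy")
    return reasons

def find_tunnelling_candidates(log_text: str, min_unique: int = 3) -> dict[str, int]:
    """Group suspicious queries by parent domain; a parent that receives many
    distinct encoded-looking subdomains is the usual shape of data-in-queries C2."""
    per_parent = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        qname = parts[3]
        if score_query(qname):
            per_parent[parent_domain(qname)].add(qname)
    return {d: len(q) for d, q in per_parent.items() if len(q) >= min_unique}
```

Thresholds are starting points only; CDNs and some telemetry services legitimately produce long, random-looking labels, so results need an allowlist before they become alerts.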

Threat Actor Activity

Elaborate Phishing Campaign Uses PWA Apps to Steal Banking Credentials

Recent research has uncovered an elaborate phishing campaign targeting European banking customers, leveraging Progressive Web Applications (PWAs) to steal user credentials. Beginning in November of 2023, and as recently as May 2024, the campaign involved hackers setting up malicious banking applications that closely mimic legitimate ones, tricking users into installing these apps on their Android and iOS devices through third-party websites. This method bypasses traditional security measures that usually alert users to the installation of unknown programs. The campaign used automated voice calls, SMS messages, and social media advertisements to lure victims. These tactics directed users to high-quality phishing pages where they were deceived into downloading fake banking apps. The campaign has primarily targeted users of prominent banks in the Czech Republic, Hungary, and Georgia, including a major Czech bank, OTP Bank, and TBC Bank. The PWAs used in these attacks are essentially websites packaged to function like standalone applications, making them difficult for operating systems to detect as harmful. Once installed, these apps prompted users to enter their banking credentials, which were then sent to the attackers' servers. Researchers were able to coordinate the takedown of multiple phishing domains and attacker-controlled servers, sharing sensitive information with the affected banks for further processing. A detailed analysis of the command-and-control (C2) servers and the back-end infrastructure revealed the involvement of two (2) distinct threat actors employing different infrastructures. In response to the rise of PWA-based phishing attacks, cybersecurity experts emphasize the need for increased vigilance and the implementation of stronger defenses by platform providers like Google and Apple. The ability of PWAs to closely mimic native apps and bypass traditional security measures makes them a potent tool for cybercriminals, necessitating ongoing efforts to counteract these sophisticated phishing tactics.

Vulnerabilities

Chinese Threat Group Velvet Ant Exploits a Critical Vulnerability in Cisco Nexus Switches

The China-linked threat actor known as Velvet Ant exploited a zero-day vulnerability in Cisco Nexus switches, enabling them to gain complete control over affected systems to conduct espionage operations with heightened stealth and persistence. This vulnerability, tracked as CVE-2024-20399 (which has since been patched), allows attackers with valid administrator credentials to bypass the NX-OS command line interface (CLI) and access the underlying Linux-based operating system, a layer typically concealed from users and security tools. Once inside, Velvet Ant executed malicious scripts, including a custom payload named "VelvetShell", which is a fusion of the Unix backdoor "TinyShell" and the proxy utility "3proxy". This malware provided the attackers with capabilities to execute arbitrary commands, transfer files, and establish tunnels for proxying network traffic, effectively allowing them to control the compromised systems and maintain long-term access. Velvet Ant's tactics involved infiltrating new Windows systems before moving to legacy servers and network devices, strategically escalating their evasion techniques to avoid detection by conventional security measures. By compromising edge devices like the Cisco Nexus switches, which are often designed with limited user access and visibility, the attackers were able to operate within the network undetected, pivoting directly to other devices without triggering alarms associated with lateral movement. This incident underscores the growing threat posed by sophisticated actors targeting network appliances, which, due to their "black box" design and limited visibility, present significant challenges for cybersecurity defenses and highlight the critical need for enhanced monitoring and security measures around such devices. CTIX analysts urge all Cisco Nexus customers to ensure that their products are up-to-date.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.
