Hunting 4 Two Way Phish

Attackers are using phishing emails to deliver malicious Microsoft Visio attachments that redirect to credential harvesting pages.

Suspected TTPs:

  • Spearphishing Attachment [T1566.001]
  • Exploit Public-Facing Application [T1190]
  • Drive-by Compromise [T1189]
  • Command and Control [T1071]
  • Exfiltration [TA0010]
  • Impact [TA0040]

EU Phishing Campaign

The threat actors utilized phishing emails with attached PDF documents or embedded HTML links. These emails targeted European companies and organizations, aiming to harvest account credentials and take over the victim’s Microsoft Azure cloud infrastructure.

Hunting all around for TA397 RATs

Attackers are using phishing emails to deliver malicious attachments that gather system information and exfiltrate it to a remote server.

Engage Report: Glutton PHP Backdoor

  • Tactic: Initial Access (TA0001)
  • Technique: Exploit Public-Facing Application (T1190)
  • Procedure: Exploit vulnerabilities (0-day and N-day) in public-facing PHP applications to gain initial access to the server.

  • Tactic: Initial Access (TA0001)
  • Technique: Valid Accounts (T1078)
  • Procedure: Leverage weak-password brute-forcing techniques to compromise valid accounts and gain unauthorized access.

  • Tactic: Initial Access (TA0001)
  • Technique: Supply Chain Compromise (T1195)
  • Procedure: Distribute pre-compromised business systems embedded with the 10ader_shell backdoor through cybercrime source code forums.

  • Tactic: Execution (TA0002)
  • Technique: Command and Scripting Interpreter: PHP (T1059.004)
  • Procedure: Execute malicious PHP code (task_loader, init_task, client_loader, etc.) within the web application environment to carry out various malicious activities.

  • Tactic: Persistence (TA0003)
  • Technique: Server Software Component: Web Shell (T1505.003)
  • Procedure: Inject web shells (10ader_shell) into PHP files to maintain persistence on the compromised server.

  • Tactic: Persistence (TA0003)
  • Technique: Create or Modify System Process: Launch Daemon (T1543.003)
  • Procedure: Install the Winnti backdoor as a daemon process by modifying the /etc/init.d/network file.

  • Tactic: Command and Control (TA0011)
  • Technique: Application Layer Protocol: Web Protocols (T1071.001): HTTP
  • Procedure: Establish an HTTP-based C2 channel for communication with the C2 servers (v6.thinkphp1.com, v20.thinkphp1.com) and retrieve additional payloads.

  • Tactic: Command and Control (TA0011)
  • Technique: Application Layer Protocol: Web Protocols (T1071.001): UDP
  • Procedure: Use UDP for C2 communication with the PHP backdoor, enabling command execution and data exfiltration.

  • Tactic: Defense Evasion (TA0005)
  • Technique: Obfuscated Files or Information (T1027)
  • Procedure: Employ obfuscation techniques in later stages of the attack (e.g., obfuscating the 10ader function code in client_loader) to hinder analysis and detection.

  • Tactic: Collection (TA0009)
  • Technique: System Information Discovery (T1082)
  • Procedure: Collect system information, including OS version, PHP version, and sensitive data from Baota panels, to gain situational awareness and identify valuable targets.

  • Tactic: Exfiltration (TA0010)
  • Technique: Exfiltration Over C2 Channel (T1041)
  • Procedure: Exfiltrate collected data over the HTTP and UDP C2 channels to attacker-controlled servers.

Hunting 4 PhantomCore RAT

The attacker is using spearphishing emails with malicious attachments to deliver malware, which then establishes command and control and collects system information.

Engage Report: Head Mare Group’s PhantomCore Campaign

The Head Mare group distributes malicious ZIP archives, likely through spam emails disguised as invoices or financial documents, to deceive recipients into executing the malicious payload.

Lumma Stealer and Amadey Bot in Manufacturing

A threat actor has gained initial access to a manufacturing network and is using the Lumma Stealer and Amadey Bot malware to steal sensitive data and maintain persistence.

Unveiling RevC2 and Venom Loader

  • Initial Access: The attack likely begins with a phishing email containing a malicious LNK file (VenomLNK).
  • Execution: The LNK file executes an obfuscated batch script, which downloads and executes various payloads, including RevC2 and Venom Loader. Venom Loader utilizes DLL side-loading and JavaScript for execution.
  • Persistence: Venom Loader establishes persistence by adding a PowerShell script to the autorun registry key.
  • Command and Control: RevC2 uses WebSockets (ws://208.85.17[.]52:8082) for C2 communication, while More_eggs lite uses HTTP POST requests (/api/infos).
  • Defense Evasion: Both RevC2 and Venom Loader employ obfuscation to hinder analysis. Venom Loader also uses DLL side-loading.
  • Collection: RevC2 steals cookies, passwords, and takes screenshots.
  • Exfiltration: Stolen data is exfiltrated over the C2 channel.

RomCom – Firefox and Windows Exec Duo

T1189 – RomCom actors created a fake website that redirects the potential victim to a server hosting exploits for a Firefox zero-day vulnerability (CVE-2024-9680) and a Windows zero-day vulnerability (CVE-2024-49039). The exploit chain requires no user interaction; if a victim using a vulnerable browser visits the fake website, the vulnerabilities are triggered, and the RomCom backdoor is installed on the victim’s computer.

T1190 – The attackers exploit a use-after-free vulnerability (CVE-2024-9680) in the Firefox browser to gain initial code execution within the browser’s sandboxed environment.

T1068 – After gaining code execution in the browser, the attackers leverage a Windows vulnerability (CVE-2024-49039) to escape the Firefox sandbox and gain elevated privileges on the victim’s system.

T1059.003 – The attackers execute PowerShell code to download and execute the next stage of the attack, which includes the RomCom backdoor.

T1543.003 – A scheduled task named “firefox.exe” is created to maintain persistent access to the compromised system. This task executes the RomCom backdoor at regular intervals.

T1071.001 – The RomCom backdoor communicates with its command-and-control (C2) server using HTTPS, allowing the attackers to remotely control the compromised system.

Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure

T1566.001 – The attacker sends a phishing email containing a malicious link to a GitHub repository disguised as a legitimate project.

T1133 – The attacker hosts malicious code, disguised as an NPM package, on a public GitHub repository.

T1059.003 – The victim, a developer, uses the npm install command to install the malicious NPM package from the GitHub repository.

T1543 – The malicious NPM package contains a script that executes a malicious JavaScript file (‘test.js’) located in the ‘.vscode’ folder, establishing persistence on the victim’s machine.

T1071.001 – The malicious JavaScript file uses the cURL command to communicate with the attacker’s C2 server over HTTP to download additional payloads.

T1041 – The attacker uses the established C2 channel to exfiltrate sensitive data from the victim’s machine.