Attackers are exploiting vulnerable IIS servers to install the BadIIS malware, which is then used to manipulate SEO and redirect users to malicious websites.
Tag: T1189
Threat Hunting Scenario: Real Estate Scams
Attackers are compromising email accounts to launch real estate scams, targeting individuals seeking rental properties.
Hunting 4 Two Way Phish
Attackers are using phishing emails to deliver malicious Microsoft Visio attachments that redirect to credential harvesting pages.
Suspected TTPs:
- Spearphishing Attachment [T1566.001]
- Exploit Public-Facing Application [T1190]
- Drive-by Compromise [T1189]
- Command and Control [T1071]
- Exfiltration [TA0010]
- Impact [TA0040]
RomCom – Firefox and Windows Exec Duo
T1189 – RomCom actors created a fake website that redirects the potential victim to a server hosting exploits for a Firefox zero-day vulnerability (CVE-2024-9680) and a Windows zero-day vulnerability (CVE-2024-49039). The exploit chain requires no user interaction; if a victim using a vulnerable browser visits the fake website, the vulnerabilities are triggered, and the RomCom backdoor is installed on the victim’s computer.
T1190 – The attackers exploit a use-after-free vulnerability (CVE-2024-9680) in the Firefox browser to gain initial code execution within the browser’s sandboxed environment.
T1068 – After gaining code execution in the browser, the attackers leverage a Windows vulnerability (CVE-2024-49039) to escape the Firefox sandbox and gain elevated privileges on the victim’s system.
T1059.003 – The attackers execute PowerShell code to download and execute the next stage of the attack, which includes the RomCom backdoor.
T1543.003 – A scheduled task named “firefox.exe” is created to maintain persistent access to the compromised system. This task executes the RomCom backdoor at regular intervals.
T1071.001 – The RomCom backdoor communicates with its command-and-control (C2) server using HTTPS, allowing the attackers to remotely control the compromised system.