Weekly in Security is a summary of the cybersecurity news from the past week. This post covers 2022-07-25 to 2022-08-01.
KNOTWEED is an Austria-based PSOA named DSIRF GmbH that is developing and selling the Subzero malware toolset. In a recent campaign they seem to use an unknown, probably 0day, PDF based RCE in Adobe Reader. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. For privilege escalation the CVE-2022-22047 was utilized. An application manifest with an undocumented attribute specified the path of the malicious DLL. When the targeted system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved. Previous campaigns from 2021 utilized an Adobe Reader exploit (CVE-2021-28550) in conjunction with Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201).
Interestingly, the company DSIRF GmbH is present in mails of wanted Jan Marsalek’s mailbox at Wirecard. Also, the company is said to have strong ties to Moscow.
Intezer found the Linux malware on VirusTotal and provides detailed analysis. Capabilities include both passive and active communications with the threat actor Unfortunately, they were only able to obtain parts of the framework. The researchers are missing important information from a live infection. Such a real-life infection could provide a malleable C2 configuration profiles, which could potentially provide additional IOCs.
Outpost24 provides a short glance behind the scenes of a Social Engineering assessemnt with Gophish and Evilginx.
One important aspect is finding a suitable domain.
Also, modifying the utilized security tools and removing headers X-Gophish is a good idea to not immediately alert the SOC.
MDSec performed an analysis of beacon frameworks.
In the first article they outlined a number of strategies for detecting in-memory beacons.
In the second article they discuss strategies to detect the popular C2 framework Cobalt Strike.
HashClash is a good addition to the cryptanalytic toolbox. It helps create chosen-prefix and identical-prefix collisions in MD5 and SHA-1.
These days I just discovered the Alan C2 post-exploitation framework that Antonio ‘s4tan’ Parata published on Github. Implementing and sharing such a tool can help understand and improve different aspects of security. Personally, I really like the idea of sharing these kinds of projects.