InQuest Presents "The Twelve Days of Maliciousness"

In the spirit of raising awareness about cybersecurity threats during the festive season, we’re excited to introduce our unique and thought-provoking holiday series, “The Twelve Days of Maliciousness.” This list will creatively highlight a different cyber threat for each of the twelve days, mirroring the traditional holiday song structure. This engaging and informative approach aims to educate and prepare individuals and organizations for the diverse range of cyber threats they face, especially during times of heightened digital activity. Check back each weekday to see the next “gift” on our list!

On the twelfth day of Maliciousness bad actors gave to me: Twelve burned-out security analysts

Security analysts, especially in small teams, face intense pressure due to their critical role in managing a wide range of cybersecurity threats. This burden is evident with 73% of security practitioners experiencing burnout due to increasing workloads as found by the Ponemon Institute​​. The importance of automation is more crucial than ever. It not only alleviates the workload by handling routine tasks but it also allows analysts to focus on more complex challenges. This approach aids in reducing the risk of burnout and enhances the overall effectiveness of cybersecurity operations, making it a vital strategy in supporting the well-being and productivity of security professionals in high-pressure environments.

On the eleventh day of Maliciousness bad actors gave to me: Eleven LNK files

Microsoft Windows shortcut files (also called Shell Link files) provide a similar function to other kinds of link files, such as symbolic and hard link files in Unix-like operating systems. However, as threat actors and researchers discovered, LNK files also provide significant attack surface to carry out execution tasks and are often used when gaining an initial foothold on a device and maintaining persistence. LNK files are a binary structure shortcut file with an ideal capability for payload smuggling. A commonly observed technique is the injection of next-stage payloads into LNK files and a parsing command to extract it to disk and execute it.

LNK file abuse was initially a lower volume technique used by primarily APT threat groups in earlier years (2010s), however adoption increased significantly among financially motivated attackers and initial access brokers around 2022. A contributing supporter to this shift in adoption includes the availability of malicious LNK builders, including lnk2pwn, LNKUp, MacroPack, mLNK Builder, QuantumBuilder, SharPersist and VenomLNK. After attack surface reduction has reduced the effectiveness of macro-laden documents, with the number of threat groups adopting LNK files in their playbooks, InQuest expects the abuse of this file type to continue to increase in attacks.

On the tenth day of Maliciousness bad actors gave to me: Ten PHP web shells

Web shells are pieces of code in various languages, but the most widely observed are PHP backdoor shells. They are often placed on web servers through exploits, outdated websites, and poor password hygiene practices. The types of threat actors that utilize web shells range from the most novice to nation state (often APT). Some common threats observed utilizing these backdoors are phishing campaigns, malware download URLs, and traffic redirection scripts.

On the ninth day of Maliciousness bad actors gave to me: Nine Coin Miner URLs

Also known as “cryptojacking,” coin mining has risen with the popularity of Bitcoin and other coins created for use as legitimate currency. Threat actors leverage crypto-theft both as an alternative to other commonly seen malware payloads; and alongside them in cases where module-based or multistage malware is deployed. Theft can range from exfiltrating wallets and related credentials to deploying mining software on infected systems. Miners successfully deployed on victim machines consume local resources to generate revenue for threat actors ranging from common cybercriminals to state-sponsored actors. Remain vigilant of suspicious downloads and irregular resource usage this holiday season.

On the eighth day of Maliciousness bad actors gave to me: Eight AitM phishers

Phishing is the quintessential technique utilized for compromising user credentials and providing adversaries with access to accounts on target services, known as account takeover (ATO). While we’re unlikely to see phishing or ATOs abate in the foreseeable future, we do at least see the cat and mouse game that occurs when the bar is raised to increase the cost of phishing through multi-factor authentication (MFA) and two-step verification (2SV). These security controls are not new; for decades, organizations that take account security seriously have utilized multiple authentication factors to increase the cost of account access for adversaries. These have most often been seen in financial institutions and highly sensitive industry sectors. The difference today is that a strong surge in available options and prevalent support across all forms of online services has made it possible for most consumers to use one form of MFA or another more widely.

But attackers know this, and advances made in offensive tradecraft have resulted in phishing schemes based on so-called AitM (adversary in the middle) phishing attacks, carried out using phish kits that are designed to place the phishing site in the middle of the authentication exchange with the legitimate service. This architecture enables the attacker to intercept even some types of MFA tokens along with user credentials in the process. If this sounds familiar, it is; Adversary-in-the-Middle is simply a more modern term for Man-in-the-Middle (MitM), and is also documented as On-path Attacker.

The key takeaway for defenders is that not all MFA methods are created equal; organizations should deploy phishing-resistant authentication schemes, noting that the only widely available phishing-resistant authentication is FIDO/WebAuthn authentication. Organizations should further take note of and plan to combat commonly utilized open source toolkits supporting AitM phishing, including evilginx, Modlishka and Muraena. Also be aware that adversaries may operate their own schemes and services, as seen with NakedPages, PerSwaysion and others. At the same time, service providers also have a role to play; it is critical to support modern, phishing-resistant MFA methods for customers. Minimizing dependence on SMS as a weak authentication scheme and enabling support for security keys (hardware tokens supporting FIND/WebAuthn standards) are an excellent way to enable consumers to secure accounts.

On the seventh day of Maliciousness bad actors gave to me: Seven ActiveMIME polyglots

As Microsoft’s Mark of the Web for Microsoft Office documents was introduced to place a hurdle for cybercriminals attempting to deliver weaponized macros, an alternate vehicle saw a resurgence by way of embedding macros in PDF documents in MIME format (ActiveMIME). Discovered and documented by JPCERT, these maldocs will have Microsoft Word file extensions to open within Word despite containing file magic consistent with PDF. While this does not bypass other local settings managing automatic execution of macros, detection of this delivery method requires special consideration for spotting ActiveMIME within PDF hiding behind Word document file extensions. Threat actors are expected to continue discovering alternative means of deploying malicious macro code given the popularity of the technique amongst attackers.

On the sixth day of Maliciousness bad actors gave to me: Six DarkGate trojans

If you aren’t familiar with the DarkGate trojan, it’s understandable. The malware surfaced in industry reporting in 2018 and saw light usage, passing out of memory. That is, until it surfaced again in 2023, a pet project advertised as a multi-purpose backdoor by a developer selling it on underground crime forums. DarkGate’s features include functioning as a downloader with support for evasive in-memory execution, hidden VNC and AnyDesk modules, the ability to evade endpoint security solutions through process hollowing, direct syscall invocation, and virtualization and sandbox evasion. It is utilized for native information theft capabilities, including targeting of cryptocurrency wallets, web browser data, keystroke logging and integrated password stealers. High volumes of distribution activity during 2023 suggested adoption by prominent threat groups, potentially utilizing it as a backfill for the Qakbot malware after law enforcement operations affected its use. This adoption by large scale criminal operators ensures that DarkGate deserves attention from defenders, as the amount of coverage in the media during this resurgence is likely to put it on the radar of other criminal groups, bringing it to an inbox near you.

On the fifth day of Maliciousness bad actors gave to me: Five Formbook links

Some malware families stay on defenders’ radar not due to sophisticated capabilities, but rather due to prevalence, affordability and staying power. One of those families is Formbook, an information stealing trojan that is sold in the underground. Formbook has been showing up in distribution campaigns since 2016, and has been a favorite of threat groups such as Cobalt Group and SWEED, as well as being utilized by numerous other financially motivated actors. More recent variants of Formbook, tracked as XLoader, provide support for multiple platforms (Windows and macOS), and are believed to be offered and maintained in a malware-as-a-service (MaaS) model, easing the overhead of acquiring and operating the stealer for criminal actors. Most organizations are likely to encounter Formbook due to its prevalence.

On the fourth day of Maliciousness bad actors gave to me: Four Pikabot infections

Who is next on the naughty list and will receive some coal in their stocking? The creators of Pikabot. Pikabot being a newer modular malware has been actively observed since early 2023 according to this Zscaler post and gained popularity after the Department of Justice’s takedown of Qbot, as mentioned in their press release link. Pikabot uses similar distribution methods and capabilities as Qbot, which is something to be aware of when opening email and email attachments during this holiday season.

On the third day of Maliciousness bad actors gave to me: Three EDR evasions

How layered is your defensive strategy? On the heels of the COVID-19 pandemic, and with zero trust becoming a popular network access model, many organizations adopted Enterprise Detection & Response (EDR) software as the centerpiece of their defensive strategy. But attackers know this, and numerous techniques exist and are utilized to bypass EDR and evade detection. When EDR fails, it’s a reminder of the need to maintain a layered defense and to shift left in your security posture. Three methods, in particular, are worth understanding as they have enabled adversaries to distribute and execute malware even against organizations running leading EDR software: 

  • “Bring Your Own Vulnerable Driver” (BYOVD) – adversaries may exploit vulnerabilities in trusted kernel drivers to escalate privileges to kernel mode in order to terminate EDR, antivirus, and other security software agents or otherwise blind them to their next stages of attack. So-called EDR Killer malware families exist to commoditize this capability for their criminal customers.
  • API unhooking – API hooks are used by security tools to add monitoring shims into the operating system and key software like web browsers. Adversaries may utilize various techniques to uninstall API hooks utilized by endpoint security software to monitor function calls and detect signs of malicious activity. This technique is commonly used by penetration testing teams during the initial stages of attack to demonstrate defense evasion through disabling or modifying tools and paving the path for follow-on steps.
  • In-memory execution – this simple technique is often paired with encrypted payloads to evade detection. Traditional malware droppers and loaders often executed additional payloads by running executables or loading DLLs from disk; in the modern threat landscape, this is now often performed by simply decrypting and executing payloads directly in memory. Loader trojans that operate in this manner are available as commodities in underground markets and have become increasingly commonplace.

On the second day of Maliciousness bad actors gave to me: Two CSRF emails

It’s important to update your webmail software! Many organizations use free and open-source webmail software to give users the convenience and mobility of being able to log in to their email from anywhere using only a web browser. Webmail is typically a client used to access remote mailboxes with the IMAP or POP3 protocol. One risk to be aware of is the threat model associated with web-based applications. Like any web application, webmail software can be affected by common security risks such as cross-site scripting (XSS) and cross-site request forgery (CSRF). Unlike many web applications though, webmail software almost always processes untrusted inputs in the form of emails sent by malicious users. Researchers at Proofpoint recently disclosed that threat actors aligned with Russian interests have carried out attacks against users of Roundcube and Zimbra email and collaboration portals, using multiple vulnerabilities (CVE-2020-35730, CVE-2022-27926 and CVE-2023-5631) to target users in a number of sensitive agencies in government and defense across Europe, Central Asia and the United States. The use of these vulnerabilities resulted in execution of carefully crafted JavaScript payloads, enabling the Winter Vivern threat actors to browse and access sensitive email communications as users opened malicious messages. It’s important to note that these types of attacks don’t typically require targets to open attachments or click links; just opening the email is enough to trigger the malicious payload. And just because a malicious user can’t log in to access the webmail application doesn’t mean they can’t exploit it; just sending an email to a user is enough to reach vulnerable code paths, since the content is rendered client-side.

On the first day of Maliciousness bad actors gave to me: A document with embedded macros

A tried and true classic, document embedded macros are leveraged for malicious use by petty cyber criminals and APTs alike. The capability of living off the land with VB and PowerShell script allows threat actors access to a vast array of functions that ship on every Windows machine to deliver and execute obfuscated payloads or retrieve supplementary files from remote locations while bypassing User Account Control. Though it has seen a decline in popularity since Microsoft introduced Mark of the Web (MotW), disabling macros for documents acquired from the internet, this has not deterred the cybercriminal community from further development with macro based delivery methods. Including the weaponized document as an attachment is no longer viable, so threat actors pivot to other file formats and encapsulation methods coupled with enhanced social engineering tactics to ensure intended victims follow the necessary steps for initial access.

Additional Resources