Windows Search Vulnerability Identified

June 07, 2022

Industry: N/A | Level: Tactical | Source: BleepingComputer

BleepingComputer reports a Windows Search vulnerability that lets a Word document, when opened, launch a search window containing malicious code. “The security issue can be leveraged because Windows supports a URI protocol handler called ‘search-ms’ that allows applications and HTML links to launch customized searches on a device. While most Windows searches will look on the local device’s index, it is also possible to force Windows Search to query file shares on remote hosts and use a custom title for the search window.” The targeted victim would still have to run the executable manually and accept the security prompt before the attacker’s remote application runs.

Anvilogic Use Cases:

  • Rare executable from Microsoft Office
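
As an added illustration (not from the BleepingComputer report or from Anvilogic's own use-case logic), a small Python detection that parses search-ms URIs from process command lines spawned by an Office parent and flags those whose crumb location points off the local machine. The event records, the 203.0.113.5 share and the display names are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample process events (not from the original page), shaped like an
# EDR's child-process records; search-ms layout (query=, crumb=, displayname=) is Microsoft's.
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "cmdline": 'explorer.exe "search-ms:query=invoice'
     '&crumb=location:\\\\203.0.113.5\\share&displayname=Downloads"'},
    {"parent": "WINWORD.EXE", "cmdline": 'explorer.exe "search-ms:query=report'
     '&crumb=location:C:\\Users\\alice\\Documents&displayname=Documents"'},
    {"parent": "explorer.exe", "cmdline": "notepad.exe C:\\notes.txt"},
]
SEARCH_MS_RE = re.compile(r'search-ms:([^"\s]*)', re.IGNORECASE)
# A crumb location off the local machine: UNC path or WebDAV/HTTP URL.
REMOTE_LOCATION_RE = re.compile(r"^(\\\\|//|https?://)", re.IGNORECASE)
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}

def parse_search_ms(cmdline):
    """Return the search-ms parameters as a dict (crumb kept as a list), or None."""
    m = SEARCH_MS_RE.search(cmdline)
    if not m:
        return None
    params = {"crumb": []}
    for part in m.group(1).split("&"):
        key, sep, value = part.partition("=")
        if not sep:
            continue
        key, value = key.lower(), unquote(value)
        if key == "crumb":
            params["crumb"].append(value)  # several crumb= parts are allowed
        else:
            params[key] = value
    return params

def remote_locations(params):
    """Return crumb 'location:' values that point off the local machine."""
    locs = [c[len("location:"):] for c in params["crumb"] if c.lower().startswith("location:")]
    return [loc for loc in locs if REMOTE_LOCATION_RE.match(loc)]

def detect(events):
    """Flag search-ms launches from an Office parent that query a remote share."""
    hits = []
    for ev in events:
        params = parse_search_ms(ev["cmdline"])
        if ev["parent"].upper() in OFFICE_PARENTS and params:
            for loc in remote_locations(params):
                hits.append({"parent": ev["parent"], "location": loc,
                             "displayname": params.get("displayname", "")})
    return hits
```

The displayname field is worth surfacing in the alert, since a custom title that mimics a trusted folder is how the remote listing is made to look local.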

RedLine Stealer Spreading from Illegitimate Windows 11 Upgrade

February 15, 2022

Industry: N/A | Level: Tactical | Source: HP – ThreatResearch

HP Threat Research has identified a campaign distributing the information-stealing malware RedLine Stealer disguised as an installer for Microsoft’s latest OS version, Windows 11. The campaign is recent: one of the malicious domains, windows-upgraded[.]com, was registered on January 27th, 2022. The fraudulent Microsoft page offers a download link for a malicious zip file, “Windows11InstallationAssistant.zip”. The zip file, hosted on Discord, contains “six Windows DLLs, an XML file and a portable executable.” When the malicious executable runs, an encoded PowerShell command executes and, after a 21-second timeout, downloads a jpg file. The jpg file is actually a disguised DLL. Once the DLL is loaded, the RedLine Stealer payload is active and proceeds with data collection and exfiltration as the attacker desires.

  • Anvilogic Scenario: InfoStealer Malware Behaviors
  • Anvilogic Use Cases:
    • Encoded Powershell Command
    • Query Registry

APT36’s Malware Arsenal

February 01, 2022

Industry: N/A | Level: Tactical | Source: TrendMicro

TrendMicro’s research on APT36/Earth Karkaddan, covering January 2020 to September 2021, details the threat group’s recent campaigns. Three malware families were observed from the group: Crimson RAT (Windows), ObliqueRAT (Windows) and CapraRAT (Android). The group uses spear-phishing emails or USB devices for initial access. The phishing emails lure victims with themes involving the government, coronavirus and other topics. Once the malicious link, file, or document is executed, the RAT is dropped and executed on the system. Subsequent activity varies, as the RATs have numerous capabilities for system reconnaissance, data collection and exfiltration.

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Malicious Document Execution
    • New AutoRun Registry Key

SysJoker

January 18, 2022

Report from Intezer shares research of a new backdoor – SysJoker, that was discovered in December

Khonsari Ransomware & Log4Shell

December 21, 2021

Industry: N/A | Level: Tactical | Source: CadoSecurity

The Khonsari ransomware family has been observed exploiting the CVE-2021-44228/Log4Shell vulnerability to target Windows servers. The malware executable “groenhuyzen.exe” is dropped and exploits the JNDI class. At only 12 KB, the malware’s functionality is straightforward: it enumerates and encrypts (appending the .khonsari extension) all mounted drives with the exception of C:\. Only user directories are encrypted, including Documents, Videos, Pictures, Downloads, and Desktop.

  • Anvilogic Use Case: Potential CVE-2021-44228 – Log4Shell

Emotet and App Installer

December 01, 2021

Industry: N/A | Level: Tactical | Sources: Twitter – @malware_traffic & BleepingComputer

Sophos reported on November 11th, 2021 that Emotet malware is following the same tactics Bazarloader used to abuse Windows App Installer packages, according to Twitter security researcher @malware_traffic. The attack chain starts with an email built on a stolen reply chain, containing a URL to a supposed PDF document. The link leads to a Google Drive-styled page that downloads a file hosted on Microsoft Azure at a .web.core.windows.net URL. After the supposed Adobe PDF component is installed, a DLL is downloaded to the %Temp% folder and executed with rundll32, and an autorun entry is created.

  • Anvilogic Scenario: Malware & AppInstaller
  • Anvilogic Use Cases:
    • AppInstaller.exe Download
    • New AutoRun Registry Key
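
As an added example (not Anvilogic's own scenario logic), a Python correlation over constructed endpoint events that chains the three behaviours the text describes: an AppInstaller.exe download from .web.core.windows.net, rundll32 loading a DLL from %Temp%, and a new Run key, all on one host within a time window. Hostnames, timestamps, paths, the Azure subdomain and the Run key name are constructed.

```python
from datetime import datetime, timedelta

# Constructed endpoint events (not from the original page) modelling the chain in the
# text; ws02 is benign rundll32 noise that must not fire.
SAMPLE_EVENTS = [
    {"ts": "2021-11-11T10:00:00", "host": "ws01", "type": "network",
     "image": "AppInstaller.exe", "dest": "pkg.z13.web.core.windows.net"},
    {"ts": "2021-11-11T10:00:40", "host": "ws01", "type": "process",
     "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\sample.dll,Entry"},
    {"ts": "2021-11-11T10:01:05", "host": "ws01", "type": "registry", "image": "rundll32.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": "2021-11-11T11:30:00", "host": "ws02", "type": "process",
     "image": "rundll32.exe", "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]
# The three use cases, in the order the chain executes them.
ORDER = ["appinstaller_download", "rundll32_from_temp", "new_autorun_key"]

def stage(ev):
    """Map one event to a stage of the chain, or None if it matches no use case."""
    image = ev["image"].lower()
    if ev["type"] == "network" and image == "appinstaller.exe" \
            and ev["dest"].lower().endswith(".web.core.windows.net"):
        return "appinstaller_download"
    if ev["type"] == "process" and image == "rundll32.exe" \
            and "\\temp\\" in ev["cmdline"].lower():
        return "rundll32_from_temp"
    if ev["type"] == "registry" and "\\currentversion\\run\\" in ev["key"].lower():
        return "new_autorun_key"
    return None

def correlate(events, window_minutes=30):
    """Return hosts on which all three stages fire in order within the window."""
    per_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = stage(ev)
        if s is not None:
            per_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), s))
    hits = []
    for host, seen in per_host.items():
        idx, start = 0, None
        for ts, s in seen:
            if s == ORDER[idx] and (start is None or ts - start <= timedelta(minutes=window_minutes)):
                start = start if start is not None else ts
                idx += 1
                if idx == len(ORDER):
                    hits.append(host)
                    break
    return hits
```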

CVE-2021-41379 Patch Bypass = InstallerFileTakeOver

November 23, 2021

Industry: N/A | Level: Tactical | Source: BleepingComputer

Security researcher Abdelhamid Naceri bypassed the fix Microsoft shipped in the November 2021 patch cycle for the vulnerability tracked as CVE-2021-41379. The exploit is tracked under the name InstallerFileTakeOver. It affects all supported versions of Windows, including Windows 10, 11 and Windows Server 2022, and enables a user to obtain admin-level privileges. BleepingComputer validated how easy the exploit is to use: it “tested the exploit and used it to open a command prompt with SYSTEM privileges from an account with only low-level ‘Standard’ privileges. Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.”

  • Anvilogic Use Case: Potential InstallerFileTakeOver CVE-2021-41379