In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting attack coverage for newly discovered or analyzed threats, including those based on original research conducted by SafeBreach Labs. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook™ to ensure coverage against these advanced threats. Additional details about the threats and our coverage can be seen below.
NEW SafeBreach Original Research
Magic Dot
Microsoft Windows is the world’s most widely used desktop operating system (OS), accounting for more than 70% of market share as of February 2024 and installed on more than 1.4 billion active devices. SafeBreach Labs undertook an effort to determine whether seemingly harmless known issues could be exploited to uncover vulnerabilities and, ultimately, pose a significant security risk. One such issue is the DOS-to-NT path conversion process, which has been left unfixed for years to preserve backwards compatibility.
When a user calls a function that takes a path argument in Windows, the DOS path at which the file or folder exists is converted to an NT path. During this conversion, a known issue exists: the function removes trailing dots from any path element and trailing spaces from the last path element. This conversion is performed by most user-space APIs in Windows. By exploiting this known issue, SafeBreach Labs was able to uncover:
- A remote code execution (RCE) vulnerability (CVE-2023-36396) in Windows’s new extraction logic for all newly supported archive types that allowed researchers to potentially craft a malicious archive that would write anywhere they chose on a remote computer once extracted, leading to code execution.
- Two elevation of privilege (EoP) vulnerabilities: one (CVE-2023-32054) that allowed researchers to potentially write into files without the required privileges by manipulating the restoration of a previous version from a shadow copy, and another that allowed them to delete files without the required privileges.
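As an added illustration (not SafeBreach's research code), the Python below models the stripping rule described in this section and uses it, from the defender's side, to flag archive entries whose names would resolve to a different path than listed, or collide with a sibling entry, once converted. The stripping rule follows the description above; the function names and the archive listing are constructed.

```python
from collections import defaultdict


def dos_to_nt_normalize(dos_path: str) -> str:
    """Model of the stripping rule described above: trailing dots are removed
    from every path element, and trailing spaces (and dots) from the last one.
    '.' and '..' are kept as-is because they are directory references, not names."""
    parts = dos_path.replace("/", "\\").split("\\")
    last = len(parts) - 1
    out = []
    for i, part in enumerate(parts):
        if part in (".", ".."):
            out.append(part)
            continue
        out.append(part.rstrip(". ") if i == last else part.rstrip("."))
    return "\\".join(out)


def find_impersonating_entries(entries):
    """Group archive entry names by the NT path they would resolve to
    (case-insensitively, as Windows does) and return only the groups in which
    at least one name is changed by the conversion. Such an entry is written to
    a different path than its listing suggests and may overwrite a sibling entry
    or a file the extractor never meant to touch."""
    by_nt = defaultdict(list)
    for name in entries:
        by_nt[dos_to_nt_normalize(name).lower()].append(name)
    return {
        nt: sorted(names)
        for nt, names in by_nt.items()
        if any(dos_to_nt_normalize(n) != n for n in names)
    }


# Constructed archive listing used only to exercise the check above.
SAMPLE_ARCHIVE_ENTRIES = [
    "docs\\readme.txt",
    "docs\\readme.txt.",     # trailing dot: lands on docs\readme.txt
    "bin\\tool.exe",
    "bin\\tool.exe ",        # trailing space: lands on bin\tool.exe
    "notes.\\memo.txt",      # trailing dot in a directory element
    "notes\\memo.txt",
    "config\\settings.ini",  # unaffected by the conversion
]

if __name__ == "__main__":
    for nt, names in find_impersonating_entries(SAMPLE_ARCHIVE_ENTRIES).items():
        print(f"{nt!r} <- {names}")
```

An archive extractor or mail gateway can run the same check on entry names before writing anything to disk and quarantine archives that produce a non-empty result.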
SafeBreach Coverage of Magic Dot Threat Research
- #9578 – File Impersonation (MagicDot)
- #9579 – Directory Impersonation (MagicDot)
- #9580 – Parent Deleting Directory (MagicDot)
- #9581 – MagicDot Remote Code Execution (CVE-2023-36396)
More details about the research and findings can be found on the following blog.
Dark Side of EDR: Repurpose EDR as an Offensive Tool
Endpoint detection and response (EDR) solutions have become a key component of many enterprise endpoint security strategies, with a forecasted market value close to $17 billion by 2030. EDR solutions are designed to monitor end-user devices, such as laptops, desktops, and servers, to help organizations detect and address threats like ransomware and malware. As threat actors become increasingly sophisticated, there is a constant tug-of-war between EDR solutions and malware strains. SafeBreach Labs wanted to determine how manipulating the relationship between an EDR and the malware it is intended to block could turn the EDR itself into a malicious offensive tool. The goal was a malware strain that is part of the EDR itself: one that not only bypasses it but also remains persistent and stealthy while running with high privileges. Palo Alto Networks Cortex XDR, one of the most widely used EDR solutions, was chosen for this experiment.
As part of its installation, Cortex XDR includes Lua-based content files containing the underlying logic for its detection mechanisms. Information in these files is used to enforce protection features. By analyzing the content of these files, SafeBreach Labs was able to devise methods to evade the protection mechanisms, including:
- Encrypting files within a specified folder while leaving honeypot files unaffected to avoid detection.
- Conducting a memory dump of the lsass.exe process, which holds sensitive data like user credentials and security tokens.
Additionally, the SafeBreach Labs team identified a couple of ways to exploit Cortex XDR behavior, including:
- Bypassing Cortex’s file anti-tampering protection, ultimately enabling researchers to load a vulnerable driver (bring-your-own-vulnerable-driver [BYOVD]) and patch Cortex XDR’s management password verification within one of its drivers. This allowed them to change Cortex’s logic to reject any administrator password, thus preventing the administrator from removing the XDR with the uninstall password, whether from the Cortex management server or with physical access to the infected machine. It is believed that a full disk format and reinstall of the operating system and Cortex XDR would be required to remove the malicious code.
- Inserting malicious code into one of its processes, granting the researchers high privileges and allowing them to remain undetected and persistent.
SafeBreach Coverage of Dark Side of EDR Threat Research
- #9575 – Cortex Ransomware Protection Bypass
- #9576 – Cortex Lsass Dump Protection Bypass
- #9577 – Disable Cortex Rules to Execute Mimikatz
More details about the research and findings can be found on the following blog.
AcidPour Wiper: What You Need to Know
In March 2024, threat researchers from SentinelLabs uncovered a novel variant of the AcidRain wiper (originally identified in February 2022) that has been used to target Ukrainian telecommunications networks. This new variant, called AcidPour, has expanded capabilities that allow it to better disable embedded devices, including networking, IoT, large storage (RAID), and possibly ICS devices running Linux x86 distributions.
While the old variant, AcidRain, was compiled for the MIPS (Microprocessor without Interlocked Pipeline Stages) architecture, the new variant is compiled for x86. The AcidPour variant is an ELF binary whose codebase has been modified and expanded to include additional capabilities. Notable similarities between AcidRain and AcidPour include the same reboot mechanism, the exact logic of the recursive directory wiping, and, most importantly, the same IOCTL-based wiping mechanism. Additionally, AcidPour expands AcidRain’s set of targeted Linux devices with Unsorted Block Image (UBI) and Device Mapper (DM) logic. One of the most interesting aspects of AcidPour is its coding style, which is very similar to CaddyWiper. AcidPour is written in C without relying on statically compiled libraries or imports; most functionality is implemented via direct syscalls, many of them issued using inline assembly and raw opcodes. Ukraine’s CERT has attributed AcidPour to UAC-0165, a Sandworm-affiliated threat actor.
SafeBreach’s Updated Coverage of AcidRain Wiper
The SafeBreach platform was updated with the following new attacks to ensure our customers can validate their security controls against this wiper variant:
- #9566 – Transfer of Acid Rain (5d7728) wiper over HTTP/S
- #9567 – Transfer of Acid Rain (5d7728) wiper over HTTP/S
- #9568 – Email Acid Rain (5d7728) wiper as a compressed attachment
- #9569 – Email Acid Rain (5d7728) wiper as a compressed attachment
Pikabot Backdoor: What You Need to Know
In February 2024, researchers from McAfee observed a major change in threat campaigns leveraging the PikaBot backdoor. PikaBot, first observed in 2023, is a malicious backdoor comprising a loader and a core module; the core module performs the malicious actions, including executing commands and injecting payloads received from a command-and-control server.
PikaBot is typically distributed via multiple file types, depending on the objective and nature of the attack. By leveraging different file types, motivated threat actors can exploit multiple threat vectors, increasing their chances of success and evading detection by bypassing security measures. The latest PikaBot campaigns rely heavily on HTML, JavaScript, and Excel files.
- Pikabot was distributed via a zip file containing an HTML file, which was then downloaded as a text file to deploy the payload. By using a meta tag refresh for redirection, threat actors were able to leverage client-side execution to bypass security measures.
- Pikabot, distributed through a compressed zip file containing a .js (JavaScript) file, initiated the execution of curl.exe to retrieve the malicious payload, allowing the malware to manipulate system processes to achieve its objectives.
- A brand-new distribution method involving the use of Excel spreadsheets exploited user familiarity with Excel and cloud services to facilitate the spread of malware.
SafeBreach’s Updated Coverage of Pikabot Backdoor
The SafeBreach platform was updated with the following new attacks to ensure our customers can validate their security controls against this backdoor malware variant:
- #9804 – Write Pikabot (4ccda9) backdoor to disk
- #9805 – Pre-execution phase of Pikabot (4ccda9) backdoor (Windows)
- #9806 – Transfer of Pikabot (4ccda9) backdoor over HTTP/S
- #9807 – Transfer of Pikabot (4ccda9) backdoor over HTTP/S
- #9808 – Email Pikabot (4ccda9) backdoor as a compressed attachment
- #9809 – Email Pikabot (4ccda9) backdoor as a compressed attachment
Latrodectus Malware: What You Need to Know
Proofpoint researchers first identified the Latrodectus malware in November 2023. This malware, distributed via email campaigns, has been attributed to the threat groups TA577 and TA578. Latrodectus is a downloader whose objective is to download payloads and execute arbitrary commands. Initial analysis suggested that Latrodectus might be a variant of IcedID. However, additional analysis has revealed that it is indeed a novel piece of malware, named after a string identified in its code. That said, it is very likely that IcedID and Latrodectus share the same developers.
Latrodectus incorporates sandbox evasion functionality similar to that of Pikabot and WikiLoader, intended to slow down threat researchers. Threat actors typically use contact forms to initiate a conversation with a victim. They were also observed impersonating various companies to send legal threats about alleged copyright infringement. If a link on the impersonated site was clicked, the victim was redirected to a landing page personalized to display both the victim’s domain and the name of the impersonated company reporting the infringement. The landing page then downloads a malicious JavaScript file from a Google Firebase URL.
Latrodectus resolves Windows API functions dynamically by hash, checks for the presence of a debugger, gathers operating system information, enumerates running processes, and checks that the computer does not already have a Latrodectus infection running. The malware then attempts to install itself, sets an AutoRun key, and creates a scheduled task for persistence. Latrodectus posts encrypted system information to the command-and-control (C2) server and requests the download of the bot. Once the bot registers with the C2, it requests commands from it.
SafeBreach Coverage of Latrodectus Malware
The SafeBreach platform was updated with the following new attacks to ensure our customers can validate their security controls against this malware variant:
- #9981 – Write Latrodectus (5e6de9) downloader to disk
- #9982 – Transfer of Latrodectus (5e6de9) downloader over HTTP/S
- #9983 – Transfer of Latrodectus (5e6de9) downloader over HTTP/S
- #9984 – Email Latrodectus (5e6de9) downloader as a compressed attachment
- #9985 – Email Latrodectus (5e6de9) downloader as a compressed attachment
VenomRAT: What You Need to Know
The threat actor known as TA558 has used a large-scale phishing campaign to distribute VenomRAT (a Remote Access Trojan) and target organizations across Latin America, the United States, the Dominican Republic, Spain, and Portugal. TA558’s primary victims include organizations in the hotel, travel, trading, financial, manufacturing, industrial, and government verticals.
The latest attacks use phishing emails as the initial access vector to drop VenomRAT, a fork of Quasar RAT with capabilities to harvest sensitive data and commandeer systems remotely. VenomRAT uses various privilege escalation techniques to gain higher-level permissions, often overlapping with persistence techniques. These include exploiting system weaknesses, misconfigurations, and vulnerabilities to achieve elevated access.
SafeBreach Coverage of VenomRAT
The SafeBreach platform was updated with the following attacks to ensure our customers can validate their security controls against this RAT:
- #9987 – Pre-execution phase of VenomRAT (596168) RAT (Windows)
- #9988 – Transfer of VenomRAT (596168) RAT over HTTP/S
- #9989 – Transfer of VenomRAT (596168) RAT over HTTP/S
- #9990 – Email VenomRAT (596168) RAT as a compressed attachment
- #9991 – Email VenomRAT (596168) RAT as a compressed attachment
PAN-OS Vulnerability (CVE-2024-3400): What You Need to Know
Palo Alto Networks is warning users about a critical flaw that impacts the PAN-OS software used in its GlobalProtect gateways. CVE-2024-3400 (rated CVSS 10.0, Critical) is a command injection vulnerability in the GlobalProtect feature of PAN-OS that, for specific PAN-OS versions and feature configurations, may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
The flaw impacts the following versions of PAN-OS. Palo Alto Networks strongly advises customers to immediately upgrade to a fixed version to protect their devices, even where workarounds and mitigations have already been applied:
- PAN-OS < 11.1.2-h3
- PAN-OS < 11.0.4-h1
- PAN-OS < 10.2.9-h1
SafeBreach Coverage of the PAN-OS Vulnerability
The SafeBreach platform was updated with the following attack to ensure our customers can validate their security controls against this vulnerability:
- #9992 – Remote exploitation of PAN-OS command injection CVE-2024-3400 (WAF)
Mallox Ransomware: What You Need to Know
According to Unit42 researchers, Mallox (also known as TargetCompany, FARGO, and Tohnichi) is a ransomware strain targeting Microsoft (MS) Windows systems since June 2021, primarily exploiting unsecured MS-SQL servers as a penetration vector. Recent observations by Unit42 researchers have revealed Mallox ransomware using brute force techniques, data exfiltration, and tools such as network scanners.
Mallox ransomware follows the double-extortion model – stealing data before encrypting an organization’s files, and then threatening to publish the stolen data on a leak site as leverage to convince victims to pay the ransom fee. Each victim is given a private key to interact with the group and negotiate terms and payment. The ransomware threat group has claimed hundreds of victims across multiple industries, including manufacturing, professional and legal services, wholesale, and retail.
Mallox begins with a dictionary brute-force attack, trying a list of known or commonly used passwords against MS-SQL servers. After gaining access, the attackers use the command line and PowerShell to download the Mallox ransomware payload from a remote server. The payload then downloads another file, which enables Remote Desktop Protocol (RDP) and executes the ransomware payload using Windows Management Instrumentation (WMI). Mallox leaves a ransom note in every directory on the victim’s drive; the note explains the infection and provides contact information.
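As an added example (not Unit42's or SafeBreach's code), the Python below covers the detection side of the first step of this chain: it parses SQL Server ERRORLOG-style "Login failed" lines, groups failures by client address, and flags any client that exceeds a threshold of failures inside a sliding time window, so a password-list attack against the MS-SQL listener stands out from ordinary typos. The log lines, addresses and user names are constructed; the threshold and window are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of a SQL Server ERRORLOG logon-audit line: timestamp, "Logon" source,
# the failed login name, a reason text, and the client address in brackets.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def detect_sql_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client: (max_failures_in_window, sorted_user_names)} for every
    client address that produced at least `threshold` failed logins within
    any span of length `window`. Lines that are not logon failures are ignored."""
    events = defaultdict(list)  # client -> [(timestamp, user), ...]
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events[m["client"]].append((ts, m["user"]))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # advance the window start until evs[start:end+1] fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client] = (best, sorted({u for _, u in evs}))
    return flagged


# Constructed ERRORLOG excerpt: one noisy client cycling through accounts,
# one legitimate user mistyping a password once, and an unrelated server line.
_REASON_PW = "Reason: Password did not match that for the login provided."
_REASON_NO = "Reason: Could not find a login matching the name provided."
SAMPLE_ERRORLOG = [
    f"2024-04-10 12:00:01.23 Logon       Login failed for user 'sa'. {_REASON_PW} [CLIENT: 203.0.113.5]",
    f"2024-04-10 12:00:02.01 Logon       Login failed for user 'sa'. {_REASON_PW} [CLIENT: 203.0.113.5]",
    f"2024-04-10 12:00:02.77 Logon       Login failed for user 'admin'. {_REASON_NO} [CLIENT: 203.0.113.5]",
    f"2024-04-10 12:00:03.40 Logon       Login failed for user 'sa'. {_REASON_PW} [CLIENT: 203.0.113.5]",
    f"2024-04-10 12:00:04.12 Logon       Login failed for user 'sqladmin'. {_REASON_NO} [CLIENT: 203.0.113.5]",
    f"2024-04-10 12:00:05.90 Logon       Login failed for user 'sa'. {_REASON_PW} [CLIENT: 203.0.113.5]",
    f"2024-04-10 12:07:30.00 Logon       Login failed for user 'jsmith'. {_REASON_PW} [CLIENT: 10.0.0.21]",
    "2024-04-10 12:08:00.00 Server      SQL Server is now ready for client connections.",
]

if __name__ == "__main__":
    for client, (count, users) in detect_sql_bruteforce(SAMPLE_ERRORLOG).items():
        print(f"{client}: {count} failures in one window, accounts tried: {users}")
```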
SafeBreach Coverage of Mallox Ransomware
The SafeBreach platform was updated with the following attacks to ensure our customers can validate their security controls against the ransomware variant:
- #10011 – Pre-execution phase of Mallox (4e6420) ransomware (Windows)
- #10012 – Transfer of Mallox (4e6420) ransomware over HTTP/S
- #10013 – Transfer of Mallox (4e6420) ransomware over HTTP/S
- #10014 – Email Mallox (4e6420) ransomware as a compressed attachment
- #10015 – Email Mallox (4e6420) ransomware as a compressed attachment
- #10016 – Write prueba5 malox (631339) ransomware to disk
- #10017 – Pre-execution phase of prueba5 malox (631339) ransomware (Windows)
- #10018 – Transfer of prueba5 malox (631339) ransomware over HTTP/S
- #10019 – Transfer of prueba5 malox (631339) ransomware over HTTP/S
- #10020 – Email prueba5 malox (631339) ransomware as a compressed attachment
- #10021 – Email prueba5 malox (631339) ransomware as a compressed attachment
Interested in Protecting Against Advanced Ransomware?
SafeBreach now offers a complimentary and customized real-world ransomware assessment, RansomwareRx, that allows you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:
- Training: Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
- Assessment: Review goals and ensure simulation connections to our management console and all configurations are complete.
- Attack Scenario: Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
- Report: Receive a custom-built report with simulation results and actionable remediation insights.
Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.