norm. threat bulletin: 03rd May 2023

Norm threat bulletin

Malicious adversaries and the Cyber Kill Chain

The Cyber Kill Chain, a Lockheed Martin framework, describes the seven steps that an adversary needs to accomplish to achieve their objectives. These steps cover attacks from their start to their end and everything in between. This framework can bring a new understanding of what adversaries need to do to compromise a network and what you can do to make their objectives significantly harder.


Step 1 – Reconnaissance

Much like physical crime, it always starts with reconnaissance – research and identification of potential targets before continuing. This will include vulnerability discovery, identifying entry points and high value assets, and OSINT (Open-Source Intelligence) on the target organisation. Adversaries may search for systems vulnerable to new zero-day exploits, vulnerabilities that do not have patches released by product vendors.

Step 2 – Weaponisation

An adversary will weaponise their gathered information once all necessary information has been obtained. Malware can be built or customised specifically to suit the target environment or phishing campaigns can be targeted toward high value targets.

Step 3 – Delivery

Delivery brings in the hacking tools that the adversary will use to gain access to the target. This can be through phishing emails, leveraging hardware/software vulnerabilities to gain initial access, or by using USB/removable media to infect a system.

Step 4 – Exploitation

With an initial foothold in the target, an adversary must pivot and move laterally within the target network to leverage additional exploits to reach their targets, all the while using information gained from the reconnaissance stage. Often multiple vulnerabilities are chained together to achieve the end goal.

Step 5 – Installation

Malware or other additional hacking tools will be installed on the target to take control of the target and other systems, steal and exfiltrate targeted data, or compromise the system in the form of a denial of service (DOS) or ransom.

Step 6 – Command & Control (C2)

To maintain persistence on the target system/network, two-way communication must be setup for the attacker to communicate with their compromised assets. Typically, this is used by Botnets like Mirai, Emotet, and Dridex, to direct waves of attacks against new targets.

Step 7 – Actions on objectives

The seventh and final step is for the adversary to act on their own objectives. These can vary but can by impacted by politics, financial gain, disinformation, denial of service, extortion via ransomware etc.

By utilising Norms complete Cyber Security as a Service (CSaaS) you can cover your organisation across all seven steps of the Cyber Kill Chain with our Vulnerability Management, Phishing Simulation, and round-the-clock SOC monitoring services.


[1] Cyber Kill Chain® | Lockheed Martin

[2] The Cyber Kill Chain: The Seven Steps of a Cyberattack | EC-Council (

AI tools expected to breathe new life into BEC attacks

Across all recorded Business Email Compromise (BEC) attacks over the past 12 months, 57% of them have relied on language as the main attack vector to deliver and masquerade them in front of unsuspecting employee targets, according to a study by Amorblox. The data gathered for this study was gathered from more than 58,00 clients, with over 4 billion emails analysed and over 800,000 threats mitigated every month. It was also found that language was the main attack vector used in BEC attacks, with this vector used in 4/5 phishing attacks.

Small to Medium Businesses (SMBs) are some of the most vulnerable targets to these attacks, with roughly 58% of SMBs being targeted by account compromise attacks. Another statistic shows that 20% of all BEC attacks involved graymail or unwanted solicitation mail, which can divert attention from security teams, with research finding that this can waste up to 27 hours per week manually sorting and removing graymail.

Another important statistic discovered there was a 70% increase in phishing attacks performed in 2022, compared to the 63% increase in 2021. These statistics outline the prevalence of phishing attacks and their increasing popularity among threat actors.

AI tools such as ChatGPT are expected to generate an even greater rise in the number of BEC emails that flood the inboxes of company employees as they can provide automation in regard to producing a phishing email that appears legitimate to a user, with the AI bot asking a user to provide prompts to dictate how they want the email to be worded (E.g., the tone of the email). These AI tools can also be used to provide insights into how to perform phishing attacks or setup phishing campaigns, making them a valuable tool for wannabe threat actors. There are ethical rules in place with some AI bots to try and mitigate nefarious usage, however researchers have already shown these limitations can be easily overridden.

With the threat of Phishing attacks growing each year and new tools that can aid in the production and distribution of them becoming more popular, it is important to stay educated on these forms of attacks.

The Cyber Safety and Phishing module from norm. can educate users on how to spot a likely malicious email. With this education, not only would users be more aware of the tactics used by attackers but also the content will enable them to exercise caution when clicking on suspicious emails and links. It is also recommended to take a minute to assess an email or message before responding and never give any remote access to your device.

EvilExtractor – A surging threat

EvilExtractor is an information stealer malware seen by Fortinet researchers in multiple attacks in the United States and Europe to Windows OS in specific. Some of the reports include the tool dropping ransomware onto the victim’s device with the intent to steal images, files, take screenshots, key log, use the webcam to take pictures, and to also destroy your data. Originally, this program was created and developed by Kodex as an “educational tool”, however cybercriminals have leveraged its powerful modules maliciously.

So how does the EvilExtractor work? It relies on the ftp service, initial access is based on the user interaction on what appears to be a legitimate PDF file received, an example being via a phishing email or through Dropbox.

Fig 1 – (Fortinet)

Once the user has been tricked to click on the malicious file, a Python program will be executed and reveal a PYARMOR string.

Fortinet 1 1
Fig 2 – (fortinet)

A Base64 Obfuscated PowerShell scripts will then launch the following 8 modules:

  • Date time checking
  • Anti-Sandbox
  • Anti-VM
  • Anti-Scanner
  • FTP server setting
  • Steal data
  • Upload Stolen data
  • Clear log

Three additional Python components “,” “,” and “” will be downloaded.

  • is used to extract cookies from Google Chrome, Microsoft Edge, Opera, and Firefox and also collects browsing history and saved passwords from other programs.
  • is a keylogger that records the victim’s keyboard inputs and saves them in a local folder to be exfiltrated at a later point.
  • is a webcam extractor, which can secretly activate the webcam, capture video or images, and upload the files to the attacker’s FTP server, which Kodex rents.
Fortinet 2
Fig 3 – kodex ransomware note (fortinet)

The Kodex module seen as a “ransomware” is within the loader and can be activated. If this is the case, a file named “” is downloaded from the product website. Kodex is still developing and adding features to EvilExtractor and this app is currently in the wild spreading phishing campaigns.

norm. recommends that all users be vigilant and aware of any unsolicited emails or files sent. norm.‘s Cyber Safety and Phishing module does provides educational content to train users and prepare them when facing potential phishing emails. In addition, norm.‘s Threat Detection & Response module will detect potentially malicious files such as the files mentioned in this article.

EvilExtractor malware activity spikes in Europe and the U.S. (
EvilExtractor – All-in-One Stealer | FortiGuard Labs (
Evil Extractor malware targets Windows devices to steal data | TechRadar
Evil Extractor Targets Windows Devices to Steal Sensitive Data – Infosecurity Magazine (

PaperCut vulnerability exploit is actively being used

Attackers are leveraging improper access control to bypass authentication and execute arbitrary code on affected installations. This is actively being run on installations of PaperCut NG.

The vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut. As of the 18th of April 2023, the vendor has evidence that unpatched servers are being exploited in the wild with the earliest known event taking place on the 13th of April 2023 UTC. The Vendor has issued an update on the 25th of April.

ZDI-CAN-18987/PO-1216 also known as CVE-2023-27350 PaperCut say the following “We have confirmed that under certain circumstances this allows for an unauthenticated attacker to get Remote Code Execution (RCE) on a PaperCut Application Server. This could be done remotely and without the need to log in.” This vulnerability has been rated with a CVSS score of 9.8.

Due to this being actively used in the wild PaperCut have taken the precaution to not reveal too much about the vulnerabilities.

ZDI-CAN-19226/PO-1219 also known as CVE-2023-27351 PaperCut say the following “We have confirmed that under certain circumstances this allows for an unauthenticated attacker to potentially pull information about a user stored within PaperCut MF or NG – including usernames, full names, email addresses, office/department info and any card numbers associated with the user. The attacker can also retrieve the hashed passwords for internal PaperCut-created users only (note that this does notinclude any password hashes for users sync’d from directory sources such as Microsoft 365 / Google Workspace / Active Directory and others). This could be done remotely and without the need to log in.” Papercut stated they do not have any evidence of this vulnerability being used against their customers at this point. This vulnerability has been rated with a CVSS score of 8.2.

The immediate advice is to upgrade PaperCut Application Servers to one of the following versions listed below if you have not already done so. This is extremely important as its actively being exploited in the wild. 

The vulnerability has been fixed on the following versions PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 or later. Norm agrees with PaperCut’s recommendation to upgrade to one of the versions containing the fix.

With the potential of data loss, can you really afford to wait to upgrade to a version containing a fix?

It is recommended that you upgrade all Application Servers and Site servers by the vendor, and they have reported that there should be no negative impact from applying these security fixes with no other manual steps needed to be taken.

By utilising norm.’s Vulnerability Patch Management module, customers can ensure that they are protected against vulnerabilities disclosed via vendor bug bounty programs.


PaperCut MF/NG vulnerability bulletin (March 2023)

CVE-2023-27350 Detail

CVE-2023-27351 Detail

Get norm.’s threat bulletin direct to your inbox

norm. tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.

You can receive this bulletin for free, every fortnight, by entering your business email address below: