norm. threat bulletin: 22nd February 2023

Havoc replaces Cobalt Strike and Brute Ratel

Havoc is a modern and malleable post-exploitation command and control framework, comparable to Cobalt Strike and Brute Ratel with one distinctive feature; it is open source and as such, free. Because of this, it has been observed as an alternative tool of choice in an increasing number of attacks.

Analysis on the cross-platform framework casts light on techniques that can bypass even the most updated version of Windows 11 Defender, it is considered challenging to detect because it uses several sophisticated evasion techniques.

It allows its operators to execute commands, manage payloads, manipulate Windows tokens, execute shellcode, and download extra payloads, amongst other tasks. A shellcode loader deactivates the Event Tracing for Windows (ETW), on compromised systems, and loads the Havoc payload without DOS and NT headers, all in an effort to avoid detection.

The tool has been observed to have been utilised by an attack group to launch an attack on an undisclosed government organisation as recent as January 2023. Additionally, a recent report by reversing labs uncovered that the framework was distributed through a harmful npm package, which imitated a legitimate module by typosquatting.

Running norm.’s Threat Detection & Response service can prevent execution of obfuscated scripts and prevent scripts from launching downloaded executable content. This in combination with IDS sensors within your environment to detect suspicious traffic, enabling our security operations centre to analyse and detect any potentially malicious or suspicious traffic.

Microsoft patches three actively exploited Zero-Days

Microsoft has released patches for 75 CVE numbered vulnerabilities, of note are three zero-day vulnerabilities which are being actively exploited in the wild. In this article, we will take a look at these three high priority threats.

CVE-2023-21715

This is a vulnerability which allows attackers to bypass a Microsoft publisher security feature, the Office macro policies used to block untrusted or malicious files. This attack is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer

CVE-2023-23376

This is a vulnerability in the Windows Common Log File System that could allow attackers to achieve SYSTEM privileges on a target host. This is being chained with an RCE bug to spread malware or ransomware within an estate.

CVE-2023-21823

This is a vulnerability in Windows Graphics Component and could lead to remote code execution and a total takeover of a vulnerable system. Unfortunately, Microsoft did not share any details about the attacks in which this vulnerability is being exploited.

By utilising norm.‘s Vulnerability Patch Management service, you can ensure your Windows devices receive this patch and remain up to date, removing the threat posed by the actively exploited zero days above.

New evasive Malware that can fly under the radar observed

Cybersecurity researchers have unearthed a new piece of evasive Malware dubbed ‘Beep’ that’s designed to fly under the radar and drop additional payloads onto a compromised host. Researchers noted the Malware creators took steps to implement as many anti-debugging and anti-sandbox techniques as possible, with one such technique involving delayed execution through the use of the Beep API function, which is where the Malware’s name originated from.

Beep comprises of three components, the first of which is a dropper that’s responsible for creating a new Windows Registry key and executing a Base64-encoded PowerShell script stored in it. This PowerShell script reaches out to a remote server to retrieve an injector, which after confirming its not being debugged or launched in a virtual machine, extracts and launches the payload via the technique process hollowing. (Process hollowing is the act of injecting malicious code into suspended and hollowed processes in order to evade process-based defences).

The retrieved payloads is an information stealer that’s tasked to collect and exfiltrate system information and enumerate system running processes. This payload is capable of other instructions from its command-and-control server including the ability to execute DLL and EXE files.

Researchers remarked that the malware includes features within the code that are yet to be implemented, suggesting that Beep is still in its early stages of development, resulting in it being likely that multiple versions will be observed in future.

What sets Beep Malware apart from the multitude of other Malware packages seen before is its very heavy focus on stealth, adopting a sheer number of detection evasion methods in an effort to resists analysis, avoid sandboxes and delaying execution. Once this execution is run and successfully penetrated a system, it can easily download and spread by a wide range of additional malicious tools, including Ransomware, making Beep extremely dangerous.

By utilising norm.’s Threat Detection & Response service you can prevent execution of potentially obfuscated scripts and prevent scripts from launching downloaded executable content, helping to prevent your estate from this attack.

Social engineering attacks increased in Q4 2022

A report released by Avast Threat Labs has found during their investigation of scams and fraud attacks throughout Q4 of 2022 that cybercriminals are getting better at exploiting fear and creating a sense of urgency among victims to carry out malicious activities.

The report highlights a rise in social engineering attacks including invoice and refund fraud and tech support scams. Refund and invoice fraud saw a 22% jump in December 2022, with perpetrators utilising emails originating from a trustworthy organisation to create the illusion of unauthorised charges and false receipts. In some cases, the intended victim was also contacted via a specific telephone number by an attacker posing as an agent and requested access to the individual’s computer and financial accounts. The tech support attacks were aimed at stealing money or engaging in information theft or spying on victims.

Cybercriminals continue to manipulate and scam individuals in multiple ways. The Cyber Safety and Phishing module from norm. can educate users on how to spot a likely malicious email. With this education, not only would users be more aware of the tactics used by attackers but also the content will enable them to exercise caution when clicking on suspicious emails and links. It is also recommended to take a minute to assess an email or message before responding and never give any remote access to your device.

Swiss Army Knife Malware on the rise

Swiss Army Knife Malware is multipurpose Malware that can perform malicious actions across the cyber kill chain and evade detection by security controls. According to research, this type of Malware is on the rise with security researchers analysing of over 550,000 open-source threat intelligence services, security vendors and researchers, and Malware sandboxes and databases.

The researchers observed the Malware’s behaviour and extracted over 5 million actions; this data was then used to identify the ten most common ATT&CK techniques leveraged by cybercriminals in 2022.

Analysis showed the average Malware leverages 11 different tactics, techniques, and procedures (TTP’s). With one third of Malware leveraging more than 20 TTPS’ and one tenth leveraging more than 30 TTPS.  

Traditional, rudimentary types of Malware are designed to perform basic functions. Others, like a surgeon’s scalpel, are engineered to conduct single tasks with great precision. As shown in their research, the cyber security industry is seeing more Malware that can do anything and everything. This ‘Swiss Army Knife’ Malware can enable attackers to move through networks undetected at great speed, obtain credentials to access critical systems, and encrypt data.

By utilising norm.‘s Vulnerability Patch Management service, you can ensure firstly that software is up to date with the latest security patches, greatly reducing the attack surface, by adding norm.‘s Threat Detection & Response module on top of this, you can ensure this attack surface is protected as best as possible.

Further reading:

08th February 2023 Threat Bulletin