norm. threat bulletin: 29th November 2023

LummaC2: Malware leveraging trigonometry as an anti-sandbox technique

In a recent update, the infostealer malware LummaC2 can leverage trigonometry to detect the presence of an automated malware sandbox, reported by Alberto Marín of Outpost24.

Threat actors and malware authors use anti-sandbox techniques to avoid having their malware detonated in analysis environments. These techniques can range from making code and functionality difficult to analyse to outright detection of a virtual environment. Some malware families have been known to attempt sandbox escapes, disrupt log collection (Black Basta), or even overloading the virtual system completely to end any analysis attempts (Bazar).

LummaC2 has integrated an effective method of sandbox detection by recording and analysing the movement of the mouse cursor prior to detonation. Typically, the mouse movements in automated malware analysis sandboxes like JoeSandbox move randomly, abruptly, and are not smooth movements along the screen.

LummaC2 records five unique cursor positions 50ms apart. Vectors are generated between these points and the angle between each is calculated. Angles less than 45° constitute human behaviour, while greater angles indicate automated mouse movements indicative of a malware sandbox. LummaC2 will continually repeat this cursor position and movement angle check.

Alberto states that this will result in an unsuccessful detonation in most cases. We expect that as this technique becomes more widespread, sandbox environments will catch on and bake in more realistic mouse movements to emulate real user interaction.

By utilising norm.’s Threat Detection & Response service your assets are monitored around the clock for the detonation of infostealer malware including LummaC2.

References:
Unveiling LummaC2 stealer’s novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection – Outpost24
Black Basta, Software S1070 | MITRE ATT&CK®
Bazar, Software S0534 | MITRE ATT&CK®

Black Fridays phishing emails soar by 237%, here is what you can do and what to look for

‘Tis the season of festive lights, joyous carols, and the ever-enticing allure of holiday deals. As we merrily approach the most wonderful time of the year, there is a shadow lurking in the digital realm.

This year, as the world gears up for the holiday shopping frenzy, we have observed a not-so-jolly surge in a different kind of gift-giving—unwanted and potentially malicious. In a plot twist reminiscent of a Grinchy cyber tale, Black Friday phishing emails have soared to unprecedented heights, marking a staggering 237% increase compared to just last month.

So, as we wrap ourselves in the warmth of the holiday spirit, it’s essential to unwrap the truth about this cyber threat that’s attempting to turn our festivities into a cyber winter nightmare.

The Threat Intelligence Specialists at Egress have noted a distinct surge in phishing emails posing as well-known brands. Cyber criminals use varied tactics to challenge your security intuition, such as employing stylised HTML templates with official logos and links to the real brand’s site. However, these emails also harbor at least one malicious link, typically disguised as a tempting discount, or offer in a call-to-action (CTA) button which is almost indiscernible to the untrained eye.

So here at norm. We wanted to give you some handy tips and precautions about how you can protect yourself from some pretty nasty surprises during the Festive season:

• When possible, choose a credit card instead of a debit card, as credit cards provide an extra layer of fraud protection, making it easier to recover funds in the event of fraudulent transactions.
• Multi-Factor authentication on any of your accounts will add a robust layer of defense in the unfortunate event of compromising your credentials, making it more challenging for hackers to get into your account.
• Prioritise safe networks for your online activities; avoid public Wi-Fi usage if possible.
• If an offer appears too good to be true, and if especially time limited, it likely is.
• At the end of the day, if you have any doubts, it is best to avoid clicking on links or making purchases from the seller. Review any user reviews, and most importantly, trust your instincts, as they are generally dependable.

Sometimes, our instincts can fail us, which is why it is so important to be aware and trained in the art of detecting malicious emails. Luckily for you we can help save you from future troubles by partaking in our Cyber Safety and Phishing module from norm. It can educate users on how to spot a likely malicious email. With this education, not only would you be more aware of the tactics used by attackers, but the content will also enable you to exercise caution when clicking on suspicious emails and links. We highly recommend that you take a minute to assess an email or message before responding and never give any remote access to your device.

References:
Black Friday phishing emails up 237% (egress.com)
Black Friday: Phishing Emails Soar 237% (infosecurity-magazine.com)
Safety Principles for Black Friday & Cyber Monday (digit.fyi)
Black Friday Scams: How to Stay Safe Online This Festive Season (digit.fyi)

Microsoft Exchange Server authenticated SSRF vulnerability (Zero day)

A researcher affiliated with Trend Micro’s Zero Day Initiative (ZDI) recently disclosed an unauthenticated Server-Side Request Forgery (SSRF) zero-day vulnerability within the Microsoft Exchange Server. This vulnerability is yet to receive a CVE number.

The Zero day vulnerability found in Microsoft Exchange Server allows an attacker to manipulate web applications and make unintended requests to a user supplied URL. An attacker can exploit it for internal access requests and/or lead internal information to an external attacker controlled server.

This vulnerability is plagued with the following issues reported by ZDI:

• Exchange OWA is frequently exposed to the internet.
• The vulnerability could be exploited by any authenticated user (any user with a mailbox). Even though this means that authentication is required, the number of mailboxes deployed in some organisations can run into the hundreds of thousands.
• It allows performing any HTTP GET request, with full control over the URL and query string parameters.
• It retrieves the content of the response.

Due to these issues, it can be quite damaging and a massive risk to sensitive information, mainly because of the last point; the ability to retrieve the contents of the response. Accessing internal network information might seem like a big risk, but Microsoft seems to think it is not worth an instant patching.

Technically, the ‘CreateAttachmentFromUri’ method is the cause of the problem, usually allowing a file attachment to be added to a message with the clip button. Instead accepting a Uniform Resource Identifier (URI) and initiating the request to a specified URI and generating an attachment based on the received response. Thus, allowing an attacker access to the usually inaccessible internal server.

According to Qualys Threat Research Unit, the vulnerability was verified on a fully patched Exchange Server 2019, 2016 and 2013.

While there is no current patch available, the ZDI advisory notes that this Microsoft Exchange vulnerability requires authentication for successful exploitation, presenting a challenge for potential attackers. Nevertheless, it is important to acknowledge that threat actors can acquire credentials through various means, such as phishing, to meet this prerequisite.

As always it is imperative to stay vigilant, a combination of norm.‘s Cyber Safety & Phishing and Vulnerability Management modules would help mitigate the risk, posed by this vulnerability.

Hopefully, Microsoft release a patch in due course.

References:
Unpatched powerful ssrf in exchange owa getting response through attachments (Zero Day Initiative)
Microsoft exchange server authenticated ssrf vulnerability zero-day (Qualys)