Hello Everyone, this week your editor is Dharminder.

I am back again with another edition of This Week in Security, This week I have looked at

DoubleFinger, a crypto-stealer, BATCloak a fully undetectable (FUD) malware obfuscation engine and CISA directive for federal civilian agencies on network devices.

We in F5 SIRT invest lot of time to understand the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under security emergency please contact F5 SIRT.

Ok so let's get started to find details of security news. 

DoubleFinger Crypto Stealer

If you own crypto currency or planning to own it, then you must know that there are criminals who are always looking for new ways to steal crypto. Researcher from Kaspersky has recently discovered a sophisticated attack where a multi-stage DoubleFinger loader delivers a cryptocurrency stealer.

Attack starts with an email containing malicious PIF file. As soon as the victim opens the malicious attachment series of event happens. There are five different stages of DoublFinger which finally executes GreetingGhoul stealer on the victim’s host

GreetingGhoul is a stealer designed to steal cryptocurrency-related credentials. It consists of majorly two components. First uses MS WebView2 to create overlays on cryptocurrency wallet interfaces and the second detects cryptocurrency wallet apps and steals sensitive informations

Other then GreetingGhoul, researchers have also found several DoubleFinger samples that have downloaded Remcos RAT which is a well-known RAT often used by cybercriminals.

Kaspersky team have provided some suggestions (in the link below) on how a user can protect their cryptowallets. But as a general rule always think twice before opening any attachment. 

https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/

https://www.kaspersky.com/blog/doublefinger-crypto-stealer/48418/

https://thehackernews.com/2023/06/beware-new-doublefinger-loader-targets.html

CISA Directive 23-02 for Federal Agencies.

It is well know that often attackers uses internet facing network devices as entry point to gain unrestricted access to organizational networks. Since the devices are accessible from anywhere from the internet, it makes those devices easy target for attackers. In order to mitigate this risk, CISA has released cybersecurity directive to order all federal civilian agencies to remove devices from the public-facing internet.

As per the CISA directive, All federal civilian executive-branch agencies are required to comply with the following actions for all federal information systems hosted by agencies or third parties on their behalf.

1. Within 14 days of notification by CISA or discovery by an agency of a networked management interface in scope for this Directive, agencies will take at least one of the following actions:
   1. Remove the interface from the internet by making it only accessible from an internal enterprise network (CISA recommends an isolated management network);
   2. Deploy capabilities, as part of a Zero Trust Architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself (preferred action).
2. Agencies will implement technical and/or management controls to ensure that all management interfaces on existing and newly added devices, identified as in scope for this Directive, have at least one of the following protections in place:
   1. The interface is removed from the internet by making it only accessible from an internal enterprise network (CISA recommends an isolated management network);
   2. The interface is protected by capabilities, as part of a Zero Trust Architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself (preferred action).

It is also mentioned in the directive document that:

• CISA will conduct scans to identify devices and interfaces falling within the directive's scope and notify the agencies of its findings.
• CISA will provide federal agencies a reporting interface and standard remediation plan templates if remediation efforts exceed required timeframes.

It is indeed a great way to reduce the attack surface and every organisation should adapt this approach.

https://www.cisa.gov/news-events/directives/binding-operational-directive-23-02

https://www.cisa.gov/news-events/news/cisa-directs-federal-agencies-secure-internet-exposed-management-interfaces#:~:text=WASHINGTON%20%E2%80%93%20The%20Cybersecurity%20and%20Infrastructure,the%20public%2Dfacing%20internet%20or

https://therecord.media/cisa-binding-operational-directive-remove-tools-from-public-internet

BatCloak a Malware Obfuscation Engine

A recent investigation done by Trend Micro researchers have revealed a FUD (fully undetectable ) malware obfuscation engine BatCloak being used to deploy various malwares by the attackers. Per researchers BatCloak can persistently evade security solutions.

The BatCloak engine is the core engine of Jlaive’s obfuscation algorithm and includes LineObfuscation.cs and FileObfuscation.cs.  The file LineObfuscation.cs is the main file responsible for line obfuscation where as The FileObfuscation.cs algorithm contains the logic responsible for obfuscating batch files.

As per Trend Micro report, the opensource tool Jlaive was officially introduced to hacker community in Sept 2022 which was hosted on both Github and Gitlab. Later it was taken down but it didn’t stop other actors to make clone and make modifications.

Various stages of Jlaive.

(Source: Trend Micro)

 

The actor behind Jlaive contributed to numerous iterations and adaptations of the BatCloak engine and has also contributed FUD capabilities to other projects, such as CryBat, Exe2Bat, ScrubCrypt, and SeroXen. Out of these ScrubCrypt is the most recent one.

Developers of ScrubCrypt have made it closed-source most likely monetize it and also avoid unauthorise use of it. Apart from FUD capabilities, ScrubCrypt contains features  to invade host-based security measures such as User account control (UAC) bypass, Anti-debugging capabilities, AMSI bypass and Event tracing for Windows (ETW) bypass

Trend Micro warns that adversaries will likely continue to push the highly-effective BatCloak engine in future crime tools, and the presence of BatCloak in numerous malware families serves as a compelling testament to the engine’s inherent modularity.

https://www.trendmicro.com/en_in/research/23/f/analyzing-the-fud-malware-obfuscation-engine-batcloak.html

https://thehackernews.com/2023/06/cybercriminals-using-powerful-batcloak.html