SteganoAmor, Fake IP Scanner, MITRE Corporation Breach - April 14-20, 2024 - This Week in Security



Hello Everyone, this week your editor is Dharminder. I am back again with another edition of This Week in Security, This week I have security news about SteganoAmor Campaign ran by a well-known TA558 group, A Fake IP scanner software distributing backdoor MadMxShell, MITRE Corporation breach and Vulnerability disclosure program for Defense Industrial Base.

We in F5 SIRT invest lot of time to understand the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under security emergency please contact F5 SIRT.

Ok so let's get started to find details of security news.


TA558 - SteganoAmor Campaign

Researchers from the Positive Technologies Expert Security Center discovered more than three hundred attacks worldwide, which they believe were performed by well-known TA558 group.

As per the researchers, to target various sectors in number of countries, TA558 has been using steganography to obfuscate the delivery of malware like Agent Tesla, FormBook, Remcos RAT, and others within images and text files.

Steganography is the way of hiding information within another message or object to avoid detection. It can conceal various types of digital content like text, images, videos, or audio files, which can then be extracted at the intended destination. Codename given to this campaign is SteganoAmor. Whole attack process starts with a phishing email, containing a Microsoft Excel attachment that exploits a flaw(CVE-2017-11882) to download a Visual Basic Script, that in turn, fetches the next-stage payload, which further downloads two images from an external URL. Downloaded Images are embedded with a Base64-encoded component that ultimately retrieves and executes the Agent Tesla malware on the compromised host. To make the email look credible, attacker uses compromised SMTP and FTP servers. Interesting point to note here is that attacker was able to exploit a Microsoft Excel vulnerability CVE-2017-11882 which was fixed years ago,  It means, unpatched Microsoft Excel is still n use.

The takeaway from this news, always keep the software up to date and always be extra cautious before opening an email attachment. 


Google Ads For Distributing Fake IP Scanner Software with Hidden Backdoor

Zscaler ThreatLabz researchers  has discovered a new malvertising campaign where threat actor is using Google Ads, featuring domains that mimic legitimate IP scanner software to distribute a new backdoor named MadMxShell. Using typosquatting  technique, threat actor have registered multiple look-alike domains to target specific search keywords and redirect users to malicious sites. Upon clicking download buttons, users unwittingly download a ZIP file containing a backdoor that uses DLL side-loading and process hollowing techniques to inject malicious code into legitimate processes. The backdoor, utilizing DNS MX queries for command-and-control communication, performs various malicious activities like gathering system information, executing commands, and manipulating files while evading security solutions. Zscaler researcher’s has detected two accounts linked to malware operators on underground forums using the email, which was also used for a domain spoofing Advanced IP Scanner. These operators have shown interest in setting up unlimited Google AdSense threshold accounts since June 2023, suggesting plans for a long-term malvertising campaign. Such threshold accounts are often traded on BlackHat forums, allowing threat actors to run ad campaigns without immediate payment until reaching a high threshold limit, enabling extended campaign durations.

The takeaway from this news, never download any file from untrusted source.


Vulnerability Disclosure Program for Defense Industrial Base

The Department of Defense Cyber Crime Center (DC3) and Defense Counterintelligence and Security Agency (DCSA) have joined forces to establish the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP). This voluntary program aims to enhance cybersecurity within the Defense Industrial Base (DIB) by allowing ethical researchers to analyze and assess vulnerabilities in participating companies' assets and platforms. The program aligns with national-level cybersecurity strategies and past successful pilot programs, leveraging partnerships with HackerOne and the DoD-Defense Industrial Base Collaborative Information Sharing Environment. Through this strategic partnership, DC3 and DCSA aim to improve information sharing, vulnerability management, and cybersecurity practices to address evolving cyber threats in the DIB.

The takeaway from this news, To secure the future start acting today. 


MITRE Corporation Breach

MITRE Corporation disclosed being targeted by a nation-state cyber attack in January 2024. As per MITRE attacker exploited two zero-day vulnerabilities in Ivanti Connect Secure appliances to compromised their NERVE (Networked Experimentation, Research, and Virtualization Environment) but they did not find any indication that their core enterprise network or partners' systems were affected. The attackers bypassed multi-factor authentication, breached VMware infrastructure, and deployed backdoors. The exploitation, initially attributed to a group linked to China, has since seen involvement from other Chinese hacking groups. MITRE has contained the incident, conducted forensic analysis, and is advocating for enhanced cybersecurity practices in response.

The takeaway from this news, no one is safe from cyber attacks, so always be alert.

Updated Apr 29, 2024
Version 2.0

Was this article helpful?

No CommentsBe the first to comment