Hello Everyone, this week your editor is Dharminder.
I am back again with another edition of This Week in Security. This week I have looked at DoubleFinger, a crypto-stealer; BatCloak, a fully undetectable (FUD) malware obfuscation engine; and a CISA directive for federal civilian agencies on internet-exposed network devices.
We in F5 SIRT invest a lot of time in understanding the constantly changing behaviour of bad actors. Bad actors are a threat to your business, your reputation and your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to mitigate attacks and vulnerabilities and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.
Ok, let's get started with this week's security news.
DoubleFinger Crypto Stealer
If you own cryptocurrency, or are planning to, you should know that criminals are always looking for new ways to steal it. Researchers from Kaspersky have recently discovered a sophisticated attack in which the multi-stage DoubleFinger loader delivers a cryptocurrency stealer.
The attack starts with an email carrying a malicious PIF attachment. A PIF (Program Information File) looks like a harmless shortcut but is executed by Windows just like an .exe, so as soon as the victim opens it a chain of events begins: DoubleFinger runs through five stages, the last of which executes the GreetingGhoul stealer on the victim's host.
GreetingGhoul is a stealer designed to harvest cryptocurrency-related credentials. It consists of two main components: the first uses Microsoft WebView2 to draw overlays on top of cryptocurrency wallet interfaces and capture what the victim enters into them, and the second detects installed cryptocurrency wallet apps and steals sensitive information from them.
Besides GreetingGhoul, the researchers also found several DoubleFinger samples that download Remcos RAT, a well-known remote access trojan often used by cybercriminals.
The Kaspersky team has provided some suggestions (in the link below) on how users can protect their crypto wallets. As a general rule, always think twice before opening any attachment.
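Because the whole chain starts with one executable attachment, the cheapest place to break it is the mail gateway. The script below is an added example (my own code, not Kaspersky's detection logic and not part of the original post) that parses a message with Python's standard email library and flags attachments whose name ends in an executable extension such as .pif, uses a double extension to look like a document, or starts with the MZ header of a Windows executable regardless of its name. The sample message, the attachment name and the base64 payload are all constructed for the demo.

```python
"""Flag executable e-mail attachments (.pif and friends) before they reach a user.

Added example: illustrates the check, not any vendor's product logic.
"""
import email
from email import policy

# Extensions Windows treats as executable when double-clicked. .pif is the one
# DoubleFinger uses; the rest are the usual suspects. Extend for your environment.
EXEC_EXTENSIONS = {'.pif', '.exe', '.scr', '.com', '.bat', '.cmd',
                   '.vbs', '.js', '.lnk', '.hta'}

# Constructed message, not a real DoubleFinger lure. The base64 body decodes to
# bytes beginning with "MZ", the DOS/PE header, so the content check fires too.
SAMPLE_EML = """From: sender@example.invalid
To: victim@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.pif"
Content-Disposition: attachment; filename="invoice.pdf.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""


def is_executable_name(name: str) -> bool:
    """True if the file name ends in an executable extension.
    Windows silently strips trailing dots and spaces, so do the same first."""
    lower = name.lower().rstrip('. ')
    return any(lower.endswith(ext) for ext in EXEC_EXTENSIONS)


def has_double_extension(name: str) -> bool:
    """'invoice.pdf.pif' style names that hide the real extension."""
    return name.lower().count('.') >= 2 and is_executable_name(name)


def looks_like_pe(part) -> bool:
    """Content check that does not trust the file name at all."""
    data = part.get_payload(decode=True) or b''
    return data[:2] == b'MZ'


def flag_attachments(raw_message: str):
    """Return [(filename, [reasons])] for every suspicious attachment."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ''
        reasons = []
        if is_executable_name(name):
            reasons.append('executable extension')
        if has_double_extension(name):
            reasons.append('double extension')
        if looks_like_pe(part):
            reasons.append('PE header (MZ)')
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == '__main__':
    for name, reasons in flag_attachments(SAMPLE_EML):
        print(f'{name}: {", ".join(reasons)}')
```

The name checks are what most gateways already do; the MZ check is the one worth adding, because a renamed executable still has to be an executable when Windows runs it.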
CISA Directive on Internet-Exposed Network Devices
It is well known that attackers often use internet-facing network devices as an entry point to gain broad access to organisational networks. Because the management interfaces of these devices are reachable from anywhere on the internet, they are an easy target. To mitigate this risk, CISA has released a binding cybersecurity directive ordering all federal civilian agencies to take the networked management interfaces of such devices off the public-facing internet, or to put them behind zero-trust access controls.
As per the CISA directive, all federal civilian executive-branch agencies are required to comply with the following actions for all federal information systems hosted by agencies, or by third parties on their behalf.
It is also mentioned in the directive document that:
This is indeed a good way to reduce the attack surface, and every organisation, not just federal agencies, should adopt the same approach.
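The hard part of complying is knowing which management listeners are actually exposed. Below is an added example (my own code, not CISA tooling and not part of the original post) that audits a small device inventory: a listener is reported when it is a management interface, its address is outside the ranges treated as internal, and its source ACL admits at least one non-internal network. The inventory rows, the device names and the RFC 5737 documentation addresses (203.0.113.x, 198.51.100.x, standing in for public IPs) are all constructed for the demo; the list of internal ranges is an assumption to adjust per environment.

```python
"""Audit an inventory for management interfaces reachable from the internet.

Added example. Inventory and address ranges are constructed for the demo.
"""
import ipaddress

# Address space treated as not reachable from the internet: RFC 1918 plus
# loopback and link-local. Add organisation-specific ranges as needed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
    '127.0.0.0/8', '169.254.0.0/16')]

# Constructed inventory. 'role' separates management listeners (in scope)
# from user-facing services such as a VPN portal (out of scope here).
# 'allowed_from' is the source ACL on the listener; empty means no ACL.
INVENTORY = [
    {'device': 'edge-fw-1', 'ip': '203.0.113.10', 'port': 443,
     'role': 'mgmt', 'allowed_from': ['0.0.0.0/0']},        # web UI open to the world
    {'device': 'edge-fw-1', 'ip': '10.0.0.10', 'port': 443,
     'role': 'mgmt', 'allowed_from': ['10.0.0.0/8']},        # same UI on the inside interface
    {'device': 'edge-rtr-1', 'ip': '198.51.100.1', 'port': 22,
     'role': 'mgmt', 'allowed_from': ['10.50.0.0/16']},      # ssh, ACL limited to a jump network
    {'device': 'vpn-1', 'ip': '198.51.100.7', 'port': 443,
     'role': 'service', 'allowed_from': ['0.0.0.0/0']},      # user VPN portal, not management
    {'device': 'core-sw-1', 'ip': '203.0.113.22', 'port': 161,
     'role': 'mgmt', 'allowed_from': []},                    # snmp with no ACL at all
]


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def cidr_is_internal(cidr: str) -> bool:
    """True if the whole ACL entry lies inside an internal range.
    0.0.0.0/0 or any public range therefore counts as internet access."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == big.version and net.subnet_of(big)
               for big in INTERNAL_NETS)


def exposed_management_interfaces(inventory):
    """Return (device, ip, port) for every management listener the internet can reach."""
    findings = []
    for row in inventory:
        if row['role'] != 'mgmt' or is_internal(row['ip']):
            continue
        acl = row['allowed_from'] or ['0.0.0.0/0']   # no ACL means anyone may connect
        if any(not cidr_is_internal(c) for c in acl):
            findings.append((row['device'], row['ip'], row['port']))
    return findings


if __name__ == '__main__':
    for device, ip, port in exposed_management_interfaces(INVENTORY):
        print(f'EXPOSED  {device}  {ip}:{port}  -> move behind VPN/zero-trust or restrict sources')
```

Note that the ACL-restricted SSH listener on edge-rtr-1 is not reported even though it sits on a public address: the check is about who can reach the interface, not only where it is numbered. Whether an ACL alone satisfies the directive is a policy question; the script just tells you where to look.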
BatCloak FUD Obfuscation Engine
A recent investigation by Trend Micro researchers has revealed a fully undetectable (FUD) malware obfuscation engine, BatCloak, being used by attackers to deploy various malware families. According to the researchers, BatCloak can persistently evade security solutions.
The BatCloak engine is the core of Jlaive's obfuscation algorithm and consists of LineObfuscation.cs and FileObfuscation.cs. LineObfuscation.cs is responsible for obfuscating individual lines, while FileObfuscation.cs contains the logic for obfuscating the batch file as a whole.
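To see what line-level obfuscation of a batch file looks like from the analyst's side, here is an added example (my own code, not BatCloak's or Jlaive's, whose source is not reproduced on this page). It reverses two tricks that batch obfuscators commonly rely on: caret insertion (`e^c^h^o`), which cmd.exe strips silently, and substring expansion of set variables (`%var:~start,len%`), which assembles the real command from slices of innocuous-looking strings. It also computes a couple of cheap triage indicators. The sample batch text is constructed for the demo and is not a real Jlaive/BatCloak artifact; the base64 after -enc is a placeholder.

```python
"""Reverse caret insertion and %var:~s,l% expansion in obfuscated batch files.

Added example modelling two common batch obfuscation techniques, not
BatCloak's actual algorithm.
"""
import re

# Constructed sample, not a real BatCloak/Jlaive output.
SAMPLE_BAT = (
    '@e^c^h^o off\n'
    's^e^t "zq=powershell"\n'
    's^e^t "kd=-WindowStyle Hidden"\n'
    '%zq% %kd:~0,12% %kd:~-6% -enc SQBFAFgA\n'
)

SET_RE = re.compile(r'^\s*set\s+"?([^="\s]+)=([^"]*)"?\s*$', re.I)
VAR_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?%')


def strip_carets(line: str) -> str:
    """Remove cmd.exe escape carets: '^x' -> 'x', '^^' -> '^'.
    Carets inside double quotes are literal and are kept."""
    out, in_quote, i = [], False, 0
    while i < len(line):
        c = line[i]
        if c == '"':
            in_quote = not in_quote
            out.append(c)
        elif c == '^' and not in_quote and i + 1 < len(line):
            out.append(line[i + 1])     # keep the escaped character, drop the caret
            i += 1
        else:
            out.append(c)
        i += 1
    return ''.join(out)


def collect_vars(lines):
    """Record 'set name=value' assignments (cmd variable names are case-insensitive)."""
    env = {}
    for ln in lines:
        m = SET_RE.match(ln)
        if m:
            env[m.group(1).lower()] = m.group(2)
    return env


def expand(line: str, env: dict) -> str:
    """Expand %name%, %name:~start% and %name:~start,len% with cmd slicing rules."""
    def sub(m):
        name, start, length = m.group(1).lower(), m.group(2), m.group(3)
        if name not in env:
            return m.group(0)               # unknown variable: leave untouched
        value = env[name]
        if start is None:
            return value
        piece = value[int(start):]          # negative start counts from the end
        if length is not None:
            piece = piece[:int(length)]     # negative length drops chars from the end
        return piece

    for _ in range(10):                     # bounded so a self-referencing variable cannot loop forever
        new = VAR_RE.sub(sub, line)
        if new == line:
            break
        line = new
    return line


def deobfuscate(text: str) -> str:
    lines = [strip_carets(ln) for ln in text.splitlines()]
    env = collect_vars(lines)
    return '\n'.join(expand(ln, env) for ln in lines)


def indicators(text: str) -> dict:
    """Triage signals: caret density and substring expansions are rare in
    hand-written batch files and very common in obfuscator output."""
    carets = text.count('^')
    slices = len(re.findall(r'%[A-Za-z_]\w*:~-?\d+', text))
    return {'carets': carets, 'substring_expansions': slices,
            'suspicious': carets >= 5 or slices >= 2}


if __name__ == '__main__':
    print(indicators(SAMPLE_BAT))
    print(deobfuscate(SAMPLE_BAT))
```

The last line of the cleaned output is a plain PowerShell launcher, which is exactly what a reviewer wants to see and what the caret noise was hiding from signature-based scanners. Real engines layer more on top (random variable names, delayed expansion, embedded base64 payloads), so treat the indicator thresholds as a starting point for tuning, not as a detection rule.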
As per the Trend Micro report, the open-source tool Jlaive was introduced to the hacker community in September 2022 and was hosted on both GitHub and GitLab. It was later taken down, but that did not stop other actors from cloning and modifying it.
Various stages of Jlaive (Source: Trend Micro).
The actor behind Jlaive contributed to numerous iterations and adaptations of the BatCloak engine and has also contributed FUD capabilities to other projects, such as CryBat, Exe2Bat, ScrubCrypt and SeroXen. Of these, ScrubCrypt is the most recent.
The developers of ScrubCrypt have made it closed-source, most likely to monetise it and to prevent unauthorised use. Apart from FUD capabilities, ScrubCrypt includes features to evade host-based security measures, such as a User Account Control (UAC) bypass, anti-debugging capabilities, an Antimalware Scan Interface (AMSI) bypass and an Event Tracing for Windows (ETW) bypass.
Trend Micro warns that adversaries will likely continue to use the highly effective BatCloak engine in future crime tools, and that its presence in numerous malware families is a compelling testament to the engine's modularity.