Severity
High
Analysis Summary
A new strain of information-stealing malware, believed to be linked to the well-known Redline stealer, is being distributed disguised as a game cheat called 'Cheat Lab'. The lure promises a free copy of the cheat to anyone who convinces others to install it.
Redline, known for harvesting sensitive data such as saved passwords and cryptocurrency wallet information, is widely used by cybercriminals and is distributed globally through many channels. According to researchers, this variant ships its malicious logic as compiled Lua bytecode rather than as a conventional executable, which helps it evade detection; it injects into legitimate processes and takes advantage of Just-In-Time (JIT) compilation of that bytecode for performance.
Although the malware shares a command-and-control (C2) server with Redline, its behaviour differs: unlike Redline, this variant was not observed stealing browser data or saved passwords. It is distributed as a ZIP archive containing an MSI installer, which drops the malicious files when run.
The installer prompts the user to share the program with friends to unlock the full version, adding a social-engineering element to its propagation. Once installed, the malware establishes persistence through a scheduled task and communicates with the C2 server, sending system information and waiting for further commands.
The initial infection vector remains unclear, but information stealers of this kind are commonly spread through malvertising, deceptive software-download sites and other untrustworthy sources. Users should avoid downloading unsigned executables or files from dubious websites.
This case underscores how cybercriminals disguise malware as legitimate software to exploit unsuspecting users. Even platforms such as Microsoft's GitHub, typically considered reliable, are not immune to hosting such threats. Working with reputable security firms and adopting cautious browsing habits remain essential defences against these increasingly sophisticated attacks.
Impact
- Sensitive Information Theft
- Cryptocurrency Theft
Indicators of Compromise
IP
- 213.248.43.58
MD5
- ecf943bf12019c1fd2a948b33d739657
- 75d539df595217555d98c59af85edab1
- da93380e27ef93a7b46af81a3b8c0f13
- f33e239a228ad29b22f40a503db1dd60
SHA-256
- 5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610
- 873aa2e88dbc2efa089e6efd1c8a5370e04c9f5749d7631f2912bcb640439997
- 751f97824cd211ae710655e60a26885cd79974f0f0a5e4e582e3b635492b4cad
- dfbf23697cfd9d35f263af7a455351480920a95bfc642f3254ee8452ce20655a
SHA-1
- e1eab61b64b46d27746c969d1bfb65c24c49a57e
- a67b14c2ddfda8f770cfeef0d3b676b433df500c
- 620c61603dfd44074133b20ae15f2b1a7478be9a
- 8b56571cd8c39978c657818f2ff6b05753c9fd94
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never download apps from unofficial sources.
- Treat emails from unknown senders with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Passwords – Ensure that general security policies are enforced, including strong passwords, correct configurations, and proper administrative security policies.
- Admin Access – Limit access to administrative accounts and portals to relevant personnel only, and make sure they are not publicly accessible.
- Patch and upgrade platforms and software promptly, and make timely patching a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and keep signature definitions up to date. Multi-layered protection is necessary to secure vulnerable assets.
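To make the first two remediation steps concrete, the following is an added example written for this page; it is not code from the original advisory or from the researchers it cites. It ingests the advisory's IOC list exactly as published, then scans a handful of constructed log and EDR records (not real telemetry) for exact IP and hash tokens rather than substrings, so a hash that merely appears inside a longer hex value, or an address that shares a prefix with the C2 IP, does not produce a false positive. The hostnames, paths, the 'cheatlab.exe' file name and the record formats in the sample data are assumptions made for illustration.

```python
"""Hunt for the advisory's IOCs in log/EDR records (added example, not from the original page)."""
import ipaddress
import re
from dataclasses import dataclass

# The advisory's IOC section, copied as text so the parser below can ingest it as published.
IOC_SECTION = """\
IP
- 213.248.43.58
MD5
- ecf943bf12019c1fd2a948b33d739657
- 75d539df595217555d98c59af85edab1
- da93380e27ef93a7b46af81a3b8c0f13
- f33e239a228ad29b22f40a503db1dd60
SHA-256
- 5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610
- 873aa2e88dbc2efa089e6efd1c8a5370e04c9f5749d7631f2912bcb640439997
- 751f97824cd211ae710655e60a26885cd79974f0f0a5e4e582e3b635492b4cad
- dfbf23697cfd9d35f263af7a455351480920a95bfc642f3254ee8452ce20655a
SHA-1
- e1eab61b64b46d27746c969d1bfb65c24c49a57e
- a67b14c2ddfda8f770cfeef0d3b676b433df500c
- 620c61603dfd44074133b20ae15f2b1a7478be9a
- 8b56571cd8c39978c657818f2ff6b05753c9fd94
"""

# Match tokens, not substrings: a dotted quad must not be preceded or followed by a digit
# or a dot, and a hash must be exactly 32/40/64 hex characters between word boundaries.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
HASH_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_ioc_section(text):
    """Turn the advisory's '- value' bullets into an IP set and a lower-cased hash set."""
    ips, hashes = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("- "):
            continue  # the "IP", "MD5", "SHA-256", "SHA-1" headers carry no value
        value = line[2:].strip().lower()
        if IPV4_RE.fullmatch(value):
            ips.add(value)
        elif HASH_RE.fullmatch(value):
            hashes.add(value)
    return ips, hashes


@dataclass(frozen=True)
class Match:
    line_no: int
    kind: str   # "ip", "md5", "sha1" or "sha256"
    ioc: str
    record: str


def extract_iocs(record):
    """Yield (kind, value) for every IP and hash token in one record, normalised for lookup."""
    for m in IPV4_RE.finditer(record):
        try:
            ipaddress.IPv4Address(m.group(0))   # rejects octets > 255 that \d{1,3} lets through
        except ValueError:
            continue
        yield "ip", m.group(0)
    for m in HASH_RE.finditer(record):
        token = m.group(0).lower()              # EDR exports often upper-case hashes
        yield HASH_ALGO[len(token)], token


def hunt(records, ips, hashes):
    """Return every record that carries one of the IOCs, in record order."""
    hits = []
    for n, record in enumerate(records, 1):
        for kind, value in extract_iocs(record):
            if value in (ips if kind == "ip" else hashes):
                hits.append(Match(n, kind, value, record))
    return hits


# Constructed sample records (assumed formats, not real telemetry). Record 3 reuses the
# advisory's first SHA-256 in upper case; record 4 embeds an advisory MD5 inside an unrelated
# 64-character value to show why a naive substring search would false-positive; record 5 is a
# scheduled-task creation, the persistence mechanism the advisory describes.
SAMPLE_RECORDS = [
    "2024-04-22T10:15:02Z proxy src=10.0.5.17 dst=213.248.43.58:443 action=allow bytes=1834",
    "2024-04-22T10:15:03Z proxy src=10.0.5.17 dst=213.248.43.5 action=allow bytes=120",
    "host=WS-0412 event=file_create path=C:\\Users\\bob\\AppData\\Local\\Temp\\cheatlab.exe "
    "sha256=5E37B3289054D5E774C02A6EC4915A60156D715F3A02AACEB7256CC3EBDC6610",
    "host=WS-0412 event=file_create path=C:\\Users\\bob\\Downloads\\readme.txt "
    "sha256=ecf943bf12019c1fd2a948b33d739657ecf943bf12019c1fd2a948b33d739657",
    "host=WS-0412 event=task_create taskname=CheatLab "
    "md5=ecf943bf12019c1fd2a948b33d739657",
]


def naive_substring_hits(records, iocs):
    """The tempting one-liner: also flags record 4 on the embedded MD5, which hunt() does not."""
    return [n for n, r in enumerate(records, 1) if any(i in r.lower() for i in iocs)]


if __name__ == "__main__":
    ips, hashes = parse_ioc_section(IOC_SECTION)
    for hit in hunt(SAMPLE_RECORDS, ips, hashes):
        print(f"record {hit.line_no}: {hit.kind} {hit.ioc}")
```

Run against the constructed records it reports the C2 connection in record 1, the SHA-256 in record 3 and the MD5 in record 5, and nothing for record 4; the same IOC set fed to the substring one-liner flags record 4 as well. In practice, replace `SAMPLE_RECORDS` with lines read from your proxy, DNS or EDR exports and keep the token-based extraction, since hashes in exports are frequently upper-cased and addresses are often followed by a port.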