April 26, 2024
Severity
High
Analysis Summary
The North Korea-linked Lazarus Group has deployed a new remote access trojan, named Kaolin RAT, against targets in the Asian region, once again using its tried-and-true fake job lures.
In addition to the usual RAT capabilities, the malware can load any DLL binary it receives from the command-and-control (C2) server and modify the last write timestamp of a chosen file. The RAT also serves as the delivery vehicle for the FudModule rootkit, which exploits a now-patched admin-to-kernel vulnerability in the appid.sys driver (CVE-2024-21338, CVSS score: 7.8). Once the rootkit is in place, this exploit gives it a kernel read/write primitive that it ultimately uses to disable security protections.
“The attacker initiates the attack by presenting a fabricated job offer to an unsuspecting individual, utilizing social engineering techniques to establish contact and build rapport,” explained the researchers.
The Lazarus Group is not the first to infiltrate targets using employment offer lures. The long-running campaign, known as Operation Dream Job, has a history of distributing malware via a variety of social media and instant messaging services.
Through these initial access vectors, targets are tricked into opening a malicious optical disc image (ISO) file containing three files. One of them poses as the Amazon VNC client ("AmazonVNC.exe") but is in fact a renamed copy of the Windows application "choice.exe". The other two files are "version.dll" and "aws.cfg". The executable "AmazonVNC.exe" side-loads "version.dll", which then launches an IExpress.exe process and injects into it a payload taken from "aws.cfg".
The payload downloads shellcode from a C2 domain, believed to be a legitimate but compromised website belonging to an Italian company that specializes in granite and marble excavation and processing. The exact nature of the shellcode is unknown, but it is thought to start RollFling, a DLL-based loader that fetches and launches the next-stage malware, RollSling. Microsoft disclosed RollSling last year in connection with a Lazarus Group campaign that exploited a critical JetBrains TeamCity vulnerability (CVE-2023-42793, CVSS score: 9.8).
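The side-loading chain described above (a renamed built-in executable, a system DLL name loaded from beside it, and IExpress.exe spawned as its child) leaves a recognizable pattern in endpoint telemetry. The following detection logic is an added example written for this page; it is not code from the advisory, the researchers, or any vendor product. It assumes Sysmon-style records (process creation with Image, OriginalFileName and ParentImage; image load with Image and ImageLoaded) and runs over constructed sample events that mirror the chain.

```python
"""Added detection example for the Kaolin RAT side-loading chain.

Assumption: telemetry in Sysmon style. EventID 1 = process creation
(Image, OriginalFileName, ParentImage); EventID 7 = image load
(Image, ImageLoaded). The sample events below are constructed, not real logs.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# DLL names that legitimately live in System32; the same name loaded from
# anywhere else is the classic side-loading signal.
SIDELOAD_DLLS = {"version.dll"}
# Built-in executables the advisory describes being used as a launcher.
WATCHED_CHILDREN = {"iexpress.exe"}

# Constructed sample telemetry mirroring the described chain.
SAMPLE_EVENTS = [
    # Benign: choice.exe running under its own name from System32.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\choice.exe",
     "OriginalFileName": "CHOICE.EXE",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    # Suspicious: choice.exe renamed to AmazonVNC.exe on a mounted ISO (E:).
    {"EventID": 1, "Image": "E:\\AmazonVNC.exe",
     "OriginalFileName": "CHOICE.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # Suspicious: version.dll loaded from beside the renamed binary.
    {"EventID": 7, "Image": "E:\\AmazonVNC.exe",
     "ImageLoaded": "E:\\version.dll"},
    # Benign: version.dll loaded from System32 by an ordinary application.
    {"EventID": 7, "Image": "C:\\Program Files\\App\\app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
    # Suspicious: IExpress.exe started by the renamed binary.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\iexpress.exe",
     "OriginalFileName": "IEXPRESS.EXE",
     "ParentImage": "E:\\AmazonVNC.exe"},
]


def _in_system_dir(path):
    """True when the file's directory is one of the Windows system directories."""
    return ntpath.dirname(path).lower().rstrip("\\") in SYSTEM_DIRS


def renamed_system_binary(ev):
    """Rule 1: the on-disk name differs from the PE's OriginalFileName.

    Legitimate software occasionally renames binaries too, so treat this as a
    triage signal to correlate with the other rules rather than a verdict.
    """
    if ev.get("EventID") != 1 or not ev.get("OriginalFileName"):
        return False
    return ntpath.basename(ev["Image"]).lower() != ev["OriginalFileName"].lower()


def sideloaded_system_dll(ev):
    """Rule 2: a DLL that belongs in System32 was loaded from elsewhere."""
    if ev.get("EventID") != 7:
        return False
    dll = ev["ImageLoaded"]
    return ntpath.basename(dll).lower() in SIDELOAD_DLLS and not _in_system_dir(dll)


def launcher_from_unusual_parent(ev):
    """Rule 3: a watched launcher (IExpress.exe) spawned by a non-system parent."""
    if ev.get("EventID") != 1:
        return False
    child = ntpath.basename(ev["Image"]).lower()
    return child in WATCHED_CHILDREN and not _in_system_dir(ev["ParentImage"])


RULES = {
    "renamed_system_binary": renamed_system_binary,
    "sideloaded_system_dll": sideloaded_system_dll,
    "launcher_from_unusual_parent": launcher_from_unusual_parent,
}


def analyze(events):
    """Return (rule_name, Image) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                findings.append((name, ev["Image"]))
    return findings


if __name__ == "__main__":
    for rule_name, image in analyze(SAMPLE_EVENTS):
        print(f"{rule_name:30s} {image}")
```

Each rule alone produces noise on a busy estate; the value is in seeing all three fire within a short window for the same process tree, which is how the chain above would present. Sysmon populates OriginalFileName from the PE version resource, so rule 1 is only as good as that field being logged.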
RollSling is the next stage of the infection chain; it is most likely executed directly in memory to evade security software. Its main purpose is to start RollMid, a third loader that also runs in memory. To set up the attack and establish communication with a C2 server, RollMid proceeds through the following steps:
- Contact the first C2 server to obtain an HTML file containing the address of the second C2 server.
- Contact the second C2 server to retrieve a PNG image in which a malicious component is concealed using steganography.
- Use the address hidden in the image data to send data to the third C2 server.
- Fetch another blob of Base64-encoded data from the third C2 server, which is the Kaolin RAT.
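The advisory says the second-stage PNG carries a hidden component but does not specify how it is embedded. A defender triaging images retrieved from suspect hosts can still apply structural checks that do not depend on the embedding method: a PNG whose chunk stream contains non-standard chunk types, chunks with bad CRCs, or data appended after the IEND chunk deserves a closer look. The following parser is an added example written for this page, not code from the advisory or the researchers; the heuristics it applies are the author's assumptions, and it builds its own constructed sample images so it runs offline.

```python
"""Added example: structural triage of PNG files fetched from suspect hosts.

Assumption: the concrete embedding technique is unknown (the advisory only
says "steganography"), so the checks here are generic structural heuristics,
not a signature for this campaign. Sample images are constructed in build_png.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is worth noting.
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
}


def _chunk(ctype, data):
    """Serialize one chunk: length, type, data, CRC32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_png(width=1, height=1, extra_chunks=(), trailer=b""):
    """Build a minimal valid 8-bit RGB PNG (constructed sample data).

    extra_chunks: iterable of (type_bytes, data_bytes) inserted before IEND.
    trailer: raw bytes appended after IEND, as a crude payload carrier would do.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # One scanline = filter byte 0 followed by width black RGB pixels.
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw))
    for ctype, data in extra_chunks:
        png += _chunk(ctype, data)
    return png + _chunk(b"IEND", b"") + trailer


def triage_png(data):
    """Walk the chunk stream and return a list of structural findings (empty = clean)."""
    findings = []
    if not data.startswith(PNG_SIG):
        return ["not-a-png"]
    pos = len(PNG_SIG)
    saw_iend = False
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        name = ctype.decode("latin-1")
        crc_pos = pos + 8 + length
        if crc_pos + 4 > len(data):
            findings.append(f"truncated-chunk:{name}")
            break
        body = data[pos + 8:crc_pos]
        (expected_crc,) = struct.unpack(">I", data[crc_pos:crc_pos + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != expected_crc:
            findings.append(f"bad-crc:{name}")
        if name not in STANDARD_CHUNKS:
            findings.append(f"nonstandard-chunk:{name}:{length}")
        pos = crc_pos + 4
        if ctype == b"IEND":
            saw_iend = True
            if pos < len(data):
                findings.append(f"trailing-bytes:{len(data) - pos}")
            break
    if not saw_iend:
        findings.append("missing-IEND")
    return findings


def demo():
    """Run the triage over a clean image and a constructed suspect image."""
    clean = build_png()
    suspect = build_png(
        extra_chunks=[(b"stEg", b"constructed payload")],  # private chunk type
        trailer=b"BASE64DATA==",                          # bytes after IEND
    )
    return {"clean": triage_png(clean), "suspect": triage_png(suspect)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result or "no findings")
```

A real stego payload hidden in pixel data (for example in low-order bits) would pass these checks, which is why they are a first-pass filter rather than a verdict; pair them with the network context, here an image fetched by a process that should not be fetching images at all.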
As the security researchers pointed out, the technical intricacy of this multi-stage sequence borders on overkill: the Kaolin RAT establishes communication with its C2 server and then facilitates the installation of the FudModule rootkit. Beyond that, the malware can enumerate files, perform file operations, upload files to the C2 server, change the last modified date of a file, list, create, and terminate processes, run commands via cmd.exe, download DLL files from the C2 server, and open a connection to any host.
The Lazarus Group targeted individuals with fake job offers and used a sophisticated toolkit to gain improved persistence while evading security solutions. Building such an intricate attack chain clearly required significant investment, and Lazarus has had to keep innovating and spending heavily on research into Windows mitigations and security technologies. The capacity of these actors to adapt and evolve remains a serious obstacle to defensive efforts.
Impact
- Security Bypass
- Unauthorized Remote Access
- Cyber Espionage
- Data Theft
Remediation
- Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administration security policies.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Deploy advanced threat detection solutions that can identify and analyze suspicious activities, patterns, and behaviors across your network and endpoints. Utilize intrusion detection systems (IDS), intrusion prevention systems (IPS), and next-generation firewalls to proactively monitor and block malicious activities.
- Implement network segmentation to compartmentalize sensitive systems and data.
- Strengthen email security protocols to identify and block phishing attempts. Train employees to recognize suspicious emails and attachments, and employ email filtering technologies to reduce the likelihood of successful spear-phishing attacks.
- Regularly update and patch all software, applications, and operating systems to minimize potential entry points for cyber attackers.
- Enforce MFA across your organization to add an extra layer of security to user accounts and critical systems.
- Deploy advanced endpoint security solutions that offer real-time threat detection and response. This includes antivirus software, endpoint detection and response (EDR) tools, and behavioral analysis to identify suspicious activities.
- Ensure that systems are securely configured and hardened following industry best practices. Disable unnecessary services, ports, and protocols to reduce the attack surface.
- Develop and regularly update an incident response plan that outlines the steps to be taken in the event of a cyber attack. This plan should include communication protocols, roles and responsibilities, and procedures for containing and mitigating the attack.
- Conduct regular security audits and penetration testing to identify vulnerabilities and weaknesses in your systems and infrastructure.