
Threat Intel Roundup OpenVPN eBPF AsyncRAT OpenSea

Uploaded by

Mesara Al-anani

Week in Overview (7 Nov-14 Nov)

WWW.THREATRADAR.NET
Threat Intel Roundup: OpenVPN, eBPF, AsyncRAT, OpenSea

Technical Summary
1. Kernel Exploit and Rootkit Detection Using eBPF
  Technology: eBPF (extended Berkeley Packet Filter) in Linux.
  Purpose: Detect kernel exploits and rootkits.
  Mechanisms:
    wCFI (Control Flow Integrity): Monitors kernel call stack and validates return addresses against a bitmap of valid call sites.
    PSD (Privilege Escalation Detection): Tracks changes in kernel credential structures to identify unauthorized privilege escalations.
  Implementation: eBPF programs attached to kernel functions, submitting events to userspace for analysis.
2. Email Phishing Campaigns Targeting OpenSea Users and Developers
  Target: OpenSea platform users and developers.
  Method:
    Fake developer account risk alerts.
    Fraudulent offers.
  Modus Operandi: Emails mimicking official communication to deceive recipients into revealing sensitive information or credentials.
3. Chrome Use-After-Free Vulnerability in WebAudio (CVE-2023-5996)
  Vulnerability: Use-after-free in Chrome's WebAudio component.
  CVE ID: CVE-2023-5996.
  Resolution: Ignoring channel count updates after the audio context is closed to prevent exploitation.
4. Malware Distribution via GitHub: Threat Actors Spreading AsyncRAT
  Platform Used: GitHub.
  Malware: AsyncRAT (Remote Access Trojan).
  Method: Disguising malicious screensaver (.scr) files as .sln files in legitimate Visual Studio projects.
  Exploitation: Utilizing Discord's CDN for distribution.
5. CVE-2023-46849
  Vulnerability: In OpenVPN versions 2.6.0 to 2.6.6.
  Issue: Divide by zero behavior when using the --fragment option, leading to application crash and denial of service.
6. CVE-2023-4966
  Vulnerability: In Citrix NetScaler ADC and Gateway appliances.
  Issue: Sensitive information disclosure vulnerability allowing hijacking of authenticated sessions and bypassing multifactor authentication.
  Exploitation: Observed in the wild since late August 2023.
7. Vidar Stealer
  Update: Major changes in C2 (Command and Control) communications, mimicking Stealc.
  Capabilities:
    Downloads legitimate third-party DLLs.
    Harvests data from browsers, crypto wallets, and more.
    Exfiltrates data file by file.
    Uses Dynamic Data Exchange (DDR) for communication.
  Impact: Improved evasion capabilities, even if detected by antivirus software.

Key Findings
It is crucial for organizations and individuals to prioritize remediation and patching efforts to safeguard their systems and data. The following key findings highlight the importance of proactive measures to mitigate risks associated with various vulnerabilities and threats:

Kernel Exploit and Rootkit Detection Using eBPF
Email Phishing Campaigns Targeting OpenSea Users and Developers
Chrome Use-After-Free Vulnerability in WebAudio (CVE-2023-5996)
Malware Distribution via GitHub: Threat Actors Spreading AsyncRAT
CVE-2023-46849
CVE-2023-4966
Vidar Stealer

🚨 Vulnerability of the Week


CVE-2023-46849
CVE-2023-46849 is a vulnerability identified in OpenVPN, specifically affecting versions 2.6.0 to 2.6.6. This vulnerability is related to the use of the --fragment option in certain configuration setups of OpenVPN.
Vulnerability: The issue arises when the --fragment option is used inappropriately, leading to a divide by zero behavior.
Impact: This divide by zero error can cause an application crash, resulting in a denial of service (DoS).
Affected Versions: OpenVPN versions from 2.6.0 to 2.6.6.

Severity
As of now, the CVSS (Common Vulnerability Scoring System) score for CVE-2023-46849 has not been provided by NIST (National Institute of Standards and Technology). The severity of this vulnerability is still under analysis, and no official score or metrics have been published.

References and Advisories
Several advisories and resources provide more information about CVE-2023-46849:
OpenVPN Community Wiki on CVE-2023-46849
OpenVPN Security Advisory
NIST National Vulnerability Database Detail
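
A defender-side exposure check for CVE-2023-46849, added here as an example (it is not code from the roundup or from the OpenVPN project). It combines the two conditions the section names, a version in the 2.6.0 to 2.6.6 range and an active fragment directive; the banner and configuration are constructed samples, and only configuration files are inspected, not options passed on the command line of a running process.

```python
import re

# Affected range exactly as the page states it: OpenVPN 2.6.0 through 2.6.6.
AFFECTED_MIN, AFFECTED_MAX = (2, 6, 0), (2, 6, 6)

_VERSION_RE = re.compile(r"OpenVPN\s+(\d+)\.(\d+)\.(\d+)")
_BLOCK_OPEN_RE = re.compile(r"^<([A-Za-z0-9_-]+)>$")

# Constructed sample inputs (not taken from any real host).
SAMPLE_BANNER = "OpenVPN 2.6.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL]"
SAMPLE_CONFIG = """\
# constructed sample client config
proto udp
;fragment 1200
<ca>
fragment 999
</ca>
<connection>
remote vpn.example.test 1194 udp
fragment 1300   # per-connection setting
</connection>
mssfix 1300
"""


def parse_version(banner):
    """Return (major, minor, patch) from an `openvpn --version` banner, or None."""
    m = _VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def fragment_directives(config_text):
    """Return [(line_number, directive)] for every active `fragment` directive.

    Comment lines (# or ;) and the bodies of inline data blocks such as
    <ca>...</ca> are ignored; <connection> blocks hold ordinary directives,
    so their contents are scanned.
    """
    hits, skipping = [], None
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if skipping:                      # inside an inline data block
            if line == f"</{skipping}>":
                skipping = None
            continue
        if not line or line[0] in "#;":
            continue
        opened = _BLOCK_OPEN_RE.match(line)
        if opened:
            if opened.group(1) != "connection":
                skipping = opened.group(1)
            continue
        tokens = line.split("#", 1)[0].split()
        # Tolerate a leading "--" so command-line style lines are also caught.
        if tokens and tokens[0].lstrip("-") == "fragment":
            hits.append((lineno, " ".join(tokens)))
    return hits


def assess(banner, config_text):
    """Return 'exposed', 'version-in-range', 'not-affected' or 'unknown-version'."""
    version = parse_version(banner)
    if version is None:
        return "unknown-version"
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "not-affected"
    return "exposed" if fragment_directives(config_text) else "version-in-range"


if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG), fragment_directives(SAMPLE_CONFIG))
```
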

🥵 Malware or Ransomware

https://twitter.com/crep1x/status/1722652451319202242

The blog post from SEKOIA.IO provides an in-depth analysis of the Stealc malware, highlighting its similarities with other infostealers like
Vidar and Raccoon. Here's a summary of the key points related to the major update in Vidar Stealer's Command and Control (C2)
communications, which now closely mimic those of Stealc:
1. Use of Legitimate Third-Party DLLs: Unlike previous versions that downloaded a ZIP file, the updated Vidar Stealer now downloads
legitimate third-party DLLs. This change likely helps the malware evade detection by blending in with normal software operations.
2. Malware Configurations: The malware is configured to target specific data from browsers, cryptocurrency wallets, and other valuable
information through a grabber module. This targeted approach allows for more efficient data harvesting.
3. Exfiltration of Harvested Data: The updated method involves exfiltrating harvested data file by file. This step-by-step approach can
potentially improve the "knock rate" or "knock time," which refers to the efficiency and speed of data transmission back to the C2 servers.
4. Use of DDR: DDR (Dynamic Data Exchange) is a method of interprocess communication. In the context of this malware, it could be used to
facilitate the transfer of stolen data or commands between processes, potentially making detection more difficult.
5. C2 Servers: The post lists several IP addresses identified as C2 servers for the malware. These servers are crucial for the malware's
operation, as they receive the stolen data and send commands.
6. Improved Evasion Capabilities: The modification in the malware's communication and data exfiltration methods is likely aimed at
improving its ability to evade detection. Even if antivirus software detects the malware, the step-by-step data exfiltration process might
allow some data to be transmitted before the malware is neutralized.

💦 Malware Distribution Sites

https://twitter.com/doc_guard/status/1724011012515369248

A phishing HTML file, named "GFT000567.html," has successfully evaded the majority of antivirus (AV) solutions, raising
significant concerns in the cybersecurity community.
Detection and Analysis
VirusTotal Detection: The file has a remarkably low detection rate of 1 out of 60 AV solutions on VirusTotal, indicating its
sophistication in evading security measures.
Filename: GFT000567.html
MD5 Hash: 2017a1ec0479724dae5ad5cd95781841
Indicators of Compromise (IOCs)
Malicious URLs:
pub-91c76ad75ccd43f3a4351ea91d50ae83[.]r2[.]dev/execo.html#[email protected]
sulzer[.]shop/campi/excelphp1.php
These URLs are likely used for phishing attacks, data exfiltration, or directing users to download further malicious
payloads.
DOCGuard Reports
Primary Sample Report: A detailed analysis of the phishing file is available on DOCGuard, which can provide insights into
its behavior, embedded scripts, and evasion techniques. The report can be accessed here.
Similar Sample Report: Another report on a similar sample, which could provide comparative insights, is available here.

📱 Mobile Malware

https://time.com/6334344/google-scammers-fake-ai-chatbot/

Google has initiated legal action against scammers for distributing malware under the guise of its Bard AI chatbot. The scammers,
believed to be based in Vietnam, created social media pages and ads, misleading users into downloading a fake version of Bard,
which in reality was malware.

Method of Attack
1. Social Media Deception: The scammers set up social media accounts, using names like "Google AI," "AIGoogle," and similar
variations. They promoted posts on platforms like Facebook, falsely advertising the download of Google's Bard AI chatbot.
2. Misuse of Google's Branding: The fraudulent entities used Google's trademarks and logos to lend credibility to their scheme,
misleading users into believing the authenticity of their offering.
3. Malware Distribution: The download links provided by the scammers did not contain the Bard AI chatbot but malware. This
malware was designed to steal social media credentials and potentially other sensitive information from the users' devices.

Impact
Credential Theft: The primary objective of the malware was to siphon off login details of users, particularly targeting small
businesses and their social media accounts.
Financial Risks: By gaining access to social media accounts, the scammers could potentially access financial information or
defraud businesses and their contacts.
Brand Damage: The use of Google's trademarks in the scam could lead to reputational damage for Google, misleading users
about the security and reliability of its products.

Recommendations
1. Vigilance in Downloads: Users should only download software from verified, official sources.
2. Awareness of Scams: Be aware of the increasing use of AI and popular brand names in online scams.
3. Credential Protection: Use multi-factor authentication and regularly update passwords, especially for business-related social
media accounts.

🦮 Art of Detection

https://twitter.com/Jane_0sint/status/1724098761121575398

The malware, humorously proposed to be named "Electrocuted Stealer," is a type of infostealer. It has been identified through a sample available on the ANY.RUN malware analysis service. This malware is initially categorized as "Win32/Unknown Infostealer."

Unique Characteristics
Folder Naming: The malware uses a peculiar method for naming folders, such as \Temp\YUOhtyugjKgdfgjFGghj676jj\. This naming pattern is notably random and chaotic, possibly reflecting an attempt to avoid pattern detection.
Proposed Name: "Electrocuted Stealer" – This name humorously suggests the seemingly random and jumbled nature of the folder naming convention, as if the author was "electrocuted" while typing.

Detection Strategies
1. Anomalous Folder Names: Security systems can be configured to flag unusually named folders, especially those with a high degree of randomness and length, as seen in this malware.
2. Behavioral Analysis: Utilizing tools like ANY.RUN to observe the behavior of suspected malware in a safe, controlled environment. This can help in identifying unusual patterns of behavior that are indicative of infostealers.
3. Signature-Based Detection: While the malware is initially categorized as "Win32/Unknown," updates to antivirus databases with its signature, once fully analyzed, can help in its detection.
4. Heuristic Analysis: Employing heuristic analysis to detect new, unknown variants of malware based on similarities to known infostealers.
5. Network Traffic Monitoring: Infostealers often communicate with a C2 server. Monitoring for unusual outbound network traffic can help in detecting such malware.
6. File System Monitoring: Watching for changes in file systems, especially in system directories like \Temp, can be a red flag.

Analysis and Reporting Tools
ANY.RUN: A cloud-based malware analysis service that provides a detailed report of malware behavior. The specific report for this malware can be accessed here.
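
One way to implement the "Anomalous Folder Names" strategy over file-creation telemetry, added here as an example and not taken from the roundup or from ANY.RUN. The thresholds (minimum length 16, vowel ratio below 0.2, consonant run of 6 or more) are assumptions chosen for illustration, and every sample path is constructed; only the folder name YUOhtyugjKgdfgjFGghj676jj comes from the page.

```python
from pathlib import PureWindowsPath

VOWELS = set("aeiouAEIOU")
HEX_DIGITS = set("0123456789abcdefABCDEF")

# Constructed file-creation paths; only the first folder name comes from the page.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\YUOhtyugjKgdfgjFGghj676jj\data.bin",
    r"C:\Users\alice\AppData\Local\Temp\MicrosoftEdgeDownloads\a1b2\setup.exe",
    r"C:\Users\alice\AppData\Local\Temp\3f2504e04f8911d39a0c0305e82c3301\install.log",
    r"C:\Users\alice\AppData\Local\Temp\chrome_BITS_4412_1039\update.crx",
    r"C:\Windows\Temp\setup.log",
]


def longest_consonant_run(name):
    """Length of the longest run of consecutive consonant letters."""
    best = run = 0
    for ch in name:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def score_folder_name(name, min_len=16, max_vowel_ratio=0.2, min_run=6):
    """Return the reasons a folder name looks keyboard-mashed ([] if none)."""
    if len(name) < min_len or not (name.isascii() and name.isalnum()):
        return []  # short names and names with separators are out of scope
    if set(name) <= HEX_DIGITS:
        return []  # hex or GUID-like names are routine for legitimate temp dirs
    letters = [c for c in name if c.isalpha()]
    ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest_consonant_run(name)
    reasons = []
    if ratio < max_vowel_ratio:
        reasons.append(f"vowel ratio {ratio:.2f}")
    if run >= min_run:
        reasons.append(f"consonant run {run}")
    return reasons


def temp_child(path):
    """Folder directly under a Temp directory in a Windows path, or None."""
    parts = PureWindowsPath(path).parts
    for i in range(len(parts) - 2):  # the child must itself contain something
        if parts[i].lower() == "temp":
            return parts[i + 1]
    return None


def suspicious_temp_folders(paths):
    """Map each flagged Temp sub-folder name to the reasons it was flagged."""
    flagged = {}
    for path in paths:
        child = temp_child(path)
        reasons = score_folder_name(child) if child else []
        if reasons:
            flagged[child] = reasons
    return flagged


if __name__ == "__main__":
    for folder, why in suspicious_temp_folders(SAMPLE_PATHS).items():
        print(folder, "->", ", ".join(why))
```

Legitimate installers also create random-looking temp folders, so a hit from this heuristic is a lead for triage alongside the other strategies in the list, not a verdict.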

🦮 Art of Detection#2

https://twitter.com/g0njxa/status/1724038475765145931

Threat actors are increasingly utilizing GitHub, a popular platform for software development, to spread malware. A recent incident involved the distribution of malicious screensaver files (.scr), which were disguised as .sln files within a legitimate Visual Studio project. This tactic was used to distribute AsyncRAT, a remote access trojan, by exploiting Discord's Content Delivery Network (CDN).

Analysis from ANY.RUN
The detailed analysis of this malware distribution strategy is provided by ANY.RUN, an interactive malware hunting service. Unfortunately, the specific content of the analysis from the provided ANY.RUN link is not accessible due to technical limitations. However, the general approach of these threat actors can be outlined based on known tactics and the summary provided.

Tactics and Implications
Disguised Files: The .scr files, typically used for screensavers, are disguised as .sln (solution) files, which are part of Visual Studio projects. This disguise is intended to trick users into executing the malware, believing it to be a harmless component of the project.
Use of GitHub: By placing these malicious files in a seemingly legitimate project on GitHub, attackers leverage the trust and popularity of the platform to spread the malware.
Exploitation of Discord CDN: The use of Discord's CDN for distributing AsyncRAT indicates a sophisticated approach to bypassing standard security measures. CDNs are typically trusted networks, and their abuse can lead to widespread malware distribution.
AsyncRAT: This remote access trojan allows attackers to control infected systems remotely, posing significant risks to data security and privacy.
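
A repository check for the disguise described above, added here as an example (not code from the roundup or from ANY.RUN). The page does not say how the .scr files were made to look like .sln files, so the checks below are assumptions covering two forms a reviewer can test for: an executable extension appended to a solution-style name, and a .sln file whose content is a PE image instead of the text header a real solution file starts with. The sample tree is constructed and its "MZ" files are inert stubs.

```python
import os
import tempfile

SLN_HEADER = b"Microsoft Visual Studio Solution File"
PE_MAGIC = b"MZ"  # DOS/PE header; .scr screensavers are ordinary PE executables
EXEC_EXTS = {".scr", ".exe", ".com", ".pif"}


def classify(path):
    """Return the reasons a file looks like an executable posing as a solution."""
    stem, ext = os.path.splitext(os.path.basename(path).lower())
    if ext != ".sln" and ext not in EXEC_EXTS:
        return []
    with open(path, "rb") as fh:
        head = fh.read(512)
    reasons = []
    if ext in EXEC_EXTS and stem.endswith(".sln"):
        reasons.append("double extension: executable named like a solution file")
    if ext == ".sln":
        if head.startswith(PE_MAGIC):
            reasons.append(".sln name but PE (MZ) content")
        elif SLN_HEADER not in head:
            reasons.append(".sln name without a Visual Studio solution header")
    if ext == ".scr" and not reasons:
        reasons.append("screensaver executable inside a source tree")
    return reasons


def scan_tree(root):
    """Walk a checked-out repository; return sorted (relative_path, reasons)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed repository layout; the 'MZ' files are inert stubs."""
    files = {
        "App/App.sln": b"\xef\xbb\xbf\r\nMicrosoft Visual Studio Solution File, "
                       b"Format Version 12.00\r\n",
        "App/App.sln.scr": b"MZ" + b"\x00" * 62,
        "Tools/Build.sln": b"MZ" + b"\x00" * 62,
        "Assets/idle.scr": b"MZ" + b"\x00" * 62,
        "README.md": b"# sample\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", "; ".join(reasons))
```
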

🐙 Proxylife

https://twitter.com/0xToxin/status/1722915203040354656

BumbleBee, a newly identified malware, has been observed in a campaign labeled "Documents!" by the cybersecurity community. This campaign is notable for its use of advanced techniques and has been linked to the botnet "rar0409."

Execution Flow
The malware's execution flow is relatively straightforward but effective:
1. Initial Contact: Via an HTML file.
2. Delivery Mechanism: The malware is packed in a RAR archive.
3. Execution: The final payload is an executable file (.exe).

Key Features
HTML Smuggling: BumbleBee utilizes HTML smuggling techniques. This involves using legitimate HTML5 features to create and deliver malicious files while bypassing security controls.
Exploitation of CVE-2023-38831: The malware exploits this specific vulnerability, although details about the nature of this vulnerability are not provided in the brief.

Botnet Association
Botnet Name: rar0409
The association with this botnet suggests a broader infrastructure and possibly a wider range of attack capabilities.

Triage and Analysis
Dynamic Generation Algorithm (DGA): Interesting findings include the use of a DGA seed, counter, and length. This indicates a sophisticated command and control (C2) mechanism, where the malware can dynamically generate domain names for C2 communications.
Files and Samples: For further analysis and research, files related to this campaign can be found on the Abuse.ch Bazaar.

🥷 TTP Analysis
The report focuses on a sophisticated malware known as SystemBC, also
referred to as Coroxy. This malware is multifaceted, functioning as a socks5
proxy, bot, backdoor, and Remote Access Trojan (RAT). It has been utilized by
various threat actors in cyber-attacks.

Malware Characteristics
Category: Socks5 proxy, bot, backdoor, RAT
Usage: By several threat actors
Operational Flow
The operational flow of SystemBC is as follows:
Loader/Other Malware: Initial infection vector.
SystemBC Activation: Acts as a secondary payload.
Mutex Creation: Ensures unique instance.
Temporary Copy Creation: For execution and persistence.
Persistence Mechanism: Ensures long-term access.
Sensitive Information Harvesting: Collects valuable data.
Network Information Gathering: For further exploitation.
Command and Control (C&C) Communication: For remote control and data
exfiltration.

Tactics, Techniques, and Procedures (TTP)


The TTPs associated with SystemBC include:
[T1547.001] Registry Run Keys: For persistence.
[T1070] Stop Process: To evade detection.
[T1140] Decode Network Information: For data extraction.
[T1082] System Information Discovery: To understand the environment.
[T1033] System Owner/User Discovery: Identifying potential targets.
[T1560] Archive Collected Data: For data exfiltration.
[T1497] Virtualization/Sandbox Evasion: To avoid analysis.
[T1071] Application Layer Protocol: For communication.

Indicators of Compromise (IOC)


The IOCs related to SystemBC are:
Domains:
payload[.]su
mxstat215dm[.]xyz
mxstex725dm[.]xyz
zl0yy[.]ru
r0ck3t[.]ru
IP Addresses:
91[.]191[.]209[.]110
5[.]42[.]65[.]67

https://twitter.com/RexorVc0/status/1723961165305532675

💦 Leakage

https://twitter.com/cycatz2/status/1724287204686750125

The security of user data in web applications is critical. However, vulnerabilities like Insecure Direct Object Reference (IDOR) can significantly compromise data integrity. This report examines a real-world case of an IDOR vulnerability within a web application, particularly focusing on the exploitation of the 'v' parameter, which led to the exposure of all users' Personally Identifiable Information (PII).

Analyzing the 'v' Parameter
The 'v' parameter in question is 64 characters long, making it unpredictable and lengthy. It consists of a mix of constant and changeable parts. The constant parts are enclosed in curly braces, such as {xrjo}, {tgx}, {tgyj}, {mrzo}, {tnkxn}, {qnjn}, and {irgirnittghn}. The characters outside these braces are changeable, and this variability is what can be exploited.

Exploiting the Vulnerability
The exploitation process involves making partial and unpredictable changes to the characters outside the curly braces while keeping the constant parts intact. By altering these characters in different requests, it becomes possible to access different users' data. For example, by changing the original 'v' parameter from vnnt {xrjo} nnnr {tgx} ntkx {tgyj} yinvr {mrzo} jyg {tnkxn} ugor {qnjn} zyjr {irgirnittghn} to various altered forms, each alteration potentially leads to the exposure of a different user's data.

Tools Used for Exploitation
Intruder: A tool used to automate the brute-forcing of these portions.
Python Script: A script was written to generate altered 'v' parameters. This script takes the original parameter, splits it into constant and changeable parts, and then randomly changes some characters in the changeable part while keeping the constant parts intact.

👹 Scam Contract

https://www.hackread.com/fake-ledger-app-microsoft-app-store-crypto-funds/

OpenSea, a popular platform in the NFT (Non-Fungible Token) space, has recently become the target of email phishing campaigns. These campaigns are specifically designed to deceive OpenSea's users and developers. It's important to be aware of the nature of these scams to protect personal and financial information.

Types of Phishing Scams
1. Fake Developer Account Risk Alert: This scam involves sending emails that appear to be from OpenSea, warning developers of some risk or issue with their accounts. The goal is to trick recipients into revealing sensitive information or credentials.
2. Fake Offer: Another common tactic is sending emails that mimic legitimate offers from OpenSea. These emails may contain links to fraudulent websites where users are prompted to enter personal details or connect their digital wallets, leading to potential theft of assets or personal information.

The Domain "docs-opensea[.]io"
The mentioned domain, docs-opensea[.]io, seems to be part of this phishing campaign. However, accessing this domain resulted in an error, indicating it might be down or not accessible at the moment.
It's crucial to note that such domains are often created to appear legitimate, mimicking the official website's look and feel to deceive users.

🟥 1Day

https://twitter.com/hosselot/status/1724106627106603492

The "Tianfu Cup 2023" highlighted a significant vulnerability in Google Chrome, specifically a use-after-free issue in the WebAudio component, tracked as CVE-2023-5996. This vulnerability was addressed by modifying how Chrome handles channel count updates after the audio context is closed.

The Vulnerability
Component Affected: The issue was in the WebAudio component of Chrome.
Nature of Vulnerability: It was a use-after-free vulnerability, a type of memory corruption issue that can lead to arbitrary code execution.
CVE ID: CVE-2023-5996.

The Fix
Google implemented a fix by ignoring channel count updates after the audio context is closed. The key aspects of the fix include:
1. Checking Context State: The new code checks if the audio context's state is 'closed'. If so, any changes to the channel count are ignored.
2. Maintaining Stability: The fix ensures that the audio rendering thread is not activated unexpectedly, which could lead to instability or exploitation of the use-after-free condition.

Code Analysis
The provided code snippet demonstrates the logic implemented to address the vulnerability:
Channel Count Check: The code first retrieves the old channel count and sets a new channel count. If there's an exception or the channel count remains unchanged, it bypasses the recreation of the platform destination.
Context State Validation: The fix includes a check for the context state (AudioContext::kClosed). If the context is closed, or other conditions are met (same channel count or exception state), the function returns early, avoiding further processing.
Recreation of Platform Destination: If the conditions are not met, the destination is stopped, recreated, and started again to apply the new channel count, ensuring the integrity of the audio processing.

Broader Context: Linux Kernel Security and Google's kernelCTF
The discussion around CVE-2023-5996 leads to a broader conversation about Linux kernel security. The kernel, being the core of many systems, is a critical security component. Google's kernelCTF program is an initiative to encourage the discovery and mitigation of vulnerabilities in the Linux kernel.

🌶️ Trending Exploit

https://twitter.com/fofabot/status/1714997328455643425

The exploit related to CVE-2023-4966 in Citrix NetScaler ADC and Gateway appliances is a significant
cybersecurity concern. Here's a detailed overview:

Background
Date of Security Bulletin: Citrix released a security bulletin on October 10, 2023, addressing a sensitive
information disclosure vulnerability identified as CVE-2023-4966.
Affected Appliances: The vulnerability impacts NetScaler ADC (Application Delivery Controller) and
NetScaler Gateway appliances.

Nature of the Vulnerability


Exploitation in the Wild: Mandiant reported that this vulnerability has been exploited in the wild since
late August 2023.
Consequences of Exploitation: Successful exploitation allows attackers to hijack existing authenticated
sessions. This bypasses multifactor authentication or other strong authentication mechanisms.
Persistence of Sessions: Even after deploying the update to mitigate CVE-2023-4966, some hijacked
sessions may persist.
Session Hijacking Incidents: There have been instances where session data was stolen before the patch
deployment and then used by threat actors.

🕯️ The Topic of the Week

https://twitter.com/the_yellow_fall/status/1724265785231917521

VED (Vault Exploit Defense)-eBPF is an innovative approach to enhancing kernel security in Linux systems. It utilizes eBPF (extended Berkeley Packet Filter), an in-kernel virtual machine, to monitor kernel activities and detect potential exploits or rootkits without altering the kernel source code.

eBPF Overview
Functionality: eBPF allows for the execution of code within the kernel space, providing a high degree of flexibility and efficiency.
Application: It can be attached to various kernel events like tracepoints and kprobes, enabling detailed analysis and data collection.

VED-eBPF's Approach
VED-eBPF leverages eBPF to trace security-sensitive behaviors within the kernel, focusing on detecting anomalies that could indicate exploits or rootkits. It primarily provides two detection mechanisms:
1. wCFI (Control Flow Integrity):
  Purpose: Detects control flow hijacking attacks.
  Method: Utilizes a bitmap of valid call sites and validates each return address against this map.
  Implementation: Traces the kernel call stack, validating return addresses and monitoring stack pointer and kernel text region changes.
2. PSD (Privilege Escalation Detection):
  Purpose: Identifies unauthorized privilege escalations.
  Method: Monitors changes to credential structures within the kernel.
  Implementation: Attaches to functions like commit_creds and prepare_kernel_cred, analyzing credentials before and after execution.

How it Works
eBPF Program Attachment: VED-eBPF attaches eBPF programs to specific kernel functions to trace execution flows and gather security events.
Data Submission: These events are then submitted to userspace for analysis via perf buffers.

Detailed Mechanisms
wCFI:
  Stack Tracing: On each function call, it dumps the stack and assigns an ID.
  Validation: Checks return addresses against a precomputed bitmap of valid call sites.
  Event Generation: If a corrupted stack is detected, it generates a wcfi_stack_event with details like stack trace, ID, and invalid return address.
PSD:
  Credential Monitoring: Extracts credential information during key function calls.
  Comparison: Analyzes changes in credentials to spot unauthorized escalations.
  Event Generation: Produces a psd_event with credential details in case of illegal privilege escalation.

Current Status and Future Work
VED-eBPF is in the proof-of-concept stage, showcasing the potential of eBPF for kernel security. Ongoing and future work includes:
  Expanding Attack Coverage: Broadening the scope to detect a wider range of exploits.
  Performance Optimization: Enhancing efficiency to minimize impact on system performance.
  Support for Additional Kernel Versions: Adapting the tool for various kernel releases.
  Integration with Security Analytics: Combining with analytical tools for comprehensive security insights.
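
A userspace model of the wCFI validation step described above, added here as an example; it is not VED-eBPF's code and does not run in the kernel. The text range, call-site addresses and stacks are constructed, and every field name in the returned record other than the event name wcfi_stack_event is an assumption.

```python
class CallSiteBitmap:
    """One bit per byte of kernel text; a set bit marks a valid return address."""

    def __init__(self, text_start, text_end, return_sites):
        self.start, self.end = text_start, text_end
        self.bits = bytearray((text_end - text_start + 7) // 8)
        for addr in return_sites:
            if not text_start <= addr < text_end:
                raise ValueError(f"call site {addr:#x} is outside kernel text")
            off = addr - text_start
            self.bits[off >> 3] |= 1 << (off & 7)

    def is_valid(self, addr):
        """True only for an address in the text range whose bit is set."""
        if not self.start <= addr < self.end:
            return False  # return address outside the kernel text region
        off = addr - self.start
        return bool(self.bits[off >> 3] & (1 << (off & 7)))


def check_stack(bitmap, stack_id, return_addresses):
    """Return None for a clean stack, else a wcfi_stack_event-style record."""
    for addr in return_addresses:
        if not bitmap.is_valid(addr):
            return {
                "event": "wcfi_stack_event",
                "stack_id": stack_id,                          # assumed field name
                "stack": [hex(a) for a in return_addresses],   # assumed field name
                "invalid_return": hex(addr),                   # assumed field name
            }
    return None


# Constructed layout: a 4 KiB text region with three valid return sites
# (the address following each call instruction).
TEXT_START = 0xFFFFFFFF81000000
TEXT_END = TEXT_START + 0x1000
RETURN_SITES = [TEXT_START + 0x105, TEXT_START + 0x2A0, TEXT_START + 0x7F3]
BITMAP = CallSiteBitmap(TEXT_START, TEXT_END, RETURN_SITES)

# Constructed stacks keyed by stack ID.
SAMPLE_STACKS = {
    1: [TEXT_START + 0x105, TEXT_START + 0x2A0, TEXT_START + 0x7F3],  # clean
    2: [TEXT_START + 0x105, 0xFFFF888012345678],   # returns outside kernel text
    3: [TEXT_START + 0x105, TEXT_START + 0x2A1],   # in text, but not a call site
}


def run_samples():
    """Validate every constructed stack and return {stack_id: event or None}."""
    return {sid: check_stack(BITMAP, sid, frames)
            for sid, frames in SAMPLE_STACKS.items()}


if __name__ == "__main__":
    for sid, event in run_samples().items():
        print(sid, event)
```
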
HADESS
cat /etc/HADESS

"Hadess" is a cybersecurity company focused on safeguarding digital assets


and creating a secure digital ecosystem. Our mission involves punishing hackers
and fortifying clients' defenses through innovation and expert cybersecurity
services.

Website: WWW.HADESS.IO
Threat Radar: WWW.THREATRADAR.NET

Threat Radar is a powerful threat intelligence platform that combines advanced analytics, machine learning, and human expertise to deliver actionable intelligence to organizations. It
continuously monitors various data sources, including the deep web, dark web, social media platforms, and open-source intelligence, to identify potential threats, vulnerabilities, and
emerging attack patterns.
