Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks and phishing threats in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:

 

Neu Cyber Threats

Backdoor malware targeting corporate networks

A brand new multi-platform malware, likely distributed via malicious “npm packages”, is spreading under the radar with Linux and Mac versions going fully undetected. The Windows version has only six detections so far.

Dubbed “SysJoker” by researchers, the backdoor is used for establishing initial access on a target machine. Once installed, it can execute follow-on code as well as additional commands, through which malicious actors carry out follow-on attacks or pivot to move further into a corporate network. This kind of initial access is also a hot commodity on underground cyber forums, where ransomware groups and others can purchase it.

It was first seen in December 2021 during a cyber attack on a Linux-based web server of a “leading educational institution,” researchers said. Looking at its command-and-control (C2) domain registration and other sample data, the malware appears to have been cooked up in the second half of 2021.

A possible attack vector for SysJoker is an infected npm package, as it is an increasingly popular vector for dropping malware on targets. Npm and other public code repositories are centralised developer communities where coders can upload and download building blocks for building applications. If one of these building blocks is malicious, it can be pulled into any number of apps, ready to strike any users of those infected projects.

Once it finds a target, SysJoker masquerades as a system update to avoid suspicion. Meanwhile, it generates its C2 by decoding a string retrieved from a text file hosted on Google Drive. “During our analysis the C2 has changed three times, indicating the attacker is active and monitoring infected machines. Based on victimology and the malware’s behaviour, we assess that SysJoker is after specific targets,” researchers said.

SysJoker’s behaviour is similar for all three operating systems, with the exception that the Windows version makes use of a first-stage dropper. After execution, SysJoker sleeps for a random amount of time, between a minute and a half and two minutes. Then, it will create the C:\ProgramData\SystemData directory and copy itself there using the file name “igfxCUIService.exe” – masquerading as the Intel Graphics Common User Interface Service.

After gathering system information (MAC address, user name, physical media serial number and IP address), it collects the data into a temporary text file. Researchers said: “These text files are deleted immediately, stored in a JSON object and then encoded and written to a file named ‘microsoft_Windows.dll’.” SysJoker will then establish persistence by adding an entry to the registry run key “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”. Between each of these stages of infection, it sleeps for a random period of time.

To establish a connection with the C2, SysJoker first decodes a hardcoded Google Drive link using a hardcoded XOR key. It uses the same key to encrypt information sent back and forth to and from the C2. That Google Drive link opens a text file named “domain.txt” that holds an encoded C2 (the address changes dynamically according to server availability). SysJoker decodes the C2 address from that file and sends the previously collected machine fingerprinting data over, according to the analysis. The C2 replies with a unique token – an identifier for that particular infection that it will use to ping the C2 for instructions.

SysJoker can receive various commands, including “exe,” “cmd,” “remove_reg” and “exit”. Researchers explained: “remove_reg and exit are not implemented in this current version. Based on the instruction names, we can assume that they are in charge of self deletion of the malware.” The exe command is in charge of dropping and running an executable: “SysJoker will receive a URL to a .ZIP file, a directory for the path the file should be dropped to and a filename that the malware should use on the extracted executable, it will download this file, unzip it and execute it.”

After execution, the malware will reply “success” if the file was successfully installed or “exception” if not. The cmd command is for running next-stage instructions. Researchers added: “SysJoker will decode the command, execute it and upload the command’s response to the C2 via /api/req/res API, but during our analysis, the C2 hasn’t responded with a next stage instruction.”

Even though VirusTotal detections are low to non-existent for SysJoker, researchers have provided some tips for determining whether it is on your network or not. Users or admins can initially use memory scanners to detect a SysJoker payload in memory. Detection content can be used to search endpoint detection and response (EDR) and security information and event management (SIEM) platforms.

If a compromise is detected, victims can take the following steps:

  1. Kill the processes related to SysJoker, delete the relevant persistence mechanism and all files related to SysJoker.
  2. Make sure that the infected machine is clean by running a memory scanner.
  3. Investigate the initial entry point of the malware. If a server was infected with SysJoker, check during the course of this investigation: the configuration status and password complexity for publicly facing services, as well as used software versions and possible known exploits.
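The Windows indicators described above (the dropped copy in C:\ProgramData\SystemData, the “microsoft_Windows.dll” staging file and the Run key entry) can be matched against endpoint telemetry. The following is an added example, not code from the researchers; the event layout, host names and benign paths are constructed for illustration.

```python
import ntpath

# Indicators as described in the article (Windows variant of SysJoker).
DROP_DIR = r"c:\programdata\systemdata"
DROP_NAME = "igfxcuiservice.exe"
STAGING_NAME = "microsoft_windows.dll"
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"


def _split(path):
    """Lower-case and normalise a Windows path, return (folder, file name)."""
    cleaned = ntpath.normpath(path.strip().strip('"')).lower()
    return ntpath.split(cleaned)


def match_event(event):
    """Return the reasons (possibly none) an event matches an indicator."""
    reasons = []
    if event["type"] in ("process", "file"):
        folder, name = _split(event["path"])
        if folder == DROP_DIR and name == DROP_NAME:
            reasons.append("dropped copy in ProgramData\\SystemData")
        if name == STAGING_NAME:
            reasons.append("fingerprint staging file")
    elif event["type"] == "registry":
        key = event["key"].lower().rstrip("\\")
        folder, _ = _split(event["data"])
        # Per-user Run key; logs may show the hive as HKCU or HKU\<SID>.
        if key.endswith(RUN_SUFFIX) and folder == DROP_DIR:
            reasons.append("Run key persistence")
    return reasons


def flag_hosts(events):
    """Group matches by host so an analyst sees which machines to triage."""
    hits = {}
    for event in events:
        for reason in match_event(event):
            hits.setdefault(event["host"], set()).add(reason)
    return {host: sorted(found) for host, found in hits.items()}


# Constructed sample telemetry (the event schema is an assumption).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "path": r"C:\Program Files\Example\app.exe"},
    {"type": "file", "host": "ws-01", "path": r"C:\Windows\System32\igfxCUIService.exe"},
    {"type": "registry", "host": "ws-01", "key": RUN_KEY, "data": r"C:\Program Files\Example\app.exe"},
    {"type": "file", "host": "ws-02", "path": r"C:\ProgramData\SystemData\igfxCUIService.exe"},
    {"type": "file", "host": "ws-02", "path": r"C:\Users\demo\microsoft_Windows.dll"},
    {"type": "registry", "host": "ws-02", "key": RUN_KEY, "data": r'"C:\ProgramData\SystemData\igfxCUIService.exe"'},
]

if __name__ == "__main__":
    for host, reasons in flag_hosts(SAMPLE_EVENTS).items():
        print(host, reasons)
```

Matching on the folder as well as the file name keeps a file called igfxCUIService.exe in any other directory from raising an alert.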

MacOS bug allows criminals to snoop on users


Details have been released about a bug in macOS that Apple fixed last month – named “powerdir” – that could let attackers hijack apps, install their own nasty apps, use the microphone to eavesdrop or grab screenshots of your device.

The vulnerability allows malicious apps to bypass privacy preferences. Specifically, it could allow an attacker to bypass the operating system’s Transparency, Consent and Control (TCC) technology, thereby gaining unauthorised access to a user’s protected data.

Introduced in 2012’s macOS Mountain Lion, TCC helps users to configure their apps’ privacy settings by requiring that all apps get user consent before they’re able to access files in Documents, Downloads, Desktop, iCloud Drive and calendar. Apple released a fix for the vulnerability in macOS Big Sur and macOS Monterey, in a security update released on 13th December 2021. At the time, Apple didn’t give much detail. It was merely stated that the flaw was a logic issue that could allow a malicious actor to bypass privacy preferences.

TCC also stores the consent history of app requests. The feature is designed to prevent unauthorised code execution by restricting full disk access to only those apps with appropriate privileges. However, that is not how it worked out in practice: researchers discovered that it’s possible to programmatically change a target user’s home directory and to plant a fake TCC database.

Researchers explained: “If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data. For example, the attacker could hijack an app installed on the device – or install their own malicious app – and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen.”

Typically, users manage TCC under System Preferences in macOS (System Preferences > Security & Privacy > Privacy). As researchers explained, there are two potential outcomes when an app requests access to protected user data:

  1. If the app and the type of request have a record in the TCC databases, then a flag in the database entry dictates whether to allow or deny the request — automatically and without any user interaction.
  2. If the app and the type of request do not have a record in the TCC databases, then a prompt is presented to the user, who decides whether to grant or deny access. Then said decision is backed into the databases so that succeeding similar requests will now fall under the first scenario.

If an attacker gets full disk access to the TCC databases, researchers explained, the world is their oyster: “They could edit it to grant arbitrary permissions to any app they choose, including their own malicious app. The affected user would also not be prompted to allow or deny the said permissions, thus allowing the app to run with configurations they may not have known or consented to.”
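Because a stored record decides the request without any prompt, reviewing which clients hold “allow” records for sensitive services is a useful check. The following is an added example, not code from the researchers or Apple: it audits a constructed, simplified table modelled on a TCC database, and the column names, the meaning of `auth_value` and the bundle identifiers are assumptions of this example.

```python
import sqlite3

# Services the article names as abuse targets (microphone, screenshots) plus
# full disk access, which gates the TCC.db files themselves.
SENSITIVE = {
    "kTCCServiceMicrophone",
    "kTCCServiceScreenCapture",
    "kTCCServiceSystemPolicyAllFiles",
}
ALLOWED = 2  # assumption: auth_value 2 means allow, 0 means deny


def unexpected_grants(conn, approved):
    """Return (service, client) rows that allow a sensitive service to a
    client the organisation has not approved for that service."""
    rows = conn.execute(
        "SELECT service, client FROM access WHERE auth_value = ? "
        "ORDER BY service, client",
        (ALLOWED,),
    ).fetchall()
    return [
        (service, client)
        for service, client in rows
        if service in SENSITIVE and client not in approved.get(service, set())
    ]


def build_sample_db():
    """Constructed in-memory stand-in for a TCC database (simplified schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, auth_value INTEGER)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?)",
        [
            ("kTCCServiceMicrophone", "com.example.meetings", 2),
            ("kTCCServiceMicrophone", "com.example.unknown-helper", 2),
            ("kTCCServiceMicrophone", "com.example.game", 0),
            ("kTCCServiceScreenCapture", "com.example.unknown-helper", 2),
            ("kTCCServiceCalendar", "com.example.notes", 2),
        ],
    )
    return conn


if __name__ == "__main__":
    approved = {"kTCCServiceMicrophone": {"com.example.meetings"}}
    for service, client in unexpected_grants(build_sample_db(), approved):
        print(f"review: {client} is allowed {service}")
```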

This isn’t the first time that TCC databases have shown themselves to be susceptible to bypass. Past vulnerabilities have included:

  • Time Machine mounts: macOS offers a built-in backup and restore solution called Time Machine. It was discovered that Time Machine backups could be mounted with the “noowners” flag. Since these backups contain the TCC.db files, an attacker could mount those backups and determine the device’s TCC policy without having full disk access.
  • Environment variable poisoning: It was discovered that the user’s tccd could build the path to the TCC.db file by expanding $HOME/Library/Application Support/com.apple.TCC/TCC.db. Since the user could manipulate the $HOME environment variable, an attacker could plant a chosen TCC.db file in an arbitrary path, poison the $HOME environment variable, and make tccd consume that file instead.
  • Bundle-conclusion issue: First disclosed in a blog post about the XCSSET malware family, this bug abused how macOS was deducing app bundle information. For example, if an attacker knew of a specific app that commonly has microphone access, they could plant their application code in the target app’s bundle and “inherit” its TCC capabilities.

Apple has responded to those vulnerabilities with two changes: it protected the system-wide TCC.db via System Integrity Protection (SIP), a macOS feature that prevents unauthorised code execution. It also enforced a TCC policy that only apps with full disk access can access the TCC.db files.

Researchers say that although Apple has since patched these vulnerabilities, their research shows that “the potential bypass to TCC.db can still occur”. The best advice to follow is to apply macOS security updates as soon as possible.

WordPress vulnerabilities exploited by malware gang

The GootLoader malware gang has pivoted to targeting businesses with malicious downloads. Having previously spread REvil ransomware, GootLoader are now taking advantage of WordPress vulnerabilities.

The WordPress vulnerabilities let attackers hijack sites and use them to offer sample business agreements for professionals. Researchers were able to identify more than 100,000 pages with malicious business agreement links set up by GootLoader. One site was found to have more than 150 pages of content generated by the threat actors.

Law firm employees tricked by the malicious agreements were searching for common legal filings, including “Post Nuptial Agreement”, “Model IP Agreement” and “Olympus Plea Agreement”, according to the report.

Researchers said: “When the user navigates to one of these malicious web pages and clicks the link to download the purported business agreement, they are unknowingly downloading GootLoader. Unless your organisation has security protections in place, your entire corporate network will then be likely infected with GootLoader. This could lead to the deployment of ransomware, which would make it game over.”

The group has also gamed Google’s Search Engine Optimisation algorithm to get their malicious sites and downloads to the top of keyword search results, analysts found. Once downloaded, GootLoader installs ransomware or Cobalt Strike.

Researchers advise the following: “All businesses should have a vetting process for business agreement samples gathered from the Internet, to ensure that they are not infected with malware. Employees should also be aware that GootLoader comes as a JavaScript (.js) file. While it is often disguised as a document, right clicking the downloaded file and clicking properties will show the real file type. Whenever downloading documents from the web, scripting files like .js, .ps1 and .cmd should never be executed.”

Remote Desktop Protocol attacks on the rise

Certain types of Remote Desktop Protocol (RDP) have been found with security bugs that could allow any standard, unprivileged user to access other connected users’ machines. Researchers have warned that if the bugs were exploited, there could be data-privacy issues, lateral movement and privilege escalation.

Inside attackers could view and modify other people’s clipboard data or impersonate other logged-in users with smart cards. Researchers found the bug lurking in Windows Remote Desktop Services. The bug dates back at least to Windows Server 2012 R2, which has led researchers to conclude that the latest versions of Windows, including client and server editions, are affected.

Some basics on RDP plumbing include the fact that RDP splits a single connection into multiple logical connections called virtual channels for handling different types of data. Some channels are responsible for the core functionality of RDP, such as graphical and input data, while other channels handle protocol extensions, such as clipboard, drive and printer redirection.

The vulnerability involves the attack surface presented by named pipes. These are a common method for interprocess communication in Windows, which work in a client/server model. Both sides specify the name of the pipe in the format “\\.\pipe\name” or “\\hostname\pipe\name”. Both the client and the server use the WriteFile and ReadFile functions to exchange data after the connection is established.

It’s common to have one server process that handles multiple clients by creating multiple pipe server instances, meaning that the server process will call CreateNamedPipe multiple times with the same pipe name. Researchers said: “Each time it will get a new server instance. When a client connects to a named pipe server, it connects to one instance. If there are multiple instances available, the client will connect to the one that was created first [FIFO, or first-in, first-out ordering].”

But because each call to CreateNamedPipe is independent, potentially malicious processes may create pipe server instances of the same name. Researchers outlined how simple the attack is, here:

  • An attacker connects to a remote machine via RDP
  • The attacker lists the open named pipes and finds the full name of the TSVCPIPE pipe
  • The attacker creates a pipe server instance with the same name and waits for a new connection
  • Once a new connection arrives, RDS creates its own pipe server instance for the session and a pipe client that will attempt to connect to it
  • Because of the FIFO, the pipe client will connect to the attacker pipe server instance instead of the one created by the RDS service
  • The attacker connects as a client to the real RDS pipe server instance
  • The attacker holds both ends of the connection; they can act as man-in-the-middle (MitM), passing the data back and forth, viewing and (optionally) modifying it
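From the defender's side, the sequence above leaves a visible trace: a server instance of the TSVCPIPE pipe created by a process other than the RDS service, ahead of the service's own instance. The following is an added example, not code from the researchers; it runs over constructed pipe-creation records (the kind of data Sysmon's pipe-created event provides), and the field names, pipe suffixes, process IDs and the assumed RDS host process are illustrative.

```python
from collections import defaultdict

PIPE_PREFIX = "\\tsvcpipe"  # pipe named in the article, lower-cased


def find_pipe_squatting(events, expected_images):
    """Flag TSVCPIPE pipes whose first server instance (the one a client
    reaches under FIFO ordering) or any later one is not from RDS."""
    expected = {image.lower() for image in expected_images}
    creators = defaultdict(list)
    for event in events:  # assumed to be in creation order
        name = event["pipe"].lower()
        if name.startswith(PIPE_PREFIX):
            creators[name].append((event["pid"], event["image"].lower()))
    findings = []
    for name, made_by in creators.items():
        pids = sorted({pid for pid, _ in made_by})
        if made_by[0][1] not in expected:
            findings.append((name, "first instance from unexpected process", pids))
        elif any(image not in expected for _, image in made_by):
            findings.append((name, "extra instance from unexpected process", pids))
    return findings


# Assumption: the process image expected to host Remote Desktop Services.
RDS_IMAGE = r"C:\Windows\System32\svchost.exe"

# Constructed pipe-creation records in time order (all values made up).
PIPE_A = r"\TSVCPIPE-00000000-0000-0000-0000-000000000001"
PIPE_B = r"\TSVCPIPE-00000000-0000-0000-0000-000000000002"
PIPE_EVENTS = [
    {"pipe": PIPE_A, "pid": 4120, "image": r"C:\Users\demo\AppData\Local\Temp\tool.exe"},
    {"pipe": PIPE_A, "pid": 988, "image": RDS_IMAGE},
    {"pipe": PIPE_B, "pid": 988, "image": RDS_IMAGE},
    {"pipe": PIPE_B, "pid": 988, "image": RDS_IMAGE},
    {"pipe": r"\example-app-ipc", "pid": 2210, "image": r"C:\Program Files\Example\app.exe"},
]

if __name__ == "__main__":
    for pipe, reason, pids in find_pipe_squatting(PIPE_EVENTS, {RDS_IMAGE}):
        print(pipe, reason, pids)
```

Several instances of the same pipe name from the service itself are normal, one per session, so the check keys on who created an instance rather than on how many exist.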

RDP attacks are very common, but this new vulnerability adds a twist. It shows “an example of an unconventional attack vector targeting RDP. Instead of tapping into the input side of the server/client as one usually does, we abused the RDP server internal mechanism as an entry point,” researchers said. While the researchers chose to focus on drive and smart-card redirection, they said they believe that the same technique would work with other types of devices, protocols and channels, such as printers, audio, USB devices and authentication redirection.

They’re “strongly” recommending applying the patch Microsoft issued on Tuesday (25th Jan 2022), given that “almost all Windows versions are affected.” They also suggested that developers of applications that use custom virtual channels “should check whether they are vulnerable and conduct their own security assessment.”

Last July, researchers took a look at the complexities of setting up RDP for remote work. They noted that the protocol itself “is not a secure setup” and therefore requires “additional security measures to keep workstations and servers protected.” Without proper security protocols, “organisations face several potential risks, including the increased risk of cyber attacks.”

The typical targets of RDP attacks tend to be small businesses, because they often lack the resources needed to protect against and respond to these threats. Cyber criminals target RDP vulnerabilities for a number of reasons, with the most common objectives including distributed denial of service (DDoS) attacks and ransomware delivery.

Cyber criminals have noted the increased use of RDP, as remote working has surged. Between Q1 and Q4 2020, attacks against RDP surged by 768%, while an October 2020 report identified that 47% of ransomware attacks were preceded by RDP compromise. Researchers said: “While RDP is required for normal system maintenance, it can’t be left to run on its own. Additional defences like establishing a zero-trust framework and having an automated method of quickly implementing firmware fixes are needed to ensure RDP is used safely.”

Neuways have plenty of alternatives to RDP for businesses to take advantage of. Microsoft Office 365 removes the need for RDP, as the shared Microsoft ecosystem provides an easy-to-use and share platform for businesses to interact and work collaboratively on.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.