Anomali Cyber Watch: Balada Injector Exploits WordPress Elementor Pro, Icon 3CX Stealer Detected by YARA, Koi Loader-Stealer Compresses-then-Encrypts Memory Streams | Anomali

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Clipboard-injectors, Infostealers, Malvertising, Pay-per-install, Supply chain, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

High Severity Vulnerability in WordPress Elementor Pro Patched

(published: March 31, 2023)

The Balada Injector campaign has been targeting vulnerable website plugins and themes since at least 2017. Its newest targets are WordPress WooCommerce websites running the popular website builder plugin Elementor Pro with a broken access control vulnerability. This high severity (CVSS v3.1: 8.8, High) vulnerability received a security patch on March 22nd, 2023, so Balada Injector targets websites that have not yet been patched. The attackers create a new administrator user and insert a script that sends visitors through a multi-hop redirect for the purpose of spam, scams, or installing adware.
Analyst Comment: Website administrators should update immediately if they have Elementor Pro version 3.11.6 or below installed. Employ server-side scanning to detect unauthorized malicious content. All known indicators associated with the Balada Injector campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1587.004 - Develop Capabilities: Exploits | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application
Tags: campaign:Balada Injector, Compromised website, Redirect, Spam, Scam, malware-type:Adware, Broken access control, Vulnerability, Elementor Pro, WordPress
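As an added, defender-side illustration of the two checks the analyst comment implies (is the installed Elementor Pro build at or below 3.11.6, and were any administrator accounts created on or after the March 22 patch date), here is a Python triage script. It is not Anomali's or Elementor's code. It assumes the user list comes from WP-CLI's `wp user list --format=json` with its default fields (`user_login`, `user_registered`, `roles`); the user records below are constructed sample data, not real accounts.

```python
"""Elementor Pro / WordPress admin-account triage (hypothetical helper, not Anomali's code)."""
import json
from datetime import datetime

# Facts from the write-up: 3.11.6 and below are vulnerable; the patch shipped 2023-03-22.
LAST_VULNERABLE_VERSION = (3, 11, 6)
PATCH_DATE = datetime(2023, 3, 22)


def parse_version(version: str) -> tuple:
    """Turn '3.11.6' into (3, 11, 6) so versions compare numerically, not as strings
    (a plain string compare would wrongly rank '3.9.2' above '3.11.6')."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def elementor_pro_is_vulnerable(installed: str) -> bool:
    """True when the installed build is at or below the last unpatched release."""
    return parse_version(installed) <= LAST_VULNERABLE_VERSION


def suspicious_admins(user_list_json: str, since: datetime = PATCH_DATE) -> list:
    """Return login names of administrator accounts registered on or after `since`.
    Assumes the JSON shape produced by `wp user list --format=json` (assumption)."""
    flagged = []
    for user in json.loads(user_list_json):
        roles = {r.strip() for r in str(user.get("roles", "")).split(",")}
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            flagged.append(user["user_login"])
    return flagged


# Constructed sample resembling WP-CLI output (not real data).
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.test",
     "user_registered": "2019-06-01 10:00:00", "roles": "administrator"},
    {"ID": 37, "user_login": "editor_jo", "user_email": "jo@example.test",
     "user_registered": "2023-03-25 09:12:00", "roles": "editor"},
    {"ID": 38, "user_login": "wpsupport", "user_email": "x@example.test",
     "user_registered": "2023-03-29 03:41:17", "roles": "administrator"},
])

if __name__ == "__main__":
    for v in ("3.9.2", "3.11.6", "3.11.7"):
        print(f"Elementor Pro {v}: {'UPDATE NOW' if elementor_pro_is_vulnerable(v) else 'patched'}")
    print("administrator accounts to review:", suspicious_admins(SAMPLE_USERS))
```

An account that the script flags is a review candidate, not proof of compromise: confirm who created it against web-server and admin-activity logs before removing it, and pair the check with the server-side content scanning the analyst comment recommends.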

3CX: Supply Chain Attack Affects Thousands of Users Worldwide

(published: March 30, 2023)

An unidentified threat group linked to North Korea has trojanized 3CX's DesktopApp, a voice and video calling desktop client used by 12 million users across 190 countries. Installers for recent Windows (18.12.407 and 18.12.416) and Mac (18.11.1213, 18.12.402, 18.12.407, and 18.12.416) versions of the software were compromised. The Windows installers contained clean versions of the app along with malicious DLLs staged for a DLL side-loading attack. The affected macOS versions were compromised in a similar fashion and contained a trojanized version of the dynamic library libffmpeg.dylib. The final observed payload was an information-stealing malware downloaded as an ICO file from a specific GitHub repository.
Analyst Comment: Supply chain attacks, such as attacks leveraging SolarWinds and 3CX, are hard to defend against. After the 3CX compromise was disclosed, it was recommended to uninstall all the affected versions. Google and a number of security vendors have invalidated the 3CX software security certificate used to sign the affected (and previous) software. 3CX DesktopApp users are advised to use only 18.12.422 or newer versions. All known indicators associated with this 3CX supply chain attack are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain | [MITRE ATT&CK] T1574.002 - Hijack Execution Flow: DLL Side-Loading | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] T1140 - Deobfuscate/Decode Files Or Information
Signatures: Icon_3cx_stealer. YARA by Symantec
Tags: 3CX, 3CXDesktopApp, malware:Icon 3cx stealer, malware-type:Infostealer, file-type:DLL, file-type:JSON, file-type:ICO, file-type:DYLIB, source-country:North Korea, source-country:KP, Supply Chain, GitHub, Windows, macOS

Copy-Paste Heist or Clipboard-Injector Attacks on Cryptousers

(published: March 28, 2023)

Between August 2022 and February 2023, Kaspersky researchers detected a significant increase in a clipboard-injector campaign targeting cryptocurrency users. The campaign has been using trojanized versions of the Tor Browser. The most targeted country was Russia, which has banned the official Tor Project website, followed by Ukraine, the US, and Germany. Targeted users ran a self-extracting executable containing a valid Tor installer, a command-line RAR extraction tool, and a password-protected RAR archive with the clipboard-injector malware. By infecting over 16,000 users and replacing cryptocurrency wallet addresses, the attackers gained approximately 400,000 US dollars in traceable cryptocurrencies, plus an unknown amount of Monero.
Analyst Comment: Users should download software only from reliable and trusted sources. If that is for some reason not an option, check the download with antivirus and a sandbox. Isolate your financial activity from devices used for questionable downloads.
MITRE ATT&CK: [MITRE ATT&CK] T1547 - Boot Or Logon Autostart Execution | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1565 - Data Manipulation | [MITRE ATT&CK] T1027.002 - Obfuscated Files or Information: Software Packing | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] T1140 - Deobfuscate/Decode Files Or Information
Tags: malware-type:Clipboard-injector, target-industry:Cryptocurrency, Enigma packer v4.0, Bitcoin, Litecoin, Dogecoin, ERC-20, Ethereum, Monero, file-type:EXE, file-type:RAR, TOR, target-country:RU, target-country:Russia, target-country:UA, target-country:Ukraine, target-country:US, target-country:USA, target-country:Germany, target-country:DE, Windows
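The clipboard-injector technique above has a simple defensive tell: the victim copies a wallet address and, a moment later, the clipboard holds a different address of the same coin family. The following Python watchdog is an added example written for this write-up (it is not Kaspersky's or Anomali's code). It assumes a poller that samples clipboard text on a fixed interval, here replaced by a constructed list of `(seconds, text)` snapshots; the address patterns are approximate shape checks for the coin families named in the tags, and the wallet-looking strings are constructed, not real wallets.

```python
"""Heuristic clipboard-swap detector (added example; assumes a polling clipboard reader)."""
import re

# Approximate address shapes per coin family. They are first-pass filters only and
# accept some strings that would fail a checksum; that is fine for alerting.
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),  # also covers ERC-20 token transfers
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ltc": re.compile(r"^(ltc1[ac-hj-np-z02-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "doge": re.compile(r"^D[a-km-zA-HJ-NP-Z1-9]{33}$"),
    "xmr": re.compile(r"^[48][a-km-zA-HJ-NP-Z1-9]{94}$"),
}


def classify_address(text: str):
    """Return the coin family a clipboard string looks like, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def detect_clipboard_swaps(snapshots, max_gap_seconds: float = 2.0):
    """Flag an address replaced by a *different* address of the same coin family
    within `max_gap_seconds`. A person rarely copies two wallet addresses that
    quickly; an injector rewrites the clipboard right after the user's copy."""
    alerts = []
    prev_time, prev_text, prev_coin = None, None, None
    for ts, raw in snapshots:
        text = raw.strip()
        coin = classify_address(text)
        if (coin is not None and coin == prev_coin and text != prev_text
                and ts - prev_time <= max_gap_seconds):
            alerts.append({"time": ts, "coin": coin,
                           "original": prev_text, "replacement": text})
        prev_time, prev_text, prev_coin = ts, text, coin
    return alerts


# Constructed wallet-looking strings (NOT real wallets), built from base58 / hex
# characters only so they pass the shape checks above.
VICTIM_BTC = "1FakeAddrForDemo" + "X" * 17 + "1"
SWAPPED_BTC = "1SwappedAddrDemo" + "X" * 17 + "2"
VICTIM_ETH = "0x" + "a1" * 20
OTHER_ETH = "0x" + "b2" * 20

# Constructed poll log: (seconds since start, clipboard text).
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for Monday"),
    (1.0, VICTIM_BTC),    # user copies their own address
    (1.5, SWAPPED_BTC),   # half a second later a different BTC address is in the clipboard
    (30.0, VICTIM_ETH),
    (95.0, OTHER_ETH),    # a second ETH address a minute later: plausibly the user's own copy
    (96.0, "hello"),
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{alert['time']:>5.1f}s] {alert['coin']} address swapped: "
              f"{alert['original']} -> {alert['replacement']}")
```

Polling can miss a swap that happens and is consumed between two samples, so a real deployment would use the platform's clipboard-change notification where one exists; the more robust habit the analyst comment points to is still to verify the pasted address against the intended one before sending.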

Updates from the MaaS: New Threats Delivered through NullMixer

(published: March 27, 2023)

The NullMixer malware delivery campaign has been advertising fake cracks for pirated software since September 2022. Its new campaign wave, tracked as ATK-16, targets tech-savvy users and system administrators to install backdoored, cracked versions of PC maintenance software such as EaseUS Partition Master and Driver Easy Pro. ATK-16 spiked in March 2023 with expanded targeting reaching beyond the previously targeted North America (Mexico and USA) to include Italy, Indonesia, France, and other countries. The attackers produced YouTube videos prompting viewers to download the backdoored pirated software. The payload is hidden behind the Bitly URL shortener and Blogspot accounts. A WinRAR executable archive simultaneously launches multiple binaries delivered for different actors on a pay-per-install basis: loaders (CrashedTech, Koi, and PseudoManuscript), infostealers (Fabookie, RacconStealer, and RedLine), and GCleaner spyware. PseudoManuscript was previously associated with Asia-based state-sponsored actors. The Koi loader-stealer (Sqlcmd Loader) is a new malware family likely operated from the Commonwealth of Independent States. Its advanced features include redirecting certain memory streams directly to the remote server, avoiding touching the disk before exfiltration, and obfuscating the memory stream in a compress-then-encrypt fashion.
Analyst Comment: As long as individuals continue to download cracked software, threat actors will continue using it as a distribution method. Your company should restrict these types of downloads, often by supplying legitimate software from vendors with dedicated development teams who continue improving it and implementing new patches. Your employees should be well educated about the risks these downloads pose. Indicators and YARA rules associated with the ATK-16 NullMixer campaign are available in the Anomali platform.
MITRE ATT&CK: [MITRE ATT&CK] T1204 - User Execution | [MITRE ATT&CK] T1555 - Credentials From Password Stores | [MITRE ATT&CK] T1555.003 - Credentials from Password Stores: Credentials From Web Browsers | [MITRE ATT&CK] T1059.001 - Command and Scripting Interpreter: PowerShell | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1027.002 - Obfuscated Files or Information: Software Packing | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] T1140 - Deobfuscate/Decode Files Or Information | [MITRE ATT&CK] T1497.001 - Virtualization/Sandbox Evasion: System Checks | [MITRE ATT&CK] T1560 - Archive Collected Data | [MITRE ATT&CK] T1573 - Encrypted Channel | [MITRE ATT&CK] T1090.002 - Proxy: External Proxy
Signatures: CrashedTech Loader. YARA by Luca Mella | Sqlcmd Loader. YARA by Luca Mella | Koi Loader. YARA by Luca Mella | Fabookie stealer. YARA by Luca Mella
Tags: campaign:NullMixer, campaign-wave:ATK-16, malware:PseudoManuscript, malware:Koi, malware:CrashedTech, malware-type:Loader, malware:RacconStealer, malware:RedLine, malware:Fabookie, malware-type:Infostealer, malware:GCleaner, malware-type:Spyware, Pay-per-install, Malware-as-a-Service, MaaS, target-region:North America, target-country:USA, target-country:US, target-country:Mexico, target-country:MX, target-region:Europe, target-country:Italy, target-country:IT, target-country:France, target-country:FR, target-country:ID, target-country:TR, source-region:CIS, SEO poisoning, Social engineering, Malvertising, target-industry:IT, target-identity:System administrator, EaseUS Partition Master, Driver Easy Pro, Youtube, Bitly, BlogSpot, file-type:EXE, PowerShell, ConfuseEx v1.0.0, Windows Embedded, Windows Server, Windows

MacStealer: New macOS-based Stealer Malware Identified

(published: March 24, 2023)

In March 2023, a new Python-based macOS stealer dubbed MacStealer was introduced on dark web forums. Despite being presented as a beta version in active development, it can steal passwords, cookies, and credit card data from the Brave, Firefox, and Google Chrome browsers, and extract files and the Keychain database. In addition, when started, MacStealer tries to obtain system credentials by displaying a fake password prompt. The collected data is archived into a ZIP file for exfiltration over Telegram.
Analyst Comment: MacStealer is an emerging threat targeting the newest macOS versions, and it is expected to receive new features in the near future. macOS users are advised to install software only from the official App Store or from identified developers. All known indicators associated with MacStealer are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1059.004 - Command and Scripting Interpreter: Unix Shell | [MITRE ATT&CK] T1555.001 - Credentials from Password Stores: Keychain | [MITRE ATT&CK] T1555.003 - Credentials from Password Stores: Credentials From Web Browsers | [MITRE ATT&CK] T1560 - Archive Collected Data | [MITRE ATT&CK] T1071.001 - Application Layer Protocol: Web Protocols
Tags: malware:MacStealer, malware-type:Infostealer, file-type:Mach-O, file-type:DMG, file-type:ZIP, Fake password prompt, Python, Telegram, macOS
