Release Date: Sept 05, 2023
Zscaler has published an extensive analysis of DuckTail’s intrusion techniques, compromise tactics, post-compromise procedures, and activity in the underground economy. Many of these insights had not previously been documented and are now available to help defenders understand the group’s targets and strategic motives.
Figure 1: DuckTail abuses social media and cloud platforms over multiple attack stages
The Zscaler team found that DuckTail threat actors rely primarily on social engineering, targeting users who work in digital marketing and advertising in order to gain access to business accounts. They often post fake job offers on LinkedIn as a lure, then send applicants malware disguised as interview material. Once they control an account, they abuse the platform’s own security features to lock the legitimate owners out. The group uses Telegram for command-and-control (C2) communications, and compromised accounts are sold on a Vietnamese underground market.
Statc Stealer spreads via malicious Google advertisements that deliver the malware when a victim clicks them. Statc infiltrates systems, steals sensitive data, and uses evasion techniques to avoid detection. Zscaler’s detailed analysis covers the malware’s distribution methods and evasion strategies, providing insight for defending against this threat.
Figure 2: Statc Stealer attack chain
Statc Stealer has a wide range of data-theft capabilities. It captures sensitive data and passwords from multiple browsers, cryptocurrency wallets, and messaging apps. The malware uses techniques such as filename checks and encryption to evade analysis and detection. Its ability to harvest data from so many applications highlights the importance of comprehensive security measures rather than point protection for a single browser or wallet.
To steal data, JanelaRAT employs several tactics, techniques, and procedures (TTPs), including DLL side-loading, dynamic C2 infrastructure, and a multi-stage attack chain.
Figure 3: End-to-end attack chain of the campaign used to distribute JanelaRAT
JanelaRAT captures window title strings to identify and steal financial and banking data. Its dynamic socket configuration lets it rotate C2 domains daily. It also uses DLL side-loading through legitimate executables from vendors such as VMware and Microsoft to evade endpoint detection.
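The side-loading technique above is detectable in image-load telemetry without any signature for the RAT itself. The following is an added example, not code from the JanelaRAT report or from any EDR product: it scores Sysmon-style Event ID 7 (ImageLoaded) records for the three tells of a side-load (a system DLL name resolved outside the system directories, a signed host loading an unsigned module, and a module loaded from a user-writable path). The records in SAMPLE_EVENTS are constructed, and the directory and DLL-name lists are assumptions a deployment would tune.

```python
"""Score image-load telemetry for DLL side-loading.

Added example for the side-loading technique described above; it is not code
from the JanelaRAT report or from any EDR product. It works on Sysmon-style
Event ID 7 (ImageLoaded) fields. The records in SAMPLE_EVENTS are constructed,
and the directory and DLL-name lists are assumptions a deployment would tune.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Where a legitimately installed executable should resolve system DLLs from.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Paths a standard user can write to; a DLL loaded from here by a signed
# vendor binary is the classic dropped-copy side-load.
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# System DLL names frequently impersonated because hosts load them by bare
# name (assumed starter list; extend from the estate's own baseline).
COMMONLY_HIJACKED = {
    "version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll",
    "dwmapi.dll", "uxtheme.dll", "profapi.dll", "msimg32.dll",
}


@dataclass
class ImageLoad:
    process: str          # Sysmon Image: full path of the loading process
    dll: str              # Sysmon ImageLoaded: full path of the module
    process_signed: bool  # Sysmon Signed/SignatureStatus for the process
    dll_signed: bool      # Sysmon Signed/SignatureStatus for the module


def score(ev: ImageLoad) -> list[str]:
    """Return the reasons a load looks like side-loading (empty list = clean)."""
    dll_dir = ntpath.dirname(ev.dll).lower() + "\\"
    dll_name = ntpath.basename(ev.dll).lower()
    reasons = []
    if dll_name in COMMONLY_HIJACKED and not dll_dir.startswith(SYSTEM_DLL_DIRS):
        reasons.append("system DLL name resolved outside System32/SysWOW64")
    if ev.process_signed and not ev.dll_signed:
        reasons.append("signed process loaded an unsigned DLL")
    if dll_dir.startswith(USER_WRITABLE_DIRS):
        reasons.append("DLL loaded from a user-writable path")
    return reasons


def triage(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each flagged DLL path to its reasons; clean loads are dropped."""
    return {ev.dll: r for ev in events if (r := score(ev))}


# Constructed records (not real telemetry): a normal load, a trojanised
# version.dll planted next to a copied signed binary, and a vendor's own DLL.
SAMPLE_EVENTS = [
    ImageLoad("C:\\Program Files\\Vendor\\tool.exe",
              "C:\\Windows\\System32\\version.dll", True, True),
    ImageLoad("C:\\Users\\victim\\AppData\\Local\\Temp\\update\\tool.exe",
              "C:\\Users\\victim\\AppData\\Local\\Temp\\update\\version.dll", True, False),
    ImageLoad("C:\\Program Files\\Vendor\\tool.exe",
              "C:\\Program Files\\Vendor\\vendorlib.dll", True, True),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

Only the planted version.dll is flagged, and it collects all three reasons. In production the second reason fires on its own for many legitimate applications that ship unsigned DLLs, so weight it low and baseline it; the first reason (a well-known system DLL name resolving outside System32) is the strong signal for the kind of side-load described above.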
Zscaler believes Agniane Stealer belongs to the Malware-as-a-Service (MaaS) platform Cinoshi Project, as the two share similar code structures. During the investigation the team found a Telegram channel sharing updates and pricing information for the malware.
Figure 4: Project information indicating that Agniane Stealer is very likely part of the Cinoshi Project
Agniane Stealer exfiltrates data from web browsers, Telegram sessions, Discord tokens, Steam, WinSCP and FileZilla sessions, cryptocurrency browser extensions, and cryptocurrency wallets. To avoid analysis, it checks for analysis environments such as malware sandboxes, emulators, and VirtualBox. It also uses WMI to collect CPU and GPU details and to identify installed antivirus software. After transferring the stolen information to its C2 servers, Agniane Stealer removes its working subfolder from the compromised machine.
These new regulations aim to enhance transparency and cyber accountability by fostering informed stakeholders and encouraging robust risk management.
On July 18, Citrix issued a security advisory for a critical vulnerability (CVE-2023-3519, CVSS 9.8) in NetScaler ADC and NetScaler Gateway.
The vulnerability drew considerable attention because it was already being exploited as a zero-day before the fix was available. Successful exploitation allows attackers to install web shells on critical infrastructure.
Figure 5: Attack chain of Citrix Gateway CVE-2023-3519 unauthenticated remote code execution
Exploitation of CVE-2023-3519 triggers a stack buffer overflow through a specially crafted HTTP GET request, leading to arbitrary code execution with root privileges on the appliance. The observed attack chain continues with the upload of a web shell, which the attackers then use as a foothold to go after Active Directory credentials and expand access into the domain.
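Because the payload of this attack chain is a dropped web shell, the practical check after patching is to look for web files written since the last known-good state. The following is an added example, not code from the Citrix advisory or the analyses it cites: a generic hunt that keeps files modified after a baseline time and flags those combining request input with an execution or decoding sink, the pattern PHP web shells depend on. The web root, the baseline, the token lists and the sample tree built by build_sample_tree() are constructed assumptions to tune for the real appliance or server.

```python
"""Hunt a web root for web shells written after a baseline time.

Added example, not code from the Citrix advisory or the analyses it cites.
The approach is generic: keep files changed after a known-good date (for
instance the last patch), then look for the combination of request input and
an execution or decoding sink that PHP web shells depend on. The token lists,
extensions and the sample tree built by build_sample_tree() are constructed
assumptions to tune for the real web root.
"""
from __future__ import annotations

import os
import re
import tempfile
import time
from pathlib import Path

# Request data a web shell takes its command from.
SOURCE = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE|SERVER)\s*\[", re.IGNORECASE)
# Functions that execute code or unwrap an obfuscated payload.
SINK = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open"
    rb"|base64_decode|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE,
)
WEB_EXTENSIONS = {".php", ".phtml", ".php5", ".phar", ".inc"}


def score_file(path: Path) -> dict:
    """Count sources and sinks; both present in one file is the shell pattern."""
    data = path.read_bytes()
    sources = len(SOURCE.findall(data))
    sinks = sorted({m.group(1).decode().lower() for m in SINK.finditer(data)})
    return {
        "path": str(path),
        "size": len(data),
        "sources": sources,
        "sinks": sinks,
        "suspicious": sources > 0 and bool(sinks),
    }


def hunt(web_root: Path, since: float) -> list[dict]:
    """Return suspicious records for web files modified after `since` (epoch seconds)."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            p = Path(dirpath, name)
            if p.suffix.lower() not in WEB_EXTENSIONS:
                continue
            if p.stat().st_mtime <= since:
                continue  # predates the baseline; covered by integrity checks instead
            rec = score_file(p)
            if rec["suspicious"]:
                findings.append(rec)
    return sorted(findings, key=lambda r: r["path"])


def build_sample_tree(root: Path, since: float) -> None:
    """Constructed web root: a benign page, an old file that legitimately uses a
    risky function, and a shell dropped in a dot-file after the baseline."""
    (root / "images").mkdir(parents=True, exist_ok=True)
    (root / "index.php").write_bytes(b'<?php echo "hello"; ?>')
    legacy = root / "legacy.php"
    legacy.write_bytes(b'<?php eval($_GET["cfg"]); ?>')
    os.utime(legacy, (since - 86400, since - 86400))  # predates the baseline
    (root / "images" / ".cache.php").write_bytes(
        b'<?php @eval(base64_decode($_POST["x"])); ?>'
    )


def run_demo() -> list[dict]:
    """Build the sample tree in a temporary directory and hunt it with a
    baseline of one hour ago."""
    with tempfile.TemporaryDirectory() as tmp:
        since = time.time() - 3600
        build_sample_tree(Path(tmp), since)
        return hunt(Path(tmp), since)


if __name__ == "__main__":
    for rec in run_demo():
        print(rec["path"], rec["sinks"], "sources:", rec["sources"])
```

Only the freshly dropped .cache.php is reported; the older legacy.php uses the same dangerous functions but predates the baseline. Modification times are trivially forged, so pair this with a hash comparison against a known-good build of the same files, and run it from a trusted host against a copy of the filesystem when the appliance itself may be compromised.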
The advisory also highlights other vulnerabilities:
Administrators are advised to upgrade affected appliances to the fixed builds. Compensating controls, including network segmentation, have thwarted some attempts to exploit the vulnerability.
If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the