Shadow Talk Update – 05.07.2018
May 7, 2018
In this week’s episode Shadow Talk, it’s a vulnerability extravaganza. We cover malicious use of legitimate software, as APT28 is attributed to hijacking LoJack and Blackrouter delivered via AnyDesk software. Vulnerabilities found (and exploited) in GPON home routers, and Loki Bot exploits two remote code execution vulnerabilities in Microsoft Office (CVE-2017-8570 and CVE-2018-0802).
Microsoft Office flaws exploited to deliver Loki Bot
Distributors of the Loki Bot information-stealing malware are exploiting two remote code execution (RCE) vulnerabilities in Microsoft Office: CVE-2017-8570 and CVE-2018-0802. CVE-2018-0802 is associated with another flaw (CVE-2017-11882), and only devices that have applied the patches for that vulnerability can be exploited in the new attacks. Because Loki Bot is widely available on online criminal forums, there has been no attribution for the recent activity. Proof of concept (PoC) code has been released online, which has highly likely enabled attackers to target both vulnerabilities.
Cyber incident affects Mexican inter-bank money transfers
News service Bloomberg reported that three Mexican banks were forced to use contingency plans for monetary transfers after a cyber “incident” affected connections with the Interbank Electronic Payment System (SPEI). The SPEI is a nearly real-time hybrid settlement system that enables transfers between participating banks, and is operated by Mexico’s central bank (Banco de México). At the time of writing, few details of any intrusions are publicly available. Attacks targeting specific banks and their internal systems are often conducted by threat actors with a good knowledge of banking payment infrastructure. This incident followed a failed attack on a Mexican bank’s SWIFT platform in January 2018.
GravityRAT evades detection for two years
A previously unreported RAT, dubbed GravityRAT, allegedly targeted organizations in India, and has been under development for the past two years. GravityRAT has similar functionality to pre-existing RATs, including file extraction and RCE. GravityRAT evaded detection for multiple years despite the C2 infrastructure remaining static throughout its evolution. This likely indicates that there were a few attacks against organizations, and that it was unlikely to have represented a significant threat.
Rubella Macro Builder crimeware kit used in banking malware campaigns
Malware distributors have been using a new crimeware kit, called Rubella Macro Builder, for attacks. The kit is available to rent from Russian-language criminal forums at a relatively low price, and offers a range of functions pertaining to payload execution and encryption. The attack vector relies on social engineering, in sending emails with malicious Microsoft documents attached: an unsophisticated but consistently popular distribution method. Since its emergence in February 2018, the kit has undergone modification and developments, and more improvements are highly likely in the short term.
Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.