5th January, 2024
Barracuda's Vulnerability: An Exploited Zero Day
Threat Actors, originating from an Asian country, have been targeting the newly revealed vulnerability within Barracuda's Amavis Scanner. By exploiting a third party and open source spreadsheet (CVE-2023-7102), the threat actors are able to engage in 'arbitrary code execution'. Evidence provided by Microsoft, and collaborated upon by Barracuda, suggests that this is the same group that exploited a previous vulnerability earlier this year.
The exploitation of this flaw simply involves using a specially designed Excel email attachment. This then results in the deployment of SEASPY and SALTWATER malwares that offer persistence to the threat actors, and also allows them enage in command exaction on the victim. Thankfully a security update was applied on December the 21st. Customers are advised to ensure that they are up to date with the newest version, and no further user action is required to ensure that they're safe.
Rugmi Loader: A Looming Threat
Recently released and with hundreds of daily detections, Rugmi is a threat that every analyst should be aware of. It consists of three main components: the downloader, an initial loader, and a secondary loader. Rugmi's constant support from its own developers ensures that it is able to constantly adapt its evasion methods. Rugmi utilises a wide variety of methods to gain initial access, including; Malvertisement, exploiting discords content delivery network, and phishing. Rugmi itself is a malware-as-a-service; with users paying a subscription in order to access the stealer. Nearly all instances of Rugmi's use are financially motivated. Often it targets individuals but small to medium sized businesses are also indiscriminately targeted.
Carbanak: A Ghost of Malware Past
The notorious Carbanak banking malware has resurfaced with a new twist and now incorporates ransomware tactics; a sharp turn from away from its known behavior of data exfiltration. In a recent analysis of November 2023 ransomware incidents, NCC Group discovered that Carbanak has returned through new distribution channels, leveraging compromised websites to impersonate various business-related software, including well-known tools like HubSpot, Veeam, and Xero. This follows a trend in variety of malware shifting their focus over towards ransomware; which proved to be effective and successful throughout 2023.
Xamalicious: Widespread Android Backdoor
Leveraging the Xamarin open-source mobile app framework to exploit accessibility permissions for malicious activities. Xamalicious was identified by the McAfee Mobile Research Team, it encrypts communication using advanced algorithms, making it challenging to detect. The malware, disguised within seemingly harmless apps, has impacted at least 327,000 devices, primarily in regions like Brazil, Argentina, the U.K., Australia, and the U.S. It dynamically injects a second-stage payload at runtime to gain full control, posing serious risks as it can act as spyware or a banking trojan without user interaction. Despite its presence on the Google Play Store since mid-2020, Google reassures users that Play Protect provides warnings and automatic removal if the malware is detected.
Xamalicious showcases the evolving threat landscape of Android malware, employing encryption and self-updating capabilities. The use of non-Java code frameworks like Xamarin adds an additional layer of obfuscation, allowing the malware to stay under the radar of security vendors.
Over the Christmas break it has become clear that the primary focus of threat actors has been updating their old software and exploiting zero-day vulnerabilities wherever they might be found. Worryingly this suggests that we are likely to see a continued rise in Ransomware based threats. Their continued success throughout the year, and with more transitioning over to this methodology, Ransomware will remain one of the most prevalent threats.