New Zero-Day Chrome Web Browser Vulnerability
  • Advisory
  • February 15, 2022

The vulnerability, tracked as CVE-2022-0609, is described as a Use-After-Free (UAF) bug in the Animation component. Use-After-Free is a memory corruption bug that occurs when a program continues to use memory after it has been freed; by that point the memory may already have been reallocated for another purpose, so the stale access can read or corrupt unrelated data.

Iranian Government-Sponsored APT Group Target Government and Commercial Networks
  • Advisory
  • March 1, 2022

As part of its spearphishing campaign, MuddyWater attempts to coax targeted victims into downloading ZIP files containing either an Excel file with a malicious macro that communicates with the actor's C2 server or a PDF file that drops a malicious file onto the victim's network. MuddyWater actors have been observed exploiting publicly disclosed vulnerabilities and employing open-source tools and strategies to gain access to sensitive data on victims' systems and deploy ransomware. These actors also maintain persistence on victim networks by employing techniques such as side-loading dynamic link libraries (DLLs) to trick legitimate programs into running malware and obfuscating PowerShell scripts to conceal command and control (C2) functions. Furthermore, the group employs multiple malware sets, including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS, for malware loading, backdoor access, persistence and exfiltration.

New Browser-in-the-Browser (BitB) Phishing Attacks
  • Advisory
  • March 29, 2022

In this attack, a hacker uses JavaScript to display a pop-up window that is itself a phishing lure designed to trick you into entering your account information, and it is difficult to tell whether the window is real or not. The novel method abuses third-party single sign-on (SSO) options embedded on websites that open pop-up windows for authentication, such as "Sign in with Google," Facebook, Apple, or Microsoft. The default behaviour when signing in via these methods is to be greeted by a pop-up window that completes the authentication process; the BitB attack replicates this entire process using a mix of HTML and CSS to draw an entirely fabricated browser window. The fake pop-up mimics a browser window within the browser, spoofing a legitimate domain and allowing for convincing phishing attacks. Because the address bar is only an image of one, the BitB attack also defeats the habit of hovering over a URL to check whether it is legitimate: if JavaScript is allowed, both the "https" padlock cue and the hover-over check become ineffective. Potential victims must first be lured to a phishing domain that can display the fake authentication window in order to harvest credentials. However, once on the attacker's website, the user will feel at ease as they enter their credentials on what appears to be a legitimate site (because the displayed URL says so).

Hackers Using Fake Windows 11 Upgrade to Install Malware and Steal Information
  • Advisory
  • April 20, 2022

The malicious website used in the campaign is https://windows11-upgrade11[.]com.

According to CloudSEK, the threat actors behind this campaign are using a new malware named "Inno Stealer", so called because of its use of the Inno Setup Windows installer. The loader (Delphi-based) is the "Windows 11 setup" executable contained in the ISO; when launched, it dumps a temporary file named is-PN131.tmp and creates another .TMP file into which the loader writes 3,078KB of data. The loader then spawns a new process via the CreateProcess Windows API, establishes persistence, and plants four files.

Two of the four dropped files are Windows Command Scripts to disable Registry security, add Defender exceptions, uninstall security products, and delete the shadow volume.

The third file is a command execution utility that runs with the highest system privileges, and the fourth is a VBA script required to run dfl.cmd.

At the second stage of the infection, a file with the .SCR extension is dropped into the C:\Users\\AppData\Roaming\Windows11InstallationAssistant directory of the compromised system.

That file is the agent that unpacks the info-stealer payload and executes it by spawning a new process named "Windows11InstallationAssistant.scr", the same name as itself.

FBI Warns of BlackCat Ransomware That Breached Over 60 Organisations Worldwide
  • Advisory
  • April 25, 2022

BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim system. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim's network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise.

Joker Trojan-Infected Android Apps Reappear on Google Play Store
  • Advisory
  • May 10, 2022

Bad actors download legitimate apps from the Play Store, modify them by embedding the trojan malware, and then upload the app back to the Play Store under a new name. The malicious payload is only activated once the app goes live on the Play Store, which lets the apps slip past Google's strict evaluation process. Once installed, these apps request permissions that, once granted, give them access to critical functions such as text messages and notifications.
