In the spearphishing incident, upon downloading and executing the alleged job file, the victim would have unwittingly executed VenomLNK, an initial stage of more_eggs. By abusing Windows Management Instrumentation , VenomLNK enables the malware’s plugin loader, TerraLoader, which then hijacks legitimate Windows processes, cmstp and regsvr32. While TerraLoader is being initiated, a decoy word document is presented to the victim. The document is designed to impersonate a legitimate employment application, but it serves no functional purpose in the infection. It is merely used to distract the victim from the ongoing background tasks of more_eggs. TerraLoader then installs msxsl in the user’s roaming profile and loads the payload, TerraPreter, an ActiveX control (.ocx file) downloaded from Amazon Web Services. At this point, TerraPreter begins beaconing to a Command & Control server (C2) via the rogue copy of msxsl. The beacon signals that the more_eggs backdoor is ready for Golden Chicken’s customer to log in and begin carrying out their goal, whether it is to infect the victim with additional malware, such as ransomware, or to get a foothold into the victim’s network so as to exfiltrate data.
According to Moxie, the software is riddled with vulnerabilities. (The one example he gives is that it uses FFmpeg DLLs from 2012, and have not been patched with the 100+ security updates since then). It was revealed that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed. For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question. The malicious file could also, for example, insert fabricated evidence or subtly alter the evidence it copies from a phone. It could even write that fabricated/altered evidence back to the phone so that from then on, even an uncorrupted version of Cellebrite will find the altered evidence on that phone.
The attack chain commences with the creation of a Telegram bot by the attacker, which is then embedded into the RAT's configuration file, before compiling it into an executable (e.g. "paypal checker by saint.exe"). This .EXE file is then injected into a decoy Word document ("solution.doc") that, when opened, downloads and runs the Telegram RAT ("C:\Users\ToxicEye\rat.exe").
The malware is spread via phishing emails embedded with a malicious Windows executable file. ToxicEye uses Telegram to communicate with the command-and-control (C2) server and upload data to it.
In the analysed attack, the attackers first created a Telegram account and a dedicated Telegram bot which they then bundled with the ToxicEye malware and spread it via spam campaigns as an email attachment.
If opened by a victim, the malicious attachment connects to Telegram, enabling the attackers to gain a foothold on their device via the bot.
After gaining initial access to the pipeline company’s network, DarkSide actors deployed DarkSide ransomware against the company’s IT network. DarkSide is ransomware-as-a-service (RaaS)—the developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as “affiliates.” According to open-source reporting, since August 2020, DarkSide actors have been targeting multiple large, high-revenue organizations, resulting in the encryption and theft of sensitive data. The DarkSide group has publicly stated that they prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments.
The zero-day vulnerability tracked with CVE-2021-30665 and CVE-2021-30663 as Buffer overflow and Integer Overflow vulnerabilities. Buffer overflows occur when a developer does not sanitize or validate the user input before allocating space for it in the buffer. Integer overflow leads to the execution of buffer overflow vulnerability which allows the attacker to gain shell and elevate his privileges once this vulnerability is exploited. The validation checks are actually disabled by the integer overflow vulnerability thus resulting in execution of buffer overflow. The vulnerabilities allows a remote attacker to execute arbitrary code on the target system.