IcedID Abuses Google Search for Distribution


FortiGuard Labs is aware of a report that the IcedID threat actor has started to abuse Google pay-per-click (PPC) advertising to distribute malware. Malicious ads displayed above the search results lead to fake Web sites that mimic those of legitimate services. The fake Web sites offer a download link to malicious installers that install IcedID on victims' machines.

Why is this Significant?

This is significant because Google operates the largest search engine, and ads in its search results are seen by billions of people every day. The IcedID threat actor has reportedly started to abuse Google search, which gives them a prominent platform for malware distribution. The threat actor also created fake Web sites that mimic those of legitimate and popular services and applications to trick users into downloading and running malicious installers.

How Does the Attack Work?

When a search is made on Google, ads from the threat actor are displayed above the actual search results. Clicking a malicious ad redirects the user to a Web site that mimics the Web site of a legitimate and popular service or application. The fake Web site has a link to download a malicious installer that installs IcedID on the victim's machine.

What else?

On December 21st, 2022, the Federal Bureau of Investigation (FBI) released an advisory that cyber criminals are leveraging search engine advertisement services for malicious purposes. The advisory specifically calls out threat actors who created fake crypto exchange platforms that users are lured into from ads in search results. The fake crypto exchange Web sites are designed to trick users into entering login credentials.

What is the Status of Protection?

FortiGuard Labs detects IcedID and the relevant samples in the report with the following AV signature:

W64/IcedId.F!tr

IcedID Command-and-Control servers and the fake Web sites that distribute IcedID malware are blocked by Webfiltering.


New Zerobot Variant Exploits Additional Vulnerabilities for Propagation


FortiGuard Labs is aware of a report that a new Zerobot variant is capable of propagating to other devices by exploiting known vulnerabilities. Zerobot was first reported in a blog released by Fortinet on December 06, 2022. Devices infected with Zerobot connect to a Command-and-Control (C2) server and can take part in DDoS attacks.

Why is this Significant?

This is significant because the new Zerobot variant was updated to exploit additional vulnerabilities for propagation. Since the previous variants of Zerobot were found only recently, the Zerobot developer is evidently putting constant effort into improving the malware. Because of this, patches should be applied to vulnerable devices as soon as possible.

What is Zerobot?

Zerobot is a Go-based malware recently discovered by Fortinet that runs on Linux and Windows platforms. Zerobot contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol.

While Zerobot can spread to other devices by exploiting vulnerabilities and performing brute-force attacks, the malware is reportedly unable to propagate to Windows machines. For more information on Zerobot, see the Appendix for a link to "Zerobot – New Go-Based Botnet Campaign Targets Multiple Vulnerabilities".

What Vulnerabilities does Zerobot Exploit?

The following vulnerabilities are exploited by Zerobot.

Additional vulnerabilities exploited by the new Zerobot variant:

Vulnerability      Affected Product
CVE-2017-17105     Zivif PR115-204-P-RS
CVE-2019-10655     Grandstream
CVE-2020-25223     WebAdmin of Sophos SG UTM
CVE-2021-42013     Apache
CVE-2022-31137     Roxy-WI
CVE-2022-33891     Apache Spark
ZSL-2022-5717      MiniDVBLinux

Vulnerabilities exploited by the previously reported variant of Zerobot:

Vulnerability      Affected Product
CVE-2014-8361      miniigd SOAP service in Realtek SDK
CVE-2017-17106     Zivif PR115-204-P-RS V2.3.4.2103 Webcams
CVE-2017-17215     Huawei HG532 Router
CVE-2018-12613     phpMyAdmin
CVE-2020-10987     Tenda AC15 AC1900 Router
CVE-2020-25506     D-Link DNS-320 NAS
CVE-2021-35395     Realtek Jungle SDK
CVE-2021-36260     Hikvision product
CVE-2021-46422     Telesquare SDT-CW3B1 Router
CVE-2022-01388     F5 BIG-IP
CVE-2022-22965     Spring MVC or Spring WebFlux application (Spring4Shell)
CVE-2022-25075     TOTOLINK A3000RU Router
CVE-2022-26186     TOTOLINK N600R Router
CVE-2022-26210     TOTOLINK A830R Router
CVE-2022-30525     Zyxel USG FLEX 100(W) Firewall
CVE-2022-34538     Digital Watchdog DW MEGApix IP camera
CVE-2022-37061     FLIR AX8 thermal sensor cameras

Other vulnerabilities that may be associated with Zerobot:

Vulnerability      Affected Product
CVE-2016-20017     D-Link DSL-2750B
CVE-2018-10561     Dasan GPON
CVE-2018-20057     D-Link DIR-605L/DIR-619L
CVE-2020-7209      HP LinuxKI
CVE-2022-30023     Tenda ONT GPON AC1200 Dual band WiFi HG9
ZERO-36290

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage for the samples called out in the report:

W32/ZeroBot.A!tr
W64/ZeroBot.A!tr
ELF/Zerobot.A!tr
BASH/ZeroBot.A!tr.dldr
W32/Agent.JL!tr
Linux/Agent.SE!tr
W32/Malicious_Behavior.VEX
Malicious_Behavior.SB
W32/PossibleThreat
PossibleThreat

FortiGuard Labs provides the following IPS signatures for the vulnerabilities exploited by Zerobot:

D-Link.Realtek.SDK.Miniigd.UPnP.SOAP.Command.Execution (CVE-2014-8361)
D-Link.DSL-2750B.CLI.OS.Command.Injection (CVE-2016-20017)
Zivif.PR115-204-P-RS.Web.Cameras.Remote.Command.Injection (CVE-2017-17105)
Zivif.PR115-204-P-RS.Web.Cameras.Credentials.Disclosure (CVE-2017-17106)
Huawei.HG532.Remote.Code.Execution (CVE-2017-17215)
Dasan.GPON.Remote.Code.Execution (CVE-2018-10561)
phpMyAdmin.Authenticated.db_sql.Directory.Traversal (CVE-2018-12613)
Grandstream.Devices.Invalid.Phonecookie.Command.Injection (CVE-2019-10655)
Tenda.AC15.AC1900.Authenticated.Remote.Command.Injection (CVE-2020-10987)
Sophos.SG.UTM.WebAdmin.PreAuth.Remote.Code.Execution (CVE-2020-25223)
D-Link.ShareCenter.Products.CGI.Code.Execution (CVE-2020-25506)
HP.LinuxKI.Kivis.PHP.Remote.Command.Injection (CVE-2020-7209)
Realtek.SDK.CVE-2021-35395.Buffer.Overflow (CVE-2021-35395)
Hikvision.Product.SDK.WebLanguage.Tag.Command.Injection (CVE-2021-36260)
Apache.HTTP.Server.cgi-bin.Path.Traversal (CVE-2021-42013)
Spring.Framework.SerializationUtils.Insecure.Deserialization (CVE-2022-22965)
Totolink.Router.Main.Function.Query_String.Command.Injection (CVE-2022-25075)
Totolink.Router.Cstecgi.Command.Injection (CVE-2022-26186)
Totolink.Router.Cstecgi.Command.Injection (CVE-2022-26210)
ZyXEL.Firewall.ZTP.Command.Injection (CVE-2022-30525)
Roxy-WI.options.API.Remote.Code.Injection (CVE-2022-31137)
Apache.Spark.getUnixGroups.Command.Injection (CVE-2022-33891)
Digital.Watchdog.MEGApix.IP.Camera.Addacph.Command.Injection (CVE-2022-34538)
FLIR.AX8.Thermal.Camera.Command.Injection (CVE-2022-37061)

All network IOCs are blocked by Webfiltering.
