Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the internet. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Monthly Archives: May 2023
CVE-2015-10107
A vulnerability was found in Simplr Registration Form Plus+ Plugin up to 2.3.4 on WordPress and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.3.5 is able to address this issue. The name of the patch is d588446844dd49232ab400ef213ff5b92121c33e. It is recommended to upgrade the affected component. The identifier VDB-230153 was assigned to this vulnerability.
CVE-2014-125103
A vulnerability was found in BestWebSoft Twitter Plugin up to 1.3.2 on WordPress. It has been declared as problematic. Affected by this vulnerability is the function twttr_settings_page of the file twitter.php. The manipulation of the argument twttr_url_twitter/bws_license_key/bws_license_plugin leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.3.7 is able to address this issue. The name of the patch is e04d59ab578316ffeb204cf32dc71c0d0e1ff77c. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-230155.
USN-6125-1: snapd vulnerability
It was discovered that the snap sandbox did not restrict the use of the ioctl system call with a TIOCLINUX request. This could be exploited by a malicious snap to inject commands into the controlling terminal which would then be executed outside of the snap sandbox once the snap had exited. This could allow an attacker to execute arbitrary commands outside of the confined snap sandbox. Note: graphical terminal emulators like xterm, gnome-terminal and others are not affected – this can only be exploited when snaps are run on a virtual console.
Discord Admins Hacked by Malicious Bookmarks
A number of Discord communities focused on cryptocurrency have been hacked this past month after their administrators were tricked into running malicious JavaScript code disguised as a Web browser bookmark.
According to interviews with victims, several of the attacks began with an interview request from someone posing as a reporter for a crypto-focused news outlet online. Those who take the bait are sent a link to a Discord server that appears to be the official Discord of the crypto news site, where they are asked to complete a verification step to validate their identity.
As shown in this YouTube video, the verification process involves dragging a button from the phony crypto news Discord server to the bookmarks bar in one’s Web browser. From there, the visitor is instructed to go back to discord.com and then click the new bookmark to complete the verification process.
However, the bookmark is actually a clever snippet of JavaScript that quietly grabs the user’s Discord token and sends it to the scammer’s website. The attacker then loads the stolen token into their own browser session and (usually late at night after the admins are asleep) posts an announcement in the targeted Discord about an exclusive “airdrop,” “NFT mint event” or some other potential money making opportunity for the Discord members.
The unsuspecting Discord members click the link provided by the compromised administrator account, and are asked to connect their crypto wallet to the scammer’s site, where it asks for unlimited spend approvals on their tokens, and subsequently drains the balance of any valuable accounts.
Meanwhile, anyone in the compromised Discord channel who notices the scam and replies is banned, and their messages are deleted by the compromised admin account.
Nicholas Scavuzzo is an associate at Ocean Protocol, which describes itself as an “open-source protocol that aims to allow businesses and individuals to exchange and monetize data and data-based services.” On May 22, an administrator for Ocean Protocol’s Discord server clicked a link in a direct message from a community member that prompted them to prove their identity by dragging a link to their bookmarks.
Scavuzzo, who is based in Maine, said the attackers waited until around midnight in his time zone before using the administrator’s account to send out an unauthorized message about a new Ocean airdrop.
Scavuzzo said the administrator’s account was hijacked even though she had multi-factor authentication turned on.
“A CAPTCHA bot that allows Discord cookies to be accessed by the person hosting the CAPTCHA,” was how Scavuzzo described the attack. “I’ve seen all kinds of crypto scams, but I’ve never seen one like this.”
Importantly, the stolen token only works for the attackers as long as its rightful owner doesn’t log out and back in, or else change their credentials.
Assuming the administrator can log in, that is. In Ocean’s case, one of the first things the intruders did once they swiped the administrator’s token was change the server’s access controls and remove all core Ocean team members from the server.
Fortunately for Ocean, Scavuzzo was able to reach the operator of the server that hosts the Discord channel, and have the channel’s settings reverted back to normal.
“Thankfully, we are a globally distributed team, so we have people awake at all hours,” Scavuzzo said, noting that Ocean is not aware of any Discord community members who fell for the phony airdrop offer, which was live for about 30 minutes. “This could have been a lot worse.”
On May 26, Aura Network reported on Twitter that its Discord server was compromised in a phishing attack that resulted in the deletion of Discord channels and the dissemination of fake Aura Network Airdrop Campaign links.
On May 27, Nahmii — a cryptocurrency technology based on the Ethereum blockchain — warned on Twitter that one of its community moderators on Discord was compromised and posting fake airdrop details.
On May 9, MetrixCoin reported that its Discord server was hacked, with fake airdrop details pushed to all users.
KrebsOnSecurity recently heard from a trusted source in the cybersecurity industry who dealt firsthand with one of these attacks and asked to remain anonymous.
“I do pro bono Discord security work for a few Discords, and I was approached by one of these fake journalists,” the source said. “I played along and got the link to their Discord, where they were pretending to be journalists from the Cryptonews website using several accounts.”
The source took note of all the Discord IDs of the admins of the fake Cryptonews Discord, so that he could ensure they were blocked from the Discords he helps to secure.
“Since I’ve been doing this for a while now, I’ve built up a substantial database of Discord users and messages, so often I can see these scammers’ history on Discord,” the source said.
In this case, he noticed a user with the “CEO” role in the fake Cryptonews Discord had been seen previously under another username — “Levatax.” Searching on that Discord ID and username revealed a young Turkish coder named Berk Yilmaz whose Github page linked to the very same Discord ID as the scammer CEO.
Reached via instant message on Telegram, Levatax said he’s had no involvement in such schemes, and that he hasn’t been on Discord since his Microsoft Outlook account was hacked months ago.
“The interesting thing [is] that I didn’t use Discord since few months or even social media because of the political status of Turkey,” Levatax explained, referring to the recent election in his country. “The only thing I confirm is losing my Outlook account which connected to my Discord, and I’m already in touch with Microsoft to recover it.”
The verification method used in the above scam involves a type of bookmark called a “bookmarklet” that stores JavaScript code as a clickable link in the bookmarks bar at the top of one’s browser.
While bookmarklets can be useful and harmless, malicious JavaScript that is executed in the browser by the user is especially dangerous. So please avoid adding (or dragging) any bookmarks or bookmarklets to your browser unless it was your idea in the first place.
CVE-2012-10015
A vulnerability was found in BestWebSoft Twitter Plugin up to 2.14 on WordPress. It has been classified as problematic. Affected is the function twttr_settings_page of the file twitter.php of the component Settings Page. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. Upgrading to version 2.15 is able to address this issue. The name of the patch is a6d4659cbb2cbf18ccb0fb43549d5113d74e0146. It is recommended to upgrade the affected component. VDB-230154 is the identifier assigned to this vulnerability.
DSA-5417 openssl – security update
Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit.
DSA-5416 connman – security update
It was discovered that there was a potential buffer overflow and denial of service vulnerability in the gdhcp client implementation of connman, a command-line network manager designed for use on embedded devices.
qemu-2.0.0-5.el7
FEDORA-EPEL-2023-03b316a546
Packages in this update:
qemu-2.0.0-5.el7
Update description:
Backport fix for CVE-2015-7504.
SeroXen RAT for sale
This blog was jointly written with Alejandro Prada and Ofer Caspi.
Executive summary
SeroXen is a new Remote Access Trojan (RAT) that showed up in late 2022 and is becoming more popular in 2023. Advertised as a legitimate tool that gives access to your computers undetected, it is being sold for only $30 for a monthly license or $60 for a lifetime bundle, making it accessible.
Key takeaways:
SeroXen is a fileless RAT, performing well at evading detections on static and dynamic analysis.
The malware combines several open-source projects to improve its capabilities. It is a combination of Quasar RAT, r77-rootkit and the NirCmd command-line utility.
Hundreds of samples have shown up since its creation, being most popular in the gaming community. It is only a matter of time before it is used to target companies instead of individual users.
Analysis
Quasar RAT is a legitimate open-source remote administration tool. It is offered on its GitHub page to provide user support or employee monitoring. It has been historically associated with malicious activity performed by threat actors, APT groups (like in this Mandiant report from 2017), or government attacks (in this report by Unit42 in 2017).
It was first released in July 2014 as “xRAT” and renamed to “Quasar” in August 2015. Since then, updates to the code have been released up to v1.4.1 in March 2023, which is the most current version. As an open-source RAT tool still receiving updates 9 years after its creation, it is no surprise that it continues to be a common tool used by itself or combined with other payloads by threat actors up to this day.
In a review of the most recent samples, a new Quasar variant was observed by Alien Labs in the wild: SeroXen. This new RAT is a modified branch of the open-source version, adding some modifications and features to the original RAT. It is sold for a monthly or lifetime fee. Figure 1 contains some of the features advertised on their website.
Figure 1. SeroXen features announced on its website.
This new RAT first showed up on a Twitter account, established in September 2022. The person advertising the RAT appeared to be an English-speaking teenager. The same Twitter handle published a review of the RAT on YouTube. The video approached the review from an attacking/Red Team point of view, encouraging people to buy the tool because it is worth the money. They were claiming to be a reseller of the tool.
In December 2022, a specific domain was registered to market/sell the tool, seroxen[.]com. The RAT was distributed via a monthly license for $30 USD or a lifetime license of $60 USD. It was around that time that the malware was first observed in the wild, appearing with 0 detections on VirusTotal.
After a few months, on the 1st of February, the YouTuber CyberSec Zaado published a video alerting the community about the capabilities of the RAT from a defensive perspective. In late February, the RAT was advertised on social media platforms such as TikTok, Twitter, YouTube, and several cracking forums, including hackforums. There were some conversations on gaming forums complaining about being infected by malware after downloading some video games. The artifacts described by the users matched with SeroXen RAT.
The threat actor updated the domain name to seroxen[.]net by the end of March. This domain name was registered on March 27th, 2023, after seroxen[.]com was decommissioned. The threat actor used GoDaddy for registration and Cloudflare for hosting the website. These domains are only used for selling and marketing purposes, and not for Command and Control (C&C) communications.
Figure 2: SeroXen website
Based on the packed versions uploaded to VT, it appears that the RAT is being used for targeting video game users. Several lure injector cheat files have been observed with names invoking popular videogames such as Fortnite, Valorant, Roblox or Warzone2. The threat actor used Discord for the distribution of some of the samples.
Figure 3. SeroXen timeline.
One of the most relevant announced features is that it is a fully undetectable version. This is currently true from a static analysis point of view, since the RAT is packaged into an obfuscated PowerShell batch file. The file’s size typically ranges between 12-14 megabytes, as we can see in sample 8ace121fae472cc7ce896c91a3f1743d5ccc8a389bc3152578c4782171c69e87 uploaded to VT on May 21. Due to its relatively large size, certain antivirus engines may choose not to analyze it, potentially bypassing detection. This sample currently has 0 detections on VT, but some of the crowdsourced Sigma Rules do detect the activity as suspicious.
As the malware is fileless and executed only in memory after going through several decryptions and decompression routines, it is more difficult to detect by antiviruses. In addition, its rootkit loads a fresh copy of ntdll.dll, which makes it harder to detect by Endpoint Detection & Response (EDR) solutions that hook into it to detect process injections.
Regarding the dynamic analysis, it is worth noting that some sandbox environments might fail to detect the RAT due to its utilization of several techniques to evade virtualization and sandbox detection mechanisms, and its string encryption of subsequent payloads.
The RAT employs anti-debugging techniques by leveraging Windows Management Instrumentation (WMI) to identify the system’s manufacturer. This enables it to identify virtualization environments such as VMware and abort the execution to delay and make the analysis harder. The RAT also checks for the presence of debuggers and uses pings to make the threads sleep.
Currently, most child processes and files dropped during the execution of the RAT have a low detection rate.
Execution analysis
When the malicious payload is delivered to the victim, commonly through a phishing email or a Discord channel, the victim often receives a ZIP file containing a benign file in plain sight, while the heavily obfuscated batch file is hidden and automatically executed when the archive contents are launched. The bat file format is always very similar and looks like the contents of Figure 4, followed by base64 encoded text later in the file.
Figure 4. Obfuscated bat script.
During the bat execution, the script extracts two separate binaries from the base64 encoded text, AES decrypts, and GZIP decompresses it to produce two separate byte arrays. These byte arrays are then used with .NET reflection to perform an in-memory load of the assembly from its bytes, locate the binary’s entry point, and perform an Invoke on both.
Throughout the decryption process, the attackers had the need to create a legitimate-looking folder to drop an illicit version of the System Configuration Utility msconfig.exe that is required later. For this purpose, the script creates the folder “C:\Windows \System32”, with a space after Windows, and deletes it as soon as the utility is running. If it were not for this file temporarily dropped to disk, the RAT would be fully fileless.
The execution of one of the above-mentioned binaries leads to another obfuscated binary carrying an embedded resource. This resource is hidden behind anti-sandboxing and debugger techniques, only to lead to more obfuscation and encryption techniques that lead to the final payload. This payload has been built using the GitHub project Costura, which allows SeroXen to pack the code’s dependencies into the .NET assembly so it can run self-contained.
Figure 5. Payload embedded resources.
The extraction of the resources leads to the final payloads. These take the form of two .NET assemblies, CSStub2.InstallStager.exe and CSStub2.UninstallStager.exe, and a Win32 binary called CSStub2.$sxr-nircmd.exe, which corresponds to the unmodified command-line utility NirCmd.
The payload InstallStager.exe is a compilation of the open-source rootkit named r77-rootkit – a fileless ring 3 rootkit written in .NET. This rootkit supports both x32 and x64 Windows processes and has the following features:
Fileless persistence: The rootkit is stored as obfuscated data in the registry and is spawned with PowerShell via Task Scheduler to be injected into the winlogon.exe process.
Child process hooking.
Option to embed additional malware to be executed with the rootkit – in this case NirCmd and/or Quasar. The added malware will be decompressed and decrypted before it is injected into other processes.
In-memory process injection: the rootkit injects itself and additional malware(s) into all processes. Injection is done from memory: no files need to be stored on disk.
Hooking: Hooks several functions from ntdll.dll to hide its presence.
Communicating via NamedPipe: The rootkit can receive a command from any running process.
Antivirus / EDR evasion: The rootkit uses several evasion techniques:
AMSI bypass: PowerShell inline script patches “amsi.dll!AmsiScanBuffer” to always return “AMSI_RESULT_CLEAN”.
DLL unhooking: Removes EDR hooks by loading a fresh copy of “ntdll.dll” from disk to avoid process hollowing detection
Hiding entities: Hides all entities whose names start with a configurable prefix, which in SeroXen’s case is “$sxr”. This prefix makes the attack harder to observe on the system, but eases attribution of the malware family during analysis. The prefix is used to hide files, directories, NamedPipes, scheduled tasks, processes, registry keys/values, and services.
The r77 technical documentation lists where the prefix is used:
Config parameter | Details | Example
HIDE_PREFIX | The prefix for name-based hiding (e.g. processes, files, etc.). | L"$sxr"
R77_SERVICE_NAME32 | Name for the scheduled task that starts the r77 service for 32-bit processes. | HIDE_PREFIX L"svc32"
R77_SERVICE_NAME64 | Name for the scheduled task that starts the r77 service for 64-bit processes. | HIDE_PREFIX L"svc64"
CHILD_PROCESS_PIPE_NAME32 | Name for the named pipe that notifies the 32-bit r77 service about new child processes. | L"\\.\pipe\" HIDE_PREFIX L"childproc32"
CHILD_PROCESS_PIPE_NAME64 | Name for the named pipe that notifies the 64-bit r77 service about new child processes. | L"\\.\pipe\" HIDE_PREFIX L"childproc64"
CONTROL_PIPE_NAME | Name for the named pipe that receives commands from external processes. | L"\\.\pipe\" HIDE_PREFIX L"control"
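As an added triage example (not code from the Alien Labs report or from the r77 project), the following Python composes the artifact names r77 derives from HIDE_PREFIX the way the table above concatenates them, and flags those names, together with the mock “C:\Windows \System32” directory described under Execution analysis, in a constructed host listing. The registry key form and the generalization to any path component with trailing whitespace are assumptions.

```python
# Added triage helper (not from the Alien Labs report or the r77 project).
# It composes the names r77 derives from HIDE_PREFIX, exactly as the config
# table concatenates them, and flags those names plus mock trusted directories
# in a listing exported from a host. All listings here are constructed samples.
from typing import Dict, List

SEROXEN_PREFIX = "$sxr"            # HIDE_PREFIX observed in SeroXen samples
PIPE_ROOT = "\\\\.\\pipe\\"        # the L"\\.\pipe\" part of the pipe names


def r77_artifact_names(prefix: str) -> Dict[str, str]:
    """Derive the scheduled-task, named-pipe and registry names for a prefix."""
    return {
        "R77_SERVICE_NAME32": prefix + "svc32",
        "R77_SERVICE_NAME64": prefix + "svc64",
        "CHILD_PROCESS_PIPE_NAME32": PIPE_ROOT + prefix + "childproc32",
        "CHILD_PROCESS_PIPE_NAME64": PIPE_ROOT + prefix + "childproc64",
        "CONTROL_PIPE_NAME": PIPE_ROOT + prefix + "control",
        # assumption: config key follows the HKLM\SOFTWARE\<prefix>config form
        "CONFIG_KEY": "HKEY_LOCAL_MACHINE\\SOFTWARE\\" + prefix + "config",
    }


def is_mock_trusted_dir(path: str) -> bool:
    """True when any path component carries trailing whitespace, e.g. the
    'Windows ' in C:\\Windows \\System32, which Win32 normally never creates
    (assumption: any trailing-space component is treated as suspicious)."""
    return any(part != part.rstrip() for part in path.split("\\"))


def triage(listing: List[str], prefix: str) -> Dict[str, List[str]]:
    """Flag entries whose last component starts with the prefix, note which of
    them are exact r77-derived names, and flag mock trusted directories."""
    names = set(r77_artifact_names(prefix).values())
    prefixed, exact, mock_dirs = [], [], []
    for entry in listing:
        base = entry.rsplit("\\", 1)[-1]
        if base.startswith(prefix):
            prefixed.append(entry)
            if entry in names:
                exact.append(entry)
        if is_mock_trusted_dir(entry):
            mock_dirs.append(entry)
    return {"prefixed": prefixed, "exact_r77_names": exact, "mock_dirs": mock_dirs}


# Constructed listing mixing task names, pipes, registry keys and file paths
SAMPLE_LISTING = [
    "\\\\.\\pipe\\$sxrcontrol",
    "\\\\.\\pipe\\$sxrchildproc64",
    "\\\\.\\pipe\\lsass",
    "$sxrsvc64",
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\$sxrconfig",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft",
    "$sxr-nircmd.exe",
    "C:\\Windows \\System32\\msconfig.exe",
    "C:\\Windows\\System32\\msconfig.exe",
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LISTING, SEROXEN_PREFIX).items():
        print(kind, hits)
```

Because the rootkit hooks ntdll.dll to hide prefixed names from the live system, feed the function listings gathered out of band (a parsed registry hive, scheduler or Sysmon logs, or a scan from external boot media) rather than the output of tools run on the suspect host.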
The two main components in this project are the InstallStager service and the Rootkit. The InstallStager service is responsible for:
Creating a registry key to store the malware code and writing it there as encrypted data.
Creating a scheduled task to execute the malware using PowerShell. PowerShell will decompress and decrypt the final payload (Service) that will be injected into the winlogon.exe process and executed via dllhost.exe using process hollowing techniques.
Figure 6. Starting payload after decryption using process hollowing.
Now the second and main stage of the Rootkit is ready to start. The service kicks off the load of the rootkit’s DLL that is embedded as a resource and saves its configuration as a registry key (in SeroXen’s case it is [HKEY_LOCAL_MACHINE\SOFTWARE\$sxrconfig]).
The service creates 3 listener threads:
NewProcessListener: Enumerates all running processes and injects the rootkit when new processes are created.
ChildProcessListener: Injects the rootkit to a newly created process by another process and updates the callee via NamedPipe.
Figure 7. Child process injection.
ControlPipeListener: Creates a NamedPipe to receive commands from any process. Supported commands are listed below:
Command | Details
CONTROL_R77_UNINSTALL | The control code that uninstalls r77.
CONTROL_R77_PAUSE_INJECTION | The control code that temporarily pauses injection of new processes.
CONTROL_R77_RESUME_INJECTION | The control code that resumes injection of new processes.
CONTROL_PROCESSES_INJECT | The control code that injects r77 into a specific process, if it is not yet injected.
CONTROL_PROCESSES_INJECT_ALL | The control code that injects r77 into all processes that are not yet injected.
CONTROL_PROCESSES_DETACH | The control code that detaches r77 from a specific process.
CONTROL_PROCESSES_DETACH_ALL | The control code that detaches r77 from all processes.
CONTROL_USER_SHELLEXEC | The control code that executes a file using ShellExecute.
CONTROL_USER_RUNPE | The control code that executes an executable using process hollowing.
CONTROL_SYSTEM_BSOD | The control code that triggers a BSOD.
CONTROL_R77_TERMINATE_SERVICE | The control code that terminates the r77 service.
The DLL rootkit carries out process injections, executes commands received by other processes, and keeps out of sight any sign of SeroXen being executed within the system.
Figure 8. System function hooking.
As a summary of the execution process:
Figure 9. SeroXen decryption flow.
Since Seroxen is based on QuasarRAT, the C&C server utilizes the same Common Name in their TLS certificate. The functionalities offered by the threat actor for the C&C server closely mirror those found in the Quasar Github repository, including support for TCP network streams (both IPv4 and IPv6), efficient network serialization, compression using QuickLZ, and secure communication through TLS encryption.
Figure 10. Quasar Server Certificate.
Conclusion
The SeroXen developer has found a formidable combination of free resources to develop a RAT that is hard to detect in both static and dynamic analysis. The use of an elaborate open-source RAT like Quasar, with almost a decade since its first appearance, makes an advantageous foundation for the RAT. The combination of NirCmd and r77-rootkit are logical additions to the mix, since they make the tool more elusive and harder to detect.
The Alien Labs team will continue to monitor the threat landscape for SeroXen samples and infrastructure.
Detection methods
The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.
SURICATA IDS SIGNATURES
2035595: ET TROJAN Generic AsyncRAT Style SSL Cert
2027619: ET TROJAN Observed Malicious SSL Cert (Quasar CnC)
Associated indicators (IOCs)
The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.
TYPE | INDICATOR | DESCRIPTION
SHA256 | 8ace121fae472cc7ce896c91a3f1743d5ccc8a389bc3152578c4782171c69e87 | Example malware hash
Mapped to MITRE ATT&CK
The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:
TA0002: Execution
T1053: Scheduled Task/Job
T1053.005: Scheduled Task
T1059: Command and Scripting Interpreter
T1059.003: Windows Command Shell
TA0003: Persistence
T1547: Boot or Logon Autostart Execution
T1547.001: Registry Run Keys / Startup Folder
TA0004: Privilege Escalation
T1548: Abuse Elevation Control Mechanism
T1548.002: Bypass User Account Control
TA0005: Defense Evasion
T1112: Modify Registry
T1553: Subvert Trust Controls
T1553.002: Code Signing
T1564: Hide Artifacts
T1564.001: Hidden Files and Directories
T1564.003: Hidden Window
TA0006: Credential Access
T1552: Unsecured Credentials
T1552.001: Credentials In Files
T1555: Credentials from Password Stores
T1555.003: Credentials from Web Browsers
TA0007: Discovery
T1016: System Network Configuration Discovery
T1033: System Owner/User Discovery
T1082: System Information Discovery
T1614: System Location Discovery
TA0008: Lateral Movement
T1021: Remote Services
T1021.001: Remote Desktop Protocol
TA0009: Collection
T1005: Data from Local System
T1056: Input Capture
T1056.001: Keylogging
T1125: Video Capture
TA0011: Command and Control
T1090: Proxy
T1095: Non-Application Layer Protocol
T1105: Ingress Tool Transfer
T1571: Non-Standard Port
T1573: Encrypted Channel
T1573.001: Symmetric Cryptography
References:
Seroxen webpage
Seroxen features
Quasar RAT
NirCmd – Windows command line tool (nirsoft.net)
R77-rootkit