Cyber threats of the past 30 days as seen by Gatewatcher's CTI analysts
Identified Indicators of Compromise (IOCs)
Identified compromise reports
Highlight of the month
This month’s spotlight follows a recent warning communication sent out to our users about the Follina vulnerability.
In late May, a new vulnerability targeting the Microsoft Support Diagnostic Tool (MSDT) was discovered. The CVE-2022-30190, better known as Follina, allows remote Powershell command execution from a Word document or a Rich Text Format (RTF) file with very little user interaction. It seems similar to CVE-2021-40444, where a malicious Word document loads an inline HTML template that will allow the attacker to launch an executable.
The MSDT tool is used to automatically collect diagnostic information and send it to Microsoft. It can be called from other applications through the special MSDT URL protocol. The arbitrary code executed by the attacker will have the privileges of the application that called MSDT, in this case the rights of the user who opened the malicious file.
To date, we still see active exploitation of this vulnerability: by hacker groups like APT28 or TA570, which use it to install Qakbot, or the DCRat malware that recently targeted Ukraine, or AsyncRat in Australia.
On June 14th Microsoft released several patches to fix this vulnerability, you can find the list here in the “Security Updates” section. We strongly advise to apply the latest updates and patches available.
common vulnerabilities & exposures
Definition of the month
A packer is a software aiming at modifying a binary without changing its executed code, for various purposes.
Legitimate packers are often used to reduce an executable size: the original binary data are zipped inside a section, and then unzipped in memory at runtime. Packer can also be legitimately used to protect intellectual property by complexifying reverse engineering. Malware use packer mainly to avoid detection. Given a well-known payload (detected by every antivirus), a malicious packer will produce another binary, containing and running said payload, which will not be detected by any antivirus software.
Before extracting its payload, a malicious packer typically takes steps to complexify its analysis: anti-debug, anti-VM, anti-sandbox, encryption and process injections techniques are often used by packer to check their environment and protect their payload. A typical malicious payload doesn’t contain any technique to hide itself, this task is often completely left to the packer, which can easily be changed. There are numerous packer used by malicious actors, some of them based on open source legitimate tool, as UPX.
The process of retrieving the payload stored inside a packed file is called unpacking. It can be a time consuming and complex process, and its automation is still to this a day subject to active research and development efforts.
About the cyber threats barometer
Malware, zero-day vulnerabilities, advanced persistent threats, industries and sectors particularly targeted, weak signals of emerging attacks…It’s no secret that knowledge of one’s adversary is a key factor for the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected in the previous month by LastInfoSec, Gatewatcher’s Cyber Threat Intelligence (CTI) platform.
LastInfoSec’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources from multiple channels: social networks, specialized sites, dark and deep web. They make threat information available an average of 24 hours in advance of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident treatment times.