This week counted two wins for the FBI in the fight against malicious activities orchestrated by cybercriminals and state-sponsored hackers.
First, the Bureau dismantled an extensive cybercrime operation revolving around the Warzone remote access trojan (RAT). Daniel Meli, a 27-year-old Maltese resident linked to the operation, was arrested for his role in spreading the malware. Warzone RAT was first created in 2018 and is often seen in attacks involving hidden remote desktops, keylogging, reverse proxies, remote shells, UAC bypassing, as well as cookie and password theft.
Meli’s arrest and the seizure of Warzone RAT’s primary website warzone[.ws] is the result of transnational cooperation between Maltese authorities and the U.S. DoJ. He faces 15 years in prison under the charges of unauthorized damage to protected computers, the illegal sale and advertisement of electronic interception devices, and conspiring to commit various computer intrusion offenses.
Just days later, the FBI announced the success of Operation Dying Ember, a court-ordered effort that took down a botnet comprising Ubiquiti Edge OS routers infected with Moobot malware. The malware was reportedly operated by Russia’s Main Intelligence Directorate of the General Staff (GRU), also tracked as APT28 or Fancy Bear.
The GRU’s use of pre-existing malware like Moobot speaks to blurred lines between cybercriminal and state-sponsored tactics, challenging traditional threat detection methods. In this case, the GRU hackers had leveraged the malware and effectively repurposed the botnet to deploy their own custom cyber espionage tool. FBI agents have since countered the hackers by using Moobot to delete stolen data, malicious files, and the malware itself before blocking remote access that would have allowed GRU operations to reinfect the routers.
RansomHouse has recently introduced a new tool called ‘MrAgent’, designed to automate the deployment of its data encrypter across multiple VMware ESXi hypervisors. The ransomware-as-a-service (RaaS) operators have been known to target large organizations and high-value victims since its inception in March of 2022. ESXi servers are a prime target for ransomware groups due to their role in hosting virtual computers that often hold valuable data and critical business applications, amplifying the impact of attack.
Based on latest research reports, MrAgent streamlines RansomHouse’s attacks on ESXi systems by identifying host systems, disabling firewalls, and automating ransomware deployment across multiple hypervisors simultaneously. This tool supports custom configurations received from the command-and-control (C2) server, allowing for tailored ransomware deployment and execution of local commands on the hypervisor. It works by minimizing the chances of detection while targeting all reachable virtual machines (VMs) at once to increase the impact of the attack campaign.
Threat actors will continue to focus on automating their tactics to conduct faster, more effective campaigns. For example, SentinelLabs this week identified threat actors moving workloads previously handled by traditional web servers to the cloud in order to bulk send SMS messages through SNS Sender, a Python script that uses AWS Simple Notification Service (SNS) for the purpose of spamming phishing links.
For threat actors, automation enables them to scale their operations and rapidly deploy attacks. This helps maximize their chances of success, streamline their time and resources, and maintain consistency across attack campaigns. By automating repetitive tasks, threat actors are also able to devote more time to developing sophisticated attack techniques and novel ways of evading detection.
A zero-day vulnerability (CVE-2024-21412) that bypasses Microsoft Defender SmartScreen is under active exploitation by an advanced persistent threat (APT) actor called Water Hydra (aka DarkCasino). In a report this week, cybersecurity researchers revealed the threat actor’s tactics currently focused on leveraging the flaw to distribute the DarkMe malware.
I found a 0-Day, marked as CVE-2024-21412, reported to @MsftSecIntel in Microsoft Defender SmartScreen being exploited in-the-wild. This security bypass is part of a Water Hydra (DarkCasino) campaign targeting financial traders. #patchtuesday #microsoft https://t.co/LDVNm0GmEw
— Peter Girnus (@gothburz) February 13, 2024
CVE-2024-21412 revolves around the processing of Internet Shortcut Files (.url
) and a technology called ‘Mark of the Web’ (MOTW). Applications that download files from the internet are supposed to tag them with the MOTW attribute to indicate their origin. When these files are executed, the presence of the MOTW attribute tells Windows Defender SmartScreen to alert users if the file is potentially malicious or to take other security measures. Water Hydra attackers discovered that the MOTW attribute is not attached to a file when it is executed through a series of shortlinks, and thus the file bypasses examination by Windows Defender SmartScreen.
The attack campaign currently targets financial market traders by spreading malicious internet shortcut files via forex trading forums and Telegram channels. Using social engineering tactics, Water Hydra tricks victims into executing the malware, which comes equipped with capabilities for further exploitation and data exfiltration. The attackers then deliver DarkMe malware, a Visual Basic trojan, which downloads and executes additional instructions after registering with a command-and-control (C2) server. DarkMe enables Water Hydra attackers to create and delete folders, execute shell commands, and enumerate folder content.
In a previous attack campaign, Water Hydra exploited CVE-2023-38831, another high-severity vulnerability (CVSS score: 7.8) in the WinRAR software, to install malware and breach online cryptocurrency trading accounts.
These campaigns underscore Water Hydra’s adeptness at discovering and exploiting zero-day vulnerabilities and emphasizes the fact that a tight relationship between security software and the OS vendor is a weak point that threat actors continue to exploit.