Threat Briefing — Nov 15, 2024

Weekly Threat Briefing - Nov 11 - Nov 15

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

Stealers Bypassing Chrome’s App-Bound Encryption

Bottom Line: In July of 2024, Google enabled App-Bound Encryption in the Chrome browser to prevent the theft of sensitive information. Multiple techniques are now being employed by a variety of information stealer malware families that reliably bypass the new security measure.

Information-stealing malware consistently threatens users' sensitive data, with browser cookies being one of the most targeted types of information. Cybercriminals seek to access these cookies to obtain user credentials. The Chrome 127 release introduced a new protection for Windows that strengthens the Data Protection API (DPAPI) with Application-Bound (App-Bound) Encryption. App-Bound Encryption ties the encrypted data to a specific application identity, ensuring that it is only accessible to that particular application and not to any other application running as the logged-in user.

On November 13th, Red Canary released a report detailing various methods used by infostealers to circumvent App-Bound Encryption. One of these tactics involves creating new instances of the browser with specific command-line options, often including flags that hide the browser window. This method has been observed in Phemedrone Stealer, Remcos RAT, Cryptbot, StealC, and Vidar. Some stealer malware families, such as StealC, Vidar, and Lumma Stealer, extract cookies directly from the memory of a Chromium browser using techniques from ChromeKatz. Stealers were also observed exfiltrating cookies from Chromium browsers by interacting with the elevated Chromium service via COM interfaces, which requires them to be in the same folder as the browser. Recent observations suggest that Medusa Stealer may have used this technique on newer Chromium versions. Certain malware, like Exela Stealer, manipulates Windows Registry settings to disable App-Bound Encryption, leveraging a Google Chrome policy setting.
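As an added illustration (not part of the eSentire briefing), the following Node.js detection logic flags the three bypass behaviours described above in constructed endpoint events: a hidden or debuggable Chrome instance spawned by an unusual parent, a foreign binary in Chrome's own directory, and the Chrome ApplicationBoundEncryptionEnabled enterprise policy being set to 0. The event shape, the sample events and the allowlist of Chrome binaries are assumptions to tune for your environment.

```javascript
// Added example, not from the eSentire briefing: flag the App-Bound Encryption bypass
// behaviours described above in (constructed) endpoint telemetry.
const HIDING_OR_DEBUG_FLAGS = ["--headless", "--window-position=-", "--remote-debugging-port"];
const CHROME_DIR = "c:\\program files\\google\\chrome\\application\\";
// Assumption: binaries expected in Chrome's directory; tune to your installed build.
const CHROME_BINARIES = new Set(["chrome.exe", "chrome_proxy.exe", "elevation_service.exe"]);
// Chrome enterprise policy that turns App-Bound Encryption off when set to 0.
const ABE_POLICY = "hklm\\software\\policies\\google\\chrome\\applicationboundencryptionenabled";

function classify(event) {
  const alerts = [];
  if (event.type === "process") {
    const image = event.image.toLowerCase();
    const name = image.slice(image.lastIndexOf("\\") + 1);
    const cmd = event.cmdline.toLowerCase();
    const parent = event.parent.toLowerCase();
    // Technique 1: a hidden or debuggable Chrome instance spawned by something other than the shell.
    if (name === "chrome.exe" && parent !== "explorer.exe" && HIDING_OR_DEBUG_FLAGS.some((f) => cmd.includes(f))) {
      alerts.push(`chrome launched hidden/debuggable by ${parent}`);
    }
    // Technique 2: a foreign binary dropped into Chrome's directory (e.g. zagent.exe) to reach the elevated service.
    if (image.startsWith(CHROME_DIR) && !CHROME_BINARIES.has(name)) {
      alerts.push(`unexpected binary in Chrome directory: ${name}`);
    }
  } else if (event.type === "registry" && event.path.toLowerCase() === ABE_POLICY && Number(event.value) === 0) {
    // Technique 3: App-Bound Encryption disabled through policy.
    alerts.push("App-Bound Encryption disabled by registry policy");
  }
  return alerts;
}

// Constructed sample events in a simplified EDR-style shape (not real telemetry).
const SAMPLE_EVENTS = [
  { type: "process", image: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", parent: "explorer.exe",
    cmdline: "chrome.exe --profile-directory=Default" },
  { type: "process", image: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", parent: "update.exe",
    cmdline: "chrome.exe --headless --window-position=-32000,-32000 --remote-debugging-port=9222" },
  { type: "process", image: "C:\\Program Files\\Google\\Chrome\\Application\\zagent.exe", parent: "svchost.exe",
    cmdline: "zagent.exe" },
  { type: "registry", path: "HKLM\\SOFTWARE\\Policies\\Google\\Chrome\\ApplicationBoundEncryptionEnabled", value: "0" },
];

// Returns one line per alert, tagged with the index of the event that raised it.
function scan(events) {
  return events.flatMap((e, i) => classify(e).map((a) => `event ${i}: ${a}`));
}

console.log(scan(SAMPLE_EVENTS).join("\n"));
```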

GenDigital released a report on November 13th, uncovering a new stealer malware dubbed “Glove Stealer”. The stealer was found to be distributed via phishing emails. Although the distribution tactic was common and the malware employed minimal obfuscation, it was distinctive in its use of the IElevator service to bypass App-Bound Encryption. To access Chrome's protected data, Glove Stealer bypasses App-Bound Encryption by requesting a small .NET payload from its Command-and-Control (C2) server. This payload, named zagent.exe, is downloaded and placed in Chrome's Program Files directory. After execution, it searches for the App-Bound Encryption key stored in the Local State file and retrieves it using a hardcoded string. The key is then Base64-decoded and saved in a file called chromekey.txt. The stealer then reports the successful bypass of App-Bound Encryption to the C2 server.

Researchers have observed stealer malware families bypassing Chrome's App-Bound Encryption since September 2024. Adversaries announced in mid-September that new versions of Lumma Stealer, Vidar, Meduza Stealer, Lumar Stealer, and WhiteSnake had successfully countered the encryption. The authors of the Rhadamanthys malware claimed it took them only 10 minutes to reverse the encryption. eSentire has detected multiple incidents where threat actors use social engineering tactics, such as phishing emails and ClickFix, to deliver infostealers.

eSentire Threat Intelligence Analysis:

Adversaries continue to evolve their tactics, experimenting with new ways to bypass emerging security features and the measures implemented by organizations to prevent abuse of their products. Combining new social engineering tactics such as ClickFix with new malware versions that possess enhanced capabilities highlights the evolution of attacker techniques and tactics. The ability of infostealer developers to bypass Chrome's App-Bound Encryption underscores the ongoing challenge of securing web sessions from hijacking.

Google plans to replace App-Bound Encryption with a new security feature called Device Bound Session Credentials (DBSC), designed to reduce the risk of account hijacking from cookie and credential theft. DBSC works by binding session credentials to a cryptographic key tied directly to the user's device. This ensures that even if session data, such as cookies, is stolen, it cannot be used on any device other than the one it originated from. The goal is to provide enhanced security by making stolen session data useless on unauthorized devices, even if intercepted.

Although threat actors may successfully bypass new security features, it is strongly recommended to update browsers to their latest versions to benefit from the most recent security patches and enhancements. Updating the browser provides an added layer of protection for sensitive data against less sophisticated infostealers. For better protection against stealer malware, it is essential to implement robust endpoint security and monitoring solutions with advanced detection capabilities to identify and block malicious activity.

The eSentire MDR suite has multiple detection rules in place to identify information stealer activity. The eSentire Threat Intelligence team has been tracking the evolving stealer malware families and developing new detection rules for better visibility and identification of the malicious activity. The eSentire Threat Intelligence team has published an advisory, “Lumma Stealer ClickFix Distribution”, and blogs such as “Fake Browser Updates delivering BitRAT and Lumma Stealer” and “Go Injector Leading to Stealers”, which focus on the stealer malware families’ tactics and techniques.

Citrix Vulnerabilities Disclosed

Bottom Line: Exploitation attempts are now confirmed for two recently disclosed Citrix vulnerabilities. Organizations using Citrix Virtual Apps and Desktops need to apply the relevant security patches immediately.

On November 12th, Citrix disclosed two separate vulnerabilities identified in Citrix Session Recording, which impacts multiple versions of Citrix Virtual Apps and Desktops. The vulnerabilities are tracked as CVE-2024-8068 (CVSS: 5.1) and CVE-2024-8069 (CVSS: 5.1). CVE-2024-8068 allows for privilege escalation “when an attacker is an authenticated user in the same Windows Active Directory domain as the session recording server domain”. CVE-2024-8069 may be exploited to achieve Remote Code Execution (RCE) “if the attacker is an authenticated user on the same intranet as the session recording server”. Security patches were released along with the disclosure; alternative mitigations are not available.

The vulnerabilities were discovered and reported to Citrix by WatchTowr. Researchers at WatchTowr have publicly disputed the description and criticality rating of the vulnerabilities. They claim that the vulnerabilities can be exploited by unauthenticated threat actors to execute code on the underlying Windows server hosting the Citrix applications, making them high value for initial access into victim organizations. In response to the public disclosure, WatchTowr released technical details and public Proof-of-Concept (PoC) exploit code.

eSentire has observed multiple exploitation attempts targeting CVE-2024-8069. In real-world attacks, threat actors successfully achieved RCE and attempted to establish a reverse shell for persistent access. All attempts to establish reverse shells have failed due to existing security appliances.

eSentire Threat Intelligence Analysis:

As exploitation attempts are ongoing, it is paramount that all organizations using Citrix Virtual Apps and Desktops apply the vendor-released security patches immediately. The release of PoC exploit code greatly simplifies the attack process for threat actors, making exploitation possible for even less skilled adversaries.

The debate surrounding whether these vulnerabilities can be exploited without prior authentication is ongoing. Based on an internal review of these vulnerabilities, the eSentire Threat Intelligence team assesses that threat actors would require internal network access to reach the Windows server hosting Citrix Virtual Apps and Desktops over port 1801 in order to exploit them. If the server hosting the Citrix applications is directly exposed to the Internet, authentication would not be required.

In response to the disclosure of these vulnerabilities, the eSentire Threat Intelligence team released an advisory on November 13th. Additionally, eSentire’s Tactical Threat Response (TTR) team created new detections for both eSentire MDR for Network and Endpoint. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices.

Fake North Korean IT Workers Linked to BeaverTail Video Conference App Phishing Attack

Bottom Line: North Korean APT groups are employing both fake interview campaigns and remote workers that function as insider threats to launch financially motivated attacks against a range of organizations. Both job seekers and organizations hiring remote staff are advised to remain vigilant to avoid this growing threat.

On November 14th, Unit42 released a report on an activity cluster dubbed CL-STA-0237, linked to North Korean IT workers leveraging fake identities and malware-infected video conferencing apps to conduct phishing attacks. Operating from Laos and other regions, this cluster exploited legitimate companies to secure jobs and conduct espionage activities. The threat actors targeted a U.S.-based Small and Medium Business (SMB) IT services company. Compromised data was then used to apply for other jobs and further infiltrate organizations. The shift of North Korean IT workers from direct income-seeking activities to more aggressive malware campaigns highlights the change in the group’s tactics.

The North Korean tactic of fraudulent job interviews, such as Contagious Interview, has evolved. Previously, attackers used npm (JavaScript package manager) packages to infect developers with BeaverTail and InvisibleFerret malware, but the updated approach uses video conferencing software installers as the primary delivery vector. Their main motive is to target a wider pool of job applicants, including those without specialized technical skills.

The CL-STA-0237 cluster compromised a U.S.-based SMB IT services company to apply for jobs and conduct the malware operations. They controlled multiple IT infrastructure and management accounts that belonged to the company and managed email accounts that mimicked the company owners. The threat actors created multiple fake identities and resumes, some of which included headshots that were possibly taken from a real individual involved in the operation. These resumes were used to deceive recruiters and gain access to job opportunities or deliver malware.

CL-STA-0237 secured employment at a major tech company in 2022, gaining access to sensitive systems, including SSO accounts. Unit42 established connections to the Wagemole campaign, in which North Korean IT workers used fake profiles to secure remote roles. Tracing CL-STA-0237's activities revealed the use of multiple Lao residential IP addresses, and analysis of the headshot photo produced evidence suggesting a threat actor's physical presence in Vientiane.

eSentire Threat Intelligence Analysis:

Successfully infiltrating major tech companies highlights the growing insider threat posed by fake IT workers. By creating realistic resumes and using fake or stolen identities, threat actors demonstrate the ability to impersonate legitimate job seekers. It is essential for organizations to strengthen the hiring screening process and implement robust monitoring to identify potential insider threats. Employees should be made aware of common lures and social engineering tactics, such as fake interviews.

A similar incident was reported on November 12th by researchers at ClearSky Cyber Security, who detailed a fraudulent job campaign dubbed “Dream Job”, attributed to the Iranian threat actor TA455. The campaign targeted the aerospace, aviation, and defense industries, aiming to distribute the SnailResin malware. This incident shares similarities with the North Korean APT activity described by Unit42, particularly in the use of social engineering tactics, in the form of fake job offers and impersonated profiles, which act as entry points to deliver malware. This may indicate a growing trend of sophisticated threat actors employing interview-type lures.

The geographical spread of these campaigns, from a North Korean operation based in Laos to Iranian attacks focused on Israel and Eastern Europe, highlights the motive of achieving global reach, as state-sponsored groups seek to expand their influence and gather intelligence across multiple regions.

Delivering malware at the beginning of job interviews expands the pool of potential victims beyond specific skill sets. Organizations should have endpoint protection software on all corporate devices, including workstations and servers, to detect and block malware before it is executed.

In response to the Unit42 report, eSentire’s Threat Intelligence team is performing indicator-based threat hunts and validating detection coverage. eSentire's Threat Intelligence team has previously published a TRU Positive blog on the BeaverTail malware, titled “Bored BeaverTail Yacht Club – A Lazarus Lure”. The eSentire Threat Response Unit (TRU) is investigating the topic for additional details and detection opportunities.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.