TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: While browser-based attacks have become the most common method for malware deployment in 2024, email remains a significant threat. Sophisticated threat actor groups like Cloud Atlas continue to find success with email-based attacks.
On December 23rd, Securelist released a report on the Cloud Atlas APT group and their use of a previously unseen malware dubbed VBCloud. Cloud Atlas, also known as Inception and Inception Framework, has been active since at least 2014. The group has heavily targeted organizations in Russia, the United States, and countries across Europe, Asia, Africa, and the Middle East. The group’s goal is data theft for espionage-related purposes. It is highly likely that Cloud Atlas is state-sponsored, but the group has not been attributed to a specific government at the time of writing.
Cloud Atlas’ most recent campaign began in August 2023 and has continued since, with samples observed as recently as September 2024. This campaign has impacted organizations in Russia, Belarus, Canada, Moldova, Israel, Kyrgyzstan, Vietnam and Turkey. In observed attacks, victims are targeted through phishing emails containing a malicious document that exploits a vulnerability in Microsoft Office’s formula editor (CVE-2018-0802). When opened, this document downloads a malicious template formatted as an RTF file from an attacker-controlled server. The downloaded RTF file contains a formula editor exploit that retrieves and executes an HTML Application (HTA) file hosted on the same Command-and-Control (C2) server. The HTA file results in deployment of VBShower, an advanced backdoor that probes the local network for vulnerabilities and facilitates further infiltration.
In recent attacks, VBShower has resulted in the deployment of a new backdoor, dubbed VBCloud. This new backdoor variant downloads and executes malicious plugins, communicates with cloud servers, and performs various system tasks. The updated attack chain now involves loading VBCloud via VBShower, which also downloads the PowerShower module. PowerShower is responsible for probing the local network and facilitating further infiltration, while VBCloud focuses on collecting system information and exfiltrating files of interest.
The infection chain consists of several stages and ultimately aims to steal data from victims’ devices. As highlighted in the report, phishing emails continue to be the initial access point. These emails often feature highly tailored content, weaponized attachments, or malicious links. Upon interaction, the victim unintentionally initiates the infection process. This campaign highlights the criticality of ensuring users are trained to identify and report suspicious or unexpected emails. Additionally, organizations should ensure that network monitoring and Endpoint Detection and Response (EDR) are deployed to identify malicious activity in the case that initial access is achieved. As CVE-2018-0802 has been public for approximately six years and is known to be exploited by various threat actor groups, organizations should prioritize patching.
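The first link in the chain above is a document that fetches its template from a remote server before any exploit code runs. That link is visible in the document itself: a .docx stores an attachedTemplate relationship, and a remote one carries TargetMode="External". The following script is an added example, not code from the eSentire briefing or from the Securelist report; it builds a constructed .docx in memory and inspects its relationship parts so the check can be wired into a mail gateway or sandbox. The URL, hostnames and file names are invented, and the .docx contains only the parts needed for the check.

```python
"""Flag Office documents whose template is resolved over the network.
Added example, not part of the eSentire briefing; sample values are constructed."""
import io
import zipfile
from typing import List, Optional
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return the Target of every attachedTemplate relationship marked
    TargetMode="External", i.e. fetched from elsewhere when the file opens."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts can carry the link
            root = ET.fromstring(zf.read(name))
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == TEMPLATE_REL
                        and rel.get("TargetMode") == "External"):
                    hits.append(rel.get("Target"))
    return hits


def triage(docx_bytes: bytes) -> str:
    """One-word verdict suitable for a gateway rule."""
    targets = find_remote_templates(docx_bytes)
    if any(t.lower().startswith(("http://", "https://")) for t in targets):
        return "remote-template"
    if targets:
        return "external-template"  # UNC or file path; still worth a look
    return "clean"


def build_docx(template_target: Optional[str], external: bool = True) -> bytes:
    """Construct a minimal .docx (test fixture, not a real document) carrying
    only the relationship part this check reads."""
    rels = [f'<Relationships xmlns="{REL_NS}">']
    if template_target:
        mode = ' TargetMode="External"' if external else ""
        rels.append(f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
                    f'Target="{template_target}"{mode}/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample URL in the 203.0.113.0/24 documentation range.
    sample = build_docx("http://203.0.113.5/templates/invoice.dotm")
    print(find_remote_templates(sample), triage(sample))
```

A template stored inside the document (no TargetMode) is normal and is left alone; only an external target is reported, and an HTTP(S) target is the case that matches the behaviour described in the report.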
Cloud Atlas is a highly sophisticated group. The introduction of VBCloud matches the group’s known tradecraft. It is almost certain that Cloud Atlas will continue to invest resources into the creation of new malware variants to enable future campaigns.
In response to the release of this report, the eSentire Threat Intelligence team has performed indicator-based threat hunting and is investigating new detection opportunities. eSentire MDR for Network maintains a variety of detections for Cloud Atlas, including the PowerShower module. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify CVE-2018-0802.
Bottom Line: Threat actors from the Democratic People's Republic of Korea (DPRK) continue to evolve the malicious Contagious Interview campaign targeting software developers with the inclusion of new backdoor malware.
On December 24th, NTT Security Japan released a report detailing recent developments in the Contagious Interview campaign, revealing a new malware strain known as OtterCookie. The malware was identified as a result of incidents investigated by the NTT Security Operations Center (SOC).
The Contagious Interview campaign, tracked as CL-STA-0240 by Palo Alto’s Unit 42, has been active since early December 2022. Unit 42’s report linked the campaign to state-sponsored threat actors associated with the Democratic People’s Republic of Korea (DPRK). The campaign uses job lures to target software developers, with attackers posing as potential employers from legitimate AI, cryptocurrency, and NFT-related companies or recruitment agencies through job search platform ads. The attackers deploy an information stealer called BeaverTail and a Python backdoor named InvisibleFerret on the victim's device.
BeaverTail is an information stealer delivered via a malicious NPM package posing as a legitimate application on GitHub. The attackers lure victims into installing the malicious package as part of the interview process; when launched, it deploys BeaverTail on the victim’s device. BeaverTail targets cryptocurrency wallets and credit card information stored in the victim's web browsers and acts as a loader for InvisibleFerret. In the next phase, the InvisibleFerret backdoor provides remote control to the attackers, enabling fingerprinting, keylogging, and data exfiltration. It also has browser data-stealing capabilities and can install AnyDesk to facilitate further remote malicious activities.
In the recent incidents investigated by the SOC at NTT Security Japan, the Contagious Interview campaign utilized a new backdoor malware called OtterCookie, alongside BeaverTail and InvisibleFerret. OtterCookie-related activity was first identified in September 2024. The campaign followed a similar lure tactic, where victims downloaded a malicious NPM package. The JavaScript (JS) within the NPM package deployed both OtterCookie and BeaverTail simultaneously. The OtterCookie backdoor was observed to establish a connection with the Command-and-Control (C2) server, steal cryptocurrency wallet keys, and extract clipboard information from the victims.
Unit 42’s other report on the Contagious Interview campaign disclosed that in July 2024, the campaign began using a new version of the BeaverTail information stealer. Previously, a JavaScript (JS) variant of BeaverTail had been used. The new Qt-based variant featured cross-platform capabilities, targeting cryptocurrency wallets on both Windows and macOS devices. The new backdoor, OtterCookie, also displayed variations between the versions seen in September 2024 and those observed in November 2024. Throughout the campaign, the malware used to carry out the attacks has undergone continuous updates.
Since the onset of the Contagious Interview campaign, the threat actors have consistently experimented with the malware employed, introducing a new version of BeaverTail in July 2024 and now utilizing the new backdoor, OtterCookie. Given that these threat actors are financially motivated and continue to evolve their attack methods, it is highly likely that the Contagious Interview campaign will persist. This ongoing adaptation suggests that organizations should remain vigilant and continue to enhance their security measures to defend against emerging threats.
The Contagious Interview campaign exploits job-market sentiment for financial gain. The campaign utilizes a set of sophisticated malware such as BeaverTail and InvisibleFerret and is developing new functional malware like OtterCookie to steal victim information. This suggests that the North Korean threat actors are capable of crafting effective social engineering campaigns as well as developing advanced malware. To mitigate the risk of compromise via such ever-evolving campaigns, organizations should implement robust monitoring and detection solutions and enforce strict policies that permit software downloads only from trusted sources. Implementation of phishing awareness training in organizations can significantly reduce the risk of falling victim to malicious campaigns such as the Contagious Interview campaign.
eSentire MDR Product Suite has a variety of detections in place to identify activities associated with BeaverTail and InvisibleFerret. eSentire's Threat Intelligence team has published two TRU Positive blogs on the BeaverTail malware, titled “Bored BeaverTail Yacht Club – A Lazarus Lure” and “Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2”. The eSentire Threat Intelligence team is performing threat hunts based on related Indicators of Compromise (IoCs) and is evaluating OtterCookie for detection opportunities.
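The lure in this campaign is a package the candidate is asked to run, and the download policy recommended above is easier to enforce when the package is inspected before `npm install` executes anything. The script below is an added example, not code from the eSentire briefing, NTT Security Japan or Unit 42: it audits a package directory for install-time lifecycle hooks and for JavaScript files carrying indicators commonly seen in loaders (eval, child_process, long base64 blobs, runs of hex escapes). The sample package it writes is constructed and benign; the indicator patterns are assumptions about loader style, not a description of BeaverTail or OtterCookie.

```python
"""Audit an npm package on disk before installing it.
Added example, not part of the eSentire briefing; the sample package is constructed."""
import base64
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Hooks npm runs automatically during `npm install`
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Crude indicators; each is an assumption about loader style, not a hard rule
PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "child_process": re.compile(r"""require\(\s*['"]child_process['"]\s*\)"""),
    "long_base64": re.compile(r"""['"][A-Za-z0-9+/]{200,}={0,2}['"]"""),
    "hex_escapes": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
}


def audit_package(pkg_dir: Path) -> Dict[str, dict]:
    """Collect install-time hooks from package.json and indicator hits per .js file."""
    findings: Dict[str, dict] = {"lifecycle_scripts": {}, "suspicious_files": {}}
    manifest = json.loads((pkg_dir / "package.json").read_text())
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings["lifecycle_scripts"][hook] = cmd
    for js in sorted(pkg_dir.rglob("*.js")):
        text = js.read_text(errors="replace")
        hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
        if hits:
            findings["suspicious_files"][js.relative_to(pkg_dir).as_posix()] = hits
    return findings


def risk_level(findings: Dict[str, dict]) -> str:
    """An install hook plus obfuscation-style code is the combination that
    runs attacker code the moment `npm install` finishes."""
    hooks, files = findings["lifecycle_scripts"], findings["suspicious_files"]
    if hooks and files:
        return "high"
    if hooks or files:
        return "medium"
    return "low"


def build_sample_package(root: Path) -> Path:
    """Write a constructed package that trips the checks. Not a real package."""
    pkg = root / "sample-pkg"
    (pkg / "lib").mkdir(parents=True)
    (pkg / "package.json").write_text(json.dumps({
        "name": "sample-pkg", "version": "1.0.0",
        "scripts": {"postinstall": "node lib/setup.js", "test": "jest"},
    }))
    (pkg / "index.js").write_text('module.exports = () => "hello";\n')
    blob = base64.b64encode(b"x" * 200).decode()  # stands in for an encoded payload
    (pkg / "lib" / "setup.js").write_text(
        'const cp = require("child_process");\n'
        f'const blob = "{blob}";\n'
        'console.log(Buffer.from(blob, "base64").length, cp.execSync("node -v").toString());\n'
    )
    return pkg


def run_demo() -> Tuple[dict, str]:
    """Build the constructed package in a temp dir, audit it, return the verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = audit_package(build_sample_package(Path(tmp)))
    return findings, risk_level(findings)


if __name__ == "__main__":
    print(run_demo())
```

Run `audit_package` against an unpacked tarball (`npm pack` then extract) rather than after installation, so the postinstall hook never gets a chance to execute; a "high" verdict is a reason to stop, not a reason to read the code on the same machine.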
Bottom Line: The CL0P data extortion group has begun extorting organizations breached via recently disclosed Cleo Managed File Transfer (MFT) vulnerabilities.
The CL0P data extortion group began to extort victims recently breached via the critical Cleo Managed File Transfer vulnerabilities CVE-2024-50623 and CVE-2024-55956. The CL0P group claimed responsibility for recent attacks exploiting these vulnerabilities in an interview with BleepingComputer on December 15th, but did not share evidence of the breach at that time.
CVE-2024-50623 (CVSS: 8.8) was disclosed in October 2024, and exploitation was confirmed in early December by Huntress Labs. Exploitation of the vulnerability could enable a remote and unauthenticated threat actor to execute code. On December 13th, Cleo disclosed CVE-2024-55956 (CVSS: 9.8), a vulnerability that allows an unauthenticated user to import and execute arbitrary Bash or PowerShell commands on the host system. CVE-2024-55956 and CVE-2024-50623 are similar, as both are unauthenticated file write vulnerabilities that enable code execution in Cleo Harmony, VLTrader, and LexiCom, but the vulnerabilities are due to separate issues in the Synchronization endpoint.
CL0P exploited these vulnerabilities in order to steal data from victim organizations and demand an extortion fee for the deletion of the data. To date, CL0P has posted the partial names of sixty-six organizations they claim to have breached. According to CL0P, listed organizations did not respond to negotiation messages. Full unredacted victim names will be posted if these organizations do not contact CL0P via a private messaging service. To date, only one unredacted victim name is included on the CL0P leak site; this is the supply chain management company Blue Yonder. Blue Yonder has confirmed their use of Cleo software but has not shared any information on the attack. This breach occurred only two weeks after Blue Yonder was impacted by Termite ransomware, which led to outages for Blue Yonder customers including Starbucks, BIC, and several supermarket brands. At this time, CL0P and Termite ransomware are not believed to be related.
Security patches to address both CVE-2024-50623 and CVE-2024-55956 are available; as exploitation is ongoing, it is critical that organizations using Cleo products update to Cleo Harmony, VLTrader, and LexiCom versions 5.8.0.24 or higher.
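Confirming that every Cleo host is at 5.8.0.24 or higher is an inventory question, and a common mistake when answering it is comparing version strings as text, where "5.8.0.3" sorts above "5.8.0.24". The script below is an added example, not code from the eSentire advisory or from Cleo: the product names and the 5.8.0.24 threshold come from the briefing, while the inventory rows and hostnames are constructed.

```python
"""Check an asset inventory against the Cleo fixed version named in the advisory.
Added example, not part of the eSentire briefing; inventory rows are constructed."""
from typing import List, Tuple

FIXED_VERSION = "5.8.0.24"  # from the briefing: 5.8.0.24 or higher is patched
CLEO_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}


def parse_version(version: str) -> Tuple[int, ...]:
    """'5.8.0.24' -> (5, 8, 0, 24). Tuples compare numerically, which is the
    point: as strings, '5.8.0.3' > '5.8.0.24' and that host would be missed."""
    return tuple(int(part) for part in version.strip().split("."))


def needs_patch(product: str, version: str) -> bool:
    """True for an affected Cleo product below the fixed version."""
    return product in CLEO_PRODUCTS and parse_version(version) < parse_version(FIXED_VERSION)


def hosts_needing_patch(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Filter (hostname, product, version) rows down to hosts still exposed."""
    return [host for host, product, version in inventory if needs_patch(product, version)]


# Constructed inventory: (hostname, product, version); hostnames are placeholders
INVENTORY = [
    ("mft-01.example.test", "Harmony", "5.8.0.21"),
    ("mft-02.example.test", "VLTrader", "5.8.0.24"),
    ("mft-03.example.test", "LexiCom", "5.8.0.3"),
    ("mft-04.example.test", "Harmony", "5.8.0.25"),
    ("sftp-01.example.test", "OtherVendorMFT", "1.2.3"),
]

if __name__ == "__main__":
    print(hosts_needing_patch(INVENTORY))
```

The version check only tells you a host was exposed; because exploitation was already under way before the patch shipped, hosts that report a version below the threshold should also be reviewed for signs of compromise, not just updated.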
CL0P has a long history of executing similar extortion campaigns. In 2020, the group exploited a zero-day vulnerability in the Accellion File Transfer Application to steal victim data. Data theft attacks were also carried out in 2021 and 2023 via vulnerabilities in SolarWinds Serv-U FTP, GoAnywhere MFT, and MOVEit MFT. According to public reporting, the MOVEit campaign impacted over 2,700 organizations and led to between $75 and $100 million USD in extortion payments.
While CL0P currently lists sixty-six victims on their leak site, there is a high probability that more organizations were impacted in this campaign. CL0P has only listed victims that failed to start the negotiation process, meaning that organizations that did engage with the group are not listed on the site at this time. CL0P has not shared a deadline for when victim data will be released, but it is expected in the near future. Paying a ransom or extortion demand does not guarantee that data will be deleted by cybercriminals. CL0P may choose to sell stolen data after receiving the extortion payment to “double monetize” breaches; as such, the FBI has publicly recommended that organizations do not pay ransom or extortion demands.
In response to the disclosure of attacks exploiting Cleo vulnerabilities, eSentire published an advisory on December 10th. eSentire’s Tactical Threat Response (TTR) team has crafted new detections for both eSentire MDR for Network and Endpoint, and threat hunts have been performed across the eSentire customer base. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to both CVE-2024-55956 and CVE-2024-50623.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.