Intelligints, a leading cybersecurity organization providing security-related services worldwide, today announced the identification of an advanced cyberattack that can go undetected in an IT environment. Intelligints’ SOC is publishing this research and its findings so that organizations and security teams are aware of this type of attack.
The attack begins with phishing email or with the compromise of unpatched Windows systems. The malware then uses iexplore.exe to request a file (2.91 KB) from an external IP address; the file contains root certificates and scripts that modify the Windows registry. The scripts walk the registry to enumerate the software installed on the target system and to locate credentials in the environment, then call system APIs to communicate with the external command server. Installing the attacker’s root certificate on the compromised system makes certificates issued under it appear trusted, so the command-and-control traffic is not flagged and the malware goes undetected by a number of EPP/EDR tools.
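The root-certificate install is the part of this chain a responder can check directly. The following PowerShell script is an added example and is not part of the Intelligints report or its tooling: it lists the machine and per-user Root stores and flags certificates that are absent from a baseline exported from a known-good build, were issued recently, have an unusually short validity period, or sit in a per-user store. The baseline path C:\IR\root-baseline.txt and the 90-day window are assumptions.

```powershell
# Added triage script (not Intelligints' tooling): flag root CA certificates worth a second look.
# Assumptions: Windows PowerShell 5.1 or later on the suspect host; $BaselinePath (hypothetical)
# is a text file of SHA-1 thumbprints exported from a known-good build of the same OS with
#   Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
function Get-SuspiciousRootCerts {
    param(
        [string]$BaselinePath = 'C:\IR\root-baseline.txt',   # hypothetical path
        [int]$RecentDays = 90
    )

    $baseline = @{}
    if (Test-Path $BaselinePath) {
        Get-Content $BaselinePath | ForEach-Object { $baseline[$_.Trim().ToUpper()] = $true }
    }

    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        foreach ($cert in Get-ChildItem $store) {
            $reasons = @()
            # Per-user root stores are rarely populated in a managed environment.
            if ($store -like '*CurrentUser*') { $reasons += 'user root store' }
            # Not present on the known-good reference build (only checked when a baseline exists).
            if ($baseline.Count -gt 0 -and -not $baseline.ContainsKey($cert.Thumbprint.ToUpper())) {
                $reasons += 'not in baseline'
            }
            # Public roots are years old; a root issued recently is unusual.
            if ($cert.NotBefore -gt (Get-Date).AddDays(-$RecentDays)) {
                $reasons += "issued within $RecentDays days"
            }
            # Root CAs normally have long lifetimes.
            if (($cert.NotAfter - $cert.NotBefore).TotalDays -lt 365) { $reasons += 'validity under 1 year' }

            if ($reasons) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

# Usage: review the findings, then export anything suspicious for offline analysis with
#   Export-Certificate -Cert (Get-Item Cert:\LocalMachine\Root\<thumbprint>) -FilePath .\suspect.cer
Get-SuspiciousRootCerts | Sort-Object Store, NotBefore -Descending | Format-Table -AutoSize
```

Certificates that a script drops into these stores land in the registry under HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint> (machine) or HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates\<thumbprint> (user), so those keys are also where to look for the registry writes described above.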
Details: “iexplore.exe” wrote bytes “4068bdf3fe070000” to virtual address “0xFF29BEA8” (part of module “OLE32.DLL”)
The malware then marks a memory region with PAGE_GUARD, as observed in Intelligints’ labs. This is an anti-debugging trick aimed at memory dumping: the first access to a guard page raises a one-shot STATUS_GUARD_PAGE_VIOLATION exception, so a debugger or dumping tool that touches the region either trips the exception or, by handling it itself, reveals its presence to the malware.
Details: “iexplore.exe” is protecting 8192 bytes with PAGE_GUARD access rights
Source: API Call
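To check a running process for a guarded region like the one in the sandbox output, the following PowerShell script is an added example (not Intelligints’ tooling) that walks a process’s address space with VirtualQueryEx and reports every committed region carrying PAGE_GUARD, with its size and backing type. Caveat: Windows itself places a guard page at the end of each thread’s stack, so one small MEM_PRIVATE hit per thread is normal; a larger guarded region in private or image memory is what warrants a closer look.

```powershell
# Added example (not Intelligints' tooling): list PAGE_GUARD-protected regions in a process.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run with enough privilege to
# open the target process (administrator for processes belonging to other users).
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class MemQuery {
    // MEMORY_BASIC_INFORMATION; sequential layout gives the right padding on x86 and x64.
    [StructLayout(LayoutKind.Sequential)]
    public struct MBI {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr process, IntPtr address, out MBI info, IntPtr length);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

function Get-GuardPageRegions {
    param([Parameter(Mandatory)][int]$ProcessId)

    $PROCESS_QUERY_INFORMATION = 0x0400
    $MEM_COMMIT = 0x1000
    $PAGE_GUARD = 0x100
    $typeNames  = @{ 0x20000 = 'MEM_PRIVATE'; 0x40000 = 'MEM_MAPPED'; 0x1000000 = 'MEM_IMAGE' }

    $h = [MemQuery]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $info = New-Object MemQuery+MBI
        $len  = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf([type][MemQuery+MBI])
        $addr = [IntPtr]::Zero
        while ([MemQuery]::VirtualQueryEx($h, $addr, [ref]$info, $len) -ne [IntPtr]::Zero) {
            if ($info.State -eq $MEM_COMMIT -and ($info.Protect -band $PAGE_GUARD) -ne 0) {
                [pscustomobject]@{
                    ProcessId = $ProcessId
                    Base      = '0x{0:X}' -f $info.BaseAddress.ToInt64()
                    Size      = $info.RegionSize.ToInt64()
                    Type      = $typeNames[[int]$info.Type]
                    Protect   = '0x{0:X}' -f $info.Protect
                }
            }
            # Advance to the next region; stop before wrapping past the end of user address space.
            $next = $info.BaseAddress.ToInt64() + $info.RegionSize.ToInt64()
            if ($next -le $addr.ToInt64()) { break }
            if ([IntPtr]::Size -eq 4 -and $next -gt 0x7FFFFFFF) { break }
            $addr = [IntPtr]$next
        }
    } finally {
        [void][MemQuery]::CloseHandle($h)
    }
}

# Usage: scan every iexplore.exe instance; the Size filter drops single-page stack guard pages.
Get-Process -Name iexplore -ErrorAction SilentlyContinue |
    ForEach-Object { Get-GuardPageRegions -ProcessId $_.Id } |
    Where-Object { $_.Size -gt 4096 } |
    Format-Table -AutoSize
```

Run the scanner from a PowerShell host of the same bitness as the target process so that the address range and structure layout match. Reading the flagged region with a memory dumper will itself trigger the guard, so record the base address and size first and take a full process dump rather than a partial read if the content is needed.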
Intelligints’ IDR team performed network traffic forensics on the communication and found outbound traffic from the compromised network to Tor hidden-service (“onion”) domains and to other domains used for command-and-control and code execution on victim systems.
Intelligints has identified the DLLs that were replaced on victim systems and recommends a careful approach to eradication so that the system is not corrupted in the process. Make sure up-to-date backups exist before starting. Clone the impacted system, replace the DLLs on the clone, and test business applications and functionality before repeating the procedure on the production system. Eradication requires both Administrator and SYSTEM privileges to write into the affected virtual address space, so proceed carefully.
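Before replacing anything, confirm which DLLs are actually off. The following PowerShell function is an added example, not the Intelligints eradication procedure: for the modules loaded by a named process it checks the Authenticode signature, flags files under the Windows directory that are unsigned, invalidly signed or not signed by Microsoft, and optionally compares SHA-256 hashes against a CSV (columns Path,Hash) exported from a clean reference system. The path C:\IR\clean-dll-hashes.csv is an assumption.

```powershell
# Added example (not the Intelligints eradication procedure): check the DLLs a process has
# loaded before deciding which ones to replace. Assumes Windows PowerShell 5.1 or later run
# as administrator, with the same bitness as the target process. The reference CSV
# (columns Path,Hash; SHA-256 from a clean build of the same OS version) is a hypothetical
# artifact produced with Get-FileHash on a known-good system.
function Get-SuspiciousModules {
    param(
        [Parameter(Mandatory)][string]$ProcessName,
        [string]$ReferenceHashPath = 'C:\IR\clean-dll-hashes.csv'   # hypothetical path
    )

    $reference = @{}
    if (Test-Path $ReferenceHashPath) {
        Import-Csv $ReferenceHashPath | ForEach-Object { $reference[$_.Path.ToLower()] = $_.Hash.ToUpper() }
    }
    $windir = $env:windir.ToLower()

    # Unique on-disk paths of every module mapped into any instance of the process.
    $paths = Get-Process -Name $ProcessName -ErrorAction Stop |
        ForEach-Object { $_.Modules } |
        Select-Object -ExpandProperty FileName -Unique

    foreach ($path in $paths) {
        $sig      = Get-AuthenticodeSignature -FilePath $path
        $hash     = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        $signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $inWindir = $path.ToLower().StartsWith($windir)
        $reasons  = @()

        # Valid covers both embedded and catalog signatures on Windows 8 and later.
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature $($sig.Status)"
        } elseif ($inWindir -and $signer -notmatch 'O=Microsoft Corporation') {
            $reasons += "Windows file signed by $signer"
        }

        # Compare against the clean reference when one is available for this path.
        $known = $reference[$path.ToLower()]
        if ($known -and $known -ne $hash) { $reasons += 'hash differs from clean reference' }

        if ($reasons) {
            [pscustomobject]@{
                Path    = $path
                SHA256  = $hash
                Signer  = $signer
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Usage: inspect the process named in the report, then review the list before touching any file.
Get-SuspiciousModules -ProcessName iexplore | Format-Table -AutoSize
```

On systems older than Windows 8, catalog-signed system files report NotSigned rather than Valid, so treat a NotSigned result on a Windows directory file there as a prompt to compare hashes against the reference rather than as proof of tampering.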
Intelligints LLC is a leading provider of Cybersecurity and Information Security services for enterprises concerned about their security posture. Intelligints offers a range of services covering penetration testing, code reviews, managed security services and 24x7x365 SOC, Incident Detection/Response and forensics. Intelligints approaches each customer’s security based on risk exposure/factor.
Intelligints is headquartered in Irvine, California. For more information, visit www.intelligints.com.