May 30, 2024

AI Threat Scenario, GuLoader, DarkGate, MirrorBlast, Kutaki Stealer and More – Hacker’s Playbook Threat Coverage Round-up: May 2024

In this version of the Hacker’s Playbook™ Threat Coverage round-up, we are highlighting attack coverage for newly discovered or analyzed threats, including a newly created scenario that leverages AI Generated malware. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook to ensure coverage against these advanced threats. Additional details about the threats and our coverage can be seen below. 

NEW SafeBreach Scenario – AI Generated Malware

This new scenario highlights another SafeBreach product and SafeBreach Labs innovation. This new scenario simulates a full kill-chain progression of a generic ransomware created using an artificial intelligence (AI) chatbot. This scenario includes attacks that mimic host-level actions, malware transfer and email attachments allowing organizations to protect themselves against AI-generated malware. 

AI Threat Scenario

Attacks Included in the NEW AI Generated Malware Scenario

  • #10328 – Write AI Generated ransomware to disk (HOST_LEVEL) 
  • #10329 – Pre-execution phase of AI Generated ransomware (Windows) (HOST_LEVEL) 
  • #10330 – Transfer of AI Generated ransomware over HTTP/S (LATERAL_MOVEMENT) 
  • #10331 – Transfer of AI Generated ransomware over HTTP/S (INFILTRATION) 
  • #10332 – Email AI Generated ransomware as a compressed attachment (LATERAL_MOVEMENT) 
  • #10333 – Email AI Generated ransomware as a compressed attachment (INFILTRATION) 

GuLoader Malware: What You Need to Know

McAfee Labs researchers recently came across an email campaign delivering the GuLoader malware via a malicious Scalable Vector Graphics (SVG) file. GuLoader is a sophisticated malware loader known for its stealth and its ability to evade organizational defenses. GuLoader uses polymorphic code, altering its own structure so that traditional antivirus (AV) software and intrusion detection systems (IDS) have difficulty detecting it. This capability also helps it maintain persistence on the network, gain access to networks, and stage itself for further malicious activity. 

According to the researchers, the infection begins when the malicious SVG file is opened from an email attachment. This triggers the browser to download a zip file containing a Windows Script File (WSF). Executing the WSF file runs a PowerShell command that establishes a connection to a malicious domain. Shellcode is then injected into the MSBuild application to carry out further malicious actions. After injection, the shellcode performs an anti-analysis check, then modifies a Registry Run key to achieve persistence. In the final stage, the injected shellcode downloads and executes the final malicious executable. GuLoader can also download and deploy a wide range of other malware variants.
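The chain described above (script host spawning PowerShell, PowerShell spawning MSBuild, and the injected code then writing a Run key) is what endpoint telemetry would record. The following detection logic is an added example, not SafeBreach's code; it matches that chain over constructed process-creation and registry events, and the ProcEvent/RegEvent shapes and sample paths are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path of the executable

@dataclass(frozen=True)
class RegEvent:
    pid: int    # process that performed the write
    key: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
RUN_KEY = r"\software\microsoft\windows\currentversion\run"

def _base(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_guloader_chain(procs, regs):
    """Return (script_host_pid, powershell_pid, msbuild_pid) for every chain in
    which a script host spawned PowerShell, PowerShell spawned MSBuild, and
    that MSBuild process then wrote under a Run key (the persistence step)."""
    by_pid = {p.pid: p for p in procs}
    run_writers = {r.pid for r in regs if RUN_KEY in r.key.lower()}
    hits = []
    for p in procs:
        if _base(p.image) != "msbuild.exe" or p.pid not in run_writers:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None or _base(parent.image) not in POWERSHELL:
            continue
        grand = by_pid.get(parent.ppid)
        if grand is not None and _base(grand.image) in SCRIPT_HOSTS:
            hits.append((grand.pid, parent.pid, p.pid))
    return hits

# Constructed sample telemetry (not real indicators): one matching chain plus a
# benign build where Visual Studio runs MSBuild and writes an unrelated key.
SAMPLE_PROCS = [
    ProcEvent(200, 1, r"C:\Windows\System32\wscript.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(400, 300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
    ProcEvent(500, 1, r"C:\Program Files\Microsoft Visual Studio\devenv.exe"),
    ProcEvent(600, 500, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
]
SAMPLE_REGS = [
    RegEvent(400, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    RegEvent(600, r"HKCU\Software\Microsoft\VisualStudio\17.0"),
]
```

The benign MSBuild run (pid 600) is excluded both because its parent is not PowerShell and because it never touches a Run key, which keeps the rule from firing on ordinary developer builds.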

SafeBreach’s Coverage of GuLoader Malware

The SafeBreach platform was updated with the following new attacks to ensure our customers can validate their security controls against this malware variant:

  • #10069 – Write GULoader (svg) (9b60c0) loader to disk (HOST_LEVEL) 
  • #10070 – Transfer of GULoader (svg) (9b60c0) loader over HTTP/S (LATERAL_MOVEMENT) 
  • #10071 – Transfer of GULoader (svg) (9b60c0) loader over HTTP/S (INFILTRATION) 
  • #10072 – Email GULoader (svg) (9b60c0) loader as a compressed attachment (LATERAL_MOVEMENT) 
  • #10073 – Email GULoader (svg) (9b60c0) loader as a compressed attachment (INFILTRATION) 

Kutaki Stealer: What You Need to Know

A security operations team from SEQURETEK noticed an abnormal email communication while monitoring their XDR for a managed client. This email included a flagged malicious IP address, and further analysis revealed it as a phishing email. The phishing email contains a PDF file and asks the receiver to open the attachment to confirm receipt of a payment. 

Upon opening and extracting the attachment, a malicious command (cmd) file is executed that carries the Kutaki information-stealing malware. The Kutaki infostealer is designed to infiltrate victim computers with extreme stealth. It leverages old-school techniques to detect vulnerability management tools, sandboxes, and malware debugging tools, and its built-in mechanisms allow it to terminate the detection and debugging processes it finds. Kutaki also acts as a keylogger that captures keystrokes and mouse movements, allowing it to harvest user credentials and send all captured user information to the attacker. 

SafeBreach’s Coverage of Kutaki Stealer

The SafeBreach platform was updated with the following new attacks to ensure our customers can validate their security controls against this infostealer variant: 

  • #10084 – Write kutaki dacic (86ff31) infostealer to disk (HOST_LEVEL) 
  • #10085 – Pre-execution phase of kutaki dacic (86ff31) infostealer (Windows) (HOST_LEVEL) 
  • #10086 – Transfer of kutaki dacic (86ff31) infostealer over HTTP/S (LATERAL_MOVEMENT) 
  • #10087 – Transfer of kutaki dacic (86ff31) infostealer over HTTP/S (INFILTRATION) 
  • #10088 – Email kutaki dacic (86ff31) infostealer as a compressed attachment (LATERAL_MOVEMENT) 
  • #10089 – Email kutaki dacic (86ff31) infostealer as a compressed attachment (INFILTRATION) 

DarkGate Trojan Malware: What You Need to Know

Zero Day Initiative researchers recently discovered a campaign that leveraged the DarkGate trojan and exploited CVE-2024-21412 through fake software installers. Victims were lured via PDF files that led them to malicious websites hosting an exploit for the Microsoft Windows SmartScreen bypass vulnerability CVE-2024-21412, eventually leading them to malicious Microsoft Installer (.MSI) packages. 

These fake and malicious MSI installers contained a sideloaded DLL that decrypted and deployed the DarkGate malware payload. DarkGate typically operates on a malware-as-a-service (MaaS) model and is one of the most prolific, sophisticated, and active strains of malware. Threat actors have used this strain to target financial organizations across North America, Europe, Asia, and Africa. 

To initiate the DarkGate infection chain, the threat actors embed an open redirect via the doubleclick[.]net domain inside a PDF file served by the phishing campaign. When a victim clicks the button inside the PDF, the Google DoubleClick open redirect sends them to a compromised web server hosting a .URL Internet shortcut file. This Internet shortcut file exploits CVE-2024-21412 by using its “URL=” parameter to point to a second Internet shortcut file, which holds the next stage of the infection and is hosted on an attacker-controlled WebDAV server. Because of the CVE-2024-21412 flaw, Microsoft Defender SmartScreen fails to display its warning prompt, leaving the victim exposed to the next stage of the DarkGate infection: fake software installers delivered as .MSI files. 
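The .URL-to-.URL hop through the “URL=” parameter is something a mail gateway or EDR can check for directly. The parser below is an added example, not SafeBreach's or the researchers' code: it reads a Windows Internet Shortcut file and flags a target that is itself a .url file or that points at a remote share (the heuristics, the placeholder host and the sample files are assumptions).

```python
import configparser
from urllib.parse import urlparse

def parse_url_shortcut(text: str) -> dict:
    """Return the [InternetShortcut] section of a .url file as a dict with
    lower-cased keys; raises ValueError when the section is absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return dict(cp[section])
    raise ValueError("no [InternetShortcut] section")

def assess_shortcut(text: str) -> list:
    r"""Flag the two traits of the chain described above: the shortcut's target
    is itself a .url file, and/or it lives on a remote share (Windows reaches
    WebDAV through file:// URLs or \\host@port UNC paths; heuristic assumption)."""
    target = parse_url_shortcut(text).get("url", "").strip()
    path = urlparse(target).path if "://" in target else target
    findings = []
    if path.lower().endswith(".url"):
        findings.append("chained-shortcut")
    if target.lower().startswith(("file:", "\\\\")):
        findings.append("remote-share-target")
    return findings

# Constructed samples (documentation-range placeholder host, not a real indicator).
MALICIOUS_SAMPLE = r"""[InternetShortcut]
URL=file://203.0.113.10@80/DavWWWRoot/update/stage2.url
IconFile=C:\Windows\System32\shell32.dll
IconIndex=1
"""
BENIGN_SAMPLE = """[InternetShortcut]
URL=https://www.example.com/docs/
"""
```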

SafeBreach Coverage of DarkGate Trojan

The SafeBreach platform was updated with the following new attacks to ensure our customers can validate their security controls against this malware variant:

  • #10074 – Write darkgate injectorx (e9e7f7) trojan to disk (HOST_LEVEL) 
  • #10075 – Transfer of darkgate injectorx (e9e7f7) trojan over HTTP/S (LATERAL_MOVEMENT) 
  • #10076 – Transfer of darkgate injectorx (e9e7f7) trojan over HTTP/S (INFILTRATION) 
  • #10077 – Email darkgate injectorx (e9e7f7) trojan as a compressed attachment (LATERAL_MOVEMENT) 
  • #10078 – Email darkgate injectorx (e9e7f7) trojan as a compressed attachment (INFILTRATION) 

MirrorBlast Trojan: What You Need to Know

Morphisec Labs researchers have tracked a new phishing campaign targeting financial services industry (FSI) organizations using a weaponized Excel document. According to the available information, the campaign’s attack chain bears striking similarities to the TTPs commonly used by the Russian threat group TA505. 

This phishing campaign started with a document sent as an email attachment and later switched to a Google feedproxy URL with a SharePoint or OneDrive lure posing as a file-share request. These malicious URLs lead to a compromised SharePoint site or a fake OneDrive site that the attackers use to evade detection. The Excel document is weaponized with an extremely lightweight macro. The macro can only execute on a 32-bit version of Office, for compatibility reasons with ActiveX objects, and performs anti-sandboxing tasks if:

  • Computer name is equal to the user domain
  • Username is equal to admin or administrator

There are two variants of the MSI installer that can be downloaded. Both versions are generated using the Windows Installer XML Toolset (WiX) version 3.11.0.1528; once executed, they drop two files into a random directory under ProgramData: the legitimate executable of a scripting language interpreter (KiXtart or REBOL) and the malicious script. Once executed, the malicious script sends the victim’s machine information (domain, computer name, user name, process list) to the C2 server.

SafeBreach Coverage of MirrorBlast Trojan

The SafeBreach platform was updated with the following attacks to ensure our customers can validate their security controls against this trojan: 

  • #10079 – Write mirror blast (7caad7) trojan to disk (HOST_LEVEL) 
  • #10080 – Transfer of mirror blast (7caad7) trojan over HTTP/S (LATERAL_MOVEMENT) 
  • #10081 – Transfer of mirror blast (7caad7) trojan over HTTP/S (INFILTRATION) 
  • #10082 – Email mirror blast (7caad7) trojan as a compressed attachment (LATERAL_MOVEMENT) 
  • #10083 – Email mirror blast (7caad7) trojan as a compressed attachment (INFILTRATION) 

XZ Backdoor: What You Need to Know

A new malicious backdoor has been discovered in the compression utility xz Utils. This intentionally planted backdoor found its way into several widely used Linux distributions, including Red Hat and Debian. According to Andres Freund, the developer who discovered it, the malicious code added to versions 5.6.0 and 5.6.1 of xz Utils modifies the way the compression tool functions. 

The backdoor manipulates sshd, the executable used for remote SSH connections. Anyone in possession of a predetermined encryption key could stash code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device. The backdoor is implemented through a five-stage loader that uses a series of simple but clever techniques to hide itself, and it provides the means for new payloads to be delivered without major changes being required.

SafeBreach Coverage of XZ Backdoor

The SafeBreach platform was updated with the following attacks to ensure our customers can validate their security controls against this backdoor: 

  • #10289 – Write xzbackdoor (b83537) trojan to disk (HOST_LEVEL) 
  • #10290 – Email xzbackdoor (b83537) trojan as a compressed attachment (LATERAL_MOVEMENT) 
  • #10291 – Email xzbackdoor (b83537) trojan as a compressed attachment (INFILTRATION) 
  • #10292 – Transfer of xzbackdoor (b83537) trojan over HTTP/S (LATERAL_MOVEMENT) 
  • #10293 – Transfer of xzbackdoor (b83537) trojan over HTTP/S (INFILTRATION) 
  • #10294 – Pre-execution phase of xzbackdoor (b83537) trojan (Linux) (HOST_LEVEL) 

Interested in Protecting Against Advanced Ransomware?

SafeBreach now offers a complimentary and customized real-world ransomware assessment, RansomwareRx, that allows you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:

  • Training: Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
  • Assessment: Review goals and ensure simulation connections to our management console and all configurations are complete.
  • Attack Scenario: Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
  • Report: Receive a custom-built report with simulation results and actionable remediation insights.

Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.
