PoolParty Process Injections, SysJoker, NetSupport RAT, & More: Hacker’s Playbook Threat Coverage Round-up: December 2023

In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting attack coverage for newly discovered or analyzed threats, including those based on original research conducted by SafeBreach Labs. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook™ to ensure coverage against these advanced threats. Additional details about the threats and our coverage can be seen below. 

NEW ORIGINAL RESEARCH – Windows Thread Pool Process Injection Techniques

SafeBreach Labs researchers recently developed a brand-new set of process injection techniques that can completely bypass the defenses of several leading EDR tools. By using Windows thread pools as a novel attack vector, they were able to trigger malicious execution because of a completely legitimate action. These eight techniques could work across all processes without any limitations, making them more flexible than the existing process injection techniques. When these were attempted on five leading EDR tools, these tools failed to detect them. This research was first presented at Black Hat Europe 2023 in December 2023. 

These techniques work by targeting worker factories, which refer to Windows objects that are responsible for managing thread pool worker threads. The first discovered process injection technique abuses the start routine of worker factories, while the other seven abuse the three queue types: one abuses the task queue, five abuse the I/O completion queue, and the eighth abuses the timer queue.

SafeBreach Coverage of Windows Thread Pool Process Injection Techniques

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their EDR tools against techniques discovered in this original research. 

• #8378 – PoolParty process injection – Worker Factory Start Routine Overwrite (HOST_LEVEL) 
• #8379 – PoolParty process injection – Remote TP_WORK Work Item Insertion (HOST_LEVEL) 
• #8380 – PoolParty process injection – Remote TP_WAIT Work Item Insertion (HOST_LEVEL)
• #8381 – PoolParty process injection – Remote TP_IO Work Item Insertion (HOST_LEVEL)
• #8382 – PoolParty process injection – Remote TP_ALPC Work Item Insertion (HOST_LEVEL) 
• #8383 – PoolParty process injection – Remote TP_JOB Work Item Insertion (HOST_LEVEL) 

SysJoker Trojan: What you need to know

SysJoker is a stealthy Windows, Linux, and macOS malware written in C++ that was first discovered by threat researchers at Intezer in December 2021. The recent hostilities between Israel and Hamas have seen a new variation of this trojan being discovered in the wild. According to researchers from Checkpoint, this new version is written in the Rust programming language and involves a complete code rewrite when compared to its C++ variant. This new variant was recently involved in several targeted cyberattacks on Israeli organizations by a Hamas-related threat actor. 

The malware employs random sleep intervals at various stages of its execution, which may serve as possible anti-sandbox or anti-analysis measures. When first launched, it executes actions to modify the registry to maintain persistence using PowerShell scripts. During its later executions, it establishes communication with the C2 (command and control) server, the address for which it retrieves from a OneDrive URL. This trojan’s main objective is to fetch and load additional malicious payloads on the compromised system, directed via the reception of JSON-encoded commands. 

SafeBreach Coverage of SysJoker Trojan

The SafeBreach platform has been updated with the following new attacks to ensure our customers can validate their security controls against this trojan variant:

• #9382 – Write SysJoker (862d95) trojan to disk (HOST_LEVEL) 
• #9383 – Pre-execution phase of SysJoker (862d95) trojan (Windows) (HOST_LEVEL) 
• #9384 – Transfer of SysJoker (862d95) trojan over HTTP/S (LATERAL_MOVEMENT) 
• #9385 – Transfer of SysJoker (862d95) trojan over HTTP/S (INFILTRATION) 
• #9386 – Email SysJoker (862d95) trojan as a compressed attachment (LATERAL_MOVEMENT) 
• #9387 – Email SysJoker (862d95) trojan as a compressed attachment (INFILTRATION) 

NetSupport RAT: What you need to know

The NetSupport Manager tool is a legitimate piece of software that enables users to receive remote technical support or provide remote computer assistance. However, threat actors have managed to turn this legitimate tool into a remote access trojan (RAT) that can be used to gain unauthorized access to victim networks and launch malicious payloads. VMware researchers have observed a recent uptick in attacks involving this RAT variant, primarily targeting entities in the government, education, and business sectors. 

According to the information gathered by researchers, the recent infections have started with the download of the malicious package (NetSupport RAT) via fake websites and bogus browser updates. The infected websites host a PHP script that displays a seemingly authentic update and lures the victim into downloading the update. When the victim clicks on the download link, an additional JavaScript payload is downloaded onto the endpoint. This downloaded update then invokes a PowerShell script that can execute obfuscated commands. Once installed on a victim’s device, the NetSupport RAT can monitor behavior, transfer files, manipulate computer settings, and move to other devices within the network. Its important to note that the NetSupport RAT, once installed, is very robust and powerful, and threat actors can leverage it in any way they see fit.

SafeBreach Coverage of NetSupport RAT

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the malware variant: 

• #9444 – Write NetSupport (a57911) RAT to disk (HOST_LEVEL) 
• #9445 – Pre-execution phase of NetSupport (a57911) RAT (Windows) (HOST_LEVEL) 
• #9446 – Transfer of NetSupport (a57911) RAT over HTTP/S (LATERAL_MOVEMENT) 
• #9447 – Transfer of NetSupport (a57911) RAT over HTTP/S (INFILTRATION) 
• #9448 – Email NetSupport (a57911) RAT as a compressed attachment (LATERAL_MOVEMENT) 
• #9449 – Email NetSupport (a57911) RAT as a compressed attachment (INFILTRATION) 

Phobos Ransomware/VX-Underground: What you need to know

Threat researchers from Qualys recently came across a new version of an existing ransomware family pretending to be VX-Underground. This ransomware variant, known as Phobos, usually operates using the ransomware-as-a-service (RaaS) model and has been around since 2018. This ransomware is believed to be an offshoot of the Crysis ransomware. VX-Underground is an open-source community that hosts the largest library of malware code, samples, and papers on the internet. Threat researchers frequently use this open-source community to gain access to malware code that their peers around the world share. 

When encrypting files, the ransomware adds the  following string: “.id[unique_id].[[email protected]].VXUG” to the file name. The email is the real address of the VX-Underground community, and the extension “VXUG” is a commonly used abbreviation for VX-Underground. Once file encryption is complete, ransom messages are created on the Windows desktop and other places. One ransom text is called “Buy Black Mass Volume II.txt” which happens to be the name of the latest book released by the VXUG researchers. Another ransom note is a file named “Buy Black Mass Volume II.hta,” which is a standard ransom note from Phobos, designed using the VX-Underground logo, name, and contact information. It is important to note that victims are not provided with a real address where they can contact cybercriminals, leaving them in limbo if their files get encrypted. 

SafeBreach Coverage of Phobos Ransomware

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against this ransomware variant: 

• #9376 – Write Vx-underground (Phobos) (9dbdeb) ransomware to disk (HOST_LEVEL) 
• #9377 – Pre-execution phase of Vx-underground (Phobos) (9dbdeb) ransomware (Windows) (HOST_LEVEL)
• #9378 – Transfer of Vx-underground (Phobos) (9dbdeb) ransomware over HTTP/S (LATERAL_MOVEMENT) 
• #9379 – Transfer of Vx-underground (Phobos) (9dbdeb) ransomware over HTTP/S (INFILTRATION) 
• #9380 – Email Vx-underground (Phobos) (9dbdeb) ransomware as a compressed attachment (LATERAL_MOVEMENT) 
• #9381 – Email Vx-underground (Phobos) (9dbdeb) ransomware as a compressed attachment (INFILTRATION) 

Golden Ticket Attacks: What are they and what you need to know

A Golden Ticket attack is a malicious cyber attack that provides the attacker with the opportunity to gain almost unlimited access to an organizational domain by exploiting weaknesses in the Kerberos identity authentication protocol. By targeting the user data stored in the Active Directory (AD), the attacker can   get access to the organizational devices, files, domain controllers, and more. Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network, such as the internet. Kerberos support is built into all major computer operating systems, including Microsoft Windows, Apple MacOS, FreeBSD, and Linux. 

Kerberos authentication uses a key distribution center to protect and verify a user’s identity. With this system, the goal is to eliminate the need for multiple credential requests to the user, and instead verifies the user’s identity and assigns a ticket to the user for access. The Distribution center has the ticket-granting server (TGS) which connects the user to the service server. The Kerberos database contains the password of all verified users. The authentication server (AS) performs the initial authentication of the user. If AS is verified, the the user gets a Kerberos Ticket Grant Ticket (TGT) which is proof of authentication. Using a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. 

SafeBreach’s Golden Ticket Attack Coverage

SafeBreach’s Golden Ticket attack simulation starts with a DCSync attack to retrieve the hash of the KRBTGT account (a default account that exists in all domains of an Active Directory). Once the hash is retrieved, the simulation forges a golden ticket and injects the ticket into the running user’s session by using a pass the ticket attack. Lastly, using the injected ticket, the simulation retrieves files from the domain controller. You can run the following simulation to ensure protection against this malicious attack: 

• #8377 – Golden Ticket (HOST_LEVEL) 

Interested in Protecting Against Advanced Ransomware?

SafeBreach now offers a complimentary and customized real-world ransomware assessment, RansomwareRx, that allows you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:

• Training: Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
• Assessment: Review goals and ensure simulation connections to our management console and all configurations are complete.
• Attack Scenario: Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
• Report: Receive a custom-built report with simulation results and actionable remediation insights.

Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.