Raspberry Robin: worm detected in multiple Windows networks
Microsoft has issued a private advisory to Microsoft Defender for Endpoint subscribers, informing about the detection of the Raspberry Robin malware in multiple networks, mostly from the industrial sector.
The worm, created in 2019 and first detected in September 2021, is mainly spread through infected USB devices. Among its characteristics are the use of QNAP NAS devices as command and control (C2) servers and its ability to connect to the Tor network.
In addition, Raspberry Robin abuses legitimate Windows tools such as the msiexec process to infect new devices, execute malicious payloads and ultimately deliver malware. There is no evidence indicating that the operators of this malware have exploited the access obtained through their activities.
Moreover, it has not been possible to attribute this campaign to any specific malicious actor, although Microsoft has rated it as high risk, since the attackers could deploy additional malware on the victims' networks and escalate privileges at any time.
* * *
Critical vulnerability in Spring Data for MongoDB
NSFOCUS TIANJI Lab researcher Zewei Zhang has reported a critical remote code execution (RCE) vulnerability in Spring Data MongoDB, the Spring Data project that integrates applications with MongoDB document databases.
The flaw has been identified as CVE-2022-22980 and has received a CVSSv3 score of 9.8 (critical). Specifically, the vulnerability consists of a SpEL (Spring Expression Language) injection that would allow an attacker to execute arbitrary code remotely with inherited privileges. The flaw affects versions 3.4.0, 3.3.0 to 3.3.4, and earlier unsupported versions.
Spring released the corresponding patched versions of Spring Data MongoDB, 3.4.1 and 3.3.5, at the end of June. Where upgrading is not possible, the advisory published by VMware describes mitigation measures, which should be applied immediately given that proofs of concept for this vulnerability are publicly available.
* * *
Malicious version of Brute Ratel C4
Researchers at Palo Alto Networks have published an analysis of a malicious sample of the legitimate Brute Ratel C4 (BRc4) software, a tool that has emerged as an alternative to Cobalt Strike for red team penetration testers.
Just as Cobalt Strike deploys beacons on infected computers, Brute Ratel installs badgers that perform a similar function: they establish persistence and connect to command and control servers to receive commands and execute code on the infected machines.
Additionally, this tool was specifically designed to evade endpoint detection and response (EDR) and antivirus products. According to the researchers, it is very likely that former members of the Conti ransomware group created shell companies in order to pass part of the verification process required to obtain this software.
Finally, they urge security vendors to update their protections to detect this software, and organisations to take proactive steps to defend themselves.
* * *
Critical vulnerability in OpenSSL
Security researcher Xi Ruoyao has discovered a vulnerability in the OpenSSL cryptographic library that could lead to remote code execution under certain circumstances. The flaw, identified as CVE-2022-2274, lies in the RSA implementation for x86_64 CPUs that support AVX512IFMA instructions.
The vulnerability can cause memory corruption during the RSA computation, which an attacker could use to ultimately trigger remote code execution on the machine performing the computation.
The flaw affects OpenSSL version 3.0.4, released on 21 June 2022, and has been fixed in OpenSSL version 3.0.5. OpenSSL versions 1.1.1 and 1.0.2 are not affected by this vulnerability.
* * *
New HavanaCrypt ransomware campaign
TrendMicro researchers have analysed a campaign of a new ransomware family called HavanaCrypt, which is reportedly distributed while masquerading as the Google Software Update application.
HavanaCrypt is compiled in .NET and uses Obfuscar, an open-source obfuscator for .NET code. It has also been confirmed to use an IP address belonging to a Microsoft hosting service as its command and control (C&C) server in order to evade detection, which is unusual for this type of threat.
TrendMicro has also detected the use of multiple anti-virtualisation techniques to evade possible dynamic analysis in virtual machines. Finally, it is worth mentioning the QueueUserWorkItem function, which the malware uses to dispatch other payloads and its encryption routines.
After the encryption process, during which it uses legitimate KeePass Password Safe modules and the CryptoRandom function, the ransomware does not leave any ransom note, which leads researchers to believe it may still be under development.