Vulnerabilities fixed in new OpenSSL version
The new 3.0.7 version of OpenSSL, announced last week by the developers of the project, was made public this past Wednesday.
The expectation around this version was high because, initially, it was going to patch a critical vulnerability in the software, the first of this severity since 2016. In the end, yesterday’s release includes fixes for two vulnerabilities considered to be of high importance, thus lowering the initial criticality announced.
The vulnerability that had raised the highest alert is CVE-2022-3602, a buffer overflow flaw in the certificate verification process that requires a certificate authority (CA) to have signed a malicious certificate or the application to continue the verification process without a valid path. While an attacker could trigger the flaw via a malicious email address, many platforms already incorporate protections to prevent such attacks.
The second vulnerability fixed, also with high criticality, CVE-2022-3786, is also a buffer overflow in the same process, but based on the length of the email address.
* * *
Emotet campaign returns after five months of inactivity
The research team Cryptolaemus, which specialises in the study of the Emotet malware, has announced on Twitter that the operators of the popular malware have returned to malicious actions after five months of inactivity.
In particular, an Emotet infection campaign has been detected via email distributing malicious Excel files. To bypass Mark-of-the-Web (MoTW) protection, the mail instructs the potential victim to copy the Excel file to the Templates folder, which will allow it to be opened outside the protected mode and thus execute the macros that will download the malware onto the target computer.
The Emotet malware is then downloaded as a DLL file into random folders created in the path
%UserProfile%\AppData\Local. According to the available data, this reactivation campaign is reportedly having a global impact, distributing its malicious files in several languages.
* * *
Use of Raspberry Robin in complex infection chains
Microsoft researchers have recently reported new discoveries concerning the Raspberry Robin malware. Based on their analysis, this malware is being marketed as a method to gain access to victims’ systems to subsequently install other malware or carry out other post-exploitation activities.
During the summer, Raspberry Robin has been used to install the FakeUpdate malware by malicious groups close to EvilCorp, and has even been observed in infection chains of the Lockbit ransomware.
More recently, Raspberry Robin is reportedly being used to deploy other malware such as IcedID, Bumblebee, and Truebot. Likewise, Microsoft has observed its use by the FIN11/TA505 group, which is using it together with Truebot to deploy Cobalt Strike beacons and infect their victims with the Clop ransomware, thus allowing this group to abandon phishing as the initial vector of the chain of infection.
It should be noted that, according to Microsoft, nearly 3,000 devices from 1,000 different organizations have been affected in some way by Raspberry Robin in the last month.
* * *
Google fixes a 0-day vulnerability for Chrome
Successful exploitation of the vulnerability would allow a remote attacker to manipulate data on the victim’s system and escalate privileges. It is recommended to update the browser as soon as possible, to version 107.0.5304.87 on Mac and Linux and 107.0.5304.87/88 on Windows.
* * *
RomCom RAT launches campaign via KeePass and SolarWinds fakes
Researchers at BlackBerry Threat Research have discovered a RomCom RAT (Remote Access Trojan) campaign with new access vectors. According to the BlackBerry team, RomCom has cloned the official download pages of several widely used software products such as the network monitor SolarWinds, the password manager KeePass or the PDF file reader Reader Pro.
RomCom has copied the original HTML to reproduce it on domains with typos that give the appearance of veracity to these malicious URLs. In fact, in the case of SolarWinds along with the infected file the user will be redirected to the official SolarWinds registration page to be contacted by legitimate customer support to avoid suspicion on the part of the victim.
In the pieces of malware analysed, the file
setup.exe has been observed executing the file
hlpr.dat, which contains the dropper that installs RomCom. This campaign is spread through phishing techniques, SEO poisoning and social engineering.