Ankura CTIX FLASH Update - November 28, 2023

Ransomware/Malware Activity

macOS Targeted with Atomic Stealer Malware in ClearFake Campaign

The "ClearFake" malicious browser update campaign has continued its spread and is now targeting macOS devices with Atomic Stealer (AMOS) malware. According to researcher Randy McEoin, the ClearFake campaign began back in July of 2023. ClearFake is using non-obfuscated JavaScript on a variety of websites to create a fake pop-up window that informs the user they need to download the latest version of Google Chrome for security updates. This tricks users into thinking they need to download browser updates, thereby causing the victims to download malware and other targeted payloads. The original malware was using JavaScript to create the fake pop-up and a clickable button that redirected users to a malicious OneDrive file that would load the Amadey trojan to the device. As of November 17, 2023, the ClearFake campaign has expanded to include macOS devices by employing the same tactics previously seen targeting Windows devices. JavaScript is used to create a fake webpage that implores the user to download the latest Safari web browser version, but it instead deploys a payload of Atomic, an information stealing piece of malware. Atomic is capable of harvesting numerous pieces of information from a victim device, including passwords and credit card information stored in browser, crypto currency files, keychain passwords, financial information, and even WiFi passwords. Bleeping cComputer reports that approximately 50% of antivirus software is still struggling to identify Atomic once loaded. CTIX analysts will continue to provide updates and monitor the situation and malware payloads utilized by ClearFake.

Bleeping Computer: Atomic Stealer Article
• The Hindu: Atomic Stealer Article

Threat Actor Activity

UK and South Korea Release Joint Advisory Following Surge in North Korean-linked Attacks

The United Kingdom and South Korea recently released a joint advisory warning of a surge in software supply chain attacks by North Korean (DPRK) state-linked threat actors. The increased frequency and sophistication of such attacks carried out by North Korean-linked hackers is what prompted the creation of the joint advisory, with Korea's National Intelligence Service (NIS) and Britian's National Cyber Security Centre (NCSC) announcing a new strategic partnership between the nations' governments aimed at bolstering increased security measures that disrupt and deter DPRK malicious cyber capabilities and the associated activities that contribute to their nuclear missiles program. This advisory comes just as the North Korean-linked hackers tracked as Diamond Sleet were associated to another supply chain attack that targeted downstream customers via a trojanized version of a legitimate software application produced by the Taiwanese software developers CyberLink. As outlined in the joint advisory, and consistent with the latest DPRK-associated attack, the threat actors involved in the surge of attacks have been observed leveraging zero-day vulnerabilities and exploits in third-party software to gain access to specific targets or an entire organization via their supply chains. The agencies mentioned that the attacks align with known North Korean state aligned priorities like "revenue generation and espionage, with the theft of advanced technologies across a range of sectors, including but not limited to defense." Along with CyberLink, other recent noteworthy attacks include 3CX, MagicLine4NX, and JumpCloud.

National Cyber Security Centre: Joint Advisory
• The Record: North Korea Article
• Bleeping Computer: MagicLine4NX Article
• The Hacker News: CyberLink Article

Vulnerabilities

North Korean Hackers Exploit Critical Vulnerability in Apache ActiveMQ to Take Control of Vulnerable Instance

UPDATE: A threat actor known as Andariel, believed to be a member or partner of the North Korean state sponsored threat group Lazarus, has been identified in a cyberattack campaign targeting South Korean entities to spread the NukeSped and TigerRat backdoors. Andariel is known for targeting "national defense, political groups, shipbuilding, energy, telecommunications, ICT firms, universities, and logistics firms." The threat actors were able to install the backdoors by exploiting a critical remote code execution (RCE) vulnerability in Apache ActiveMQ, tracked as CVE-2023-46604. ActiveMQ is an open-source protocol which functions as an implementation of message-oriented middleware (MOM), allowing different applications to send messages between each other. Specifically, the flaw exists in the Java OpenWire protocol marshaller, allowing remote attackers with network access to Java-based OpenWire brokers or clients to run arbitrary shell commands by manipulating class types. Once installed, the backdoors communicate with Andariel command-and-control (C2) servers, allowing the threat actors to take complete administrative control of compromised systems. The exploited vulnerability has been patched, however threat actors knowing that many organizations are slow to patch, are actively scanning and attacking vulnerable versions of ActiveMQ. CTIX analysts recommend that any administrators responsible for infrastructure that may be vulnerable should ensure that their instances of Apache ActiveMQ are running the most recent software version.

GBHackers On Security: Apache ActiveMQ Vulnerability Article
• Apache: ActiveMQ Vulnerability Notification

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.