In this week’s Threat Digest, we examine an array of sophisticated cyberthreats, from Lumma Stealer’s trigonometry-based evasion tactics to the Mirai-based botnet, InfectedSlurs, exploiting zero-day vulnerabilities. We explore the exploitation of Apache ActiveMQ’s CVE-2023-46604 flaw by Kinsing malware, and the critical zero-day vulnerability in CrushFTP’s CVE-2023-43177. Finally, we uncover the intricate phishing operations of DarkGate and PikaBot. Each of these threats highlights the evolving landscape of cybersecurity and the continuous need for vigilance and proactive defense measures.

Lumma Stealer, a malware-as-a-service, has advanced its evasion capabilities in its latest 4.0 version. It now uses trigonometry to analyze mouse movements, distinguishing between real user activity and automated sandbox environments. This technique helps it evade detection by security software. Additionally, Lumma Stealer has improved its obfuscation methods, including encrypted strings and complex code structures, to thwart analysis. A concerning development is its alleged ability to restore expired Google authentication cookies, potentially allowing unauthorized access to Google accounts. This feature’s effectiveness is yet to be confirmed, but it highlights a potential security gap in session cookie management. Users are advised to exercise caution, especially when downloading files from untrusted sources, as a preventive measure against such malware threats.

‘InfectedSlurs,’ a new Mirai-based botnet, has been targeting routers and NVR devices using two zero-day RCE vulnerabilities. Identified by Akamai in October 2023, its initial activities date back to late 2022. The botnet, which hijacks devices for DDoS attacks, leverages undocumented flaws in specific NVR and wireless LAN router models. The vulnerabilities remain unpatched, with fixes expected in December 2023. InfectedSlurs, characterized by offensive language in its C2 infrastructure, is a JenX Mirai variant with minimal code changes from the original Mirai, focusing on self-propagating DDoS attacks. Without a persistence mechanism, rebooting affected devices can temporarily disrupt the botnet.

Trend Micro’s recent report highlights the exploitation of the CVE-2023-46604 vulnerability in Apache ActiveMQ by the Kinsing malware, targeting Linux systems for crypto mining. This vulnerability stems from a failure in OpenWire command validation, leading to remote code execution. ActiveMQ, an essential Java-based message-oriented middleware developed by Apache, is widely used in various applications. The Kinsing malware, known for primarily targeting Linux systems, exploits vulnerabilities in web applications or misconfigured container environments to infiltrate and spread across networks rapidly. Once inside, it deploys cryptocurrency-mining scripts, severely impacting system performance and infrastructure. Trend Micro specifies that versions of Apache ActiveMQ including 5.18.0 to 5.18.3 and other earlier versions are vulnerable. Users are urgently recommended to upgrade their systems to patched versions like 5.15.16, 5.16.7, 5.17.6, or 5.18.3 to mitigate this significant security risk.

Converge Technology Solutions disclosed a critical zero-day vulnerability, CVE-2023-43177, in the CrushFTP enterprise suite in August 2023, affecting about 10,000 public instances and more behind firewalls. This unauthenticated exploit allows attackers to access all files, run programs, and obtain passwords in the default software configuration. Patched in CrushFTP version 10.5.2, the vulnerability arises from a mass-assignment flaw in AS2 request header parsing, enabling control over user session properties and leading to root-level remote code execution. Converge advises updating CrushFTP, enhancing password security, auditing user accounts, and enabling Limited Server mode for increased protection. The exploit chain culminates in administrative access and arbitrary Java code execution, highlighting the importance of immediate system updating and hardening against such sophisticated attacks.

A highly sophisticated phishing campaign, initially detected in September by Cofense, has rapidly evolved to become a major threat. Initially focused on disseminating DarkGate malware, the campaign now also deploys PikaBot, leveraging advanced tactics reminiscent of the infamous QakBot malware and botnet. This campaign stands out for its volume and range, targeting various industries with a barrage of phishing emails. The primary concern is the loader capabilities of DarkGate and PikaBot, which pave the way for more intricate cyberthreats, including reconnaissance tools and ransomware.

In August, the FBI and Justice Department’s actions temporarily silenced QakBot. Despite this, similarities between this new campaign and QakBot’s strategies are striking, involving hijacked email threads and unique URL patterns restricting access based on specific criteria. DarkGate and PikaBot, both advanced in nature, offer a wide range of malicious functionalities, raising the stakes for potential victims. Their sophisticated evasion and anti-analysis techniques significantly increase the complexity and potential impact of this campaign.

For real-time intel and updates, don’t forget to follow APG on Twitter and Reddit.