Introduction

In this week’s Threat Digest, we delve into a range of sophisticated cyberthreats: from a deceptive malvertising campaign mimicking a popular Windows news site and the critical CVE-2023-47246 vulnerability in SysAid’s software, to the ongoing exploitation of Atlassian Confluence’s security flaw. We also examine the advanced GootBot variant by IBM X-Force and the rising tide of Jupyter Infostealer malware variants. These cases highlight the evolving complexity of cyberthreats and underscore the importance of proactive measures in cybersecurity. Stay informed, stay secure.

New CPU-Z Malvertising Scheme Uncovered

Malwarebytes Labs has uncovered a sophisticated malvertising campaign where threat actors replicated a legitimate Windows news portal, WindowsReport.com, to distribute a malicious installer for CPU-Z, a popular processor tool. This deceptive strategy targets users seeking software utilities, with the fake site appearing almost identical to the authentic one. The campaign also targets other utilities like Notepad++, Citrix, and VNC Viewer, employing cloaking techniques to evade detection. The payload, a signed MSIX installer containing a malicious PowerShell script and the FakeBat loader, leads to the Redline stealer. Malwarebytes has taken steps to block these malvertising domains and added coverage for the command and control (C2) servers. This campaign highlights the increasing sophistication of cybercriminals in mimicking legitimate software download portals to deploy malware.

Navigating the SysAid CVE-2023-47246 Vulnerability

A critical zero-day vulnerability, CVE-2023-47246, in SysAid’s on-premises software was identified on Nov. 2. This path traversal vulnerability, which leads to code execution, was exploited by the DEV-0950 (aka Lace Tempest) group. Attackers gained unauthorized access via a WebShell and deployed the GraceWire trojan using a PowerShell script. SysAid has urged customers to update to version 23.3.36 to remediate the vulnerability and to assess their networks for signs of compromise, such as WAR, ZIP, or JSP files whose timestamps differ from those of the SysAid installation. Given the severity of this threat, immediate action and adherence to incident response protocols are strongly recommended to secure installations and mitigate risk.
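One way to run the file-timestamp check SysAid recommends, as an added Python example that is not SysAid's or Blackpoint's code: it walks an installation directory for WAR, ZIP and JSP files whose modification time deviates from the install baseline. The directory layout, the one-day tolerance and every file name in demo() are constructed assumptions, not real product paths.

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# File types the SysAid guidance singles out as worth checking.
SUSPECT_SUFFIXES = {".war", ".zip", ".jsp"}


def find_outlier_artifacts(install_dir, baseline, tolerance=timedelta(days=1)):
    """Return (relative_path, mtime) for WAR/ZIP/JSP files whose modification
    time differs from `baseline` by more than `tolerance`.

    `baseline` is when SysAid was installed or last upgraded: files laid
    down by the installer cluster around it, while a file dropped later
    (for example a WebShell) stands out. The one-day tolerance is an
    assumption; tune it to the real installation's timestamp spread.
    """
    root = Path(install_dir)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_SUFFIXES:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime)
        if abs(mtime - baseline) > tolerance:
            hits.append((path.relative_to(root).as_posix(), mtime))
    return sorted(hits)


def _touch(path, when):
    """Create a placeholder file and set its atime/mtime to `when`."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text("placeholder")
    os.utime(path, (when.timestamp(), when.timestamp()))


def demo():
    """Scan a constructed, SysAid-like tree (not real product files)."""
    root = Path(tempfile.mkdtemp(prefix="sysaid-demo-"))
    install_time = datetime(2023, 10, 1, 9, 0, 0)
    # Constructed files consistent with the install time: not flagged.
    _touch(root / "tomcat/webapps/server.war", install_time)
    _touch(root / "tomcat/webapps/server/index.jsp", install_time)
    # Constructed files written weeks later: these should be flagged.
    late = install_time + timedelta(days=33)
    _touch(root / "tomcat/webapps/ROOT/late.jsp", late)
    _touch(root / "tomcat/webapps/upload.zip", late)
    return [rel for rel, _ in find_outlier_artifacts(root, install_time)]
```

Run find_outlier_artifacts against the real install directory with the installation date taken from SysAid's own records; each hit is a candidate for the incident response review described above, not proof of compromise on its own.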

Read our Director of Threat Research’s commentary here and Blackpoint’s threat notice on the vulnerability here.

Patch Now: Exploitation Continues on Confluence Vulnerability

As previously mentioned at the beginning of November, the critical Atlassian Confluence vulnerability, CVE-2023-22518, has seen an increase in exploitation in the wild. This severe flaw, rated 9.1 out of 10, allows an authentication bypass and affects all versions of Confluence Data Center and Server software. Attackers are exploiting it to deploy Cerber ransomware, encrypting victims’ files and potentially wiping data. Atlassian has released security updates, urging immediate patching of vulnerable instances. Additionally, a proof-of-concept (PoC) exploit is already online, heightening the risk. Over 24,000 Confluence instances are exposed online, although the exact number vulnerable to this bug is unclear.

For those unable to patch immediately, Atlassian recommends backup and network isolation strategies, and modifying the /<confluence-install-dir>/confluence/WEB-INF/web.xml to mitigate risks.

Gootloader, GootBot, GoodGrief!

According to an article from Security Intelligence, IBM X-Force has identified a new variant of Gootloader, known as “GootBot,” which presents a more sophisticated threat to enterprise environments. This evolution marks a significant shift in the threat landscape, as GootBot facilitates stealthier lateral movement, complicating the detection and blocking of Gootloader campaigns. Unlike its predecessor, which served primarily as initial access malware, GootBot enables threat actors to remain undetected for extended periods. It is distributed as a payload following a Gootloader infection and is capable of executing encrypted PowerShell scripts for C2 tasks. Notably, GootBot employs SEO poisoning to lure victims to compromised sites disguised as legitimate forums, from which the initial payload is downloaded. Each GootBot implant uses a distinct C2 server, usually hosted on a hacked WordPress site, and the implant proliferates across corporate networks with the aim of reaching domain controllers. As of now, GootBot has evaded detection on platforms like VirusTotal, underscoring the heightened risk and sophistication of these post-exploitation stages, which may lead to further damaging activities like ransomware deployment.

Jupyter Infostealer: The Shape-Shifting Malware Strikes Again!

The VMware Carbon Black MDR Team has reported a surge in sophisticated Jupyter Infostealer malware variants, primarily targeting the education and healthcare sectors. These new variants cleverly employ PowerShell command modifications and use signed certificates to disguise themselves as legitimate files, making detection more challenging. Initially discovered in late 2020, Jupyter Infostealer has evolved to use SEO poisoning and search engine redirects to deliver malware via browsers like Chrome, Edge, and Firefox. The current wave of attacks involves the use of multiple certificates to sign the malware, further evading detection by appearing as authentic software. The Blackpoint SOC has intercepted 50+ attacks by Jupyter (aka Polazert and SolarMarker), which often hides behind filenames made up of a few dash-separated words, like ‘Aisd-Residency-Affidavit-Form.exe.’ As malware becomes more “user-friendly” in this digital arms race, our defenses must keep pace.

For real-time intel and updates, don’t forget to follow APG on Twitter and Reddit.

Want something new to listen to?

Check out Blackpoint's podcasts where you can hear expert insights and candid discussions about cybersecurity, incident response, entrepreneurship, and elite performance.