Between May 22-29, 2024, Blackpoint’s Security Operations Center (SOC) responded to 59 total incidents. These incidents included 19 on-premises MDR incidents, no Cloud Response for Google Workspace incidents, and 40 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:
- Multiple ChromeLoader attempts for information theft;
- A malicious scheduled task for persistence; and
- RDP abuse for lateral movement.
In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.
Multiple Cross-Industry ChromeLoader Incidents on 2024-05-24 and 2024-05-28
Topline Takeaways
- Industry targets:
- Healthcare
- Professional & Commercial Services
- Attack information:
- ChromeLoader
- Registry Run Key “ChromeBrowserAutoLaunch”
- .msi initial payload file
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
- The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use ChromeLoader to exploit other Healthcare organizations over the next 12 months.
- Recommended remediations and mitigations:
- Heuristics-based activity monitoring and remediation
- Scripting language controls
- Least-privilege access controls
- Browser extension allowlists
Chromeloader Incidents Overview for 2024 May 24 and 28
Several times this week, Blackpoint’s MDR+R technology alerted Active SOC analysts to malicious Chromeloaders within managed partner environments, with similar IoCs and behaviors:
- On 2024-05-24, Blackpoint’s MDR+R alerted to a Registry Run Key addition “ChromeBrowserAutoLaunch” and several detections of JavaScript files on a Healthcare partner’s endpoint.
- The threat actor configured the added run key to automatically launch Google Chrome with a specific extension.
- The infection likely occurred from an “.msi” file that was identified in the user’s download folder.
- Blackpoint’s Active SOC analysts isolated the device to prevent any further malicious activity, before reaching out to the Healthcare partner about the incident and with further remediation advice.
- On 2024-05-28, Blackpoint’s MDR+R alerted to a Registry Run Key added for Chrome and a scheduled task “PDFFlexUpdateOnce-672a83b6-cb4e-4c28-9425-36d01e529df1” on a Professional & Commercial Services partner’s endpoint.
- The infection likely occurred from a “.msi” file that analysts later discovered in the affected user’s downloads folder.
- There were no indications that the threat actor had attempted to move laterally or elevate privileges.
- Blackpoint’s Active SOC analysts isolated the affected device out of an abundance of caution, before reaching out to the Professional & Commercial Services partner with additional information and remediation advice.
More About ChromeLoader
Click for details
ChromeLoader is a browser extension that hijacks user search queries and sends traffic to an advertising site and operates similar to other suspicious browser extensions (1). Unlike other malware variants, ChromeLoader injects itself into the browser and adds a malicious extension. By doing so, it is able to collect browser data, which could include browser stored passwords.
Threat actors using ChromeLoader have been previously observed gaining initial access via:
- Social engineering tactics,
- QR codes posted on social media sites, and
- Malicious advertisements (“malvertising”).
APG Threat Analysis of ChromeLoader for 2024
Click for details
The APG predicts that threat actors will likely continue to use ChromeLoader over the next 12 months in an attempt to monitor browsing habits, collect sensitive data (such as credentials), and redirect traffic to malicious sources.
This assessment is based on Blackpoint Active SOC observed attacks, which include multiple incidents reported in last week’s Active SOC incident analysis alone (2), as well as additional external reporting detailing ChromeLoader incidents.
- 2023:
- AhnLab researchers observed ChromeLoader campaigns targeting gamers by masquerading as hacks or cracks for Nintendo and Steam games (3).
- HP and Wolf Security released a threat insight report detailing how a Google Chrome extension that could redirect victim’s search queries to malicious websites (4).
- 2022: Blackberry researchers observed ChromeLoader deployments relying on JavaScript, rather than PowerShell, with delivery via phishing emails with malicious ISO file attachments. (5).
Recommended ChromeLoader Mitigations and Remediations
Click for details
Blackpoint’s APG recommends the following actions to help mitigate ChromeLoader malware infections. Note: many of the mitigations for ChromeLoader are the same as mitigations for other malicious activity.
- Monitor system activity through heuristics-based triggers and alerts, which can help identify anomalous scheduled tasks and user activity.
- Minimize the use of – or implement strict controls on – the use of scripting languages, as threat actors often rely on scripting languages to deploy malware and conduct malicious activities.
- Implement the practice of least privilege, to ensure that users without elevated privileges are unable to create or modify Registry Run Keys and run malicious files.
- Implement browser extension allowlists, which can prevent the installation of unauthorized or malicious browser extensions.
“Innovation Systems” Scheduled Task Incident with Legal Services Partner on 2024-05-24
Topline Takeaways
- Industry target: Legal Services
- Attack information:
- Scheduled task “Innovation Systems”
- wscript
- .pdf.pdf double extension
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
- The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to abuse scheduled tasks for persistence, as well as the double file-extension naming convention, to exploit other Legal Services organizations over the next 12 months.
- Recommended remediations and mitigations:
- Heuristics-based activity monitoring and remediation
- Least-privilege access controls
- Strategic operation system (OS) configurations
- Regular environment and endpoint audits
“Innovation Systems” Scheduled Task Incident Timeline for 2024-05-24
- Blackpoint’s MDR+R technology alerted to a detection for a “.js” file being run from a Legal Services organizations’ host.
- Upon further investigation by Active SOC analysts, the alerted JavaScript file was not seen in the alerted folder; however, the threat actor (through the affected user account) used wscript.exe to execute the malicious .js file.
- The .js file created a scheduled task “Innovation Systems”, designed to help the threat actor’s tools and access persist on the impacted endpoint and profile.
- Active SOC analysts isolated the device and deleted the malicious “Innovation Systems” scheduled task to prevent any additional malicious activity, before reaching out to the affected Legal Service’s partner with additional information and remediation advice.
- Additional analysis identified the probable initial payload originated from a “.pdf.pdf” file in the affected user’s download folder, which malicious actors use to obfuscate the malicious file extension.
More About Scheduled Task Abuse for Persistence
Click for details
Scheduled tasks are tasks that run in the background of a user’s endpoint and are scheduled to occur at specific intervals or triggers. Task triggers can include:
- A certain date and time;
- After a specific action occurs, such as a user logs in or system reboots; and
- On specific intervals, such as every 30 seconds.
Organizations’ authorized system adminitrators, IT professionals, and developers often use scheduled tasks to complete necessary actions and automate activities across their environments to save time and make recurring or manual tasks more manageable.
However, threat actors abuse the scheduled task feature of different operating systems to ensure persistence of malicious actions, such as executing malware each time the system is turned on (6).
And, in addition to writing their own original scheduled tasks, threat actors can take advantage of already present scheduled tasks to further obfuscate their activities, blending into normal traffic on a compromised network as part of a broader “living off the land” (LotL) strategy(7).
APG Threat Analysis of Scheduled Task Abuse for Persistence for 2024
Click for details
The APG predicts that threat actors will very likely continue to abuse scheduled tasks for persistence over the next 12 months.
This assessment is based on internal Blackpoint observed attack trends within partner managed environments across all industries, as well as external reporting related to the abuse of scheduled tasks for malicious purposes. Most notably:
- As of May 2024, at least 20 ransomware operators tracked by Blackpoint’s APG have been observed abusing scheduled tasks for execution and persistence as part of a wide range of cyberattacks.
- In January 2024, Purple Team security researchers reported that the Silk Typhoon (AKA HAFNIUM) APT group used scheduled tasks during their malicious campaigns to gain persistence on compromised networks (9). Of particular note, Silk Typhoon attackers specifically modified Registry Keys in their malware to create scheduled tasks.
- As far back as 2022, Red Canary researchers reported that scheduled task abuse was the seventh most prevalent technique used by threat actors that year(8).
Recommended Scheduled Task Abuse Mitigations and Remediations
Click for details
Blackpoint’s APG recommends the following actions to help mitigate the abuse of scheduled tasks for persistence and execution.
- Monitor system activity through heuristics-based triggers and alerts, which can help identify anomalous scheduled tasks and user activity.
- Implement the practice of least privilege, to ensure that regular users do not have the ability to create or modify scheduled tasks.
- Ensure the operating system is configured to prevent scheduled tasks from running as SYSTEM, and instead forces them to run under the context of an authenticated account.
- Regularly audit both the environment and endpoints to establish what a “normal” baseline looks like, as well as to quickly identify anomalous scheduled tasks that are indicative of malicious activity.
RDP Incident with Consumer Cyclicals Partner on 2024-05-24
Topline Takeaways
- Industry target: Consumer Cyclicals
- Attack information:
- update.js and 44927f61.js
- RDP
- Scheduled task “pypa-embed”
- Antivirus (AV) and / or EDR present in environment? No
- Threat assessment for partners:
- The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to abuse RDP to exploit other Consumer Cyclicals organizations over the next 12 months.
- Recommended remediations and mitigations:
- Multifactor authentication (MFA)
- Network segmentation for common ports
- Account lockout policies
- Heuristics-based activity monitoring and remediation
RDP, “update.js”, and “44927f61.js” Incident Timeline for 2024-05-24
- Blackpoint’s MDR+R technology alerted to a Consumer Cyclicals partner’s end client user account enumerating domain trusts on a host, while also enumerating enterprise admins.
- During the Active SOC team’s initial investigation, analysts discovered the compromised user account had used:
- quser.exe, to see who was actively on the server;
- nslookup, to view the internal IP address;
- RDP (remote desktop protocol) from one host to another; and
- wscript.exe, to execute two JavaScript files (“update.js” and “44927f61.js”), which were likely malicious payloads used to establish persistence.
- Additional observations by the Active SOC team revealed that the threat actor had:
- Likely gained initial access via an RDP session, using a user account from two unknown IP addresses.
- Infected other devices within the environment, using several user accounts and creating new user accounts in the process for persistence.
- Created a scheduled task, “pypa-embed”, which was using Python to call out to a command and control (C2) server in Lithuania.
- The Active SOC team isolated all affected devices and deleted the malicious scheduled task to prevent further threat actor activity before contacting the affected Consumer Cyclicals partner with additional incident information and remediation information.
More About RDP Abuse
Click for details
Remote Desktop Protocol (RDP) is a protocol that allows users to use a desktop remotely. Threat actor can, and often do, use RDP to gain initial access and move laterally through compromised networks. RDP is often used for two legitimate purposes:
- Remote Desktop Access: Users can remotely access physical desktop computers from another device.
- Remote administration: Users can perform remote administrative work by accessing the device.
Threat actors target RDPs in infected environments, abusing it in a variety of ways (10):
- Hijacking RDP sessions
- Abusing accessibility features, such as Sticky Keys
- Brute force attacks
- Deploying malware specifically designed to target and twist RDP functionality
- Protocol tunneling
APG Threat Analysis of RDP Abuse for 2024
Click for details
The APG predicts that threat actors will very likely continue to abuse Remote Desktop Protocol (RDP) over the next 12 months.
This assessment is based on internal Blackpoint observed attacks within managed environments, as well as external reporting highlighting threat actors’ abuse of RDP for lateral movement in particular.
- As of May 2024, Blackpoint’s APG has tracked at least 31 ransomware operations that have previously abused RDP for malicious actions, most often lateral movement.
- In a report released April 2024, Sophos security researchers released incident analysis of incidents from 2023, and reported that RDP abuse was featured in 90% of their reviewed cases analyzed (11).
- In 2021, CrowdStrike researchers released attack details related to FIN7 (aka Carbon Spider, Sangria Tempest, Gold Niagara, ITG14, ELBRUS), a financially motivated threat group. The researchers reported that the group previously used RDP to move laterally through observed compromised networks (13).
- In 2020, Bitdefender researchers reported that the Iranian-linked threat group Chafer (aka APT39, Remix Kitten, ITG07) had been observed abusing RDP services for lateral movement and persistence in compromised networks (12).
Recommended RDP Abuse Mitigations and Remediations
Click for details
Blackpoint’s APG recommends the following actions to help mitigate the malicious use of RDP for lateral movement and persistence.
- Ensure employees are using MFA and VPNs to access sensitive data and resources, which will provide an additional level of credential authentication when using services like RDP to access devices.
- Segment managed environments and networks to ensure critical systems are isolated from less secure areas and prevent unauthorized communication restrictions between segments. This segmentation helps prevent threat actors from using allowlisted services like RDP to move laterally within the network.
- Implement account lockout policies to aid in prevention of brute force attacks on RDP and other critical services and software.
- Monitor system activity through heuristics-based triggers and alerts, which can aid in detecting anomalous logins and behavior when threat actors abuse services like RDP.
References and Resources
A quick note on incident details:
As these analyses concern recent incidents in actively monitored environment, certain details may be occasionally omitted and / or obfuscated, to better secure our partners and protect any still-ongoing investigations.
However, we felt that these incidents were important enough to bring to the community’s attention as fast as possible, and so included them in this public writeup.
Please feel free to reach out to the APG directly if you have any questions about a specific incident!
Click for full reference list
- Logpoint’s Blog: “Emerging Threats: ChromeLoader: A rise in malvertisers” by Nilaa Maharjan on 2022-07-20
- Blackpoint Cyber’s Blog: “ChromeLoader, Telegram, RustDesk, and Tailscale” by Blackpoint Cyber on 2024-05-24
- ASEC’s Blog: “ChromeLoader Disguised as Illegal Game Programs Being Distributed” by gygy0101 on 2023-02-23
- HP’s Blog: “ChromeLoader malware campaign punishes pirating users” by HP on 2023-06-14
- BlackBerry’s Blog: “ChromeLoader Infects the Browser by Loading Malicious Extension” by The BlackBerry Research & Intelligence Team on 2022-11-03
- MITRE’s Repository: “Scheduled Task/Job: Scheduled Task” by MITRE on 2023-11-15
- Center for Internet Security (CIS)’s Blog: “Abusing Scheduled Tasks with Living off the Land Attacks” by Valecia Stocchetti on N/A
- Red Canary’s Blog: “Scheduled Task” by Red Canary on 2024-03-12
- Purple Team’s Blog: “Scheduled Task Tampering” by Adminstrator on 2024-01-03
- Blackpoint Cyber’s Blog: “How RDP Attacks Go Down” by Blackpoint Cyber on 2022-05-31
- Sophos’s Blog: “It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024” by John Shier; Angela Gunn on 2024-04-03
- Bitdefender’s Blog: “Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia” by Liviu Arsene on 2020-05-21
- CrowdStrike’s Blog: “CARBON SPIDER Embraces Big Game Hunting, Part 1” by Eric Loui; Josh Reynolds on 2021-08-30