Between March 6-13, 2024, Blackpoint’s Security Operations Center (SOC) responded to 158 total incidents. These incidents included 14 on-premises MDR incidents, one Cloud Response for Google Workspace, and 143 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of: 

  • The Ligolo Tunneler application attempting to connect to external attacker infrastructure via port 11601, alongside Impacket-style remote command execution 
  • The Neshta / Neshuta file infector virus, using a trojan disguised as a legitimate SFVIP Player executable 
  • Purple Fox / DirtyMoe botnet malware through a fake .png file 
  • A Local Security Authority Subsystem Service (LSASS) memory dump created with rundll32.exe and comsvcs.dll, alongside scheduled tasks, Microsoft Management Console and WMI, consistent with living-off-the-land (LotL) credential theft and potential credential exfiltration 

In this blog, we discuss some of the incidents we observed, why they’re important, and how you can mitigate these types of incidents with Blackpoint Cyber.  

Ligolo Tunneler Incident with Manufacturing End Customer on March 7, 2024

Topline Takeaways

  • Date: March 7, 2024 
  • Targeted Industry: Manufacturing 
  • Relevant attacker information 
    • Impacket 
    • Ligolo Tunneler 
    • Domain admin enumeration and lateral movement 
  • Relevant client systems 
    • Domain-joined Windows endpoints 
  • Blackpoint SOC actions 
    • Proactive isolation of infected device 
    • Client outreach with additional remediation advice 
  • Why this matters: The Adversary Pursuit Group (APG) predicts that abuse of legitimate coding and software tools for malicious purposes will continue over the next 12 months – especially Ligolo Tunneler.
  • Recommended remediations and mitigations:
    • Alert configuration on abnormal user activity
    • Network segmentation for common ports
    • Disabled administrative and hidden shares 

Last Thursday, the Blackpoint SOC was alerted to potentially malicious activity on an endpoint for an end customer in the manufacturing vertical.  

The threat actor was observed enumerating domain admins and moving laterally in the network, before remotely executing commands that resembled standard commands for the Impacket tool.  

Upon further analysis, the Blackpoint SOC identified a likely tunnel agent, “lig_cr.exe”, communicating with a remote IP over port 11601, the default port on which the Ligolo proxy listens for agent connections.  

On confirmation of malicious activity by an active threat, the client’s devices were isolated to prevent any further malicious activity or compromise, and the SOC analysts contacted the client to provide further mitigations. 

 

What is Impacket and Ligolo Tunneler?

Impacket is an open-source collection of Python classes for working with network protocols such as SMB, MSRPC, Kerberos and LDAP. It has legitimate development and testing uses, but the example scripts built on it (secretsdump, wmiexec, psexec and smbexec among them) are routinely used by threat actors to dump credentials, enumerate the domain, execute commands remotely and escalate privileges. 

Ligolo Tunneler is a legitimate penetration-testing tool for establishing SOCKS5 or TCP tunnels. An agent deployed inside the target network connects back out to the operator’s proxy (reverse tunneling), which then gives the operator routed access to internal hosts. Threat actors use exactly the same mechanism to connect a compromised system to attacker infrastructure and pivot further into the victim network.  

  • The Ligolo Tunneler has been used by multiple threat actors including LockBit, BlackCat, Karakurt, Akira, Magnet Goblin, and others.

 

How often will Ligolo Tunneler and Impacket be used by threat actors in 2024?

In July 2023, CISA released an advisory warning that threat actors had exploited CVE-2023-3519 (CVSS score 9.8), an unauthenticated remote code execution flaw in Citrix NetScaler ADC and Gateway, to gain access to victim environments. Those threat actors then used the Ligolo Tunneler to connect to remote hosts and continue their attack.  

The APG predicts that threat actors will continue to abuse legitimate developer and tester tools and platforms over the next 12 months – especially the Ligolo Tunneler and portions of the Impacket tool set.

 

Recommended Ligolo and Impacket Mitigations and Remediations

The APG recommends the following mitigations for preventing the malicious use of tools such as Ligolo and Impacket.  

  • Hunt for Impacket-style activity – specifically remote execution and data transfers over RPC/SMB and the Windows default dynamic port range (49152–65535) – with a query such as: 
    • endpoint_name:NAME AND (network_port:135 OR network_port:445 OR network_port:[49152 TO *]) 
    • Ports 135/445 and the dynamic range carry plenty of legitimate RPC, file-share and management traffic, so scope the query to endpoints that should not be initiating such connections and treat the results as hunting leads rather than standalone alerts. 
  • Configure alerts on non-typical user activity – specifically the use of penetration-testing and developer tools such as Ligolo Tunneler and Impacket on endpoints or user accounts that have no business running them. 
  • Disable administrative and hidden shares on workstations, as these tools often target the ADMIN$ share to remotely execute commands (Impacket’s psexec- and smbexec-style execution in particular).  
  • Use network segmentation that blocks workstation-to-workstation use of the common lateral-movement ports and protocols, including: 
    • SMB (445) and RPC (135 plus the dynamic range) 
    • RDP (3389) 
    • PowerShell Remoting / WinRM (5985, 5986) 
    • WMI (DCOM over 135 and the dynamic range) 
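The two signals in the incident above, the agent calling out on the Ligolo default port and the RPC/SMB-then-dynamic-port sequence that Impacket’s DCOM/WMI-based execution leaves behind, can be hunted for over connection telemetry. The script below is an added example written for this post, not Blackpoint SOC code: the record format, host names and IP addresses are constructed, the 5-minute pairing window is an assumption to tune per environment, and “internal” is approximated as RFC1918 space.

```python
"""Hunting logic for the Ligolo / Impacket pattern described above, run over
constructed connection records (not real customer telemetry)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

LIGOLO_DEFAULT_PORT = 11601   # default listener of the Ligolo proxy
DYNAMIC_PORT_START = 49152    # start of the Windows default dynamic range
SMB_RPC_PORTS = {135, 445}    # MSRPC endpoint mapper and SMB

# Assumption: "internal" means RFC1918; adjust for your address plan.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Conn:
    ts: datetime
    host: str      # endpoint that opened the connection
    process: str   # image name of the connecting process
    dst_ip: str
    dst_port: int


def parse_line(line: str) -> Conn:
    """Parse one constructed record: '<iso-ts> <host> <process> <dst_ip>:<dst_port>'."""
    ts, host, proc, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return Conn(datetime.fromisoformat(ts), host, proc, ip, int(port))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_ligolo_callbacks(conns: list[Conn]) -> list[Conn]:
    """Outbound connections to a non-RFC1918 address on the Ligolo default port.
    An attacker can change the port, so treat this as one signal, not the only one."""
    return [c for c in conns if c.dst_port == LIGOLO_DEFAULT_PORT and not is_internal(c.dst_ip)]


def find_impacket_style(conns: list[Conn], window: timedelta = timedelta(minutes=5)) -> list[Conn]:
    """Flag a dynamic-port connection that follows an RPC/SMB connection from the
    same source to the same target within `window`. That 135/445 -> 49152+
    sequence is what Impacket's DCOM/WMI-based remote execution looks like on
    the wire; ordinary file-share browsing does not usually produce it."""
    hits: list[Conn] = []
    last_rpc: dict[tuple[str, str], datetime] = {}
    for c in sorted(conns, key=lambda x: x.ts):
        key = (c.host, c.dst_ip)
        if c.dst_port in SMB_RPC_PORTS:
            last_rpc[key] = c.ts
        elif c.dst_port >= DYNAMIC_PORT_START and key in last_rpc and c.ts - last_rpc[key] <= window:
            hits.append(c)
    return hits


def hunt(lines: list[str]) -> dict[str, list[Conn]]:
    conns = [parse_line(line) for line in lines if line.strip()]
    return {"ligolo": find_ligolo_callbacks(conns), "impacket": find_impacket_style(conns)}


# Constructed sample: WS01 runs the tunnel agent and then executes against a
# server; WS02 and WS03 are ordinary activity (WS03 hits 11601 on an internal box).
SAMPLE_LOG = [
    "2024-03-07T09:14:02 WS01 lig_cr.exe 198.51.100.7:11601",
    "2024-03-07T09:15:10 WS01 svchost.exe 10.0.0.5:135",
    "2024-03-07T09:15:11 WS01 svchost.exe 10.0.0.5:49671",
    "2024-03-07T09:15:12 WS01 System 10.0.0.5:445",
    "2024-03-07T09:30:00 WS02 explorer.exe 10.0.0.9:445",
    "2024-03-07T10:02:45 WS03 chrome.exe 10.0.0.20:11601",
]

if __name__ == "__main__":
    for kind, hits in hunt(SAMPLE_LOG).items():
        for c in hits:
            print(f"[{kind}] {c.host} {c.process} -> {c.dst_ip}:{c.dst_port} at {c.ts:%H:%M:%S}")
```

Run against the sample, the Ligolo check returns only the lig_cr.exe callback and the pairing check returns only WS01’s dynamic-port connection to 10.0.0.5; WS02’s plain file-share access and WS03’s internal connection on 11601 are left alone. Legitimate management tooling (SCCM, monitoring agents, AD replication) produces the same 135-then-dynamic-port sequence, so baseline those sources before alerting on the pairing.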

Fake “SFVIP Player” and Neshta Malware Incident with Technology End Customer on March 8, 2024

Topline Takeaways

  • Date: March 8, 2024 
  • Targeted Industry: Technology 
  • Relevant attacker information 
    • Neshta / Neshuta malware 
    • Use of trojans 
  • Relevant client systems 
    • MS Defender 
    • SFVIP Player 
  • Blackpoint SOC actions 
    • Proactive isolation of infected device 
    • Client outreach with additional remediation advice 
  • Why this matters: The APG predicts that threat actors will continue using trojans masquerading as legitimate software throughout 2024, with similar attack patterns for malvertising and SEO poisoning also becoming more common. 
  • Recommended remediations and mitigations 
    • Application whitelisting 
    • Endpoint and environment audits 
    • Heuristics-based network monitoring  

 

What happened?

Last Friday, the Blackpoint SOC was alerted by MS Defender to the trojan process “sfvip player.exe” on the host of a client in the technology vertical. Upon further investigation, SOC analysts identified successful process execution and active network connections to foreign IP addresses.  

Our SOC analysts isolated the device and contacted the impacted client to provide additional information and mitigations. 

 

What was the “sfvip player.exe” process?

In researching the “sfvip player.exe” process involved in this incident, the APG found that a similar file name “sfvip_player.exe” was previously identified as the Neshta (also known as “Neshuta”) malware.  

Thus, it is likely that the process executed by the SFVIP Player trojan during this incident was Neshta, or a variant of it. 

Note that while 35 out of 73 security vendors on VirusTotal identified the “sfvip player.exe” process in our incident as malicious, this majority categorized it as a “generic trojan,” rather than a specific carrier of Neshta malware.  

 

What is Neshta malware?

Neshta (or Neshuta) is a file infector virus: it targets Windows executable files, inserting itself so that it runs whenever an infected program is launched, and collects information about the user and the compromised system.   

While Neshta has been in use since 2003 across a wide range of campaigns, in 2021 it was bundled with the Avaddon group’s Ransomware-as-a-Service (RaaS) package in a successful infection of a Mexican company.  

 

How often will the SFVIP Player trojan for Neshta malware be used by threat actors in 2024?

Threat actors are often observed disguising their malware as legitimate executables in order to evade detection and successfully infect a victim network.  

For example, consider the malicious file name “sfvip player.exe” in this incident.  

SFVIP Player is a legitimate media player. If an unsuspecting end user or SOC analyst saw that file name in their logs or on disk – differing from the legitimate process name only by a space in place of an underscore – there is a high chance they would dismiss any alerts around it as false positives, delaying response or letting the activity go undetected until it was too late. 

(This file name masquerade is the same strategic move employed by threat actors leveraging malvertising and SEO poisoning techniques for initial intrusion and malware deployments, among other use cases.) 

The APG predicts that threat actors will likely continue to masquerade trojans as legitimate executable files over the next 12 months.  

 

Recommended SFVIP Player Trojan and Neshta Malware Mitigations and Remediations

Especially for the SFVIP Player trojan and Neshta malware, the Blackpoint SOC recommends that organizations: 

  • Implement application whitelisting to restrict unauthorized program execution, particularly for peripheral applications that are not needed for work but that users find convenient. 
    • Had the organization approved only the official SFVIP Player binary, from its installed location, for use on endpoints – or outright blocked all non-standard media playback apps – the suspected Neshta trojan could not have run even as far as it did. 
  • Employ heuristics-based monitoring of network and endpoint activity to identify threats primarily by what they do, rather than by file name or signature alone. 
    • While most security vendors flagged this specific file as a generic trojan, a purely name- or signature-matching tool could have missed it, since the file name was not exactly that of previously identified Neshta samples. 
  • Conduct regular environment and endpoint audits to identify weak points, apply required patches, and close potential infection paths.  
  • Check for the SFVIP Player trojan on your network at the path observed in this incident: 
    • C:\Users\$username\Desktop\SFVIP-Player-x64\sfvip player.exe 
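The whitelisting point above is worth making concrete, because the masquerade in this incident defeats a naive name check in two ways at once: the name is almost right (“sfvip player.exe” versus “sfvip_player.exe”) and the location is wrong (a Desktop folder rather than the install directory). The following is an added example for this post, not an AppLocker/WDAC policy or Blackpoint tooling; the allowlist entries, the approved directories and the sample execution events are all constructed. A production policy should also pin publisher or file hash; this example isolates only the name-and-path check.

```python
"""Allowlist plus look-alike check for the SFVIP Player masquerade above.
Added example; the allowlist and sample events are constructed, not a real
policy or real telemetry."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed allowlist: exact image name -> directory it may run from.
# A production policy (AppLocker/WDAC) should pin publisher or hash as well;
# this example isolates the name/path masquerade the incident relied on.
ALLOWLIST = {
    "sfvip_player.exe": r"c:\program files\sfvip player",
    "vlc.exe": r"c:\program files\videolan\vlc",
}


def canonical(name: str) -> str:
    """Collapse the tricks used to build a look-alike name: case, and
    spaces/hyphens/underscores used interchangeably ('sfvip player.exe' vs
    'sfvip_player.exe')."""
    return re.sub(r"[\s_\-]+", "_", name.strip().lower())


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def check_execution(image_path: str) -> Verdict:
    path = image_path.replace("/", "\\").lower()
    directory, _, filename = path.rpartition("\\")

    # 1. Exact name in its approved directory: allowed.
    if filename in ALLOWLIST and directory == ALLOWLIST[filename]:
        return Verdict(True, "allowlisted image in approved directory")

    # 2. Exact name, wrong directory: a copy dropped somewhere user-writable.
    if filename in ALLOWLIST:
        return Verdict(False, f"allowlisted name '{filename}' running from unapproved directory '{directory}'")

    # 3. Name that normalises to an allowlisted one: the masquerade case.
    for legit in ALLOWLIST:
        if canonical(filename) == canonical(legit):
            return Verdict(False, f"look-alike of '{legit}' ('{filename}') in '{directory}'")

    # 4. Anything else is simply not approved (default deny).
    return Verdict(False, f"'{filename}' is not allowlisted")


# Constructed sample events: the legitimate install, the incident's path,
# a copy of the real name in Downloads, and an unrelated double-extension file.
SAMPLE_EVENTS = [
    r"C:\Program Files\SFVIP Player\sfvip_player.exe",
    r"C:\Users\jdoe\Desktop\SFVIP-Player-x64\sfvip player.exe",
    r"C:\Users\jdoe\Downloads\sfvip_player.exe",
    r"C:\Users\jdoe\Downloads\invoice.pdf.exe",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        v = check_execution(event)
        print(("ALLOW " if v.allowed else "BLOCK ") + v.reason)
```

Only the first event is allowed. The incident path is blocked as a look-alike of the approved name, the Downloads copy is blocked for running outside its approved directory, and the double-extension file falls through to default deny. The canonical-name step is what turns a near-miss file name from a reason to dismiss an alert into a reason to escalate it.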

Purple Fox Incident with Insurance End Customer on March 9, 2024

Topline Takeaways

  • Date: March 9, 2024 
  • Targeted Industry: Insurance 
  • Relevant attacker information 
    • Purple Fox / DirtyMoe 
  • Relevant client systems 
    • WindowsOS 
  • Blackpoint SOC actions 
    • Proactive isolation of infected host before payload downloads 
    • Client outreach with additional remediation advice 
  • Why this matters: Purple Fox / DirtyMoe infections are predicted to increase over the next 12 months, driven by its malware deployment, persistence, and distributed denial of service (DDoS) capabilities.  
  • Recommended remediations and mitigations 
    • Application whitelisting 
    • Regular environment and endpoint audits 
    • Search for evidence of Purple Fox infections and persistence 

What happened?

Last Saturday, the SOC was alerted to the Purple Fox malware on a host of a client in the insurance vertical.  

The MDR analyst identified suspicious callouts to malicious IPs based in China, Singapore, Kazakhstan, India, and the Netherlands, attempting to download a fake .png file, “0AC0B78.png”, which was the malicious payload.  

We then immediately isolated the infected device, before contacting the customer to provide additional context and advice on next steps. 

 

What does Purple Fox malware do?

Active since 2018, Purple Fox (also known as “DirtyMoe”) is a modular Windows botnet malware. 

Purple Fox comes with a rootkit module, allowing the malware to hide and remain persistent between reboots – making it difficult to remove from an infected system.  

Purple Fox can also be used as a downloader to deploy second-stage payloads on the compromised system. 

Multiple threat actors have used Purple Fox malware, mostly for:  

  • Establishing remote access to the targeted system,  
  • Launching DDoS attacks, and  
  • Deploying cryptocurrency miners.  

While other tools can accomplish the same or similar tactical goals, Purple Fox malware is an attractive tool for threat actors due to its: 

  • Rootkit capabilities,  
  • Worm propagation, and  
  • Ability to maintain persistence on victim networks.  

 

How often will Purple Fox malware be used by threat actors in 2024?

In January 2024, the Government Computer Emergency Response Team of Ukraine (CERT-UA) released an advisory warning of a Purple Fox malware campaign that infected more than 2,000 computers in Ukraine.

The APG predicts that threat actors will continue to deploy Purple Fox malware across multiple industry verticals and geographic locations over the next 12 months. 

 

Recommended Purple Fox Mitigations and Remediations

Thankfully, the security actions which help prevent Purple Fox malware deployment are similar to other malware mitigations. 

Specifically, the APG recommends the following to help detect malicious activity related to Purple Fox malware: 

  • Implement application whitelisting to help restrict unauthorized program execution.  
  • Conduct regular environment and endpoint audits to identify weak points, apply necessary patching requirements, and close potential infection paths.  
  • Search for potential Purple Fox infections by:  
    • Examining network connections to “high” (10000+) ports against the IP address list in the appendix of the CERT-UA report. 
    • Using regedit.exe to check for the following registry values: 
      • Windows XP: HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AC0[0-9] 
      • Windows 7: HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlay8\Direct3D 
    • Analyzing the “Application” log in Event Viewer for event IDs 1040 and 1042 with source “MsiInstaller” (Purple Fox is delivered as an MSI package) 
    • Checking “C:\Program Files” for folders with random names (e.g., “C:\Program Files\dvhvA”) 
  • Check for the malware’s persistence mechanism: it installs a service and drops files at the locations below, and its rootkit hides these from normal listing and removal, so “nothing found” from user-mode tools on a suspect host is not conclusive.  
    • Key locations, with “XXXXXXXX” a random [A-F0-9]{8} sequence (e.g., “MsBA4B6B3AApp.dll”): 
      • HKEY_LOCAL_MACHINE\System\ControlSet001\services\MsXXXXXXXXApp 
      • C:\Windows\System32\MsXXXXXXXXApp.dll 
      • C:\Windows\AppPatch\DBXXXXXXXXMK.sdb, RCXXXXXXXXMS.sdb, TKXXXXXXXXMS.sdb  
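The artifact names above all follow a fixed shape, so the hunt can be automated over an inventory exported from each host (service names, System32 and AppPatch directory listings, Program Files folder names, and Application-log MsiInstaller events). The matcher below is an added example for this post, not Blackpoint or CERT-UA tooling: the inventory records are constructed, the record format (a kind/value pair per item) is an assumption, and the “random folder name” heuristic and its baseline of known-good short folder names are assumptions to tune per fleet. Because the rootkit can hide its files from user-mode listings, an empty result from this matcher on a host with other indicators should be followed up with an offline or kernel-level check.

```python
"""Offline matcher for the Purple Fox artifacts listed above. Added example; the
inventory records are constructed, not taken from a live host."""
from __future__ import annotations

import re

HEX8 = r"[A-F0-9]{8}"   # the XXXXXXXX placeholder in the report

# Windows names are case-insensitive, so match case-insensitively.
ARTIFACTS = {
    "service": re.compile(rf"^Ms{HEX8}App$", re.I),             # HKLM\System\ControlSet001\services\MsXXXXXXXXApp
    "dll":     re.compile(rf"^Ms{HEX8}App\.dll$", re.I),         # C:\Windows\System32\MsXXXXXXXXApp.dll
    "sdb":     re.compile(rf"^(?:DB{HEX8}MK|RC{HEX8}MS|TK{HEX8}MS)\.sdb$", re.I),  # C:\Windows\AppPatch
    "legacy":  re.compile(r"^AC0[0-9]$", re.I),                  # older AC0[0-9] service names
}
MSI_EVENT_IDS = {1040, 1042}   # MsiInstaller transaction begin / end

# Heuristic (assumption) for the random-name folders under C:\Program Files:
# short, letters only, and not in a baseline of folders known to be legitimate
# on this fleet. Tune the baseline per environment.
RANDOM_DIR = re.compile(r"^[A-Za-z]{4,6}$")
BASELINE_DIRS = {"java", "dell", "intel"}


def classify(kind: str, value: str) -> str | None:
    """Return a reason string if the record looks like a Purple Fox artifact.
    kind is one of: service, dll, sdb, legacy, progdir, event."""
    if kind in ARTIFACTS:
        return f"{kind} name matches Purple Fox pattern" if ARTIFACTS[kind].match(value) else None
    if kind == "progdir":
        if RANDOM_DIR.match(value) and value.lower() not in BASELINE_DIRS:
            return "random-looking folder under Program Files"
        return None
    if kind == "event":
        # constructed event format: "<source>:<event id>"
        source, _, event_id = value.partition(":")
        if source == "MsiInstaller" and event_id.isdigit() and int(event_id) in MSI_EVENT_IDS:
            return "MsiInstaller transaction event (Purple Fox installs via MSI)"
        return None
    return None


def hunt(inventory: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    findings = []
    for kind, value in inventory:
        reason = classify(kind, value)
        if reason:
            findings.append((kind, value, reason))
    return findings


# Constructed inventory: a few Purple Fox-shaped names mixed with normal ones.
SAMPLE_INVENTORY = [
    ("service", "MsBA4B6B3AApp"),
    ("service", "wuauserv"),
    ("dll", "MsBA4B6B3AApp.dll"),
    ("dll", "kernel32.dll"),
    ("sdb", "RCBA4B6B3AMS.sdb"),
    ("sdb", "sysmain.sdb"),
    ("legacy", "AC03"),
    ("progdir", "dvhvA"),
    ("progdir", "Java"),
    ("progdir", "Common Files"),
    ("event", "MsiInstaller:1040"),
    ("event", "MsiInstaller:1033"),
]

if __name__ == "__main__":
    for kind, value, reason in hunt(SAMPLE_INVENTORY):
        print(f"{kind:8} {value:22} {reason}")
```

On the sample inventory the matcher returns six findings (the service, DLL and .sdb names with the same 8-hex-character sequence, the legacy AC03 service, the dvhvA folder, and the MsiInstaller 1040 event) and ignores the normal entries. Three artifacts sharing one random sequence on a single host is the strongest signal here; a lone MsiInstaller event or a short folder name on its own is only a prompt to look closer.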

Living off the Land LSASS Incident with Technology Customer on March 11, 2024

Topline Takeaways

  • Date: March 11, 2024 
  • Targeted Industry: Technology 
  • Relevant attacker information 
    • Living off the Land (LotL) 
  • Relevant client systems 
    • Local Security Authority Subsystem Service (LSASS) 
    • MiniDump 
  • Blackpoint SOC actions 
    • Proactive isolation of impacted endpoint 
    • Client outreach with additional remediation advice 
  • Why this matters: APG predicts an increase in LotL strategies by threat actors, with 25+ ransomware operations abusing LSASS and 5+ abusing the MiniDump for credential harvesting.
  • Recommended remediations and mitigations 
    • Least privilege access controls 
    • System activity monitoring 
    • Multifactor authentication (MFA) & virtual private networks (VPNs) 
    • Scripting language controls 

 

What happened?

Last Monday, the SOC detected remote execution events on an endpoint of a customer in the technology vertical.  

Analysts observed that a Local Security Authority Subsystem Service (LSASS) dump was created by running rundll32.exe against comsvcs.dll, specifically: 

  • rundll32.exe C:\Windows\System32\comsvcs.dll, #+0000^24 (Get-Process lsass).Id \Windows\Temp\KKQ.pdf full 

Three details of that command line are worth noting: “#+0000^24” is an obfuscated “#24”, the ordinal of comsvcs.dll’s MiniDump export (the caret is a cmd.exe escape character that is stripped before rundll32 sees the argument, and the leading “+0000” is ignored when rundll32 parses the ordinal); “(Get-Process lsass).Id” is a PowerShell expression that resolves the LSASS process ID at run time; and the dump was written with a .pdf extension so that the file would look innocuous. 

They isolated the endpoint and contacted the customer. 

 

What is comsvcs.dll?

comsvcs.dll is a recognized LotL binary: its exported MiniDump function (ordinal 24) calls MiniDumpWriteDump from dbghelp.dll to write a process’s memory to disk, which is exactly what a credential-theft tool needs when pointed at LSASS.  

During this incident, the threat actor also used scheduled tasks, Microsoft Management Console, and WMI during the course of actions. 

 

What is the Local Security Authority Subsystem Service?

The LSASS plays an integral role in Microsoft Windows operating systems. Its primary function is to implement the system’s security policy. It ensures that user logins to a Windows computer or server are verified, manages password modifications, and generates access tokens.  

LSASS is often utilized by threat groups – both advanced persistent threat (APT) and cybercriminal groups – to collect credentials that can be used to: 

  • Conduct follow-on attacks 
  • Be sold on cybercriminal forums 
  • Elevate privileges, and  
  • Evade detection.  

 

How often will LSASS be used by threat actors in 2024?

The APG has identified at least 25 ransomware operations that have utilized the LSASS process and five ransomware operations that have used the MiniDump function to collect credentials.  

It is likely that threat actors will continue to use LotL techniques such as dumping LSASS with built-in Windows binaries to evade detection and collect credentials over the next 12 months.  

 

Recommended Living off the Land and LSASS Mitigations and Remediations

LotL techniques can have significant impacts, allowing threat actors to remain undetected for longer periods of time by conventional security technologies and techniques. LotL facilitates malware deployment (including ransomware, backdoor, wiper malware, etc.) and theft of sensitive data (including credentials, proprietary data, etc.). 

Blackpoint APG recommends the following actions to help mitigate LotL techniques.  

  • Implement the practice of least privilege access controls. This can help ensure that users only have access to the data and resources required to complete their job functions.  
  • Monitor system activity for unusual access patterns involving commonly abused, whitelisted software and functions – such as processes opening handles to LSASS or invoking MiniDump – since these are the building blocks of threat actors’ LotL strategies.  
  • Ensure employees are using MFA and VPNs to access sensitive data and resources, providing an additional level of credential authentication.  
  • Minimize the use of – or implement strict controls on – the use of scripting languages, as threat actors rely on scripting languages to conduct LotL techniques.  
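The monitoring recommendation above is only as good as its handling of the obfuscation seen in this incident: a rule that looks for the literal string “MiniDump” misses “#+0000^24”. The script below is an added example for this post, not a Blackpoint or vendor detection rule. It normalises a process command line the way cmd.exe and rundll32 would (caret removal, ordinal parsing) before matching, then classifies it. The sample command lines are constructed; the first mirrors the shape of the one observed in the incident. Treat the regexes as a starting point, and note that a command naming LSASS only by a numeric PID must be correlated with the live process list, which this offline example does not do.

```python
"""Command-line detection for the comsvcs.dll MiniDump technique above. Added
example; the sample command lines are constructed and the regexes are not a
vendor rule."""
from __future__ import annotations

import re

RUNDLL32 = re.compile(r"\brundll32(?:\.exe)?\b", re.I)
COMSVCS = re.compile(r"\bcomsvcs(?:\.dll)?\b", re.I)
MINIDUMP_NAME = re.compile(r"\bMiniDump\b", re.I)
MINIDUMP_ORDINAL = re.compile(r"#24\b")     # comsvcs.dll exports MiniDump at ordinal 24
LSASS = re.compile(r"lsass", re.I)


def normalize(cmdline: str) -> str:
    """Undo cmd.exe-level obfuscation before matching.
    - '^' is the cmd escape character and is removed before rundll32 sees the
      argument, so '#+0000^24' reaches rundll32 as '#+000024'.
    - rundll32 parses an ordinal with atoi-like semantics, so '#+000024',
      '#0024' and '#24' all select export 24; collapse them to '#24'.
    - strip quotes and collapse whitespace so tokens line up."""
    s = cmdline.replace("^", "").replace('"', "")
    s = re.sub(r"\s+", " ", s)
    s = re.sub(r"#\s*\+?0*(\d+)", lambda m: "#" + str(int(m.group(1))), s)
    return s


def classify(cmdline: str) -> str | None:
    """'comsvcs_minidump_lsass', 'comsvcs_minidump', or None."""
    s = normalize(cmdline)
    if not (RUNDLL32.search(s) and COMSVCS.search(s)):
        return None
    if not (MINIDUMP_NAME.search(s) or MINIDUMP_ORDINAL.search(s)):
        return None
    # A numeric PID (e.g. '#24 624 ...') only names lsass indirectly; correlate
    # it with the live process list in a real detection. Here we flag the
    # explicit '(Get-Process lsass).Id' form and output files that say lsass.
    return "comsvcs_minidump_lsass" if LSASS.search(s) else "comsvcs_minidump"


def scan(cmdlines: list[str]) -> list[tuple[str, str]]:
    flagged = []
    for cmd in cmdlines:
        verdict = classify(cmd)
        if verdict:
            flagged.append((cmd, verdict))
    return flagged


# Constructed sample command lines.
SAMPLE_CMDLINES = [
    # shape of the observed command: caret-obfuscated ordinal, PowerShell PID lookup
    r"rundll32.exe C:\Windows\System32\comsvcs.dll, #+0000^24 (Get-Process lsass).Id \Windows\Temp\KKQ.pdf full",
    # plain export-name form with a numeric PID and an lsass-named output file
    r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\lsass.dmp full",
    # split carets inside the ordinal, no mention of lsass
    r'powershell -c "rundll32 C:\Windows\System32\comsvcs.dll, #^2^4 1234 C:\Temp\x.dmp full"',
    # benign rundll32 usage
    r"rundll32.exe shell32.dll,Control_RunDLL",
    # comsvcs.dll without rundll32 is not this technique
    r"regsvr32 /s C:\Windows\System32\comsvcs.dll",
]

if __name__ == "__main__":
    for cmd, verdict in scan(SAMPLE_CMDLINES):
        print(f"{verdict:24} {cmd}")
```

The first two samples classify as comsvcs_minidump_lsass, the third as comsvcs_minidump (worth an alert on its own, since there is no routine reason for rundll32 to call that export), and the last two are ignored. The normalisation step is the part to keep even if the rest is replaced with a vendor rule: matching on the raw command line would have let the incident’s “#+0000^24” through.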

Written By

The Adversary Pursuit Group, including…

Andi Ursry, Threat Intelligence Analyst

Andi Ursry has over five years of experience in threat intelligence. She has experience in both small business and Fortune 500 companies, beginning her career in the retail sector helping box stores mitigate risk prior to shifting to cyber intelligence. Her expertise lies in ransomware and APT (advanced persistent threat) groups’ tactics and tracking cyber trends. She holds a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.

