The Consensus Security Vulnerability Alert

January 20, 2022  |  Vol. 22, Num. 03

Internet Storm Center Spotlight


Title: Attackers use AWS, Azure, to spread group of RATs

Description: Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting user's information. According to Cisco Secure product telemetry, the victims of this campaign are primarily distributed across the United States, Italy and Singapore. The actor used complex obfuscation techniques in the downloader script. Each stage of the deobfuscation process results with the decryption methods for the subsequent stages to finally arrive at the actual malicious downloader method. The campaign is the latest example of threat actors abusing cloud services like Microsoft Azure and Amazon Web Services and are actively misusing them to achieve their malicious objectives.

References: https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html

Snort SIDs: 58758 – 58773

ClamAV signatures:

* Ps1.Dropper.HCrypt-9913873-0

* Txt.Trojan.BatchDownloader-9913886-0

* Win.Trojan.AsyncRAT-9914220-0

* Txt.Downloader.Agent-9914217-0

* Js.Trojan.Agent-9914218-0

* Js.Downloader.Agent-9914219-0

* Win.Packed.Samas-7998113-0

* Win.Trojan.NanoCore-9852758-0

* Win.Dropper.NetWire-8025706-0

* Win.Malware.Generickdz-9865912-0

* Win.Dropper.Joiner-6

Title: Log4j-related Java flaw found in H2

Description: Security researchers recently discovered a critical vulnerability in the H2 open-source Java SQL database that’s like the widespread Log4shell exploit. However, the issue in H2 is considered to be less serious, as it's harder to exploit and gives potential attackers less of an attack surface. The flaw, identified as CVE-2021-42392, could allow an adversary to execute remote code on vulnerable systems. H2 is widely used by developers in web and internet-of-things platforms. This issue specifically lies in JNDI remote class loading, making it similar to Log4Shell, in that it allows several code paths in the H2 database framework to pass unfiltered attacker-controlled URLs to the javax.naming.Context.lookup function.

References: https://threatpost.com/log4j-related-flaw-h2-database/177448/