Xanthe malware spreads using systems with exposed Docker API [Warning]

Welcome to the next episode of Xopero Security Center. This time we are taking a good look into the Xanthe malware. Cisco Talos recently discovered a campaign affecting Linux systems employing a multi-modular botnet that uses various methods to spread across the network. How does it infect vulnerable infrastructures exactly? Check below.

Xanthe malware targets misconfigured Docker servers

Xanthe is a Monero cryptomining botnet, which has been exploiting incorrectly configured Docker API installations in order to infect Linux systems.

Typically, crypto miners attack Windows desktop systems, because the number of possible infections is much larger. But with the growth of cloud environments, there are more and more hosts on the internet that run Linux and that are not as well secured as in-house Windows systems. Non-Windows systems then become quite attractive targets for malicious actors.

Xanthe, named after the file name of the main spreading script, uses an initial downloader script (pop.sh) to download and run its main bot module (xanthe.sh). This module then downloads and runs four additional modules with various anti-detection and persistence functionalities. These four additional modules are:

A process-hiding module (libprocesshider.so).
A shell script to disable other miners and security services (xesa.txt).
A shell script to remove Docker containers of competing Docker-targeting cryptomining trojans (fczyo).
And the XMRig binary (as well as a JSON configuration file, config.json).

The Xanthe attack process

Once downloaded, the main module is also responsible for spreading to other systems on local and remote networks. It attempts to spread to other known hosts by stealing client-side certificates and connecting to them without the requirement for a password.

Misconfigured Docker servers are another way that Xanthe spreads. Researchers said that Docker installations can be easily misconfigured and the Docker daemon exposed to external networks with a minimal level of security.

A recent Shodan search shows that there are more than 6,000 incorrectly configured Docker installations exposed to the internet. As the Xanthe case shows, attackers are actively finding ways to exploit those exposed servers.
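The misconfiguration Xanthe relies on is easy to audit locally: the Docker daemon listening on a TCP socket without verifying client certificates, which makes the whole host controllable by anyone who can reach that port. The script below is an added example, not code from the Cisco Talos report or the Docker project. It assumes the daemon is configured through /etc/docker/daemon.json and/or the ExecStart line of its systemd unit, which is where the "hosts" list, the "-H" flags and the TLS switches normally live; the sample configurations at the bottom are constructed.

```python
"""Audit a Docker daemon configuration for the misconfiguration Xanthe abuses:
the remote API listening on TCP with no TLS client authentication.

Added example; it is not from the Cisco Talos report or the Docker project.
It assumes the daemon is configured through /etc/docker/daemon.json and/or the
ExecStart line of its systemd unit."""
import json
import re
import shlex
from dataclasses import dataclass, field

# tcp://HOST:PORT, with an optional [IPv6] host and optional port.
_TCP_RE = re.compile(r"tcp://(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^:/]*))(?::(?P<port>\d+))?")
ALL_INTERFACES = {"", "0.0.0.0", "::"}


@dataclass
class DockerApiAudit:
    tcp_hosts: list = field(default_factory=list)
    tls_enforced: bool = False       # true only when client certs are verified
    findings: list = field(default_factory=list)


def _collect_settings(daemon_json, exec_start):
    """Merge listener and TLS settings from daemon.json and an ExecStart line."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tls = bool(cfg.get("tls", False))
    tlsverify = bool(cfg.get("tlsverify", False))
    args = shlex.split(exec_start) if exec_start else []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tls", "--tls=true"):
            tls = True
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tls, tlsverify


def audit_docker_api(daemon_json, exec_start=""):
    """Return an audit with one finding per TCP listener that lacks client auth."""
    hosts, tls, tlsverify = _collect_settings(daemon_json, exec_start)
    result = DockerApiAudit(tls_enforced=tlsverify)
    for host in hosts:
        m = _TCP_RE.match(host)
        if not m:
            continue                       # unix:// and fd:// sockets are local only
        addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
        port = m.group("port") or "2375"   # dockerd's default plaintext port
        where = "all interfaces" if addr in ALL_INTERFACES else addr
        result.tcp_hosts.append(f"{addr or '0.0.0.0'}:{port}")
        if not tls and not tlsverify:
            result.findings.append(
                f"CRITICAL: Docker API on {where}:{port} is plaintext with no "
                "authentication; anyone who can reach it controls the host")
        elif not tlsverify:
            result.findings.append(
                f"HIGH: Docker API on {where}:{port} uses TLS but does not verify "
                "client certificates (set tlsverify)")
    return result


# Constructed samples: the exposed setup Xanthe looks for, and the hardened form.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
WEAK_EXEC_START = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"

if __name__ == "__main__":
    for label, cfg, unit in (("weak", WEAK_DAEMON_JSON, ""),
                             ("hardened", HARDENED_DAEMON_JSON, ""),
                             ("weak unit", "", WEAK_EXEC_START)):
        audit = audit_docker_api(cfg, unit)
        print(label, audit.tcp_hosts, audit.findings or ["no findings"])
```

Run it against the real files with `audit_docker_api(open("/etc/docker/daemon.json").read(), exec_start_line)`; a daemon that only serves the Unix socket produces no findings, and a TLS listener is accepted only when `tlsverify` is set, because `tls` alone encrypts the connection but still lets any client issue commands.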


TrickBot’s new module aims to infect your UEFI firmware

The developers of TrickBot have created a new module that probes for UEFI vulnerabilities. This means that attackers are looking for a way to take ultimate control over infected machines. No wonder this new TrickBot feature scares security professionals.

With access to UEFI firmware, a threat actor could establish persistence on the compromised machine that survives operating system reinstalls or replacement of the storage drives. Malicious code planted in the firmware (a bootkit) is invisible to security solutions operating on top of the operating system because it loads before everything else, in the initial stage of the computer’s boot sequence.

Targeting Intel platforms

TrickBoot is a reconnaissance tool that checks for vulnerabilities in the UEFI firmware of the infected machine. It checks if the UEFI/BIOS write protection is active using the RwDrv.sys driver from RWEverything, a free utility that allows access to hardware components such as the SPI flash memory chip that stores a system’s BIOS/UEFI firmware. The threat actor had implemented a mechanism that checked the single-chip chipset on the compromised system.

The researchers discovered that the role of the module was to run PCH queries to determine the specific model of PCH running on the system, thus identifying the platform. This information also allows the attacker to check if the platform is vulnerable or not.

The researchers also found that the actor relies on functions from a known firmware exploitation tool and library called fwexpl for the following purposes:

Read data from hardware IO ports.
Call the rwdrv.sys driver to write data to hardware IO ports.
Call the rwdrv.sys driver to read data from physical memory addresses.
Call the rwdrv.sys driver to write data to physical memory addresses.

TrickBot developing such a module is a clear indication that the actor is making an effort to expand its grip on compromised systems. The botnet already has thousands of infected machines from which the actor can select the most valuable targets.

For now the verification targets only Intel platforms (Skylake, Kaby Lake, Coffee Lake, Comet Lake).


Turla Crutch: Keeping the “back door” open

ESET researchers found a previously undocumented backdoor and document stealer attributed to the Turla APT group. Dubbed Crutch, it was used from 2015 until at least early 2020. They have seen Crutch on the network of a Ministry of Foreign Affairs in a country of the European Union, suggesting that this malware family is only used against very specific targets, as is common for many Turla tools.

Specialists identified similarities between Crutch and Turla’s previous backdoor, Gazer, also known as WhiteBear. Both samples have similar droppers and were dropped at C:\Intel~intel_upd.exe on the same machine with a five-day interval in September 2017. Both samples drop CAB files containing the various malware components. The loaders share clearly related PDB paths and decrypt their payloads using the same RC4 key.

Data exfiltration

According to ESET, Turla used the Crutch toolset against several machines of the Ministry of Foreign Affairs in a country of the European Union. These tools were designed to exfiltrate sensitive documents and other files to Dropbox accounts Turla operators controlled. The main malicious activity is the staging, compression and exfiltration of documents and various files. Commands are manually executed by the operators. The exfiltration is performed by another backdoor command.

ESET specialists believe that Crutch is not a first-stage backdoor and is deployed after the operators have already compromised an organization’s network. They observed two delivery methods. The first uses a first-stage implant such as Skipper. The second uses PowerShell Empire; it is not obvious how the malicious script arrived on the machine, probably through another implant, although a phishing document cannot be excluded. It should be noted that the PowerShell Empire scripts were using OneDrive and Dropbox.

Crutch is able to bypass some security layers by abusing legitimate infrastructure – here Dropbox – in order to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators.

The new version of Crutch has the following components:

The Crutch DLL (outllib.dll).
The genuine Outlook Item Finder from Microsoft Outlook.
A genuine DLL that is a dependency of finder.exe.
The Crutch config file, which contains the Dropbox API token.
The genuine RAR utility.
A clean version of the Wget utility for Windows.
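Because Crutch moves archives through the Dropbox API with a stock Wget binary, the traffic looks like ordinary cloud-storage use unless you look at who is talking to the API and how much they send. The hunt below is an added example, not ESET's tooling: it runs two checks over a constructed, space-separated proxy log (timestamp, source IP, method, host, path, bytes sent, quoted user agent). It uses the public Dropbox API hostnames; the command-line user-agent prefixes and the 10 MiB per-host upload threshold are assumed tuning values.

```python
"""Hunt a proxy log for document exfiltration hidden in legitimate cloud-storage
traffic: command-line clients talking to the Dropbox API, and bulk uploads.

Added example, not ESET's tooling. The log format and all log lines below are
constructed; hostnames are the public Dropbox API endpoints, the user-agent
prefixes and the byte threshold are assumptions to tune per environment."""
import shlex
from collections import defaultdict

DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
TOOL_UA_PREFIXES = ("Wget/", "curl/", "python-requests/")   # command-line HTTP clients
BULK_THRESHOLD = 10 * 1024 * 1024                          # assumed: 10 MiB per source host


def parse_line(line):
    """Fields: timestamp src_ip method host path bytes_sent "user-agent"."""
    ts, src, method, host, path, size, ua = shlex.split(line)
    return {"ts": ts, "src": src, "method": method, "host": host,
            "path": path, "bytes": int(size), "ua": ua}


def hunt_cloud_exfil(lines):
    """Return alerts: one per API call from a CLI tool, one per host over the upload threshold."""
    alerts = []
    uploaded = defaultdict(int)
    for n, raw in enumerate(lines, 1):
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["host"] not in DROPBOX_API_HOSTS:
            continue   # ordinary web traffic, including the Dropbox website itself
        if ev["ua"].startswith(TOOL_UA_PREFIXES):
            alerts.append({"rule": "cli-tool-to-dropbox-api", "src": ev["src"],
                           "line": n, "ua": ev["ua"]})
        if ev["method"] == "POST":
            uploaded[ev["src"]] += ev["bytes"]
    for src, total in sorted(uploaded.items()):
        if total > BULK_THRESHOLD:
            alerts.append({"rule": "bulk-upload-to-dropbox-api", "src": src, "bytes": total})
    return alerts


# Constructed log: one employee using Dropbox from a browser, one host pushing
# several large files through the API late at night with Wget.
SAMPLE_PROXY_LOG = """\
2020-09-14T08:02:11Z 10.0.7.9 GET www.dropbox.com /home 512 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2020-09-14T08:05:40Z 10.0.7.9 POST content.dropboxapi.com /2/files/upload 1048576 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2020-09-14T23:41:02Z 10.0.5.23 POST content.dropboxapi.com /2/files/upload 4194304 "Wget/1.20.3 (mingw32)"
2020-09-14T23:41:55Z 10.0.5.23 POST content.dropboxapi.com /2/files/upload 4194304 "Wget/1.20.3 (mingw32)"
2020-09-14T23:42:47Z 10.0.5.23 POST content.dropboxapi.com /2/files/upload 4194304 "Wget/1.20.3 (mingw32)"
"""

if __name__ == "__main__":
    for alert in hunt_cloud_exfil(SAMPLE_PROXY_LOG.splitlines()):
        print(alert)
```

The per-line rule catches the tooling (a bare Wget user agent has no business calling the API from a workstation), while the aggregate rule catches the behaviour even if the operators swap in a browser-like user agent, since staged RAR archives still have to leave the network.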

Crutch shows that the Turla group is not short of new or currently undocumented backdoors. This discovery further strengthens the perception that the group has considerable resources to operate such a large and diverse arsenal.


Hundreds of millions of Android users potentially exposed – 8% of apps vulnerable to old bug

Hundreds of millions of Android users are potentially exposed to attack because the apps they use still ship Android Play Core Library versions vulnerable to CVE-2020-8913. The affected apps include Microsoft’s Edge browser, Grindr, OKCupid, and Cisco Teams; all together, they make up 8% of all available Google Play apps!

The security flaw resides in older versions of Play Core, a very popular Java library provided by Google that developers can embed inside their apps to interact with the official Play Store portal.

Earlier this year, security researchers from Oversecured discovered a major vulnerability (CVE-2020-8913) in the Play Core library that a malicious app installed on a user’s device could have abused to inject rogue code inside other apps and steal sensitive data — such as passwords, photos, 2FA codes, and more.

A demo of such an attack is available below:

Google patched the bug in Play Core 1.7.2 in March. According to a scan performed by Check Point, six months after a Play Core patch was made available, 13% of all the Play Store apps were still using this library, and only 5% were using an updated (safe) version.

Apps that did their duty to users and updated the library included Facebook, Instagram, Snapchat, WhatsApp, and Chrome. However, many other apps did not.

Among the apps with the largest user bases that failed to update, Check Point listed Microsoft Edge, Grindr, OKCupid, Cisco Teams, Viber, and Booking.com. Three months after the researchers notified them, only Booking.com and Viber had released patches.

The vulnerability is extremely easy to exploit. All the hacker needs to do is to create a ‘hello world’ application that calls the exported intent in the vulnerable app to push a file into the verified files folder with the file-traversal path. Then sit back and watch the magic happen.
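The fix on the developer side is a dependency bump, and the Check Point numbers show how often that bump is missed. The scanner below is an added example, not Check Point's or Oversecured's tooling: it reads Gradle build files and flags every declaration of the Play Core artifact older than 1.7.2, the version the text says carried Google's patch. It assumes the Maven coordinates com.google.android.play:core and plain version literals in build.gradle or build.gradle.kts; versions held in a variable are reported as unresolved rather than guessed, and the sample build file is constructed.

```python
"""Flag Gradle dependency declarations that pull in a Play Core version older
than 1.7.2, the release the text says fixed CVE-2020-8913.

Added example, not from Check Point or Oversecured. Assumes the Maven
coordinates com.google.android.play:core and literal versions; variable
versions are reported as unresolved. The sample build file is constructed."""
import re

PATCHED = (1, 7, 2)
ARTIFACT = "com.google.android.play:core"
# Matches the Groovy form  implementation 'com.google.android.play:core:1.6.4'
# and the Kotlin DSL form  implementation("com.google.android.play:core:1.6.4").
_DEP_RE = re.compile(
    r'(?P<cfg>\w+)\s*\(?\s*["\']' + re.escape(ARTIFACT) + r':(?P<ver>[^"\']+)["\']'
)


def parse_version(text):
    """Turn '1.7.2' into (1, 7, 2); return None for variables or odd strings."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def scan_gradle(source):
    """Return (line_no, declared_version, status) for each Play Core dependency."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith("//"):
            continue  # commented-out declaration, not compiled in
        m = _DEP_RE.search(line)
        if not m:
            continue
        ver = parse_version(m.group("ver"))
        if ver is None:
            status = "unresolved"   # version comes from a variable; check gradle.properties
        elif ver < PATCHED:
            status = "vulnerable"
        else:
            status = "patched"
        findings.append((n, m.group("ver").strip(), status))
    return findings


# Constructed build file mixing a stale pin, a variable, and a patched pin.
SAMPLE_BUILD_GRADLE = """\
dependencies {
    implementation 'androidx.appcompat:appcompat:1.2.0'
    // implementation 'com.google.android.play:core:1.5.0'
    implementation 'com.google.android.play:core:1.6.4'
    implementation("com.google.android.play:core:$playCoreVersion")
    implementation 'com.google.android.play:core:1.8.0'
}
"""

if __name__ == "__main__":
    for line_no, version, status in scan_gradle(SAMPLE_BUILD_GRADLE):
        print(f"line {line_no}: {ARTIFACT}:{version} -> {status}")
```

Tuple comparison gives correct ordering for two-digit components (1.10.0 sorts after 1.7.2), which a plain string compare gets wrong; an "unresolved" result means the version lives in a property or version catalog and must be checked there.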


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Google Hacker Details Zero-Click ‘Wormable’ Wi-Fi Exploit to Hack iPhones (The Hacker News)
2. Researchers Discover New Obfuscation-As-a-Service Platform (Dark Reading)
3. Mac users warned of more Ocean Lotus malware targeted attacks (Graham Cluley)
4. Vulnerability Spotlight: Multiple vulnerabilities in WebKit (Talos Intelligence)
5. VMware fixes zero-day vulnerability reported by the NSA (Bleeping Computer)
6. This new cyberattack can dupe DNA scientists into creating dangerous viruses and toxins (ZDNet)
7. Hackers hide software skimmer in social media sharing icons (Security Affairs)
8. How the human immune system inspired a new approach to email security (The Register)
9. Manipulating Systems Using Remote Lasers (Schneier on Security)
10. Malicious npm packages spotted delivering njRAT Trojan (Security Affairs)