Keypoints
- Gopuram backdoor was deployed via a trojanized 3CXDesktopApp by embedding malicious code into libffmpeg to fetch a payload, targeting cryptocurrency firms with surgical precision.
- The Lazarus DeathNote cluster evolved its TTPs: weaponized documents (remote template injection), Trojanized legitimate apps, in-memory backdoors (BLINDINGCAN/COPPERHEDGE), DLL side-loading, named-pipe communication, and ServiceMove-based lateral movement.
- Operation Triangulation used zero-click iMessage exploits to install the in-memory spyware TriangleDB, which exfiltrates keychain credentials, media, and location data without user interaction.
- Tomiris and Turla tool overlaps were observed; Tomiris operates a varied toolset (downloaders, backdoors, stealers) and gains initial access through several vectors, including exploitation of ProxyLogon (CVE-2021-26855).
- DoubleFinger loader used multi-stage PNG-embedded payloads and Process Doppelgänging to deploy the GreetingGhoul crypto-stealer and, in some variants, Remcos RAT to hijack crypto-wallets.
- Nokoyawa ransomware leveraged a previously unknown CLFS elevation-of-privilege zero-day (CVE-2023-28252) to escalate privileges for ransomware deployment.
- Other campaigns used encoded PowerShell scheduled tasks and GPO-style policy changes with in-memory injection for persistence and evasion (Minas miner), and malicious browser-extension injection against crypto sites (Satacom).
MITRE Techniques
- [T1203] Exploitation for Client Execution – Used to execute weaponized documents and client-side exploits, e.g., ‘…remote template injection…’ and ‘…the Follina vulnerability…’ and ‘…using an invisible iMessage with a malicious attachment…’
- [T1105] Ingress Tool Transfer – Downloading of stage payloads from remote servers and image hosting (libffmpeg payloads, PNG stages from Imgur): ‘…to download a payload from their servers…’
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – DLL side-loading observed repeatedly, with a malicious DLL placed beside a legitimate signed executable that imports it: ‘…the same DLL side-loading technique…’
- [T1543.003] Create or Modify System Process: Windows Service – ServiceMove abuse of the Windows Perception Simulation Service to load arbitrary DLLs and achieve SYSTEM execution: ‘…ServiceMove…uses the Windows Perception Simulation Service to load arbitrary DLL files…’
- [T1055.013] Process Injection: Process Doppelgänging – Process Doppelgänging used to replace the image of a legitimate process with a modified one to execute GreetingGhoul: ‘…using a technique called Process Doppelgänging…’
- [T1059.001] Command and Scripting Interpreter: PowerShell – Encoded PowerShell scripts executed as tasks were used to launch shellcode and payloads: ‘…running an encoded PowerShell script as a task…’
- [T1113] Screen Capture – CloudWizard modules include screenshot capture capability: ‘…taking screenshots…’
- [T1056.001] Input Capture: Keylogging – Keylogging modules were part of CloudWizard’s feature set: ‘…keylogging…’
- [T1555.001] Credentials from Password Stores: Keychain – TriangleDB retrieves passwords and credentials from the iOS keychain: ‘…get passwords and credentials stored in the keychain…’
Indicators of Compromise
- [File names] Infection artifacts and droppers – guard64.dll, skype32.exe, CameraSettingsUIHost.exe, DUI70.dll
- [Image/embedded payloads] PNG-staged components used by DoubleFinger – aa.png (example of PNG containing encrypted stages) and other image-based loaders
- [CVE] Exploited vulnerabilities – CVE-2023-28252 (CLFS elevation-of-privilege zero-day), CVE-2021-26855 (ProxyLogon) mentioned as exploited
- [Domains/Platforms] Hosting and transfer mechanisms – imgur.com (used to host encrypted PNG stages), and references to compromised WordPress sites used as C2 relays
Attackers used multiple delivery chains and evasion techniques to achieve persistent, stealthy access and credential theft. The 3CX supply-chain compromise embedded malicious code in libffmpeg to download and load guard64.dll (Gopuram) into 3CXDesktopApp.exe as a backdoor, targeting cryptocurrency firms. Lazarus’ DeathNote campaigns relied on weaponized Office documents (remote template injection) and Trojanized viewer applications to drop downloaders that retrieve staged payloads, execute memory-resident backdoors (BLINDINGCAN/COPPERHEDGE), and subsequently deploy modular implants via named-pipe communications and DLL side-loading; in several intrusions attackers manually staged additional implants and used ServiceMove to load arbitrary DLLs as NT AUTHORITY\SYSTEM for lateral movement.
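The DLL side-loading pairs listed above (a signed host executable such as CameraSettingsUIHost.exe loading DUI70.dll from a directory the attacker controls) are easy to hunt for in image-load telemetry. The following detection script is an added example, not code from the report or from Kaspersky: it parses constructed Sysmon Event ID 7 (ImageLoaded) records in a simplified key=value format and flags a watched host/DLL pair whenever the DLL is resolved from anywhere other than its expected system directory. The allowlist of pairs and the expected directory (%SystemRoot%\System32) are assumptions for the example, not something the report states.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (ImageLoaded) records.

Added example (not from the report). The watched pair and its expected
directory are assumptions chosen because the page lists both file names.
"""
import ntpath

# Legitimate host executable -> DLL it imports, plus the directory where the
# genuine copy of that DLL lives. Constructed allowlist for this example.
KNOWN_PAIRS = {
    "camerasettingsuihost.exe": {
        "dll": "dui70.dll",
        "expected_dir": r"c:\windows\system32",
    },
}

# Constructed log lines in a simplified 'key=value|key=value' layout.
SAMPLE_EVENTS = [
    # Genuine load: host and DLL both live in System32.
    r"EventID=7|Image=C:\Windows\System32\CameraSettingsUIHost.exe|ImageLoaded=C:\Windows\System32\DUI70.dll|Signed=true",
    # Side-load: the signed host was copied next to a planted, unsigned DUI70.dll.
    r"EventID=7|Image=C:\Users\Public\Libraries\CameraSettingsUIHost.exe|ImageLoaded=C:\Users\Public\Libraries\DUI70.dll|Signed=false",
    # Unrelated process loading the real DLL; not a watched host.
    r"EventID=7|Image=C:\Windows\explorer.exe|ImageLoaded=C:\Windows\System32\DUI70.dll|Signed=true",
]


def parse_event(line: str) -> dict:
    """Split one 'k=v|k=v' record into a dict with lower-cased keys."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def is_sideload(event: dict) -> bool:
    """True when a watched host loads its paired DLL from an unexpected directory."""
    host = ntpath.basename(event.get("image", "")).lower()
    rule = KNOWN_PAIRS.get(host)
    if rule is None:
        return False
    loaded = event.get("imageloaded", "")
    if ntpath.basename(loaded).lower() != rule["dll"]:
        return False
    # Search-order resolution picks the DLL sitting beside the executable
    # before the system directory, so any non-System32 path is the signal.
    loaded_dir = ntpath.dirname(loaded).lower().rstrip("\\")
    return loaded_dir != rule["expected_dir"]


def find_sideloads(lines):
    """Return the parsed events that match the side-loading pattern."""
    hits = []
    for event in map(parse_event, lines):
        if is_sideload(event):
            # Unsigned DLL plus a relocated signed host strengthens the verdict.
            event["host_relocated"] = (
                ntpath.dirname(event["image"]).lower().rstrip("\\")
                != KNOWN_PAIRS[ntpath.basename(event["image"]).lower()]["expected_dir"]
            )
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"side-load candidate: {hit['image']} loaded {hit['imageloaded']} "
              f"(signed={hit['signed']}, host_relocated={hit['host_relocated']})")
```

In production the same logic runs over the real Sysmon XML or a SIEM export; the point is to key on the host/DLL pair and the load path rather than on file hashes, which the attacker changes per campaign.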
Multi-stage image-based staging and process replacement were observed in crimeware campaigns: DoubleFinger executes shellcode that downloads PNG files containing encrypted components, uses a legitimate java.exe loader, and employs Process Doppelgänging to swap in the GreetingGhoul crypto-stealer (and sometimes Remcos RAT), which persists via scheduled tasks and targets local crypto-wallet apps and overlays. Satacom uses a Windows-side dropper to install a Chromium extension that performs web injections against crypto sites; Minas used encoded PowerShell scheduled tasks and in-memory shellcode injected into system processes, likely deployed through GPO-style policy changes, to run a miner and maintain stealthy persistence.
Mobile-targeting and zero-click exploitation were also prominent: Operation Triangulation delivered an invisible iMessage attachment exploiting multiple iOS vulnerabilities to install TriangleDB, an in-memory spyware implant that exfiltrates files, microphone recordings, keychain credentials, and location data without user interaction. Ransomware actors (Nokoyawa) exploited a CLFS elevation-of-privilege zero-day (CVE-2023-28252) for privilege escalation, underscoring the broad mix of exploitation, in-memory operation, DLL side-loading, and scheduled/Service-based persistence across campaigns.
Read more: https://securelist.com/it-threat-evolution-q2-2023/110355/