Monthly Threat Brief: April 2024

Posted: 05/20/2024 | By: Bryson Medlock

Welcome to the latest edition of the monthly threat brief published by the ConnectWise Cyber Research Unit™ (CRU).

In this threat brief, we will provide raw data statistics, intel on specific threats, and a list of new detection signatures added to the ConnectWise SIEM™ throughout the month of April.

For a more detailed explanation of the overall trends and analysis of these numbers, check out our annual and quarterly threat reports. For comparison, March’s threat brief can be found here.

April 2024 stats

IOCs

The CRU collects indicators of compromise (IOCs) from public open-source intelligence (OSINT) sources and any cybersecurity incident escalated by the ConnectWise security operations center (SOC). These IOCs are used for automated threat hunting and data enrichment to assist SOC analysts. Below is a summary of the IOCs collected. We intend to launch streaming threat feeds based on this data later this year—stay tuned!


Figure 1: Summary of IOCs collected in April 2024

TTPs

The CRU collects tactics, techniques, and procedures (TTPs) from all incidents escalated by the ConnectWise SOC. This information helps us keep tabs on how threat actor behavior changes. Below are the top 10 MITRE ATT&CK® techniques for March 2024—provided for comparison—and April 2024.


Figure 2: Top 10 MITRE ATT&CK techniques observed in March 2024


Figure 3: Top 10 MITRE ATT&CK techniques observed in April 2024

Latest threats

Each month, we highlight threats that we have seen targeting our MSP partners and their clients. We see many of the same threats each month. This month, we are looking at the top five malware the ConnectWise SOC observed in April. Several of these have been covered in previous monthly threat briefs, but this edition includes updated IOCs observed in April 2024.

Malware


Figure 4: Top five malware observed in April 2024

Gootloader

GootLoader is a first-stage loader that has been around since 2020 and is typically paired with the GootKit banking trojan. Like GhostPulse, GootLoader relies primarily on SEO poisoning (T1608.006) to trick its victims into downloading malicious files. The GootLoader campaigns we have observed specifically target law firms, with lures impersonating legal documents such as contracts, subpoenas, or other legal forms (see the file names in the IOCs below). GootLoader payloads are typically hosted on compromised WordPress sites. SEO poisoning is a common technique, and we strongly recommend against downloading files from unknown sources.

[Image: MITRE ATT&CK techniques for GootLoader]

[Image: IOCs for GootLoader]

AsyncRAT

AsyncRAT, short for Asynchronous Remote Administration Tool, is an open-source remote access tool written in C# and available on GitHub. It is presented as a legitimate admin tool for remotely monitoring and controlling computers over an encrypted connection. It has a robust plugin system and includes features such as client screen viewing, recording, and keylogging.

Because it is free and open source, several threat actors use AsyncRAT for command and control (C2): the implant establishes an encrypted connection to the actor's C2 server, which the actor then uses to steal passwords or deploy additional tools, such as ransomware.

[Image: MITRE ATT&CK techniques for AsyncRAT]

[Image: IOCs for AsyncRAT]

FakeUpdates/SOCGholish

SOCGholish, also known as FakeUpdate(s), is a downloader written in JavaScript that lures victims into downloading malware by pretending to be a software update. It typically relies on [T1189] Drive-by Compromise for [TA0001] Initial Access. As a downloader, its primary purpose is to download other malware, and it has been used to download and deploy Dridex, NetSupport, DoppelPaymer, and others. More specifically, we have recently observed a number of SOCGholish infections downloading NetSupport RAT (see below) during April 2024.

[Image: MITRE ATT&CK techniques for SOCGholish]

[Image: IOCs for SOCGholish]

Solarmarker/Jupyter

Solarmarker, also known as Jupyter, Polazert, and Yellow Cockatoo, is a malware family with both information-stealing and backdoor capabilities. As an infostealer it harvests passwords and credit card information from victims' browsers; its command and control (C2) component supports file transfer and remote command execution. Solarmarker is distributed primarily by convincing users to download a malicious file via SEO poisoning (T1608.006). Some recent incidents involve downloading an LNK file (T1204.002) that executes malicious PowerShell (T1059.001).

Recent versions of Solarmarker have been using an Autodesk installer. Most of the initial files downloaded include some version of "installer-package.exe", though the actual filename varies. Often, a user downloads Solarmarker while attempting to download a legitimate application, such as a PDF editor. The initial dropper launches a genuine installer for the application it is masquerading as (T1036) while the malware installs in the background.

[Image: MITRE ATT&CK techniques for Solarmarker]

[Image: IOCs for Solarmarker]

NetSupport RAT

NetSupport Manager is a legitimate remote-control utility first released in 1989. Threat actors have modified and repurposed the legitimate application, and the result is tracked as NetSupport RAT. It supports file transfers, chat with support, inventory management, and remote-control access. Threat actors commonly repurpose legitimate tools for nefarious purposes as a form of [TA0005] Defense Evasion.

[Image: MITRE ATT&CK techniques for NetSupport RAT]

[Image: IOCs for NetSupport RAT]

New ConnectWise SIEM signatures

Several new ConnectWise SIEM detection signatures were added in April 2024. These include:

  • [CRU][Windows] RestrictedAdmin RDP Mode Enabled in Registry via Command Line

Techniques detected: [T1003] OS Credential Dumping, [T1550.002] Pass the Hash

Description: RestrictedAdmin is an RDP authentication mode originally introduced to protect administrative credentials against Pass-the-Hash attacks: the user's credentials are not sent to the remote host, so they cannot be harvested from it. However, because RestrictedAdmin sessions authenticate with a network logon rather than an interactive logon, the RDP server no longer needs the plaintext password. An attacker who already holds a user's NT hash can therefore open an RDP session with the hash alone (Pass-the-Hash over RDP) and impersonate that user.

RestrictedAdmin mode is disabled by default on current Windows installs, but threat actors have been observed enabling it from the command line by setting the DisableRestrictedAdmin value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa to 0. This event notification triggers when that change is made with the reg.exe command-line utility or PowerShell. Verify whether enabling the mode was intended, since it weakens the host's resistance to Pass-the-Hash.
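As an added illustration (example code written for this edition of the brief, not the SIEM rule itself), the following Python applies the same logic to process-creation records: it reads the DWORD that a reg.exe add or Set-/New-ItemProperty command writes to DisableRestrictedAdmin and alerts only when that value is 0, so an administrator turning the mode back off (value 1) does not fire. The sample records are constructed; the Lsa key path is the documented one, and the handling of -EncodedCommand is this example's own addition.

```python
"""Detect command lines that enable RestrictedAdmin RDP mode.

Added example, not ConnectWise SIEM rule content. Records mirror the fields of
a process-creation event (Security 4688 / Sysmon 1) and are constructed so the
script runs offline. The registry location is the documented one,
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin: 0 enables
RestrictedAdmin mode, 1 disables it.
"""
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENC_ARG = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\b", re.IGNORECASE)
PS_SET = re.compile(r"\b(?:set-itemproperty|new-itemproperty|sp)\b", re.IGNORECASE)
REG_DATA = re.compile(r"/d\s+[\"']?(0x[0-9a-f]+|\d+)", re.IGNORECASE)
PS_DATA = re.compile(r"-value\s+[\"']?(0x[0-9a-f]+|\d+)", re.IGNORECASE)


def expand_encoded(cmd: str) -> str:
    """Append the decoded text of a PowerShell -EncodedCommand argument
    (base64 of UTF-16LE) so the same patterns apply; the original is kept."""
    m = ENC_ARG.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd


def restricted_admin_value_written(cmd: str) -> Optional[int]:
    """DWORD written to DisableRestrictedAdmin under the Lsa key by this command
    line via reg.exe add or Set-/New-ItemProperty, or None if it writes none."""
    c = expand_encoded(cmd).lower()
    if "disablerestrictedadmin" not in c or "control\\lsa" not in c:
        return None
    if REG_ADD.search(c):
        m = REG_DATA.search(c)
    elif PS_SET.search(c):
        m = PS_DATA.search(c)
    else:
        return None          # e.g. "reg query": reads the value, writes nothing
    if not m:
        return None
    raw = m.group(1)
    return int(raw, 16) if raw.startswith("0x") else int(raw)


def find_restricted_admin_enables(events) -> list:
    """Ids of process-creation records whose command line sets the value to 0."""
    return [e["id"] for e in events if restricted_admin_value_written(e["command_line"]) == 0]


# Constructed sample: an enable hidden behind -EncodedCommand (base64 of UTF-16LE).
_ENC_PAYLOAD = base64.b64encode(
    ("Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa' "
     "-Name DisableRestrictedAdmin -Value 0").encode("utf-16-le")
).decode()

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"id": "e1", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f'},
    {"id": "e2", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -Command Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DisableRestrictedAdmin -Value 0"},
    {"id": "e3", "image": r"C:\Windows\System32\reg.exe",   # admin disabling the mode again
     "command_line": r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 1 /f"},
    {"id": "e4", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + _ENC_PAYLOAD},
    {"id": "e5", "image": r"C:\Windows\System32\reg.exe",   # read-only, benign
     "command_line": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin"},
]

if __name__ == "__main__":
    for eid in find_restricted_admin_enables(SAMPLE_EVENTS):
        print("RestrictedAdmin enabled via command line:", eid)
```

Command lines only appear in 4688 events when process-creation auditing is enabled together with "Include command line in process creation events" (or via Sysmon Event ID 1). The encoded-command expansion matters because a one-liner hidden behind -enc would otherwise pass every substring check untouched.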

  • [CRU][Windows] Potential AMSI Bypass via COM Registry

Technique detected: [T1562.001] Impair Defenses: Disable or Modify Tools

Description: To bypass the Antimalware Scan Interface (AMSI) that backs PowerShell's built-in defenses, attackers have been observed changing the value of a particular COM-related registry key so that it no longer points to C:\Windows\System32\amsi.dll. This event notification attempts to detect this behavior by looking for either registry events that change this value to something other than the expected path or reg.exe activity relating to that registry value.
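Added example, not the rule text: a Python check over registry value-set records and reg.exe command lines that applies the test the description gives, comparing the InprocServer32 path registered for the AMSI COM server against the expected amsi.dll location. The CLSID used is CLSID_Antimalware from the Windows SDK header amsi.h, which this page does not name, and the sample events are constructed.

```python
"""Flag registry writes that redirect the AMSI COM server away from amsi.dll.

Added example, not the ConnectWise SIEM rule. Records mirror a registry
value-set event (Sysmon Event ID 13: TargetObject and Details) plus a reg.exe
command line, and are constructed. AMSI_CLSID is CLSID_Antimalware from the
Windows SDK header amsi.h; the page does not name the key, so the CLSID is an
assumption of this example.
"""
import re
from typing import Optional

AMSI_CLSID = "{fdb00e52-a214-4aa1-8fba-4357bb0072ec}"
EXPECTED_DLL = r"c:\windows\system32\amsi.dll"
SYSROOT = re.compile(r"^%(?:windir|systemroot)%", re.IGNORECASE)
PER_USER_HIVES = ("hkcu\\", "hkey_current_user\\", "hku\\", "hkey_users\\")
REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\s+\"?([^\"\s]+)\"?", re.IGNORECASE)
REG_DATA = re.compile(r"/d\s+(\"[^\"]*\"|\S+)", re.IGNORECASE)


def normalize_path(value: str) -> str:
    """Lower-case, unquote and expand %windir%/%SystemRoot% so the comparison
    with the expected amsi.dll path is not fooled by harmless variants."""
    v = value.strip().strip('"').lower().replace("/", "\\")
    return SYSROOT.sub(r"c:\\windows", v)


def classify_registry_write(target_object: str, details: str) -> Optional[str]:
    """Return a reason if the write is a potential AMSI COM hijack, else None."""
    t = target_object.lower().replace("/", "\\")
    if AMSI_CLSID not in t or "inprocserver32" not in t:
        return None
    # A per-user registration of the AMSI CLSID shadows the HKLM entry for that
    # user; there is no legitimate reason for it, whatever DLL it names.
    if t.startswith(PER_USER_HIVES):
        return "per-user InprocServer32 registration of the AMSI CLSID"
    if normalize_path(details) != EXPECTED_DLL:
        return f"InprocServer32 points to {details.strip()} instead of amsi.dll"
    return None


def classify_reg_command(command_line: str) -> Optional[str]:
    """Apply the same test to a 'reg add' command line: the key is the argument
    after 'add' and /ve targets the key's default value."""
    m = REG_ADD.search(command_line)
    if not m:
        return None
    data = REG_DATA.search(command_line)
    return classify_registry_write(m.group(1) + "\\(Default)", data.group(1) if data else "")


def scan(events) -> list:
    """Return (id, reason) for every record that looks like an AMSI COM hijack."""
    hits = []
    for e in events:
        if e["type"] == "registry_set":
            reason = classify_registry_write(e["target_object"], e["details"])
        else:
            reason = classify_reg_command(e["command_line"])
        if reason:
            hits.append((e["id"], reason))
    return hits


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"id": "r1", "type": "registry_set",   # hijack registered under a user hive
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InprocServer32\(Default)",
     "details": r"C:\Users\victim\AppData\Local\Temp\amsi.dll"},
    {"id": "r2", "type": "registry_set",   # legitimate value, written with an env var
     "target_object": r"HKLM\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InprocServer32\(Default)",
     "details": r"%windir%\system32\amsi.dll"},
    {"id": "r3", "type": "registry_set",   # machine-wide value pointed at a rogue DLL
     "target_object": r"HKLM\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InprocServer32\(Default)",
     "details": r"C:\Windows\Temp\amsi.dll"},
    {"id": "r4", "type": "registry_set",   # unrelated CLSID
     "target_object": r"HKLM\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32\(Default)",
     "details": r"%SystemRoot%\system32\windows.storage.dll"},
    {"id": "r5", "type": "process_create",  # same hijack done through reg.exe
     "command_line": r'reg add HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InprocServer32 /ve /d "C:\Users\victim\fake.dll" /f'},
]

if __name__ == "__main__":
    for eid, why in scan(SAMPLE_EVENTS):
        print(eid, why)
```

Expanding %windir% and %SystemRoot% before comparing avoids false positives on the legitimate value, which is stored with an environment variable; a registration of this CLSID under a user hive is flagged regardless of the DLL named, since it shadows the machine-wide entry for that user.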

  • [CRU][Windows] Suspicious Windows Media Player Activity

Technique detected: [T1055] Process Injection

Description: This alert triggers when either of two Windows Media Player processes, wmpshare.exe and wmpnscfg.exe, spawns an atypical child process. Both have been observed as targets of process injection by threat actors, so any process spawned by them should be verified for malicious intent.

  • [CRU][Windows] Suspicious Dialer.exe Activity

Technique detected: [T1055] Process Injection

Description: This alert triggers when dialer.exe is the parent of a new process. Dialer.exe is the Microsoft Phone Dialer, and threat actors have targeted it with process injection. Dialer.exe should not normally spawn processes, so the activity should be examined and verified for malicious intent.

  • [CRU][Windows] Scheduled Task to Execute Wscript

Technique detected: [T1053.005] Scheduled Task

Description: This event notification alerts on Event ID 4698 (a scheduled task has been created) when the task content includes "wscript", which indicates the task runs a script via the Windows Script Host. Recent Gootloader activity has included the creation of scheduled tasks that execute a malicious JavaScript file via wscript. On alert, investigate the task content to identify what wscript is scheduled to execute and whether that execution is authorized or malicious.
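Added example (not the SIEM rule): 4698 records carry the new task's definition as XML in the TaskContent field, and parsing it gives the analyst the command, its arguments and the trigger rather than just a substring hit. This Python does that over constructed events modelled on the Gootloader persistence described; it goes slightly beyond the rule by also matching cscript, the console host for the same script engine.

```python
"""Triage Security Event ID 4698 (scheduled task created) for Windows Script Host use.

Added example, not the ConnectWise SIEM rule. Event 4698 carries the new task's
definition as XML in its TaskContent field; parsing that XML (instead of
substring-matching the whole event) yields the command, its arguments and the
trigger for the analyst. The sample events are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# The page's rule keys on wscript; cscript is the console twin of the same host,
# so this example (an extension beyond the page) checks both.
SCRIPT_HOSTS = ("wscript", "cscript")
# TaskContent starts with an XML declaration; it is redundant once the event
# text is already a Python str, so it is dropped before parsing.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def parse_task(task_content: str) -> dict:
    """Extract every Exec action and the trigger types from a task definition."""
    root = ET.fromstring(XML_DECL.sub("", task_content, count=1))
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        actions.append({
            "command": ex.findtext("t:Command", default="", namespaces=NS).strip(),
            "arguments": ex.findtext("t:Arguments", default="", namespaces=NS).strip(),
        })
    triggers = [el.tag.split("}")[-1] for el in root.findall("t:Triggers/*", NS)]
    return {"actions": actions, "triggers": triggers}


def script_host_task(task_name: str, task_content: str) -> Optional[dict]:
    """Return triage details if any action runs wscript/cscript, directly or via
    another process such as cmd.exe /c; otherwise None."""
    info = parse_task(task_content)
    for a in info["actions"]:
        blob = (a["command"] + " " + a["arguments"]).lower()
        if any(h in blob for h in SCRIPT_HOSTS):
            return {"task": task_name, "triggers": info["triggers"], **a}
    return None


def triage_4698(events) -> list:
    """Run the check over 4698 records; each carries TaskName and TaskContent."""
    hits = []
    for e in events:
        if e.get("EventID") != 4698:
            continue
        hit = script_host_task(e["TaskName"], e["TaskContent"])
        if hit:
            hits.append(hit)
    return hits


def _task_xml(command: str, arguments: str, trigger: str) -> str:
    """Build a minimal task definition in the Task Scheduler schema (constructed)."""
    return f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><{trigger}><Enabled>true</Enabled></{trigger}></Triggers>
  <Actions Context="Author">
    <Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec>
  </Actions>
</Task>"""


SAMPLE_EVENTS = [  # constructed, modelled on Gootloader-style persistence
    {"EventID": 4698, "TaskName": r"\Contract Template",
     "TaskContent": _task_xml("wscript.exe",
                              r'"C:\Users\victim\AppData\Roaming\Contract Template\Contract Template.js"',
                              "LogonTrigger")},
    {"EventID": 4698, "TaskName": r"\OneDrive Sync",   # script host reached via cmd.exe /c
     "TaskContent": _task_xml(r"C:\Windows\System32\cmd.exe",
                              r'/c wscript //B "C:\ProgramData\sync\update.js"',
                              "TimeTrigger")},
    {"EventID": 4698, "TaskName": r"\Vendor Updater",  # benign
     "TaskContent": _task_xml(r"C:\Program Files\Vendor\updater.exe", "/silent", "CalendarTrigger")},
]

if __name__ == "__main__":
    for hit in triage_4698(SAMPLE_EVENTS):
        print(hit)
```

The second sample shows why both Command and Arguments are checked: a task whose Command is cmd.exe still reaches wscript through /c. Triggers are reported because a LogonTrigger on a task that runs a script out of a user profile is the classic persistence shape.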

  • [CRU][Windows] Google Chrome Remote Desktop Service Start

Technique detected: [T1219] Remote Access Software

Description: The detection triggers when Google Chrome Remote Desktop starts a new service and connection to allow remote access. This remote access tooling has been used by APT groups, such as Kimsuky.

  • [CRU][Windows] InternetShortcut Feature Bypass (CVE-2024-21412) File Create

CVE detected: [CVE-2024-21412]

Description: CVE-2024-21412 is a security feature bypass in which an InternetShortcut (.URL) file points to a second InternetShortcut file on a remote location such as a WebDAV or SMB share. The remote shortcut is retrieved and opened without Mark-of-the-Web (MotW) being applied, so its origin from a potentially untrusted source (an internet download or a remote share) is never recorded and the protections that key on MotW do not engage.

Exploitation results in an InternetShortcut file being written to disk. On a vulnerable host that file lacks the Zone.Identifier alternate data stream that normally carries MotW, and a process execution of the file is typically seen immediately afterwards.
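Added example (not the SIEM rule): the description points to a sequence rather than a single event, so this Python correlates three constructed record types modelled on Sysmon file-create, named-stream-create and process-create events. A .url file creation is treated as suspicious only when no Zone.Identifier stream follows it and a process referencing the file starts within a short window; the 60-second window is an assumption of the example.

```python
"""Correlate MotW-less InternetShortcut writes with a follow-on execution.

Added example, not the ConnectWise SIEM rule. The two-step pattern on a
vulnerable host is: a .url file is written without a Zone.Identifier stream,
and a process is started from it shortly after. Records mirror Sysmon
file-create (ID 11), named-stream-create (ID 15) and process-create (ID 1)
events and are constructed; the window length is a tunable assumption.
"""
from typing import List

ZONE_STREAM = ":zone.identifier"


def _norm(path: str) -> str:
    return path.strip().strip('"').lower().replace("/", "\\")


def correlate_url_executions(events: List[dict], window: float = 60.0) -> List[dict]:
    """One alert per .url file that was created, received no Zone.Identifier
    stream within `window` seconds, and was then named on a new process's
    command line within `window` seconds of its creation."""
    events = sorted(events, key=lambda e: e["ts"])
    marked = {}  # normalized .url path -> time its Zone.Identifier stream was written
    for e in events:
        if e["type"] == "stream_create" and _norm(e["path"]).endswith(".url" + ZONE_STREAM):
            marked[_norm(e["path"])[: -len(ZONE_STREAM)]] = e["ts"]
    alerts = []
    for e in events:
        if e["type"] != "file_create" or not _norm(e["path"]).endswith(".url"):
            continue
        path, t0 = _norm(e["path"]), e["ts"]
        if path in marked and t0 <= marked[path] <= t0 + window:
            continue  # MotW was applied: the normal browser-download shape
        for p in events:
            if (p["type"] == "process_create" and t0 <= p["ts"] <= t0 + window
                    and path in _norm(p["command_line"])):
                alerts.append({"url_file": e["path"], "created": t0,
                               "executed": p["ts"], "image": p["image"]})
                break
    return alerts


SAMPLE_EVENTS = [  # constructed, not real telemetry
    # Scenario A: browser download, Zone.Identifier written, opened later -> no alert
    {"ts": 100.0, "type": "file_create", "path": r"C:\Users\victim\Downloads\invoice.url"},
    {"ts": 100.2, "type": "stream_create", "path": r"C:\Users\victim\Downloads\invoice.url:Zone.Identifier"},
    {"ts": 130.0, "type": "process_create", "image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\explorer.exe" "C:\Users\victim\Downloads\invoice.url"'},
    # Scenario B: nested .url fetched from a remote share, no MotW, run 4 s later -> alert
    {"ts": 200.0, "type": "file_create", "path": r"C:\Users\victim\AppData\Local\Temp\Contract-2024.url"},
    {"ts": 204.0, "type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c start "" "C:\Users\victim\AppData\Local\Temp\Contract-2024.url"'},
    # Scenario C: .url without MotW that is never opened -> no alert (hunting lead only)
    {"ts": 300.0, "type": "file_create", "path": r"C:\Users\victim\Desktop\notes.url"},
]

if __name__ == "__main__":
    for a in correlate_url_executions(SAMPLE_EVENTS):
        print(a)
```

A browser download (first scenario) writes the Zone.Identifier stream and is suppressed; a MotW-less shortcut that is never opened (third scenario) is left for hunting rather than alerted on. Tune the window to how quickly the observed chains execute.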

New IDS signatures added in April 2024

[ConnectWise CRU] MALWARE LeprechaunHvnc C2 Traffic

[ConnectWise CRU] Microsoft SharePoint Server Signature & Issuer Validation Bypass (CVE-2023-29357) M1

[ConnectWise CRU] Microsoft SharePoint Server Signature & Issuer Validation Bypass (CVE-2023-29357) M2

[ConnectWise CRU] Microsoft SharePoint Server Signature & Issuer Validation Bypass (CVE-2023-29357) M3

[ConnectWise CRU] Microsoft SharePoint Server Signature & Issuer Validation Bypass (CVE-2023-29357) M4

[ConnectWise CRU] Microsoft SharePoint Server Authentication Bypass (CVE-2023-29357) IsSiteAdmin

[ConnectWise CRU] Microsoft SharePoint Server Authentication Bypass (CVE-2023-24955) BDCMetadata

[ConnectWise CRU] Microsoft SharePoint Server Authentication Bypass (CVE-2023-24955) ProcessQuery

[ConnectWise CRU] D-Link NAS Hard-coded Credentials (CVE-2024-3272)

[ConnectWise CRU] Apache pgAdmin <= 6.16 Unauthenticated Remote Command Execution (CVE-2022-4223)

[ConnectWise CRU] Apache pgAdmin <= 8.4 Unauthorized Remote Code Execution (CVE-2024-3116)

[ConnectWise CRU] HUNTING Apache JServ Protocol (AJP) Request Smuggling

[ConnectWise CRU] MALWARE PhantomRAT RSocket TCP C2 Commands

[ConnectWise CRU] MALWARE SSLoad User-Agent

[ConnectWise CRU] MALWARE SSLoad C2 Registration

[ConnectWise CRU] MALWARE SSLoad C2 Tasks

[ConnectWise CRU] MALWARE SSLoad C2 Modules

[ConnectWise CRU] Progress Kemp Flowmon (CVE-2024-2389)

[ConnectWise CRU] HUNTING Potential XML Signatures Reference URI Abuse

[ConnectWise CRU] VK Russian Social Network Open Redirect (away.php)

[ConnectWise CRU] reGeorg Webshell Tunnel M1

[ConnectWise CRU] reGeorg Webshell Tunnel M2

[ConnectWise CRU] reGeorg Webshell Tunnel Response M1

[ConnectWise CRU] reGeorg Webshell Tunnel Response M2

[ConnectWise CRU] Reverse Base64 Encoded EXE Inbound

[ConnectWise CRU] CrushFTP Unauthenticated Arbitrary File Read (CVE-2024-4040) M1

[ConnectWise CRU] CrushFTP Unauthenticated Arbitrary File Read (CVE-2024-4040) M2

[ConnectWise CRU] CrushFTP Unauthenticated Server-Side Template Injection (CVE-2024-4040) M1

[ConnectWise CRU] CrushFTP Unauthenticated Server-Side Template Injection (CVE-2024-4040) M2

[ConnectWise CRU] MALWARE LINE DANCER Shellcode

[ConnectWise CRU] MALWARE Potential LINE DANCER Request

[ConnectWise CRU] MALWARE Potential LINE RUNNER Backdoor

[ConnectWise CRU] MALWARE Potential SparkTar TLS Traffic Signal

[ConnectWise CRU] MALWARE Potential SparkCockpit TLS Traffic Signal

[ConnectWise CRU] MALWARE SparkCockpit Controller AES Key

[ConnectWise CRU] MALWARE Dracula Loader C2 Checkin

[ConnectWise CRU] HUNTING Balada Banker Checkin M1

[ConnectWise CRU] HUNTING Balada Banker Checkin M2