Weekly Threat Landscape Digest – Week 10

This week’s cybersecurity landscape underscores the growing sophistication of cyber threats and the urgent need for a proactive defense strategy. As threat actors evolve their tactics, organizations must stay ahead by promptly mitigating vulnerabilities, enhancing detection and response mechanisms, and fortifying overall resilience. Strong cybersecurity requires continuous threat intelligence, thorough employee training, and a well-structured incident response framework. By adopting a multi-layered security approach and staying informed about emerging attack techniques, businesses can better safeguard their critical assets and minimize the risk of cyber intrusions.

Vulnerabilities

  1. High-Severity Vulnerability in Cisco Secure Client
  • CVE ID: CVE-2025-20206
  • Severity: High (CVSS Score: 7.1)
  • A security vulnerability exists in the interprocess communication (IPC) channel of Cisco Secure Client for Windows. Attackers with valid local credentials can exploit DLL hijacking by sending crafted IPC messages, leading to arbitrary code execution with SYSTEM privileges.
  • Cause: Insufficient validation of resources loaded at runtime when the Secure Firewall Posture Engine (formerly HostScan) is installed.

Affected Products

  • Cisco Secure Client for Windows (with Secure Firewall Posture Engine installed)
  • Versions earlier than 5.1.8.105

Fixed Versions

  • Cisco Secure Client version 5.1.8.105 or later

Recommendations

  • Update immediately to version 5.1.8.105 or later.
  • Restrict local access to prevent exploitation.
  • Monitor system logs for unusual activity related to the affected components.

Reference



  2. Critical VMware Vulnerabilities Exploited in the Wild
  • CVE-2025-22224 (CVSS 9.3): Heap overflow in Virtual Machine Communication Interface, enabling code execution on the hypervisor.
  • CVE-2025-22225 (CVSS 8.2): Arbitrary write vulnerability allowing VM escape and potential hypervisor takeover.
  • CVE-2025-22226 (CVSS 7.1): Information disclosure vulnerability exposing memory from the host-guest file system.
  • VMware has confirmed active exploitation of these vulnerabilities. No workarounds exist—patching is the only mitigation.

Impacted Products

  • VMware ESXi
  • VMware Workstation Pro / Player
  • VMware Fusion
  • VMware Cloud Foundation
  • VMware Telco Cloud Platform

Security Risks

  • Hyperjacking Risk: Attackers can escape a VM and take control of the hypervisor, compromising all VMs on the host.
  • Multi-Tenant Environment Vulnerability: Hosting, cloud, and enterprise environments are at high risk.
  • No Workarounds: Patching is the only solution.

Fixed Versions

  • VMware ESXi: ESXi80U3d24585383, ESXi80U2d24585300, ESXi70U3s24585291
  • VMware Workstation 17.x: Version 17.6.3
  • VMware Fusion 13.x: Version 13.6.3
  • VMware Cloud Foundation: Async patch to ESXi80U3d24585383 or ESXi70U3s24585291
  • VMware Telco Cloud Platform & Infrastructure: KB389385

Recommendations

  • Apply Security Patches: Update to the latest VMware Security Advisory patches immediately.
  • Isolate Vulnerable Systems: If immediate patching is not possible, isolate affected systems from the network.
  • Monitor for Exploitation: Utilize IDS, EDR, and log monitoring for suspicious activity.

Reference

 

  3. Security Updates – Mozilla Firefox and Thunderbird

Mozilla has released security updates addressing multiple vulnerabilities in Firefox and Thunderbird that could lead to arbitrary code execution, denial of service, and information disclosure.

Critical Vulnerability

  • CVE-2024-43097 – Integer overflow in the resizeToAtLeast function, potentially leading to out-of-bounds writes and code execution.

High-Severity Vulnerabilities

  • CVE-2025-1931 – Use-after-free in WebTransportChild, leading to crashes.
  • CVE-2025-1932 – Out-of-bounds access due to an inconsistent comparator in XSLT sorting.
  • CVE-2025-1933 – Memory misinterpretation in WASM i32 return values on 64-bit CPUs.
  • CVE-2025-1937, CVE-2025-1938, CVE-2025-1943 – Memory safety bugs allowing potential code execution.
  • CVE-2025-1930 – Use-after-free in the Windows browser process, possibly allowing a sandbox escape.

Fixed Versions

  • Firefox: 136
  • Firefox ESR: 115.21, 128.8
  • Thunderbird: 136, 128.8 (ESR)

Recommendations

  • Update immediately to the latest versions.
  • Enable automatic updates for continuous protection.
  • Monitor for exploitation using security tools.

References

 

  4. Security Updates – Android

Google has released the March 2025 Android Security Bulletin, addressing multiple high-risk vulnerabilities, including two actively exploited flaws that pose severe security risks. These vulnerabilities could lead to remote code execution (RCE), privilege escalation (EoP), and denial of service (DoS) attacks, compromising sensitive user data and device security.

Actively Exploited Vulnerabilities

  • CVE-2024-43093 – Elevation of Privilege (EoP) in the Android Framework and Google Play system updates, impacting the Documents UI component.
  • CVE-2024-50302 – High-severity vulnerability in the Linux Kernel (HID: core), exploited in real-world attacks to gain unauthorized device access and install spyware.

Critical Remote Code Execution (RCE) Vulnerabilities

  • CVE-2025-0074, CVE-2025-0075, CVE-2025-0084, CVE-2025-22403, CVE-2025-22408, CVE-2025-22410, CVE-2025-22411, CVE-2025-22412 – Multiple RCE flaws in the Android System, allowing attackers to execute code remotely without user interaction.
  • Affected Versions: Android 13, 14, and 15.

Recommendations

  • Update immediately to the latest Android security patch.
  • Enable automatic updates to ensure timely security fixes.
  • Use endpoint security solutions to monitor and detect potential exploits.

Reference

 

  5. Critical Vulnerability in Kibana

Elastic has released a security update to address CVE-2025-25012, a critical vulnerability in Kibana with a CVSS score of 9.9. This flaw could allow attackers to execute arbitrary code on vulnerable systems through a prototype pollution exploit, triggered via a crafted file upload and specially crafted HTTP requests.

Affected Versions

  • Kibana 8.15.0 to 8.17.0 – Exploitable by users with the ‘Viewer’ role.
  • Kibana 8.17.1 and 8.17.2 – Exploitable by users with specific privileges (fleet-all, integrations-all, actions:execute-advanced-connectors).

Fixed Version

  • Kibana 8.17.3

Recommendations

  • Upgrade to Kibana 8.17.3 or the latest version immediately.
  • Restrict user privileges to limit the risk of exploitation.
  • Monitor Kibana logs for any unusual activity or unauthorized access attempts.

Reference

 

  6. Security Updates – NVIDIA

NVIDIA has released security updates for its Hopper HGX 8-GPU systems, addressing two significant vulnerabilities in the HGX Management Controller (HMC) firmware and the GPU VBIOS.

Vulnerabilities

  1. CVE-2024-0114 (CVSS 8.1 – High Severity)
    • Affects: HGX Management Controller (HMC)
    • Impact: Allows a malicious actor with administrative access to the BMC to gain administrator access to the HMC.
    • Potential Consequences: Code execution, denial of service (DoS), privilege escalation, information disclosure, and data tampering.
  2. CVE-2024-0141 (CVSS 6.8 – Medium Severity)
    • Affects: GPU VBIOS
    • Impact: Allows an attacker with tenant-level GPU access to write to an unsupported registry.
    • Potential Consequence: Denial of service (DoS).

Affected Products

  • NVIDIA Hopper HGX 8-GPU

Affected Versions

  • HGX-22.10-1-rc67 (1.5.0)
  • HGX-22.10-1-rc63 (1.4.0)
  • HGX-22.10-1-rc59 (1.3.2)
  • HGX-22.10-1-rc57 (1.3.0/1.3.1)

Fixed Version

  • Firmware version 1.6.0 and later

Recommendations

  • Upgrade to firmware version 1.6.0 or later to mitigate the risks.
  • Restrict administrative access to the BMC to prevent unauthorized privilege escalation.
  • Monitor GPU activity logs for any unauthorized registry modifications.

Reference

 

  7. Critical Security Updates – HP ThinPro

HP has released a critical security update to address multiple vulnerabilities in HP ThinPro. If exploited, these vulnerabilities could lead to privilege escalation, arbitrary code execution, denial of service (DoS), and information disclosure.

The update patches vulnerabilities in critical components, including the Linux kernel, CUPS, Ghostscript, GStreamer, libarchive, and more. Some of these vulnerabilities have a CVSS score of 9.8 (Critical).

Critical Vulnerabilities

  1. GStreamer Vulnerabilities
    • CVE-2024-47606 (9.8), CVE-2024-47615 (9.8), CVE-2024-47607 (9.8), CVE-2024-47538 (9.8)
    • CVE-2024-47600 (9.1), CVE-2024-47537 (9.8), CVE-2024-47613 (9.8), CVE-2024-47539 (9.8)
    • CVE-2024-47540 (9.8), CVE-2024-47834 (9.1), CVE-2024-47597 (9.1), CVE-2024-47598 (9.1)
    • CVE-2024-47774 (9.1), CVE-2024-47776 (9.1), CVE-2024-47775 (9.1), CVE-2024-47777 (9.1)
  2. libarchive
    • CVE-2022-36227 (9.8)
  3. Linux Kernel
    • CVE-2024-47685 (9.1)
  4. ZBar
    • CVE-2023-40890 (9.8), CVE-2023-40889 (9.8)

Affected Versions

  • HP ThinPro (prior to HP ThinPro 8.1 SP6)

Fixed Version

  • HP ThinPro 8.1 SP6

Recommendations

  • Upgrade all HP ThinPro devices to version 8.1 SP6 or later.
  • Ensure all systems are updated to prevent exploitation of vulnerabilities.
  • Implement a robust patch management process to ensure security updates are applied promptly.

Reference



  8. Security Updates – Google Chrome

Google has released security updates for Google Chrome, addressing 14 vulnerabilities, including high and medium severity issues. Exploiting these vulnerabilities could result in arbitrary code execution, information disclosure, and denial of service (DoS).

Key Vulnerabilities

  • High Severity
    • CVE-2025-1914 – Out-of-bounds read in V8.
  • Medium Severity
    • CVE-2025-1915 – Improper Limitation of a Pathname in DevTools.
    • CVE-2025-1916 – Use-after-free in Profiles.
    • CVE-2025-1917 – Inappropriate Implementation in Browser UI.
    • CVE-2025-1918 – Out-of-bounds read in PDFium.
    • CVE-2025-1919 – Out-of-bounds read in Media.
    • CVE-2025-1921 – Inappropriate Implementation in Media Stream.
  • Low Severity
    • CVE-2025-1922 – Inappropriate Implementation in Selection.
    • CVE-2025-1923 – Inappropriate Implementation in Permission Prompts.

Fixed Versions

  • Stable Channel Update:
    • Chrome 134.0.6998.35 (Linux)
    • Chrome 134.0.6998.35/36 (Windows)
    • Chrome 134.0.6998.44/45 (Mac)
  • Extended Stable Channel Updates:
    • Chrome 134.0.6998.36 (Windows)
    • Chrome 134.0.6998.45 (Mac)
  • Chrome for Android:
    • Chrome 134 (134.0.6998.39)

Recommendations

  • Update Google Chrome to the latest version as soon as possible.
  • Enable automatic updates to ensure security patches are applied promptly.
  • Monitor security advisories for any follow-up patches or updates.

Reference

 

  9. High-Severity Vulnerabilities in SUSE Rancher

SUSE has released security advisories addressing two high-severity vulnerabilities in Rancher, an open-source container management platform. These vulnerabilities could allow attackers to launch denial-of-service (DoS) attacks and impersonate users.

Key Vulnerabilities

  • CVE-2025-23388 (CVSS 8.2) – Unauthenticated Stack Overflow
    • Affects /v3-public/authproviders API.
    • Impact: Allows an unauthenticated attacker to crash the Rancher server, leading to service disruption.
    • Exploitation: Attackers submit malicious data to the API endpoint, preventing legitimate users from accessing the platform.
  • CVE-2025-23389 (CVSS 8.4) – Improper Account Binding in SAML Authentication
    • Impact: Allows a local user to impersonate any other user by manipulating cookie values during login.
    • Exploitation: Attackers can gain unauthorized access to Rancher’s sensitive data and perform administrative actions.

Affected Versions

  • Rancher v2.8.12 and earlier
  • Rancher v2.9.6 and earlier
  • Rancher v2.10.2 and earlier

Fixed Versions

  • Rancher v2.8.13
  • Rancher v2.9.7
  • Rancher v2.10.3

Recommendations

  • Upgrade Rancher to the latest fixed version.
  • Monitor server logs for any signs of suspicious activity.
  • Restrict access to authentication APIs to trusted users only.

Reference




  10. Critical Vulnerabilities in IBM Storage Virtualize Products

IBM has released a security bulletin addressing two critical vulnerabilities affecting the GUI of their Storage Virtualize products, including SAN Volume Controller, Storwize, Spectrum Virtualize, and FlashSystem. These vulnerabilities could allow unauthorized access and arbitrary code execution on affected systems.

Key Vulnerabilities

  • CVE-2025-0159 (CVSS 9.1) – Authentication Bypass
    • Affects the RPCAdapter endpoint.
    • Impact: Allows a remote attacker to bypass authentication using a specially crafted HTTP request, gaining unauthorized access to the system.
  • CVE-2025-0160 (CVSS 8.1) – Arbitrary Code Execution
    • Impact: Attackers with access to the system can execute arbitrary Java code due to improper restrictions in the RPCAdapter service.

Affected Products & Versions

  • IBM Storage Virtualize (8.5.0.0 – 8.7.2.1)
  • IBM SAN Volume Controller
  • IBM Storwize V7000, V5000, V5100, V5000E
  • IBM FlashSystem (5000, 5100, 5200, 5300, 7200, 7300, 9100, 9200, 9500)
  • IBM Storage Virtualize for Public Cloud

Fixed Versions

  • Upgrade to IBM Storage Virtualize 8.7.2.2 or later
  • Versions prior to 8.7.0.3 should be upgraded to 8.7.0.3
  • Versions 8.5.x – 8.6.x should upgrade to 8.6.0.6 or later

Recommendations

  • Upgrade affected IBM Storage Virtualize versions immediately.
  • Monitor system logs for unauthorized access attempts.
  • Restrict access to vulnerable systems where possible.

Reference



  11. Account Takeover Vulnerability in ADSelfService Plus

A high-severity vulnerability (CVE-2025-1723) has been identified in ManageEngine ADSelfService Plus, a widely used self-service password management and single sign-on (SSO) solution.

Key Details

  • CVE-2025-1723 (High Severity) 
    • Issue: Improper session handling in ADSelfService Plus.
    • Impact: When Multi-Factor Authentication (MFA) is not enabled, attackers can gain unauthorized access to user enrollment data, leading to potential account takeovers and data exposure.

Affected Versions

  • ADSelfService Plus builds 6510 and earlier

Fixed Version

  • ADSelfService Plus build 6511

Recommendations

  • Upgrade to ADSelfService Plus build 6511 or later.
  • Enable Multi-Factor Authentication (MFA) to reduce the risk of unauthorized access.
  • Monitor access logs for suspicious activity.

Reference



  12. Privilege Escalation Vulnerability in Windows Disk Cleanup Tool

A high-severity vulnerability (CVE-2025-21420) has been identified in the Windows Disk Cleanup Tool (cleanmgr.exe), allowing attackers to escalate privileges to SYSTEM.

Key Details

  • CVE-2025-21420 (High Severity – CVSS 7.8) 
    • Affected Component: Windows Disk Cleanup Tool (cleanmgr.exe)
    • Attack Vector: Local Privilege Escalation (LPE)
    • Exploitation Method: Requires execution of a malicious DLL via DLL sideloading
    • Proof-of-Concept: Available on GitHub
    • Patched Version: February 2025 Patch Tuesday update

Recommendations

  • Install the February 2025 Microsoft Security Updates immediately to patch the vulnerability.
  • Restrict execution privileges for non-administrative users.
  • Monitor system logs for unusual DLL loading activity.

Reference

 

  13. High-Severity Vulnerability in BeyondTrust Privilege Management for Windows

A high-severity vulnerability (CVE-2025-0889) has been identified in BeyondTrust Privilege Management for Windows, allowing a local authenticated attacker to escalate privileges on a compromised system, potentially leading to complete system control.

Key Details

  • CVE-2025-0889 (High Severity – CVSS 7.2) 
    • Issue: Improper handling of COM objects and associated permissions.
    • Exploitation: If an Endpoint Privilege Management (EPM) policy allows automatic privilege elevation, an attacker can manipulate COM objects to gain elevated privileges.
    • Potential Impact: 
      • Gain system-level access
      • Execute arbitrary code with elevated privileges
      • Modify sensitive configurations and compromise data

Affected Versions

  • Vulnerable: Privilege Management for Windows prior to 25.2
  • Fixed Version: Privilege Management for Windows 25.2 or later

Recommendations

  • Upgrade to Privilege Management for Windows version 25.2 or later.
  • Restrict privilege elevation policies and audit COM object usage.
  • Monitor system logs for suspicious activity related to privilege escalation.

Reference



  14. Security Updates – IBM TXSeries for Multiplatforms

IBM has released a security bulletin addressing a critical LDAP injection vulnerability (CVE-2022-46337) in Apache Derby, which is included in IBM TXSeries for Multiplatforms. This flaw could allow a remote attacker to bypass security restrictions, modify sensitive data, and execute unauthorized database functions.

Key Details

  • CVE-2022-46337 (Critical Severity – CVSS 9.1) 
    • Issue: LDAP injection vulnerability in the authenticator of Apache Derby.
    • Impact: A remote attacker can send specially crafted requests to bypass security controls, modify data, and execute sensitive database operations.

Affected Versions

  • IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, and 10.1

Recommendations

  • Update to the latest fixed versions as provided by IBM.
  • Monitor database logs for suspicious queries or unauthorized access attempts.
  • Restrict access to database management interfaces and enforce strong authentication.

Reference

 

  15. High-Severity Vulnerability in HPE Insight Remote Support

A high-severity XML External Entity (XXE) injection vulnerability (CVE-2024-53675) has been identified in HPE Insight Remote Support, allowing unauthenticated remote attackers to expose sensitive system information.

Key Details

  • CVE-2024-53675 (High Severity – CVSS 7.3) 
    • Issue: XXE injection in the validateAgainstXSD method.
    • Impact: Attackers can craft malicious XML documents to access sensitive files with SYSTEM-level privileges.
    • Attack Vector: Remote (No authentication required).

Additional Vulnerabilities

  • CVE-2024-53676 (Critical – CVSS 9.8)
    • Directory traversal vulnerability allowing remote code execution.
  • CVE-2024-53673 (High – CVSS 8.1)
    • Java deserialization vulnerability allowing unauthenticated code injection.
  • CVE-2024-11622 & CVE-2024-53674 (High – CVSS 7.3)
    • Additional XXE vulnerabilities with similar attack vectors.

Affected Versions

  • HPE Insight Remote Support versions prior to 7.14.0.629

Recommendations

  • Update to version 7.14.0.629 or later immediately.
  • Restrict network access to affected systems where updates cannot be applied.
  • Monitor for suspicious activity in system logs.

Reference

 

  16. Anatsa Banking Trojan Infects 220,000 Android Users via Fake File Manager App

A sophisticated Android banking trojan campaign has infected over 220,000 users through a malicious file manager app on the Google Play Store. The malware, identified as Anatsa (TeaBot), was discovered by ThreatLabz, highlighting the growing threat of financial fraud via mobile applications.

Key Details

  • Malware Name: Anatsa (TeaBot)
  • Distribution Method: Fake file management app with document preview and cloud integration.
  • Evasion Techniques: 
    • Delayed payload activation
    • Encrypted communication channels
    • Hiding as a system application

Attack Mechanism

  1. Initial Infection: Users install a “File Manager and Document Reader” app.
  2. Dropper Execution: The app prompts users to download a fake “update” hosted on GitHub.
  3. Malicious Payload Activation: 
    • Loads malicious Dalvik Executable (DEX) files dynamically.
    • Performs anti-emulation checks to evade detection.
  4. Banking Credential Theft: 
    • Uses overlay attacks to steal login credentials.
    • Intercepts SMS-based two-factor authentication (2FA) messages.
    • Targets PayPal, HSBC, Santander, and other financial institutions.
  5. Persistence & Command Control: 
    • Repeatedly requests Accessibility Service permissions.
    • Communicates with C2 servers for targeted attacks.

Google’s Response

  • The malicious app was removed within 48 hours of notification.
  • Google initiated a mass uninstallation campaign for affected devices.
  • Users who disabled automatic updates must manually remove the application.

Targeted Regions & Global Impact

  • The malware’s multilingual support (English, Spanish, German, French) indicates widespread targeting.
  • Financial institutions worldwide are enhancing security, with biometric authentication becoming mandatory in some regions (e.g., Bank of Thailand).

Recommendations

  • Uninstall suspicious apps and check for unauthorized permissions.
  • Enable Google Play Protect for real-time app scanning.
  • Avoid downloading updates from unverified sources, especially GitHub repositories.
  • Use biometric authentication instead of SMS-based 2FA, as federal agencies warn against its vulnerabilities.

Reference






  17. Ongoing Threat of “Mr. Hamza” and Allied Hacktivist Groups
  • Threat Actor: Mr. Hamza
  • Tactics: Primarily DDoS attacks and data leaks
  • Targets: Government agencies, intelligence services, military, financial sectors, and critical infrastructure (including energy and nuclear facilities)
  • Motivation: Politically driven, targeting Western nations and those supporting Israel
  • Collaboration: Works with Holy League, NoName057(16), Z-Pentest to amplify attacks
  • Suspected Origin: Moroccan-based actors

Recent Incidents

  • March 2, 2025: DDoS attacks on Spanish Defense Staff (EMAD), National Security (DSN), and Spanish Army.
  • January 13, 2025: Targeted U.K.’s MI6 and EU Cybersecurity Agency (ENISA).
  • December 17, 2024: Claimed DDoS attack on FBIBiospecs.
  • December 6, 2024: Participated in a coordinated cyberattack on France, affecting Foreign Affairs Ministry, DGSE, CEA, and ANSSI.

Implications

  • Growing threat to national security due to increased coordination with hacktivist groups.
  • Targeting critical infrastructure (nuclear and energy sectors) poses major risks.
  • Governments and industries must enhance monitoring and defense strategies against large-scale cyberattacks.

Reference

 

  18. Bolstering Defenses Against Ramadan Festive Season Cyber Threats

During Ramadan, cyber threats escalate due to reduced staffing, distracted workforces, and increased digital transactions. UAE Threat Intelligence has detected financially motivated phishing, state-sponsored espionage, and ransomware campaigns targeting organizations and individuals. This circular provides key insights and actionable steps to mitigate these risks.

 

Key Threat Vectors

  1. Financial Fraud (UNC6055)
  • Target: Credit card data through fake Ramadan donation and retail websites.
  • Tactics: AI-enhanced phishing campaigns, using themes like “Zakat Relief” and “Eid Offers”, hosted on UAE-based IPs.
  • Impact: Direct financial loss and erosion of customer trust.
  2. Espionage (UNC6068)
  • Target: Government and critical sectors.
  • Tactics: China-linked spear-phishing campaigns delivering malware (e.g., TINYSHELL, MD5: 0007a47738a8ca8b122e671ee9a0b6aa) disguised as official Ramadan-related communications.
  • Impact: Theft of sensitive data from government and corporate environments.
  3. Systemic Risks (Ransomware & Exploits)
  • Target: Unpatched edge devices and understaffed operations.
  • Tactics: Opportunistic ransomware campaigns and infrastructure exploitation during the holiday period.
  • Impact: Operational downtime, financial losses, and recovery costs.

 

Reference:

https://assets.adgm.com/download/assets/20250305+-+Bolstering+Defenses+Against+Festive+Season+Cyber+Threats_ver.1.1+-+Alert+192.pdf/9a32f1e6fb1d11ef80746e09d027edb7 

 

  19. Uncovering .NET Malware Obfuscated by Encryption and Virtualization

Security researchers have identified sophisticated obfuscation techniques used in popular malware families such as Agent Tesla, XWorm, and FormBook/XLoader. These techniques evade sandbox detection, enabling widespread malware distribution. The malware uses Advanced Encryption Standard (AES), code virtualization, staged payloads, and dynamic code loading to hide its intent and evade security measures.

Key Techniques Used by Malware

  1. Payload Protection Techniques
  • AES Cryptography: Uses symmetric encryption to secure malware payloads.
  • Code Virtualization: Malware code is transformed into specialized instructions, making analysis more difficult.
  2. Payload Delivery Techniques
  • Staged Payloads: Core malware is wrapped in multiple layers to evade detection.
  • Portable Executable (PE) Overlay Storage: Payloads are hidden in file overlays to bypass static analysis.
  • Dynamic Code Loading via .NET Reflection: Malware executes new code at runtime, bypassing security restrictions.

Security Recommendations

  1. Strengthen Endpoint and Network Security
  • Deploy Advanced Threat Detection tools to block malicious .NET processes.
  • Use behavior-based analysis to detect sandbox evasion techniques.
  2. Implement Advanced Threat Intelligence and Sandboxing
  • Monitor suspicious PE overlays and dynamic .NET reflection usage.
  • Utilize automated unpacking techniques to extract malware configurations.
  3. Apply Patch Management and Regular Security Updates
  • Keep Windows and security software up to date to prevent privilege escalation exploits.
  • Ensure real-time monitoring of C2 activity related to malware threats.
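One concrete check behind the "PE overlay storage" technique listed above and the recommendation to monitor suspicious overlays: an added example (not code from the digest or from any vendor tool) that parses a PE section table to find bytes appended after the last section and scores their entropy, since an AES-encrypted or packed payload stored there sits close to 8 bits per byte. The PE image is constructed in memory so the script runs offline, and the function names and thresholds are this example's own.

```python
"""PE overlay detection: locate bytes appended after the last section and score
their entropy. Added example for this digest; not code from any referenced tool.
The PE image below is constructed in memory so the script runs offline."""
import math
import struct
from collections import Counter


def parse_sections(data: bytes) -> list:
    """Return [(name, pointer_to_raw_data, size_of_raw_data)] from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt_hdr = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt_hdr           # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        sections.append((name, ptr_raw, size_raw))
    return sections


def overlay_bounds(data: bytes) -> tuple:
    """(offset, size) of the overlay; size is 0 when nothing trails the last section."""
    end = max((p + s for _, p, s in parse_sections(data)), default=0)
    end = min(end, len(data))                  # tolerate truncated files
    return end, len(data) - end


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 means a uniform byte distribution, typical of encrypted data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def suspicious_overlay(data: bytes, min_size: int = 4096, min_entropy: float = 7.0) -> bool:
    """Flag a large, high-entropy overlay. Thresholds are illustrative; tune them locally,
    and remember that legitimate installers and signed binaries also carry overlays."""
    off, size = overlay_bounds(data)
    return size >= min_size and shannon_entropy(data[off:off + size]) >= min_entropy


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal 64-bit PE with one .text section at file offset 0x200,
    followed by the given overlay. Not loadable; enough to exercise the parser above."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)   # 1 section, no optional header
    text = b"\xC3" * 0x100                                           # 'ret' filler standing in for code
    raw_ptr = 0x200
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(text), 0x1000, len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + section
    return header + b"\0" * (raw_ptr - len(header)) + text + overlay


if __name__ == "__main__":
    encrypted_like = bytes(range(256)) * 32    # uniform bytes stand in for an AES-encrypted payload
    for label, sample in (("clean", build_sample_pe(b"")),
                          ("zero-padded", build_sample_pe(b"\0" * 8192)),
                          ("encrypted overlay", build_sample_pe(encrypted_like))):
        off, size = overlay_bounds(sample)
        print(f"{label:18} overlay at 0x{off:x}, {size} bytes, "
              f"entropy {shannon_entropy(sample[off:off + size]):.2f}, "
              f"suspicious={suspicious_overlay(sample)}")
```

Run the same functions over files read from disk to triage a sample set; a hit is a reason to unpack and inspect, not a verdict on its own.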

 

Reference

 

  20. Sosano Backdoor Malware Used in UAE-Targeted Attacks

 

Security researchers have identified a highly targeted email-based cyber-espionage campaign, tracked as UNK_CraftyCamel, which is targeting organizations in the United Arab Emirates (UAE). The campaign focuses on aviation, satellite communications, and critical transportation infrastructure and deploys a Golang-based backdoor named “Sosano.” The attackers leveraged a compromised Indian electronics company to distribute spear-phishing emails containing malicious polyglot files.

 

Attack Delivery and Infection Chain

  • Initial Access:
    • Phishing emails sent using a compromised account from “INDIC Electronics,” a legitimate Indian company.
    • Emails contained malicious URLs directing victims to a spoofed domain indicelectronics[.]net, hosting a malicious ZIP file.
  • Payload Delivery:
    • The ZIP archive contained: 
      • A LNK shortcut disguised as an XLS document by means of a double extension.
      • Two PDF files, both being polyglot files with hidden malware.
  • Execution and Malware Deployment:
    • LNK file executed cmd.exe, launching mshta.exe to process the first PDF/HTA polyglot file.
    • The HTA script extracted an executable (HyperInfo[.]exe) and a disguised JPG file (sosano.jpg).
    • The JPG file contained an XOR-encrypted DLL payload (yourdllfinal.dll), which is the Sosano backdoor.
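A triage script for the two delivery tricks in this chain (a shortcut hidden behind a document double extension and a PDF that also carries HTA markup), added here as an example rather than code from Proofpoint or the digest. The archive it inspects is constructed in memory with harmless stand-in contents, and the function names, marker list and lure extensions are this example's own choices.

```python
"""Archive triage for the Sosano-style delivery chain: flag double-extension
shortcuts, LNK content hiding under another name, and PDF/HTA polyglots.
Added example for this digest; the ZIP is constructed in memory with harmless
stand-in contents so the script runs offline."""
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the ShellLink CLSID.
LNK_MAGIC = (b"\x4C\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46")
# Document-looking extensions commonly placed before ".lnk" as a lure (chosen here).
LURE_EXTS = (".xls", ".xlsx", ".doc", ".docx", ".pdf", ".jpg", ".png", ".txt")
# Markup that mshta.exe would act on if the file were opened as an HTA (chosen here).
HTA_MARKERS = (b"<hta:application", b"<script", b"activexobject", b"wscript.shell")


def double_extension_lnk(name: str) -> bool:
    """'contract.xls.lnk' style names: a lure extension immediately before .lnk."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-1] == "lnk" and ("." + parts[-2]) in LURE_EXTS


def lnk_content_mismatch(name: str, data: bytes) -> bool:
    """Content is a shell link but the name does not say so (renamed or hidden extension)."""
    return data.startswith(LNK_MAGIC) and not name.lower().endswith(".lnk")


def pdf_hta_polyglot(data: bytes) -> bool:
    """Starts as a PDF yet carries HTA/script markup a PDF reader would ignore."""
    if not data.startswith(b"%PDF"):
        return False
    body = data.lower()
    return any(marker in body for marker in HTA_MARKERS)


def triage_zip(zip_bytes: bytes) -> list:
    """Return [(member_name, reason)] for every member matching any check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if double_extension_lnk(info.filename):
                findings.append((info.filename, "double-extension shortcut"))
            if lnk_content_mismatch(info.filename, data):
                findings.append((info.filename, "LNK content under non-LNK name"))
            if pdf_hta_polyglot(data):
                findings.append((info.filename, "PDF/HTA polyglot"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive: a benign PDF, a double-extension LNK, and a PDF/HTA stand-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("brochure.pdf", b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n")
        zf.writestr("contract.xls.lnk", LNK_MAGIC + b"\0" * 32)
        zf.writestr("manual.pdf", b"%PDF-1.4\n%comment\n<html><hta:application id=x>"
                                  b"<script language=vbscript>'stand-in'</script></html>\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_zip(build_sample_zip()):
        print(f"{member}: {reason}")
```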

 

Threat Actor Attribution and Targeting

  • Tracked as UNK_CraftyCamel by Proofpoint.
  • TTPs overlap with Iranian-aligned threat actors TA451 and TA455.
  • Targets UAE’s aviation, satellite communications, and critical infrastructure sectors.
  • Highly selective targeting suggests a sophisticated threat actor with advanced operational security awareness.

 

Reference

https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot

© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.