Skip to main content
An icon of a telephone receiver
Sign In
NEW! Advisories Try For Free

Monthly Threat Brief: March 2024

Posted:
04/22/2024
| By:
Bryson Medlock

Welcome to the latest edition of the monthly threat brief published by the ConnectWise Cyber Research Unit™ (CRU).

In this threat brief, we will provide raw data statistics, intel on specific threats, and a list of new detection signatures added to the ConnectWise SIEM™ throughout the month of March.

For a more detailed explanation of the overall trends and analysis of these numbers, check out our annual and quarterly threat reports. For comparison, February’s threat brief can be found here.

March 2024 stats

IOCs

The CRU collects indicators of compromise (IOCs) from public open-source intelligence (OSINT) sources and any cybersecurity incident escalated by the ConnectWise security operations center (SOC). These IOCs are used for automated threat hunting and data enrichment to assist SOC analysts. Below is a summary of the IOCs collected. We intend to launch streaming threat feeds based on this data later this year—stay tuned!

24-DMDG-1765-Figure1.png

Figure 1: Summary of IOCs collected in March 2024

TTPs

The CRU collects tactics, techniques, and procedures (TTPs) from all incidents escalated by the ConnectWise SOC. This information helps us keep tabs on how threat actor behavior changes. Below are the top 10 MITRE ATT&CK® techniques for February 2024—provided for comparison—and March 2024.

24-DMDG-1765-Figure2.png

Figure 2: Top 10 MITRE ATT&CK techniques observed in February 2024

24-DMDG-1765-Figure3.png

Figure 3: Top 10 MITRE ATT&CK techniques observed in March 2024

Latest threats

Each month we highlight threats that we have seen targeting our MSP partners and their clients. This month, the ConnectWise SOC saw multiple incidents of GhostPulse and Gootloader—both of which are loaders used during initial access to download additional malware

Rusty Loader

The CRU has been tracking a series of malware droppers written in Rust known as Rusty Loader. As a malware dropper, Rusty Loader’s purpose is to download and install additional malware. It appears to primarily be used to load a malicious version of Brute Ratel, an adversary emulation command and control software designed for penetration testers, but frequently used by threat actors for remote administration.

Rusty Loader employs multiple defense evasion techniques to avoid detection, as well as several anti-sandbox techniques to make it more difficult to analyze. Rusty Loader seems to primarily spread through [T1189] Drive-by Compromise using [T1608.006] SEO Poisoning and [T1583.008] Malvertising. When it first loads, it checks to see if it is being run in a debugger or if the filename has been changed, and then it looks at CPU and user information to try to determine if it is being run inside a sandbox. If it determines that it is being run in a sandbox, then instead of running, it loads a 404 image from different sources, such as hxxps[:]//cdn.optinmonster[.]com/wp-content/uploads/2021/07/404-page-examples-featured-image-updated.png

24-DMDG-1765-Figure4.png

Figure 4: 404 image example

Some of the filenames we have seen this loader using include “HSS-7.9.0-install-plain-773-plain.exe” which seems to be mimicking VPN software, “Hotspot Shield 7.9.0”, as well as “OBS_Studio_30.0.2_Full_Installer_x64.exe” which is impersonating some common video recording and streaming software. This method of impersonating commonly used free software is similar to the method we observed last year when threat actors were spreading a malicious version of “Advanced IP Scanner.”

DMDG-1765-MITRE ATT&CK techniques.png

DMDG-1765-IOCs.png

Xz Official Package Compromised (CVE-2024-3094)

xz is a commonly used open-source compression tool commonly used in Linux and other Unix-based operating systems such as macOS. It is common enough that xz is the format typically used to package the Linux kernel, making it a requirement to even boot a Linux system.

At the end of March, a backdoor was discovered in the official xz-utils package. The malicious code began appearing in the official repo in a commit pushed on February 23, 2024 and was discovered a little over a month later on March 28.

The malicious code was pushed by a maintainer known as “Jia Tan.” Jia Tan began submitting patches to xz in October 2021 and then began a social engineering campaign in the xz-devel mailing list, gaining trust and regularly contributing to the project. They were officially given access to become a maintainer in September 2022. We found a detailed timeline available here.

The actual backdoor is very indirect and is only exploitable under very specific circumstances, allowing a remote unprivileged user to connect to a system via public SSH ports. The malicious version of xz was included in Fedora Rawhide, Fedora 40, and some testing, unstable, and experimental distributions of Debian. The malicious code compromised the build process in such a way that a normal user downloading and compiling the code would not end up with the backdoor; however, the build process used as part of different Linux distributions would. Overall, the backdoor was discovered quickly enough that the impact was limited.

New ConnectWise SIEM signatures

Several new ConnectWise SIEM detection signatures were added in March 2024. These include:

  • [O365] full_access_as_app Role Granted

Technique detected: [T1484] Domain Policy Modification

Description: This alert is designed to detect the assignment of the 'full_access_as_app' EWS (Exchange Web Services) role to an instance of an application (i.e., a service principal). This role includes access to all Exchange mailboxes and can be used for malicious purposes. We recommend verifying whether this assignment is expected. The application assigned this role can be seen in Discover under the "modifiedProperties" nested field under the "NewValue" subfield above the Service Principal Display Name.

  • [CRU][Windows] Potentially Unwanted Proxyware – EarnApp

Technique detected: [T1496] Resource Hijacking

Description: This event notification triggers when an executable known to be related to usage of EarnApp is observed. This application offers users monetary compensation in exchange for usage of their internet connection. This leads to a network connection being used as a Residential Proxy, which can be used to proxy malicious activity, causing traffic from this device to potentially be flagged as malicious. It may also indicate a user violating company policy.

  • [CRU][Windows] Potentially Unwanted Proxyware – Honeygain

Technique detected: [T1496] Resource Hijacking

Description: This event notification triggers when an executable known to be related to usage of the Honeygain is observed. This is proxyware that offers a user money in exchange for use of their internet connection. Installing it leads to a network connection being used as a Residential Proxy, which can be used to proxy malicious activity, causing traffic from this device to potentially be flagged as malicious.

  • [CRU][Windows] Potentially Unwanted Proxyware - Peer2Profit

Technique detected: [T1496] Resource Hijacking

Description: This event notification triggers when an executable known to be related to usage of the Peer2Profit is observed. This is proxyware that offers a user money in exchange for use of their internet connection. Installing it leads to a network connection being used as a Residential Proxy, which can be used to proxy malicious activity, causing traffic from this device to potentially be flagged as malicious.

  • [CRU][Windows] Potentially Unwanted Proxyware - Pawns.app

Technique detected: [T1496] Resource Hijacking

Description: This event notification triggers when a library (dll) or executable known to be related to the usage of the Pawns.app is observed. This is proxyware that offers a user money in exchange for use of their internet connection. Installing it leads to a network connection being used as a Residential Proxy, which can be used to proxy malicious activity, causing traffic from this device to potentially be flagged as malicious.

  • [CRU][Windows] Potentially Unwanted Proxyware - Infatica SDK

Technique detected: [T1496] Resource Hijacking

Description: This event notification triggers when either a library file (dll) or executable known to be related to the usage of the Infatica SDK is observed. This SDK allows developers to integrate proxyware capabilities into their applications. When installing an application a user may be prompted to allow use of their internet connection in exchange for free access to premium features. Opting in leads to a network connection being used as a Residential Proxy, which can be used to proxy malicious activity, causing traffic from this device to potentially be flagged as malicious.

  • [CRU][Windows] Potentially Unwanted Proxyware - Bright Data SDK

Technique detected: [T1496] Resource Hijacking

Description: This event notification triggers when either a library file (dll) or executable known to be related to the usage of the Bright Data SDK is observed. This SDK allows developers to integrate proxyware capabilities into their applications. When installing an application a user may be prompted to allow use of their internet connection in exchange for free access to premium features. Opting in leads to a network connection being used as a Residential Proxy, which can be used to proxy malicious activity, causing traffic from this device to potentially be flagged as malicious.

  • [CRU][Windows] Cscript or Wscript Execution Javascript File with MS-DOS Short Name

Technique detected: [T1059.007] Command and Scripting Interpreter: JavaScript

Description: During execution, Gootloader samples copy one stage to disk and persistently executes it using cscript.exe. During this procedure, the cscript.exe command line references the malicious script using an 8.3 short filename, which is an uncommon pattern.

  • [CRU][Windows] Gootloader Payload C2 IOC - xmlrpc.php in powershell script block

Technique detected: [T1071.001] Application Layer Protocol: Web Protocols

Description: Gootloader campaigns are known for dropping payloads that use C2s with xmlrpc.php in the URL. This will show up in PowerShell logs and will likely be observed along with obfuscated code. False positives could potentially occur with PowerShell scripts for remote activity with a WordPress site.

  • [CRU][Windows] Kuiper Ransomware Artifacts

Technique detected: [T1486] Data Encrypted for Impact

Description: Ransom note README_TO_DECRYPT.txt is written to multiple directories. Kuiper encrypted files have the extension .kuiper.

New IDS signatures added in March 2024

[ConnectWise CRU] FortiGate FortiOS Out-of-Bound Write (CVE-2024-21762)

[ConnectWise CRU] JetBrains TeamCity Authentication Bypass (CVE-2024-27198) M1

[ConnectWise CRU] JetBrains TeamCity Authentication Bypass (CVE-2024-27198) M2

[ConnectWise CRU] SolarMarker VNC Client Beacon

[ConnectWise CRU] SolarMarker VNC Server ACK Response

[ConnectWise CRU] SolarMarker VNC Server PSH/ACK Response

[ConnectWise CRU] SolarMarker VNC Server PSH/ACK Response

[ConnectWise CRU] Potential Java Invocation Abuse

[ConnectWise CRU] Adobe ColdFusion Deserialization of Untrusted Data (CVE-2023-38203)

[ConnectWise CRU] Progress OpenEdge Authentication Bypass (CVE-2024-1403)

[ConnectWise CRU] UTF-8 Overlong Encoding Bypass (..) 2bytes

[ConnectWise CRU] UTF-8 Overlong Encoding Bypass (..) 3bytes

[ConnectWise CRU] UTF-8 Overlong Encoding Bypass (..) 4bytes

[ConnectWise CRU] Java RMI Protocol (StreamProtocol)

[ConnectWise CRU] Java RMI Protocol (SingleOpProtocol)

[ConnectWise CRU] Java RMI Protocol (MultiplexProtocol)

[ConnectWise CRU] Java RMI Protocol (Call)

[ConnectWise CRU] Java RMI Protocol (Ping)

[ConnectWise CRU] Java RMI Protocol (DgcAck)

[ConnectWise CRU] Java RMI Protocol (ProtocolAck)

[ConnectWise CRU] Java RMI Protocol (ProtocolNotSupported)

[ConnectWise CRU] Java RMI Protocol (ReturnData)

[ConnectWise CRU] Java RMI Protocol (PingAck)

[ConnectWise CRU] Potential Java Invocation Abuse M2

[ConnectWise CRU] CommVault CommServe MS-SQL EoP

[ConnectWise CRU] CommVault CommServe MS-SQL Impersonation (sqladmin_cv)

[ConnectWise CRU] Microsoft Windows Themes Spoofing (CVE-2024-21320)

[ConnectWise CRU] SolarWinds Security Event Manager AMF Deserialization RCE (CVE-2024-0692)

[ConnectWise CRU] MALWARE SafeRAT C2 Shellcode Response

[ConnectWise CRU] MALWARE SafeRAT C2 Second Stage Request

[ConnectWise CRU] MALWARE Stealit Infostealer Exfiltration

[ConnectWise CRU] MALWARE Loda Loader C2 Beacon M1

[ConnectWise CRU] MALWARE Loda Loader C2 Beacon M2

[ConnectWise CRU] MALWARE Loda Loader C2 Beacon Response M1

[ConnectWise CRU] MALWARE Loda Loader C2 Beacon Response M2

[ConnectWise CRU] Metasploit TCP Shell Session

[ConnectWise CRU] MALWARE Silverfox backdoor

[ConnectWise CRU] Fortra FileCatalyst Workflow 5.x RCE (CVE-2024-25153)

[ConnectWise CRU] QNAP NAS Authentication Bypass (CVE-2024-21899)

[ConnectWise CRU] HUNTING SVG Smuggling

[ConnectWise CRU] Progress Kemp Loadmaster Unauthenticated Command Injection (CVE-2024-1212)

[ConnectWise CRU] .NET Framework Information Disclosure Vulnerability (CVE-2024-29059) M1

[ConnectWise CRU] .NET Framework Information Disclosure Vulnerability (CVE-2024-29059) M2

[ConnectWise CRU] .NET Framework Leaked ObjRefs (CVE-2024-29059)

Related Blog Posts

<< Back to All Blog Posts
02/21/2024
4 min read
Monthly Threat Brief: January 2024
By: Bryson Medlock
Get ready for the next installment of our Monthly Threat Brief series! Gain a new understanding of emerging cyberthreat trends and the state of the MSP threat landscape as it stood in January 2024.
Read the blog
security general icon
Cybersecurity
03/20/2024
4 min read
Monthly Threat Brief: February 2024
By: Bryson Medlock
Check out the next installment of our Monthly Threat Brief series! Gain insight into emerging cyberthreat trends and the state of the MSP threat landscape as it stood in February 2024.
Read the blog
security general icon
Cybersecurity
02/19/2024
12 min read
Why ConnectWise is the top MSP choice for cybersecurity solutions
By: Raffael Marty
Dive into ConnectWise Cybersecurity Management! Discover how solutions from ConnectWise can help you protect against, detect, and respond to potential cyberthreats facing your business and clients.
Read the blog
security general icon
Cybersecurity

Recommended