Emerging Threats

CISO Monthly Roundup, March 2023: APT37 info leak, 3CX supply chain attack, OneNote spreads malware, Nevada ransomware, dissecting DBatLoader, and CVE-2023-23397

Mar 30, 2023

The CISO Monthly Roundup provides the latest threat research from Deepen Desai and the ThreatLabz team, along with insights on other cyber-related subjects. Over the past month, ThreatLabz captured leaked info from APT37, examined the 3CX supply chain attack, studied malicious OneNote use, analyzed Nevada ransomware, performed a deep-dive on DBatLoader, and released a CVE advisory.

Uncovering secrets of APT37

APT37, also known as ScarCruft or Temp.Reaper, is a North Korean threat group that ThreatLabz has been closely monitoring. The group was particularly active in February and March, targeting several individuals in South Korean organizations. During our investigation of this group, ThreatLabz discovered a GitHub repository belonging to one of its members. This member made an operational security mistake, allowing us to access the repository and uncover APT37’s malicious files and activities dating back to October 2020.

Figure 1: An APT37 attack-chain using the CHM file format to launch infection

APT37 focuses on cyber espionage, which it achieves through exfiltrating files of interest. They abuse multiple file formats in their operations, including Windows help files (CHM), HTA, HWP (Hancom office), XLL (MS Excel), and macro-based MS Office files. The group compromises South Korean bulletin board systems (BBS) websites and uses them for C2 infrastructure. In addition to spreading malware, APT37 also conducts widespread phishing attacks in an attempt to capture useful user credentials. 

Read the full exposé on APT37

Zscaler Zero Trust Exchange Coverage: Zscaler Posture Control, Advanced Cloud Sandbox, Advanced Threat Protection, SSL Inspection.

3CX supply chain attack

ThreatLabz analyzed the Zscaler cloud for indicators of the 3CX supply chain attack following its disclosure on March 29. 3CX is a VoIP IPBX software development company whose 3CX Phone System is used by more than 600,000 companies worldwide and has over 12 million daily users. Our research revealed infections from this attack occurring in February 2023.

Figure 2: 3CX infection chain

3CX infections affect Windows and macOS systems. This supply chain attack begins with the exploitation of the 3CXDesktopApp update process. The update packages include a validly signed but malicious 3CX MSI installer and 3CX Mac applications. The malicious installer extracts and executes 3CXDesktopApp.exe, which side-loads a backdoored library named ffmpeg.dll. The ffmpeg.dll was reportedly backdoored by threat actors who manipulated its source code, enabling the supply chain attack.

Read the full analysis of the 3CX supply chain attack
Zscaler Zero Trust Exchange Coverage: Advanced Cloud Sandbox, Advanced Threat Protection, SSL Inspection.

OneNote: the new distributor of malware

Microsoft’s decision to auto-block macros in downloaded Office documents sent threat actors looking for a new malware delivery mechanism. In a series of case studies, ThreatLabz observed a rise in the use of OneNote to distribute threats. OneNote is part of Microsoft Office/365; its files can carry embedded malicious code and run CHM, HTA, JS, WSF, and VBS scripts. Attackers can also launch MSHTA, WSCRIPT, and CSCRIPT from within OneNote and use multi-layer obfuscation to avoid detection. ThreatLabz saw several types of malware being distributed via OneNote, including bankers, stealers, and RATs.

Figure 3: Malicious OneNote file delivering IceID malware

OneNote offers attackers several advantages for expanding their reach. The attack vector is less well known than macro-based attacks, and therefore not as well monitored by businesses. Because of OneNote’s inclusion in Microsoft Office/365, it can affect anyone using the platform whether they use the app or not. OneNote does not use the “Mark of the Web” Windows security feature that protects users from harmful downloaded content.
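Because OneNote carries its attachments inside the .one file as embedded file objects, a defender can triage a suspicious file offline before anyone opens it. The following Python script is an added example, not code from the original post or from ThreatLabz: it carves every embedded object by searching for the FileDataStoreObject header and footer GUIDs documented in Microsoft's MS-ONESTORE specification, then tags each carved payload with simple content heuristics. The marker patterns and the sample bytes are constructed for this example (the sample is not a real OneNote file, just two embedded objects wrapped in the same binary framing), so treat the heuristics as a starting point for your own rules.

```python
import re
import uuid
from dataclasses import dataclass

# FileDataStoreObject header/footer GUIDs from the MS-ONESTORE specification,
# stored in the little-endian layout Windows uses for GUIDs on disk.
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le

# Content heuristics for carved payloads (constructed for this example; extend as needed).
RISKY_MARKERS = {
    "pe-executable": re.compile(rb"^MZ"),
    "hta": re.compile(rb"<hta:application|<script", re.I),
    "vbs-or-wsf": re.compile(rb"CreateObject\s*\(|WScript\.Shell|<job\b", re.I),
    "batch-or-cmd": re.compile(rb"^\s*@echo off|powershell(\.exe)?\s", re.I | re.M),
    "lnk": re.compile(rb"^\x4c\x00\x00\x00"),
}


@dataclass
class EmbeddedFile:
    offset: int      # where the header GUID was found
    size: int        # cbLength from the object header
    data: bytes      # the carved FileData
    footer_ok: bool  # footer GUID found where expected (guards against false carves)
    tags: list       # names of RISKY_MARKERS that matched


def extract_embedded_files(blob: bytes) -> list:
    """Carve every FileDataStoreObject out of a .one blob."""
    found = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        hdr_end = pos + 16
        if hdr_end + 20 > len(blob):
            break
        # Header GUID is followed by cbLength (8 bytes LE), 4 unused bytes and
        # 8 reserved bytes; FileData starts right after those 20 bytes.
        size = int.from_bytes(blob[hdr_end:hdr_end + 8], "little")
        data_start = hdr_end + 20
        data = blob[data_start:data_start + size]
        # The footer GUID follows FileData, possibly after a few alignment padding bytes.
        tail = blob[data_start + size:data_start + size + 8 + 16]
        footer_ok = FDSO_FOOTER in tail
        tags = [name for name, rx in RISKY_MARKERS.items() if rx.search(data)]
        found.append(EmbeddedFile(pos, size, data, footer_ok, tags))
        pos = blob.find(FDSO_HEADER, data_start + max(size, 1))
    return found


def triage(blob: bytes) -> dict:
    """Summarise a file: how many embedded objects, how many look like scripts/binaries."""
    files = extract_embedded_files(blob)
    risky = [f for f in files if f.tags]
    return {
        "embedded": len(files),
        "risky": len(risky),
        "tags": sorted({t for f in risky for t in f.tags}),
        "verdict": "suspicious" if risky else "clean",
    }


def _fdso(payload: bytes) -> bytes:
    """Build one FileDataStoreObject around a payload (used only to construct the sample)."""
    body = FDSO_HEADER + len(payload).to_bytes(8, "little") + b"\x00" * 12 + payload
    body += b"\x00" * (-len(body) % 8)  # pad to 8-byte alignment before the footer
    return body + FDSO_FOOTER


# Constructed sample: a benign PNG-like object followed by a VBScript-like object.
SAMPLE = (
    b"\x00" * 64
    + _fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    + b"\x00" * 16
    + _fdso(b'Set sh = CreateObject("WScript.Shell")\r\n')
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A file whose carved objects carry any script or executable tag should be routed to sandbox detonation and quarantined rather than delivered to the user; the footer check is there so that a stray header GUID inside another file does not produce a bogus carve.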

Read OneNote malware case studies

Zscaler Zero Trust Exchange Coverage: Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.

Nokoyawa spawns Nevada

In December 2022, a new ransomware, Nevada, was being advertised on forums as ransomware-as-a-service. ThreatLabz identified several similarities between Nevada and Nokoyawa ransomware, including encryption algorithms, debug strings, and command-line arguments. Nokoyawa ransomware is an active project whose codebase has been detected in at least four other malware variants, notably Karma and Nemty. Nevada is written in Rust and includes support for Linux and 64-bit versions of Windows.

Figure 4: Nokoyawa and Nevada comparison of CreateThread function and debug print statements 

Nokoyawa ransomware first appeared in February 2022 and was written in C. In September, a version of the ransomware written in Rust appeared. Nevada appears to be a derivative of the Rust-based version of Nokoyawa. It seems likely that the Nokoyawa threat group is operating parallel code branches of its ransomware to confuse researchers and evade detection.

Read the full Nevada breakdown

Zscaler Zero Trust Exchange Coverage: Advanced Cloud Sandbox, Advanced Threat Protection, SSL Inspection.

DBatLoader hits European manufacturing

ThreatLabz discovered a new DBatLoader (also called ModiLoader) campaign targeting manufacturing organizations in Europe. Attacks begin with a phishing email. The malware payload is delivered via WordPress sites with valid SSL certificates, which allows the threat to bypass some detection measures. The two main malware families distributed during this campaign are Remcos RAT and Formbook.

Figure 5: Attack chain and execution flow of RemcosRAT

The phishing emails use multiple techniques to convince users to download malware. Some appear to come from official couriers; others carry malicious PDFs posing as revised orders, sales orders, payment invoices, and similar documents. The attackers use multiple file formats and multilayer obfuscation techniques when delivering the payload to the target system. The malware uses the 'Mock Trusted Directories Method' to bypass Windows User Account Control (UAC) and elevate privileges without triggering a prompt. DBatLoader also creates a copy of itself (with a .url extension) and creates an autorun registry key to achieve persistence.
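The persistence described above (a copy of the loader with a .url extension plus an autorun registry key) and the mock trusted directory UAC bypass both leave artifacts that a host audit can look for. As an added example that is not part of the original post or of any ThreatLabz tooling, the Python below parses the text output of `reg query` against the Run keys (the sample lines are constructed) and flags values that point at .url files, at binaries in user-writable locations, or at a directory name carrying trailing whitespace. That last check assumes the publicly described characteristic of a mock trusted directory, a folder named like a trusted system path but with a trailing space, which the post itself does not spell out.

```python
import re
from dataclasses import dataclass, field

# One `reg query` value line: leading spaces, value name, REG_* type, data.
RUN_VALUE = re.compile(
    r"^\s+(?P<name>.+?)\s+(?P<type>REG_(?:EXPAND_)?SZ|REG_MULTI_SZ)\s+(?P<data>.+)$"
)
QUOTED = re.compile(r'^"([^"]+)"')
UNQUOTED = re.compile(r"^(.+?\.(?:exe|url|cmd|bat|vbs|js|wsf|hta|scr|dll))(?:\s|$)", re.I)
# Locations a standard user can write to; adjust to your environment.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class Finding:
    name: str                  # registry value name
    target: str                # first path extracted from the command line
    reasons: list = field(default_factory=list)


def first_path(command: str) -> str:
    """Pull the program path out of a Run value (quoted or unquoted, ignoring arguments)."""
    m = QUOTED.match(command) or UNQUOTED.match(command)
    return m.group(1) if m else command.strip()


def check_run_value(name: str, data: str) -> Finding:
    target = first_path(data)
    f = Finding(name, target)
    low = target.lower()
    if low.endswith(".url"):
        f.reasons.append("autorun points at a .url shortcut")
    # Directory components only; a name like "Windows " (trailing space) is the
    # assumed hallmark of a mock trusted directory.
    components = target.split("\\")
    if any(c != c.rstrip() for c in components[:-1]):
        f.reasons.append("directory name with trailing whitespace (mock trusted directory)")
    if any(marker in low for marker in USER_WRITABLE):
        f.reasons.append("executable lives in a user-writable location")
    return f


def severity(f: Finding) -> str:
    """A .url autorun or a mock trusted directory is high; a user-writable path alone is medium."""
    return "high" if any("url" in r or "mock" in r for r in f.reasons) else "medium"


def audit_run_keys(reg_query_output: str) -> list:
    """Return only the Run values that tripped at least one check."""
    findings = []
    for line in reg_query_output.splitlines():
        m = RUN_VALUE.match(line)
        if not m:
            continue
        f = check_run_value(m["name"], m["data"])
        if f.reasons:
            findings.append(f)
    return findings


# Constructed sample of `reg query HKCU\...\Run` output; names and paths are invented.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    VendorTool    REG_SZ    "C:\Program Files\Vendor\Tool.exe" /silent
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\Adobe\Readme.url
    Helper    REG_SZ    "C:\Windows \System32\helper.exe"
"""

if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG_QUERY):
        print(severity(f).upper(), f.name, f.target, "; ".join(f.reasons))
```

Legitimate software such as sync clients does install itself under AppData, so the medium findings need an allowlist; the high findings (a .url in an autorun, or a trailing-space directory) have no normal business explanation and warrant pulling the file for analysis.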

Read the full DBatLoader Campaign Analysis

Zscaler Zero Trust Exchange Coverage: Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.

Xloader’s New Code Obfuscation

Xloader, formerly known as Formbook, is information-stealing malware that has been sold on criminal forums since 2016. The threat actors behind Formbook renamed it Xloader in 2020 and released an updated version (v2.9) in 2022. Further updates came with version 3.9 in October 2022, and the latest version, 4.3, arrived in January 2023. Throughout these updates, the threat group behind Xloader revised its obfuscation and encryption techniques.

Figure 6: The Zscaler Cloud Sandbox identifies and stops Xloader

ThreatLabz has observed Formbook/Xloader for quite some time, tracking its ongoing development. In 2020, when the malware name was changed, the threat actors adopted a malware-as-a-service (MaaS) model and rented C2 infrastructure to customers. The malware uses multiple obfuscation methods and several layers of encryption to protect its critical code segments from analysis. 

Read in-depth analysis of Xloader 4.3 code obfuscation techniques

Zscaler Zero Trust Exchange Coverage: Advanced Cloud Sandbox, Advanced Threat Protection, SSL Inspection.

Notable vulnerabilities that organizations should prioritize for patching:

CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability

Microsoft released a security update guide on March 14th to address CVE-2023-23397. This vulnerability affects Microsoft Outlook and allows NTLM credential theft and privilege escalation. To protect yourself from this vulnerability, install the Microsoft Outlook security update and block all outbound TCP 445 (SMB) connections. You can also add users to the Protected Users security group. Zscaler has added coverage for known exploit attempts of this vulnerability.
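The egress block recommended above only helps if it is in place and actually enforced, and the quickest way to confirm both is to look at your own flow or firewall logs for internal hosts reaching SMB ports on external addresses. The Python below is an added example, not code from the original post or from Zscaler: it reads a constructed CSV of flow records, treats only the listed RFC 1918 and loopback/link-local ranges as internal (a conservative choice so that any other destination, including the documentation addresses used in the sample, counts as external), and reports every internal-to-external TCP 445/139 flow, separating the ones the firewall allowed from the ones it denied.

```python
import csv
import io
import ipaddress
from collections import Counter

# Ranges treated as internal. Adjust to your own address plan; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]
SMB_PORTS = (445, 139)


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # `ip in net` is False across IP versions, so mixed v4/v6 lists are safe here.
    return any(ip in net for net in INTERNAL_NETS)


def flag_outbound_smb(flow_csv: str) -> list:
    """Return flow records where an internal host talks SMB to an external address."""
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].upper() != "TCP" or int(row["dport"]) not in SMB_PORTS:
            continue
        if is_internal(row["src"]) and not is_internal(row["dst"]):
            hits.append({**row, "dport": int(row["dport"])})
    return hits


def summarize(hits: list) -> dict:
    """Count flagged flows per source host. Allowed flows mean the egress block is missing
    or bypassed; denied flows mean the block worked but the host still tried."""
    return {
        "allowed": Counter(h["src"] for h in hits if h["action"] == "allow"),
        "denied": Counter(h["src"] for h in hits if h["action"] == "deny"),
    }


# Constructed flow log (fields and values are invented; external IPs are RFC 5737 test addresses).
SAMPLE_FLOWS = """time,src,dst,proto,dport,action
2023-03-15T09:12:01Z,10.20.30.40,10.20.30.5,TCP,445,allow
2023-03-15T09:12:07Z,10.20.30.40,203.0.113.17,TCP,445,allow
2023-03-15T09:12:09Z,10.20.30.41,203.0.113.17,TCP,443,allow
2023-03-15T09:13:30Z,10.20.30.42,198.51.100.9,TCP,139,deny
"""

if __name__ == "__main__":
    hits = flag_outbound_smb(SAMPLE_FLOWS)
    for h in hits:
        print(h["time"], h["src"], "->", h["dst"], h["dport"], h["action"])
    print(summarize(hits))
```

An allowed internal-to-external SMB flow from an Outlook client is the condition this mitigation is meant to rule out, so any source host in the "allowed" counter deserves a look at its firewall policy and, on the Outlook side, at whether the security update has been applied.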


About ThreatLabz

ThreatLabz is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.


The Zscaler Zero Trust Exchange

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks over 150 million threats to its 6000+ customers, securing over 240 billion web transactions daily. The Zscaler ThreatLabz security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.

