CISO Monthly Roundup, October 2022: ThreatLabz Data Loss Report; PHP Ducktail infostealer; LilithBot malware; vulnerabilities in OpenSSL, Microsoft, and Apache; Windows CLFS zero-day

Nov 02, 2022
CISO Monthly Roundup, October 2022

The CISO Monthly Roundup (formerly the ThreatLabz monthly report) provides the latest threat research from Deepen Desai and the ThreatLabz team, along with insights on other cyber-related subjects. In October, ThreatLabz released their 2022 Data Loss Report, researched a PHP version of the Ducktail infostealer, and analyzed LilithBot malware. My team also examined OpenSSL, Microsoft, and Apache vulnerabilities, and shared details of a Windows CLFS zero-day discovery.

2022 ThreatLabz Data Loss Report

The 2022 ThreatLabz Data Loss Report is packed with valuable insights for organizations of all sizes. The report contains analysis of nearly 6 billion data loss policy violations occurring between November 2021 and July 2022. It offers readers ways to balance data security with employee workflows so their organization enjoys stronger data protection without sacrificing productivity. The report examines different types of data loss, where lost data goes, the information threat actors target, and other related topics.

Figure 1: Sensitive data sharing stats are one of many valuable insights in the 2022 ThreatLabz Data Loss Report

Whether accidental or malicious, data loss can lead to catastrophic consequences. ThreatLabz discovered organizations are experiencing an average of 10,000 data policy violations a day. Should one of these incidents become a full-blown data breach, it can cost the organization several million dollars. With cyberattacks on the rise and world governments cracking down on privacy violations, this report offers timely and actionable information to help your business thrive.

Read the full 2022 ThreatLabz Data Loss Report

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Data Loss Prevention.

New PHP Variant of Ducktail Infostealer Targeting Facebook Business Accounts

ThreatLabz discovered a PHP version of the Ducktail infostealer in August 2022 that targets the general public in addition to corporate users with Facebook business accounts. Previous Ducktail campaigns, attributed to a Vietnamese threat group, focused on high-level employees with access to their organization’s Facebook business account. Earlier versions of Ducktail were based on a binary written in .NET Core and used Telegram as a C2 channel to exfiltrate data.

Figure 2: Ducktail attack chain and flow of execution

The PHP Ducktail, like its predecessor, exfiltrates sensitive information including saved browser credentials and Facebook account information. The stolen data includes a JSON file created by the Chrome browser that details the victim’s local machine state, which can then be used to steal further information from the target machine.

Ducktail spreads by masquerading as a cracked or free version of MS Office applications, games, subtitle files, porn-related files, and other software. These decoy files often use the .ZIP format to hide the malicious executable and are made available on file-sharing platforms.

Learn more about the new Ducktail PHP campaign

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Advanced Cloud Sandbox, Advanced Cloud Firewall.

Analysis of LilithBot Malware and Eternity Threat Group

ThreatLabz recently analyzed a sample of the multi-function LilithBot malware and discovered evidence linking it with the Eternity Group. The Eternity Group is associated with the Russian “Jester Group”, which has been active since January 2022. Eternity offers malware-as-a-service (MaaS), which includes LilithBot, to paying members. They also have several malware modules which provide a stealer, miner, botnet, ransomware, worm+dropper, and DDoS bot.

LilithBot is being distributed through a dedicated Telegram group that facilitates access to malware tools through a Tor link. The latest version of LilithBot has advanced capabilities which allow it to be used as a miner, stealer, and clipper. The Eternity group is continuously updating the malware to include features such as anti-debug and anti-VM checks. They also offer customized viruses with a wide range of features for customers willing to pay $90-$470 USD.

Figure 3: Eternity Telegram channel (left) / Eternity Telegram Homepage (right)

LilithBot begins its attack by checking for existing copies of itself, then registering on the target system. It also drops its configuration file, which includes several malware- and cryptocurrency-related fields. If successful, LilithBot steals information from the victim, uploading the data as a zip file to its command-and-control server.

Read the latest threat research on LilithBot

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Advanced Cloud Sandbox, Advanced Cloud Firewall.

Zero Day privilege escalation discovery and other notable vulnerabilities

The ThreatLabz team, as part of our Zero Day vulnerability initiative, discovered a new privilege escalation vulnerability being exploited in the wild (ITW) in September 2022. The ThreatLabz team shared the ITW payloads and TTPs with the Microsoft security team as part of responsible disclosure and close collaboration with Microsoft. Microsoft promptly fixed the issue with the September and October security updates.

Windows CLFS zero-day vulnerability (CVE-2022-37969):

In September, ThreatLabz captured an in-the-wild zero-day exploit in the Windows Common Log File System Driver (CLFS.sys). In October, ThreatLabz released two blogs delving into the technical details of this Windows CLFS vulnerability.

The first blog investigates the root cause of the vulnerability. When successfully exploited, CVE-2022-37969 can allow privilege escalation in Windows 10 and Windows 11. To recreate and better understand the problem, ThreatLabz developed a proof-of-concept (PoC) that reliably triggers a system crash by exploiting the CVE-2022-37969 vulnerability. A detailed analysis of ThreatLabz’s root-cause investigation is available in the full-length blog. For Zscaler customers, Advanced Threat Protection and Advanced Cloud Sandbox offer protection against the in-the-wild zero-day exploit of CVE-2022-37969. See:

Figure 4: Zscaler Cloud Sandbox detection of CVE-2022-37969

The second blog is an in-depth analysis of an ITW exploit ThreatLabz discovered. This exploit successfully leveraged CVE-2022-37969 to gain privilege escalation on Windows 10 and Windows 11. The blog details the steps used to exploit the vulnerability and shows the different ways it is leveraged against each Windows version.

Read the ThreatLabz root cause analysis of CVE-2022-37969

Read the ThreatLabz exploit analysis of CVE-2022-37969

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, Advanced Cloud Sandbox.

Other notable vulnerabilities that organizations should prioritize for patching:

1. OpenSSL Vulnerabilities CVE-2022-3602 & CVE-2022-3786

OpenSSL published an advisory on two high-severity security flaws on November 1st. The two vulnerabilities are CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”). They affect OpenSSL version 3.0.0 and later, and have been addressed in OpenSSL 3.0.7. ThreatLabz urges organizations to patch these vulnerabilities, as they can crash systems, causing a denial of service, and potentially provide remote code execution (RCE) capabilities.
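A patch-priority triage helper for the advisory above, added here as an example and not code from ThreatLabz or the OpenSSL project. It assumes the affected range stated in the text (3.0.0 up to but not including the fixed 3.0.7 release) and parses the banner printed by `openssl version`; the inventory strings are constructed samples.

```python
import re
from typing import List, Optional, Tuple

# Assumed from the advisory summary above: 3.0.0 and later 3.0.x builds are
# affected; the fix shipped in 3.0.7. Anything outside [3.0.0, 3.0.7) is clean.
FIRST_AFFECTED = (3, 0, 0)
FIXED_IN = (3, 0, 7)

# Matches "OpenSSL 3.0.5 5 Jul 2022" and legacy "OpenSSL 1.1.1q  5 Jul 2022".
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `openssl version` output.

    The legacy letter suffix (e.g. the "q" in 1.1.1q) is ignored: it only
    distinguishes builds inside the 1.x series, which lies outside the
    affected range. Returns None for banners that are not OpenSSL at all.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(banner: str) -> Optional[bool]:
    """True if the build falls in [3.0.0, 3.0.7); None if the banner is unparseable."""
    version = parse_openssl_version(banner)
    if version is None:
        return None
    return FIRST_AFFECTED <= version < FIXED_IN


def triage(banners: List[str]) -> List[Tuple[str, str]]:
    """Map each collected banner to a verdict so unknown builds are not silently skipped."""
    verdicts = {True: "PATCH NOW (CVE-2022-3602/3786)", False: "not affected", None: "unknown"}
    return [(b.strip(), verdicts[is_affected(b)]) for b in banners]


# Constructed sample inventory, as collected from `openssl version` on several hosts.
SAMPLE_BANNERS = [
    "OpenSSL 3.0.5 5 Jul 2022",
    "OpenSSL 3.0.7 1 Nov 2022",
    "OpenSSL 1.1.1q  5 Jul 2022",
    "LibreSSL 3.3.6",
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS):
        print(f"{banner:32} -> {verdict}")
```

Hosts reporting "unknown" (non-OpenSSL libraries or statically linked binaries that do not expose a banner) still need manual review, since the advisory's range applies only to OpenSSL builds.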

How does Zscaler Zero Trust Exchange protect users and workloads?

Zscaler’s proxy-based architecture and SSL inspection service are well positioned to defend against exploitation attempts targeting end users through maliciously crafted server certificates. Acting as a trusted man-in-the-middle (MITM), Zscaler scans and validates all server certificates centrally in the cloud, as if Zscaler were the client browser for the destination TLS server, and issues a new server certificate signed by Zscaler or an organization’s issuing CA, essentially preventing the bad certificate from ever reaching the end user.

Figure 5: Zscaler TLS inspection preventing OpenSSL vulnerability exploit attempt

Zscaler Posture Control allows users to scan AWS, Azure, and GCP environments to identify and prioritize vulnerable workloads and other assets needing protection. Many Zscaler customers have discovered vulnerable workloads in public-facing assets and rapidly mitigated the issue.

Read the full OpenSSL advisory

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Zscaler Posture Control.

2. Microsoft Exchange Server 2019, 2016, 2013 Vulnerabilities

ThreatLabz released mitigation recommendations for two zero-day vulnerabilities disclosed by Microsoft and described in CVE-2022-41040 and CVE-2022-41082. The vulnerabilities affect Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Successfully exploiting the vulnerabilities allows adversaries to install a Chopper web shell, which facilitates hands-on-keyboard access. Attackers are then able to perform Active Directory reconnaissance and data exfiltration.

Figure 6: A possible attack/exploitation flow demonstrating the exploitation of the Exchange Server vulnerabilities

Read the full list of Microsoft and Zscaler vulnerability mitigation recommendations

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Advanced Cloud Sandbox, Zscaler Private Access with Deception.

3. Security Advisory: Apache Text4Shell/Act4Shell Vulnerability

The Apache Software Foundation released an advisory in October containing mitigations for the Apache Commons Text Remote Code Execution Vulnerability (CVE-2022-42889). This vulnerability, also called Text4Shell and Act4Shell, received a lot of attention following the release of a PoC demonstrating the flaw.

Figure 7: Text4Shell/Act4Shell (CVE-2022-42889) exploitation chain

Successful exploitation of this vulnerability can allow an attacker to perform remote code execution (RCE).

Read ThreatLabz full research on the Text4Shell/Act4Shell vulnerability

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection.

About ThreatLabz

ThreatLabz is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.

The Zscaler Zero Trust Exchange

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks over 150 million threats for its 6,000+ customers, securing over 240 billion web transactions daily. The Zscaler ThreatLabz security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.

What to read next:

2022 ThreatLabz Data Loss Report

The 2022 ThreatLabz State of Ransomware Report

AitM Phishing Attack Targeting Enterprise Users of Gmail