Emerging Threats

ThreatLabZ February 2022 Report: Molerats APT attacks, Formbook rebrands as Xloader, and repelling Log4j threats with Zero Trust

Feb 10, 2022
ThreatLabZ February 2022 Report

This past month, the Zscaler ThreatLabZ security research team has charted new espionage activity from the Molerats APT group, tracked the Xloader credential-stealing malware, and continued to apply zero trust countermeasures against Log4j zero-day exploits.

Molerats APT group takes aim at Middle East political targets

In December 2021, ThreatLabZ identified a new campaign involving macro-based Microsoft Office files circulating in Jordan. ThreatLabz observed several similarities in the C2 communication and .NET payload between this campaign and previous campaigns attributed to the Molerats APT group. During our investigation, we discovered that the campaign has been active since July 2021. The attackers only switched the distribution method in the recent campaign with minor changes in the .NET backdoor.

The Arabic-language campaign targets leading Palestinian political and banking figures, human rights activists, and journalists in Turkey. The malicious Office files allegedly being distributed by the Molerats group employ decoy files using themes related to geopolitical conflicts between Israel and Palestine.

"Molerats Attack chain"
Figure 1. The Molerats APT attack chain

The attack chain uses Dropbox both for C2 calls and, ultimately, data exfiltration. It’s also worth noting that the malicious macro code isn’t particularly complex. When triggered on a compromised Windows machine, it issues a PowerShell command via cmd.exe to run the “ConfuserEx” function to load a runtime module that turns out to be a backdoor, which eventually is responsible for data exfiltration using Dropbox APIs. (Kudos to the Dropbox security team for taking down the attacker Dropbox accounts that were being used in this campaign for C2 activity and data exfiltration following our discovery.)

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Read more about the new Molerats APT malware campaign here.

Formbook rebrands as “Xloader” malware

The Xloader information-stealing malware is the successor to the Formbook malware. 

In 2017, Formbook’s panel source was leaked, and subsequently, the threat actor behind Xloader moved to a different business model. Rather than distributing a fully functional crimeware kit, Xloader C2 infrastructure is rented to customers. This malware-as-a-service (MaaS) business model is likely more profitable and makes piracy more difficult.

"Xloader C2 communications capture"
Figure 2. Xloader C2 communication capture

Xloader introduced significant improvements compared to its predecessor, especially in command and control network encryption. Key capabilities of Xloader include credential stealing from web browsers and other applications, keylogging, screen captures, stealing saved secrets, and the ability for the attacker to download and execute arbitrary payloads on the infected machine.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.
Learn more about the Xloader malware (including attack chain, code analysis, encryption methods, and communication details) here.

Log4j summary: How Zscaler applies zero trust to block zero-day threats

In the days following Log4j remote code execution vulnerability (CVE-2021-44228) disclosure, the ThreatLabZ team documented the emergence of threat activity exploiting the Apache logging library in the wild–affecting Log4j versions 2.0-beta9 to 2.14.1.

The flaw first came to light in mid-December 2021. The vulnerability could enable an attacker to download and execute a malicious payload by submitting a specially crafted request to a vulnerable machine. That attacker would then control log messages or log message parameters to execute arbitrary code loaded from one of the several supported JNDI endpoints (e.g., LDAP) when message lookup substitution is enabled. The Apache software quickly released a security advisory with patch and mitigation details.

"The Log4j attack lifecycle"
Figure 3. The Log4j attack lifecycle

In further research, ThreatLabZ summarized the impact of this critical Log4j vulnerability (CVSS score of 10 out of 10):

  • More than 1,800 GitHub repositories have key dependencies on the Apache Log4j library.
  • To exploit the flaw, attackers use their own controlled JNDI endpoints (HTTP, LDAP, LDAPS, RMI, DNS, IIOP, etc.) to serve malicious payloads.
  • The potential for exploit is broad: Initial attacks featured cryptomining, botnets, data exfiltration, ransomware, RATs, etc.

We will continue to see new zero-day vulnerabilities being discovered and exploited in the wild. While it is important to patch and remediate, organizations should improve their security posture by adopting zero trust architecture. The best way to protect an organization's data and valuable assets is by deploying a true zero trust network architecture that eliminates the ability for attackers to exploit zero-day vulnerabilities and limits lateral movement by:

  1. Eliminating your external attack surface and making apps invisible
  2. Preventing compromise by blocking malicious content with full SSL inspection
  3. Preventing lateral movement with user-to-app and app-to-app microsegmentation
  4. Preventing data exfiltration by in-line DLP inspection for all your assets

Despite the scale, breadth, and severity of damage resulting from Log4j-exploiting cyberattacks, it’s worth noting that Zscaler and ThreatLabZ continue to confirm no impact to Zscaler services from the CVE-2021-44228 vulnerability.

Zscaler Zero Trust Exchange Coverage

Zscaler ThreatLabz has added coverage to block exploitation attempts of this vulnerability through our Advanced Threat Protection and Advanced Cloud Sandbox Protection.

Advanced Cloud Sandbox Signature - Apache.Exploit.CVE-2021-44228

Advanced Threat Protection Signature - Apache.Exploit.CVE-2021-44228

Review Zscaler’s CVE-2021-44228 advisory here. Read ThreatLabZ’ comprehensive analysis of the Log4j risk here.

About ThreatLabZ

ThreatLabZ is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.

The Zscaler Zero Trust Exchange

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks more than 150 million threats to its 4000+ customers. Over the last six months, Zscaler monitored and secured over one trillion cloud application transactions. The Zscaler ThreatLabZ security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.

What to read next:

ThreatLabZ December 2021 Report: Holiday shoppers targeted, Log4j hits Apache installs, Cloud (In)Security, and DarkHotel resurfaces

ThreatLabZ November 2021 Report: Multilogin utility gets exploited, phishing attacks target Indian banking customers, and new supply-chain attacks resurrect DanaBot malware

ThreatLabZ October 2021 Report: new Squirrelwaffle loader, expanded Trickbot attack vectors, and double-extortion AtomSilo ransomware