Discover and read the best of Twitter Threads about #magniber
Most recents (2)
#Qakbot once again had some surprises ๐ for us this week. See below for a brief overview of what we found. ๐งต 1/6
First and foremost, #Qakbot seems to have departed from their usual use of LNK files to trigger execution. Instead they now present .vbs or .js files at the root folder of the disk image ๐ฟ. ๐งต 2/6 
This alone would not be significant, since we have observed ๐ .js and .vbs files in Qakbots infection chain before. Now however these files also contain a signature that apparently bypasses Windows MotW / SmartScreen warnings. ๐งต 3/6
#MagnitudeEK is now stepping up its game by using CVE-2021-21224 and CVE-2021-31956 to exploit Chromium-based browsers. This is an interesting development since most exploit kits are currently targeting exclusively Internet Explorer, with Chromium staying out of their reach.
CVE-2021-21224, a type confusion in V8, is used to compromise a renderer process. CVE-2021-31956, a Windows EoP, is used to escape the Chromium sandbox. This is the same combination of vulnerabilities that was suspected to be chained in the #PuzzleMaker attack.
The attacks we have seen so far are targeting only Windows builds 18362, 18363, 19041, and 19042 (19H1โ20H2). Build 19043 (21H1) is not targeted. The exploit for CVE-2021-31956 contains hardcoded syscall numbers relevant just for these builds.
