[2/2]
IOCs
New version:
606fe22545ec46d0934ea0c5f8cb7a68
1900346185266ae49ae893b0b69dfcfd
Older version:
2251bc7910fe46fd0baf8bc05599bdcf
19bceb587e91a1eae6903b1a633260d8
[1/2] We detected a new #FireWood Linux backdoor variant. While most of the features remained the same, we discovered some changes in the configuration and an updated set of commands, such as file-read, HideModule, and a new command to terminate the module.
More details:
intezer.com/blog/threat-...
Update -
CVE-2024-57968 Upload Validation Vulnerability (9.9 CRITICAL)
CVE-2025-25181 SQL Injection (5.8 MEDIUM)
[9/] For more details, check our technical analysis
intezer.com/blog/researc...
www.solissecurity.com/en-us/insigh...
[8/] We followed responsible disclosure guidelines for these vulnerabilities. Since these flaws have been actively exploited for years, and the agreed disclosure period has passed, we believe this information should be publicly available.
[7/] XE Group is adapting. Their focus has shifted from simple credential theft to sophisticated supply chain attacks, leveraging new exploits and enhancing their persistence mechanisms.
[6/] Our analysis of their ASPX webshell revealed significant upgrades: SQL query execution, network scanning, and advanced file system manipulation, marking a clear evolution in their toolkit.
[5/] In recent activity, we found the group reactivated a previously deployed webshell, leveraging credentials stolen in past breaches to deploy further post-exploitation tools.
[4/] In 2020, XE Group exploited an undocumented SQL injection vulnerability in VeraCore software, enabling data extraction. A second vulnerability allowed arbitrary file uploads but required prior authentication. A temporary fix was issued, yet no CVE was assigned.
[3/] XE Group has been operating since 2013, historically focusing on credit card skimming and password theft through web vulnerabilities and webshells. But their methods have evolved.
[2/] These vulnerabilities allow data exfiltration and stealthy persistence, enabling supply chain attacks on the manufacturing and distribution sectors.
[1/] In joint research with Solis Security, we uncovered two zero-day exploits in the VeraCore application actively used by XE Group: an Upload Validation Bypass and an SQL Injection flaw.
Reversing is fun. Reversing with a view is better!
For more details, check the blog I wrote about the attack intezer.com/blog/malware...
[7/] PNGPlug Loader ensures the legitimate app dropped by the MSI runs. Simultaneously, it checks for "360 Total Security" antivirus. Based on the results, it decides how to inject payloads and which PNG file to use.
In both cases, the payloads are embedded in the extracted PNGs.
[6/] The infection chain starts with an MSI file that drops a legitimate app and a DLL. The DLL extracts files from a password-protected ZIP containing:
• 2 PNG files
• A padded DLL (massive file to bypass analysis)
[5/] PNGPlug Loader uses PNG files to store shellcode/PE executables - an old trick with a new twist. It ships a couple of PNG files and decides which to map and inject based on the environment.
[4/] Ultimately, it's the organization that suffers due to such oversights. In larger organizations, threat actors have significantly higher chances of compromising an employee and gaining access to the organization.
[3/] The MSI files are designed to masquerade as legitimate software installations, targeting workers seeking free and legitimate software. But shouldn't employers provide workers with the necessary tools and software for their tasks? Or, at the very least, educate them about these attacks?
[2/] The loader (we named PNGPlug) uses padded files to take advantage of file size limits imposed by many security tools to balance performance and processing speed. By inflating the size of its files with padding, it ensures that the files are either skipped or subjected to only partial analysis.
This week, I investigated an active campaign targeting Chinese-speaking users. Seeing China, Taiwan, and Hong Kong as targets instantly piqued my curiosity. The attack has been attributed to the Silver Fox APT.
Several things in this campaign caught my attention. 🧵
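As an added example (not code from the thread or from Intezer), this shows the size-cap weakness described in [2/] and a padding-aware mitigation: the padding being a trailing run of one byte value, the SIGNATURE bytes, and the 1 MiB cap are constructed assumptions, not details from the campaign.

```python
# Added example: a scanner with a hard file-size cap is evaded by padding;
# stripping a trailing single-byte run before applying the cap closes the gap.
# Assumption: padding is one repeated byte appended after the real content.
from __future__ import annotations

# Constructed stand-in for a detection rule; a real engine carries many.
SIGNATURE = b"CONSTRUCTED-MALICIOUS-MARKER"


def trailing_run_length(data: bytes) -> int:
    """Length of the run of the final byte value at the end of data."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))


def padding_ratio(data: bytes) -> float:
    """Fraction of the file that is the trailing single-byte run."""
    return trailing_run_length(data) / len(data) if data else 0.0


def scan_naive(data: bytes, size_cap: int) -> str:
    """Scanner that skips anything over size_cap: the weakness padding abuses."""
    if len(data) > size_cap:
        return "skipped"
    return "malicious" if SIGNATURE in data else "clean"


def scan_padding_aware(data: bytes, size_cap: int, max_ratio: float = 0.5) -> str:
    """Strip a dominant trailing run before the cap and flag the file as padded.
    Legitimate files rarely end in a run covering half their size, so a high
    ratio is itself a signal worth surfacing even when no signature matches."""
    prefix = ""
    if padding_ratio(data) >= max_ratio:
        data = data[: len(data) - trailing_run_length(data)]
        prefix = "padded+"
    if len(data) > size_cap:
        return prefix + "skipped"
    return prefix + ("malicious" if SIGNATURE in data else "clean")


def build_padded_sample(payload: bytes, total_size: int, pad: bytes = b"\x00") -> bytes:
    """Constructed stand-in for the padded DLL: real content, then padding."""
    return payload + pad * (total_size - len(payload))


if __name__ == "__main__":
    cap = 1 * 1024 * 1024  # constructed 1 MiB scan limit
    sample = build_padded_sample(b"MZ" + SIGNATURE, 8 * 1024 * 1024)
    print(scan_naive(sample, cap))          # skipped
    print(scan_padding_aware(sample, cap))  # padded+malicious
```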
Exciting!!
BabbleLoader: A new loader designed to evade antivirus and sandbox detection. It floods its code with junk instructions, crashing disassembly tools.
Using #AI to detect threats?
The misleading junk code can trick AI into interpreting irrelevant actions as meaningful ones & it costs lots of tokens.