September Threat Advisory – Top 5 by SecurityHQ

September 2023 by SecurityHQ

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of September 2023.

New Python Variant of Chae$ Malware Targets Banking and Logistics Industries
Threat Reference: Global
Risks: Malware/ Data Exfiltration
Advisory Type: Threats
Priority: Standard
Security researchers have observed a new Python variant of the Chae$ 4 malware targeting the banking and logistics industries. Threat actors are using Chae$ 4 to collect and exfiltrate sensitive information from victims.
Attack Scenario:
1. The victim receives a malicious MSI installer that usually pretends to be a JAVA JDE installer or an anti-virus software installer.
2. Once the malicious MSI installer is executed, the malware is deployed and downloads the files it requires into the %Appdata%/ folder. This folder contains encrypted files and Python scripts.
3. Upon execution, the malware unpacks its core module, "Chae$Core", which is responsible for establishing persistence via a scheduled task and migrating into targeted processes.
4. Chae$Core then communicates with the C2 server to download and load external modules onto the infected system.
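The persistence step above (a scheduled task that launches Python content out of %AppData%) is something a defender can hunt for in exported task data. The following is an added example, not code from the advisory or from SecurityHQ; the task records, user name, folder names and task names are constructed and hypothetical.

```python
# Added example (not from the SecurityHQ advisory): flag scheduled tasks whose
# action runs a Python interpreter or .py script from the user's AppData tree,
# the persistence pattern described for Chae$Core. Records are constructed
# here; in practice they would come from `schtasks /query /v /fo CSV` or from
# Task Scheduler creation events (Security Event ID 4698).
import re
from dataclasses import dataclass

# Action launches python/pythonw (any path) or references a .py file
PYTHON_ACTION = re.compile(r'(?:^|[\\/\s"])pythonw?(?:\.exe)?\b|\.py\b', re.IGNORECASE)
# Path under a user's AppData tree, written with the env var or expanded
APPDATA_PATH = re.compile(r'%appdata%|\\users\\[^\\]+\\appdata\\', re.IGNORECASE)


@dataclass
class ScheduledTask:
    name: str
    command: str   # executable plus arguments, as shown by schtasks
    author: str


def is_suspicious(task: ScheduledTask) -> bool:
    """True if the task runs Python-related content out of AppData."""
    cmd = task.command
    return bool(PYTHON_ACTION.search(cmd) and APPDATA_PATH.search(cmd))


def triage(tasks: list[ScheduledTask]) -> list[str]:
    """Return the names of tasks matching the Chae$-style persistence pattern."""
    return [t.name for t in tasks if is_suspicious(t)]


# Constructed sample records (hypothetical names and paths, not real IOCs)
SAMPLE_TASKS = [
    ScheduledTask("MicrosoftEdgeUpdateTaskMachineUA",
                  r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /ua",
                  "Microsoft"),
    ScheduledTask("JavaUpdateCheck",
                  r"C:\Users\alice\AppData\Roaming\JavaJDE\pythonw.exe C:\Users\alice\AppData\Roaming\JavaJDE\core.py",
                  "alice"),
    ScheduledTask("AVHealthCheck",
                  r'"%AppData%\SecUpdate\python.exe" -m loader',
                  "alice"),
    ScheduledTask("DevBackup",           # legitimate Python use outside AppData
                  r"C:\Python311\python.exe C:\Projects\backup.py",
                  "alice"),
]

if __name__ == "__main__":
    for name in triage(SAMPLE_TASKS):
        print("suspicious scheduled task:", name)
```

A hit should be followed by collecting the referenced files from the AppData folder and correlating the task's creation time with the MSI installation that preceded it.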
Indicators of compromise (IOCs), IP Addresses:
Recommendations
It is recommended to take the following security measures:
1. Strengthen Email Security: Implement advanced email filtering and security measures to prevent phishing emails and malicious attachments from reaching your employees’ inboxes.
2. Deploy EDR: Make sure Endpoint Detection & Response tools have been implemented to detect the latest malware and suspicious activities on endpoints.
3. Monitor Network Activity: Deploy comprehensive security solutions that allow real-time monitoring of network activity for any signs of suspicious behaviour.
4. Educate Employees: Raise awareness among your staff about the potential risks associated with opening suspicious emails or documents in general.
5. Coordinate with IT/system administrators for the installation of any required software or antivirus.

Fortinet Fixes High-Severity Vulnerability Impacting Multiple Fortinet Products
Threat Reference: Global
Risks: Cross-site Scripting (XSS)
Advisory Type: Updates/Patches
Priority: Standard
Fortinet has released a patch to fix a high-severity vulnerability, CVE-2023-29183 (CVSSv3: 7.3).
Exploitation of this vulnerability may allow an authenticated attacker to trigger JavaScript code execution, leading to cross-site scripting (XSS), in multiple Fortinet products.
Affected Products include FortiProxy version 7.2.0 through 7.2.4, FortiProxy version 7.0.0 through 7.0.10, FortiOS version 7.2.0 through 7.2.4, FortiOS version 7.0.0 through 7.0.11, FortiOS version 6.4.0 through 6.4.12, and FortiOS version 6.2.0 through 6.2.14.
Recommendation: It is recommended to update affected products to their latest available patch version.

Google Fixes Critical Vulnerability (CVE-2023-4863) in Chrome, Exploited in the Wild
Threat Reference: Global
Risks: Heap Buffer Overflow
Advisory Type: Updates/Patches
Priority: Elevated
Google has released patched versions (116.0.5845.187 for Mac and Linux, and 116.0.5845.187/.188 for Windows) to fix a critical heap buffer overflow vulnerability, CVE-2023-4863, in WebP.
Researchers have confirmed that an exploit of this vulnerability exists in the wild.
Recommendation: It is recommended to update Google Chrome to its latest available patch version.

Mozilla Patches Critical Zero-Day Vulnerability in Firefox and Thunderbird
Threat Reference: Global
Risks: Arbitrary Code Execution, Heap Buffer Overflow
Advisory Type: Threats
Priority: Elevated
Mozilla has released a patch to fix a critical zero-day vulnerability (CVE-2023-4863) in Firefox and Thunderbird. Successful exploitation of this heap buffer overflow may lead to arbitrary code execution.
Notable CVEs:
[Critical] - CVE-2023-4863 Heap buffer overflow in WebP image format that could result in arbitrary code execution when processing a specially crafted image.
Affected products include Firefox, Firefox ESR, and Thunderbird.
Recommendation: It is recommended to update the affected products to their latest available versions/patch level.

Microsoft Releases September 2023 Patch Tuesday for 59 Flaws Including 2 Zero-Days
Threat Reference: Global
Risks: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Denial of Service and Spoofing
Advisory Type: Updates/Patches
Priority: Standard
Microsoft has released its September 2023 Patch Tuesday security updates, addressing 59 flaws, including 2 actively exploited vulnerabilities. Successful exploitation of these vulnerabilities could result in Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Denial of Service and Spoofing.
Affected Products include Windows 10, Windows 11, Windows Server 2008, 2012, 2012 R2, 2016, 2019 and 2022, Microsoft Visual Studio 2022, 2019 and 2017, Microsoft 365 Apps for Enterprise, Microsoft Office 2013, 2016, and 2019, Microsoft Office LTSC 2021, Microsoft Word 2013 and 2016, Microsoft Excel 2013 and 2016, 3D Builder, Microsoft Exchange Server, and Microsoft SharePoint.
Notable CVE ID and details:
• [Zero-Day] - [High] - CVE-2023-36802: [CVSS – 7.8] - Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability.
• [Zero-Day] - [Medium] - CVE-2023-36761: [CVSS – 6.2] - Microsoft Word Information Disclosure Vulnerability.
• [High] - CVE-2023-38148: [CVSS – 8.8] - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability.
• [High] - CVE-2023-33136: [CVSS – 8.8] - Azure DevOps Server Remote Code Execution Vulnerability.
• [High] - CVE-2023-36764: [CVSS – 8.8] - Microsoft SharePoint Server Elevation of Privilege Vulnerability.
• [High] - CVE-2023-38146: [CVSS – 8.8] - Windows Themes Remote Code Execution Vulnerability.
• [High] - CVE-2023-38147: [CVSS – 8.8] - Windows Miracast Wireless Display Remote Code Execution Vulnerability.
• [High] - CVE-2023-36757: [CVSS – 8] - Microsoft Exchange Server Spoofing Vulnerability.
• [High] - CVE-2023-36744: [CVSS – 8] - Microsoft Exchange Server Remote Code Execution Vulnerability.
• [High] - CVE-2023-36745: [CVSS – 8] - Microsoft Exchange Server Remote Code Execution Vulnerability.
• [High] - CVE-2023-36756: [CVSS – 8] - Microsoft Exchange Server Remote Code Execution Vulnerability.
• [High] - CVE-2023-35355: [CVSS – 7.8] - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability.
• [High] - CVE-2023-36742: [CVSS – 7.8] - Visual Studio Code Remote Code Execution Vulnerability.
• [High] - CVE-2023-36758: [CVSS – 7.8] - Visual Studio Elevation of Privilege Vulnerability.
• [High] - CVE-2023-36760: [CVSS – 7.8] - 3D Viewer Remote Code Execution Vulnerability.
• [High] - CVE-2023-36765: [CVSS – 7.8] - Microsoft Office Elevation of Privilege Vulnerability.
• [High] - CVE-2023-36766: [CVSS – 7.8] - Microsoft Excel Information Disclosure Vulnerability.
• [High] - CVE-2023-36770: [CVSS – 7.8] - 3D Builder Remote Code Execution Vulnerability.
• [High] - CVE-2023-36771: [CVSS – 7.8] - 3D Builder Remote Code Execution Vulnerability.
• [High] - CVE-2023-36772: [CVSS – 7.8] - 3D Builder Remote Code Execution Vulnerability.
• [High] - CVE-2023-36804: [CVSS – 7.8] - Windows GDI Elevation of Privilege Vulnerability.
• [High] - CVE-2023-38142: [CVSS – 7.8] - Windows Kernel Elevation of Privilege Vulnerability.
• [High] - CVE-2023-38143: [CVSS – 7.8] - Windows Common Log File System Driver Elevation of Privilege Vulnerability.
• [High] - CVE-2023-38144: [CVSS – 7.8] - Windows Common Log File System Driver Elevation of Privilege Vulnerability.
• [High] - CVE-2023-38161: [CVSS – 7.8] - Windows GDI Elevation of Privilege Vulnerability.
Recommendation: It is recommended to keep applications and operating systems running at the current released patch level and to run software with the least privileges.
Threat Intelligence for the Future
SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Our team is focused on researching emerging threats, tracking activities of threat actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.
For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.