VERT’s Cybersecurity News Roundup – Week of February 7, 2022
All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of February 7, 2022. I’ve also included some comments on these stories.
Mac Trojan Comes with Expanded Ability to Drop Secondary Payloads
As reported by Dark Reading, security researchers analyzed a new variant of UpdateAgent and observed that attackers have modified the Mac trojan’s ability to drop additional payloads hosted on public cloud infrastructure. They found that it doesn’t choose between .ZIP archives and mountable disk images for distributing its secondary payloads. Instead, this version comes with the ability to use both attack channels.
Andrew Swoboda | Senior Security Researcher at Tripwire
The UpdateAgent malware that targets Mac has been updated to do more than just drop adware. This malware first surfaced in September of 2020. According to researcher at Microsoft it has been found to contain expanded functionality. It looks like this malware now contains Adload, a Trojan, that contains the functionality for installing unwated applications and additional ad loaders.
New Windows Terminal Version Can Automatically Run Profiles as Administrator
Microsoft has released a new version of the Windows Terminal that can automatically launch profiles as Administrator. According to Bleeping Computer, users can configure Windows Terminal Preview 1.13 to open a profile in an Admin terminal window automatically. Alternatively, they can hold CTRL while clicking on the profile name.
Andrew Swoboda | Senior Security Researcher at Tripwire
Windows Terminal now has the ability to automatically run as an administrator. This feature allows users to launch terminals as an administrator without manually launching the terminal.
Microsoft Moving Forward with WMIC Phase-out
On February 10, Bleeping Computer wrote that Microsoft will begin removing the Windows Management Instrumentation Command-line (WMIC) tool. This phase-out process, which will begin with the latest Windows 11 preview builds in the Dev channel, will deprecate wmic.exe only. It will not affect WMI or the ability to query Windows Management Instrumentation using Windows PowerShell.
Andrew Swoboda | Senior Security Researcher at Tripwire
Microsoft’s removal of WMIC comes to no surprise because they have been pushing PowerShell for a while. By default, PowerShell scripts are not signed are disabled. This means that to execute any scripts, users will need to execute code directly or find a way to bypass that restriction.
Malware Distributors Look to regsvr32.exe for New Attacks
Ever heard of “Squiblydoo?” It’s not a typo. It’s an older attack technique where nefarious individuals use regsvr32.exe to distribute malware through a Word document. As it turns out, malware distributors associated with the Qbot and Lokibot operations are picking up this tactic once again, per Bleeping Computer’s reporting.
Andrew Swoboda | Senior Security Researcher at Tripwire
There has been a increase in the use of regsvr32.exe by malware. regsvr32.exe is used to register and de-register OLEs in the registry. The main method of delivery is through phishing campaigns. Users have to be convinced to click on malicous documents.
Keep in Touch with Tripwire VERT
Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.