Marbled Dust leverages zero-day in Output Messenger for regional espionage | Microsoft Security Blog
Since April 2024, the threat actor that Microsoft Threat Intelligence tracks as Marbled Dust has been observed exploiting a zero-day vulnerability, CVE-2025-27920, in the messaging app Output Messenger (a multiplatform chat application) against users who have not applied the fix. These exploits have resulted in the collection of user data from targets in Iraq. Microsoft Threat Intelligence assesses with high confidence that the targets of the attack are associated with the Kurdish military operating in Iraq, consistent with previously observed Marbled Dust targeting priorities.

Microsoft Threat Intelligence assesses with moderate confidence that Marbled Dust conducts reconnaissance to determine whether its targets are Output Messenger users and chooses this attack vector based on that knowledge. Successful exploitation allows the threat actor to deliver multiple malicious files and exfiltrate data from targets.

Upon discovering the Output Messenger zero-day vulnerability CVE-2025-27920, Microsoft notified Srimax, the developer of the messaging app, who issued a software update. Microsoft also identified a second vulnerability in Output Messenger, CVE-2025-27921, for which Srimax has also released a patch; however, Microsoft has not observed exploitation of this second vulnerability. We acknowledge Srimax for their collaboration and for addressing both vulnerabilities.

In this blog, we present details on how Marbled Dust uses the Output Messenger zero-day exploit in the attack chain of this campaign. We also share mitigation and protection guidance, detection details, and hunting queries. Microsoft Threat Intelligence recommends that users upgrade Output Messenger to its latest version to address the vulnerability leveraged by Marbled Dust.

Microsoft Threat Intelligence assesses that Marbled Dust operates as a Türkiye-affiliated espionage threat actor. Marbled Dust targets entities in Europe and the Middle East, particularly government institutions and organizations that likely represent counter
interests to the Turkish government, as well as targets in the telecommunications and information technology sectors. Marbled Dust overlaps with activity tracked by other security vendors as Sea Turtle and UNC1326.

In previous campaigns, Marbled Dust was observed scanning targeted infrastructure for known vulnerabilities in internet-facing appliances or applications and exploiting these vulnerabilities as a means of gaining initial access to target infrastructure providers. They were also observed using access to compromised DNS registries and/or registrars to reset the DNS server configuration of government organizations in various countries in order to intercept traffic, enabling them to log and reuse stolen credentials.

This new attack signals a notable shift in Marbled Dust's capability while maintaining consistency in their overall approach. The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust's targeting priorities have escalated or that their operational goals have become more urgent.

Microsoft security researchers identified the zero-day vulnerability exploited by Marbled Dust. This directory traversal vulnerability, CVE-2025-27920, in the Output Messenger Server Manager application could allow an authenticated user to upload malicious files into the server's startup directory. Marbled Dust exploited this vulnerability to save the malicious file OMServerService.vbs to the startup folder.

The Output Messenger Server Manager application provides the server owner with the option to enable an output drive, allowing users to upload and download files from the server. Once this is enabled, any user can upload files to the server. By default, these files are stored at C:\Program Files\Output Messenger Server\OfflineMessages\Temp1\File on the server. Once a user is authenticated, they can upload a file and replace the name value in the request with a directory traversal string, for example a name value consisting of enough ../ sequences to climb out of the upload directory, followed by ProgramData/Microsoft/Windows/Start
Menu/Programs/StartUp/OMServerService.vbs. Because the server trusts that name when it writes the file, the upload lands in the all-users Startup folder and is executed at the next logon.

In the Output Messenger architecture, the client and server communicate to provide messaging, file sharing, and other collaborative features. When the client is launched, it connects to the server and sends user credentials to the server for validation before the server authenticates the user. Messages sent from the client are forwarded to the server, which acts as a relay. When a file is shared via the client, it can either be directly transferred to another user or stored on the server for later retrieval.

Once Marbled Dust gains access to the Output Messenger server, the threat actor can leverage the Output Messenger system architecture to gain indiscriminate access to the communications of every user, steal sensitive data, and impersonate users, which could lead to operational disruptions, unauthorized access to internal systems, and widespread credential compromise.

The attack chain begins with Marbled Dust gaining access to the Output Messenger Server Manager application as an authenticated user. While we currently do not have visibility into how Marbled Dust gained authentication in each instance, we assess that the threat actor leverages DNS hijacking or typosquatted domains to intercept, log, and reuse credentials, as these are techniques leveraged by Marbled Dust in previously observed malicious activity.

Marbled Dust uses this foothold in a single victim to collect the user's Output Messenger credentials and exploit the CVE-2025-27920 vulnerability, a directory traversal in the Output Messenger Server Manager application that allows an authenticated user to drop malicious files into the server's startup directory. Marbled Dust drops the malicious files OM.vbs and OMServerService.vbs to the Output Messenger server startup folder and drops the malicious file OMServerService.exe to the server's Users\public\videos directory.

Marbled Dust then uses OMServerService.vbs to call OM.vbs, which is passed to OMServerService.exe as an argument. At the time of
reporting, the file OM.vbs was not available for analysis. OMServerService.exe, on the other hand, is a GoLang backdoor masquerading as the legitimate file of the same name. GoLang is particularly effective in this case because it is not sensitive to OS versions. In some cases, OMServerService.exe is observed connecting to a hardcoded domain, api.wordinfos[.]com, for data exfiltration.

On the client side, the installer extracts and executes both the legitimate file OutputMessenger.exe and OMClientService.exe, another GoLang backdoor that connects to a Marbled Dust command-and-control (C2) domain. This backdoor first performs a connectivity check via a GET request to the C2 domain api.wordinfos[.]com. If successful, a second GET request is sent to the same C2 containing hostname information to uniquely identify the victim. The response from the C2 is then directly executed using the command cmd /c, which instructs the Windows command prompt to run a specific command and then terminate; in effect, whatever the C2 returns runs on the victim as a shell command.

In at least one case, a victim device with the Output Messenger client software was observed connecting to an IP address attributed to Marbled Dust, likely for data exfiltration, as these connections coincide with the threat actor issuing commands to collect files with varying file extensions into a RAR file on the desktop. This connection to the Marbled Dust-attributed IP address is frequently accomplished using plink, the command-line version of the PuTTY SSH client for Windows.

Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

Strengthen operating environment configuration

Strengthen Microsoft Defender for Endpoint configuration

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this
blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Alerts with the following title in the security center can indicate threat activity on your network.

The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat.

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal, to get more information about this threat actor.

Microsoft Defender XDR customers can search for Output Messenger components in their environment through the XDR portal Intel Explorer components search function.

Navigate to Intel Explorer and search for "output messenger". On the Summary tab, scroll down to "Components on IP" and click "View all" at the bottom to display the full results. Note that the results of the search may not include the version of the Output Messenger component.

Microsoft Defender XDR
customers can run the following queries to find related activity in their networks.

OMServerService.vbs script

Surface devices that possess the OMServerService.vbs file that attempts to launch the Marbled Dust GoLang backdoor.

Marbled Dust C2

Surface devices that might have communicated with Marbled Dust C2.

Executable file or launch script (requires Microsoft Defender XDR)

Identify devices that might have the executable file or launch script present as part of this activity.

Marbled Dust VBS script file hashes (requires Microsoft Defender XDR)

Search for the file hashes associated with the Marbled Dust VBS script files used in this activity.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence and on X (formerly Twitter) at https://x.com/MsftSecIntel

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence
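The hunts described above (the Startup-folder VBS, the misplaced OMServerService.exe, and contact with the C2 domain) as a stand-alone triage pass, written as an added example for this edit and not Microsoft's own hunting queries. The file-hash hunt is left out because no hashes are reproduced on this page. The telemetry is constructed, and the event field names (device, kind, path, image, cmdline, remote_host) and the "legitimate install directory" path are assumptions rather than a real product schema or layout.

```python
"""Added example, not Microsoft's hunting queries: triage over constructed endpoint
telemetry mirroring the three hunts described in the post. Field names are assumed."""

C2_DOMAIN = "api.wordinfos.com"  # C2 named in the post (shown there defanged as api.wordinfos[.]com)
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
PUBLIC_VIDEOS = "\\users\\public\\videos\\"
VBS_NAMES = {"omserverservice.vbs", "om.vbs"}


def _win(p: str) -> str:
    """Case-fold and normalise separators so each rule works on either slash style."""
    return p.lower().replace("/", "\\")


def _basename(p: str) -> str:
    return _win(p).rsplit("\\", 1)[-1]


def startup_vbs(ev: dict) -> bool:
    """Hunt 1: OMServerService.vbs or OM.vbs written into a Startup folder (all-users or per-user)."""
    path = _win(ev.get("path", ""))
    return ev["kind"] == "file" and STARTUP_DIR in path and _basename(path) in VBS_NAMES


def backdoor_launch(ev: dict) -> bool:
    """Hunt 2: OMServerService.exe running from Users\\Public\\Videos, or any binary of that
    name handed OM.vbs on its command line. The backdoor borrows a legitimate file name,
    so location and arguments, not the name, are the tell."""
    if ev["kind"] != "process":
        return False
    image = _win(ev.get("image", ""))
    if not image.endswith("\\omserverservice.exe"):
        return False
    return PUBLIC_VIDEOS in image or "om.vbs" in _win(ev.get("cmdline", ""))


def c2_contact(ev: dict) -> bool:
    """Hunt 3: any process connecting to the hardcoded C2 domain."""
    return ev["kind"] == "network" and ev.get("remote_host", "").lower() == C2_DOMAIN


RULES = {"startup_vbs": startup_vbs, "backdoor_launch": backdoor_launch, "c2_contact": c2_contact}


def triage(events) -> list:
    """Return sorted, de-duplicated (device, rule) pairs: one hit per device per rule is enough to open a case."""
    hits = set()
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.add((ev["device"], name))
    return sorted(hits)


# Constructed telemetry: one server and one client showing the chain from the post, plus benign noise.
SAMPLE_EVENTS = [
    {"device": "om-server01", "kind": "file",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OMServerService.vbs"},
    {"device": "om-server01", "kind": "file",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OM.vbs"},
    {"device": "om-server01", "kind": "process",
     "image": r"C:\Users\Public\Videos\OMServerService.exe",
     "cmdline": r'"C:\Users\Public\Videos\OMServerService.exe" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OM.vbs'},
    {"device": "om-server01", "kind": "network",
     "image": r"C:\Users\Public\Videos\OMServerService.exe", "remote_host": "api.wordinfos.com"},
    {"device": "analyst-pc7", "kind": "network",
     "image": r"C:\Users\analyst\AppData\Local\Temp\OMClientService.exe", "remote_host": "api.wordinfos.com"},
    # Benign: a binary of the same name in an assumed install directory, talking to an unrelated host.
    {"device": "om-server02", "kind": "process",
     "image": r"C:\Program Files\Output Messenger Server\OMServerService.exe", "cmdline": "OMServerService.exe"},
    {"device": "om-server02", "kind": "network",
     "image": r"C:\Program Files\Output Messenger Server\OMServerService.exe", "remote_host": "updates.example.com"},
]

if __name__ == "__main__":
    for device, rule in triage(SAMPLE_EVENTS):
        print(f"{device}: {rule}")
```

The per-user Startup path is covered as well as the all-users one because the traversal string only needs to resolve to some Startup folder the server can write to; the rules key on the folder suffix rather than a fixed drive prefix for that reason.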
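Returning to the directory traversal described earlier in this post: the following is an added example, not Output Messenger code and not Srimax's patch, that reproduces the bug class behind CVE-2025-27920 in a stand-alone upload handler and places a hardened handler beside it. The weak version joins the request's name straight onto the upload directory, so a traversal string lands the file in the Startup folder; the hardened version refuses anything that is not a bare file name and then re-checks that the resolved path is still inside the upload directory. The drive layout is simulated in a temporary directory, so the number of ../ segments the example builds is whatever that layout needs, not the attacker's actual request.

```python
"""Added example (not Output Messenger code): weak upload handler beside a hardened one,
exercised against a traversal payload in a simulated drive root under a temp directory."""
import os
import tempfile

# Default upload location and the all-users Startup folder named in the post, relative to the drive root.
UPLOAD_DIR = os.path.join("Program Files", "Output Messenger Server", "OfflineMessages", "Temp1", "File")
STARTUP_DIR = os.path.join("ProgramData", "Microsoft", "Windows", "Start Menu", "Programs", "StartUp")


def vulnerable_save(base: str, name: str, data: bytes) -> str:
    """Weak pattern: whatever `name` says is joined onto the upload dir and written.
    normpath only canonicalises the result; the '..' segments still escape `base`."""
    dest = os.path.normpath(os.path.join(base, name))
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def safe_save(base: str, name: str, data: bytes) -> str:
    """Hardened: accept only a bare file name, then confirm the resolved path stays
    inside the upload directory so a later bug in the first check cannot reopen the hole."""
    if not name or name in (".", "..") or "/" in name or "\\" in name or "\x00" in name:
        raise ValueError(f"rejected upload name: {name!r}")
    root = os.path.realpath(base)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("resolved path escapes upload directory")
    os.makedirs(root, exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def traversal_name(base: str, drive_root: str, target_rel: str) -> str:
    """Build the '../' string that climbs from `base` to `drive_root` and descends to `target_rel`
    for this simulated layout (constructed here, not the actor's real request)."""
    depth = len(os.path.relpath(base, drive_root).split(os.sep))
    return os.path.join(*([".."] * depth), target_rel)


def demo() -> tuple:
    """Run both handlers on the same payload. Returns (weak handler wrote into Startup,
    hardened handler refused the payload, hardened handler still accepts a plain name)."""
    with tempfile.TemporaryDirectory() as drive:
        base = os.path.join(drive, UPLOAD_DIR)
        os.makedirs(base)
        payload = traversal_name(base, drive, os.path.join(STARTUP_DIR, "OMServerService.vbs"))
        body = b"' placeholder bytes standing in for the dropped script\r\n"  # constructed, never executed

        written = vulnerable_save(base, payload, body)
        landed_in_startup = written == os.path.join(drive, STARTUP_DIR, "OMServerService.vbs")

        try:
            safe_save(base, payload, body)
            refused = False
        except ValueError:
            refused = True

        ok = safe_save(base, "report.pdf", b"%PDF-1.4\n")
        plain_name_works = os.path.dirname(ok) == os.path.realpath(base)
        return landed_in_startup, refused, plain_name_works


if __name__ == "__main__":
    print(demo())
```

The containment check uses realpath on both sides so that symlinks under the upload directory cannot be used to point a "bare" name outside it either; the name filter alone would pass such a case.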