
A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

This analysis details a campaign in which two threat groups, UNC5518 and UNC5774, deploy the CORNFLAKE.V3 backdoor. UNC5518 compromises legitimate websites to serve fake CAPTCHA pages that lure visitors into executing a downloader script themselves. UNC5774 then uses that access to deploy CORNFLAKE.V3, a backdoor with variants in JavaScript (run under Node.js) and PHP. The malware collects system information, establishes persistence, and can execute payloads of several kinds, including shell commands, executables and DLLs. It communicates with its command and control servers over HTTP and can abuse Cloudflare Tunnels to proxy that traffic. Post-compromise activity also includes Active Directory reconnaissance and credential-harvesting attempts via Kerberoasting.

OPENCTI LABELS :

backdoor,node.js,clickfix,php,cornflake.v3,windytwist.sea,kerberoasting


AI COMMENTARY :

1. A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor
CORNFLAKE.V3 is the payload of a coordinated campaign in which two distinct threat groups hand access from one to the other to gain and keep footholds in targeted environments. The name is a tracking designation for the malware family, not something the operators chose, so it says nothing about their tradecraft. This report unpacks UNC5518's initial intrusion vector and UNC5774's subsequent deployment of a backdoor capable of system data collection and flexible payload execution.

2. The Adversaries: UNC5518 and UNC5774
UNC5518 initiates the operation by compromising legitimate websites and injecting fake CAPTCHA pages (the ClickFix lure reflected in the report's labels) that trick visitors into running a downloader script on their own machine. Once the downloader has a foothold, UNC5774 uses that access to deploy CORNFLAKE.V3. The report is also tagged windytwist.sea; the summary does not describe how that label relates to the hand-off. Splitting initial access from post-exploitation between two groups streamlines the intrusion and widens the campaign's reach.

3. Anatomy of CORNFLAKE.V3
CORNFLAKE.V3 exists in JavaScript and PHP variants with the same core capabilities: it collects system information, establishes persistence, and executes whatever payload type its operators send. Supported payloads include shell commands, executables and DLLs, and the backdoor changes its behaviour according to instructions received from the command and control servers. Because the payload is fetched at run time rather than bundled, the operators can pivot quickly while keeping the resident component small and unremarkable.

4. Command and Control Infrastructure
Communication with the C2 servers occurs over HTTP, so beacons blend in with ordinary web requests. The adversaries abuse Cloudflare Tunnels to proxy that traffic, which hides the real server address behind Cloudflare's edge: the victim only ever connects to a Cloudflare-served hostname, so IP-reputation blocking and WHOIS-style attribution of the destination address yield nothing useful, and defenders have to work at the hostname and request level instead.

5. Active Directory Reconnaissance and Kerberoasting
Beyond deploying CORNFLAKE.V3, the campaign includes Active Directory reconnaissance and credential-harvesting attempts via Kerberoasting. The attacker enumerates accounts that have a Service Principal Name, requests a service ticket for each, and cracks the tickets offline, since part of each ticket is encrypted with the service account's password hash. Any SPN account with a weak password is at risk, and tickets issued with RC4-HMAC are far cheaper to crack than AES tickets. Success yields service-account credentials that let the actors escalate privileges and deepen their access, a significant risk in enterprise environments.

6. Defense Strategies and Mitigation
Organizations can counter this threat on several fronts. Site owners should validate website integrity and monitor for unauthorized changes to web content, since the campaign starts with a legitimate site being altered to serve the fake CAPTCHA; keeping the web server, CMS and PHP components patched reduces the chance of that compromise. Network defenders should scrutinize HTTP traffic for beacon-like patterns and flag connections to Cloudflare Tunnel hostnames (such as trycloudflare.com quick tunnels) that no sanctioned application uses. Logging Kerberos service ticket requests and alerting on one principal requesting tickets for many distinct SPNs in a short window, especially RC4-encrypted ones, detects Kerberoasting; giving SPN accounts long random passwords or moving them to group managed service accounts, and restricting RC4, removes most of the attacker's payoff.
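The two detections suggested in sections 4 to 6, as an added example that is not code from the report or from the analysed malware: a Kerberoasting rule run over constructed Windows Security event 4769 lines, and a Cloudflare Tunnel hostname check run over constructed proxy log lines. The log formats, hostnames, account names and thresholds are assumptions made for the example; only the 4769 field names and the encryption type codes (0x17 RC4-HMAC, 0x12 AES256) are real.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 ("A Kerberos service ticket was requested") events rendered as
# key=value lines. Field names follow the 4769 EventData schema; the accounts,
# services and timestamps are invented for this example.
KERB_LOG = """\
2025-08-18T10:00:01Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=sqlsvc TicketEncryptionType=0x17 Status=0x0
2025-08-18T10:00:02Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=httpsvc TicketEncryptionType=0x17 Status=0x0
2025-08-18T10:00:02Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=backupsvc TicketEncryptionType=0x17 Status=0x0
2025-08-18T10:00:03Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=mssqlsvc2 TicketEncryptionType=0x17 Status=0x0
2025-08-18T10:00:03Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0
2025-08-18T10:00:04Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=WKS01$ TicketEncryptionType=0x12 Status=0x0
2025-08-18T11:30:00Z EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=sqlsvc TicketEncryptionType=0x12 Status=0x0
2025-08-18T11:31:00Z EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=httpsvc TicketEncryptionType=0x17 Status=0x0
"""

KERB_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4769 TargetUserName=(?P<user>\S+) ServiceName=(?P<svc>\S+) "
    r"TicketEncryptionType=(?P<etype>0x[0-9a-fA-F]+) Status=(?P<status>\S+)$"
)
RC4_HMAC = 0x17


def parse_4769(text):
    """Return (timestamp, user, service, etype, status) tuples for each 4769 line."""
    events = []
    for line in text.splitlines():
        m = KERB_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["svc"], int(m["etype"], 16), m["status"]))
    return events


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Flag accounts that obtained RC4-encrypted service tickets for at least
    `min_services` distinct user-account SPNs within `window`. krbtgt and machine
    accounts (names ending in $) are ignored: they are not crackable Kerberoast
    targets and machine accounts request tickets constantly."""
    by_user = defaultdict(list)
    for ts, user, svc, etype, status in events:
        if status != "0x0" or etype != RC4_HMAC:
            continue
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        by_user[user].append((ts, svc))
    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(in_window) >= min_services:
                alerts.append((user, sorted(in_window)))
                break
    return alerts


# Constructed proxy log lines; the tunnel hostname is an invented quick-tunnel name.
PROXY_LOG = """\
2025-08-18T10:05:00Z src=10.0.0.5 method=POST host=lucky-wolf-ideas-arrive.trycloudflare.com path=/init status=200
2025-08-18T10:05:07Z src=10.0.0.5 method=GET host=www.example.com path=/ status=200
2025-08-18T10:05:09Z src=10.0.0.7 method=GET host=updates.example.org path=/feed status=200
"""

PROXY_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) host=(?P<host>\S+) "
    r"path=(?P<path>\S+) status=\S+$"
)
# Cloudflare quick tunnels are served under trycloudflare.com. Named tunnels sit
# behind the operator's own domain and will not match; add those from intel feeds.
TUNNEL_SUFFIXES = ("trycloudflare.com",)


def detect_tunnel_hosts(text, suffixes=TUNNEL_SUFFIXES, allowlist=()):
    """Return (source, host, path) for requests to tunnel hostnames not on the allowlist."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        host = m["host"].lower()
        if host in allowlist:
            continue
        if any(host == s or host.endswith("." + s) for s in suffixes):
            hits.append((m["src"], host, m["path"]))
    return hits


if __name__ == "__main__":
    for user, services in detect_kerberoasting(parse_4769(KERB_LOG)):
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
    for src, host, path in detect_tunnel_hosts(PROXY_LOG):
        print(f"Cloudflare Tunnel traffic from {src} to {host}{path}")
```

On the constructed input the Kerberoasting rule fires for jdoe (four distinct RC4 service tickets in two seconds) and stays silent for asmith, whose single RC4 request is normal noise. The RC4 filter is a tunable, not a requirement: tooling can request AES tickets, so a second, higher threshold on distinct SPNs regardless of encryption type is worth running alongside. The hostname check only catches quick tunnels; a named tunnel on an attacker-owned domain looks like any other HTTPS destination, which is why the beaconing pattern in section 4 matters as much as the hostname.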

7. Conclusion The CORNFLAKE.V3 campaign exemplifies the evolving sophistication of backdoor malware and the seamless collaboration between threat groups. Through comprehensive threat intelligence and proactive defense measures, organizations can improve their resilience and mitigate the impact of similar attacks.

