In a blog post Monday, Trend Micro researchers Christopher Ordonez and Alvin Nieto detailed the relatively novel technique that leveraged a legitimate rootkit in Avast’s antivirus offering.
Trend Micro, as well as Palo Alto Networks, noted that its emergence last year may have filled a void left by the shutdown of REvil.
Ordonez and Nieto suspect an exploit of Zoho ManageEngine ADSelfService Plus as the initial attack vector, based on indications that the actors leveraged the known vulnerability tracked as CVE-2021-40539.
By accessing Active Directory, the threat actors were able to create a new user account and gain administrative access inside the infected system.
“Once inside, the continuing trend of abusing legitimate tools and functions to mask malicious activities and actors’ presence grows in sophistication.
Both Log4Shell and CVE-2021-40539 were listed because they continue to pose a security risk, and threat actors are taking note.