CVE-2024-26234: Windows 0-day flaw exploited in malware attacks

In a troubling development within the cybersecurity world, security researchers have uncovered a malicious backdoor lurking within a popular Android screen mirroring program called LaiXi. Adding an extra layer of concern, this malware was disguised with a valid Microsoft Hardware Publisher Certificate, highlighting sophisticated tactics by the threat actors.

The discovery began in December 2023 when Sophos X-Ops detected a false positive on a suspicious, yet seemingly legitimate file. Closer analysis revealed typos in the file’s metadata and suspicious links to a company seemingly imitating the reputable Thales Group.

This file wasn’t just suspicious; it acted as a malicious backdoor. While researchers are hesitant to accuse the LaiXi software of deliberate wrongdoing, the connection between this sophisticated backdoor and LaiXi urges extreme caution for users.

Hainan YouHu Technology Co. Ltd is also shown as the publisher of the LaiXi application

“Just as we did in 2022, we immediately reported our findings to the Microsoft Security Response Center. After validating our discovery, the team at Microsoft has added the relevant files to its revocation list (updated today as part of the usual Patch Tuesday cycle; see CVE-2024-26234),” Andreas Klopsch said.

This isn’t the first time threat actors have exploited the Microsoft Windows Hardware Compatibility Program (WHCP). In 2022, signed drivers were used to try and disable endpoint security products. Though unrelated to that incident, this repeated abuse of WHCP certificates reveals a persistent threat to software integrity.

The analysis led to the revelation that the original requesting publisher was none other than Hainan YouHu Technology Co. Ltd, also listed as the publisher for the LaiXi application. Despite no concrete evidence implicating the LaiXi developers in embedding the malicious file, the connections between LaiXi and the malevolent backdoor—coupled with their persistence since at least January 2023—sounded alarms for heightened caution among users.

At its core, the suspicious file hosted a diminutive freeware proxy server, 3proxy, an unusual companion for an authentication client. This proxy was poised to surveil and intercept network traffic, betraying the infected system’s communications. The malware’s modus operandi involved masquerading as a legitimate service, complete with misleading service descriptions, thereby duping victims into a false sense of security.

Sophos researchers dug deeper, uncovering attempts at obfuscation and virtualization through VMProtect, tactics often employed by both legitimate software developers and nefarious actors alike. The intent was clear: to hinder malware analysis and cloak the backdoor’s true nature.

Independent analysis has revealed several variants of this specific backdoor, some predating the discovery by months. This suggests a dedicated, long-term campaign by the threat actors. Although there’s no evidence LaiXi developers were directly involved, the strong association of the malware with their software raises serious concerns.

The Sophos X-Ops team promptly reported their findings to the Microsoft Security Response Center, leading to the revocation of the implicated files. CVE-2024-26234 status updated: Microsoft confirms active exploitation and public disclosure of the vulnerability.