{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/yuze/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Yuze"],"_cs_severities":["medium"],"_cs_tags":["tunneling","command-and-control","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eYuze is a lightweight, open-source tunneling tool written in C, designed for intranet penetration testing but often abused by threat actors. It supports both forward and reverse SOCKS5 proxy tunneling, allowing for the creation of covert communication channels. Yuze is commonly executed via \u003ccode\u003erundll32\u003c/code\u003e, loading \u003ccode\u003eyuze.dll\u003c/code\u003e with the \u003ccode\u003eRunYuze\u003c/code\u003e export. While the project is available on GitHub, its use in conjunction with \u003ccode\u003erundll32\u003c/code\u003e is a strong indicator of suspicious activity. The tool is effective for bypassing network restrictions and masking malicious traffic, making it a valuable asset for attackers seeking to establish persistent access or exfiltrate sensitive data. Defenders should be vigilant for executions of \u003ccode\u003erundll32\u003c/code\u003e that load \u003ccode\u003eyuze.dll\u003c/code\u003e, especially when combined with command-line arguments indicative of tunnel creation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a target Windows system via an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker drops \u003ccode\u003eyuze.dll\u003c/code\u003e onto the system, possibly using tools like PowerShell or \u003ccode\u003ecertutil.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003erundll32.exe\u003c/code\u003e to execute the \u003ccode\u003eRunYuze\u003c/code\u003e export within \u003ccode\u003eyuze.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erundll32.exe\u003c/code\u003e command line includes arguments specifying the tunnel type (reverse or forward), along with the IP address and port of the C2 server or pivot point.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eYuze\u003c/code\u003e establishes a SOCKS5 proxy tunnel to the specified remote endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker configures their tools to use the newly created tunnel for command and control or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the tunneled connection to execute commands, transfer files, or access internal resources.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or achieves their objective (e.g., deploying ransomware) while masking their traffic through the established tunnel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deployment of Yuze can enable attackers to bypass network security controls, move laterally within a network, and exfiltrate sensitive data undetected. While the number of victims directly attributed to Yuze usage is not explicitly available, the tool's capabilities can significantly amplify the impact of other attacks, such as ransomware deployment or intellectual property theft. If successful, an attacker can maintain persistence and continue their malicious activity on the victim's network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Yuze Execution via Rundll32\u003c/code\u003e to detect the execution of Yuze via \u003ccode\u003erundll32.exe\u003c/code\u003e and monitor process creation events.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture command-line arguments for accurate detection of \u003ccode\u003erundll32.exe\u003c/code\u003e executions (logsource: process_creation).\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003erundll32.exe\u003c/code\u003e process loading \u003ccode\u003eyuze.dll\u003c/code\u003e (rule: \u003ccode\u003eDetect Yuze Execution via Rundll32\u003c/code\u003e) and analyze associated network connections for suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect SOCKS5 traffic originating from internal hosts to identify potential Yuze tunnels.\u003c/li\u003e\n\u003cli\u003eReview and harden endpoint security configurations to prevent unauthorized execution of DLLs via \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-yuze-tunneling/","summary":"This brief describes the detection of Yuze, an open-source tunneling tool often executed via rundll32 to proxy C2 or pivot traffic within a compromised network.","title":"Potential Protocol Tunneling via Yuze","url":"https://feed.craftedsignal.io/briefs/2024-01-yuze-tunneling/"}],"language":"en","title":"CraftedSignal Threat Feed - Yuze","version":"https://jsonfeed.org/version/1.1"}