<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Yuze - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/yuze/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/yuze/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potential Protocol Tunneling via Yuze</title><link>https://feed.craftedsignal.io/briefs/2024-01-yuze-tunneling/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-yuze-tunneling/</guid><description>This brief describes the detection of Yuze, an open-source tunneling tool often executed via rundll32 to proxy C2 or pivot traffic within a compromised network.</description><content:encoded><![CDATA[<p>Yuze is a lightweight, open-source tunneling tool written in C, designed for intranet penetration testing but often abused by threat actors. It supports both forward and reverse SOCKS5 proxy tunneling, allowing for the creation of covert communication channels. Yuze is commonly executed via <code>rundll32</code>, loading <code>yuze.dll</code> with the <code>RunYuze</code> export. While the project is available on GitHub, its use in conjunction with <code>rundll32</code> is a strong indicator of suspicious activity. The tool is effective for bypassing network restrictions and masking malicious traffic, making it a valuable asset for attackers seeking to establish persistent access or exfiltrate sensitive data. Defenders should be vigilant for executions of <code>rundll32</code> that load <code>yuze.dll</code>, especially when combined with command-line arguments indicative of tunnel creation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a target Windows system via an exploit or compromised credentials.</li>
<li>The attacker drops <code>yuze.dll</code> onto the system, possibly using tools like PowerShell or <code>certutil.exe</code>.</li>
<li>The attacker uses <code>rundll32.exe</code> to execute the <code>RunYuze</code> export within <code>yuze.dll</code>.</li>
<li>The <code>rundll32.exe</code> command line includes arguments specifying the tunnel type (reverse or forward), along with the IP address and port of the C2 server or pivot point.</li>
<li><code>Yuze</code> establishes a SOCKS5 proxy tunnel to the specified remote endpoint.</li>
<li>The attacker configures their tools to use the newly created tunnel for command and control or lateral movement.</li>
<li>The attacker leverages the tunneled connection to execute commands, transfer files, or access internal resources.</li>
<li>The attacker exfiltrates sensitive data or achieves their objective (e.g., deploying ransomware) while masking their traffic through the established tunnel.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deployment of Yuze can enable attackers to bypass network security controls, move laterally within a network, and exfiltrate sensitive data undetected. While the number of victims directly attributed to Yuze usage is not explicitly available, the tool's capabilities can significantly amplify the impact of other attacks, such as ransomware deployment or intellectual property theft. If successful, an attacker can maintain persistence and continue their malicious activity on the victim's network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Yuze Execution via Rundll32</code> to detect the execution of Yuze via <code>rundll32.exe</code> and monitor process creation events.</li>
<li>Enable Sysmon process creation logging to capture command-line arguments for accurate detection of <code>rundll32.exe</code> executions (logsource: process_creation).</li>
<li>Investigate any <code>rundll32.exe</code> process loading <code>yuze.dll</code> (rule: <code>Detect Yuze Execution via Rundll32</code>) and analyze associated network connections for suspicious activity.</li>
<li>Implement network monitoring to detect SOCKS5 traffic originating from internal hosts to identify potential Yuze tunnels.</li>
<li>Review and harden endpoint security configurations to prevent unauthorized execution of DLLs via <code>rundll32.exe</code>.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>tunneling</category><category>command-and-control</category><category>windows</category></item></channel></rss>