Ethical Hacking News
Mandiant Threat Defense researchers have published an analysis of CORNFLAKE.V3, a backdoor whose operators keep refining it against evolving security measures. The interesting part is not that it is novel but that it is actively maintained: a port to a second runtime, changed on-disk indicators and less predictable persistence, all of which defenders need to account for.

CORNFLAKE.V3 is a multi-stage backdoor that exists as a Node.js variant and, more recently, a PHP variant. It downloads payloads from its command-and-control (C2) server, which also sends commands and further instructions, and it can execute those payloads in several forms: DLL, JS, CMD and EXE.
In the PHP variant, JavaScript payload execution was retained by having the JS command download the Node.js runtime itself before running the payload. Other notable changes are that DLL and JS payload files now use .png and .jpg extensions to evade detection, and two commands, ACTIVE and AUTORUN, were added. The core functionality of the backdoor is otherwise unchanged despite the move from Node.js to PHP.
For persistence, the Node.js variant creates a Run key value named ChromeUpdater under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Because the backdoor is initially launched as an inline script (node.exe -e "<script>"), there is no script file on disk for the Run key to point at, so the malware reconstructs one: it uses wmic.exe to obtain the command line of the running node.exe process, and if node.exe was launched with -e, as the malware does initially, it extracts the argument after -e, which is the full malicious script. That script is written to a .log file in the Node.js installation directory and its path is saved in the path2file variable.
The script then sets the ChromeUpdater value to node.exe followed by that path, so the backdoor is re-launched at every user logon. A Run value that starts node.exe against a .log file is a strong indicator on its own, independent of the value name.
Beyond persistence, the operators have been observed delivering follow-on payloads through the backdoor, notably Active Directory reconnaissance and Kerberoasting scripts. A PHP-based variant of the backdoor itself has also appeared and is described below.
The Active Directory reconnaissance payload, similar to the one encountered with the Node.js variant, was received from the C2 server and executed. The script first checks whether the host is joined to an Active Directory domain and then collects: whether the machine is domain joined; the total number of computer accounts in AD; domain trust relationships; the list of all domain controllers; the members of the "Domain Admins" group; user accounts configured with a Service Principal Name (SPN); all local groups and their members; and the current user's name, SID, local group memberships and security privileges. The SPN list is what feeds the next step.
The Kerberoasting payload is a batch script that attempts to harvest credentials via Kerberoasting. It queries Active Directory for user accounts configured with SPNs, which often indicates a service running under a user account with a human-chosen password rather than a managed one. For each such account it requests a Kerberos service ticket; part of that ticket is encrypted with a key derived from the service account's password, and the script extracts that portion and formats it as a crackable hash. The hashes are exfiltrated to the C2 server, where the attacker can crack them offline without touching the domain again. Tickets obtained with RC4 encryption are much cheaper to crack than AES ones, which is why this activity tends to stand out in domain controller logs.
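The telemetry side of the Kerberoasting step, as an added example that is not part of the original article or the Mandiant write-up: a small Python hunt over Windows Security event 4769 (Kerberos service ticket request) records. It assumes a CSV export with the fields used below (constructed data, with a made-up corp.local domain and made-up service account names) and raises any non-machine account that obtains RC4-HMAC tickets for several distinct services within a short window, which is what the batch script described above produces on the domain controller.

```python
"""Flag Kerberoasting from Windows Security event 4769 (service ticket request).

Added example, not code from the Mandiant write-up. A Kerberoasting script asks
the KDC for one service ticket per SPN-bearing user account; each ticket is
encrypted with the service account's password-derived key, which is what gets
cracked offline. On the domain controller that shows up as a burst of 4769
events from one account, typically requesting RC4-HMAC (etype 0x17) because
RC4 tickets crack far faster than AES ones. The sample below is a constructed
CSV export (time, account, service, etype, status), not real telemetry.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RC4_HMAC = 0x17      # TicketEncryptionType value for RC4-HMAC
KDC_SUCCESS = 0x0    # Status of a successful TGS request


@dataclass(frozen=True)
class TgsRequest:
    time: datetime
    account: str   # requesting user (TargetUserName without the realm)
    service: str   # account owning the requested SPN (ServiceName)
    etype: int
    status: int


def parse_4769_csv(text: str) -> list[TgsRequest]:
    """Parse the constructed CSV export into TgsRequest records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        TgsRequest(
            time=datetime.fromisoformat(r["time"]),
            account=r["account"],
            service=r["service"],
            etype=int(r["etype"], 16),
            status=int(r["status"], 16),
        )
        for r in rows
    ]


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3) -> dict[str, set[str]]:
    """Return {account: services} for accounts that obtained RC4 tickets for at
    least `min_services` distinct services within `window`.

    Machine accounts (trailing '$') are skipped: they legitimately request many
    tickets, and the backdoor runs as the logged-on user, not the computer.
    """
    by_account: dict[str, list[TgsRequest]] = defaultdict(list)
    for ev in events:
        if ev.etype == RC4_HMAC and ev.status == KDC_SUCCESS and not ev.account.endswith("$"):
            by_account[ev.account].append(ev)

    hits: dict[str, set[str]] = {}
    for account, reqs in by_account.items():
        reqs.sort(key=lambda r: r.time)
        # Anchor a window at each request; the first window that reaches the
        # threshold is enough to raise the account.
        for i, first in enumerate(reqs):
            services = {r.service for r in reqs[i:] if r.time - first.time <= window}
            if len(services) >= min_services:
                hits[account] = services
                break
    return hits


# Constructed sample: alice roasts four services in seconds, bob uses AES,
# WS01$ is a machine account, carol's RC4 requests are hours apart.
SAMPLE_4769_CSV = """\
time,account,service,etype,status
2025-08-20T10:00:01,alice,svc_sql,0x17,0x0
2025-08-20T10:00:02,alice,svc_web,0x17,0x0
2025-08-20T10:00:02,alice,svc_files,0x17,0x0
2025-08-20T10:00:03,alice,svc_exchange,0x17,0x0
2025-08-20T10:00:05,bob,svc_sql,0x12,0x0
2025-08-20T10:00:06,bob,svc_web,0x12,0x0
2025-08-20T10:00:07,WS01$,svc_web,0x17,0x0
2025-08-20T10:00:08,WS01$,svc_files,0x17,0x0
2025-08-20T10:00:09,WS01$,svc_sql,0x17,0x0
2025-08-20T11:30:00,carol,svc_sql,0x17,0x0
2025-08-20T11:45:00,carol,svc_files,0x17,0x0
2025-08-20T12:00:00,carol,svc_web,0x17,0x0
"""

if __name__ == "__main__":
    for account, services in detect_kerberoasting(parse_4769_csv(SAMPLE_4769_CSV)).items():
        print(f"{account}: {len(services)} RC4 service tickets -> {sorted(services)}")
```

The thresholds are deliberately loose; in a real environment tune `window` and `min_services` against a baseline, and treat accounts that only ever use AES (etype 0x11/0x12) as low priority. Machine accounts are excluded here for noise reasons, not because an attacker cannot request tickets from a computer context.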
The PHP variant of CORNFLAKE.V3 was recently observed by Mandiant Threat Defense researchers. It was dropped by an in-memory script that ran after the victim interacted with a malicious ClickFix lure page. That script downloads the PHP package from windows.php[.]net, writes it to disk as php.zip and extracts its contents to the C:\Users\\AppData\Roaming\php\ directory.
The CORNFLAKE.V3 PHP sample is contained in the config.cfg file that was also dropped in the same directory and executed with the following command line arguments: "C:\\Users\\AppData\Roaming\php\php.exe" -d extension=zip -d extension_dir=ext C:\Users\\AppData\Roaming\php\config.cfg 1
To maintain persistence, this variant uses a Run key value named after a randomly chosen directory in %APPDATA% or %LOCALAPPDATA%, rather than the fixed ChromeUpdater string of the Node.js version, so there is no single value name to hunt for; the executable it launches, php.exe from a user-writable directory, is the more durable indicator. For C2 communication it generates a unique URL path for every request.
In both variants the payload type is determined by the last byte of the received payload; the byte values used by the PHP variant differ from those used by the Node.js variant, so a signature keyed on the Node.js values will not carry over.
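Both persistence mechanisms described above, the fixed ChromeUpdater value of the Node.js variant and the randomly named value of the PHP variant, can be hunted with the same logic. The Python below is an added example, not code from the article or the Mandiant write-up: it scans Run key entries exported as (value name, command line) pairs, all sample data is constructed, and it assumes the PHP variant's Run value launches php.exe with the same arguments as the initial command line quoted above, which the write-up does not state.

```python
"""Hunt for CORNFLAKE.V3-style persistence in HKCU ...\\Run entries.

Added example, not code from the Mandiant write-up. Input is a list of
(value_name, command_line) pairs, as an export of
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run would give. It flags:
  * node.exe persisting an inline script that was dumped to a .log file
    (the ChromeUpdater pattern of the Node.js variant), and
  * php.exe run from %APPDATA%/%LOCALAPPDATA% with `-d extension=zip` against
    a .cfg file, or under a value name matching an existing directory there
    (the PHP variant's randomly named Run key). That the Run value reuses the
    dropper's php.exe command line is an assumption; the write-up only gives
    the initial command line.
All sample data below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# A Windows command line token is either a double-quoted string or a run of
# non-whitespace characters.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmd: str) -> list[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _under_appdata(path: str) -> bool:
    p = path.lower()
    return "\\appdata\\roaming\\" in p or "\\appdata\\local\\" in p


@dataclass(frozen=True)
class Finding:
    value_name: str
    reason: str


def check_run_entry(name: str, cmd: str, appdata_dirs: set[str]) -> Finding | None:
    """Return a Finding if one Run value looks like CORNFLAKE.V3 persistence."""
    tokens = split_cmdline(cmd)
    if not tokens:
        return None
    exe, args = tokens[0], tokens[1:]
    image = _basename(exe)

    if image == "node.exe":
        # Node.js variant: the inline -e script is written to a .log file and
        # the Run value becomes `node.exe <that .log>`.
        if any(_basename(a).endswith(".log") for a in args):
            return Finding(name, "node.exe launched against a .log file at logon")
        if name.lower() == "chromeupdater":
            return Finding(name, "node.exe persisted under the ChromeUpdater value name")
        if "-e" in args:
            return Finding(name, "node.exe running an inline script at logon")

    if image == "php.exe" and _under_appdata(exe):
        lowered = [a.lower() for a in args]
        loads_zip = "extension=zip" in lowered
        cfg_script = any(a.endswith(".cfg") for a in lowered)
        if loads_zip and cfg_script:
            return Finding(name, "php.exe from AppData running a .cfg script with the zip extension")
        if name in appdata_dirs:
            return Finding(name, "php.exe from AppData under a value named after an AppData directory")

    return None


def scan(entries: list[tuple[str, str]], appdata_dirs: set[str]) -> list[Finding]:
    """Apply check_run_entry to every (value_name, command_line) pair."""
    findings = []
    for name, cmd in entries:
        finding = check_run_entry(name, cmd, appdata_dirs)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: a Run key export for user "alice" with two benign
# entries, the Node.js persistence and the assumed PHP persistence.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Discord", r'"C:\Users\alice\AppData\Local\Discord\Update.exe" --processStart Discord.exe'),
    ("ChromeUpdater",
     r'"C:\Users\alice\AppData\Local\Programs\node\node.exe" '
     r'"C:\Users\alice\AppData\Local\Programs\node\np.log"'),
    ("Adobe",
     r'"C:\Users\alice\AppData\Roaming\php\php.exe" -d extension=zip -d extension_dir=ext '
     r'C:\Users\alice\AppData\Roaming\php\config.cfg 1'),
]
# Constructed: directory names present under %APPDATA% / %LOCALAPPDATA%.
SAMPLE_APPDATA_DIRS = {"Microsoft", "Adobe", "Discord", "Mozilla", "php"}

if __name__ == "__main__":
    for f in scan(SAMPLE_RUN_ENTRIES, SAMPLE_APPDATA_DIRS):
        print(f"{RUN_KEY}\\{f.value_name}: {f.reason}")
```

To run this against a live host, feed it the output of a Run key export (for example `reg query` or `Get-ItemProperty` on the key above) and a directory listing of %APPDATA% and %LOCALAPPDATA%; the directory-name match is weak on its own and is only reported together with php.exe running from AppData.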
In conclusion, CORNFLAKE.V3 is a backdoor under active development: a second runtime, payloads written with image file extensions, less predictable persistence names and a unique C2 path per request. Fixed indicators such as the ChromeUpdater value name will not survive the next revision, so defenders should hunt for the behaviours described above instead, in particular node.exe or php.exe launched from user-writable directories, Run key values pointing at .log or .cfg files, and bursts of service ticket requests from a single user account.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Deep-Dive-into-CORNFLAKEV3-Unpacking-the-Advanced-Malware-Threat-ehn.shtml
https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor/
Published: Wed Aug 20 10:53:55 2025 by llama3.2 3B Q4_K_M