Monthly Cyber Security Threats Update – February 2024
In this month's cyber threats rollup, we have observed continued cyber-attacks from well-known threat actors and state sponsored attacks from China, Russia, and North Korea. We also saw the resurgence of Bumblebee malware and the continued campaign by an unknown actor who uses malvertising to distribute the Rhadamanthys infostealer.
We also saw large range of attack techniques from the use of Calendly meeting links and WhatsApp messages, through to methods of hiding malware in PNG files and emails impersonating booking requests from Booking.com. We also observed the discovery of a new backdoor attack that targets macOS users.
Our Keysight Application and Threat Intelligence (ATI) Research Center stays alert to this changing threat landscape and has created a number of new Threat Campaigns and Audits to keep our customers and partners safe, by simulating the attacks and incorporating them into Threat Simulator, our breach and attack simulation (BAS) platform.
Read on to learn about these new simulations and how we can assist you in maintaining your safety, no matter where you are in the world.
New Threat Campaigns
Figure 1: Recent Threat Campaigns available in Threat Simulator
One year later, Rhadamanthys is still dropped via malvertising
The article outlines a threat campaign by an unknown actor who uses malvertising to distribute the Rhadamanthys info stealer. The actor impersonates well-known brands in sponsored search results, tricking users into clicking malicious ads which lead to decoy websites. Upon clicking the ad, victims are tricked into downloading a dropper, which retrieves Rhadamanthys via a URL. Rhadamanthys attempts to steal credentials stored in applications such as PuTTY, WinSCP and mail programs. The campaign has been ongoing since 2023 and has been observed to target business users.
GUloader Unmasked: Decrypting the Threat of Malicious SVG Files
The article discusses a recent campaign involving GUloader, a sophisticated malware loader that uses evasion techniques such as polymorphic code and encryption to alter its structure and avoid detection by antivirus software and intrusion detection systems. The campaign is characterized by the distribution of GUloader through a malicious SVG (Scalable Vector Graphics) file delivered via email. Upon opening the SVG file, several actions are triggered leading to the infiltration of the victim's network. The malware modifies the Registry run key to achieve persistence and can download and deploy various other malware variants.
Calendar Meeting Links Used to Spread Mac Malware
North Korean state-sponsored hackers, reportedly a subgroup of the Lazarus hacking group known as BlueNoroff, are targeting individuals in the cryptocurrency space. The attackers impersonate credible cryptocurrency investors and use the scheduling application Calendly to send malicious meeting links. The links prompt the user to run a script that installs malware on macOS systems. Victims are tricked into clicking the link under the guise of a video conference call. The malicious script gives hackers control over the victim's computer, leading to potential theft of funds.
BlackCat Ransomware Affiliate TTPs | Huntress Blog
The article describes a ransomware attack executed through the ScreenConnect application. The threat actor gained access to an endpoint via a rogue ScreenConnect instance, downloaded and executed the ALPHV/BlackCat ransomware variant, which is offered as Ransomware as a Service (RaaS). The ransomware was able to move laterally within the infrastructure and targeted named endpoints. The affected entity appears to be within the healthcare community. Two vulnerabilities and software weaknesses in ScreenConnect were mentioned in the text.
Xeno RAT: A New Remote Access Trojan with Advance Capabilities
Cyfirma describes a campaign involving the use of Xeno RAT, an advanced malware available for free on GitHub. The threat actor customized the settings of Xeno RAT and disseminated it via the Discord CDN, primarily through a shortcut file disguised as a WhatsApp screenshot. The malware employs multiple evasion tactics including anti-debugging techniques, obfuscation within files/code, and obfuscated network traffic. It also maintains persistence by adding itself as a scheduled task and leverages the DLL search order functionality in Windows to load the malicious DLL into a trusted executable process. The article does not specify any affected entities, regions, or exploited vulnerabilities.
When Stealers Converge: New Variant of Atomic Stealer in the Wild
Bitdefender detected a new variant of the AMOS (Atomic) Stealer, a prevalent threat for macOS users. This malware variant a combination of Python and Apple Script to steal data and remain covert. It targets browser data, user account password, and specific system files, and uses tactics to identify sandbox or emulator execution. The malware also shares code with the RustDoor backdoor. The stolen data is sent to the C2 server.
Hackers Use Steganography Methods To Hide Malware In PNG File
Threat actor UAC-0184 is employing steganography techniques to hide Remcos RAT malware in PNG files and target Ukrainian entities based in Finland. The threat actor is using the IDAT loader to obscure malicious code, enabling the malware to evade detection and execute in memory. The Remcos RAT allows the attacker to control infected computers, steal data, and monitor activities. Morphisec Threat Labs identified the threat and successfully prevented numerous attacks. The threat actor also uses deceptive recruitment tactics, as revealed in a phishing email posing as an IDF consultant.
Abyss Locker Ransomware Attacks Microsoft Windows and Linux Users
FortiGuard Labs reports on the Abyss Locker ransomware, which targets Microsoft Windows and Linux platforms, particularly those using VMware ESXi systems. Based on the HelloKitty ransomware source code, Abyss Locker steals and encrypts victims' files, and demands a ransom for file decryption. This ransomware was first detected in July 2023, but its origins may date even earlier. The Windows version of Abyss Locker was discovered in January 2024, with a second version and a Linux variant identified shortly after. The ransomware samples have been submitted from various regions, indicating a widespread attack.
Earth Preta Campaign Uses DOPLUGS to Target Asia
The article describes a campaign called SMUGX, attributed to the APT group Earth Preta, targeting Asian countries including Taiwan, Vietnam, and Malaysia. The campaign uses a customized PlugX malware, named DOPLUGS, different from general PlugX malware, which is used for downloading the latter. The DOPLUGS malware uses the KillSomeOne module, a USB worm.
Unveiling UAC-0184: The Steganography Saga of the IDAT Loader Delivering Remcos RAT to a Ukraine Entity in Finland
The text describes a cyber-attack campaign orchestrated by threat actor UAC-0184, targeting Ukrainian entities based in Finland. The attack uses the IDAT loader to deliver the Remcos Remote Access Trojan (RAT), using steganography as a technique for defense evasion. The IDAT loader also loads other malware families like Danabot, SystemBC, and RedLine Stealer. The attack was initiated through a carefully crafted phishing email.
SEO Poisoning to Domain Control: The Gootloader Saga Continues
The threat actor initiated the attack by exploiting search engine optimization (SEO) poisoning to cause a user to download and execute a Gootloader malware. This was followed by the deployment of a Cobalt Strike beacon payload and the use of SystemBC to gain Remote Desktop Protocol (RDP) access into the network, compromising domain controllers and other key servers. The attacker continued to move laterally within the network, disabling security measures and attempting to deploy more payloads. Despite setbacks from active security defenses, the threat actor persisted and managed to gain access to sensitive files and servers. It is unconfirmed whether any data was exfiltrated.
Ongoing Phishing Campaign Targets Healthcare and Cryptocurrency Users via ScreenConnect
Cyble describes a phishing campaign targeted at the cryptocurrency community and healthcare organizations in the US, led by unidentified Threat Actors (TAs). The TAs exploit ScreenConnect, a legitimate remote support tool, for malicious purposes. The campaign uses sophisticated tactics such as subdomain takeover to host phishing sites and lure victims into downloading ScreenConnect clients. Once compromised, the TAs can conduct further malicious operations, including data theft and ransomware deployment. The campaign indicates a particular focus on the healthcare sector's vulnerabilities.
Intruders in the Library: Exploring DLL Hijacking
Unit42 discusses the technique of Dynamic-link library (DLL) hijacking used by various threat actors for cyber espionage and system compromise. Both nation-state Advanced Persistent Threat (APT) groups and cybercrime threat actors use this technique as it provides a stealthy way to run malware, evade detection, and establish a foothold in the system. The actors exploit vulnerabilities in legitimate executables to load and run a malicious DLL, often using different variations like DLL side-loading, DLL search order hijacking, and phantom DLL loading. The article highlights real-world examples, including attacks from the Stately Taurus APT group and cybercriminals using AsyncRAT and PlugX Remote Access Trojan (RAT).
DarkGate: Opening Gates for Financially Motivated Threat Actors
EclecticIQ analysts describe a cybercrime campaign involving the use of the DarkGate loader by financially motivated threat actors, such as TA577, Ducktail, BianLian, and Black Basta. These actors primarily target financial institutions in Europe and the USA, deploying the DarkGate loader through tactics like double extortion, phishing emails, and abusing legitimate channels like Google's DoubleClick Ad. The DarkGate loader is used to create an initial foothold and deploy different types of malware within the victims' corporate networks, thus increasing the number of infected devices and volume of data exfiltrated. The loader is also advertised as a Malware-as-a-Service (MaaS) tool on cybercrime forums, offering features like hidden virtual network computing (hVNC), user interface for data exfiltration, keylogger, and a rootkit module.
Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT's Variant)
Nood RAT, a Linux variant of Gh0st RAT developed by the C. Rufus Security Team of China, has been used in various vulnerability attacks since 2018. The malware disguises itself as a legitimate program and enables threat actors to carry out multiple malicious activities, including downloading malicious files, stealing system's internal files, and executing commands. It is equipped with encryption features to avoid network packet detection. Notable attacks include WebLogic vulnerability attacks and Cloud Snooper APT attacks.
SNS Sender | Active Campaigns Unleash Messaging Spam Through the Cloud
SentinelOne discusses a new tool called SNS Sender used by a threat actor known by the alias ARDUINO_DAS for SMS phishing attacks using AWS SNS. This tool sends bulk SMS messages containing phishing links. The attacks often masquerade as a message from the United States Postal Service (USPS) about a missed package delivery. AWS credentials compromised from an environment not under SNS sandbox restrictions are needed for the script to run. The actor has been linked to numerous phishing kits used to steal personal and payment card information.
Thousands of Hijacked Major-Brand Subdomains Found Bombarding Users With Millions…
The article describes a campaign called 'SubdoMailing' orchestrated by a threat actor named 'ResurrecAds'. The actor hijacks subdomains of big brands and institutions, such as MSN, VMware, and McAfee, then uses these domains to send millions of spam and phishing emails daily. The emails are designed to appear authentic, bypassing security measures due to the credibility of the hijacked domains. The campaign's main objective is to generate as many ad clicks as possible for financial gain.
Online Travelers at Risk: Agent Tesla Malware Attacks Travel Industry
The article describes a malicious cyber campaign that is delivered via email with a PDF attachment that downloads a Remote Access Trojan (RAT), infecting the system. The email impersonates a booking request from Booking.com and attempts to scam the recipient into opening the attachment. Upon execution, a sophisticated multi-stage obfuscation strategy is used to load the Agent Tesla malware, which allows attackers to conduct malicious activities such as data theft and executing commands on compromised systems.
Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
Trend Micro documented the use of CVE-2024-1708 and CVE-2024-1709 vulnerabilities in ScreenConnect to deploy LockBit, XWorm and Cobalt Strike malware. The main target of the threat actors appears to be businesses reliant on this software.
Fake Developer Jobs Laced With Malware
A malicious npm package, identified as 'execution-time-async', was discovered by Phylum masquerading as a code profiler, but actually installing several harmful scripts, including a cryptocurrency and credential stealer. The code was hidden in a test file, with the attackers likely assuming it would not be inspected for malware. The malicious package was linked to suspect repositories on GitHub. Subsequent updates to the package involved changes in tactics, including self-hosting the malicious npm dependency and shifting activities between different GitHub repositories. The campaign appears to be a social engineering effort targeting developers, possibly in the guise of a coding interview or job application.
TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)
AhnLab warned that a threat actor has been distributing malware strains through a Korean construction association's website. Users are unknowingly downloading the malware when they install necessary security programs to access the site's services. The malware strains, a backdoor malware and an infostealer, are embedded in the security program installers. Once installed, these malware strains can execute commands from the threat actor and collect data from the infected system. The malware strains are signed with a stolen valid certificate from a Korean defense company, which allows them to bypass anti-malware product detection.
8220 Gang Cyber Threats: Cloud Infrastructure and Cryptomining Tactics
Uptycs talks about The 8220 Gang, a Chinese-based threat actor group, which has launched a cyber-attack campaign targeting cloud-based infrastructure. From May 2023 to February 2024, the group exploited known vulnerabilities, including CVE-2021-44228 and CVE-2022-26134, on both Linux and Windows platforms. They used advanced evasion techniques such as disabling security enforcement and modifying firewall rules. This campaign has affected numerous organizations globally relying on cloud infrastructure. The 8220 Gang's tactics have evolved over time, demonstrating an increase in cybercriminal capabilities, and posing a heightened risk to cloud security.
Lessons from the iSOON Leaks
iSOON, a Chinese company, has developed a variety of products for cyber espionage, including systems for monitoring dissidents on Twitter, analyzing massive amounts of stolen emails, and conducting automated penetration testing. These products allow for a variety of attacks such as bypassing Twitter's two-factor authentication, extracting personal information and IP addresses from email headers, and running phishing campaigns. The products have been sold to the Chinese Ministry of Public Security (MPS) and are used to monitor and collect evidence against critics of the Chinese government. The company has ties to known Chinese advanced persistence threat (APT) groups such as Chengdu 404.
Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709)
The article discusses two vulnerabilities impacting ConnectWise's remote desktop software application, ScreenConnect. These vulnerabilities, identified as CVE-2024-1708 and CVE-2024-1709, could allow an attacker to execute remote code or bypass authentication, potentially leading to access to confidential data or critical systems. ConnectWise has confirmed the occurrence of compromised accounts. The article also mentions that proof-of-concept exploits are already available and that the vulnerabilities are likely to be actively targeted by various threat actors, including cybercriminals and nation-state actors.
Russian Hackers Launch Email Campaigns to Demoralize Ukrainians
A Russian-aligned threat actor has been deploying a disinformation campaign, called Operation Texonto, against Ukrainian citizens. The campaign, which began in November 2023, involves sending emails to sow doubt about Ukraine's progress in the ongoing conflict. The emails contain warnings about potential heating interruptions, medicine shortages, and food shortages. The threat actor also executed a spear-phishing campaign to steal Microsoft Office 365 credentials, with a Ukrainian defense company and an EU agency being targeted. The same email server was later used for a spam campaign.
Migo - a Redis Miner with Novel System Weakening Techniques - Cado Security
The article discusses a novel malware campaign, named Migo, that targets Redis servers for mining cryptocurrency on the underlying Linux host. The campaign, observed by Cado Security Labs researchers, utilizes new system weakening commands against Redis for initial access, and delivers Migo as a Golang ELF binary with compile-time obfuscation. The malware also deploys a modified version of a popular user mode rootkit to hide processes and on-disk artifacts.
Attackers Quick to Weaponize CVE-2023-22527 for Malware Delivery
Threat actors are exploiting a critical vulnerability, CVE-2023-22527, in the Atlassian Confluence Data Center and Confluence Server. This vulnerability allows unauthenticated attackers to execute arbitrary code on the vulnerable server. The attackers are using this vulnerability to deliver the C3Pool Cryptominer malware, which hijacks computing resources to mine Monero cryptocurrency. The malware is spread by injecting Wget commands into the vulnerable server, which then download the malware from a specific URL. This technique has been used in the past to exploit multiple vulnerabilities in various libraries and frameworks.
Operation Texonto: Information operation targeting Ukrainian speakers in the context of the war
Welivesecurity discusses Operation Texonto, a cyber campaign aligned with Russia, primarily targeting Ukrainian IT infrastructure, though other European entities were also affected. The operation involved disinformation and psychological operations (PSYOPs) via spam emails, designed to create doubt and unease among Ukrainians. The campaign also included a spear-phishing attack aimed at stealing Microsoft Office 365 account credentials from a Ukrainian defense company and an EU agency. The report also revealed a strange twist where one of the domains used for the PSYOP campaign was later used for Canadian pharmacy spam, a type of illegal activity popular within the Russian cybercrime community.
AsukaStealer, a Revamped Version of the ObserverStealer, Advertised as Malware-as-a-Service
A Malware-as-a-Service (MaaS) dubbed 'AsukaStealer' was detected by Cyble Research & Intelligence Labs, being advertised on a Russian-language cybercrime forum. The malware, written in C++, collects information from browsers, extensions, Discord tokens, FileZilla sessions, Telegram sessions, crypto wallets, screenshots from Desktop, and maFiles from the Steam Desktop Authenticator application. It is suspected to be a revamped version of the ObserverStealer malware. The malware is sold for USD 80 per month and is hosted on a C&C infrastructure similar to ObserverStealer. While the source of infection is unclear, phishing is suggested as a potential method of delivery. The malware is being offered on Russian cybercrime forums, indicating a probable Russian origin.
Astaroth, Mekotio and Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns
Talos describes a high-volume malware distribution campaign that utilizes Google Cloud Run for spreading several banking trojans, including Astaroth, Mekotio and Ousaban. The threat actors are targeting entities across Latin America and Europe, with a significant increase in activity observed since September 2023. The malware is delivered through malicious Microsoft Installers (MSIs) serving as droppers for the final payload. The campaigns for these malware families are believed to be interconnected. The present version of Astaroth is threatening over 300 organizations in 15 different countries in Latin America.
Agniane Stealer: Information stealer targeting cryptocurrency users
The Agniane Stealer is an information-stealing malware primarily targeting cryptocurrency wallets. It gained popularity on the internet in August 2023 and is being actively marketed and sold through a Telegram channel. The malware is distributed via ZIP files downloaded from compromised websites. Once on the host machine, the malware collects and exfiltrates files, credentials, credit card details, and wallets, and communicates with its command and control (C2) server. The malware also employs various obfuscation and anti-VM/debug techniques to remain undetected.
TinyTurla Next Generation - Turla APT spies on Polish NGOs
The Russian cyber espionage group Turla has developed and deployed a new backdoor, TinyTurla-NG (TTNG), following the coding style and functionality of its predecessor, TinyTurla. TTNG, described as a 'last chance' backdoor, is used when all other unauthorized access mechanisms have failed or been detected on the infected systems. The backdoor has been active since December 2023, targeting Polish non-governmental organizations (NGOs), particularly those supporting Ukraine during the Russian invasion. In addition to TTNG, Turla has also deployed PowerShell scripts, TurlaPower-NG, to exfiltrate key material used to secure password databases of popular password management software. The group is compromising WordPress-based websites to serve as command-and-control endpoints for TTNG.
Massive utility scam campaign spreads via online ads
Malwarebytes describes a scam operation in which threat actors create fraudulent utility ads that appear in Google search results. When users search for keywords related to their energy bill, they are shown these malicious ads which then lead them to call a number. The scammers use scare tactics to convince victims that they owe unpaid bills or offer too-good-to-be-true deals, leading to financial loss for the victims. The scammers have registered multiple domain names and created websites to give a sense of legitimacy to their operation. Most of these ads were found to be registered by individuals from Pakistan.
Hamas-linked SameCoin campaign malware analysis - HarfangLab EDR
Harfang describes an attack campaign, attributed to a threat actor associated with Hamas, dubbed 'SameCoin'. The infection vector is an email impersonating the Israeli National Cyber Directorate (INCD), tricking victims into downloading malicious files disguised as 'security patches'. The affected entities are primarily Israeli citizens targeted by an email attack which was sent on February 11, 2024. The campaign infects victims with a wiper which under certain circumstances could also infect other hosts in the network through Active Directory Services Interfaces. The attack shows similarities with the Arid Viper APT usually associated with Hamas.
Diving Into Glupteba's UEFI Bootkit
Unit42 describes an advanced and multipurpose malware named Glupteba that has been active for over a decade. The malware uses a new and previously unreported feature, a UEFI bootkit, to control the OS boot process, hide itself, and create a stealthy persistence. Glupteba has evolved from a simple backdoor to a potent botnet and is known for its elaborate infection chains. In recent campaigns, it was distributed through pay-per-install (PPI) services.
Coyote Malware Leverage NodeJS to Attack Users of 60+ Bank Users
The article describes a cyber-attack perpetrated by unidentified threat actors using a malware known as 'Coyote'. This malware leverages NodeJS to target users of over 60 banks, primarily in Brazil. The attackers exploit NodeJS to steal online banking credentials by altering the login page of the bank's website, thus enabling them to gain unauthorized access to user accounts. The Coyote malware is unique as it employs modern technologies like Node.js, .NET, and Nim, showcasing an evolution in the sophistication of banking Trojans.
Bumblebee Buzzes Back in Black
A resurgence of Bumblebee malware has been detected by Proofpoint researchers after a four-month hiatus, with numerous emails targeting U.S. organizations. The emails contained OneDrive URLs that led to a Word file, which subsequently created a script in the Windows temporary directory and executed a dropped file using 'wscript'. The next stage involved a PowerShell command which downloaded and ran the Bumblebee DLL. The attack chain was notably different from previous Bumblebee campaigns. Proofpoint did not attribute the activity to a specific threat actor but noted similarities with previous TA579 activities. The Bumblebee loader is assessed as a potential initial access facilitator for delivering subsequent payloads like ransomware.
The (D)Evolution of Pikabot
The article describes an analysis of the malware Pikabot, revealing its anti-analysis techniques, string obfuscation, junk instruction, anti-debug methods, and anti-sandbox evasion. The malware acts as a backdoor, allowing attackers to control infected systems and distribute other malicious payloads. The latest variant of Pikabot has notable changes compared to previous versions, and it uses similar distribution methods, campaigns, and behaviors as Qakbot. The malware stops execution if the system's language is Russian or Ukrainian, suggesting the threat group behind it is Russian speaking and may reside in Ukraine or Russia.
Fileless Revenge RAT Malware
The threat actor makes use of legitimate tools to distribute Revenge RAT malware, making it harder for users to identify malicious activity. The main aim is to run the Revenge RAT malware, which is done through a series of actions involving the creation and running of various files. The malware is designed to connect to a C2 and download an HTML file, which it then decompresses to generate additional malware. If the C2 URL is inaccessible, the actor uses a different URL. The malware also registers files used in the attack as exceptions in Windows Defender, thereby avoiding detection. The ultimate goal of the actor is to steal data from the victim's PC and send it to a C2.
CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
The article describes a sophisticated cyber-attack campaign led by the APT group known as Water Hydra. This group, first detected in 2021, has targeted financial markets, using techniques such as phishing and exploiting vulnerabilities like CVE-2024-21412 to bypass security measures. The campaign has primarily affected traders in the financial market, with a significant focus on the European region. The group has shown a high level of technical skill, exploiting undisclosed zero-day vulnerabilities and using sophisticated attack patterns. The campaign involved the use of the DarkMe malware and also exploited the WinRAR code execution vulnerability CVE-2023-38831.
Raspberry Robin Keeps Riding the Wave of Endless 1-Days
The malware Raspberry Robin, first reported by Red Canary in 2021, has continued to evolve with new features and evasions. It has also begun using new exploits for privilege escalation, one of which was sold on the Dark Web as a 0-day exploit half a year before it was publicly disclosed. Raspberry Robin is part of a larger malware ecosystem and acts as an initial access broker for additional malware deployment by other crime groups, including EvilCorp and TA505. It has demonstrated a rapid adoption of exploits and it is believed that it purchases these from an exploit developer, rather than creating them in-house. This malware poses a substantial threat due to its continuous evolution and rapid adoption of new exploits.
New MacOS Backdoor Written in Rust Shows Possible Link with Windows Ransomware Group
Bitdefender researchers discovered a new backdoor malware targeting Mac OS users, identified as Trojan.MAC.RustDoor. This malware, written in Rust, is distributed as a Visual Studio update, targeting both x86_64 Intel and ARM architectures. It has been operating undetected for at least three months since November 2023. The malware has backdoor functionality allowing it to collect and upload files and gather machine information.
New Malware Mimic as Visual Studio Update to Attack macOS users
A new backdoor has been discovered that targets macOS users. The backdoor, written in Rust, mimics a Visual Studio Update and has been found in three variants, all distributed as FAT binaries with Mach-O files for x84_64 Intel and ARM architectures. The malware dates back to early November 2023, with the latest sample found on February 2nd, 2024. Bitdefender has traced the backdoor to the BlackBasta and ALPHV/BlackCat ransomware operators. The backdoor supports various commands and is used for data exfiltration among other functions.
U.S. DoJ Dismantles Warzone RAT Infrastructure, Arrests Key Operators
The US Justice Department announced the seizure of online infrastructure used to sell a remote access trojan (RAT) known as Warzone RAT. The malware was being sold and supported by two individuals who were arrested and indicted in Malta and Nigeria. The RAT was used by cybercriminals to secretly access and steal data from victims' computers. It was sold under the malware-as-a-service (Maas) model and had the ability to browse victim file systems, record keystrokes, and steal victim usernames and passwords. The malware was first documented as part of a cyber-attack targeting an Italian organization in the oil and gas sector.
The Importance of Patching: An Analysis of the Exploitation of N-Day Vulnerabilities
The article describes a campaign exploiting resolved N-Day vulnerabilities in Fortinet. The threat actors target unpatched vulnerabilities in the FortiGate platform, affecting Government, service provider, consultancy, manufacturing, and large critical infrastructure organizations. The attack leads to data loss and OS and file corruption. The threat actors use complex methods to exploit these vulnerabilities, suggesting advanced capabilities, potentially of a nation-state. The malware used in these incidents is specifically customized for FortiOS.
Python Info-stealer Distributed by Malicious Excel Document
Fortinet describes a high-severity cyber-attack campaign orchestrated by a Vietnamese-based group. The attack begins with a malicious Excel document that downloads a series of files to obfuscate its activities and steal information. The malware specifically collects browser cookies and login data, which is then compressed and sent to the attacker's Telegram bot. The stolen information can be used for future attacks. The group uses open platforms to download stages of the attack, making it difficult to trace. The attack impacts Microsoft Windows users.
MAR-10448362-1.v1 Volt Typhoon
The document describes a cyber threat campaign orchestrated by the People's Republic of China (PRC) state-sponsored cyber group known as Volt Typhoon. The group compromised a critical infrastructure system using three files that enable discovery and command-and-control. These files consist of an open-source Fast Reverse Proxy Client (FRPC) tool, a Fast Reverse Proxy (FRP), and a port scanner known as ScanLine. The infrastructure has not been specified, but the attack pattern involves the use of proxy and scanning utilities to compromise the system and establish control.
HijackLoader Expands Techniques to Improve Defense Evasion
The article discusses a recent variant of HijackLoader, a tool that is becoming increasingly popular among adversaries for deploying additional payloads and tooling. The HijackLoader variant uses sophisticated techniques to enhance its complexity and evasion capabilities. It employs a series of evasion techniques, including process hollowing, process doppelganging, and unhooking, making it harder for analysts to understand and for security systems to detect. The malware communicates with a remote server, checks for an active internet connection, and downloads additional payloads.
Coyote: A multi-stage banking Trojan abusing the Squirrel installer
The article describes a sophisticated banking Trojan malware, named Coyote, mainly targeting users of over 60 Brazilian banking institutions. The malware uses the Squirrel installer for distribution and leverages NodeJS and Nim programming language as a loader. The Trojan achieves persistence by abusing Windows logon scripts and monitors all open applications on the victim's system, waiting for a specific banking application or website to be accessed. Once any banking-related application is executed, the malware contacts the C2 with this information and can perform various actions ranging from keylogging to taking screenshots. The malware communicates with its command-and-control server using SSL channels with a mutual authentication scheme.
Backdoor Activator Malware Running Rife Through Torrents of macOS Apps
The threat actor is not explicitly mentioned in the article. The campaign involves a macOS malware named macOS.Bkdr.Activator, which is being spread through cracked copies of popular software available on torrent sites. The malware is delivered in a multi-stage process via a torrent link, leading to the installation of two malicious executables. The malware then asks for an administrator password to disable Gatekeeper settings, allowing apps from 'Anywhere' to run on the device. The malware's main objectives appear to be infecting macOS users on a large scale, potentially to create a botnet or deliver other malware at scale.
Unveiling the intricacies of DiceLoader
Sekoia warned that the threat actor group known as FIN7 has been found to be using DiceLoader malware in its cyber-attack campaigns since 2021. The malware is dropped by a PowerShell script and includes loaders, ransomware, and custom malware such as the Carbanak Backdoor and Domino Loader. The malware targets various sectors, including retail, hospitality, and the food service industry, in countries such as the United States, the United Kingdom, Australia, and France. The group disguises its malicious activities behind front companies and has affiliations with other cybercriminal organizations.
THREAT ALERT: Ivanti Connect Secure VPN Zero-Day Exploitation
Cybereason discusses a cyber threat campaign that exploits vulnerabilities in Ivanti VPN appliances. The threat actors, including a China-nexus espionage group known as UNC5221, use the vulnerabilities to gain unauthorized command execution and system access on Internet-facing security devices. They modify Ivanti components to allow persistent access within the network, escalate privileges, and target sensitive internal systems and data. The actors also execute arbitrary commands on the system, steal sensitive configuration data, and establish reverse tunnels for persistent access and data exfiltration. The campaign is not limited to any specific regions or industries.
HeadCrab: A Novel State-of-the-Art Redis Malware
AquaSec discusses a new severe threat, known as HeadCrab, which has been infiltrating Redis servers worldwide since September 2021. HeadCrab uses a custom-made malware undetectable by traditional anti-virus solutions to compromise a large number of Redis servers, with at least 1,200 servers already under its control. The HeadCrab botnet operates by targeting Redis servers, using them to move laterally to other servers. The main impact of the attack is resource hijacking for cryptocurrency mining. The victims seem to have little in common, but the attacker seems to have a deep understanding and expertise in Redis modules and APIs.
Distribution of RAT Malware Disguised as a Gambling-related File
The article describes a campaign where RAT malware is being spread disguised as an illegal gambling-related file. The malware is distributed via a shortcut (.lnk) file and downloads the RAT directly from HTA. The malware targets users interested in gambling, as evidenced by the content within the downloaded Excel file. An additional executable is also downloaded which is the Venom RAT malware, capable of leaking keylogging and user credentials, and performing various malicious activities. The threat actor also uses various types of RAT malware including Pandora hVNC malware. No specific threat actor or affected regions are mentioned.
Unmasking a Financial Services Intrusion: REF0657
Elastic Security describes a cyber intrusion that targeted a financial services organization in South Asia in December 2023, executed by an unidentified threat group. The attackers used a diverse set of open-source tools and engaged in various activities including discovery, enumeration, and data exfiltration. The attackers also used the victim's internal enterprise software against them and leveraged various tunneling techniques to execute Cobalt Strike. The intrusion was characterized by rapid movement within the victim's network and meaningful data extraction within 24 hours.
Mispadu Malware Exploits Windows SmartScreen Flaw to Attack Users
This article discusses a variant of Mispadu stealer that targets victims in Mexico by exploiting the Windows SmartScreen vulnerability CVE-2023-36025. The malware is downloaded and executed on the victim's system, gathering information about the system's time zone, and using AES encryption for various decryptions. It establishes C2 communication and uses SQLite to gather history databases from Microsoft Edge and Google Chrome browsers, storing them in the %TEMP% directory. The malware then extracts the URLs and checks them against a targeted list. The information is sent to the C2 and could be used for further cybercriminal activities.
Exploring the (Not So) Secret Code of BlackHunt Ransomware
The article describes a ransomware variant named BlackHunt that emerged in 2022 and has since compromised around 300 companies in Paraguay. BlackHunt is notable for its similarities to LockBit and REvil ransomware, suggesting that it uses leaked code from these previous threats. The ransomware is a C++ executable and uses a variety of techniques to operate stealthily, alter system functionality, and encrypt data.
Hackers Abuse Google Search Ads to Attack IT and System Admins
The article discusses the Nitrogen campaign, wherein hackers use malicious search ads and BlackHat SEO tactics to distribute malware. They exploit hacked WordPress websites to host harmful PHP shell scripts and manipulate search engine algorithms to redirect users to their malicious websites. The hackers target a popular tool named WinDirStat used by IT professionals and system administrators. The attackers' elaborate filtering system serves a decoy site to unsuspecting users who download and execute fake software, leading to malware infiltration.
Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation
The blog post details an extensive cyber espionage campaign exploiting high-impact zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, on Ivanti Connect Secure VPN and Ivanti Policy Secure appliances. The campaign was first noticed by cybersecurity company Mandiant on Jan. 12, 2024. The threat actor, tracked as UNC5221 and suspected to have links to China, was able to execute arbitrary commands on the appliance with elevated privileges. The exploitation of these vulnerabilities began as early as Dec. 3, 2023. Mandiant has detected broad exploitation activity by UNC5221 and other threat groups, indicating that the vulnerabilities have been adopted by other groups beyond UNC5221.
Distribution of Qshing Emails Disguised as Payslips
AhnLab describes a phishing campaign in which threat actors distribute Qshing emails impersonating the Ministry of Finance of the People's Republic of China. The emails contain a QR code that, when scanned, leads to a phishing site or a malicious app installation. The emails are disguised as paycheck receipts and prompt the user to scan the QR code to receive a wage subsidy. In the process, the threat actor collects personal data including credit card numbers, phone numbers, and passwords. The sender email address is also forged to look like it's coming from 'ahnlab.com'.
Distribution of Zephyr CoinMiner Using Autoit
The AhnLab SEcurity intelligence Center (ASEC) discovered a CoinMiner targeting the cryptocurrency, Zephyr. The CoinMiner is spread in a compressed file, which contains several scripts and executables. Upon decompression, two Javascript files are created and executed. These scripts then generate an executable in the %temp% directory.
HackersExploit Trusted Platform Redirect Flaws For Phishing Attacks
The article describes a campaign where threat actors are exploiting trusted platforms redirect flaws to carry out phishing attacks. They take advantage of open redirect vulnerabilities to avoid detection and leverage the reputation of the trusted platforms. The attackers use legitimate websites to redirect users to harmful URLs. They manipulate URL parameters to redirect users to malicious sites, embedding these links in phishing emails. The article does not specify the threat actor, affected entities or regions, or the specific vulnerabilities exploited.
ApateWeb: An Evasive Large-Scale Scareware and PUP Delivery Campaign
The article describes a large-scale cyber campaign called ApateWeb, led by unidentified threat actors. The campaign uses a network of over 130,000 domains to deliver scareware, potentially unwanted programs (PUPs), and other scam pages, potentially exposing victims to more severe cyber threats. The attack pattern involves a multilayered system of intermediate redirections between the entry point and delivery of the final malicious payload. The campaign exploits the victims' trust through phishing emails and embedded JavaScript on compromised websites, rather than exploiting specific vulnerabilities.
New audits
Right-to-Left Override - 'mimitxt.exe': Execute binary with obfuscated name (PowerShell); Technique T1036.002; Tactic TA0005
Right-to-Left Override (RTLO), it is a Unicode character (U+202E) that influences the visual display of text, causing subsequent characters to be shown in reverse order. This character is often used for legitimate purposes in languages that are written from right to left, but it can also be abused by adversaries for obfuscation in filenames or other textual content.
This audit simulates a malicious technique where attackers leverage the Right-to-Left Override (RTLO) character to obfuscate the name of a binary file, aiming to evade security measures that validate code signatures before execution.
In this scenario, the binary is utilizing the RTLO character to mislead and potentially deceive users and security tools.
Ingress Tool Transfer - 'IEExec.exe': Download malicious file with Ieexec.exe (Command Prompt); Technique T1105; Tactic TA0011
IEExec.exe is an executable file associated with the Microsoft .NET Framework, specifically designed for hosting managed applications launched via URLs.
If IEExec.exe is being used to download or execute malicious files, it poses a security risk, because it can download and run attacker code from remote location.
This audit uses this executable to download from an URL a malicious file on the local machine.
We replicate real-world threats, allowing you to safely test your controls to ensure that your security posture is prepared and armed with identifiable Indicators of Compromise (IOC). With Threat Simulator, you can quickly determine your ability to defend yourself against the latest attacks seen in the news and answer this question while shortening the time to remediate with our recommendations.
Keysight is an S&P 500 technology company; we are headquartered in California and operate in over 100 countries worldwide. With 20+ years of network and security excellence, our global Application and Threat Intelligence (ATI) Research Center stays current on the latest threats. By using Threat Simulator, you can proactively identify, remediate, and validate security vulnerabilities.
Stay ahead of the curve in the ever-changing world of cybersecurity with Keysight.
Visit our website for more information.