Monthly Cyber Security Threats Update – March 2024 Rollup

Our regular readers will know that every month we discuss the latest cyber security threats and how we build simulations into Threat Simulator, our breach and attack simulation (BAS) product. We do this so our customers and partners can quickly identify, remediate, and validate security vulnerabilities and therefore stay protected.

In this month's cyber threats rollup, we have seen prolific Chinese Threat Campaigns and well as Ransomware attacks that frequently target government and critical infrastructure institutions such as hospitals, universities, emergency services, and jail facilities.

We have also seen novel and emerging threats such as AI generated deepfake videos, as well as a curious state-sponsored attack which targeted European diplomats with malicious PDFs disguised as invitations to a wine-tasting party hosted by the Ambassador of India.

Our Keysight Application and Threat Intelligence (ATI) Research Center stays alert to this range and sophistication of threats and has created a number of new Threat Campaigns and Audits to keep you safe, by simulating these attacks and incorporating them into Threat Simulator, our breach and attack simulation (BAS) platform.

Read on to learn about these new simulations and how we can assist you in maintaining your safety, no matter where you are in the world.

New audits

Network audit:

CVE-2024-21887- Ivanti Connect Secure and Policy Secure Gateways Command Injection

This audit exploits a command injection vulnerability in the web components of Ivanti Connect Secure and Ivanti Policy Secure Gateways. This vulnerability is due to the insufficient validation of HTTP arguments. In the web application, two different paths are susceptible to system command injection. The user-submitted data is directly employed in the Python Popen function without undergoing any sanitization. Consequently, an attacker can inject ";command;" and execute shell commands. A remote authenticated attacker could exploit this vulnerability by sending a crafted request to a target server. Successful exploitation could result in arbitrary shell command execution under the security context of the root user.

New endpoint audits:

Technique T1580; TACTIC TA0007

Cloud Infrastructure Discovery - AWS EC2 Instance Enumeration: AWS Command Line Interface

Adversaries may leverage the AWS CLI command "aws ec2 describe-instances" to perform EC2 instance discovery. This command allows attackers to obtain comprehensive information about existing EC2 instances within an AWS environment, enabling them to identify potential targets for further exploitation or reconnaissance.

Cloud Infrastructure Discovery - AWS S3 Storage Enumeration: AWS Command Line Interface

Attackers can employ the AWS CLI command "aws s3api list-buckets" to enumerate and list all S3 buckets within an AWS environment. This allows them to identify and gather information about existing storage resources, potentially facilitating unauthorized access or further reconnaissance on sensitive data stored within those buckets.

Cloud Infrastructure Discovery - AWS EC2 Snapshots Enumeration: AWS Command Line Interface

Attackers can utilize the AWS CLI command "aws ec2 describe-snapshots" to enumerate and retrieve information about Amazon EBS (Elastic Block Store) snapshots within an AWS environment. This technique allows them to identify existing snapshots, understand the backup and storage configurations, and potentially gather sensitive information that could be exploited for further attacks or reconnaissance.

Cloud Infrastructure Discovery - AWS EC2 Volumes Enumeration: AWS Command Line Interface

Attackers can utilize the AWS CLI command "aws ec2 describe-volumes" to enumerate and retrieve information about Amazon EBS (Elastic Block Store) volumes within an AWS environment. This technique allows them to identify existing volumes, understand storage configurations, and potentially gather information about the data stored on these volumes. This information could be exploited for further attacks or reconnaissance.

New Threat Campaigns

A screenshot of a computer program Description automatically generated

Figure 1: Recent Threat Campaigns available in Threat Simulator

It'll be back: Attackers still abusing Terminator tool and variants

Sophos describes a threat campaign that involves threat actors exploiting vulnerable drivers, specifically Zemana drivers, to disable AV and EDR solutions at the kernel level. This strategy, known as Bring Your Own Vulnerable Driver (BYOVD), has become popular among lower-tier threat actors and ransomware operators. The attacks often involve the use of off-the-shelf tools, such as Terminator, sold on criminal forums. Specific attacks mentioned in the article targeted a healthcare organization and involved the use of XMRig cryptominer and the Nim version of Terminator. The article also suggests that some threat actors are considering creating their own malicious drivers signed with stolen or leaked certificates.

APT29 Uses WINELOADER to Target German Political Parties

The Russian Federation-backed threat group APT29, linked to Russia's Foreign Intelligence Service (SVR), conducted a phishing campaign targeting German political parties in February 2024. The campaign used a new backdoor variant named WINELOADER, delivered through a first-stage payload ROOTSAW (aka EnvyScout). The phishing emails contained a malicious ZIP file hosted on an actor-controlled compromised website. This is the first time APT29 targeted political parties, marking a shift from its usual focus on diplomatic missions. The group also used German-language lure content for the first time. This activity is viewed as a threat to Western political parties and suggests a shift in operational focus.

Xehook Stealer: Evolution of Cinoshi's Project Targeting Over 100 Cryptocurrencies and 2FA Extensions

Cyble describes a campaign by an unidentified threat actor involving a .NET-based malware named Xehook Stealer, which targets Windows operating systems. The malware, discovered by CRIL in January 2024, has dynamic data collection capabilities, supports over 110 cryptocurrencies, and has 2FA extensions. Furthermore, it has a potential connection with Agniane Stealer and the Cinoshi project, indicating possible rebranding and development iterations. The malware is distributed via SmokeLoader binaries, and it shares significant code overlaps with Agniane Stealer. The Xehook Stealer targets Chromium and Gecko-based browsers and is sold on a subscription model.

The threat campaign involves unidentified threat actors targeting cloud services with application consent attacks, primarily against clients using Microsoft Azure. The actors leverage legitimate but compromised accounts to create malicious applications within the cloud environment, requesting user consent to access protected resources. Once granted, the actors can persistently access these resources, even if account security measures are changed. These attacks have been observed to originate from various VPN and VPS IP addresses.

SSO-Based Phishing Attack Trick Users into Sharing Login Credentials

Lokkout and GBHackers describe a phishing campaign where threat actors employ a new Single Sign-On (SSO) based phishing attack to trick users into sharing their login credentials. The phishing kit used in the campaign targets crypto and the Federal Communications Commission (FCC) on mobiles. It was found by Lookout and the method used includes email, SMS, and voice phishing. The victims targeted are mainly from the United States. The threat actor primarily impersonates the FCC Okta and various brands, with Coinbase being the most targeted.


The threat actor referred to as Earth Kapre or RedCurl has been carrying out cyberespionage operations since November 2018. They focus on corporate espionage and have targeted a variety of sectors across several countries. Their tactics involve a mix of custom malware and public hacking tools, with a particular focus on stealth and avoiding detection. Rather than direct financial theft or ransomware attacks, they focus on stealing internal corporate documents. Their activities have been observed in the U.K., Germany, Canada, Norway, Russia, and Ukraine.

Malware Disguised as Installer from Korean Public Institution (Kimsuky Group)

The Kimsuky group is distributing malware disguised as an installer from a Korean public institution, signed with a legitimate certificate from a Korean company. The malware is a dropper that creates the Endoor backdoor, which is also used to download additional malware or install screenshot-taking malware. The malware was not disguised as a specific program but made to look like a general legitimate program. In some cases, the backdoor was used to install other malware like Mimikatz and a screenshot-taking malware. The actor also used Nikidoor, distributed via spear phishing attacks. The malware was used in South Korea and is constantly employed in other attacks.

CryptoWire with Decryption Key Included - ASEC BLOG

AhnLab Security Intelligence Center (ASEC) has reported a resurgence of CryptoWire, a ransomware strain that was originally widespread in 2018. The malware is usually distributed through phishing emails and uses Autoit script. CryptoWire persists by copying itself into the local system and registering a schedule to the task scheduler. The ransomware also expands its encryption process to local and network connected environments and deletes recovery options. Encrypted files require a decryption key, which is either included in the Autoit script or transmitted to the threat actor's server.

BianLian GOs for PowerShell After TeamCity Exploitation

The threat actor group BianLian has moved to extortion-only operations since the release of a decryptor for their malware by Avast in January 2023. The group exploited vulnerabilities in a TeamCity server, leveraging CVE-2024-27198 /CVE-2023-42793 for initial access. Post exploitation, the group found additional infrastructure to exploit, deploying malicious files and scripts, including a PowerShell implementation of their GO backdoor. The group also created a new user account and attempted a Security Accounts Manager (SAM) credential dumping technique. The campaign was detected and analyzed by GuidePoint's Research and Intelligence Team (GRIT).

Prolific Chinese Threat Campaign Targets 100+ Victims - Infosecurity Magazine

A major Chinese cyber-espionage campaign has been linked to the 'cybersecurity' firm I-Soon, known as the Earth Krahang APT campaign. This campaign is associated with a previously discovered Chinese actor, Earth Lusca, suspected of being the penetration team behind I-Soon. The threat actor targeted 116 organizations in 35 countries, compromising at least 70 of them, primarily in southeast Asia. The actor uses tactics like VPN servers on compromised public-facing servers, brute-force attacks to obtain email credentials, and uses these credentials to exfiltrate victim emails with the ultimate goal being cyber-espionage.

CGSI Probes: ShadowSyndicate Group's Possible Exploitation of Aiohttp Vulnerability (CVE-2024-23334)

The campaign involves a security flaw (CVE-2024-23334), a directory traversal vulnerability in aiohttp, which if exploited, allows unauthenticated remote attackers to access sensitive information from arbitrary files on the server. The ShadowSyndicate group, a Ransomware-as-a-Service (RaaS) affiliate, has shown interest in exploiting this vulnerability. The aiohttp instances are particularly prevalent in the United States, Germany, and Spain. A patch has been released in the last week of January 2024 to address the vulnerability, and immediate patching to the latest versions is strongly recommended.

Azure Batch Misused for Crypto Mining

An unidentified threat actor exploited an unpatched TeamCity server to deploy a CoinMiner in Azure. The attacker gained access to the Azure environment with administrative rights. They then created a resource group, built batch accounts, and requested a batch limit increase from Microsoft support to boost mining capacity. The attacker used Azure Batch capabilities to create a complete autonomous crypto-mining system.

Andariel Group Exploiting Korean Asset Management Solutions (MeshAgent)

The Andariel group, a known cyber threat actor, has been conducting continuous attacks on Korean companies. The group exploits Korean asset management solutions to install malware such as AndarLoader and ModeLoader. AndarLoader is used to download executable data, and ModeLoader is used to establish communication with the command and control (C&C) server. These tools, along with others like MeshAgent, are used to remotely control victims' systems. The group has also been known to use tools like Mimikatz to steal system credentials. Ultimately, these attacks are focused on both obtaining sensitive information and gaining financial profits.

CISA Updates Phobos Ransomware IoCs List in New Joint Advisory

Heimdal Security Blog details a recent update by CISA, the FBI, and MS-ISAC regarding the Phobos ransomware, which frequently targets government and critical infrastructure institutions such as hospitals, universities, emergency services, and jail facilities. The update includes a comprehensive list of Indicators of Compromise (IoCs) and tactics used by the Phobos ransomware, which primarily relies on phishing campaigns for reconnaissance and initial access to vulnerable networks. Phobos affiliates also actively search for exposed Remote Desktop Protocol (RDP) ports, which they compromise using brute force tools. Once they find a breach, they escalate privileges by running commands to install Phobos payloads with elevated privileges enabled.

European Diplomats Targeted With Phony Invitations to a Wine-Tasting Party

The article describes a cyber espionage campaign that targeted European diplomats. A threat actor, suspected to be state sponsored, sent malicious PDFs disguised as invitations to a wine-tasting party hosted by the Ambassador of India. The PDFs contained a link to a fake questionnaire that redirected users to a malicious ZIP archive hosted on a compromised site, initiating an infection chain. A malicious HTA file would be installed if users clicked on the link to the phony questionnaire. The campaign is characterized by its very low volume and advanced tactics, techniques, and procedures (TTPs). Zscaler, who discovered the campaign, has named this threat actor SPIKEDWINE.

WhiteSnake Stealer: Unveiling the Latest Version – Less Obfuscated, More Dangerous

The threat research team from SonicWall Capture Labs has identified a new variant of WhiteSnake Stealer, a malicious software capable of extracting sensitive data from compromised systems. The malware verifies the presence of mutex to prevent multiple instances from running simultaneously. It is capable of stealing data from various sources such as web browsers, messaging apps, FTP clients, and cryptocurrency wallets. Additionally, it can capture screenshots, keystrokes, and record audio via the victim's microphone. It can also exfiltrate data to the attacker's command and control center.

New Banking Trojan "CHAVECLOAK" Targets Brazil

A threat actor has been found utilizing a malicious PDF file to propagate the banking Trojan CHAVECLOAK, specifically targeting users in Brazil with the goal of stealing sensitive financial information. The attack begins with a decoy PDF document that downloads a ZIP file, which utilizes DLL side-loading techniques to execute the malware. The MSI installer uses a legitimate execution file to run a malicious DLL named 'Lightshot.dll', which conducts unauthorized activities, including data theft. The malware monitors user activities, capturing sensitive information such as usernames, passwords, and bank-related information. It then sends the stolen data to its Command and Control server.

Reverse Engineering Snake Keylogger: Full .NET Malware Analysis

ANY.RUN describes a phishing campaign that uses the Snake Keylogger malware to steal sensitive information from infected systems. The malware is delivered via a multi-stage attack that involves various techniques such as dynamic code execution, code reassembly, obfuscation, steganography, and anti-analysis techniques. The malware steals credentials from various browsers and applications, kills certain processes related to security and monitoring, and exfiltrates the collected data via FTP, SMTP, or Telegram.

The campaign detailed in the article involves a sophisticated attack orchestrated by an unidentified threat actor. The attack begins with the victim receiving a PDF file containing a malicious URL. Upon clicking the link, the victim downloads a deceptive installer which acts as a dropper for the Agent Tesla malware. This malware is a remote access trojan (RAT) that specializes in infiltrating and exfiltrating sensitive information. The attack was observed globally, affecting Threat Emulation customers in various regions. The threat actor exploited the trust of users in Adobe Acrobat Reader updates to deliver the malicious payload.

Rise in Deceptive PDF: The Gateway to Malicious Payloads

McAfee discusses a malware campaign that uses PDF files to distribute a notable malware, AgentTesla. The malware is embedded in PDF files attached to seemingly harmless emails. When a victim opens the PDF, it triggers execution of a malicious JavaScript payload, leading to the download and execution of a PowerShell script. This script then decrypts and executes a binary, injecting AgentTesla payload into legitimate processes to evade detection. The malware communicates with command-and-control servers, exfiltrating sensitive data through Telegram bots. It also establishes scheduled tasks and registry entries for persistence on the infected system.

Detecting and Blocking Tycoon's latest AiTM Phishing Kit - Security Boulevard

The article describes a phishing campaign orchestrated by Tycoon, who uses an adversary-in-the-middle (AiTM), Phishing-as-a-Service (PhaaS) platform. This platform uses a reverse proxy to intercept and replay credentials and MFA prompts, and it has the ability to defeat most MFA factors, such as SMS, TOTP, Push, and Number Matching. The new version of Tycoon's phishing kit has new obfuscation and anti-detection capabilities. Current security solutions are struggling to handle these attacks due to countermeasures like anti-bot, captchas, and turnstiles.

Warning Against Infostealer Disguised as Installer

The campaign involves the distribution of the StealC and Vidar malware strains, disguised as installers or software cracks. The malware is distributed through platforms like Discord, GitHub, Dropbox, and is designed to redirect victim’s multiple times from malicious webpages disguised as download pages. The StealC malware steals key information like system, browser, cryptocurrency wallet, Discord, Telegram, and mail client data. The Vidar malware accesses account profiles on platforms like Steam and Telegram to obtain the C2 address. Both malware strains employ techniques such as checking file names, downloading a PNG file, creating, and injecting into a normal process, manual ntdll mapping, and Heaven's Gate to hinder analysis by security products.

Hackers Using Cracked Software on GitHub to Spread RisePro Info Stealer

RisePro stealer has been embedded in fake cracked software distributed via GitHub and presented complex anti-debugging techniques in order to obfuscate its features. The trojanized software where this malware is residing in is a .NET executable which will crash popular reverse engineering tools due to its size. In addition, it also presents virtualized instructions that will make sandbox testing difficult for malware researchers. Exfiltrated data is sent to specific Telegram channels.

Large-Scale StrelaStealer Campaign in Early 2024

The StrelaStealer malware has been involved in a series of campaigns targeting organizations in the EU and U.S. The malware steals email login data and sends it to the attacker's C2 server. It is delivered through spam emails which contain an attachment that initiates the malware's DLL payload. The threat actor frequently changes the email attachment file format and updates the DLL payload to evade detection. Large-scale campaigns have been observed since the first emergence of the malware in 2022 with no signs of slowing down.

Beware of New 'HelloFire' Ransomware Actor Mimic as a Pentester

The article describes a new threat in the form of a ransomware encryptor called 'HelloFire' This malicious software uses deceptive tactics, posing as a legitimate penetration testing activity to mask its harmful intent. The ransomware does not have a traditional leak site, nor does it use typical branding. Instead, it uses specific email domains in its ransom note to undermine the credibility of the attack as a legitimate pen test. The encrypted files have the extension '.afire,' and a comprehensive list of services, directories, and files are targeted to maximize the impact on infected systems. There are suggestions of a potential Russian connection due to the references to the word 'hello' in both English and Russian within the ransomware note and the Program Database (PDB) path.

TeamCity Vulnerability Exploits Lead to Jasmin Ransomware, Other Malware Types

The article discusses a cyber threat campaign that exploits two vulnerabilities within the JetBrains TeamCity On-Premises platform, CVE-2024-27198 and CVE-2024-27199. These vulnerabilities allow attackers to bypass authentication measures and gain administrative control over affected servers. The threat actors drop various types of malware including Jasmin ransomware, XMRig cryptocurrency miner, Cobalt Strike beacons, and the SparkRAT backdoor. They also execute domain discovery and persistence commands. The threat actors seem to be indiscriminate, with no specific regions or industries reported as targets.

RATs Distributed Through Skype, Zoom, and Google Meet Lures

The article describes a cyber threat campaign that started in December 2023, where an unidentified threat actor created fraudulent Skype, Google Meet, and Zoom websites to distribute malware. Specifically, the actor spread Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems. The fake websites closely resembled the actual sites and hosted on shared web hosting. Clicking on certain buttons on these sites initiated the download of malicious files.

Unveiling Earth Kapre aka RedCurl's Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence

The article details an investigation into cyberespionage tactics employed by threat group Earth Kapre, also known as RedCurl or Red Wolf. The group has been actively conducting phishing campaigns targeting organizations in several countries, including Russia, Germany, Ukraine, the UK, Slovenia, Canada, Australia, and the US. The attackers use phishing emails with malicious attachments, which trigger the creation of a scheduled task for persistence and unauthorized data transmission upon opening. They also utilize Powershell.exe and curl.exe to procure the subsequent stage downloader and use the Program Compatibility Assistant (pcalua.exe) to execute malicious command lines. The article underscores the ongoing threat posed by Earth Kapre and the critical role of advanced threat detection and response solutions in combating such threats.

Crambus: New Campaign Targets Middle Eastern Government

The Iranian espionage group Crambus, also known as OilRig or APT34, carried out an eight-month-long intrusion against a Middle Eastern government between February and September 2023. The group stole files and passwords from at least 12 computers and installed backdoors and keyloggers on dozens more. Their methods included deploying malware and configuring port-forwarding rules on compromised machines for remote access. The group also modified Windows firewall rules to enable remote access. The use of the PowerShell backdoor PowerExchange was a significant feature of the campaign.

Beware of Malicious Notepad++ Websites that Attack Developers

Threat actors are targeting Notepad++ users, a widely used text editor, via malicious websites. Notepad++ offers a large pool of potential victims including developers and users. Exploiting vulnerabilities in Notepad++ can provide access to sensitive data and systems, and targeting popular software increases the likelihood of successful attacks and intensifies their impact. Cybersecurity researchers discovered that threat actors are actively attacking developers via these websites. The threat actors distribute modified versions of text editors, and the malicious versions have similar functionalities. There is a high probability that these modified editors aim to deliver the next infection stage, with identical Linux/macOS app changes suggesting a possible Linux backdoor mirroring the macOS one.

GhostSec's joint ransomware operation and evolution of their arsenal

The hacker group GhostSec and the Stormous ransomware group have been jointly conducting double extortion ransomware attacks across various industries and countries. They have developed a new ransomware-as-a-service (RaaS) program, GhostLocker 2.0, and have been involved in attacks against websites using tools such as the GhostSec Deep Scan tool and GhostPresser. Their targets have included Israel's industrial systems, critical infrastructure, and technology companies. The group has also claimed that affected organizations include Israel's Ministry of Defense.

Evasive Panda Targets Tibet With Trojanized Software - Infosecurity Magazine

The China-aligned APT group Evasive Panda, also known as BRONZE HIGHLAND and Daggerfly, launched a sophisticated cyber-espionage campaign targeting Tibetans across various countries and territories. The operation, ongoing since at least September 2023, combined targeted watering hole tactics and supply-chain compromises with trojanized Tibetan language translation software installers. The attackers leveraged the Monlam Festival, a major religious gathering, to target individuals associated with Tibetan Buddhism, compromising the festival organizer's website for a watering hole attack. The same website and a Tibetan news site hosted malicious downloads, including two full-featured backdoors for Windows and an unknown number of payloads for macOS. The campaign also saw the deployment of various malicious downloaders and backdoors, including a previously undocumented backdoor for Windows named Nightdoor.

Tales Of Valhalla - March 2024 - Nextron Systems

The article outlines several malware threats observed by the Nextron Threat Research Team. The discussed threats include MrAgent, a binary designed to automate and track the ransomware deployment across large environments with numerous hypervisor systems, GuLoader, a first-stage shellcode-based malware that is typically used to download other types of malware like Agent Tesla and Lokibot, HemiGate, a backdoor used by the threat actor known as Earth Estries, and IronWind, an initial access downloader. The threats are detected and analyzed using Nextron's digital forensics tools.

Kaspersky crimeware report: Android malware

The article describes a cyber threat campaign conducted in 2023, which saw the deployment of three different forms of malware targeting mobile devices. The Android operating system was the main target for these attacks. The malware strains, Tambir, Dwphon, and Gigabud, were primarily used for data theft and system compromise. Tambir, disguised as an IPTV app, targeted users in Turkey and collected data such as SMS messages and keystrokes. Dwphon, embedded within system update applications, targeted Chinese OEM manufacturers, and collected device and personal information. Gigabud, a Remote Access Trojan (RAT), focused on stealing banking credentials from users in Southeast Asia and was disguised as various local apps.

COM Objects Hijacking

The article discusses the COM Hijacking technique used by threat actors and various malware families for achieving persistence and privilege escalation in target systems. The technique manipulates the Component Object Model (COM) of Windows systems. The study identified the most exploited COM objects in 2023. Malware families like Padodor/Berbew and RATs like RemcosRAT and AsyncRAT are known to use this technique. The article also mentions the use of the technique in connection with vulnerabilities, such as CVE-2024-21412, for distributing the Darkme RAT.

Disguised Adobe Reader Installer That Install Infostealer Malware

GBHackers and AhnLab discuss a phishing attack that exploits Adobe Reader. The attack begins with a fake PDF file, written in Portuguese, which prompts users to download and install Adobe Reader. However, instead of Adobe Reader, users are prompted to download and install malware. The execution procedure of the downloaded file, named Reader_Install_Setup.exe, has three stages, file creation, DLL Hijacking , UAC Bypass, and Information Leak. The malware collects system and browser information and sends it to the C2 server.

ShadowRay: First Known Attack Campaign Targeting AI Workloads Exploited In The Wild

A widespread attack campaign exploiting a vulnerability in Ray, a popular open-source AI framework, has been discovered. The vulnerability, known as ShadowRay (CVE-2023-48022), allows attackers to take control of companies' computational power and leak sensitive data through a port-forwarding rule of the Ray management dashboard. Organizations across various sectors, including education, cryptocurrency, and biopharma, have been affected. Despite being disputed and thus not addressed with a patch, the flaw has been actively exploited for the past seven months. Many development teams and scanning tools are unaware of this threat due to its disputed status.

New Go loader pushes Rhadamanthys stealer

Malwarebytes describes a malvertising campaign using a loader written in the Go language to deploy the Rhadamanthys stealer. The threat actor impersonated the PuTTY homepage with a malicious ad that appears at the top of Google search results. When clicked, the ad redirects users to a fake site from which the malware is downloaded. The loader checks the victim's IP address before retrieving a follow-up payload from another server, which executes the Rhadamanthys payload. The campaign seems to be targeted at users in the US.

Ransomware: Attacks Continue to Rise as Operators Adapt to Disruption | Symantec Enterprise Blogs

The article describes a continued rise in ransomware attacks despite a slight decrease in the number of attacks claimed by ransomware actors. The primary vector for these attacks has shifted from botnets to vulnerability exploitation. The most significant ransomware threats include LockBit and Noberus, with notable disparities between claimed attacks and those investigated by Symantec. Ransomware attackers have also started leveraging dual-use tools and specific techniques such as Esentutl and DPAPI.

CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign | Trend Micro (US)

The article describes a zero-day attack campaign carried out by the DarkGate operators. The threat actors exploited the CVE-2024-21412 vulnerability in Microsoft SmartScreen to bypass security measures and deploy the DarkGate malware. The campaign involved the use of open redirects in technologies such as the Google Ads ecosystem to disseminate the malware. The DarkGate malware is complex and has evolved to employ multiple evasion techniques, making it difficult to detect and analyze. The affected regions or specific targets of the campaign are not mentioned in the text.

Operation FlightNight: Indian Government Entities and Energy Sector Targeted by Cyber Espionage Campaign

An unidentified threat actor has been targeting Indian government entities and the energy sector since March 7th, 2024, using a modified version of the open-source information stealer HackBrowserData. Delivered via a phishing email masquerading as an invitation from the Indian Air Force, the malware exfiltrates data to Slack channels used by the attacker. Agencies responsible for electronic communications, IT governance, and national defense, as well as private Indian energy companies, were targeted. The actor stole 8.81 GB of data, potentially aiding further intrusions into the Indian government's infrastructure. The actor's methods strongly resemble an attack reported on January 17, 2024, suggesting a likely connection. The motive behind the attacks is believed to be cyber espionage.

The article describes a cyberattack campaign conducted by the Iran-aligned threat actor TA450. The group targeted Israeli employees at large multinational organizations by sending phishing emails with PDF attachments containing malicious links. The threat actor's tactics have evolved, as they have recently relied on including malicious links directly in the body of the email, rather than in attachments. The links lead to file-sharing sites such as Egnyte, Onehub, Sync, and TeraBox. If a target clicks on the link, a ZIP archive containing a compressed MSI is downloaded, which installs the AteraAgent remote administration software known to be abused by TA450.

The Updated APT Playbook: Tales from the Kimsuky threat actor group

The article describes a cyber espionage campaign believed to be carried out by the Kimsuky threat actor group, also known as Black Banshee or Thallium. The group primarily targets South Korean government entities, individuals associated with Korean unification, and global experts in fields relevant to the regime's interests. The tactics include using weaponized Office documents, ISO files, and shortcut files (LNK files), and recently, CHM files. Once executed, these CHM files perform different operations and allow the group to gain undetected access to the target's system and collect intelligence. The group continuously updates its tactics to bypass modern security measures.

Taking a deep dive into SmokeLoader

The article provides a detailed analysis of the Smoke Loader malware, a sophisticated piece of software primarily used for loading subsequent stages of malware onto systems. It is particularly adept at stealing information, such as credentials. Smoke Loader utilizes advanced anti-analysis and anti-debugging techniques, making detection challenging. It is typically disseminated through malicious documents, primarily Word or PDF files, often distributed via spam emails or targeted spear-phishing campaigns. The malware has been exclusively available to threat actors based in Russia since 2014.

Around We Go: Planet Stealer Emerges

The article discusses an emerging information-stealing trojan project named Planet Stealer, which is offered for sale in underground forums. This malware is designed to collect and exfiltrate sensitive information from victim hosts where it has gained an initial foothold. It has been utilized by one or more active threat actors in recent campaigns. The malware has several capabilities including browser information theft, cryptocurrency wallet theft, messenger and game client credential theft, and evasion of virtualization/sandbox. The malware communicates with the command and control server using HTTP API with inner JSON data.

PIKABOT, I choose you! — Elastic Security Labs

The Elastic Security Labs team has identified new campaigns of the PIKABOT loader, a tool used by malicious actors to distribute payloads such as Cobalt Strike or launch ransomware. This version of PIKABOT uses a new unpacking method and heavy obfuscation, with added string decryption implementation and changes to obfuscation functionality. The campaign began on February 8th and involved emails with hyperlinks leading to ZIP archive files containing a malicious obfuscated Javascript script. The loader uses a new technique to combine scattered chunks of encrypted data from the .data section. The core module has also undergone changes, including toned-down obfuscation and removal of AES during network communications.

Curious Serpens' FalseFont Backdoor: Technical Analysis, Detection and Prevention

The article discusses a cyber espionage campaign led by the Iranian-affiliated threat actor, Curious Serpens, also known as Peach Sandstorm, APT33, Elfin, HOLMIUM, MAGNALIUM, or REFINED KITTEN. The group has been active since 2013 and targets organizations across the Middle East, the United States, and Europe. The primary attack tool is a backdoor named FalseFont, which is delivered through a fake job recruitment process, impersonating legitimate human resources software. FalseFont is capable of executing commands, manipulating the file system, capturing screens, and stealing credentials.

Stories from the SoC Part 1: IDAT Loader to BruteRatel

The article describes a cyber threat campaign by financially motivated threat groups, which involves the deployment of a new malware loader named IDAT Loader. The loader is unique as it retrieves data from PNG files, searching for specific offsets. It is distributed via a FakeUpdates campaign and further utilizes malvertising and drive-by downloads for initial malicious payload execution. The IDAT Loader also employs advanced techniques such as Process Doppelgänging and the Heaven's Gate technique. The campaign also involves the use of BruteRatel C4 (BRC4) framework and SecTop RAT.

Hunting PrivateLoader: The malware behind InstallsKey PPI service

The malware downloader PrivateLoader, widely used by the Russian Pay-Per-Install service InstallsKey, has been updated with new string encryption algorithm and communication protocol. It is primarily distributed through SEO-optimized websites offering cracked software but is also spread by other malware downloaders like SmokeLoader. PrivateLoader downloads and executes various malware families, mostly stealers and loaders, and has dropped more than 2300 payloads in the past year. It has been observed downloading the RisePro infostealer from VKontakte, a Russian social media site. The malware is spread globally, with a higher incidence in emerging economies like Africa, Asia, and South America.

z0Miner Exploits Korean Web Servers to Attack WebLogic Server

The threat actor 'z0Miner' has been launching attacks on vulnerable Korean WebLogic servers. The attack pattern involves the exploitation of Korean web servers, which are then used as download servers for malware distribution. The threat actor uses network tools such as Fast Reverse Proxy (FRP), NetCat, and AnyDesk, and exploits vulnerabilities like CVE-2020-14882 and CVE-2020-14883. Windows systems are attacked with powershell.exe and certutil.exe, while Linux systems are targeted with the curl command. The campaign also involves cryptojacking by distributing different versions of the XMRig miner.

Muddled Libra Hackers Using Pen Testing Tools To Gain Admin Access

The Muddled Libra hacking group, which emerged in late 2022, is using pen testing tools to gain admin access to targeted systems. The group is known for its 0ktapus phishing kit that allows low-skilled attackers to emulate mobile authentication pages to gather credentials and MFA codes. The group has been attributed to several complex supply chain attacks targeting cryptocurrency. The group targets victims through lookalike domains in smishing attacks, using short-lived domains via various providers. The group is known to use legitimate tools like SharpHound, ADRecon, and Angry IP Scanner for consistent discovery methods, aiming for data and credential theft. They are now seen to be shifting towards an 'encrypt and extort' model, targeting larger organizations in the same industry.

Under the Hood of SnakeKeylogger: Analyzing its Loader and its Tactics, Techniques, and Procedures

The Snake Keylogger is a Trojan Stealer that emerged as a significant cyber threat in November 2020. This malicious tool is developed using .NET and is equipped with functionalities such as keylogging, credential theft, and screen capturing. It also has the ability to gather clipboard data, browser credentials, and conduct system and network reconnaissance. It employs a multifaceted approach to data exfiltration, leveraging various Command and Control servers such as FTP, SMTP, and Telegram for discreet data transmission. The malware also uses a variety of cryptors or loaders to obfuscate its code and evade detection.

Tycoon 2FA: an in-depth analysis of the latest version of the AiTM phishing kit

Sekoia details an investigation into the Tycoon 2FA phishing kit, used by threat actors to carry out widespread and effective attacks. This Adversary-in-The-Middle (AiTM) phishing kit is associated with the Phishing-as-a-Service (PhaaS) platform and is used to intercept session cookies during a legitimate session-based authentication, allowing for the bypassing of multi-factor authentication. The Tycoon 2FA kit saw widespread use from August 2023 to late February 2024, after which it underwent changes to enhance obfuscation and anti-detection capabilities. The article provides in-depth technical analysis of the kit's operations, changes in its recent version, and tips for tracking the associated infrastructure.

APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme

APT28 threat actor has been coordinating massive phishing attacks in Europe, South America, North America and Asia, luring victims to open infected documents.The attack steps involve the use of JavaScript payloads embedded in the luring documents, which will abuse a Windows feature called “search:ms”.Later it will deploy MASEPIE, OCEANMAP and STEELHOOK malware Finally, NTLM credential hashes can be stolen by the attacker.

MSSQL to ScreenConnect | Huntress Blog

The described campaign involves an unidentified threat actor targeting endpoints running MSSQL Server or MSSQL Express. The attacker used automated attacks with a systematic sequence and timing of commands, indicating the use of a script or playbook. The initial access was through an MSSQL event, followed by attempts to activate stored procedures and execute commands, some of which were encoded. The attack also involved attempts to install an MSI file and a ScreenConnect instance, both of which appeared to fail. The threat actor had SYSTEM level access and used multiple IP addresses during the attack.

Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect

Mandiant presented a campaign that involves a Chinese threat actor, UNC5174, exploiting various vulnerabilities such as CVE-2023-46747, CVE-2024-1709, CVE-2023-22518, CVE-2022-0185, and CVE-2022-3052. The actor targeted U.S. defense contractor appliances, UK government entities, and institutions in Asia, U.S., Canada, and Southeast Asia. After successful exploitation, they created administrative accounts and executed bash commands. Their actions were identified through log files, and they left artifacts of extensive reconnaissance, web application fuzzing, and aggressive scanning for vulnerabilities. UNC5174 is assessed with moderate confidence to be unique to the People's Republic of China (PRC) and is believed to be a contractor for China's Ministry of State Security (MSS).

Two Chinese APT Groups Ramp Up Cyber Espionage Against ASEAN Countries

Two China-linked advanced persistent threat (APT) groups, including Mustang Panda, have been conducting a cyber espionage campaign against entities and countries associated with the Association of Southeast Asian Nations (ASEAN). The threat actors have targeted Myanmar, the Philippines, Japan, and Singapore with phishing emails designed to deliver two malware packages. These packages, created to coincide with the ASEAN-Australia Special Summit, contain a ZIP file with an executable that deploys a known Mustang Panda malware and a screensaver executable that retrieves next-stage malicious code from a remote IP address. Additionally, a new Chinese threat actor known as Earth Krahang has targeted 116 entities across 35 countries. The leak from a Chinese government contractor, I-Soon, has provided insights into how the Chinese government outsources parts of its cyber operations to private third-party companies.

Infostealer Disguised as Adobe Reader Installer - ASEC BLOG

The AhnLab Security Intelligence Center discovered a new attack campaign in which a threat actor is distributing malware disguised as Adobe Reader installer. Users are tricked into downloading and running a fake PDF file, written in Portuguese, which prompts them to download the disguised malware. Once the malicious file is executed, it creates additional malicious files, bypasses user account control (UAC) via DLL hijacking, and leaks information. The malware collects system and browser information and communicates with C2 servers. It also creates a path that is added to Windows Defender exclusion and hides additional malicious files.

VCURMS: A Simple and Functional Weapon

An unidentified threat actor is conducting a phishing campaign to distribute new versions of VCURMS and STRRAT remote access trojans (RATs). The malware is primarily spread through emails that encourage users to download a malicious Java downloader. The malware is hosted on public services like Amazon Web Services (AWS) and GitHub and uses a commercial protector to avoid detection. Once downloaded, the malware gives attackers control over infected systems. The campaign targets all platforms with Java installed, affecting any organization that falls prey to the phishing emails.

Stopping a K-12 cyberattack (SolarMarker) with ThreatDown MDR | Malwarebytes

In 2024, a large K-12 school district partnered with ThreatDown MDR to bolster its cybersecurity posture. Shortly after, ThreatDown MDR analysts detected unusual activity patterns, which were identified as the work of SolarMarker, a sophisticated backdoor. This malware had been present in the district's system since at least 2021, likely exfiltrating data over an extended period. The malware utilized a Base64-encoded string as a decryption key and targeted a specific file path for encoded data.

ASEAN Entities in the Spotlight: Chinese APT Group Targeting

Two Chinese Advanced Persistent Threat (APT) groups, including one known as Stately Taurus, have been conducting cyberespionage activities against the Association of Southeast Asian Nations (ASEAN) and its member countries. Using two malware packages, the groups targeted entities in Myanmar, the Philippines, Japan, and Singapore. The timing of these campaigns aligned with the ASEAN-Australia Special Summit. The second APT group compromised an ASEAN-affiliated entity and targeted various Southeast Asia government entities. The attack consists of downloading legitimate signed software vulnerable to DLL sideloading. The malicious DLLs used in sideloading, gain persistence, and open a communication channel to the attacker's C2 server.

WogRAT Malware Exploits aNotepad (Windows, Linux)

The threat actor has been using WogRAT malware to target both Windows and Linux systems. The malware is being distributed through a free online notepad platform, aNotepad, disguised as legitimate utility tools. The malware collects basic system information and sends it to the command and control server, supporting various commands. The main targets of these attacks seem to be Asian countries, including Hong Kong, Singapore, China, and Japan.

Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities

Check Point Research describes a financially motivated cyber threat campaign run by an actor named Magnet Goblin. This threat actor rapidly adopts 1-day vulnerabilities in public-facing services, like Ivanti Connect Secure VPN, to gain initial access to systems. The actor uses malware belonging to a custom family called Nerbian, including NerbianRAT and MiniNerbian, which are designed for both Windows and Linux. The actor has targeted Magento, Qlik Sense, and possibly Apache ActiveMQ to deploy its malware, and also uses remote monitoring and management software such as ConnectWise's ScreenConnect. The campaign appears to be global in nature.

Redfly: Espionage Actors Continue to Target Critical Infrastructure

Threat actor group 'Redfly', identified by Symantec's Threat Hunter Team, used the ShadowPad Trojan to infiltrate a national grid in an Asian country, maintaining access for about six months. The group stole credentials and compromised multiple computers within the organization's network. The attacks were part of a larger trend of espionage targeting critical national infrastructure (CNI) globally. The threat actor used tools such as ShadowPad, Packerloader, and a keylogger to achieve their objectives. The campaign exhibited a significant level of persistence, with the actors maintaining a presence on the network for a long duration, even after the initial compromise.

Dropbox Used to Steal Credentials and Bypass MFA in Phishing Campaign - Infosecurity Magazine

A sophisticated phishing campaign was conducted by unidentified threat actors, who exploited Dropbox's legitimate infrastructure to bypass multifactor authentication (MFA) protocols and steal login credentials. The attackers targeted a Darktrace customer and sent phishing emails from a legitimate Dropbox address to trick the users into opening a malicious PDF file. This file contained a link to a fake Microsoft 365 login page designed to harvest credentials. The threat actors managed to bypass MFA by using valid tokens and remained undetected by traditional security tools. Moreover, they used VPN services like ExpressVPN and HideMyAss to mask their real location. The incident underlines the increasing exploitation of popular services to trick targets and the growing adeptness of attackers at evading standard security protocols.

At Keysight, enhancing the security posture of our customers is our utmost priority, Threat Simulator proactively replicates cyber threats, enabling you to swiftly discover, address, and validate security vulnerabilities before they escalate into serious issues.

Leveraging over two decades of expertise in network and security, our global Application and Threat Intelligence (ATI) Research Center stays updated with the newest threats. This allows us to develop simulations of these threats within hours of their detection.

Our Threat Campaigns are carefully crafted to replicate real-world scenarios, allowing you to test your controls manually or automatically. By doing so, you can ensure that your security posture is armed with identifiable Indicators of Compromise (IOC). Our Threat Campaigns are now enriched with behavioral audits, based on the analysis of the malicious files associated with a specific threat.

Stay ahead of the curve in the ever-changing world of cybersecurity with Keysight.

Visit our website for more information.