
Monthly Cyber Security Threats Update, April 2024


Our Keysight Application and Threat Intelligence (ATI) Research Center remains alert to a growing range of cyber threats.

In April, we created many new Threat Campaigns and Audits to keep you safe, by simulating the latest attacks and incorporating them into Threat Simulator, our breach and attack simulation (BAS) platform. We do this so our customers and partners can quickly identify, remediate, and validate security vulnerabilities and therefore stay protected.

This month we have seen threats such as the Rhysida ransomware targeting sectors from finance to the public sector. A new threat actor named ‘Starry Addax’ has even targeted human rights activists.

There have been notable uses of AI, with threat actors such as TA547 using large language models (LLMs) to help create malware campaigns, and an increase in the use of YouTube to distribute malware, specifically infostealers such as RedLine, Vidar, and LummaC2.

We have also observed clever techniques such as malvertising campaigns making installers look more legitimate by digitally signing them and hosting them on Dropbox.

And among many other things we have seen the Akira ransomware variant, known to disable security software, utilize a double-extortion model, and threaten to publish exfiltrated data on the Tor network.

Read on to learn about these new simulations and how we can assist you in maintaining your safety, no matter where you are in the world.

New endpoint security:

New Endpoint Audits

Trusted Developer Utilities Proxy Execution – ‘Microsoft.NodejsTools.PressAnyKey.exe’: Download eicar through PowerShell; Technique T1127

Microsoft.NodejsTools.PressAnyKey.exe is a legitimate, signed binary that, unfortunately, can be used in malicious ways beyond the scenarios it was created for. The tool is present in software development environments where Microsoft Visual Studio has been installed together with the Node.js extension. The executable poses a risk because it runs any command or executable passed as one of its arguments, while evading defensive measures thanks to its valid application signature/certificate. This audit uses Microsoft.NodejsTools.PressAnyKey.exe to create a new PowerShell session that decrypts an encrypted EICAR sample in memory, using an XOR cipher and a predefined key. The EICAR component is a dummy file used across the industry to test anti-virus solutions.
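The defensive counterpart of this audit is a detection over process-creation telemetry. The following is an added example, not Keysight's or Threat Simulator's code: it scores events in which the signed PressAnyKey.exe helper spawns a script interpreter (T1127 proxy execution), raising the severity when the child command line also carries an encoded or download/decode payload. The field names mirror Sysmon Event ID 1 and the sample events are constructed; the base64 string is a placeholder.

```python
# Added example: detect Trusted Developer Utilities proxy execution (T1127)
# via Microsoft.NodejsTools.PressAnyKey.exe in process-creation telemetry.
# Field names (ParentImage, Image, CommandLine) mirror Sysmon Event ID 1;
# the events below are constructed, not real captures.
import re

# Signed developer utility from the audit above that will run whatever is
# passed on its command line. Other T1127 binaries can be added here.
PROXY_PARENTS = {"microsoft.nodejstools.pressanykey.exe"}

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# -EncodedCommand and its short forms followed by a base64 blob, plus the
# usual in-memory decode/download primitives.
SUSPICIOUS_CMDLINE = re.compile(
    r"(?i)(?:^|\s)-(?:encodedcommand|enc|en|e)\s+[A-Za-z0-9+/=]{20,}"
    r"|frombase64string|downloadstring|invoke-expression|\biex\b"
)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event):
    """Return (severity, reasons) for one process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    if parent in PROXY_PARENTS and child in INTERPRETERS:
        reasons.append(f"proxy-execution binary {parent} spawned {child}")
    if SUSPICIOUS_CMDLINE.search(cmdline):
        reasons.append("encoded or download/decode command line")
    if len(reasons) >= 2:
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "none", reasons


def detect(events):
    """Return the events that score medium or high, annotated with reasons."""
    findings = []
    for ev in events:
        severity, reasons = score_event(ev)
        if severity != "none":
            findings.append({**ev, "severity": severity, "reasons": reasons})
    return findings


# Constructed sample telemetry. The base64 in event 2 is a placeholder
# (base64 of a run of 'A'), not a real encoded command.
SAMPLE_EVENTS = [
    {   # benign: the helper launching node.exe from a debug session
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
        "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe",
        "CommandLine": "Microsoft.NodejsTools.PressAnyKey.exe node.exe app.js",
    },
    {   # the audit's pattern: PressAnyKey.exe -> powershell.exe -enc <blob>
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==",
    },
    {   # benign: a scheduled script started from Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
    },
    {   # interpreter spawned by the helper but with a plain command line
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["severity"], "-", "; ".join(hit["reasons"]))
```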

New Assessments:

Endpoint – Malware Emulation: Rhysida March 2024

This assessment emulates the activity of the malware sample identified by the SHA256 hash b55ecbddcbed916481ad537807cd3e33cb71814be6ce8e03eb63b629ccb8c692. Rhysida is a ransomware variant that targets the education, healthcare, manufacturing, information technology, and government sectors. Open-source reporting has confirmed Rhysida operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates. This assessment emulates the infection and will not execute the actual malware. The emulation binary is generated on demand for each assessment run.

Network audits:

Trend Micro Apex One and OfficeScan Directory Traversal

This audit exploits a directory traversal vulnerability in Trend Micro Apex One and OfficeScan. The vulnerability is due to improper validation of the user-supplied file name in the X_DTAS_Archive_Filename HTTP header when handling a sample file upload request. Since a remote, unauthenticated attacker can control both the file name and the file content, this directory traversal vulnerability could allow the attacker to modify executable files on the target system, which could then lead to remote code execution in the context of the IUSR account.
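The bug class here is a header-supplied file name joined onto an upload directory without validation. The following is an added example, not Trend Micro's or Keysight's code: vulnerable_target() shows that naive join, and safe_target() shows the checks an upload handler should apply before touching the filesystem. The upload root and the sample header values are constructed.

```python
# Added example: directory traversal through a user-supplied file name
# (the X_DTAS_Archive_Filename pattern), naive join beside a hardened check.
import os
import urllib.parse

UPLOAD_DIR = "/srv/uploads"   # assumed upload root for the example


def vulnerable_target(upload_dir, header_value):
    """Naive join: '../' segments in the header walk out of upload_dir."""
    return os.path.normpath(os.path.join(upload_dir, header_value))


class UnsafeFilename(ValueError):
    """Raised when a header-supplied file name fails validation."""


def safe_target(upload_dir, header_value):
    """Return an absolute path inside upload_dir, or raise UnsafeFilename."""
    # 1. Undo one layer of URL encoding so %2e%2e%2f is seen as ../
    name = urllib.parse.unquote(header_value)
    # 2. Reject empty names and control bytes (NUL truncation tricks)
    if not name or any(ord(c) < 0x20 for c in name):
        raise UnsafeFilename("empty name or control characters")
    # 3. Treat both separators as separators regardless of the server OS
    if "/" in name or "\\" in name:
        raise UnsafeFilename("path separator in file name")
    # 4. Reject dot-only names and drive-qualified names
    if name in (".", "..") or ":" in name:
        raise UnsafeFilename("relative or drive-qualified name")
    # 5. Belt and braces: the resolved path must still sit under upload_dir
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise UnsafeFilename("resolved outside the upload directory")
    return target


def is_safe(upload_dir, header_value):
    """Boolean wrapper around safe_target() for bulk checks."""
    try:
        safe_target(upload_dir, header_value)
        return True
    except UnsafeFilename:
        return False


# Constructed header values: one legitimate name and several traversal forms.
SAMPLE_HEADERS = [
    "sample.zip",
    "../../inetpub/wwwroot/app.exe",
    "..\\..\\Windows\\System32\\foo.dll",
    "%2e%2e%2fetc%2fcron.d%2fjob",
    "C:\\Windows\\x.dll",
    "report\x00.zip",
]

if __name__ == "__main__":
    for value in SAMPLE_HEADERS:
        print(f"{value!r:45} naive={vulnerable_target(UPLOAD_DIR, value)!r:40} safe={is_safe(UPLOAD_DIR, value)}")
```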

Citrix Application Delivery Controller Information Disclosure via file_download Function

An information disclosure vulnerability exists in Citrix Application Delivery Controller (ADC) and Gateway. This vulnerability can be triggered by calling the function file_download() in the PHP rapi.php script. The flaw may be exploited by an authenticated attacker to access sensitive data. It can also be exploited by an unauthenticated attacker when combined with CVE-2020-8193.

Adobe ColdFusion CKEditor upload.cfm Unrestricted File Upload

This audit exploits an unrestricted file upload vulnerability in Adobe ColdFusion CKEditor. The vulnerability is due to improper restrictions on the files uploaded by users. By successfully exploiting this vulnerability, a remote, unauthenticated attacker could upload arbitrary files and execute them on the target server.

Apache Struts OGNL action/redirect/redirectAction Command Execution

This audit exploits a command execution vulnerability in Apache Struts. Specially crafted HTTP GET or POST requests can be sent to the Apache Struts server to execute arbitrary code with the privileges of the user running the server.

Apache Solr DataImportHandler Code Execution

This audit exploits a script injection vulnerability in Apache Solr via the “dataConfig” parameter of the DataImportHandler module. The DataImportHandler (DIH) module lets users pull in data from databases and other sources, and the “dataConfig” parameter allows the entire DIH configuration to be supplied as a request parameter. Since a DIH configuration can contain scripts, an attacker can submit a request whose configuration carries malicious script. Successful exploitation results in code execution in the context of the user running the Apache Solr service.

Apache Tomcat JSP Upload Remote Code Execution

This audit exploits a remote command execution vulnerability in Apache Tomcat. The vulnerability allows attackers to upload arbitrary files to the Tomcat application server by utilizing the HTTP PUT method. By uploading a .JSP file to the Tomcat Application Server, an attacker can execute malicious code on the remote machine.

Zoho ManageEngine ServiceDesk Plus Arbitrary File Upload

This audit exploits a file upload vulnerability in Zoho ManageEngine ServiceDesk Plus. Files can be uploaded to the target by sending an HTTP POST request with the parameter ‘module’ set to ‘CustomLogin’. An attacker can send a malicious HTTP POST request to upload an arbitrary file to the ‘/custom/login’ folder. Successful exploitation may lead to the creation and execution of arbitrary files by an authenticated user with minimal permissions (for example, guest).

Adobe Flash Player 10.2.153.1 SWF Memory Corruption

Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content, object type confusion, ActionScript that adds custom functions to prototypes, and Date objects, as exploited in the wild in April 2011. This audit delivers an attack consistent with executing arbitrary code in the context of the logged-in user, with user interaction in the form of visiting a malicious webpage.

New Threat Campaigns:


Figure 1: Recent Threat Campaigns available in Threat Simulator

Security Brief: TA547 Targets German Organizations with Rhadamanthys Stealer

The threat actor TA547 targeted German organizations with an email campaign delivering Rhadamanthys malware through emails impersonating the German retail company Metro. The campaign used a PowerShell script suspected to have been generated by a large language model (LLM) such as ChatGPT, Gemini, or Copilot. The malware was executed through an LNK file contained in a password-protected ZIP file.

Malvertising campaign targeting IT teams with MadMxShell

The threat actor employs a multi-stage attack in which each stage uses obfuscated shellcode, DLL sideloading, and XOR keys for encoding and decoding. The malware attempts to disable Windows Defender and sets up persistence for further exploitation. It communicates with its C2 server via DNS MX queries and responses. The malware can collect system information, execute commands, and perform basic file manipulation operations.
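C2 over MX records stands out in resolver logs because ordinary hosts rarely issue MX queries, and never to a stream of unique, high-entropy subdomains. The following is an added detection example, not Zscaler's, the MadMxShell authors' or Keysight's code: it parses simplified resolver log lines (a constructed format loosely modelled on BIND query logs), aggregates MX queries per client and registered domain, and flags pairs whose volume, name churn and label entropy look like data tunnelling. The thresholds, the two-label registered-domain rule and the sample log are assumptions.

```python
# Added example: flag DNS MX-based C2 (the MadMxShell channel above) in
# resolver logs. Log format and thresholds are assumptions for the example.
import math
import re
from collections import defaultdict

# Constructed line format: <timestamp> client <ip>#<port>: query: <qname> IN <qtype>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def split_name(qname):
    """Return (subdomain, registered_domain). Crude eTLD+1 = last two labels
    (assumption: no multi-part public suffixes such as co.uk in the data)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits per character; encoded data in labels scores far above real words."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(lines, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Aggregate MX queries per (client, registered domain) and return the
    pairs with enough volume, mostly unique names and high-entropy labels."""
    stats = defaultdict(lambda: {"mx": 0, "names": set(), "entropy_sum": 0.0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["qtype"] != "MX":
            continue
        sub, domain = split_name(m["qname"])
        s = stats[(m["client"], domain)]
        s["mx"] += 1
        s["names"].add(m["qname"])
        s["entropy_sum"] += shannon_entropy(sub)
    findings = []
    for (client, domain), s in sorted(stats.items()):
        unique_ratio = len(s["names"]) / s["mx"]
        mean_entropy = s["entropy_sum"] / s["mx"]
        if (s["mx"] >= min_queries and unique_ratio >= min_unique_ratio
                and mean_entropy >= min_entropy):
            findings.append({"client": client, "domain": domain, "mx_queries": s["mx"],
                             "unique_ratio": round(unique_ratio, 2),
                             "mean_entropy": round(mean_entropy, 2)})
    return findings


# Constructed log: a mail relay (10.0.0.5) doing normal MX lookups, one A
# query, and an infected host (10.0.0.42) querying MX for unique hex labels.
SAMPLE_LOG = [
    "2024-04-02T09:00:01 client 10.0.0.5#50123: query: gmail.com IN MX",
    "2024-04-02T09:00:02 client 10.0.0.5#50124: query: gmail.com IN MX",
    "2024-04-02T09:00:03 client 10.0.0.5#50125: query: gmail.com IN MX",
    "2024-04-02T09:00:04 client 10.0.0.5#50126: query: gmail.com IN MX",
    "2024-04-02T09:00:05 client 10.0.0.5#50127: query: gmail.com IN MX",
    "2024-04-02T09:00:06 client 10.0.0.5#50128: query: gmail.com IN MX",
    "2024-04-02T09:00:07 client 10.0.0.5#50129: query: outlook.com IN MX",
    "2024-04-02T09:00:08 client 10.0.0.42#51000: query: www.example.org IN A",
    "2024-04-02T09:00:09 client 10.0.0.42#51001: query: 4a9f0c3e1b7d2e85.cdn-telemetry.example IN MX",
    "2024-04-02T09:00:10 client 10.0.0.42#51002: query: 91c7e2ab0d5f3684.cdn-telemetry.example IN MX",
    "2024-04-02T09:00:11 client 10.0.0.42#51003: query: f03b8d1e6a2c7954.cdn-telemetry.example IN MX",
    "2024-04-02T09:00:12 client 10.0.0.42#51004: query: 6e2d9a0c4f81b375.cdn-telemetry.example IN MX",
    "2024-04-02T09:00:13 client 10.0.0.42#51005: query: c5a8e13f7b02d964.cdn-telemetry.example IN MX",
    "2024-04-02T09:00:14 client 10.0.0.42#51006: query: 2b7f4e0a9d3c1865.cdn-telemetry.example IN MX",
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(hit)
```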

Connect:fun Attacking Organizations Running FortiClient EMS

A new cyber threat campaign, named ‘Connect:fun’, is targeting organizations using Fortinet’s FortiClient EMS. The campaign, observed by Forescout Research – Vedere Labs, exploits a critical SQL injection vulnerability (CVE-2023-48788) in Fortinet’s security management solution. The campaign has been active since 2022, but exploitation attempts have increased since the disclosure of the vulnerability in March 2024. The campaign uses ScreenConnect and Powerfun as post-exploitation tools and has been associated with a media company whose FortiClient EMS was vulnerable and exposed to the internet. The exploitation of this vulnerability can lead to unauthorized access, data theft, lateral movement within the network, and potentially a full-scale breach of the organization’s cyber defenses.

Phishing Case Under the Guise of Korean Portal Login Page – ASEC BLOG

AhnLab Security Intelligence Center (ASEC) has detected a phishing campaign that mimics Korean portal login pages. The threat actor uses the actual source code of the legitimate websites to create phishing pages that are almost indistinguishable from the real ones. The phishing pages are designed to steal users’ login credentials by modifying the address and method used to send the ID and password. The threat actor used the NoCodeForm platform to exfiltrate the account credentials. This phishing campaign has been targeting users through email attachments from unknown sources.

Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters

The article describes a cyber-attack campaign in which threat actors exploit vulnerabilities in the OpenMetadata platform to breach Kubernetes environments. The identified vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254) are used to bypass authentication and achieve remote code execution. Attackers then establish control over the compromised system, conduct reconnaissance, and deploy cryptomining-related malware downloaded from a remote server. While the report does not identify specific regions affected, it mentions the use of a server based in China. No specific threat actor is identified.

Trend Micro Collaborated with Interpol in Cracking Down Grandoreiro Banking Trojan | Trend Micro (US)

The article reports on Trend Micro’s collaboration with Interpol in tracking down the administrators of the Grandoreiro banking trojan. The Grandoreiro malware, which first appeared in 2018, primarily targets users in Latin America and Europe and spreads via phishing emails impersonating legitimate organizations. Once installed on a system, it operates as a banking trojan, aiming to steal sensitive financial information.

Cyberespionage Group Earth Hundun’s Continuous Refinement of Waterbear and Deuterbear | Trend Micro (US)

The article discusses the activities of the cyberespionage group Earth Hundun, also known as BlackTech, that has been active in the Asia-Pacific region for several years, targeting technology and government sectors. The group is known for its use of the Waterbear backdoor, a complex malware entity with many evasion techniques. In 2022, the group started using an advanced variant of Waterbear, known as Deuterbear, which has several updates including anti-memory scanning and decryption routines.

Raspberry Robin and its new anti-emulation trick

The article describes a cyber threat campaign involving Raspberry Robin, a malware first reported by Red Canary in 2021 and noted as the 9th most prevalent threat in 2023. The malware, which initially started as a worm, evolved into an initial access broker for other threat actors, and its success is due to its constantly evolving evasion capabilities. The recent variant of Raspberry Robin was found to feature unknown anti-emulation techniques. The malware was distributed via a fake crack/keygen website, which instead of providing advertised software, provided zip files containing the malware. Raspberry Robin seems to be the first malware to use VDLL specific function import as an anti-emulation trick, which makes it difficult to detect and analyze.

Threat Actor Profile: TransparentTribe

Cyble describes the activities of TransparentTribe, an Advanced Persistent Threat (APT) group operating out of Pakistan. The group primarily targets Indian government organizations, military personnel, and defense contractors, with the objective of gathering sensitive information, conducting cyber espionage, and compromising security. Their methods include creating fake websites and documents, using custom-developed malware, and exploiting various platforms including Windows and Android. They also use several infection vectors including malicious document files, PowerPoint files, Excel sheet files, and Linux Desktop entry files. The group has exploited vulnerabilities such as CVE-2012-0158 and CVE-2010-3333 and has targeted numerous countries beyond India and Afghanistan.

Malicious helpers: VS Code Extensions observed stealing sensitive information

ReversingLabs presented several Visual Studio Code extensions that deceive users into leaking credentials. The malicious add-ons (clipboard-helper-vscode, code-ai-assistant, codegpt-helper and mycodegpt-assistant) could be found on the Visual Studio Code Marketplace. Fortunately, they have been disabled. Such extensions inspect the clipboard buffer for saved credentials or prompt the user to enter their secret API keys. The data is exfiltrated through Discord webhooks.

AI meets next-gen info stealers in social media malvertising campaigns

Cybercriminals are utilizing the popularity of AI-powered software to conduct malicious operations on social media. Using AI tools as a facade, these threat actors hijack Facebook profiles and run sponsored malvertising campaigns designed to trick users into downloading malicious versions of popular AI software. These campaigns direct users to webpages that download a variety of stealers to harvest sensitive information from compromised systems. The cybercriminals constantly change and adapt the malicious payloads to avoid detection.

Connect:fun: New exploit campaign in the wild targets media company

The campaign, named Connect:fun by Forescout Research – Vedere Labs, involves a threat actor exploiting the CVE-2023-48788 vulnerability in Fortinet’s FortiClient EMS. The threat actor targets organizations running the vulnerable software and uses the post-exploitation tools ScreenConnect and Powerfun. The campaign involves a sequence of commands that attempt command execution, SQL injection, and the downloading of a malicious payload and remote management tools. The threat actor has been active since 2022, predominantly targeting Fortinet appliances and using the Vietnamese and German languages in their infrastructure. The campaign is not automated but involves manual exploitation attempts.

ToddyCat’s traffic tunneling and data extraction tools

Securelist details the operations of the Advanced Persistent Threat (APT) group, ToddyCat, which primarily targets governmental organizations in the Asia-Pacific region, including defense-related entities. The group’s main goal is to steal sensitive information from hosts. To automate the data harvesting process and maintain constant access to compromised infrastructures, the group uses a variety of tools such as Reverse SSH Tunnel, SoftEther VPN, Ngrok agent and Krong, and FRP client. They also use Cuthead for data collection and TomBerBil for stealing passwords from browsers.

Latrodectus: This Spider Bytes Like Ice

Proofpoint’s Threat Research team and Team Cymru S2 Threat Research team have observed a new malware named Latrodectus being used in email threat campaigns since late November 2023. The Latrodectus malware, distributed initially by threat actor TA577 and subsequently by TA578, serves as a downloader with sandbox evasion functionality. It was discovered to share infrastructure overlap with historic IcedID operations and is likely created by IcedID developers. Although initially thought to be a new variant of IcedID, it was confirmed to be a distinct malware. The malware has been used in several campaigns, primarily by actors considered initial access brokers (IABs). It is anticipated that Latrodectus will become increasingly used by threat actors, especially those who previously delivered IcedID.

Threat Bulletin – New variant of IDAT Loader

A new variant of the IDAT loader has been identified by Morphisec, which is used to deliver various malware payloads based on the attacker’s assessment of the victim’s system. The attack begins by downloading a setup file from the Windows app store. The application is delivered as an MSIX file which is edited to include a custom action executed through a PowerShell signed script. This script redirects to the first C2 which loads the IDAT loader.

Multiple Chinese Hacking Groups Exploiting Ivanti Connect Secure VPN Flaw

A series of sophisticated cyberattacks has been launched by Chinese-nexus espionage groups, specifically UNC5325 and UNC5337. Their focus has been the exploitation of vulnerabilities in Ivanti Connect Secure VPN appliances, using custom malware families and new tactics, techniques, and procedures (TTPs). The groups have been able to move laterally within compromised networks and compromise Active Directory systems. This has underscored the importance of timely patching and proactive cybersecurity practices. The groups have also shown adaptability, targeting other critical infrastructure in a campaign identified as BRICKSTORM.

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus

A sophisticated phishing attack that mimics the Outlook login panel has been discovered by cybersecurity researchers, bypassing all antivirus detections. The phishing page is hosted on a domain designed to resemble a legitimate Microsoft URL and uses advanced obfuscation techniques to evade detection. Users are tricked into revealing their login credentials. The attack was reported by a security researcher on Twitter. The attackers have put significant effort into making the page look authentic, making it difficult for users to identify it as a scam.

SuperSize Me

Trellix discusses a cyberattack campaign involving the distribution of oversized malware payloads via archive files. The attackers employ file inflation techniques to evade detection by overwhelming scanning engines with large files, sometimes exceeding 100MB in size. These files are compressed to avoid immediate detection and to enable efficient distribution. The malware is typically delivered via email attachments or URLs and often involves the use of Portable Executable files (EXE and DLL).

From OneNote to RansomNote: An Ice-Cold Intrusion

In February 2023, a threat actor used Microsoft OneNote files to gain initial access and deliver IcedID malware. The actor remained inactive, other than beaconing, for over 30 days. The actor then used Cobalt Strike and AnyDesk to target a file server and a backup server. Data was exfiltrated using FileZilla before Nokoyawa ransomware was deployed. The threat actor limited the scope of the attack to these two critical servers rather than the entire network. The attack is complex, moving through multiple steps to achieve persistence, gather system information, and spread through lateral movement.

Unveiling the Fallout: Operation Cronos’ Impact on LockBit Following Landmark Disruption

The campaign details the disruption of LockBit, a notorious ransomware group. After the disruption, there were widespread discussions on underground forums, with speculation that LockBit would rebrand and return as has happened with other cybercrime groups. The disruption led to increased paranoia among other ransomware-as-a-service (RaaS) groups, who started to self-reflect and investigate how they could avoid infiltration. LockBit tried to maintain a facade of control, and there was speculation about the identity of its operator, LockBitSupp.

Metasploit Meterpreter Installed via Redis Server

The AhnLab Security Intelligence Center discovered a campaign exploiting the Redis service, in which threat actors install the Metasploit Meterpreter backdoor. The attacks, using the older Redis 3.x version, involved the use of PrintSpoofer for privilege escalation, followed by the installation of Metasploit’s Stager malware. The attackers then used a reverse TCP method to execute Stager, which connects to a C&C server to download the Meterpreter backdoor, allowing them to take control of the infected system. While the campaign has been ongoing since the previous year, recent attacks have seen a shift from using PowerShell to the CertUtil tool for PrintSpoofer installation.

Bing ad for NordVPN leads to SecTopRAT | Malwarebytes

A recent malvertising campaign has been reported, targeting users of the Bing search engine. The threat actors behind this campaign are impersonating the popular VPN software NordVPN, luring users to a decoy site that appears almost identical to the original NordVPN site. When users download what they believe to be NordVPN software, they are actually installing a Remote Access Trojan (RAT) known as SecTopRAT onto their computer. The threat actors have tried to make their malicious installer look more legitimate by digitally signing it and hosting it on Dropbox.

KageNoHitobito Ransomware Attacking Windows Users

GBHackers discusses two ransomware threats, KageNoHitobito and DoNex, which are targeting Windows users worldwide. KageNoHitobito has been detected in multiple countries and is suspected to have been spread through file-sharing services disguised as legitimate software or game cheats. It encrypts data and demands a ransom through sophisticated means. DoNex, which emerged in early March 2024, has a data leak site and can encrypt files on both local and network drives. It is highly configurable, allowing it to adapt its operations based on the environment it infects. Both ransomware threats represent significant cybersecurity risks due to their sophisticated attack methods and international reach.

Threat Actors Hack YouTube Channels to Distribute Infostealers (Vidar and LummaC2)

Threat actors are increasingly using YouTube to distribute malware, specifically infostealers such as RedLine, Vidar, and LummaC2. They exploit well-known YouTube channels, some with up to 800,000 subscribers, to distribute this malware. The malware is often disguised as cracked versions of commercial software and attached in the video descriptions or comment sections. These infostealers collect and steal various user information from infected systems and can also download and install additional malware. The same threat actors are believed to be behind multiple distribution cases due to shared C&C server addresses. To avoid detection, the threat actors use methods such as password-protected compression and file size enlargement.
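The file size enlargement mentioned here and the oversized archive payloads in the “SuperSize Me” entry above are the same evasion: a small payload padded to tens or hundreds of megabytes so that scanners skip it. The following is an added triage example, not Trellix's, AhnLab's or Keysight's code: it measures how much of a file is one trailing byte run and how well the whole file deflates, flags files that show both signs, and strips the pad so the real payload can be submitted to a scanner that enforces a size limit. The size floor, the pad fraction and the compression ratio thresholds are assumptions, and the sample files are constructed in memory.

```python
# Added example: detect and undo file inflation (padding a small payload to
# a huge size). Thresholds are assumptions; samples are constructed.
import os
import zlib


def trailing_run(data):
    """Length of the run of identical bytes that ends the file."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))


def compression_ratio(data, chunk=1 << 20):
    """Deflate output size / input size, streamed in chunks so a large file
    does not need a second full copy in memory."""
    comp = zlib.compressobj()
    out = 0
    for i in range(0, len(data), chunk):
        out += len(comp.compress(data[i:i + chunk]))
    out += len(comp.flush())
    return out / max(len(data), 1)


def inflation_verdict(data, min_size=64 << 20, min_pad_fraction=0.9, max_ratio=0.05):
    """Return the measurements plus a 'flagged' verdict. Both signals are
    required: a huge trailing run alone (e.g. a sparse disk image) or high
    compressibility alone (e.g. a large text log) is not enough."""
    size = len(data)
    run = trailing_run(data)
    pad_fraction = run / size if size else 0.0
    ratio = compression_ratio(data)
    flagged = size >= min_size and pad_fraction >= min_pad_fraction and ratio <= max_ratio
    return {"size": size, "trailing_run": run, "pad_fraction": round(pad_fraction, 3),
            "compression_ratio": round(ratio, 4), "flagged": flagged}


def strip_padding(data, min_pad_fraction=0.9):
    """Drop the trailing pad only when it dominates the file, so a normal
    file that merely ends in a few repeated bytes is returned unchanged."""
    run = trailing_run(data)
    if data and run / len(data) >= min_pad_fraction:
        return data[:len(data) - run]
    return data


# Constructed samples: a 64 KiB pseudo-payload (random bytes ending in a
# non-zero byte so the pad boundary is exact) padded with 2 MiB of zeros,
# and an unpadded 2 MiB random blob for comparison.
PAYLOAD = os.urandom(65535) + b"\xff"
SAMPLE_INFLATED = PAYLOAD + b"\x00" * (2 << 20)
SAMPLE_PLAIN = os.urandom(2 << 20)

if __name__ == "__main__":
    # The demo lowers the size floor to 1 MiB so the small samples qualify.
    for label, blob in (("inflated", SAMPLE_INFLATED), ("plain", SAMPLE_PLAIN)):
        print(label, inflation_verdict(blob, min_size=1 << 20))
    print("payload after stripping:", len(strip_padding(SAMPLE_INFLATED)), "bytes")
```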

Pakistani APTs Escalate Attacks on Indian Gov. Seqrite Labs Unveils Threats and Connections

Seqrite Labs describes a cyberattack campaign carried out by Pakistan-linked Advanced Persistent Threat (APT) groups, SideCopy and APT36 (Transparent Tribe), primarily targeting Indian government and defense entities. SideCopy deployed its commonly used AllaKore RAT in multiple campaigns, whereas APT36 continuously used Crimson RAT. The attackers employed spear-phishing, compromised domains to host payloads, and used encoded or packed versions of their malware to evade detection. The campaign also involved the sale of access to Indian entities in underground forums and disruptive attacks such as DDoS and database leaks.

#StopRansomware: Akira Ransomware

The joint Cybersecurity Advisory (CSA) released by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) details the activities of the Akira ransomware threat actors. Since March 2023, these actors have targeted businesses and critical infrastructure entities across North America, Europe, and Australia, impacting over 250 organizations and accruing about $42 million in ransomware proceeds by early 2024. The Akira ransomware variant, initially focused on Windows systems, later introduced a Linux variant targeting VMware ESXi virtual machines. Early versions of Akira were written in C++, but a new variant named ‘Megazord’ using Rust-based code was introduced in August 2023. The actors are known to disable security software, utilize a double-extortion model, and threaten to publish exfiltrated data on the Tor network.

Suspected CoralRaider continues to expand victimology using three information stealers

A new campaign identified by Cisco Talos, believed to be operated by the threat actor CoralRaider, has been distributing three well-known infostealers (Cryptbot, LummaC2, and Rhadamanthys) since February 2024. The campaign uses a PowerShell command-line argument embedded in an LNK file to bypass antivirus products and deliver the malware to the victims’ systems. In addition, it achieves a User Account Control bypass using a living-off-the-land binary called FoDHelper.exe. The malware is hosted on a Content Delivery Network (CDN) cache domain that acts as a download server. This campaign impacts multiple countries and seems to be a widespread attack on various business verticals and geographies. The threat actor uses 9 C2 domains.

TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks

The threat actor known as TA558 is using steganography to deliver a wide range of malware such as Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm, among others. This obfuscation technique allows the group to hide the malicious code within image files, making it harder for security tools to detect. The group has been noted for its extensive use of this technique, sending VBScript files, PowerShell code and other forms of malware through this method.

Unplugging PlugX: Sinkholing the PlugX USB worm botnet

In September 2023, a command-and-control server linked to the PlugX worms was sinkholed. The worm, which had been previously documented by Sophos, continued to infect between 90,000 and 100,000 unique public IP addresses daily, despite its initial launch being almost four years prior. The worm was discovered to have disinfection capabilities for both the compromised workstation and the USB drive. The worm was traced back to a Chinese campaign targeting government-related users and a specific organisation in Japan, starting in 2008.

Hackers Use Weaponized PDF Files to Deliver Byakugan Malware

Fortinet discusses a cyber-attack campaign where hackers are using weaponized PDF files to deliver Byakugan malware, developed in NodeJS, onto Windows systems. The malicious PDF tricks victims into clicking a link that activates a downloader, resulting in the installation of the malware. The malware has several features including screen monitoring, keylogging, browser information stealing, and file manipulation among others.

Elevating the Stakes: The Enhanced Arsenal of the Fake E-Shop Campaign

The fake e-shop campaign, initially detected in 2021 and primarily targeting Malaysian banks, has significantly evolved to include banks in Vietnam and Myanmar. The threat actor finds victims through social media and sends them, via private messages, links to phishing websites used for online payments.

Analysis of the APT31 indictment

The article discusses the actions of APT31, also known as BRONZE VINEWOOD, Zirconium or Judgment Panda, a Chinese-speaking threat actor attributed to China’s Ministry of State Security. This actor has been active for 14 years, using malware such as RAWDOOR and, recently, cracked versions of Cobalt Strike to conduct cyber-espionage. The group has targeted entities in the U.S., Europe, and other regions across the globe, including high-profile entities like the U.S. government, the Finnish parliament, and Russian media and energy companies. APT31 has shown a two-band approach to hacking, targeting subsidiaries, MSPs, or even family members of its targets as a means of initial access. The actor is known for its speed in adapting to political events and quickly changing targets.

Agent Tesla Targeting United States and Australia: Revealing the Attackers’ Identities

Check Point Research discusses a series of cyberattacks orchestrated by the threat actors identified as ‘Bignosa’ and ‘Gods’, who were responsible for malware and phishing campaigns. Using the Agent Tesla malware, they targeted machines to steal sensitive information including keystrokes and login credentials. Primarily targeting organizations in the United States and Australia, the attacks were executed through phishing emails and spam campaigns. The investigations traced back their activities to Africa, specifically to a Kenyan man, Nosakhare Godson, and a Nigerian web designer, Kingsley Fredrick. Despite their attempts at obfuscation, the threat actors left digital footprints, which allowed the investigators to identify them and their methods of operation.

OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal

The article describes a cyber threat campaign originating from Ukraine involving a rare multi-module virus named OfflRouter. The virus, active since 2015, infects Word documents through malicious VBA code delivered via the .NET interop functionality. OfflRouter is suspected to be the work of an inexperienced developer, given the choice of infection mechanism and several mistakes in the code. The virus has primarily affected Ukrainian organizations and has remained active and undetected for a long period due to the author’s design choices.

GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining

Avast describes a malware campaign named GuptiMiner. The campaign involved the hijacking of an eScan antivirus update mechanism to distribute backdoors and coinminers. The campaign was reportedly linked to a threat actor that possibly had ties to Kimsuky, a notorious North Korean APT group. The malware primarily targeted large corporate networks and used a variety of techniques, including DNS requests to the attacker’s DNS servers, DLL sideloading, extracting payloads from innocent-looking images, and signing its payloads with a custom trusted root anchor certification authority. The malware campaign was resolved when Avast disclosed the vulnerability to eScan and India CERT.

New Fake E-Shopping Attack Hijacking Users’ Banking Credentials

A fraudulent e-shop campaign has been operating in Southeast Asia in which threat actors employ phishing websites to distribute a malicious Android application package (APK) that steals user credentials, takes screenshots, and exploits accessibility services on the victim’s device. The campaign, initially active in Malaysia, expanded to Vietnam and Myanmar, targeting the login credentials of several banks through social engineering and phishing attacks. The malware has evolved, incorporating features like screen sharing and exploiting accessibility services for enhanced data theft. The attackers have also started using phishing emails for initial access and control servers for managing operations.

Meet the New Flexible Kapeka Backdoor With Destructive Attacking Capabilities

A new backdoor named “Kapeka” surfaced in mid-2022, primarily targeting victims in Eastern Europe. Kapeka is utilized as an initial-stage toolkit by the threat actors known as Sandworm, who are tied to the Russian state hackers operating under the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). The backdoor overlaps with GreyEnergy and Prestige Ransomware attacks and is known to extract and relay system information back to the threat actors, while also allowing tasks to be passed back to the compromised machine. It has been speculated that Kapeka was used during the deployment of Prestige Ransomware in late 2022. The backdoor is also a successor to GreyEnergy and can be dropped onto a system and given persistence via a dropper.

RUBYCARP: A Detailed Analysis of a Sophisticated Decade-Old Botnet Group

The Sysdig Threat Research Team discovered a botnet operated by a Romanian threat actor group dubbed RUBYCARP. This group has been active for at least 10 years and employs public exploits and brute force attacks to deploy its botnet. It uses its botnet for financial gain through cryptomining and phishing. It targets vulnerable Laravel applications and WordPress sites to gain access and then installs a backdoor. RUBYCARP also runs phishing operations to steal financially valuable assets, such as credit card numbers.

It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise

Unit42 discusses a growing trend of malware-initiated scanning attacks by threat actors. These actors use malware to infect hosts and leverage their resources for high-volume scanning of potential targets, effectively covering their tracks and bypassing geofencing. They also aim at expanding botnets. The scanning activities mainly focus on identifying vulnerabilities in networks or systems, and they particularly target routers, web application development/testing frameworks, and collaboration tools.

From IcedID to Dagon Locker Ransomware in 29 Days

In August 2023, a phishing campaign was launched using PrometheusTDS to distribute the IcedID malware. This led to the deployment of a Cobalt Strike beacon, which was then used for intrusion. The threat actor employed a custom PowerShell tool called AWScollector to carry out malicious activities, including data discovery, lateral movement, data exfiltration, and ransomware deployment. The report also notes that Cobalt Strike beacons were distributed via Group Policy to a specific privileged user group. The entire operation took 29 days from intrusion to ransomware deployment.

The New Version of JsOutProx is Attacking Financial Institutions in APAC and MENA via Gitlab Abuse

The threat actor SOLAR SPIDER is using a new version of the JSOutProx malware to target financial services and organizations in the APAC and MENA regions. The malware uses a combination of JavaScript and .NET, with the .NET (de)serialization feature interacting with a core JavaScript module on the victim’s machine, enabling various malicious activities. The campaign uses impersonation attacks and misleading notifications to execute the malicious code. The spike in activity was identified in February 2024, but the malware was first identified in 2019. Recently, the malware has shifted from using GitHub to GitLab for hosting its malicious payloads.

Hackers Targeting Human Rights Activists in Morocco and Western Sahara

In Morocco and the Western Sahara region, a new threat actor named ‘Starry Addax’ is targeting human rights activists. The attackers use phishing attacks to trick victims into installing malicious Android apps and serve credential harvesting pages for Windows users. The goal of these attacks is to gain unauthorized access to sensitive information.

Exploring MadMxShell’s Infrastructure: Rapid Pivoting for Actionable Insights – Securite360

Securite360 described an unidentified threat actor utilizing Google malvertising to target IT professionals. This is executed through a new backdoor named ‘MadMxShell’. The attackers register domains that mimic well-known IP scanners to trick victims into downloading a zip archive, which contains a malicious DLL that is sideloaded via a legitimate executable. The attackers utilize DNS requests and encrypted shellcode to communicate with the final payload’s Command and Control (C2) server, and multiple stages of DLL sideloading to avoid detection. The attackers also use legitimate Content Delivery Network (CDN) servers and typosquatted domains to hide their infrastructure.

Cyber Espionage: Turla APT Attacks European Organization With Backdoor

The article describes a failed cyber espionage attempt by the Russia-based Turla Advanced Persistent Threat (APT) group, aimed at infiltrating an Albanian organization. This incident is part of a larger campaign targeting European countries, including Poland. The Turla APT group is known for its sophisticated cyber espionage operations, often aimed at organizations with links to government sectors across Baltic and Eastern European countries. The failed attempt involved a file uploaded to the VirusTotal web interface, which contained a list of IP addresses, including one associated with the “TinyTurla-NG” (TTNG) backdoor.

ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins

The threat actor, identified by FortiGuard Labs as the 8220 Gang, targets Microsoft Windows users through a sophisticated phishing campaign. The attack begins with a phishing email containing malicious SVG files that, when clicked, download a ZIP file containing malware obfuscated with the BatCloak tool. ScrubCrypt is then used to load the final payload, VenomRAT, which communicates with a command-and-control server to install various plugins on the victims’ systems. These plugins include VenomRAT version 6, Remcos, XWorm, NanoCore, and a stealer specifically designed for crypto wallets. The actor also employs evasion techniques, such as ScrubCrypt and BatCloak, to avoid detection by antivirus products.

Botnets Continue Exploiting CVE-2023-1389 for Wide-Scale Spread

The threat campaign involves exploiting a command injection vulnerability, CVE-2023-1389, in the web management interface of the TP-Link Archer AX21 (AX1800). Multiple attacks have been observed, primarily from botnets such as Moobot, Miori, AGoent, and a Gafgyt variant. The attackers utilize these botnets to gain remote control over the vulnerable systems. The botnets fetch script files from different IP addresses to download ELF files for further infection and establish a connection with the command-and-control server. Some botnets, such as Gafgyt and Moobot, also initiate DDoS attacks.

Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400

The article describes a cyber security threat named Operation MidnightEclipse, which exploits a critical command injection vulnerability, CVE-2024-3400, in Palo Alto Networks PAN-OS software. The threat actor uses this vulnerability to execute arbitrary code with root privileges on the firewall. The attack affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewall configurations with a GlobalProtect gateway and device telemetry enabled. The attacker deploys a cronjob to execute commands hosted on an external server and then deploys a second Python-based backdoor, referred to as UPSTYLE.

“Totally Unexpected” Package Malware Using Modified Notepad++ Plug-in (WikiLoader)

AhnLab Security Intelligence Center (ASEC) discovered a malicious campaign involving the distribution of a modified version of the default Notepad++ plug-in, mimeTools.dll. The threat actor embedded encoded malicious shellcode in the DLL file and exploited the fact that mimeTools.dll is loaded automatically when Notepad++ is launched. The malware activates as soon as the user launches Notepad++, decrypts the shellcode, and executes it, eventually leading to the downloading and execution of additional shellcode from a C2 server. This malware strain also uses multiple indirect syscall techniques to evade anti-malware products.

Threat Actors Deliver Malware via YouTube Video Game Cracks

Proofpoint discovered several YouTube channels distributing malware disguised as pirated video games and related content. The channels target consumer users, especially children, who lack enterprise-grade security on their home computers. The videos instruct users on downloading software or upgrading video games for free, but the links provided in the video descriptions lead to malware, including the Vidar, StealC, and Lumma stealers. The threat actors use compromised accounts, often with large subscriber bases, to distribute the malware. In addition to YouTube, the threat actors also use Discord servers to distribute malware.

Securonix Threat Research Security Advisory: Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover

The Securonix Threat Research team reported an attack campaign that used SSLoad malware, Cobalt Strike implants, and ScreenConnect RMM software to infiltrate systems and take over network domains. The attack began with a phishing email and a JavaScript file that deployed the malware. The attackers then installed RMM software, moved laterally across the system, and ultimately created their own domain admin account. This allowed them to gain full control of the system and perform various malicious activities.

North Korea’s Lazarus Group Deploys New Kaolin RAT via Fake Job Lures

The Lazarus Group, linked to North Korea, launched a sophisticated cyberattack using job offer lures to deliver a remote access trojan (RAT) called Kaolin. The attack chain involved multiple stages, utilizing malware to change the timestamp of specific files and load DLL binaries from a command-and-control server. The delivered RAT facilitated a rootkit known as FudModule, which leveraged an exploit in the appid.sys driver to disable security mechanisms. The campaign, known as Operation Dream Job, involved the use of social media and instant messaging platforms. It also used shellcode from a hacked website to launch a DLL-based loader named RollFling, which initiated the next-stage malware, RollSling.

Smoke and (screen) mirrors: A strange signed backdoor

Sophos X-Ops identified a malicious backdoor disguised as a legitimate executable signed by a valid Microsoft Hardware Publisher Certificate. The suspicious file was previously bundled with a setup file for a product named LaiXi Android Screen Mirroring. The backdoor embeds a tiny freeware proxy server called 3proxy, likely intended to monitor and intercept network traffic on infected systems. A unique feature of this campaign is the abuse of the Microsoft Windows Hardware Compatibility Program (WHCP) by the threat actor to obtain valid certificates.

AGENT TESLA Malware Steals Login Credentials From Chrome and Firefox

The threat actors identified as ‘Bignosa’ and ‘Gods’ launched a malware campaign targeting organizations in the United States and Australia. The campaign involved phishing emails with fake purchase orders that tricked victims into clicking malicious links. These links led to the download and execution of an obfuscated Agent Tesla sample, protected by Cassandra Protector, which stole keystrokes and login credentials. The actors used a large email database and multiple servers for Remote Desktop Protocol (RDP) connections and malware campaigns. The campaign involved a multi-step preparation phase before the malicious spam was distributed.

Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)

A threat actor, referred to as UTA0218, exploited a zero-day vulnerability (CVE-2024-3400) in the GlobalProtect feature of Palo Alto Networks PAN-OS, allowing for unauthenticated remote code execution. The actor exploited the vulnerability to create a reverse shell, download tools, exfiltrate configuration data, and move laterally within networks. They also developed and attempted to deploy a Python-based backdoor named UPSTYLE.

The article describes a backdoor vulnerability named CVE-2024-3094 in the XZ Utils software, commonly used for lossless data compression in Linux and macOS systems. The nefarious actor exploited this vulnerability to compromise SSHD authentication and potentially gain unauthorized system access. The backdoor was concealed by the developer during the RPM or DEB packaging process for x86-64 architecture, and the compromised binary was distributed within the package. The backdoor gets triggered by remote, unprivileged systems connecting to public SSH ports, leading to performance issues and potential unauthorized access. Several Linux distributions, including Debian, Fedora, and Kali Linux, among others, were affected.

Open RAN: Attacks against mobile operators from the outside in practice

The article describes the potential security risks associated with Open RAN in the telecommunication industry. It explores how the vulnerabilities in Open RAN’s architecture could potentially be exploited by threat actors to compromise the security of mobile telecommunications networks. The analysis identifies various potential attack vectors and practical attack strategies against current Open RAN implementations, using the state-of-the-art open-source O-RAN stack as a case study.

Analysis of Native Process CLR Hosting Used by AgentTesla

The SonicWall Capture Labs threat research team has observed a fileless .NET managed code injection into a native 64-bit process. The initial infection vector is a Word document received as an email attachment that prompts the user to enable a VBA macro. When enabled, the macro downloads and executes a 64-bit Rust executable from the internet, which injects the malicious AgentTesla payload into its own process memory. The malware then proceeds to disable Event Tracing for Windows (ETW), download encoded shellcode, and execute it. It also employs memory patching to bypass AMSI and disable event tracing a second time. The chain finishes with the shellcode hosting the CLR and executing managed code from native code.

XZ Utils Backdoor | Threat Actor Planned To Inject Further Vulnerabilities

An unidentified threat actor launched a supply chain attack that compromised the xz compression libraries used by Linux distributions. The actor used a backdoor to specifically target Debian and Fedora distributions, and the operation was spread over two years. The backdoor was introduced in two iterations of the compromise (version 5.6.0 and 5.6.1), with the second iteration adding the ability to execute additional shell scripts, indicating plans for further backdoors. The actor also attempted to gain maintainership of the xz project through deceptive emails. The operation demonstrated the risk of supply chain attacks in Open-Source Software (OSS) projects and exploited gaps in the reputation process and the absence of audits on released tarballs.

Black Hat SEO Leveraged to Distribute Malware

Threat actors create a fake website on web hosting services undetected by the hosting service itself. They employ evasion techniques to avoid detection, such as verifying the referral URL and redirecting users accordingly. Through a sequence of actions involving obfuscated scripts, redirection, and payload delivery, they trick users into downloading malware instead of desired files. The payload file initiates a series of obfuscation, deobfuscation, and malicious activities, including the installation of a malicious DLL and execution of encoded commands. The campaign also involves dropping a malicious browser extension into a user’s directory.

DarkBeatC2: The Latest MuddyWater Attack Framework

DeepInstinct describes an ongoing cyber campaign by Iranian threat actors, particularly MuddyWater, against Israeli organizations. The threat actors are observed to be leveraging information from previous breaches to conduct supply-chain attacks. They are also using a previously unreported C2 framework, dubbed “DarkBeatC2.” The article provides a deep-dive analysis of the attacks, detailing the techniques, tools, and procedures used by the actors. The attacks have increased significantly since the start of the “Swords of Iron War”, and reporting on them has been limited mainly to mainstream news coverage with little technical detail.

Unraveling Cyber Threats: Insights from Code Analysis

The threat actor, identified as theaos, launched a high-severity cyber-attack leveraging a malicious PyPI package named discordpy_bypass-1.7, published on March 10, 2024. The package was designed to covertly extract sensitive information from victims’ systems using persistence techniques, browser data extraction, and token harvesting. It targets all platforms where PyPI packages can be installed. The attack procedures include obfuscation techniques, evasion techniques aimed at analysis environments, and multiple checks to detect debugging or analysis environments. The vulnerabilities exploited are not specifically mentioned in the text.

Earth Hundun’s Hackers Employ Waterbear And Deuterbear Tools

The article outlines a cyberattack campaign initiated by the Earth Hundun (BlackTech) cyberespionage group. The group has been using the Waterbear virus family, known for its anti-analysis abilities, to conduct advanced cyberattacks. A new variant, Deuterbear, has been developed with enhanced evasion strategies. The group has been targeting networks in the Asia Pacific region, with the malware versions coexisting within the infected systems. These attacks are highly sophisticated, with multiple network layers involved, demonstrating a deep understanding of the target networks.

From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering

The North Korea-aligned threat group TA427, also known as Emerald Sleet, APT43, THALLIUM or Kimsuky, has been engaging in long-term exchanges of strategic information through benign conversation-starter campaigns. The group uses tactics such as DMARC abuse, typosquatting, private email account spoofing, and web beacons to establish contact and legitimacy, mainly targeting US and South Korean foreign policy experts. The group has been particularly active since 2023, focusing on soliciting opinions on nuclear disarmament, US-ROK policies, and sanctions topics. The group is known for its social engineering expertise and has impersonated various think tanks, non-governmental organizations, media, academia, and government personnel in its campaigns.

Malware campaign attempts abuse of defender binaries

A ransomware campaign has been observed in which legitimate executables and DLLs from Sophos, AVG, BitDefender, Emsisoft, and Microsoft are being modified by threat actors to carry their malicious payloads. The attackers overwrite the entry-point code and insert the decrypted payload as a resource, impersonating the legitimate files to sneak onto systems. The affected files were part of the 2022.4.3 version of the Windows Endpoint product. The payloads seen in the investigation vary and include Cobalt Strike, Brute Ratel, Qakbot, and Latrodectus, among others. The campaign appears to be associated with more than one criminal group. The purpose of this impersonation is to confuse analysts and avoid detection.

Hackers Hijacked Notepad++ Plugin To Inject Malicious Code

Hackers manipulated a widely used plugin, ‘mimeTools.dll’, for the text and source code editor Notepad++. The original functionalities of the plugin were not affected, but the DllEntryPoint code was modified. This allowed the hacker to inject malicious code which was activated as soon as the plugin was loaded, unbeknownst to the user. The attack was initiated when Notepad++ was launched, automatically loading the compromised plugin. A file within the plugin package named ‘certificate.pem’ contained the malicious shell code, which was decrypted and executed to carry out the attack.

ArcaneDoor – New espionage-focused campaign found targeting perimeter network devices

The ArcaneDoor campaign is a state-sponsored cyber-attack targeting perimeter network devices from multiple vendors, primarily in the telecommunications and energy sectors. The actor, identified as UAT4356 by Talos and STORM-1849 by Microsoft Threat Intelligence Center, utilizes bespoke tools for espionage and demonstrates an in-depth knowledge of the devices they target. The actor deploys two backdoors, Line Runner and Line Dancer, for malicious actions including configuration modification, reconnaissance, and network traffic capture/exfiltration. Cisco’s investigation identified two vulnerabilities (CVE-2024-20353 and CVE-2024-20359) exploited in the campaign.

Rhadamanthys Malware Disguised as Groupware Installer (Detected by MDS) – ASEC BLOG

The Rhadamanthys malware is being distributed under the guise of an installer for groupware. The threat actor created a fake website that resembles the original and used search engine ads to direct users to it. The malware employs an indirect syscall technique to evade detection by anti-malware and analysis programs and injects itself into normal Windows system programs and other specific programs located in the ‘Windows Media Player’ path. The malware ultimately acts as an infostealer, exfiltrating user information from the infected PC.

Redline Stealer: A Novel Approach

A new packed variant of the Redline Stealer trojan, known for utilizing Lua bytecode to perform malicious activities, was discovered. The campaign abuses GitHub to host the malware file and uses Microsoft’s official account in the vcpkg repository. The regions affected include North America, South America, Europe, and Asia, extending to Australia. The malware encourages the spread of the infection by urging users to install it on a friend’s computer during installation. Multiple techniques were used for persistence and the malware communicates with its C2 server over HTTP.

MuddyWater campaign abusing Atera Agents

The Iranian state-sponsored threat actor MuddyWater has been actively using a legitimate remote monitoring and management (RMM) tool called Atera Agent in a cyber campaign since October 2023. The actor has been testing and leveraging different RMM tools since 2021, with Atera Agent being the most recent. The campaign involves spearphishing emails and the misuse of Atera’s free trial offers. The number of Atera Agent installation packages linked to MuddyWater has increased significantly from October 2023 through April 2024.

Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials

The Russia-based threat actor Forest Blizzard (STRONTIUM) has been using a custom tool named GooseEgg to steal credentials and elevate privileges in compromised networks. The actor exploits the CVE-2022-38028 vulnerability in the Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. The targets include Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations. Forest Blizzard uses GooseEgg as part of its post-compromise activities, which allows the threat actor to support objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks.

At Keysight, enhancing the security posture of our customers is our utmost priority. Threat Simulator proactively replicates cyber threats, enabling you to swiftly discover, address, and validate security vulnerabilities before they escalate into serious issues.

Leveraging over two decades of expertise in network and security, our global Application and Threat Intelligence (ATI) Research Center stays updated with the newest threats. This allows us to develop simulations of these threats within hours of their detection.

Our Threat Campaigns are carefully crafted to replicate real-world scenarios, allowing you to test your controls manually or automatically. By doing so, you can ensure that your security posture is armed with identifiable Indicators of Compromise (IOC). Our Threat Campaigns are now enriched with behavioral audits, based on the analysis of the malicious files associated with a specific threat.

Stay ahead of the curve in the ever-changing world of cybersecurity with Keysight.

Visit our website for more information.
