In today’s ever-evolving cyber security landscape, merely being aware of the new threats is no longer sufficient to safeguard your most valuable assets: your people, data, and reputation. Our Application and Threat Intelligence team has created new simulations of the latest threats and built them into Threat Simulator, our industry-leading breach and attack simulation (BAS) product.
In November alone, we added over 70 new Threat Campaigns, providing automated simulations for everything from CVE-2023-4966 (Citrix Bleed), the vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway appliances covered in a CISA (Department of Homeland Security) Malware Analysis Report, to Rhysida Ransomware and Scattered Spider, the latter known for its attacks on MGM Resorts and Caesars Entertainment. The FBI and CISA have recently released joint cybersecurity advisories on both Rhysida Ransomware and Scattered Spider.
These simulations are carefully crafted to replicate real-world scenarios, allowing you to test your controls manually or automatically and to verify that your security posture holds up, with the associated Indicators of Compromise (IOCs) available for detection engineering. Our solution also lets you filter and prioritize threats based on your region and industry, so that you focus on the threats that matter most to your organization.
We have also created new Kill Chain Assessments for Royal Ransom and new Audits for Safe Mode Boot, Command and Scripting Interpreter, as well as Exfiltration Over Web Service – Exfiltration to Cloud Storage.
For more details on the latest threats and simulations we have covered this month, please read on.
New Threat Campaigns
Figure 1: Some of the latest Threat Campaigns in the UI
Elastic catches DPRK passing out KANDYKORN — Elastic Security Labs
Elastic Security Labs published a report on DPRK's Lazarus Group targeting blockchain engineers through a public Discord server. The attackers used a Python application posing as a cryptocurrency arbitrage bot, delivered via direct message, to gain initial access to the victims' environment. The intrusion involved multiple stages employing defense evasion techniques and deploying new or known malware, including SUGARLOADER, HLOADER and KANDYKORN. The final stage, KANDYKORN, is a backdoor that gives the C2 operators file upload, download and tampering capabilities on the victim system.
A Deep Dive into Brute Ratel C4 payloads – CYBER GEEKS
The article provides a technical analysis of Brute Ratel C4, a commercial adversary-simulation framework comparable to Cobalt Strike that is also abused by threat actors. The payload resolves Windows APIs through an API hashing technique and can execute 63 different commands issued by the C2 server. Data transmitted to the C2 server is encrypted with a specific key, and a password is used for authentication. The tool is versatile, capable of file manipulation, process spoofing, data exfiltration, and more.
Uncovering The New Java-Based SAW RAT’s Infiltration Strategy via LNK files
Cyble discovered a new Java-based Remote Access Trojan (RAT) named Saw RAT. The RAT is delivered in a ZIP archive containing a .lnk file that launches a JavaScript file, which in turn leads to execution of the RAT. Saw RAT establishes a connection with a remote server from which it receives commands, and can collect system information, transfer files, list directories and execute arbitrary commands. The source of the ZIP archive and the targeted victims remain unknown.
GoTitan Botnet – Ongoing Exploitation on Apache ActiveMQ
A critical vulnerability (CVE-2023-46604) in Apache ActiveMQ is being actively exploited by threat actors to distribute various strains of malware. Affected systems are those running Apache ActiveMQ versions prior to 5.15.16, 5.16.7, 5.17.6, and 5.18.3. The attackers connect to the ActiveMQ OpenWire port, send a crafted packet that triggers unmarshaling of a class of their choosing (in public exploits, Spring's ClassPathXmlApplicationContext), and thereby load a malicious XML application configuration file over HTTP from a server they control. Multiple malware strains, including a newly discovered botnet named GoTitan, PrCtrl Rat, Sliver, Kinsing, and Ddostf, have been identified.
The Continued Evolution of the DarkGate Malware-as-a-Service
Trellix presented a report on an emerging malware family named DarkGate, developed and sold as Malware-as-a-Service (MaaS) by an actor known as RastaFarEye. Initially discovered in 2018, DarkGate has been continuously developed to evade security products. It is a Remote Access Trojan (RAT) that enables attackers to compromise victim systems and has been used against companies worldwide. The malware is primarily delivered through phishing emails and collaboration applications such as Microsoft Teams.
WailingCrab Malware Abuse Messaging Protocol for C2 Communications
The article details WailingCrab, also referred to as WikiLoader, a sophisticated malware whose C2 communication techniques have evolved to include abuse of the MQTT IoT messaging protocol. The malware is distributed by an initial access broker tracked as Hive0133 and has predominantly been used in email campaigns targeting Italian entities. The campaigns often use themes such as overdue deliveries or shipping invoices and have recently favored PDF attachments carrying malicious URLs. Since mid-2023 the backdoor component of WailingCrab has communicated with its C2 over MQTT, a move designed to blend in with legitimate traffic and avoid detection.
Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker
The article discusses the evolution of SysJoker, a multi-platform backdoor used in targeted attacks by a Hamas-related threat actor. The malware, originally discovered in 2021, has undergone significant changes including a shift to Rust language and the use of OneDrive instead of Google Drive for storing command and control server URLs. Most notably, the threat actor has targeted Israeli organizations, revealing ties to previous attacks known as Operation Electric Powder. This evolution of SysJoker indicates a significant level of sophistication and suggests potential for further development and attacks.
IPStorm Takedown: Russian Mastermind Pleads Guilty
The article describes a cybercrime operation orchestrated by Sergei Makinin, a Russian and Moldovan national, involving the IPStorm botnet. The botnet, developed and deployed by Makinin, infected thousands of Windows, Linux, Android, and Mac devices, turning them into proxies for a for-profit scheme. The malware was distributed through a legitimate peer-to-peer network called InterPlanetary File System (IPFS), enabling threat actors to conceal their malicious activities.
FBI Warns: Scattered Spider Forms Alliance with Black Cat Ransomware
The cybercriminal group Scattered Spider, also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra, has updated its tactics to incorporate BlackCat/ALPHV ransomware. The group, known for its attacks on MGM Resorts and Caesars Entertainment, relies on social engineering for data theft and now also deploys ransomware to encrypt VMware ESXi servers. After encryption, they communicate with victims through TOR, Tox, email, or encrypted messaging applications. The group uses phishing, push bombing (MFA fatigue), and SIM swapping to obtain credentials, bypass MFA, and install remote access tools. They also use legitimate remote management and tunneling tools such as Fleetdeck[.]io, ngrok, and Pulseway for access, and rely on living-off-the-land techniques to avoid detection.
CyberheistNews Vol 13 #48 Bloomberg Crypto Channel Hack Exposes Discord Users to Phishing Attacks
The article reports on a phishing attack targeting Discord users, launched from a compromised Bloomberg Crypto account on X (formerly Twitter). The attackers posted a link to a phishing site posing as a Bloomberg Discord server, using a typosquatted domain resembling the legitimate one to trick users into entering their Discord credentials. Users were pressured with a 30-minute deadline to complete a "verification" process on the phishing site.
New Persian Remote World Selling a Suite of Malicious Tools
Cyble’s report outlines a threat from a website called Persian Remote World, which sells a variety of malicious tools including Remote Access Trojans (RATs), loaders, and crypters. The RAT offered by the site can perform a wide range of operations such as privilege escalation, defense evasion, firewall manipulation, keylogging, and credential theft. In addition, the RAT can perform ransomware functionalities.
Diamond Sleet supply chain compromise distributes a modified CyberLink installer
Microsoft security researchers discovered that the North Korean threat actor Diamond Sleet executed a supply chain attack by trojanizing a CyberLink application installer to include malicious code. The malware, named LambLoad, decrypts and loads a second-stage payload. The trojanized installer is signed with a valid CyberLink certificate, and the loader checks the current time window and looks for security products before executing, to evade detection.
Unveiling Parallax RAT: A Journey from Infection to Lateral Movement
eSentire threat hunters discovered how a user searching for a Fortinet VPN client was infected with Parallax RAT through a drive-by download. This RAT was then used to deploy PsExec for lateral movement to the Domain Controller. Once there, the threat actor dropped and executed NetSupport RAT, achieving persistence on the host by placing itself in the Startup folder. The threat actor also used evasion techniques, including anti-disassembly measures and RC4 encryption. Although the developers of Parallax RAT shut down the project, the cracked version of the tool is available in the wild.
Unmasking NJRAT: A Deep Dive into a Notorious Remote Access Trojan Part 2
Infosec Write-ups presented the notorious Remote Access Trojan (RAT) NjRAT and its capabilities. The malware can download files, handle zipped data streams, add extra plugins, capture the screen, and update itself with new code. It also acts as a keylogger, storing keystrokes together with process names and dates. The malware can detect specific running processes and terminate itself to avoid detection. It can also mark its own process as critical by setting ProcessBreakOnTermination to 1, so that killing the malware process triggers a system crash (blue screen).
Unfolding Remcos RAT- 4.9.2 Pro
Infosec Write-ups published a very detailed article on the inner workings of Remcos RAT 4.9.2 Pro, a commercially available tool frequently abused by attackers. The RAT establishes a backdoor to enable comprehensive remote control over the compromised system. It can also record keystrokes, intercept clipboard data, gain persistence and tamper with Microsoft Defender configurations. Remcos has a modular architecture and is mainly developed in C#, with some components in C++.
Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604)
AhnLab discovered that the Andariel threat group is exploiting the Apache ActiveMQ remote code execution vulnerability (CVE-2023-46604) to install malware, predominantly on South Korean entities. The group uses spear phishing, watering hole, and supply chain attacks, and also exploits other vulnerabilities such as Log4Shell. Recently, it has been observed installing the NukeSped and TigerRat backdoors or Cobalt Strike after loading a malicious Java class into the Apache ActiveMQ process. NukeSped is a backdoor that can exfiltrate files from the infected system, execute commands and terminate processes.
Unmasking AsyncRAT New Infection Chain
McAfee analysed an AsyncRAT infection, a stealthy RAT used to steal sensitive information from compromised systems. The chain starts with a malicious URL in a spam email that downloads an HTML file, which in turn delivers an ISO image. The contents of the ISO reach out to external URLs to fetch a PowerShell script and run a series of non-PE (script) stages. Ultimately, a hexadecimal-encoded PE file is injected into the legitimate process RegSvcs.exe, which then connects to the AsyncRAT server. The malware records user activity and steals credentials, browser data, and cryptocurrency-related information, exfiltrating them over TCP to an IP address and port.
Popping Blisters for research: An overview of past payloads and exploring recent developments
The article discusses the evolution of the Blister malware, a payload loader that has been observed to shift from dropping Cobalt Strike beacons to deploying Mythic agents. Blister is primarily used in targeted attacks, with most samples featuring environmental keying. In addition to the change in payloads, Blister’s developers have also started obfuscating the initial stage of the malware, making it more evasive. While the threat actor behind Blister is not explicitly mentioned, past activity linked to the malware has been associated with Evil Corp. The article does not specify the industries or regions affected by the Blister campaign.
MAR-10478915-1.v1 Citrix Bleed
The Malware Analysis Report from CISA, part of the Department of Homeland Security (DHS), covers the tooling used in the exploitation of CVE-2023-4966 (Citrix Bleed), affecting Citrix NetScaler ADC and NetScaler Gateway appliances. The samples include a Windows batch file (.bat), an executable (.exe), a dynamic link library (.dll), and a Python script (.py). They are used to save registry hives (for offline credential extraction), dump the Local Security Authority Subsystem Service (LSASS) process memory to disk, and attempt to establish remote sessions via Windows Remote Management (WinRM).
Scattered Spider Attack Analysis
The article presents an analysis of a cybercrime incident attributed to the group ‘Scattered Spider’. The group initiated the attack with social engineering techniques, gaining access to the cloud environment of a customer. They exploited credentials and moved laterally within the network, using both cloud and on-premises environments. The group demonstrated a deep understanding of these environments and exploited gaps in security policies and procedures.
US, Australian security agencies warn of LockBit 3.0 ransomware exploiting Citrix Bleed vulnerability
The U.S. and Australian security agencies issued a joint advisory on the exploitation of Citrix Bleed (CVE-2023-4966) by LockBit 3.0 ransomware affiliates. The threat actors leveraged this vulnerability in Citrix NetScaler ADC and Gateway appliances to hijack legitimate authenticated user sessions, bypassing multi-factor authentication. The aerospace company Boeing and its distribution business, Boeing Distribution Inc., were among the victims. The LockBit ransomware gang threatened and later leaked over 43 GB of files from Boeing after the company refused to pay a ransom. The agencies expect widespread exploitation of the Citrix Bleed vulnerability in unpatched appliances across private and public networks.
CVE-2023-46604 (Apache ActiveMQ) Exploited to Infect Systems With Cryptominers and Rootkits
The article describes a campaign in which threat actors exploit the Apache ActiveMQ vulnerability CVE-2023-46604 to infect Linux systems with Kinsing malware (also known as h2miner) and a cryptocurrency miner. Kinsing primarily targets Linux-based systems, exploiting vulnerabilities in web applications or misconfigured container environments to gain entry and spread across a network. Once a system is infected, a cryptocurrency mining payload is deployed, consuming the host's resources and degrading performance. Affected entities are users of the vulnerable versions of Apache ActiveMQ.
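The three items above (GoTitan, Andariel and Kinsing) all hinge on the same question for a defender: is a given ActiveMQ install inside the affected range? The following helper is an added example, not code from any of those reports. The first fixed release per branch comes from the advisory text (5.15.16, 5.16.7, 5.17.6, 5.18.3); treating branches newer than 5.18 as fixed is an assumption, and the inventory is constructed sample data.

```python
"""Triage ActiveMQ versions against CVE-2023-46604 (added example).

The first fixed release of each maintained branch comes from the
advisories summarised on this page: 5.15.16, 5.16.7, 5.17.6, 5.18.3.
"""
import re

# First fixed release per branch. Branches older than 5.15 received no fix.
FIRST_FIXED = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
OLDEST_FIXED_BRANCH = (5, 15)


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '5.18.2' or
    'ActiveMQ 5.17.1-SNAPSHOT'. Raises ValueError if none is present."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(text):
    """True if the version is in an affected range for CVE-2023-46604."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIRST_FIXED:
        return (major, minor, patch) < FIRST_FIXED[branch]
    if branch < OLDEST_FIXED_BRANCH:
        return True  # no fixed release exists on these branches
    # Assumption: branches newer than 5.18 were cut after the fix landed.
    return False


def hosts_needing_patch(inventory):
    """inventory: {hostname: version string}. Returns sorted vulnerable hosts."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = {
    "mq-prod-01": "ActiveMQ 5.18.2",
    "mq-prod-02": "5.18.3",
    "mq-legacy": "5.14.5",
    "mq-staging": "5.17.6",
    "mq-dev": "5.16.6-SNAPSHOT",
}

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2023-46604")
```

The version check is necessary but not sufficient: the same fix versions apply to the Legacy OpenWire module shipped alongside the broker, and an OpenWire port (61616 by default) reachable from the Internet is worth closing regardless of version, since every campaign above begins with an unauthenticated connection to it.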
Attack Signals Possible Return of Genesis Market, Abuses Node.js, and EV Code Signing
Trend Micro discovered that threat actors were installing an old but legitimate Node.js module on a target system, followed by the Lu0Bot malware, which runs on Node.js and receives commands from a C&C server through a backdoor. Secondary payloads masquerading as Service Host (svchost) were observed but were not linked to the Node.js abuse. The threat actor also signed malicious files with EV code signing certificates for defense evasion, making them appear legitimate. The exact initial access method is unknown; evidence points to Zoom or compromised Google Colab instances, the latter making an effective lure when combined with search engine optimization tricks such as keyword stuffing and unusual fonts.
The Platform Matters: A Comparative Study on Linux and Windows Ransomware Attacks
The article presents a detailed study by Check Point Research of recent ransomware attacks targeting Linux and ESXi systems, which have increased significantly in the past few years. The research examines the motivations for developing ransomware that targets Linux rather than Windows, historically the primary target. The Linux-targeting families studied rely heavily on the OpenSSL library, combining ChaCha20 or AES for file encryption with RSA for key protection. Most of these attacks focus on organizations and companies rather than home users, with a particular interest in ESXi virtualization systems.
Rhysida Ransomware Attacking Windows Machine Through VPN Devices and RDP
The Rhysida ransomware group, operational since May 2023, attacks Windows machines through exposed VPN devices and RDP. The group predominantly targets the education and manufacturing sectors, with a consistent attack pattern enabled by similar network setups and limited security in schools. It is globally active but shows a particular concentration in the USA, France, Germany, the UK, and Italy. The attackers use a variety of tools and techniques for credential access, including dumping process memory with tools such as taskmgr.exe, svchost.exe, and ProcDump. The ransomware is deployed on systems via RDP sessions, with "fury.exe" used to encrypt user files across multiple systems.
Atomic Stealer distributed to Mac users via fake browser updates
The article describes the distribution of the Atomic Stealer, also known as AMOS, to macOS users through fake browser updates in a campaign called "ClearFake". AMOS was formerly distributed through malicious ads, so this marks an expansion of the threat actors' operations in both geography and target operating system. The malware harvests credentials and files that can be monetized or used for further attacks. ClearFake, which uses compromised websites to serve the fake browser updates, has evolved since its discovery in August, including the use of blockchain smart contracts for its redirect mechanism.
eSentire Threat Intelligence Malware Analysis: SolarMarker: To Jupyter and Back
The eSentire Threat Response Unit (TRU) has monitored the SolarMarker threat actor(s), also known as Jupyter, since 2021. The actor(s) write their information-stealing payloads in .NET and deliver them primarily through compromised WordPress websites. Since 2022 the campaigns have targeted multiple industries, including healthcare, power and utilities, transportation, legal, software, and finance. The actor(s) have modified their techniques over time, for example changing the encryption used in the second-stage PowerShell decryption script and building their own websites to host landing pages.
XWorm Malware: Exploring C&C Communication
ANY.RUN published a detailed analysis of the XWorm malware, a Remote Access Trojan (RAT) with a plugin architecture that targets Windows systems. The malware initiates a connection to a remote server and transmits encrypted data; analysis of the decrypted communication shows it includes a user identifier, operating system details, CPU and GPU information, and installed antivirus software. The XWorm server can push a variety of plugins to the client, including an info-stealer plugin capable of capturing credit card information, harvesting cookies, and accessing browser data and history, among others. The malware has been active for some time, as ANY.RUN's weekly upload statistics show.
Distribution of Malicious LNK File Disguised as Producing Corporate Promotional Materials
AhnLab Security Emergency response Center (ASEC) identified a malicious LNK file being circulated among personnel of financial and blockchain corporations via email and other methods. The threat actors alternate between uploading malicious and legitimate files, causing confusion. The LNK file, disguised as a .docx file, contains obfuscated PowerShell commands that download and execute additional files, some of which collect system information. The campaign also involves the use of BAT scripts, with one particular file designed to encrypt and send strings to a changing URL to avoid detection. The ultimate objective of the threat actor seems to be the execution of a file that could potentially download a variety of malware files.
Social engineering attacks lure Indian users to install Android banking trojans
Microsoft has observed ongoing mobile banking trojan campaigns targeting Indian users with social media messages aimed at stealing user information for financial fraud. Attackers send messages via platforms such as WhatsApp and Telegram, impersonating legitimate organizations to lure users into installing a malicious app on their mobile device. Once installed, the fraudulent apps extract sensitive information from the victim. The campaigns have pivoted to sharing malicious APK files directly with mobile users in India. The malware requests the SEND_SMS and RECEIVE_SMS permissions, collects incoming SMS messages from the victim's device, and forwards them to the attacker's C2 server and to a hard-coded phone number via SMS.
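A first triage step for an APK of the kind Microsoft describes is to look at what its manifest asks for. The Python helper below is an added example (not Microsoft's tooling): it parses a decoded AndroidManifest.xml and flags the combination described above, SMS permissions plus a broadcast receiver registered for incoming SMS and a way to move the messages off the device. Decoding the binary manifest out of the APK (for example with apktool) is assumed to have happened already, and the manifest shown is constructed.

```python
"""Flag SMS-interception capability in a decoded AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PRIORITY = f"{{{ANDROID_NS}}}priority"

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(xml_text):
    """Return a dict summarising SMS-related capability.

    'sms_receivers' lists receivers whose intent-filter listens for
    SMS_RECEIVED, with the filter priority (a high value lets the app see a
    message before the default SMS app does). 'suspicious' is True when the
    app can both receive SMS and move it off the device (SEND_SMS or INTERNET).
    """
    root = ET.fromstring(xml_text)
    permissions = {p.get(A_NAME) for p in root.iter("uses-permission")}
    receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(A_NAME) for a in flt.findall("action")}
            if SMS_RECEIVED_ACTION in actions:
                receivers.append({
                    "name": receiver.get(A_NAME),
                    "priority": int(flt.get(A_PRIORITY, "0")),
                })
    can_receive = "android.permission.RECEIVE_SMS" in permissions and bool(receivers)
    can_exfiltrate = bool(permissions & {"android.permission.SEND_SMS", "android.permission.INTERNET"})
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(permissions & SMS_PERMISSIONS),
        "sms_receivers": receivers,
        "suspicious": can_receive and can_exfiltrate,
    }


# Constructed manifest, modelled on the permission set the item above describes.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Secure Bank KYC">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"], "suspicious" if report["suspicious"] else "no SMS red flags")
    for r in report["sms_receivers"]:
        print(f"  receiver {r['name']} listens for SMS_RECEIVED at priority {r['priority']}")
```

Legitimate messaging apps also request these permissions, so the flag is a reason to look closer (sideloaded APK, brand impersonation in the label, hard-coded phone numbers in the code), not a verdict on its own.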
Is this the real life? Is this just fantasy? Caught in a landslide, NoEscape from NCC Group
The article describes a recent incident response engagement involving NoEscape, a Ransomware-as-a-Service group, by NCC Group’s Cyber Incident Response Team. The threat actor exploited a publicly disclosed vulnerability in an externally facing server for initial access and then used vulnerable drivers to disable security controls. NoEscape is financially motivated and uses a double extortion method of ransomware that includes data exfiltration. The threat actor exploited vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, known as ProxyShell.
Cryptojacking Attack Campaign Against Apache Web Servers Using Cobalt Strike
AhnLab Security Emergency response Center (ASEC) has been tracking attacks on poorly managed or unpatched web servers, specifically those running Apache. The threat actor first installs Cobalt Strike to control the compromised server, then attempts to install Gh0st RAT, and ultimately deploys the XMRig CoinMiner to mine Monero. The campaign appears to be financially motivated, aiming to exploit server resources for cryptocurrency mining.
Circumstances of an Attack Exploiting an Asset Management Program (Andariel Group)
The Andariel group, associated with the Lazarus group, has been identified distributing malware through attacks on an asset management program. The group relies on spear phishing, watering hole, or supply chain attacks for initial penetration and has recently been exploiting vulnerabilities such as Log4Shell and flaws in the Innorix Agent file-transfer software. The targets of these attacks are predominantly South Korean communications companies and semiconductor manufacturers. Several malware strains, including TigerRat, NukeSped variants, Black RAT, and Lilith RAT, are installed through these attacks. The group also uses poorly managed MS-SQL servers as attack vectors and employs hacking tools for credential theft.
A deep dive into Phobos ransomware, recently deployed by 8Base group
The article describes a campaign conducted by the ransomware group 8Base, which uses a variant of the Phobos ransomware and other publicly available tools to facilitate its operations. The group's Phobos variants are mainly distributed by SmokeLoader, a backdoor trojan. The ransomware component is embedded in its encrypted payloads, which are then decrypted and loaded into the SmokeLoader process's memory. Analysis of Phobos' configuration revealed capabilities including a User Account Control (UAC) bypass technique and reporting victim infections to an external URL. The article also reveals that the same RSA key has protected the encryption key in all Phobos samples since 2019.
DarkGate Internals
Sekoia researchers presented an extensive analysis of DarkGate, a malware sold as a service on various cybercrime forums. The malware, developed by RastaFarEye persona, has been used by multiple threat actors such as TA577 and Ducktail. DarkGate is a loader with remote-access tool capabilities which operates covertly, evading detection by antivirus systems. It uses various techniques for data obfuscation, file obfuscation, environment detection, and defense evasion. It also has the ability to escalate privileges, maintain persistence, and establish command and control. The malware poses a significant threat due to its wide range of techniques and functionalities.
Indian Hack-for-Hire Group Targeted U.S., China, and More for Over 10 Years
The Indian group Appin Software Security, also known as Appin Security Group, has been carrying out covert hacking operations since at least 2009. The group is known for conducting hacking operations against high-value individuals, government organizations, and businesses involved in legal disputes. One of their core services was a tool called ‘MyCommando’ that allowed customers to view and download campaign-specific data. The group has targeted countries such as the U.S., China, Myanmar, Pakistan, Kuwait, among others. Appin has also been identified as the entity behind the macOS spyware known as KitM in 2013. Furthermore, the group was also involved in stealing login credentials of Sikhs in India and the U.S.
We all just need to agree that ad blockers are good
The article discusses the role of ad blockers in protecting users from malicious ads that can lead to harmful sites or downloads. Major companies such as Google and Spotify are looking to bypass these ad blockers, potentially exposing users to more threats. Furthermore, Microsoft disclosed three zero-day vulnerabilities, already being exploited in the wild, that could allow attackers to gain system-level privileges. The Royal ransomware group, responsible for infecting more than 350 companies, is suspected of rebranding as ‘BlackSuit’. Additionally, new vulnerabilities in Intel and AMD CPUs could lead to privilege escalation.
Scattered Spider
The article discusses a joint cybersecurity advisory by the FBI and CISA regarding the activities of Scattered Spider, a cybercriminal group known for targeting large companies and their IT help desks. The group primarily engages in data theft for extortion purposes and has recently been observed using BlackCat/ALPHV ransomware. Scattered Spider is skilled in social engineering, using techniques like phishing, push bombing, and SIM swap attacks to acquire credentials and bypass multi-factor authentication. The group also uses legitimate remote access tunneling tools and various malware as part of their tactics.
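The push bombing described in the two Scattered Spider items above leaves a recognisable trace in identity-provider logs: a burst of rejected or unanswered push challenges for one user, sometimes followed by an approval. The detection below is an added example, not from the advisory. The event shape (timestamp, user, push result) is an assumption modelled loosely on what IdPs such as Okta or Entra ID export, and the events are constructed.

```python
"""Detect MFA push bombing from push-challenge outcomes (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # how long failed pushes stay relevant
THRESHOLD = 3                    # failed pushes within WINDOW that count as a burst
FAILED = {"DENY", "TIMEOUT"}     # outcomes that mean the user did not approve


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """events: iterable of (timestamp, user, result).

    Returns alerts as (severity, user, timestamp, message). A burst of
    failed pushes is 'medium'; an approval while a burst is still inside
    the window is 'high' (MFA fatigue success), the case that matters most.
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    burst_alerted = set()
    alerts = []
    for ts_text, user, result in sorted(events, key=lambda e: e[0]):
        ts = parse_ts(ts_text)
        recent = failures[user]
        while recent and ts - recent[0] > window:
            recent.popleft()
        if result in FAILED:
            recent.append(ts)
            if len(recent) >= threshold and user not in burst_alerted:
                burst_alerted.add(user)
                alerts.append(("medium", user, ts_text,
                               f"{len(recent)} rejected/unanswered pushes within {window}"))
        elif result == "SUCCESS":
            if len(recent) >= threshold:
                alerts.append(("high", user, ts_text,
                               f"push approved after {len(recent)} failures: possible MFA fatigue"))
            recent.clear()
            burst_alerted.discard(user)
    return alerts


# Constructed sample events (timestamp, user, push result).
SAMPLE_EVENTS = [
    ("2023-11-20T09:00:05Z", "alice", "DENY"),
    ("2023-11-20T09:00:40Z", "alice", "DENY"),
    ("2023-11-20T09:01:10Z", "alice", "TIMEOUT"),
    ("2023-11-20T09:01:55Z", "alice", "SUCCESS"),
    ("2023-11-20T09:02:00Z", "bob", "DENY"),
    ("2023-11-20T09:30:00Z", "bob", "SUCCESS"),
    ("2023-11-20T10:00:00Z", "carol", "DENY"),
    ("2023-11-20T10:20:00Z", "carol", "DENY"),
    ("2023-11-20T10:40:00Z", "carol", "DENY"),
]

if __name__ == "__main__":
    for severity, user, ts, msg in detect_push_bombing(SAMPLE_EVENTS):
        print(f"{severity.upper():6} {ts} {user}: {msg}")
```

Carol's three denials twenty minutes apart fall outside the window and raise nothing, which is the intended behaviour: a fat-fingered rejection is normal, a burst is not. The "high" alert is the one worth paging on, since it means the account is now authenticated to the attacker; the durable fix is number matching or a phishing-resistant factor, which removes the approve-by-reflex path this technique depends on.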
FBI and CISA Issue Advisory on Rhysida Ransomware
The Rhysida ransomware group, known for its opportunistic approach and ransomware-as-a-service (RaaS) model, has been active since May 2023. It targets various sectors including education, healthcare, and government, and has victimized at least 62 companies. The group uses external remote services for initial access and persistence in target networks and exploits vulnerabilities like Zerologon. It conducts its operations using a variety of tools and malicious executables.
Zero-Day Flaw in Zimbra Email Software Exploited by Four Hacker Groups
Four different groups exploited a zero-day flaw, known as CVE-2023-37580, in the Zimbra Collaboration email software to steal email data, user credentials, and authentication tokens. These attacks were particularly active after the initial fix was made public on GitHub. The first campaign targeted a government organization in Greece using email-stealing malware, while the second threat actor, known as Winter Vivern, targeted government organizations in Moldova and Tunisia. A third unidentified group phished for credentials from a government organization in Vietnam, and a government organization in Pakistan was targeted in the fourth campaign. Google TAG has noted a pattern of threat actors regularly exploiting XSS vulnerabilities in mail servers.
FBI Dismantles IPStorm Botnet After Hacker Pleads Guilty
The US Department of Justice and the FBI have successfully dismantled the IPStorm botnet network following a plea deal with the orchestrator, Sergei Makinin, a Russian-Moldovan national. The malware had been routing malicious traffic through a range of devices globally. Makinin used the network of compromised devices for profit, selling illegitimate access to these proxies and making at least $550,000. The operation to dismantle the IPStorm’s infrastructure involved international law enforcement collaboration. However, the malware remains on many victim devices.
#StopRansomware: Rhysida Ransomware
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint cybersecurity advisory (CSA) on Rhysida ransomware. The threat actor has been targeting the education, healthcare, manufacturing, information technology, and government sectors since May 2023. The ransomware is a 64-bit Windows Portable Executable (PE) compiled with MinGW (GCC); it encrypts files with ChaCha20 and protects the key material with a 4096-bit RSA key. Rhysida actors engage in "double extortion", demanding a ransom payment to decrypt victim data and threatening to publish the exfiltrated data unless the ransom is paid. The threat actor operates in a ransomware-as-a-service (RaaS) model.
TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities
Proofpoint researchers described a cyber espionage campaign by the threat actor TA402, also known as Molerats, Gaza Cybergang, Frankenstein, and WIRTE, observed between July and October 2023. It used phishing campaigns to deliver an initial access downloader called IronWind. The actor targeted fewer than five organizations with each campaign, mainly government entities in the Middle East and North Africa. The actor also changed its delivery methods, moving from Dropbox links to XLL and RAR file attachments.
Avast Q3/2023 Threat Report
Avast researchers reported an unexpected surge in cyber threats, with a 50% increase in unique blocked attacks despite reduced online activity. The surge was driven by a rise in web-based threats, including social engineering and malvertising. Threat actors are increasingly adopting AI for nefarious activities, such as deepfake financial scams. The report also notes significant developments in botnets: the FBI's takedown of the Qakbot botnet led to a drop in activity, while new strains such as DarkGate are emerging. The report also highlights a substantial increase in information stealers and Remote Access Trojans (RATs).
Ducktail fashion week
Securelist presented how Ducktail malware is able to steal Facebook business accounts. The threat actor, presumed to be from Vietnam, used spear-phishing emails with a malicious executable disguised as a PDF file to target marketing professionals. The malware installs a malicious browser extension capable of stealing Facebook business and ads accounts, presumably for sale. The malware also uses obfuscated scripts and communication with a command-and-control server in Vietnam.
Ddostf DDoS Bot Malware Attacking MySQL Servers
The AhnLab Security Emergency Response Center’s (ASEC) analysis team has been monitoring malware distributed to vulnerable MySQL servers. The majority of these malware samples are variants of the Gh0st RAT. The ASEC team has recently discovered that the Ddostf DDoS bot is being installed on these vulnerable servers. This bot, first identified in 2016, is capable of conducting DDoS attacks and supports both Windows and Linux environments. Attackers identify potential targets by scanning systems for port 3306/TCP and then use brute-force or dictionary attacks on poorly managed systems. Unpatched systems with vulnerabilities are also targets for exploitation.
Inside the Mind of a Cyber Attacker: from Malware creation to Data Exfiltration (Part 2)
The article presents a hypothetical scenario in which a cyber attacker uses advanced offensive techniques to bypass security measures and establish a command and control (C2) infrastructure. The attacker utilizes AMSI bypass techniques, sets up a dedicated relay to hide C2 infrastructure, exploits PowerShell Empire malleable profiles, sets up a dedicated payload server using Nginx, and exfiltrates sensitive data to Dropbox. The threat actor in this scenario refuses to be defeated, even after being detected by a vigilant Security Operations Center (SOC). The techniques used by the attacker demonstrate the constant cat-and-mouse game between defenders and attackers in the realm of cybersecurity.
Analysis of Unauthenticated Command Execution Vulnerability in Cisco IOS XE System WebUI
The article discusses two critical CVEs (CVE-2023-20198, CVE-2023-20273) in Cisco IOS XE. The first vulnerability allows command injection due to a flaw in IPv6 address filtering. The second allows unauthorized execution of arbitrary Cisco commands due to a configuration error in Nginx. The article also discusses the discovery of a backdoor that executes arbitrary Linux system commands and patches the vulnerabilities it arrived through, so that devices carrying the backdoor resist further Remote Code Execution (RCE) attempts. The backdoor disappears once the device is restarted. The attacker has since updated the backdoor, adding a new authentication mechanism and patching the ‘%’-based 404 detection method.
Warning Against Distribution of Malware Impersonating a Public Organization (LNK)
An unidentified threat actor has been distributing malicious HTML files disguised as security emails, specifically targeting individuals in the field of Korean reunification and national security. These files impersonate a public organization and contain a compressed file with a legitimate and a malicious file. The malware breaches user information and downloads additional malware. The C2 format and operation methods are similar to a previously identified threat actor, suggesting the same actor may be responsible. The malware exhibits behaviors such as keylogging, stealing browser account information, and taking screenshots.
Same threats, different ransomware
Sophos discovered the shift of a ransomware affiliate group, TAC5279, from deploying Vice Society ransomware to Rhysida ransomware. The group consistently targets organizations across multiple sectors and regions, with particular emphasis on education and healthcare sectors. Their attack pattern includes establishing a connection to the network through a compromised VPN account without multi-factor authentication, employing various tools and exploiting vulnerabilities for data collection, and performing data exfiltration before deploying the ransomware. Despite the shift in ransomware variants, the group’s core tools, tactics, and procedures remain consistent.
The article discusses a cybercrime campaign targeting the online gaming industry. The threat actors use social engineering tactics through social networks and fake download websites to entice gamers into downloading and executing their malicious code. Once executed, the malware operates silently, stealing personal information, in-game assets, and sensitive credentials. The campaign spreads via Discord messages and involves several information stealer families, including Doenerium and Epsilon Stealer.
TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities
The article describes a persistent cyber espionage campaign by the threat actor group TA402, active since 2020. The group uses a complex infection chain to deliver the new initial access downloader called IronWind to target Middle Eastern governments. TA402 has been observed adjusting its delivery methods and continually retooling its attack methods to evade detection. The group has a strong focus on government entities in the Middle East and North Africa, often targeting less than five organizations per campaign.
In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
The article describes a campaign in July 2023, attributed to the pro-Russian APT group known as Storm-0978, targeting groups supporting Ukraine’s admission into NATO. The attack starts with a weaponized Microsoft Word document disguised as talking points for attendees of the July 2023 NATO Summit. The attackers exploited the Microsoft Office RCE vulnerability CVE-2023-36884 to infect targets with malware and discovered a new vulnerability for bypassing Microsoft’s Mark-of-the-Web (MotW) security feature, designated as CVE-2023-36584.
Hackers Trick Windows Users With Malicious Ads to Deliver Malware
The article discusses a malicious campaign where threat actors target Windows users with deceptive ads to deploy malware. The actors create near-perfect replicas of software vendor sites and trick users into downloading a malicious CPU-Z installer from a bogus WindowsReport[.]com portal. They also use cloaking to evade detection and redirect victims to different domains.
Chinese Hackers Launch Covert Espionage Attacks on 24 Cambodian Organizations
Two Chinese nation-state hacking groups are reportedly targeting 24 Cambodian government organizations as part of a long-term espionage campaign. The attackers are leveraging their strong relations with Cambodia to further their geopolitical goals. The affected entities include several sectors such as defense, election oversight, human rights, finance, commerce, politics, natural resources, and telecommunications. The attackers use a China-linked adversarial infrastructure that masquerades as cloud backup and storage services. Moreover, the threat actors have been primarily active during regular business hours in China. They have also exploited a number of zero-day vulnerabilities.
MOVEit Hackers Turn to SysAid Servers Zero-Day Vulnerability
Cyber Security News published a report regarding a cyber-attack campaign where threat actors, known as Lace Tempest, exploited a zero-day vulnerability (CVE-2023-47426) in SysAid servers, which consists of a path traversal weakness. The attackers deployed Cl0p ransomware on affected systems. Post-exploitation was done by deploying the MeshAgent remote administration tool and GraceWire malware on affected devices. SysAid has released patches to fix this vulnerability.
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology
The Russia-linked threat actor Sandworm targeted Ukrainian critical infrastructure, resulting in power outages. The attack started from Internet-exposed servers which communicate with obsolete MicroSCADA control systems. The attackers placed on the victim system an ISO image file containing SCIL commands used to affect physical industrial components. Sandworm later conducted a second disruptive event by deploying a new variant of CADDYWIPER in the victim’s IT environment.
New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers
Malwarebytes reported a campaign that uses replica websites of a legitimate Windows news portal to distribute a malicious installer for a system profiling tool called CPU-Z. Other targeted utilities include Notepad++, Citrix and VNC Viewer. The fake website tricks users into downloading an archive containing a malicious PowerShell script which further deploys FakeBat and RedLine Stealer.
Hive Ransomware’s Offspring: Hunters International Takes the Stage
Bitdefender described a campaign initiated by a new ransomware group, Hunters International, which emerged after the FBI-led takedown of the Hive ransomware group. Hunters International claimed to have acquired the code and infrastructure from Hive, focusing more on data exfiltration than encryption. The ransomware has been rewritten in Rust; it encrypts faster using multithreading, can exclude certain files, and deletes backup solutions.
Cerber Ransomware Exploits Atlassian Confluence Vulnerability CVE-2023-22518
Trend Micro described a cyber threat incident involving the Cerber ransomware exploiting CVE-2023-22518 in Atlassian’s Confluence Data Center and Server. The threat actor exploits this improper authorization vulnerability (CVE-2023-22518) to gain unauthorized access with administrator privileges. The Cerber ransomware employs this vulnerability in its attack routine, enabling it to reset the instance and create a Confluence instance administrator account.
High Traffic + High Vulnerability = an Attractive Target for Criminals: The Dangers of Viewing Clickbait Sites
The article details a campaign where threat actors are exploiting the vulnerability CVE-2023-3169 and compromising clickbait and ad websites, particularly those using outdated or unpatched software. These websites are targeted due to their potential to reach a large number of victims. The attackers utilize web stack data to find out-of-date software or applications and exploit them accordingly. The article does not mention any specific threat actor or affected regions. It highlights that clickbait and ad sites made up over 30% of the compromised sites detected.
Abusing Active Directory Certificate Services (Part 3)
The article describes an exploitation method by which an attacker could escalate privileges on a target system by leveraging misconfigurations in Active Directory Certificate Services (ADCS). The attacker gains a foothold in the target network, then uses relay attacks to trick a victim machine into authenticating to the attacker-controlled machine. The credential material is then relayed to the Certificate Authority to request a certificate on behalf of the victim. This attack path is made possible by certain vulnerabilities, notably the Web Enrollment feature of ADCS and unpatched systems vulnerable to CVE-2021-369421. The technique discussed is referred to as ESC8.
A new video series, Google Forms spam and the various gray areas of cyber attacks
The article discusses multiple cyber threats including a Middle Eastern threat actor known as Arid Viper spreading spyware globally. Additionally, it mentions scams occurring in the ‘Roblox’ video game. The article further discusses a new spam tactic where attackers are exploiting Google Forms to send spam messages appearing as legitimate Google messages. The article also mentions the use of Cerber ransomware exploiting a vulnerability in the Atlassian Confluence Data Center and Server. The Mozi botnet, previously used for DDoS attacks and data exfiltration, has reportedly gone offline.
Malvertiser copies PC news site to deliver infostealer
The article describes a malvertising campaign where threat actors impersonate software vendors and deceive victims with pages that look like the software vendor’s home page. In a new campaign, a legitimate Windows news portal was copied to distribute a malicious installer for the popular processor tool CPU-Z. The impersonated websites are often visited by system administrators and tech enthusiasts. The attack also targeted other utilities like Notepad++, Citrix, and VNC Viewer. The threat actor uses cloaking to avoid detection and the malvertising domains have been reported to Google for takedown. The payload is a digitally signed MSIX installer containing a malicious PowerShell script.
Chinese APT Targeting Cambodian Government
Chinese Advanced Persistent Threat (APT) groups have been identified as targeting multiple Cambodian government organizations through malicious infrastructure disguised as cloud backup services. The targeted entities span a range of industries, and the activity has been ongoing for several months. The data at risk includes financial data, personally identifiable information of citizens, and classified government information. The malicious infrastructure has been observed to use IP filtering and to open and close C2 ports depending on the activity times of the threat actor.
Phishing PDF Files Downloading Malicious Packages
The article describes a cyber threat campaign where malicious URLs are distributed via PDF files, often disguised as game downloads or cracked program versions. Users who click on the links within these PDF files are redirected to a malicious URL, which downloads an encrypted compressed file. Once the file is decrypted and executed, it disables Windows Defender, steals IP and location information, and downloads additional malware onto the user’s device. This additional malware can range from ransomware to infostealers.
Jamf Threat Labs Discovers Malware from BlueNoroff
A new malware variant linked to the BlueNoroff APT group has been identified by the Jamf Threat Labs. The group is financially motivated and targets cryptocurrency exchanges, venture capital firms and banks. They often create domains that appear to belong to a legitimate crypto company to blend in with network activity. The malware is written in Objective-C and operates as a simple remote shell that executes shell commands sent from the attacker server. It is likely being used as a later stage to manually run commands after compromising a system. Submissions to VirusTotal from countries such as Japan and the US have been observed.
Active Exploitation of Big-IP and Citrix vulnerabilities observed by Cyble Global Sensor Intelligence Network
The article reports on the exploitation of recently disclosed vulnerabilities in Citrix and F5 systems. The vulnerabilities, initially highlighted by the Cybersecurity and Infrastructure Security Agency (CISA), were actively exploited shortly after the release of public Proof of Concepts (POCs). Both Citrix and F5 are widely used globally, meaning a variety of organizations could be affected. The vulnerabilities allow for system compromise and potential foothold establishment by attackers. The extent of the threat is yet to be fully determined.
Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors
The Iranian-linked Agonizing Serpens APT group has been targeting the education and technology sectors in Israel with a series of destructive cyberattacks. The campaign began in January 2023 and continued until October 2023. The attackers attempted to steal sensitive data and then deployed wipers to cover their tracks and render the infected endpoints unusable. The group has shown upgraded capabilities and has been investing significant resources to bypass endpoint detection and response (EDR) and other security measures. The Agonizing Serpens APT group is known for its destructive wiper and fake-ransomware attacks.
Distribution of LockBit Ransomware and Vidar Infostealer Disguised as Resumes
The article discusses a campaign where LockBit ransomware and Vidar Infostealer are being distributed through emails disguised as resumes. The ransomware, LockBit 3.0, encrypts files on the user’s PC environment, excluding PE files. The Vidar Infostealer, which is distributed alongside LockBit, connects to a Telegram website for C2 communication and downloads necessary DLL files to perform malicious activities. The information stolen is then transferred to the C2 server. The threat actors seem to be targeting corporations with this scheme.
Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey
BitSight published a report regarding the use of a proxy botnet infrastructure named Socks5Systemz, delivered by the PrivateLoader and Amadey loaders. These loaders are often used by threat actors to distribute malware and build botnets. The botnet is not new and has been under the radar since 2016. The research identified several servers associated with the malware operation, a Telegram user who has built a proxy service using this botnet, and approximately 10,000 infected systems worldwide.
WhatsApp spy mod spreads through Telegram, attacks Arabic-speaking users
Securelist presented how attackers have embedded a spy module in popular WhatsApp mods, leading to a cyber espionage campaign. This campaign is conducted by using a trojanized client to send information to the threat actor’s command-and-control (C&C) server. The primary distribution channels for these spy modules are Telegram channels and dubious websites dedicated to WhatsApp modifications. The attack geography includes more than a hundred countries, with the highest attack numbers in Azerbaijan, Saudi Arabia, Yemen, Turkey, and Egypt. The spyware has been active since mid-August 2023.
Warning Against HWP Documents Embedded with Malicious OLE Objects
The AhnLab Security Emergency Response Center (ASEC) discovered HWP documents with embedded malware targeting specific sectors, particularly national defense and the press. The malware is primarily distributed through download URLs or email attachments. The documents embed either a hidden Microsoft OLE object which redirects a user to a malicious URL or a macro which downloads further malware. The downloaded malware originates from a GitHub repo, and it collects information about the targeted network.
New DarkGate Variant Uses a New Loading Approach
The Netskope Threat Labs team observed a recent distribution of the DarkGate loader through malicious PDF files. The attack proceeds in several phases: the PDF file downloads CAB and MSI files embedded with malicious payloads, the malicious DLLs are loaded through DLL sideloading, and AutoIt scripts are deployed that prepare the DarkGate malware.
DoNot APT expands its arsenal to spy on victim’s VoIP calls
The article describes a cyber espionage campaign conducted by the DoNot APT group. The threat actor has evolved its Android malware capabilities, using a weaponized version of the legitimate ‘QuranApp’, to infiltrate and collect a wide range of sensitive data from victims, including VoIP call recordings and messaging app conversations. The malware is particularly targeting individuals in the sensitive Kashmir region of India. The malware can also download an additional payload at runtime and employs a Firebase Cloud Messaging (FCM) server to receive commands, allowing it to maintain communication with backup servers in case of communication failures with the current server.
Warning Against Infostealer Infections Upon Executing Legitimate EXE Files (DLL Hijacking)
The article describes a cyber threat campaign that uses DLL hijacking to distribute malware. The threat actors are not specified, but they exploit legitimate EXE files to deliver a malicious DLL. When the EXE files are executed, they automatically run the malicious DLL leading to system compromise. Affected entities are not explicitly mentioned, and the campaign seems to be widespread with no specific region targeted. The vulnerability exploited is not a specific CVE, but a technique known as DLL hijacking. The threat actors also conceal their activities by deleting the malicious DLLs after execution.
New Kill Chain Assessments
Endpoint – Malware Emulation: Royal Ransom 12 October 2023
This assessment emulates the activity of the malware sample identified with the SHA256 hash: f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429. The Royal ransomware group is backed by threat actors from Conti. They employ a mix of old and new techniques, such as callback phishing and intermittent encryption, to infiltrate victims’ machines and encrypt files. The group initially used BlackCat’s encryptor before developing its own, and it targets multiple corporations. Royal has been particularly prolific since its launch and has targeted various critical infrastructure sectors, such as chemical, communications, manufacturing, defense industrial base, financial services, and emergency services sectors. Despite warnings from the FBI and CISA, the group continues to adapt, even developing Linux-based variants to expand its range of targets. This assessment emulates the infection and will not execute the actual malware. The emulation binary is generated on demand for each assessment run.
The assessment performs the following abridged series of steps:
1. It retrieves user account information using ‘net user’ and ‘net localgroup’ commands.
2. It disables Windows Defender using the ‘Set-MpPreference’ PS cmdlet.
3. It leverages PowerSploit to execute ‘Find-LocalAdminAccess’ to identify systems where the current user has local administrator privileges.
4. It exfiltrates sensitive data from the system using the SharpExfiltrate .NET tool.
5. It downloads and executes the emulated malware binary.
6. It attempts lateral movement using the PsExec.exe tool, based on the intel gathered in steps 1 and 3.
7. [CLEANUP] It restores the system to the initial state.
The emulation performs the following abridged series of steps:
1. It deletes all Volume Shadow Copies using ‘vssadmin.exe’.
2. It extracts information about the current system using the ‘GetNativeSystemInfo’ Win32 API function.
3. It creates multiple threads, depending on the number of CPU cores, used to encrypt files.
4. It enumerates the network shares using the ‘NetShareEnum’ Win32 API function.
5. It iteratively connects to other hosts in the same network on port 445.
6. It encrypts local files using the AES-256 algorithm, leveraging the OpenSSL library.
7. It attempts to encrypt files on the network shares.
8. It creates a ransom note file in each folder where files were encrypted.
New Audits
Safe Mode Boot – bcdedit set and Windows Service: Force safeboot with bcdedit set command (Powershell); Technique T1562.009, TACTIC: TA0005
Safe mode may represent a method to bypass antivirus products since a minimal number of critical processes are allowed to run in this mode. This audit recreates an attack scenario in which an attacker has previously gained administrative privileges and uses the native “bcdedit.exe” tool to make the computer go into safe mode at the next restart.
Since endpoint audits should not be too intrusive, a restart will never occur. In addition, it recreates scenarios in which attackers spawn their own services, which will start automatically in safe mode, by modifying certain registry keys. For the purposes of emulation, the audit only creates a simple dummy service with no important features.
Safe Mode Boot – New-ItemProperty and Windows Service: Force machine in safeboot using only Windows Registry commands (PowerShell); Technique T1562.009, TACTIC: TA0005
Safe mode may represent a method to bypass antivirus products since a minimal number of critical processes are allowed to run in this mode. This audit creates an alternative method to force a machine into Safe Mode at the next restart, directly manipulating Windows registry keys without using the native “bcdedit.exe” tool which can be easily detected by security products.
Since endpoint audits should not be too intrusive, a restart will never occur. In addition, it recreates scenarios in which attackers spawn their own services, which will start automatically in safe mode, by modifying certain registry keys. For the purposes of emulation, the audit only creates a simple dummy service with no important features.
Command and Scripting Interpreter – ‘IEX (Net.WebClient)’: Fileless PowerShell Module Download and Execution with ‘Invoke-Expression’; Technique T1059.001; TACTIC TA0002
Adversaries may use various scripts to obtain information about existing privileged user accounts from the targeted machine. ‘PowerSploit’ is an open-source offensive PowerShell penetration testing tool.
The ‘PowerSploit’ project can be found at https://github.com/PowerShellMafia/PowerSploit under the BSD 3-Clause. This audit uses the function ‘Find-LocalAdminAccess’ from ‘PowerSploit’ in order to identify machines where the current user has local administrator privileges. As an obfuscation, the file name and type of the script is not present in the URL.
Exfiltration Over Web Service – Exfiltration to Cloud Storage: ‘SharpExfiltrate’ – OneDrive (Command Prompt); Technique: T1567.002; TACTIC: TA0010
Rather than using the pre-established C2 channel, adversaries may opt to exfiltrate stolen data to a cloud storage service. This audit simulates the exfiltration of sensitive data to OneDrive using the offensive tool SharpExfiltrate. The ‘SharpExfiltrate’ project can be found at https://github.com/Flangvik/SharpExfiltrate. The credentials provided in the audit are for demonstration purposes only; they do not exist.
Keysight is an S&P 500 technology company headquartered in California and operating in over 100 countries worldwide. We have more than 20 years of network and security excellence, and our global Application and Threat Intelligence (ATI) Research Center keeps current on the latest threats. By using Threat Simulator, you can proactively identify, remediate, and validate security vulnerabilities.
Stay ahead of the curve in the ever-changing world of cybersecurity with Keysight.
Visit our website for more information.