Threat Simulator can help you proactively measure the efficacy of your cyber security controls against tens of thousands of tactics, techniques, and procedures (TTPs), including MITRE ATT&CK®, and measure network, email, and endpoint security posture at the same time.
It provides automated, recurring assessments that are updated daily to keep up with the latest threats, allowing continuous assessment that proactively identifies and fixes vulnerabilities and minimizes the window of opportunity for nefarious actors.
In May, our global Keysight Application and Threat Intelligence (ATI) Research Center created new Threat Campaigns and Audits to keep our customers and partners safe by simulating the latest attacks and incorporating them into Threat Simulator.
Last month we saw new macOS spyware named Cuckoo, targeting Intel and Arm Macs. The audacity of state-sponsored threat actors continued, with the Iranian APT42 group posing as journalists and infiltrating corporate networks and cloud environments in the West and Middle East.
The US sanctioned the operators of a “free VPN” that routed crime traffic through user PCs. We have seen cybercriminals and nation-state spies targeting home and office routers. Additionally, we have observed a threat group known as Black Basta, a ransomware-as-a-service (RaaS) actor, targeting critical infrastructure sectors globally, including healthcare and public health, across North America, Europe, and Australia.
Read on to learn about these new simulations and how we can assist you in maintaining your safety, no matter where you are in the world.
New Endpoint Audits
Create Account: Cloud Account – AWS CLI (Python) : Create Cloud Account T1136.003
Adversaries may create a cloud account to maintain access to victim systems. Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection. This audit deploys and uses its own portable aws cli binary.
Password Policy Discovery – AWS CLI (Python) : Discover password policy T1201
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. This information may help the adversary create a list of common passwords and launch dictionary and/or brute-force attacks that adhere to the policy. This audit deploys and uses its own portable aws cli binary.
Cloud Infrastructure Discovery – AWS CLI (Python) : Discover instances and buckets T1580
Adversaries may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence. This audit deploys and uses its own portable aws cli binary.
Permission Groups Discovery: Cloud Groups – AWS CLI (Python) : Discover cloud groups and policies T1069
Attackers may use the existing AWS command-line tool to find IAM (Identity and Access Management) user groups and security policies. By enumerating all existing security policies, attackers may find overly permissive rules that they can further exploit.
Account Discovery: Cloud Account – AWS CLI (Python) : Discover cloud users and roles T1087
Attackers may use the existing AWS command-line tool to find IAM (Identity and Access Management) users and roles. Such users might have permissive security policies that can be exploited. Since AWS services and third-party entities should not hold permanent credentials, roles are used instead of users because they provide temporary access keys.
Log Enumeration – AWS CLI (Python) : Enumerate system and service logs T1580
Adversaries may enumerate system and service logs to find useful data. The discovery of these logs may help adversaries to get various types of valuable insights, such as authentication records, security or vulnerable software, or hosts within a compromised network. This audit deploys and uses its own portable aws cli binary.
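The endpoint audits above all surface in AWS CloudTrail as a handful of read-only discovery API calls followed, in the account-creation case, by an IAM write. The script below is an added example (not Keysight's or Threat Simulator's code) of the detection logic a defender can run over CloudTrail records to catch that pattern: it flags any identity that issues several different discovery calls inside a short window, and it reports every cloud account creation separately. The log records, the identities, the 10-minute window and the three-call threshold are all constructed assumptions for the example; the technique IDs follow the audit list above.

```python
"""Flag cloud discovery bursts and account creation in CloudTrail-style logs.

Added example for this post (not Keysight's or Threat Simulator's code).
The log records below are constructed, not real CloudTrail data, and the
10-minute window / 3-distinct-call threshold are assumptions to tune locally.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# API calls behind the discovery audits above, mapped to the technique IDs
# the audit list uses (Log Enumeration is listed under T1580 on the page).
DISCOVERY_EVENTS = {
    "GetAccountPasswordPolicy": "T1201",
    "DescribeInstances": "T1580",
    "ListBuckets": "T1580",
    "DescribeLogGroups": "T1580",
    "ListGroups": "T1069",
    "ListPolicies": "T1069",
    "ListUsers": "T1087",
    "ListRoles": "T1087",
}
ACCOUNT_CREATION_EVENTS = {"CreateUser": "T1136.003"}

CI_ARN = "arn:aws:iam::123456789012:user/ci-runner"   # constructed identity
DEV_ARN = "arn:aws:iam::123456789012:user/alice"      # constructed identity


def _event(ts, name, arn, agent="aws-cli/2.15.0"):
    """Build one constructed CloudTrail-like record as a JSON line."""
    return json.dumps({"eventTime": ts, "eventName": name,
                       "userIdentity": {"arn": arn}, "userAgent": agent})


# Constructed sample log (JSON lines, one record per line).
SAMPLE_CLOUDTRAIL = "\n".join([
    _event("2024-05-14T09:00:00Z", "ListBuckets", DEV_ARN, "console.amazonaws.com"),
    _event("2024-05-14T10:00:05Z", "GetAccountPasswordPolicy", CI_ARN),
    _event("2024-05-14T10:00:40Z", "ListUsers", CI_ARN),
    _event("2024-05-14T10:01:02Z", "ListRoles", CI_ARN),
    _event("2024-05-14T10:01:30Z", "ListPolicies", CI_ARN),
    _event("2024-05-14T10:02:10Z", "ListBuckets", CI_ARN),
    _event("2024-05-14T10:05:00Z", "CreateUser", CI_ARN),
    _event("2024-05-14T14:00:00Z", "DescribeInstances", DEV_ARN, "console.amazonaws.com"),
])


def parse_events(jsonl):
    """Parse JSON-lines CloudTrail records and attach a datetime to each."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_discovery_bursts(events, window=timedelta(minutes=10), min_distinct=3):
    """One alert per identity that issues >= min_distinct different discovery
    API calls inside a sliding time window."""
    by_identity = defaultdict(list)
    for e in events:
        if e["eventName"] in DISCOVERY_EVENTS:
            by_identity[e["userIdentity"]["arn"]].append(e)

    alerts = []
    for arn, evs in by_identity.items():
        evs.sort(key=lambda e: e["_ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["_ts"] - first["_ts"] <= window]
            names = {e["eventName"] for e in in_window}
            if len(names) >= min_distinct:
                alerts.append({
                    "identity": arn,
                    "start": first["eventTime"],
                    "calls": sorted(names),
                    "techniques": sorted({DISCOVERY_EVENTS[n] for n in names}),
                    "user_agents": sorted({e["userAgent"] for e in in_window}),
                })
                break  # one alert per identity is enough here
    return alerts


def find_account_creation(events):
    """Every cloud account creation is worth a ticket on its own."""
    return [{"identity": e["userIdentity"]["arn"], "time": e["eventTime"],
             "call": e["eventName"],
             "technique": ACCOUNT_CREATION_EVENTS[e["eventName"]]}
            for e in events if e["eventName"] in ACCOUNT_CREATION_EVENTS]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CLOUDTRAIL)
    for alert in find_discovery_bursts(evs) + find_account_creation(evs):
        print(json.dumps(alert))
```

The user agent is carried into the alert on purpose: a burst of IAM enumeration from `aws-cli` under an identity that normally only appears with a console user agent is exactly the signal the Threat Simulator audits are designed to let you verify end to end.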
Network audits:
Atlassian Bitbucket Server and Data Center Command Injection CVE-2022-36804
This audit exploits a command injection vulnerability in Atlassian Bitbucket Server and Data Center. The vulnerability is due to improper validation of certain user input fields. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target repository to request an archive which injects an argument to run an OS command. Successful exploitation of the vulnerability could lead to arbitrary command execution under the security context of the service.
Atlassian Confluence Server File Inclusion CVE-2019-3396
This audit exploits a file inclusion and remote command execution vulnerability in Atlassian Confluence Server. The vulnerability is due to improper sanitization of the “_template” parameter. By successfully exploiting this vulnerability, a remote, unauthenticated attacker could retrieve arbitrary files from the target server (file inclusion) or achieve remote command execution through server-side template injection (SSTI) by injecting a malicious template that is then executed.
Citrix ShareFile Storage Zones Controller ProcessRawPostedFile Directory Traversal CVE-2023-24489
This audit exploits a directory traversal vulnerability in the Upload module of the Citrix ShareFile Storage Zones Controller. The vulnerability is due to improper validation of user input in the ProcessRawPostedFile function. A remote, unauthenticated attacker could exploit this vulnerability by sending a request with a crafted upload request parameter to the target server. Successful exploitation could allow an attacker to save files to an arbitrary file path under the web root directory, which could lead to the execution of arbitrary code.
Oracle Access Manager OpenSSO Agent Insecure Deserialization CVE-2021-35587
This audit exploits an insecure deserialization vulnerability in Oracle Access Manager. The vulnerability is due to insufficient validation of requests sent to the OpenSSO Agent endpoint. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to a vulnerable server. Successful exploitation can result in arbitrary code execution under the security context of the affected server.
Progress WS_FTP Server Ad Hoc Transfer Insecure Deserialization CVE-2023-40044
This audit exploits an insecure deserialization vulnerability in the Ad Hoc Transfer module of WS_FTP Server. The vulnerability is due to improper validation of form field values in upload requests. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted deserialization gadget in a parameter value in the body of an HTTP POST request to the “/AHT” endpoint. Successfully exploiting this vulnerability could result in arbitrary code execution under the security context of NETWORK SERVICE.
Atlassian Confluence Information Disclosure CVE-2021-26085
This audit exploits an information disclosure vulnerability in Atlassian Confluence. The vulnerability is due to improper path validation. A remote, unauthenticated attacker could exploit this vulnerability by submitting a specially crafted HTTP request which could result in arbitrary file read.
IBM Aspera Faspex Code Execution CVE-2022-47986
This audit exploits a code execution vulnerability in IBM Aspera Faspex. The vulnerability is due to a YAML deserialization flaw in Ruby on Rails code. The user-supplied parameter external_emails is assigned to the variable ‘enc_emails’ and then passed into YAML.load, which is an unsafe operation. An attacker can exploit this vulnerability by sending a specially crafted call to an obsolete API. Successful exploitation could result in remote code execution within the security context of the service on the target server.
Ruckus Wireless Admin Unauthenticated RCE CVE-2023-25717
This audit exploits a remote code execution vulnerability in Ruckus Wireless routers. The vulnerability is due to insufficient input validation in the ‘/forms/doLogin’ endpoint of the admin web page. A remote, unauthenticated attacker can exploit this vulnerability by sending crafted requests to the victim router, which results in remote code execution.
Apache Spark Command Injection CVE-2022-33891
This audit exploits a command injection vulnerability in Apache Spark. The vulnerability is due to improper validation of user input. A remote, unauthenticated attacker could exploit this vulnerability by submitting a specially crafted HTTP request which could result in arbitrary command execution in the context of the user running the server.
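The Bitbucket audit above is an argument injection (user data that the server passes to an OS command gets parsed as an option) and the Spark audit is a shell command injection (user data spliced into a command string). Both come down to the same coding defect, so this added example (not code from Atlassian, Apache or Keysight) shows the vulnerable pattern next to the hardened one in Python: a lookup helper that builds a shell string from a request parameter, and its replacement that validates the parameter against an allow-list and passes it as its own argv element with no shell involved. The `echo`-based lookup and the allow-list are assumptions made for illustration.

```python
"""Command and argument injection: the vulnerable pattern beside a hardened one.

Added example for this post (not code from Atlassian, Apache Spark or
Keysight); the lookup helper and its allow-list are assumptions for
illustration.
"""
import re
import subprocess

# Allow-list: letters, digits, dot, underscore, hyphen. The first character
# may not be '-' so the value can never be parsed as a command-line option
# (the argument-injection case), and shell metacharacters are excluded
# entirely (the command-injection case).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def vulnerable_lookup(username):
    """'Before' pattern: user input spliced into a shell command string.
    Any shell metacharacters in `username` are interpreted by /bin/sh."""
    cmd = "echo user=" + username
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_argument(value):
    """Return the value if it matches the allow-list exactly, else raise."""
    if not SAFE_NAME.fullmatch(value):
        raise ValueError("argument rejected by allow-list: %r" % value)
    return value


def hardened_lookup(username):
    """'After' pattern: validated value passed as a separate argv element
    with no shell in between, so it can neither add commands nor be read
    as an option. For tools that honour it, put user data after '--' too."""
    name = validate_argument(username)
    argv = ["echo", "user=" + name]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def looks_like_injection(value):
    """Detection-side helper: True when a request parameter would have been
    rejected; useful for logging probes against a patched service."""
    try:
        validate_argument(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(hardened_lookup("bob"), end="")
    print("probe detected:", looks_like_injection("bob; echo injected"))
```

The detection helper is the piece worth keeping after patching: a spike in rejected parameters on the affected endpoint is a cheap indicator that someone is testing the fix.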
Ivanti Endpoint Manager Mobile Authentication Bypass CVE-2023-35078
This audit exploits an authentication bypass vulnerability in Ivanti Endpoint Manager Mobile. The vulnerability is due to a logic flaw and allows a remote unauthenticated attacker to access restricted functionality or resources without proper authentication, including creating an administrative account that can make further changes to the target server.
Atlassian Crowd and Crowd Data Center Arbitrary Plugin Install RCE CVE-2019-11580
This audit exploits a vulnerability in Atlassian Crowd and Crowd Data Center due to the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permit remote code execution on systems running a vulnerable version of the application.
WSO2 API Manager Directory Traversal CVE-2022-29464
This audit exploits a directory traversal vulnerability in WSO2 API Manager. The vulnerability is due to improper sanitization of the multipart form field name for the file upload route. A remote, unauthenticated attacker could exploit the vulnerability by sending crafted HTTP requests to a target server. Successful exploitation can result in an arbitrary file write in the context of the wso2carbon user.
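The Citrix ShareFile and WSO2 audits above are both directory traversals in an upload handler: a client-controlled name is joined onto a server path without checking that the result still lands inside the upload directory. The code below is an added example (not code from Citrix, WSO2 or Keysight) of the check an upload route should apply, in Python: the name must be a single final path component under both POSIX and Windows path rules, and the resolved destination must sit directly under the resolved upload root. The upload root and file names are constructed for the example.

```python
"""Reject path traversal in an upload file name before touching the filesystem.

Added example for this post (not code from Citrix, WSO2 or Keysight); the
upload root and the file names used in the test are constructed.
"""
from pathlib import Path, PurePosixPath, PureWindowsPath


def is_traversal_attempt(client_name):
    """True if a client-supplied file name could escape the upload directory.

    The name has to survive both path flavours as a single final component:
    an attacker does not care which OS the server runs on, so '..\\x',
    '../x' and a Windows drive prefix are all rejected.
    """
    if not client_name or "\x00" in client_name:
        return True
    if client_name in (".", ".."):
        return True
    for flavour in (PurePosixPath, PureWindowsPath):
        if flavour(client_name).name != client_name:
            return True
    return False


def resolve_upload_path(upload_root, client_name):
    """Return the destination Path for a validated name, or raise ValueError.

    Belt and braces: validate the name first, then confirm that the resolved
    destination (symlinks followed) still sits directly under the resolved
    upload root.
    """
    if is_traversal_attempt(client_name):
        raise ValueError("rejected file name: %r" % client_name)
    root = Path(upload_root).resolve()
    dest = (root / client_name).resolve()
    if dest.parent != root:
        raise ValueError("resolved path escaped upload root: %r" % client_name)
    return dest


if __name__ == "__main__":
    # Constructed inputs: one benign name and the classic traversal forms.
    for name in ("report.pdf", "../../etc/passwd", "..\\..\\web.config", "C:boot.ini"):
        try:
            print(name, "->", resolve_upload_path("/tmp/uploads", name))
        except ValueError as err:
            print(name, "->", err)
```

Rejecting rather than silently stripping the path components is deliberate: a rejected name can be logged and counted, which turns every traversal probe against the endpoint into a detection event instead of a quietly renamed file.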
Zoho ManageEngine Password Manager Pro XMLRPC Insecure Deserialization CVE-2022-35405
This audit exploits a remote code execution vulnerability in Zoho ManageEngine Password Manager Pro. The vulnerability is due to deserialization of untrusted data by the XMLRPC component. A remote attacker can exploit this vulnerability by sending crafted HTTP requests to the target server. Successful exploitation results in remote code execution.
WordPress File Manager connector.minimal.php Improper Access Control CVE-2020-25213
This audit exploits an improper access control vulnerability in the File Manager plugin for WordPress. The vulnerability arises from inadequate access control on the connector.minimal.php file during file uploads. A remote, unauthenticated attacker could exploit this vulnerability by submitting a crafted request to a WordPress server with the File Manager plugin installed. Successful exploitation could lead to the unauthorized upload of arbitrary files, including PHP files, potentially resulting in the execution of arbitrary code within the security context of the WordPress server.
New Threat Campaigns:
Figure 1: Recent Threat Campaigns available in Threat Simulator
The Overlapping Cyber Strategies of Transparent Tribe and SideCopy Against India:
The SideCopy APT group, operating since 2019, has been actively targeting South Asian regions, focusing mainly on India. The group uses a sophisticated malware campaign, relying on malicious LNK files and a complex chain of infection involving HTAs and loader DLLs. They have been observed targeting university students, and there’s a potential overlap with the Transparent Tribe APT group. The initial infection vector involves spam emails containing links to a malicious website hosting a malicious archive file. Once triggered, the malicious LNK files initiate a sequence of infection steps, leading to the deployment of malware payloads such as Reverse RAT and Action RAT.
Tiny BackDoor Goes Undetected – Suspected Turla leveraging MSBuild to Evade detection:
Cyble describes a cyber-espionage campaign led by a threat actor believed to be the Turla APT group, which uses MSBuild application to execute in-memory malware. The threat actor uses human rights seminar invitations and public advisories as lures in spam emails to distribute malicious LNK files, which contain embedded PDFs and MSBuild project files. Once the user executes the LNK file, it delivers a stealthy, fileless payload, which acts as a backdoor, enabling the threat actor to take control of the infected system. The campaign targets individuals with an interest in human rights issues, particularly in the Philippines. The attack methodology involves the use of the Microsoft Build Engine (MSBuild) and shows similarities to the previously identified TinyTurla backdoor.
The Rust Revolution: New Embargo Ransomware Steps In:
Embargo, a ransomware developed in Rust whose operators are connected to the ALPHV group, uses double extortion tactics: sensitive information is exfiltrated before the data is encrypted, and the actors threaten to publicly release or sell the stolen data if the ransom is not paid, pressuring victims and exposing them to potential legal and reputational damage. The leak sites of Embargo and ALPHV resemble each other, and both ransomware families have a similar log generation structure. The ALPHV leak site was taken down by law enforcement in March 2024. Embargo has disclosed details of four victims globally to date.
Crimeware report: Acrid, ScarletStealer and Sys01 stealers:
Securelist presented a description of various ‘stealers’, types of malware that extract sensitive information from victims’ systems. The actors behind the campaign have deployed new stealers named Acrid and ScarletStealer, as well as an updated version of Sys01. The Acrid stealer utilizes the ‘Heaven’s Gate’ technique to bypass security controls, while the ScarletStealer downloads additional binaries to carry out its operations. Sys01 tricks users into downloading a malicious ZIP archive disguised as an adult video. The campaign has global reach, with victims identified in numerous countries around the world.
Sharp Dragon Expands Towards Africa and The Caribbean:
The Chinese threat actor, Sharp Dragon, has been expanding its operations to new regions, including Africa and the Caribbean. It uses trusted government entities to infiltrate new ones and establish initial footholds in these regions. The threat actor adopts Cobalt Strike Beacon over custom backdoors. Sharp Dragon exploits 1-day vulnerabilities to compromise infrastructure later used as Command and Control (C2) infrastructure.
Bad Karma, No Justice: Void Manticore Destructive Activities in Israel:
Void Manticore is an Iranian threat actor linked to the Ministry of Intelligence and Security (MOIS). The group conducts destructive attacks and influence operations, using online personas such as ‘Homeland Justice’ for attacks in Albania and ‘Karma’ for attacks in Israel. Void Manticore uses custom wipers for Windows and Linux, and manual deletion of files and shared drives. They are known to collaborate with Scarred Manticore, indicating a systematic handoff of targets between the two groups. Since October 2023, Void Manticore has been actively targeting Israeli organizations with destructive attacks using wipers and ransomware.
Payload Trends in Malicious OneNote Samples:
Unit42 describes a malicious campaign that uses Microsoft OneNote files to deliver payloads. Attackers embed text-based malicious scripts or binary files inside OneNote, taking advantage of the fact that OneNote files can load malicious content if opened. The attack predominantly employs a phishing-like theme, using images to lure users into interacting with the OneNote files. The interaction then executes the embedded malicious payload. The analysis of roughly 6,000 malicious OneNote samples revealed that these files often contain one or more images. The payload types most frequently used include JavaScript, VBScript, PowerShell, and HTA.
Leveraging DNS Tunneling for Tracking and Scanning:
Unit42 describes a case study of new applications of Domain Name System (DNS) tunneling techniques used by threat actors for purposes beyond traditional Command and Control (C2) and Virtual Private Network (VPN) usage. The studied campaigns use DNS tunneling for scanning and tracking. In scanning, adversaries use DNS tunneling to probe a victim’s network infrastructure and gather information for future attacks; in tracking, they use it to trace the delivery of malicious emails and to monitor the use of Content Delivery Networks (CDNs). Three campaigns, TrkCdn, SpamTracker, and SecShow, are analyzed in detail, demonstrating how DNS tunneling can be used for victim activity tracking and network scanning.
Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID – Elastic Security Labs:
LATRODECTUS is a malware loader that was first discovered in October of 2023 by Walmart researchers and has been gaining popularity among cybercriminals. It is linked to the ICEDID malware due to behavioral and developmental similarities, including a command handler that downloads and executes encrypted payloads. LATRODECTUS offers a range of capabilities that threat actors can utilize to deploy further payloads after initial compromise. In addition, it has multiple modules used to deceive sandbox environments and antivirus products. The malware has been observed in an increasing number of email campaigns since early March 2024. It is also speculated that LATRODECTUS is being actively developed as a possible replacement for ICEDID.
Invisible miners: unveiling GHOSTENGINE’s crypto mining operations – Elastic Security Labs:
Elastic Security Labs identified a complex intrusion set, referred to as REF4578, that incorporates several malicious modules and exploits vulnerable drivers to disable security solutions and conduct crypto mining. The malware, known as GHOSTENGINE, establishes persistence, installs an undocumented backdoor, and executes a crypto miner. The campaign goes to considerable lengths to ensure the installation and persistence of the XMRig miner, and it uses a list of DNS servers to obtain the current resolution of the C2 domain names. The ultimate goal of the REF4578 intrusion set is to gain access to an environment and deploy a persistent Monero crypto miner, XMRig.
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware:
The threat actor group Storm-1811 has been observed conducting social engineering attacks using Microsoft’s Quick Assist tool since mid-April 2024. The group uses vishing (voice phishing) to trick users into providing access to their systems, then deploys malware such as Qakbot, Cobalt Strike, and Black Basta ransomware. The group is financially motivated and uses tactics such as impersonation of IT personnel and email bombing to manipulate targets into providing access.
Analysis: A new ransomware group emerges from the Change Healthcare cyber-attack:
The campaign involves a new threat actor, RansomHub, which emerged after a massive cyber-attack and ransomware incident involving Change Healthcare. The ransomware operation began as an affiliate program on a cybercriminal forum, using malware developed by the group. The attackers compromised the healthcare payment management company using credentials on Citrix remote-access software without multi-factor authentication. The ransomware was deployed nine days later, leading to extensive financial damage and data exfiltration.
Pakistan-linked Hackers Deploy Python, Golang, and Rust Malware on Indian Targets:
The Transparent Tribe, a threat actor with links to Pakistan, has launched a series of cross-platform malware attacks against India’s government, defense, and aerospace sectors. The attacks, which took place from late 2023 to April 2024, involve spear-phishing campaigns that abuse popular online services such as Discord, Google Drive, Slack, and Telegram. The malware, written in Python, Golang, and Rust, targets three companies in Bengaluru that are crucial stakeholders and clients of India’s Department of Defense Production (DDP). The group is also known to use different malware and experiment with new intrusion methods to evade detection. Notably, the group has started using ISO images to deploy a Python-based remote access trojan that uses Telegram for command-and-control purposes. Furthermore, the group has developed a Golang-compiled program capable of finding and exfiltrating files, taking screenshots, uploading and downloading files, and executing commands.
Ongoing Malvertising Campaign leads to Ransomware:
The article reports an ongoing campaign by unidentified threat actors distributing trojanized installers for WinSCP and PuTTY through malicious ads on popular search engines. Users are tricked into clicking on these ads, which lead them to typosquatted domains where the malware is hosted. Once downloaded, the trojanized files provide the threat actors with an elevated foothold in the victim’s system. The campaign predominantly targets IT teams, who are likely to download these files. In some cases, the malware has led to attempted ransomware deployments.
Hacker free-for-all fights for control of home and office routers everywhere:
Cybercriminals and nation-state spies are cohabiting compromised routers, using them for both financial gain and strategic espionage. These compromised routers are often infiltrated by more than one threat group, leading to a chaotic environment within the routers. A prominent example is the network primarily composed of Ubiquiti’s EdgeRouter devices, which were infected by a Russian-backed group after initial infection by the Moobot botnet malware. The Russian hackers exploited a vulnerability in the malware, turning the botnet into a global cyber espionage platform. Additionally, these devices were used to proxy logins with stolen credentials and to exploit a critical zero-day vulnerability in Microsoft Exchange. The botnet was also used for spamming, phishing, and hosting other malware.
RemcosRAT Distributed Using Steganography – ASEC BLOG:
The AhnLab Security Intelligence Center identified a campaign distributing the RemcosRAT malware using the steganography technique. The attack starts with a Word document using the template injection technique, after which an RTF exploiting a vulnerability in the equation editor is downloaded and executed. The RTF file downloads a VBScript disguised as a ‘.jpg’ from the C2 and another VBScript from a free text uploading service. The VBScript executes a PowerShell script that downloads an image containing Base64 encoded data which is then decoded into a ‘.NET DLL’ and executed. The script downloads an additional file and creates RegAsm.exe as a child process to execute it, resulting in the execution of RemcosRAT.
In the Shadow of Venus: Trinity Ransomware’s Covert Ties:
The threat actors behind Trinity, a new ransomware variant, employ a double extortion strategy, exfiltrating the victim’s data before initiating encryption. The Trinity variant shares similar ransom note format and underlying codebase with 2023Lock, indicating it could be a new variant of 2023Lock. It also bears similarities with Venus ransomware, suggesting a potential common threat actor. Trinity uses the ChaCha20 algorithm for encryption and tags encrypted files with a ‘.trinitylock’ extension. The threat actors utilize both victim support and data leak sites in their operations.
Malware Distributed as Copyright Violation-Related Materials (Beast Ransomware, Vidar Infostealer):
AhnLab presented how Beast ransomware and Vidar stealer are being distributed through emails disguised as copyright violation warnings and resumes. The emails contain external links that download a compressed file, which contains another compressed file that tries to bypass anti-malware products based on compression option settings. Upon decompression, two executable files are revealed that carry the Vidar Infostealer and the Beast ransomware. The Beast ransomware is known to encrypt original files and compress them along with a ransom note. Vidar Infostealer is capable of leaking user information and targets various info such as cookies, AutoFill data, credit card numbers, and even files present on the user’s PC.
#StopRansomware: Black Basta:
CISA and FBI published a statement regarding a threat group known as Black Basta, identified as a ransomware-as-a-service (RaaS) actor. The cybercriminals use spear phishing and known vulnerabilities to gain access, then employ a double-extortion model of encrypting systems and exfiltrating data. They have targeted at least 12 critical infrastructure sectors globally, including Healthcare and Public Health, across North America, Europe, and Australia. The vulnerabilities exploited include ZeroLogon, NoPac, and PrintNightmare. The ransomware was first identified in April 2022, with over 500 organizations impacted as of May 2024.
Fake Antivirus Websites Delivering Windows and Android Malware:
Cybercriminals are using fake antivirus websites that imitate legitimate antivirus solutions from brands like Avast, Bitdefender, and Malwarebytes to spread malware to Windows and Android devices. Users are tricked into downloading malicious software that can steal sensitive information and compromise device security. These websites distribute different types of malware, including the SpyNote trojan, the Lumma information stealer, and the StealC information stealer. There is also a rogue Trellix binary that delivers stealer malware. The distribution methods for these fake websites are unclear but could involve malvertising and search engine optimization poisoning.
From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats:
McAfee discusses a cyber threat campaign involving AsyncRAT (Asynchronous Remote Access Trojan), a sophisticated malware designed to breach computer systems and steal sensitive data. The malware uses a variety of file types to circumvent antivirus detection methods and spread the infection. The infection chain begins with a spam email containing an HTML page attachment, which triggers the download of a Windows Script File (WSF) and subsequently other files, leading to a process injection. The malware also uses deceptive tactics such as a fake Amazon page to mislead the user. The campaign does not specify the regions affected or any particular vulnerabilities exploited.
US sanctions operators of “free VPN” that routed crime traffic through user PCs:
A VPN-powered botnet was discovered that helped criminals mask their illicit activities while turning infected devices into residential IP proxies for further attacks. The botnet, which comprised over 19 million residential IP addresses, was built from the free VPN applications MaskVPN and DewVPN, which covertly turned users’ devices into proxy servers. An investigation identified one of the individuals involved, who was also connected to the operation of MaskVPN and DewVPN. The botnet was used in numerous fraudulent applications, resulting in significant financial loss to the US government, and was linked to several bomb threats made across the US.
Iranian hackers pose as journalists to push backdoor malware:
APT42, an Iranian state-sponsored threat actor, is launching social engineering attacks, posing as journalists, and infiltrating corporate networks and cloud environments in the West and Middle East. The attacks, which started in 2015, involve spear-phishing and the use of two custom backdoors, ‘Nicecurl’ and ‘Tamecat’, which allow command execution and data exfiltration. The hackers create fake personas and send emails from domains similar to those of legitimate organizations, tricking victims into clicking on malicious links that lead to fake login pages. Once the victim’s account credentials and multi-factor authentication tokens are stolen, the attackers infiltrate the network, collecting sensitive information. APT42 uses VPNs, domains, and VPS servers to evade detection and attribution.
Tracking Threat Actors Using Images and Artifacts:
VirusTotal discusses a method to track adversary activity in cyber-security by focusing on samples used in the initial stages of a cyber-attack. The technique involves tracking images and artifacts used in delivery and weaponization phases, with a particular focus on suspicious Microsoft Office documents, PDF files, and emails. The researchers examined embedded files within Office documents and found that certain artifacts, such as images, XML files, and styles, can be used to trace malicious actors. The research also shows that automated image analysis can aid in identifying potential victims and other aspects of threat hunting. Additionally, the study found that certain files within office documents, namely styles.xml and [Content_Types].xml, can provide valuable clues for identifying and tracking threat actors.
North Korean Threat Actor Deploys New, Custom Ransomware:
The North Korean threat actor known as Moonstone Sleet has been found to be targeting organizations in the software, IT, education, and defense sectors. Using a combination of unique and previously employed tactics, the group has been involved in espionage and ransomware cyberattacks. The group uses social media apps and developer freelancing programs to deliver malicious versions of PuTTY, an open-source terminal emulator, or malicious npm packages. They also impersonate game developers or create fake companies to convince targets to download malicious games. These activities have been observed since last year, with the group’s most recent activity involving the delivery of the FakePenny ransomware family against a defense technology company.
New ‘Cuckoo’ Persistent macOS Spyware Targeting Intel and Arm Macs:
Kandji released a report on a macOS malware named Cuckoo that establishes persistence on the system and steals environment information. Once executed, it spawns various shell processes that extract data such as the iCloud Keychain, Apple Notes, browser-stored credentials, and keys for Steam and Discord.
North Korean Hackers Exploit Facebook Messenger in Targeted Malware Campaign:
The cybersecurity company Genians presented how a threat actor contacted several victims through fake Facebook accounts and sent them malicious files using the Messenger application. The first phase of the attack involves a Microsoft Common Console document disguised as a Word file, which connects to the C2 server and downloads various other scripts written in Visual Basic. It establishes persistence on the system and ultimately deploys the ReconShark malware.
Uncovering an undetected KeyPlug implant attacking industries in Italy:
APT41, a cyber threat group known for its cyber espionage and cybercrime campaigns orchestrated an attack which involves the KeyPlug backdoor. They implement complex and versatile operations with a high level of expertise, possibly indicating state support. Their targets include sectors like government, manufacturing, technology, media, education, and gaming. They deploy malware, phishing tactics, exploit zero-day software vulnerabilities, and launch supply chain attacks with the intention of stealing intellectual property, compromising systems, and obtaining sensitive data for strategic or economic gain. Hyperlinks found in the KeyPlug backdoor redirect to various sources discussing the ISOON leaks.
Log4j Campaign Exploited to Deploy XMRig Cryptominer:
The Uptycs Threat Research Team discovered a large-scale operation within the notorious Log4j campaign. The operation involves over 1700 dedicated IPs, and its main goal is to deploy the XMRig cryptominer malware by exploiting the CVE-2021-44228 vulnerability in Apache Log4j 2. The campaign initiates with a carefully crafted HTTP request to a system using Log4j, which results in a network request to an attacker-controlled server. Threat actors like Lazarus, APT28, APT35, and DEV-0401 have exploited these vulnerabilities, deploying various malware strains. The operation involves four sets of Command-and-Control (C2) servers, each managing activities and establishing communication with compromised IPs.
AllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking details in Latin America:
HarfangLab reported that a threat campaign, codenamed TRR240501, involved a malicious payload named ‘AllaSenha’ that was delivered to a computer in Brazil. The payload, aimed at stealing Brazilian bank account credentials, was delivered through an infection chain involving Python scripts and a Delphi-developed loader. The threat actor used Azure cloud for command and control (C2) infrastructure. The infection chain started with a malicious Windows shortcut file disguised as a PDF file and distributed through WebDAV. The threat actor is thought to have switched to this exact infection chain in March 2024.
zEus Stealer Distributed via Crafted Minecraft Source Pack:
The article details a high-severity threat campaign targeting Microsoft Windows users, primarily game makers and players who download and modify game packages. The attackers employ a variant of the zEus stealer malware, embedded in a crafted Minecraft source pack and distributed via YouTube. The malware gathers sensitive data, blocks analysis attempts, and communicates with a Command-and-Control server. Additionally, it includes features for screen locking, screenshot sending, and chat box creation. The malware also searches for cryptocurrency usage and files with specific keywords related to login mechanisms.
North Korean Hackers Abusing FB and MS Management Console:
The North Korean hacking group Kimsuky has been reported using sophisticated methods involving social media platforms and system management tools for espionage activities. They use Facebook to target individuals involved in North Korean human rights and security affairs, creating fake profiles that mimic South Korean public officials. They build trust with their targets through friend requests and personal messages, eventually sharing malicious links or documents. They also use Microsoft Management Console (MMC) files to execute malicious commands on the victims’ systems. Once the MMC-based malware is successfully deployed, Kimsuky establishes a command and control (C2) channel to manage the compromised systems remotely.
Security Brief: Artificial Sweetener: SugarGh0st RAT Used to Target American Artificial Intelligence Experts:
The UNK_SweetSpecter threat group deployed a SugarGh0st RAT attack against US organizations involved in artificial intelligence, including academia, private industry, and government service. The attacker used an AI-themed email lure with a zip file attachment that contained a JavaScript dropper and an encrypted binary to deliver the payload. The infection chain was similar to ‘Infection Chain 2’ reported by Cisco Talos. Notable changes included a modified registry key name for persistence, a reduced number of commands the payload could run, and a different C2 server. The campaign targeted fewer than 10 individuals with direct connections to a single US-based AI organization. The main objective appeared to be obtaining non-public information about generative artificial intelligence.
Security Brief: Millions of Messages Distribute LockBit Black Ransomware:
In April 2024, an unidentified threat actor orchestrated high-volume campaigns using the Phorpiex botnet to deliver LockBit Black ransomware via email. The LockBit Black ransomware used in the campaign was believed to be constructed from a leaked LockBit builder from 2023. The campaign targeted various global organizations with emails containing an executable file that, when opened, initiated a network call to the Phorpiex botnet and downloaded the ransomware payload. The ransomware then stole data, encrypted files, and disrupted services on the affected system. This campaign was significant due to the high volume of messages and the use of ransomware as a first-stage payload.
Mallox affiliate leverages PureCrypter in MS-SQL exploitation campaigns:
The report discusses a cyber campaign by the Mallox ransomware operation that exploits vulnerable Microsoft SQL (MS-SQL) servers. The threat actor uses brute-force tactics to gain initial access and deploys the Mallox ransomware via PureCrypter through several MS-SQL exploitation techniques. They target servers globally, using the Ransomware-as-a-Service (RaaS) model and the double extortion technique. They also make use of the hosting provider XHost Internet Solution. Two distinct operational methods are observed: one that discreetly targets vulnerable servers for lower revenues, and another that compromises information systems more broadly for higher income.
ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information:
The article describes a cyberattack campaign utilizing the ViperSoftX malware strain, which is known to control infected systems and steal user information. The malware is typically disguised as cracks or keygens for legitimate software and installs additional malware on infected systems. The latest version of ViperSoftX uses the open-source OCR engine Tesseract to extract text from users’ image files, with a focus on images containing passwords or cryptocurrency wallet addresses. It also installs additional malware strains, such as Quasar RAT and TesseractStealer. The malware’s distribution has been increasing notably, with attackers particularly targeting users who store cryptocurrency wallet addresses or password information in image files.
Distribution of DanaBot Malware via Word Files Detected by AhnLab EDR:
The article describes a cyber-attack campaign that primarily uses emails with documents containing external links to spread the DanaBot malware. The malicious documents are carefully disguised as job application forms, which, when opened, trigger the download of additional malicious documents leading to the installation of the DanaBot malware. The malware has the ability to steal data from the infected PC, take screenshots, and collect browser account credentials. The attacker uses the external link approach so that the email attachment itself carries no malicious macro for detection to flag.
LNK File Disguised as Certificate Distributing RokRAT Malware – ASEC BLOG:
The article describes a cyber threat campaign that uses LNK files disguised as certificates to distribute RokRAT malware. The threat actor’s main target is South Korean users, specifically those connected to North Korea. The LNK files contain a command to execute PowerShell via CMD and include legitimate document files, script code, and malicious PE data. Once the LNK file is executed, it runs PowerShell commands that create and open a legitimate document file and subsequently create three files that execute the RokRAT malware. This backdoor-type malware is capable of using cloud APIs to collect user information and perform various malicious behaviors at the threat actor’s command.
Analysis of TargetCompany’s Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware):
The TargetCompany ransomware group has been identified as the perpetrator of an ongoing series of attacks targeting poorly managed MS-SQL servers. The attacks involve the installation of the Mallox ransomware, with the group using a combination of brute force and dictionary attacks to gain access. Once access is achieved, the Remcos RAT is installed, which is then used to install additional malware, including the Mallox ransomware. The group has also been linked to previous attacks involving the Tor2Mine CoinMiner and BlueSky ransomware.
Graph: Growing number of threats leveraging Microsoft API:
The article reports on a series of attacks leveraging the Microsoft Graph API to facilitate command-and-control (C&C) communications. The technique was notably used in an attack in Ukraine involving a malware named BirdyClient. The malware uses the Graph API to connect to Microsoft OneDrive and employs it as a C&C server mechanism. This tactic has also been adopted by other groups, including the North Korea-linked Vedalia espionage group and the Russian Swallowtail espionage group. As a result, several governments in Europe and Asia have been targeted. The main initial access vector in these attacks is spear-phishing emails delivering Excel downloaders that exploit a remote code execution vulnerability (CVE-2021-40444).
Springtail: New Linux Backdoor Added to Toolkit:
The North Korean Springtail espionage group, also known as Kimsuky, has developed a new Linux backdoor linked to malware used in a recent campaign against South Korean organizations. The group initially specialized in attacks on the South Korean public sector and has been known to exploit improperly configured DNS Domain-based Message Authentication, Reporting, and Conformance (DMARC) record policies. In a recent campaign, they delivered a new malware family named Troll Stealer using Trojanized software installation packages. This malware can steal a range of information from infected computers. The campaign also involved the distribution of a Linux version of this malware family, called Linux.Gomir, which shares code with the Windows Go-based backdoor GoBear.
Our Threat Campaigns are carefully crafted to replicate real-world scenarios, allowing you to test your controls manually or automatically. By doing so, you can ensure that your security posture is armed with identifiable Indicators of Compromise (IOCs). Our Threat Campaigns are now enriched with behavioral audits based on the analysis of the malicious files associated with a specific threat.
Stay ahead of the curve in the ever-changing world of cybersecurity with Keysight.
Visit our website for more information.