New Immediate Threats!

Every week new cyber threats are announced in the world. As soon as a threat is known, the Cymulate Research Lab analyzes it, copies it and removes the sting. This de-weaponized threat is available within 48 hours to offensively test the resilience of security systems. This way you immediately know whether your security measures are still adequate and which rules you should apply if necessary.

New Immediate Threats is part of the Cymulate platform.

Would you like to know more, get a demo, or a try-out? Send your question to udo.messack@cert2connect.com

Below you can see the Immediate Threats of the past few weeks.

NEW IMMEDIATE THREATS!

Week 45
- Russian Hackers Attacking Ukraine Military With Malware Via Telegram
  Russian hackers identified as UNC5812 are targeting the Ukrainian military through a sophisticated cyber operation. The attackers use a deceptive Telegram channel and website posing as a civil defense service to distribute malware for both Windows and Android devices. The Windows attack deploys Pronsis Loader which installs SUNSPINNER (a decoy mapping application) and PURESTEALER (an information-stealing malware). Android users are targeted with CRAXSRAT a commercial backdoor malware. The operation spreads through promoted posts in legitimate Ukrainian Telegram channels and employs social engineering tactics. The campaign also includes an influence operation sharing anti-mobilization content across pro-Russian social media networks. This cyber-espionage effort aims to exploit recent changes in Ukraines mobilization laws and the introduction of digital military IDs.
  
  See the solution
- Analyzing APT37 Groups Covert Cyber Reconnaissance Activities
  "The state-sponsored threat group APT37 is conducting cyber espionage campaigns against South Korea specifically targeting North Korean human rights groups defectors journalists and experts in unification defense and foreign affairs. The group delivers the RoKRAT malware through malicious shortcut (.lnk) files attached to phishing emails.
  See the solution
- ToxicPanda a new banking trojan from Asia hit Europe and LATAM
  A new Android banking Trojan called ToxicPanda has emerged targeting Europe and Latin America. Originating from Chinese-speaking threat actors it has infected over 1500 devices across Italy Portugal Spain and other countries. ToxicPanda exploits accessibility services for account takeovers and on-device fraud. It can intercept OTPs remotely control devices and collect sensitive data. The malware uses AES encryption for C2 communication and has a sophisticated control panel. While less advanced than some trojans ToxicPandas expansion into new regions marks a significant shift in the threat landscape.
  
  See the solution
- India Cert Alert - RansomHub Ransomware
  It has been reported that RansomHub ransomware is aggressively targeting enterprises with double extortion attacks causing data exfiltration and encryption. RansomHub operating as a Ransomware-as-a-Service (RaaS) is believed to be a rebranded version of Knight/Cyclops ransomware. The group focuses on the systems based on Windows Linux ESXi NAS and SFTP servers for attacks.
  
  See the solution
- India Cert Alert - Makop Ransomware
  It has been reported that Makop ransomware is actively targeting organisations including critical sectors. Makop ransomware encrypts the files on the victims systems and asks for ransom payment in bitcoin. Makop is an offshoot of the PHOBOS ransomware variant and operates under an affiliate structure.
  
  See the solution
- Cert IL Alert - Beaver Tail
  """BeaverTail"" attributed to a North Korean APT group named
  See the solution
- BlueNoroff Utilizes Fake Crypto News To Lure Victims Into Multi-Stage Phishing Attacks
  "BlueNoroff a financially motivated APT linked to North Korea launched a phishing campaign called ""Hidden Risk"" in July 2024 targeting cryptocurrency businesses.
  See the solution
- G700 The Next Generation of Craxs RAT
  G700 RAT an advanced variant of Craxs RAT targets Android devices and cryptocurrency applications. It employs sophisticated techniques like privilege escalation phishing and malicious APK distribution to infiltrate devices. The malware bypasses authentication captures sensitive data and manipulates legitimate app functions allowing attackers to perform illicit actions undetected. Developed in C and Java it exploits mobile app security gaps intercepts SMS messages abuses Android permissions and hijacks crypto transactions. G700 RAT uses persistence and obfuscation techniques including Base64 encoding and APK encryption to evade detection. Distributed through darkweb forums and Telegram channels it poses a growing threat to device security especially in cryptocurrency and financial environments.
  
  See the solution
Week 44
- Inside the Open Directory of the You Dun Threat Group
  Analysis of an open directory found a Chinese speaking threat actors toolkit and history of activity. The threat actor displayed extensive scanning and exploitation using WebLogicScan Vulmap and Xray targeting organizations in South Korea China Thailand Taiwan and Iran. The Viper C2 framework was present as well as a Cobalt Strike kit which included TaoWu and Ladon extensions. The Leaked LockBit 3 builder was used to create a LockBit payload with a custom ransom note that included reference to a Telegram group which we investigated further in the report.
  
  See the solution
- Cert IL Alert - Impersonation Of A Message Sent By The Directorate - update
  The National Cyber Directorate recently reported an email impersonating a message sent by the directorate. The purpose of the message is to spread fear and panic among the public.
  
  See the solution
- Play Ransomware Engagement
  Unit 42 has identified Jumpy Pisces a North Korean state-sponsored threat group as a key player in a recent ransomware incident. The group appears to be collaborating with the Play ransomware group marking a shift in their tactics. This is the first observed instance of Jumpy Pisces using existing ransomware infrastructure potentially acting as an initial access broker or an affiliate. The attack timeline spans from May to September 2024 involving initial access through a compromised user account lateral movement and persistence using tools like Sliver and DTrack. The incident culminated in the deployment of Play ransomware in early September. This collaboration signals deeper involvement of North Korean threat actors in the broader ransomware landscape potentially leading to more widespread and damaging attacks globally.
  
  See the solution
- HiveOS Targeted For Mining Ravencoin
  A recent cyberattack targeted HiveOS a Linux-based operating system used for managing cryptocurrency mining rigs. The attackers exploited weak SSH credentials to gain unauthorized access. They then executed a series of commands to establish a backdoor named autofan and set up a mining configuration to divert mining resources to their own Ravencoin wallet. Initial access was gained by brute-forcing SSH then implemented the Linux backdoor for remote control and further exploitation of mining-related activities.
  
  See the solution
- Cert IL Alert - Shinra Ransomware
  "On May 2024 the INCD has received a report of a ransomware attack against an Israeli victim of a ransomware that identifies as ""SHINRA"". Through independent research and OSINT verification the INCD assesses that the ransomware is a part of the Proton ransomware family known to operate since early 2023 with probable Iranian origins."
  
  See the solution
- Infiltrating the Cicada3301 Ransomware-as-a-Service Group
  This analysis provides an in-depth look into the operations of the Cicada3301 Ransomware-as-a-Service (RaaS) group. It details the workflow of their affiliates within the panel and examines the multi-platform capabilities of their ransomware encompassing Windows Linux ESXi and even uncommon architectures like PowerPC. The group has swiftly targeted numerous organizations across critical sectors within just a few months with a significant focus on the United States and the United Kingdom. Their sophisticated affiliate program recruits penetration testers and access brokers offering commissions and a feature-rich web panel. The ransomware employs advanced encryption techniques and aggressive tactics to maximize disruption making it a formidable threat.
  
  See the solution
- ClickFix tactic The Phantom Meet
  This analysis explores the ClickFix social engineering tactic that emerged in 2024 focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code by displaying fake error messages. The investigated cluster targets both Windows and macOS systems spreading infostealers like Stealc Rhadamanthys and AMOS Stealer. The operation is linked to cybercrime groups Slavic Nation Empire and Scamquerteo sub-teams of larger cryptocurrency scam organizations. The report details the infection chain infrastructure and provides insights into the broader malware distribution ecosystem associated with these threat actors.
  
  See the solution
- LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus
  LUNAR SPIDER a Russian-speaking financially motivated threat group has resumed operations following law enforcement disruptions. Theyve shifted from using IcedID to leveraging Latrodectus and Brute Ratel C4 malware targeting financial services through SEO poisoning malvertising campaigns. The group maintains affiliations with ransomware operators like ALPHV/BlackCat sharing infrastructure and tools. LUNAR SPIDERs adaptability is evident in their use of over 200 malicious infrastructures across different malware families. Their latest campaign employed obfuscated JavaScript to deliver Brute Ratel C4 establishing persistence and command-and-control communication.
  
  See the solution
Week 43
- Lynx Ransomware
  Lynx ransomware is a newly emerged and sophisticated malware threat that has been active since mid-2024. Lynx ransomware has claimed over 20 victims across a range of industries. Once it infiltrates a system, it encrypts critical files, appending a ?.lynx? extension, and deletes backup files like shadow copies to hinder recovery.
  
  See the solution
- UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants
  "Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian speaking group we track as ""UAT-5647"", against Ukrainian government entities and unknown Polish entities. UAT-5647 is also known as RomCom and is widely attributed to Russian speaking threat actors in open-source reporting. The latest series of attacks deploys an updated version of the RomCom malware we track as ""SingleCamper"". This version is loaded directly from registry into memory and uses loopback address to communicate with its loader. UAT-5647 has also evolved their tooling to include four distinct malware families: two downloaders Cisco track as RustClaw and MeltingClaw
  See the solution
- Bumblebee Loader Discovered With New Infection Chain
  Bumblebee is a sophisticated downloader malware used by cybercriminals to access corporate networks and deploy payloads like Cobalt Strike and ransomware. First identified by Google in 2022 it resurfaced in 2024 following Europols Operation Endgame which targeted major malware botnets. Bumblebee infections typically start via phishing emails containing ZIP files with LNK files that execute a chain of events to load the malware into memory without writing to disk. The infection process uses MSI files and PowerShell commands to download and install the final payload stealthily avoiding detection by bypassing process creation. The malware uses RC4 encryption for configuration with hardcoded keys.
  
  See the solution
- Vietnamese Threat Actors Multi-Layered Strategy on Digital Marketing Professionals
  Cyble has uncovered a sophisticated multi-stage malware attack attributed to a Vietnamese threat actor targeting job seekers and digital marketing professionals as well as deploying Quasar RAT to gain full system control.
  
  See the solution
- Silent Threat Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions
  EDRSilencer a red team tool designed to interfere with endpoint detection and response (EDR) solutions has been discovered being abused by threat actors. It leverages the Windows Filtering Platform to block EDR traffic concealing malicious activity. The tool dynamically identifies running EDR processes and creates filters to block their outbound communication preventing telemetry and alerts from reaching management consoles. During testing it effectively disrupted various EDR products including those not in its hardcoded list. This tool represents a significant shift in tactics enhancing the stealth of malicious activities and increasing the potential for successful attacks. Organizations must adapt their security posture to counteract these sophisticated evasion techniques.
  
  See the solution
- Threat actor abuses Gophish to deliver new PowerRAT and DCRAT
  Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victims intervention to trigger the infection chain. Talos discovered an undocumented PowerShell RAT were calling PowerRAT as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT. Cisco found a few placeholders for base64 encoded PowerShell scripts in the PowerRAT indicating that the threat actor is actively developing their tools.
  
  See the solution
- IcePeony with the 996 work culture
  IcePeony is an unknown attack group. Our research shows that they have been active since at least 2023. They mainly target Asian countries such as India and Vietnam. In the log files we analyzed there were over 200 attempts to attack various government websites in India. They use SQL injection attacks on public web servers. If they find a vulnerability they install a webshell or malware. Ultimately their goal is to steal credentials.
  
  See the solution
- Cert IL Alert - Impersonation Of A Message, Sent By The Directorate
  The National Cyber Directorate recently reported an email impersonating a message sent by the directorate. The purpose of the message is to spread fear and panic among the public.
  
  See the solution
- US Cert Alert - Iranian Cyber Actors Compromise Critical Infrastructure Organizations CISA AA24-290A
  The FBI CISA NSA CSE AFP and ASDs ACSC issued a joint cybersecurity advisory warning about Iranian cyber actors targeting critical infrastructure sectors including healthcare government IT engineering and energy. Since October 2023 the actors have used brute force techniques like password spraying and multifactor authentication (MFA) push bombing to compromise accounts and modify MFA registrations for persistent access. They gather credentials and network information from compromised systems likely selling this data to cybercriminals for further malicious use.
  
  See the solution
- The Beast Ransomware-as-a-Service Platform Continues To Evolve
  "The Beast Ransomware-as-a-Service (RaaS) platform active since 2022 allows affiliates to create ransomware for Windows Linux and ESXi systems with customizable features.
  See the solution
Week 42
- Analyzing Recent Cyber Attacks in the United States Coinciding with Columbus Day Celebration
  "The United States has experienced a significant increase in cyber attacks from June to October 2024 with over 800 organizations affected by ransomware across various sectors. Play RansomHub Lockbit Qilin and Meow have emerged as the most active ransomware groups. Notable incidents include the Rhysida ransomware attack on Columbus and data breaches impacting Virginias Department of Elections and Healthcare.gov. Chinas ""Salt Typhoon"" espionage campaign is targeting U.S. ISPs while hacktivist groups supporting pro-Russian and pro-Palestinian causes have intensified their activities. The cyber threats have led to identity theft financial fraud operational disruptions and national security risks. Recommendations include enhancing security protocols conducting regular audits providing employee training and implementing advanced threat monitoring to protect critical infrastructure and maintain public trust."
  
  See the solution
Week 41
- Threat Actors Target Unpatched Linux Server Vulnerabilities With Malware Dubbed PERFCTL
  "A Linux malware dubbed ""perfctl"" was identified exploiting over 20000 types of misconfigurations to target Linux servers worldwide. Once compromised the malware remains dormant until the server is idle employing rootkits to conceal its presence and using tactics to persist undetected. It communicates internally via Unix sockets and externally via TOR and it deletes its binaries post-execution to avoid detection. Perfctls attack flow includes exploiting the Polkit vulnerability CVE-2021-4043 and/or RocketMQ vulnerability CVE-2023-33246 for privilege escalation initial access and deploying cryptominers to hijack resources."
  
  See the solution
- Cert IL Alert - Muddy Water
  Recently the Israel National Cyber Directorate identified an active phishing campaign within the Israeli cyberspace. The campaign is being carried out extensively across all sectors of the economy. The Israel National Cyber Directorate attributes this campaign to the Iranian threat group MuddyWater based on familiarity with the groups infrastructure and its typical tactics techniques and procedures (TTPs)
  
  See the solution
- Exploring GenAI in Cybersecurity Gemini for Malware Analysis
  This analysis explores the application of Generative AI specifically Googles Gemini Advanced in malware analysis. The experiment focuses on analyzing executable files particularly a RisePro Stealer sample. The methodology involves decompiling the malware using Ghidra and IDA Pro then using specific prompts with Gemini to analyze the code. The process aims to determine the files verdict understand its behavior and identify Indicators of Compromise (IOCs). While Gemini proves useful in providing insights and aiding analysis challenges such as handling large codebases and obfuscated code are noted. The study concludes that Gen AI can be a powerful tool in malware analysis when used in conjunction with traditional reverse engineering tools but emphasizes the need for human expertise in interpreting results.
  
  See the solution
- SharpRhino New Hunters International RAT identified by Quorum Cyber
  Researchers at Quorum Cyber identified a new Remote Access Trojan (RAT) named SharpRhino utilized by the threat actor group Hunters International.
  
  See the solution
Week 40
- DCRAT Employs HTML Smuggling To Target Users In Recent Campaign
  DCRat (aka Dark Crystal RAT) is a modular RAT that has been available since at least 2018. The malwares capabilities include executing shell commands stealing credentials and logging keystrokes from the infected system. It has historically been delivered via compromised websites phishing or dropped by other malicious files. Recently DCRat was observed using HTML smuggling for the first time this method allows the malware to attempt to bypass network defenses by embedding or retrieving payloads via obfuscated HTML files. The recent campaign was seen delivering a password-protected archive containing a self-extracting executable which were packed with tools like .NET Reactor ENIGMA or VMProtect. Upon successful extraction additional malicious payloads are automatically executed allowing the attacker to have evaded detection.
  
  See the solution
- Kofurlak Ransomware
  New ransomware family is based on leaked LockBit source code
  
  See the solution
- New China-Linked Group CeranaKeeper Targeted Thailand Government Entities With Custom Malware in Data Theft Campaigns
  New China-Linked Group CeranaKeeper Targeted Thailand Government Entities With Custom Malware in Data Theft Campaigns. CeranaKeeper a China-linked threat actor has been associated with data exfiltration campaigns targeting government entities in Thailand
  
  See the solution
- A Measure of Motive How Attackers Weaponize Digital Analytics Tools
  Threat actors are repurposing digital analytics and advertising tools to evade detection and enhance their malicious campaigns. The report explores how link shorteners IP geolocation utilities CAPTCHA systems and advertising intelligence platforms are being weaponized. It provides insights into the tactics used by attackers and offers detection and mitigation strategies for defenders. The analysis covers specific examples of how these tools are exploited including the use of bit.ly for tracking phishing campaigns IP geolocation for targeted attacks CAPTCHA for evading security scans and competitive ad intelligence for crafting malvertising campaigns.
  
  See the solution
Week 39
- New Medusa malware variants target Android users in seven countries
  Cleafys threat intelligence team has identified the resurgence of the Medusa banking trojan for Android targeting countries including France Italy the United States Canada Spain the United Kingdom and Turkey.
  
  See the solution
- Kryptina RaaS And The Mallox Ransomware Connection
  Kryptina initially a free tool on public forums has evolved into a key component in enterprise attacks particularly by the Mallox ransomware group. In May 2024 a Mallox affiliate leaked data revealing that their Linux ransomware was built on a modified version of Kryptina with only superficial changes to the source code and branding. This case highlights the commoditization of ransomware tools making malware tracking more difficult as affiliates mix different codebases to create new variants.
  
  See the solution
- How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections
  The RansomHub ransomware attributed to a group tracked as Water Bakunawa employs sophisticated anti-EDR techniques to evade security solutions. Its attack chain includes exploiting vulnerabilities like Zerologon using EDRKillShifter to disable endpoint protection and employing various evasion scripts. The ransomware targets multiple industries and critical infrastructure sectors using spear-phishing for initial access. It utilizes tools like NetScan for network reconnaissance and AnyDesk for command and control. The attackers exfiltrate sensitive data using rclone before encrypting files and demanding ransom. The evolving tactics of RansomHub highlight the need for advanced multi-layered security strategies to protect against modern ransomware threats.
  
  See the solution
- Symantec RansomHub - Recent Indicators of Compromise
  "Since first emerging in February 2024 the RansomHub ransomware operation has continued to gain momentum quickly becoming one of the largest ransomware groups currently operating RansomHub is run as a ransomware-as-a-service (RaaS) operation and as such is used by multiple actors employing differing tactics techniques and
  See the solution
- Kimsuky A Gift That Keeps on Giving
  This analysis details a sophisticated cyber attack attributed to the North Korean-linked Kimsuky APT group. The attack begins with an LNK file leading to the execution of obfuscated VBS scripts. These scripts create scheduled tasks modify registry keys for persistence and establish communication with a command and control (C2) server. The malware employs various evasion techniques including Base64 encoding and Caesar Cipher obfuscation. The ultimate goal appears to be maintaining long-term access to the victims machine for espionage activities. The report also includes a personal anecdote of the analysts brief interaction with the C2 server receiving a single command after hours of waiting.
  
  See the solution
- SloppyLemming Operations Target Entities Across South Asia
  "Between late 2022 and 2024 the threat actor the threat actor identified as SloppyLemming (aka Fishing Elephant) has targeted various South and East Asian countries such as Pakistan using cloud service providers for credential harvesting malware delivery and C2 infrastructure. They target government defense telecommunications and energy sectors and had been seen extending their reach beyond Pakistan to include Bangladesh Sri Lanka and China. The phishing campaigns utilize the custom-built tool CloudPhish and focuses on stealing credentials and emails.
  See the solution
Week 38
- Targeted Iranian Attacks Against Iraqi Government Infrastructure
  Check Point Research uncovered a new malware campaign targeting Iraqi government entities employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors DNS tunneling and C2 communication via compromised email accounts. The malware shows connections to previously known APT34 malware families like Karkoff Saitama and IIS Group 2 which are associated with Iranian intelligence services. The campaign features unique command and control mechanisms and tailored infrastructure for specific targets. The initial infection vector likely involved social engineering with malware disguised as document attachments. The actors demonstrated sophisticated techniques to evade detection and maintain persistence within compromised networks.
  
  See the solution
- DragonRank a Chinese-speaking SEO manipulator service provider
  Cisco Talos is disclosing a new threat called DragonRank that primarily targets countries in Asia and a few in Europe operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation.
  
  See the solution
- Chinese APT abuses MSC files with GrimResource vulnerability
  A Chinese Advanced Persistent Threat (APT) group has been exploiting MSC files using a new diskless shellcode technique. The campaign primarily targets government agencies and critical infrastructure in Southeast Asia focusing on the Philippines Vietnam and Taiwan. The attack chain involves downloading and executing malicious files including a 64-bit shellcode and the Marte Beacon with CobaltStrike. The groups modus operandi reflects techniques of Chinese origin APTs operating Monday to Friday during hours compatible with Chinese time zones. While precise attribution is not possible it could be a subgroup of APT41. The campaigns have evolved since August 2nd incorporating a new module in the infection chain. The threat actor uses various decoys and targets both Windows and Linux systems.
  
  See the solution
- New ransomware based on Hive source code
  Hunters International ransomware shares many similarities with Hive ransomware yet it is not a rebrand as threat actors said. After the FBI defaced the Hive ransomware leak site Hunters International sold older versions of their source code written in C and Golang as well as their websiteAccording to provided sources they took Hive encryption logic and fixed several issues that sometimes prevented file decryption. Similar to Hive Hunters International works as ransomware as a service (RaaS) and besides encryption it also exfiltrates victim data.
  
  See the solution
Week 37
- Tropic Trooper spies on government entities in the Middle East
  Tropic Trooper a Chinese-speaking APT group active since 2011 has expanded its operations to target government entities in the Middle East. The group deployed a new variant of the China Chopper web shell on a compromised Umbraco CMS server along with other post-exploitation tools and backdoor implants. The attackers used DLL search-order hijacking to load malicious payloads including a loader called Crowdoor. The campaign focused on cyber espionage targeting systems related to human rights studies in the region. This marks a strategic shift for Tropic Trooper previously known for targeting Southeast Asian countries.
  
  See the solution
- Threat Assessment North Korean Threat Groups
  This assessment evaluates several North Korean threat groups operating under the Reconnaissance General Bureau. It describes their organizational structure objectives and the diverse malware families employed in their recent campaigns targeting various industries worldwide. The analysis covers 10 malware samples across Windows macOS and Linux systems providing technical insights into their functionality and Palo Alto Networks Cortex XDRs capability to detect and mitigate these threats.
  
  See the solution
- Chinese APT Abuses VSCode to Target Government in Asia
  The report details a campaign by the Chinese advanced persistent threat (APT) group Stately Taurus which carried out cyberespionage operations against government entities in Southeast Asia. The group employed a novel technique that leveraged the reverse shell feature of Visual Studio Code to gain initial access and deliver additional malware payloads. This represents the first observed instance of threat actors exploiting this vulnerability. The campaign exhibits strong connections to a previous Stately Taurus operation through shared tactics techniques procedures (TTPs) timelines and victimology. Furthermore the report examines a potential link between the Stately Taurus activity and a separate cluster involving the ShadowPad backdoor within the same targeted environment.
  
  See the solution
- APT Lazarus Eager Crypto Beavers Video calls and Games
  Group-ib explored the growing threats posed by the Lazarus Groups financially-driven campaign against developers. Group-ib examined their recent Python scripts including the CivetQ and BeaverTail malware variants along with their updated versions in Windows and Python releases. Additionally they analyzed their tactics techniques and indicators of compromise.
  
  See the solution
Week 36
- Latrodectus Rapid Evolution Continues With Latest New Payload Features
  This report discusses the latest updates to the Latrodectus malware including a different string deobfuscation approach a new C2 endpoint and two new backdoor commands. It provides an in-depth analysis of the new version 1.4 focusing on the new features added or updated in this variant. The report examines the obfuscation techniques used the deobfuscation process the C2 communication and the new commands introduced.
  
  See the solution
- Threat actors using MacroPack to deploy Brute Ratel Havoc and PhantomCore payloads
  Multiple Microsoft Office documents generated by the MacroPack framework have been discovered likely used by malicious actors to deploy various payloads. These documents uploaded to VirusTotal between May and July 2024 originated from different countries including China Pakistan Russia and the U.S. The payloads include Havoc and Brute Ratel post-exploitation frameworks as well as a new variant of the PhantomCore remote access trojan. The MacroPack-generated code employs various obfuscation techniques to evade detection. The documents feature different lures ranging from generic instructions to military-themed content. While the specific threat actors remain unidentified the analysis reveals distinct clusters based on lure themes payload types and command and control infrastructure.
  
  See the solution
- State-backed attackers and commercial surveillance vendors repeatedly use the same exploits
  Googles Threat Analysis Group (TAG) uncovered in-the-wild exploit campaigns targeting Mongolian government websites between November 2023 and July 2024. TAG attributes the attack to the Russian government-backed actor APT29 tracked by Microsoft as Midnight Blizzard. The attackers utilized exploits similar to those used by commercial surveillance vendors Intellexa and NSO Group.
  
  See the solution
- Emansrepo Stealer Multi-Vector Attack Chains
  A Python infostealer named Emansrepo has been observed since November 2023 distributed via phishing emails containing fake purchase orders and invoices. The malware steals browser data credit card information and files sending them to the attackers email. The attack chain has evolved becoming more complex with multiple stages before downloading Emansrepo. Three main attack chains are described involving HTML files AutoIt scripts and PowerShell commands. The stealers behavior is divided into three parts targeting different types of data. A new related campaign using Remcos malware has also been identified. The attackers continuously evolve their methods emphasizing the importance of cybersecurity awareness for organizations.
  
  See the solution
- Toneshell Backdoor Used to Target Attendees of the IISS Defence Summit
  A cyber espionage campaign using the ToneShell backdoor associated with Mustang Panda has been detected targeting attendees of the 2024 IISS Defence Summit in Prague. The attack utilizes a malicious PIF file masquerading as summit documents which drops SFFWallpaperCore.exe and libemb.dll. The malware establishes persistence through registry run keys and scheduled tasks communicating with a C2 server in Hong Kong using raw TCP mimicking TLS. The campaign highlights the intersection of cyber espionage and international strategy aiming to infiltrate sensitive defense discussions. Analysis revealed connections to previously reported APT-Q-27 activities and potential links to other infrastructure through shared RDP certificates.
  
  See the solution
- US Cert Alert - Russian Military Target US and Global Critical Infrastructure
  The Federal Bureau of Investigation (FBI) Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage sabotage and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups such as Unit 26165 and Unit 74455.
  
  See the solution
- Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool
  Cybercriminals are employing a sophisticated two-stage malware campaign masquerading as the Palo Alto GlobalProtect tool to infiltrate systems in the Middle East region. The malware leverages a complex command-and-control infrastructure involving newly registered domains designed to resemble legitimate VPN portals. It utilizes the Interactsh project for beaconing and maintains stealth through encryption and sandbox evasion techniques enabling remote code execution payload deployment and data exfiltration on compromised hosts.
  
  See the solution
Week 35
- HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
  A version of the HZ Rat backdoor targeting users of Chinas WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor research by Kaspersky suggests.
  
  See the solution
- BORN Group Supply Chain Breach In-Depth Analysis of Jenkins Exploitation
  This analysis examines a substantial supply chain assault on the IT service provider BORN Group. The cybercriminal Intelbroker leveraged a vulnerability (CVE-2024-23897) to breach BORN Groups infrastructure leading to the exfiltration of sensitive information from various clients. Furthermore Intelbroker claims to have compromised a database exposing approximately 196000 individuals personal details as part of this supply chain incident.
  
  See the solution
- Exposed and Encrypted Inside a Mallox Ransomware Attack
  Trustwave recently investigated an unauthorized access incident within a clients cloud-based environment that led to a Mallox ransomware attack.
  
  See the solution
Week 34
- GreenCharlie Infrastructure Linked to US Political Campaign Targeting
  An analysis by Insikt Group revealed a significant surge in cyber threat activities from GreenCharlie an Iran-linked group associated with Mint Sandstorm Charming Kitten and APT42. The group persistently targets US political and governmental entities through sophisticated phishing operations involving malware like GORBLE and POWERSTAR. Their infrastructure employs dynamic DNS providers and deceptive domain themes to facilitate phishing attacks. Recorded Futures Network Intelligence identified Iran-based IP addresses communicating with GreenCharlies infrastructure further suggesting Iranian involvement in these operations.
  
  See the solution
- Charming Kitten Replaces Bellaciao Malware With Cyclops
  The Charming Kitten threat group (APT35) was found using the Cyclops backdoor against targets in the Middle East in 2024. Cyclops, written in Go, enables the execution of arbitrary commands on a target's system and allows lateral movement within the network. The malware is controlled via an HTTP REST API accessed through an SSH tunnel. Cyclops appears to be a successor to the BellaCiao malware, sharing similar TTPs and targets. It uses the go-svc library to run as a service on Windows, likely for persistence.
  
  See the solution
- Phishing Campaign Alert by CERT IL
  "The National Cyber Directorate has reported an active phishing campaign in Israel. A file containing identifiers is attached to this alert. It is recommended to monitor them in all relevant organizational security systems. Details The campaign is managed using an email campaign management software called YAMM by a French company named Talarian. The software operates and is integrated with Google Cloud services. The email message includes text that impersonates an urgent message from well-known organizations in Israel claiming a copyright violation by the recipient. To prove the violation the recipient is asked to download a file (a RAR archive containing images that allegedly violate copyrights) from a link pointing to the appspot.com service and then via a URL shortening service to Dropbox. Downloading and running the file will install a known malware called RHADAMANTHYS stealer. Mitigation Measures A file containing identifiers is attached to this alert. It is recommended to monitor them in all relevant organizational security systems. It is recommended to suspect emails with links containing the string ""/-dot-yamm-track.appspot.com"". While this is not a unique identifier as legitimate emails may also come from this system it is suspicious under the circumstances of the current campaign especially if the email concerns copyright infringement. It is recommended to inform all users about the campaign and remind them not to open suspicious links and attachments."
  
  See the solution
- Stargazers Ghost Network
  Check Point Research identified a sophisticated network of GitHub accounts distributing malware through malicious repositories. The Stargazers Ghost Network consists of different types of accounts performing various actions like starring forking and subscribing to give an appearance of legitimacy. This network functions as a Distribution as a Service (DaaS) allowing threat actors to share malicious content. The operator tracked as Stargazer Goblin provides and maintains the network distributing malware families like Atlantida Stealer Rhadamanthys Lumma Stealer and RedLine. With over 3000 active Ghost accounts the network has earned an estimated $100000 since its inception in August 2022. This new era of malware distribution utilizes ghost accounts across platforms potentially employing AI for targeted campaigns.
  
  See the solution
- Threat Actor Leverages Cronus Ransomware And Lures Victims With Fake PayPal Documents
  An unidentified adversary had launched a sophisticated multi-stage campaign for deploying a file-less Cronus ransomware via PowerShell to target potential victims. This group achieved initial access through a malicious lure document deployed via a phishing campaign embedded with VBA macros and subsequently drops a PowerShell loader for subsequently deploying Cronus ransomware using reflective DLL loading. Threat actor establishes persistence onto infected systems via Startup folder and aims to evade detection through various techniques such as command obfuscation reflective DLL loading Process Injection obfuscation with junk code. This ransomware is packed with .Net reactor for performing various action on objectives after establishing foothold onto compromised systems like changing wallpaper encrypting specific files and terminating processes. It enumerates clipboard contents to replace it with adversarys BTC wallet address and subsequently drops a ransom note for demanding payment for decryption keys.
  
  See the solution
- Cheana Stealer Targets VPN Users
  "Researchers discovered a phishing website targeting individuals downloading VPN applications for Windows Linux and macOS. The site mimics the legitimate ""WarpVPN"" service and offers detailed installation instructions for each platform. The threat actor has created distinct stealer binaries for each operating system known as the Cheana Stealer which extracts sensitive data from victims machines. It targets cryptocurrency browser extensions standalone crypto wallets stored browser passwords login data cookies SSH keys macOS passwords and Keychain data."
  
  See the solution
Week 33
- Threat Actors Leverage Leaked Ransomware Source Code To Offer DeathGrip RaaS
  DeathGrip Ransomware As A Service (RaaS) started offering services in June of 2024 providing ransomware builder tools to its subscribers even those with less technical skills. DeathGrip is advertises on platforms like Telegram where criminals can easily access the tools needed to carry out these attacks. The developers behind DeathGrip have leveraged leaked source code from other ransomware variants including LockBit 3.0 and Yashma/Chaos ransomware families. Just like the variants they are sourced from once the ransomware is activated it locks the victims files and demands a payment to unlock them. RaaS offering such as DeathGrip are concerning as they allow anyone willing to pay the opportunity to target users and organizations without requiring the skills to develop their own ransomware.
  
  See the solution
- Ande Loader Leads to 0bj3ctivity Stealer Infection
  In July 2024 eSentires Threat Response Unit observed a phishing attack leading to a 0bj3ctivity Stealer malware infection. The attack involved a malicious JavaScript file that retrieved and executed Ande Loader and the 0bj3ctivity Stealer. Ande Loader created persistence downloaded additional payloads and performed process injection. The 0bj3ctivity Stealer exfiltrated data from various browsers and messengers to Telegram servers or SMTP including credentials credit card information and system details. The attack utilized obfuscation anti-analysis techniques and a multi-stage delivery mechanism to evade detection.
  
  See the solution
- Major Payment Disruption Ransomware Strikes Indian Banking Infrastructure
  Researchers at CloudSEKs Threat Research and Information Analytics Division have uncovered a significant ransomware attack targeting Indias banking ecosystem impacting banks and payment providers.
  
  See the solution
- A Dive into Earth Bakus Latest Campaign
  TrendMicro released a report on the expanded activities of Earth Baku an advanced persistent threat (APT) group associated with APT41. APT41 is tracked by Microsoft as Brass Typhoon.
  
  See the solution
Week 32
- Likely compromise of Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
  A government-affiliated Taiwanese research institute specializing in computing technologies experienced a cyber intrusion likely carried out by the Chinese hacking group APT41. The attackers employed ShadowPad malware Cobalt Strike and custom tools exploiting vulnerabilities like CVE-2018-0824 for privilege escalation. They gathered information deployed backdoors harvested credentials and exfiltrated data. Evidence suggests the threat actor spoke Chinese and followed open-source anti-detection techniques.
  
  See the solution
- North Korean Hacking Groups Stealing Construction and Machinery Sector Technologies A Warning
  South Koreas cybersecurity community consisting of the National Intelligence Service Prosecution Service Police Agency Defense Security Command and Cyber Command among others warns of the risks posed by North Korean hacking groups cyber attacks targeting the domestic construction and machinery sectors. The report highlights the attack strategies techniques procedures (TTPs) and indicators of compromise (IoCs) employed by these North Korean groups. As North Korea accelerates its regional development initiatives its party military and government entities as well as hacking groups are intensifying efforts to obtain unauthorized access to South Koreas construction machinery and urban development data to aid in industrial plant construction and local development plans.
  
  See the solution
Week 31
- Introducing Gh0stGambit A Dropper for Deploying Gh0st RAT
  This analysis examines a recent malware campaign involving a dropper dubbed Gh0stGambit which is employed to retrieve and execute encrypted payloads specifically a variant of the notorious Gh0st Remote Access Trojan (RAT). The report details the multi-stage infection process including the use of deceptive Chrome installer lures the droppers evasive techniques and the capabilities of the delivered Gh0st RAT variant. The malware exhibits advanced functionality such as rootkit components keylogging process termination and data exfiltration. The investigation concludes that the campaign primarily targets Chinese-speaking users based on the use of Chinese web lures and the malwares ability to gather information from Chinese applications.
  
  See the solution
- Unknown PowerShell Backdoor Connected To ZLoader
  While investigating a new variant of Zloader/SilentNight researchers at Walmart identified an unknown Powershell backdoor packed using AgileDotNet. The backdoor is designed for reconnaissance and deploying additional malware including Zloader. It conducts system checks and if these checks fail it uninstalls itself and deletes previous data. If the checks pass it writes a VB downloader to the disk which executes a hardcoded curl command to download and run files from an encoded URL. For persistence it creates a scheduled task and a registry Run key. The malware then collects encodes encrypts and exfiltrates system information to command and control servers.
  
  See the solution
- US Cert Alert - North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regimes Military and Nuclear Programs
  The U.S. Federal Bureau of Investigation (FBI) and the following authoring partners are releasing this Cybersecurity Advisory to highlight cyber espionage activity associated with the Democratic People?s Republic of Korea (DPRK)?s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju.
  
  See the solution
- GXC Team Unmasked The cybercriminal group targeting Spanish bank users with AI-powered phishing tools and Android malware
  Group-IB discovered a Spanish-speaking criminal group GXC Team offering a sophisticated AI-powered phishing-as-a-service platform targeting Spanish bank customers. The group specialized in developing phishing kits Android malware and AI-powered scam tools. Their malicious Android app disguised as a banking application was designed to intercept OTP codes affecting users of over 36 Spanish banks and 30 institutions worldwide. Despite not being highly sophisticated GXC Teams innovative features such as bundling phishing kits with the Android malware and an AI-powered voice caller made them a severe threat to banking security in Spain.
  
  See the solution
- Fighting Ursa APT28 Entices Victims With Car For Sale Lures
  A Russian threat actor known as Fighting Ursa (also known as APT28 Fancy Bear and Sofacy) launched a campaign in March 2024 targeting diplomats using a car-for-sale lure to distribute the HeadLace backdoor malware.
  
  See the solution
Week 30
- Likely eCrime Actor Uses Filenames Capitalizing on 19 July 2024 Falcon Sensor Content Issues in Operation Targeting LATAM-Based CrowdStrike Customers
  On 19 July 2024 an issue present in a single content update for CrowdStrikes Falcon Sensor impacting Windows operating systems was identified and a fix was deployed.1 CrowdStrike Intelligence has since observed threat actors leveraging the event to distribute a malicious ZIP archive named crowdstrike-hotfix.zip. The ZIP archive contains a HijackLoader payload that when executed loads RemCos
  
  See the solution
- HotPage Story of a signed vulnerable ad-injecting driver
  This report investigates a sophisticated Chinese browser injector called HotPage capable of injecting code into remote processes and intercepting network traffic to modify requested web pages redirect users or open new tabs based on rules. Despite claims of being a security solution HotPage leverages vulnerabilities to perform malicious ad injection. The driver signed by Microsoft leaves systems open to privilege escalation attacks due to improper access controls. The analysis uncovers the malwares components techniques and the mysterious company behind it.
  
  See the solution
- WhiteSnake Stealer Delivered In A Multi-Stage Phishing Campaign
  A recent multi-staged phishing campaign disguised as tax invoices dropped the WhiteSnake malware on unsuspecting recipient machines. The initial stage employed a Windows batch script that deployed a PowerShell dropper which further decrypts and executes two payloads. The payloads included an AMSI bypass and the WhiteSnake loader which then decrypted and ran the WhiteSnake stealer malware. Once executed the stealer can detect sandbox environments setting persistence through task scheduling and various exfiltration techniques including Telegram and attacker controlled C2 servers. Other features include keylogging webcam and audio recording as well as cryptojacking.
  
  See the solution
- Cert IL Alert - More MuddyWater IOCs
  "Recently the National Cyber Directorate detected an active campaign in the Israeli domain.
  See the solution
- Daggerfly Espionage Group Makes Major Update to Toolset
  An advanced persistent threat (APT) group known as Daggerfly or Evasive Panda has significantly updated its malware arsenal. The group has introduced new versions of its modular backdoor framework MgBot for multiple platforms including Windows Linux macOS and Android. Symantec researchers have also attributed the previously documented Macma macOS backdoor to Daggerfly based on shared code and infrastructure. Additionally a new Windows backdoor named Suzafk has been identified as part of Daggerflys toolkit. Recent attacks targeting organizations in Taiwan a US NGO based in China and telecoms operators in Africa demonstrate the groups continued espionage activities.
  
  See the solution
- UAC-0063 attacks research institutions in Ukraine HATVIBE CHERRYSPY CVE-2024-23692
  The Computer Emergency Response Team of Ukraine (CERT-UA) reported on an attack by UAC-0063 targeting a research institution in Ukraine in July 2024.
  
  See the solution
- Ports And Maritime Facilities Targeted By SideWinder APT Group
  A recent campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea was launched by The SideWinder APT group. Using upgraded infrastructure and different tactics SideWinder employed phishing emails with highly specific themes that duplicated logos to deliver malicious documents and obfuscated JavaScript code. The campaign targeted Pakistan Egypt Sri Lanka Bangladesh Myanmar Nepal and the Maldives for espionage and intelligence gathering purposes. The attackers exploited a known vulnerability CVE-2017-0199 in Microsoft Office to gain initial access via remote template injection. They then used shellcode to ensure the system was an actual machine and not a virtual machine before deploying their actual payloads. SideWinder then made use of Tor nodes and domain structures to aid in obfuscation and persistence.
  
  See the solution
- Cert IL Alert - Phishing Campaign Following CrowdStrike Glitch
  Following the glitch in CrowdStrike software the National Cyber Directorate has reported a phishing campaign attempting to impersonate the company.
  
  See the solution
Week 29
- Increase In The Exploitation Of Microsoft SmartScreen Vulnerability CVE-2024-21412
  Cyble analyzes an ongoing campaign exploiting a Microsoft SmartScreen vulnerability to deliver stealers through spam emails. The campaign employs lures related to healthcare transportation and tax notices to trick users into downloading malicious payloads. It utilizes techniques like DLL sideloading and IDATLoader to inject the final payload. The malicious activity culminates in the deployment of Lumma and Meduza Stealer for data theft.
  
  See the solution
- More Akira-related IOCs are spotted in the wild
  Akira ransomware operations are attributed to unidentified cybercriminal groups employing advanced TTPs with observed shifts in strategies and tools used over time.
  
  See the solution
- MuddyWater APT Group Releases BugSleep Backdoor Across The Middle East
  MuddyWater an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS) has ramped up its activities in Israel since the Israel-Hamas war began in October 2023. This activity is also observed against targets in Saudi Arabia Turkey Azerbaijan India and Portugal. MuddyWater uses phishing campaigns sent from compromised organizational email accounts typically leading to the deployment of legitimate Remote Management Tools (RMM) like Atera Agent and Screen Connect. Recently their campaigns have introduced BugSleep a new custom backdoor designed to execute commands and transfer files between compromised machines and the C2 server. BugSleep is still in development with ongoing improvements and bug fixes by the threat actors.
  
  See the solution
- BianLian Ransomware Group Continues To Adapt
  The BianLian ransomware group one of the top three most active ransomware groups alongside Lockbit3 and Alphv has shown continuous evolution and adaptability. They have significantly impacted various sectors notably legal services healthcare engineering/construction accounting services and logistics and transportation. BianLians prominence highlights the dynamic nature of the threat landscape. Their ability to adapt tactics develop new tools and exploit emerging vulnerabilities underscores the need for constant vigilance and proactive defense measures. Using Golang BianLian has created versatile tools that operate across different operating systems. Understanding their techniques and implementing robust defenses can help organizations better prepare for and mitigate ransomware attacks.
  
  See the solution
- Cert IL Alert - active phishing campaign in Israel
  Recently the National Cyber Directorate reported an active phishing campaign in Israel.
  
  See the solution
- US Cert Alert - Peoples Republic of China PRC Ministry of State Security APT40 Tradecraft in Action
  This advisory outlines the tactics techniques and procedures employed by the state-sponsored cyber group APT40 also known as Kryptonite Panda GINGHAM TYPHOON Leviathan and Bronze Mohawk. The group believed to be associated with the Peoples Republic of Chinas Ministry of State Security has repeatedly targeted networks in various countries including Australia and the United States. The report provides details on the groups methods for initial access execution persistence privilege escalation defense evasion credential access discovery lateral movement collection exfiltration and command and control. It highlights the groups ability to rapidly exploit new vulnerabilities and compromised devices as operational infrastructure.
  
  See the solution
- APT41 Adds New Malware To Compromise Entities Across Multiple Sectors
  Mandiant discovered an APT41 intrusion where the threat actor used ANTSWORD and BLUEBEAM web shells for persistence on a Tomcat Apache Manager server active since at least 2023. APT41 used these web shells to execute certutil.exe to download the DUSTPAN dropper which stealthily loaded a Cobalt Strike beacon. As the intrusion progressed APT41 escalated their tactics by deploying the DUSTTRAP dropper. DUSTTRAP would decrypt and execute a malicious payload in memory minimizing forensic traces. The payload established communication with either APT41-controlled infrastructure or compromised Google Workspace accounts. These accounts were remediated to prevent further unauthorized access. Additionally APT41 used two legitimate tools SQLULDR2 to export data from Oracle databases and PINEGROVE to efficiently exfiltrate large volumes of sensitive data.
  
  See the solution
- ShadowRoot Ransomware Targeting Turkish Businesses
  An analysis reveals a basic ransomware campaign targeting Turkish enterprises. The attack commences with a malicious PDF attachment delivered via email containing a link that downloads an executable payload. This executable then drops further components including a .NET binary obfuscated with dotnet confuser. The malware recursively encrypts files with the .shadowroot extension and communicates with a Russian SMTP server. While exhibiting fundamental functionality this campaign appears to be the work of an inexperienced actor aiming to extort victims through ransom demands.
  
  See the solution
Week 28
- Silver Fox Threat Group Attack Activities
  The Silver Fox threat group has been found conducting an attack campaign using phishing websites to impersonate employees of critical national institutions and cybersecurity companies in China. They employed a downloader trojan payloads obfuscated with VMProtect and disguised as the Google Chrome browser along with obfuscated PowerShell commands.
  
  See the solution
- GrimResource - Microsoft Management Console for initial access and evasion
  A novel in-the-wild code execution technique leveraging Microsoft Management Console files (MSC) has been identified by Elastic Security researchers and was first spotted in the wild in June 2016 and is currently being investigated by VirusTotal.
  
  See the solution
- Mallox Ransomware Linux Variant Decryptor Found
  The report analyzes the Mallox ransomware which has been active since mid-2021 and focuses on multi-extortion by encrypting victims data and threatening to post it on public TOR sites. Initially targeting Windows systems Mallox has now developed Linux variants using custom Python scripts for payload delivery and data exfiltration. The analysis reveals a Flask-based web panel for creating Linux ransomware builds with capabilities like user authentication build management and admin functions. The encryptor uses AES-256-CBC encryption with a specific key and IV appends the .lmallox extension to encrypted files and drops a ransom note. The report also includes decryptors for various build IDs and covers Uptycs XDR detection capabilities and indicators of compromise.
  
  See the solution
- Mekotio Banking Trojan Threatens Financial Systems in Latin America
  The Mekotio banking trojan active since 2015 primarily targets Latin American countries to steal sensitive banking credentials through phishing emails containing malicious links or attachments. Upon execution it gathers system information connects to a command-and-control server and performs credential theft information gathering and employs persistence mechanisms. The stolen data is sent back to the server for fraudulent activities. Users and organizations should follow security best practices to mitigate this threat.
  
  See the solution
- Turla A Master of Deception
  This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites PowerShell scripts and MSBuild to deploy the payload which employs various evasion techniques like disabling security features memory patching and AMSI bypass. The malware establishes communication with its command and control servers and is capable of executing additional PowerShell scripts. The analysis also provides insights into the malwares capabilities including its anti-detection mechanisms and ability to report information back to its operators.
  
  See the solution
- Turning Jenkins Into a Cryptomining Machine From an Attackers Perspective
  This report analyzes how threat actors can exploit misconfigured Jenkins servers to execute malicious Groovy scripts leading to activities like deploying cryptocurrency miners. Misconfigurations exposing the /script endpoint allow remote code execution enabling attackers to run scripts that download and execute miner binaries while maintaining persistence through cron jobs and systemd utilities.
  
  See the solution
- Dissecting GootLoader With Nodejs
  This article demonstrates how to circumvent anti-analysis techniques employed by GootLoader malware while utilizing Node.js debugging in Visual Studio Code. GootLoader JavaScript files employ an evasion technique that can pose a formidable challenge for sandboxes attempting to analyze the malware. The malware creators leveraged time-consuming loops with arrays of functions to deliberately delay the execution of malicious code effectively implementing a sleep period to obfuscate GootLoaders malicious nature. Through continuous collaboration and knowledge sharing we can enhance our ability to detect analyze and develop effective countermeasures against such malicious software.
  
  See the solution
- Resurrecting Internet Explorer Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims CVE-2024-38112
  Check Point Research discovered threat actors leveraging novel techniques to execute malicious code on Windows systems by exploiting Internet Explorers vulnerabilities. The attackers utilized specially crafted .url files that when opened would launch IE and visit attacker-controlled URLs. Additionally they employed a trick to hide the .hta extension tricking victims into executing malicious code disguised as a PDF file. This campaign has been active since January 2023 targeting various industries and utilizing multiple MITRE ATT&CK techniques.
  
  See the solution
Week 27
- New Threat A Deep Dive Into the Zergeca Botnet
  An analysis of a newly discovered botnet named Zergeca implemented in Go language with capabilities for DDoS attacks proxying scanning self-upgrading persistence file transfer reverse shell and collecting sensitive device information. The report delves into the botnets unique features including its multi-DNS resolution methods encrypted communication protocol and connection to a previously used IP address associated with Mirai botnets. The analysis covers sample detection infrastructure details reverse engineering findings and provides insights into the authors techniques and expertise.
  
  See the solution
- RisePro Information Stealer
  RisePro is a multifunctional information-stealer often sold on underground forums as part of a Malware-as-a-Service (MaaS) offering. RisePro has no specific infection vector and can be dropped onto a victims device in a plethora of ways often relying on malicious links and lures to gain an initial foothold. In the past it has been deployed by PrivateLoader a pay-per-install (PPI) malware often utilized by other threat actors as a malware distribution service allowing threats like RisePro to be deployed onto unsuspecting victim devices.
  
  See the solution
- New Ransomware Operator Volcano Demon Serving Up LukaLocker
  A cybersecurity firm has encountered a new ransomware organization dubbed Volcano Demon responsible for recent attacks involving an encryptor called LukaLocker. The malware encrypts victims files with the .nba extension and was successful in compromising Windows workstations and servers after harvesting administrative credentials. Prior to encryption data was exfiltrated for double extortion techniques. The threat actors utilize phone calls with a threatening tone to extort and negotiate ransom payments.
  
  See the solution
- Supply Chain Compromise Leads to Trojanized Installers
  Rapid7 discovered that installers for Notezilla RecentX and Copywhiz hosted on conceptworld[.]com were trojanized to execute information-stealing malware. The malware can steal browser credentials crypto wallet info clipboard data and keystrokes as well as download additional payloads. Rapid7 disclosed the issue to Conceptworld who promptly removed the malicious installers.
  
  See the solution
- Unfurling Hemlock Threat group uses cluster bomb campaigns
  A threat actor dubbed Unfurling Hemlock has been observed distributing hundreds of thousands of malware samples in a campaign lasting several months. The malware is distributed using a cluster bomb technique where each sample contains multiple stages of nested executable files each containing additional malware payloads. The distributed malware includes stealers like Redline RisePro and Mystic Stealer as well as loaders like Amadey and SmokeLoader. The campaign appears financially motivated and targets victims globally with no specific industry focus. The actor is suspected to be Eastern European based on language artifacts and hosting infrastructure.
  
  See the solution
- Cert IL Alert - TellYouThePass activity
  According to information from the National Cyber Directorate the actors behind the ransomware known as TellYouThePass are significantly exploiting the CVE-2024-4577 vulnerability in PHP servers running on the Windows operating system.
  
  See the solution
- Cert IL Alert - Change in Activity of Cl0p Group
  According to information from the National Cyber Directorate the Cl0p crime group (also known as Graceful Spider Lace Tempest UNC4857 FIN11 TA505) has resumed using encryption in ransomware attacks in addition to stealing information from its victims.
  
  See the solution
- Threat Actors Continue To Take Advantage Of LockBit Ransomware Builders
  Threat actors are exploiting LockBit ransomware builders to create custom malware for cyberattacks and extortion. Some of these actors identify themselves while others remain anonymous. Ransom demands range from a few hundred to thousands of dollars. Emerging variants such as Brain Cipher Ransomware and Nullbudge Lock provide links to Tor-accessible web interfaces for negotiations. Brain Cipher Ransomware though basic suggests a backend system for managing negotiations and payments and has already targeted high-profile victims with six-figure ransom demands. Other variants include DragonForce discovered at the end of 2023 which supports communication through Tox or a web interface and SenSayQ which uses email and its own web interface.
  
  See the solution
- Attackers Exploit CVE-2021-40444 To Infiltrate Systems With MerkSpy
  "MerkSpy is spyware targeting Microsoft Windows designed to secretly monitor activities capture sensitive information and maintain persistence. It disguises itself as a legitimate Google update file and is protected with VMProtect. Attackers exploit the CVE-2021-40444 vulnerability in Microsoft Office using deceptive Microsoft Word documents posing as job descriptions. These documents execute malicious code downloading the ""olerender.html"" payload from a remote server. The payloads shellcode acts as a downloader fetching the core spyware ""GoogleUpdate"" file. This file deeply encoded to evade detection is decoded and executed to inject MerkSpy into system processes. MerkSpy achieves persistence by adding a registry entry for GoogleUpdate.exe ensuring it runs at startup. It captures screenshots logs keystrokes retrieves Chrome login credentials and accesses the MetaMask extension then uploads the collected data to the attackers server."
  
  See the solution
- Regresshion CVE-2024-6387 A Targeted Exploit In The Wild
  A critical security flaw known as regression and cataloged under CVE-2024-6387 has been identified in OpenSSH just a few days ago. This vulnerability allows an unauthenticated attacker to execute arbitrary code and potentially obtain root access on the compromised system.
  
  See the solution
Week 26
- Chamelgang Friends Cyberespionage Groups Attacking Critical Infrastructure with Ransomware
  In collaboration with Recorded Future SentinelLabs has been tracking two distinct activity clusters targeting government and critical infrastructure sectors globally between 2021 and 2023.
  
  See the solution
- Attackers Exploiting Public Cobalt Strike Profiles
  This report discusses recent findings of malicious Cobalt Strike infrastructure and malicious Cobalt Strike samples that leverage publicly available Malleable C2 profiles for evasion. Despite its defensive cybersecurity use threat actors continue exploiting Cobalt Strikes malleable and evasive nature posing a significant threat. Palo Alto Networks solutions can help identify and mitigate Cobalt Strike activity across various platforms. The analysis also emphasizes the adaptability of attackers in modifying public profiles to evade detection highlighting the arms race against evolving threats.
  
  See the solution
- Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day
  Recent analysis by a cybersecurity firm suggests that a ransomware group might have exploited a Windows privilege escalation vulnerability CVE-2024-26169 before it was patched. The vulnerability which was addressed in March 2024 could allow attackers to elevate their privileges. Evidence from an exploit tool deployed in attempted attacks resembles tactics used by the Cardinal cybercrime group known for operating the Black Basta ransomware. The tools compilation timestamps predate the vulnerabilitys patching indicating it was potentially leveraged as a zero-day.
  
  See the solution
- Boolka Threat Actor Using Formstealing JavaScript To Capture Sensitive Data
  Researchers have identified a landing page designed to distribute the BManager modular trojan created by a threat actor known as Boolka. Over the past three years Boolka has been infecting vulnerable websites with malicious JavaScript that intercept data entered on these websites. When a user visits an infected site the script is downloaded and executed performing two main actions notifying Boolkas server of its execution and collecting user input from the website. The script monitors user interactions captures and encodes input data from forms into session storage and sends this data in Base64 format back to Boolkas server. This suggests that the script is designed for data exfiltration potentially capturing sensitive information such as usernames and passwords.
  
  See the solution
- Uncovering UNC3886 Espionage Operations
  Researchers have detailed the activities of the UNC3886 group which compromised guest virtual machines to access critical systems. The group used rootkits like REPTILE and MEDUSA for persistence deployed malware that used trusted third-party services (e.g. GitHub Google Drive) for command and control (C2) and utilized Secure Shell (SSH) backdoors to collect credentials. They exploited zero-day vulnerabilities to access vCenter servers and ESXi servers gaining control of guest VMs. UNC3886 used malware including MOPSLED and RIFLESPINE and relied on valid credentials for lateral movement. They also deployed backdoors such as VIRTUALSHINE VIRTUALPIE and VIRTUALSPHERE to facilitate communication and command execution between guest and host systems.
  
  See the solution
- Rejetto HTTP File Server Exploited To Drop Malware CVE-2024-23692
  Attackers have been found exploiting CVE-2024-23692 a template injection vulnerability in the Rejetto HTTP File Server software. This vulnerability enables remote unauthenticated attackers to execute arbitrary commands on the affected system via specially crafted HTTP requests. Following the public disclosure of the vulnerability a proof-of-concept (PoC) was also released. After initial infiltration the attackers gathered system information using commands such as whoami and arp. Subsequently they created hidden backdoor accounts to facilitate malware installation and remote desktop access. In many instances the HTTP File Server (HFS) was terminated by the attackers to prevent exploitation by others. Based on the malware and commands employed it is believed that most of these attacks were carried out by Chinese-speaking threat actors. Successful infections resulted in systems being compromised with various malware including XMRig XenoRAT Gh0stRAT PlugX Cobalt Strike Netcat and GoThief.
  
  See the solution
- Supposed Grasshopper operators impersonate Israeli government and private companies to deploy open-source malware
  A long-running campaign was identified involving malicious actors impersonating Israeli entities and private companies. The operators delivered payloads through crafted WordPress sites employing a mix of custom code and open-source malware like Donut and Sliver. While the motivations remain unclear the activities illustrate the challenges of distinguishing legitimate penetration testing from malicious operations especially when targeting government bodies. The investigation highlights the increasing adoption of publicly available attack tools and the need for greater transparency in the cybersecurity industry.
  
  See the solution
Week 25
- Cert IL Alert - GhostLocker latest activity
  GhostLocker is a ransomware strain written in Python compiled by an open-source project named Nuitka. The malware targets Windows devices and encrypts files under a specific and configurable directory path. Once running the malware Nuitka drops a .EXE file and multiple .PYD files in TEMP directory. The .EXE file contains the original malwares source code in Python encoded in base64 for obfuscation.
  
  See the solution
- Hackers use F5 BIG-IP Malware to Stealthily Steal Data for Years
  Sygnia analysts found that the Chinese cyberespionage group Velvet Ant utilized custom malware on F5 BIG-IP appliances to establish multiple footholds within the victims network.
  
  See the solution
- North Korean based backdoor packs a punch
  This report analyzes a new threat campaign discovered in late May featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies sectors of particular interest to North Korean threat groups. The backdoors analyzed are simple yet powerful tools with various obfuscation techniques and capabilities like reconnaissance data collection and remote control. While attribution is made with low confidence to the Kimsuky threat group there are indications of multiple developers potentially involved including the possible outsourcing of some malware creation capabilities.
  
  See the solution
- DarkGate v6
  DarkGate version 6 received the biggest update since version 4, the main code has been modified, including the configuration, evasion techniques, and supported commands.
  
  See the solution
Week 24
- Technical Analysis Of The SynapseCrypter Ransomware-As-A-Service
  A recently identified ransomware SynapseCrypter which emerged in early 2024 is distributed via Ransomware-as-a-Service (RaaS) on the the Russian dark web forum RAMP. The SynapseCrypter.exe payload is capable of rapid encryption using multiple encryption modes performs NTFS searches and privilege escalation via access token manipulation. It avoids encrypting systems in Iran suggesting possible affiliations with Iran-sympathizer groups. Synapse uses a custom encryption algorithm like Babuk Ransomware and appears to have borrowed features from the Lambda ransomware family hinting at reused code and connections with other ransomware as a service groups or developers. The ransomware checks system time zones and languages to ensure Iranian systems are excluded employs NTFS search and deletes shadow copies before encryption. Encrypted telemetry is sent to designated C2 IPs the malware is also capable of performing network scanning and replication.
  
  See the solution
- RansomHub Ransomware Exploits Zerologon Vulnerability To Encrypt Files
  RansomHub a new and rapidly growing Ransomware-as-a-Service (RaaS) is likely an updated version of the older Knight ransomware. Analysis revealed significant similarities between the two suggesting RansomHub originated from Knight. Despite this it is unlikely that Knights original creators are behind RansomHub. Knights source code originally known as Cyclops was sold on underground forums in February 2024 after its developers shut down their operation potentially allowing others to update and launch it as RansomHub. Both RansomHub and Knight are written in Go and most variants are obfuscated with Gobfuscate except for some early Knight versions. The code overlap is substantial making differentiation difficult without checking the embedded link to the data leak site. Both have nearly identical command-line help menus with RansomHub adding only a sleep command.
  
  See the solution
- DarkPeony Carries Out Operation Control Plug
  The DarkPeony threat actor executed Operation ControlPlug against military and government agencies in Myanmar the Philippines Mongolia and Serbia. The campaign began with MSC files which when opened displayed a screen prompting users to click a link that executed a PowerShell script. This script remotely downloaded and executed an MSI file containing an EXE DLL and DAT file. The EXE file though legitimate facilitated DLL side-loading which loaded the DLL file to decode and execute the DAT file ultimately running PlugX. MSC files used with Microsoft Management Console exploited their Console Taskpad feature to execute arbitrary commands deceiving users into triggering the PowerShell script. Websites distributing the MSI files used Cloudflare to control access obstructing researchers while targeting specific organizations.
  
  See the solution
- Dissecting SSLoad Malware A Comprehensive Technical Analysis
  This in-depth analysis explores the intricate inner workings of SSLoad a stealthy and adaptable malware known for its sophisticated delivery methods and evasion techniques. The comprehensive investigation unravels the malwares multistage infection chain dissecting the various loaders decryption algorithms and payloads employed across different campaigns. The analysis highlights SSLoads ability to gather reconnaissance evade detection and deploy additional malicious components underscoring its versatility and ever-evolving nature.
  
  See the solution
- Cert IL Alert - Phishing campaign by Muddy Water
  Recently the National Cyber Directorate detected an active phishing campaign in the Israeli domain. The campaign is operating extensively across all sectors. The National Cyber Directorate attributes this campaign to the Iranian attack group MuddyWater based on familiarity with the groups infrastructure and TTPs (Tactics Techniques and Procedures).
  
  See the solution
- PHP Vulnerability CVE-2024-4577 Weaponized To Distribute TellYouThePass Ransomware
  "Researchers have identified threat actors exploiting a PHP vulnerability (CVE-2024-4577) to spread TellYouThePass ransomware variants. The attackers utilize this exploit to run arbitrary PHP code leveraging the ""system"" function to execute an HTML application file hosted on their server via the mshta.exe binary which can execute remote payloads on Windows systems. This approach reflects a ""living off the land"" technique. TellYouThePass ransomware active since 2019 has evolved and now often appears as .NET samples delivered through HTML applications. The initial infection uses an HTA file containing malicious VBScript with a base64 encoded binary loaded into memory during runtime. Upon execution the malware sends an HTTP request to its command-and-control (C2) server disguised as a CSS resource request to avoid detection. The malware then enumerates directories kills processes generates encryption keys and encrypts files with specific extensions. Finally it places a ReadMe message in the web root directory to inform victims."
  
  See the solution
Week 23
- Commando Cat A Novel Cryptojacking Attack Abusing Docker Remote API Servers
  This report details a cryptojacking campaign exploiting exposed Docker remote API servers. Threat actors employ the cmd.cat/chattr Docker image for initial access utilizing techniques like chroot and volume binding to break out of the container and access host systems. They deploy cryptocurrency miners and establish command and control infrastructure. The analysis provides indicators of compromise recommended mitigations and relevant MITRE ATT&CK techniques.
  
  See the solution
- Operation Crimson Palace
  Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast Asia. Three distinct clusters of intrusion activity designated Alpha Bravo and Charlie were identified operating from at least March to December 2023. This report provides an in-depth technical analysis of the tactics techniques and procedures used by each cluster including credential access lateral movement persistence mechanisms command and control infrastructure defense evasion tactics and data exfiltration methods. It also details previous compromises observed within the same organization dating back to early 2022.
  
  See the solution
- MidnightEclipse Post-Exploitation Activity Related to CVE-2024-3400
  A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability assigned CVE-2024-3400 has a CVSS score of 10.0.
  
  See the solution
- ESXi Environments The Target Of TargetCompanys Linux Variant
  "The TargetCompany ransomware group has introduced a new Linux variant that employs a custom shell script for payload delivery and execution a first for this ransomware. This variant exfiltrates victim information to two servers and checks for VMWare ESXi environments to maximize disruption and ransom potential. The ransomware targets ESXi servers by encrypting files and appending a "".locked"" extension then dropping a ransom note. Discovered in June 2021 and known as ""Water Gatpanapun"" TargetCompanys activities are most prevalent in Taiwan India Thailand and South Korea. The group uses sophisticated techniques like PowerShell scripts to bypass security defenses and FUD obfuscator packers. The new Linux variant marks an evolution in their strategy aiming to exploit critical Linux environments. An affiliate named ""vampire"" has been linked to broader campaigns targeting large IT systems with high ransom demands."
  
  See the solution
- Operation Crimson Palace Targets The Southeast Asian Government Sector
  "Researchers have uncovered a complex long-running Chinese state-sponsored cyberespionage operation named ""Crimson Palace"" targeting a high-profile government organization in Southeast Asia. This operation utilized tools and infrastructure linked to several known Chinese threat actors including BackdoorDiplomacy REF5961 Worok TA428 Unfading Sea Haze and APT41 subgroup Earth Longzhi. The campaign aimed to maintain access to the target network for cyberespionage supporting Chinese state interests by accessing critical IT systems performing user reconnaissance collecting sensitive military and technical information and deploying various malware implants for command-and-control communications. The operation employed multiple malware families such as CCoreDoor PocoProxy EagerBee Nupakage Merlin C2 Agent Cobalt Strike Phant mNet RudeBird and PowHeartBeat. Over 15 distinct DLL sideloading scenarios were used often exploiting Windows Services legitimate Microsoft binaries and antivirus (AV) vendor software. The threat actors used numerous evasion techniques including overwriting ntdll.dll in memory to bypass the Sophos AV agent abusing AV software for sideloading and experimenting with various methods to execute their payloads efficiently and evasively."
  
  See the solution
- Ukraine Attack Campaign Uses Signal Messenger To Deliver DarkCrystal RAT
  A phishing campaign was discovered using Signal messenger to infect devices in Ukraine with DarkCrystal RAT. Sectors targeted include civil servants the military and representatives of defense enterprises. Users were contacted through the messaging app with a malicious RAR file that included VBScript and batch files used to carry out the infection process.
  
  See the solution
- Decoding Water Sigbins Latest Obfuscation Tricks
  The China-based threat group Water Sigbin known for deploying cryptocurrency-mining malware exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding environment variables to hide malicious code and fileless execution through .NET reflection. These evolving tactics underscore the necessity for robust cybersecurity measures like patch management and incident response plans.
  
  See the solution
Week 22
- Updated IOCs on AllaSenha - Malware Aims At Stealing Brazilian Bank Account Credentials
  "Researchers have identified a malicious payload called ""AllaSenha"" targeting Brazilian bank accounts. Delivered via a complex infection chain involving Python scripts and a Delphi-developed loader AllaSenha aims to steal banking credentials and uses Azure cloud for command and control. It is a custom variant of the AllaKore RAT often used against Latin American users. The attack begins with phishing emails containing malicious links to payloads hosted on cloud services. When a user clicks a link they are shown a Windows Explorer window displaying files at a remote WebDAV path tricking them into executing a malicious LNK file. This LNK file opens a fake PDF and triggers the download and execution of a launcher leading to the installation of AllaSenha which then exfiltrates banking credentials."
  
  See the solution
- THREAT ALERT The XZ Backdoor - Supply Chaining Into Your SSH
  Cybereason has issued a Threat Alert about a backdoor discovered in XZ Utils versions 5.6.0 and 5.6.1 affecting Linux operating systems. XZ Utils a compression library used across various Linux distributions was compromised in a supply chain attack targeting SSH protocol integrity.
  
  See the solution
- Justice AV Solutions Viewer Software Used In Apparent Supply Chain Attack CVE-2024-4978
  Justice AV Solutions (JAVS) is a U.S.-based company that provides digital audio-visual recording solutions for various environments including courtrooms and correctional facilities with over 10000 installations globally. Rapid7 identified a significant security risk with JAVS Viewer v8.3.7 which contains a backdoored installer that can give attackers full control over systems. Users with this version should immediately re-image affected systems reset credentials and upgrade to version 8.3.8 or higher. The issue came to light during an investigation initiated by Rapid7 on May 10 2024. The investigation revealed that the malware infection originated from a file named JAVS Viewer Setup 8.3.7.250-1.exe downloaded from the official JAVS site on March 5th. This installer was signed with an unusual Authenticode signature and included the binary fffmpeg.exe which executed encoded PowerShell scripts indicating a backdoor.
  
  See the solution
- Transparent Tribe Targets Indian Government Defense and Aerospace Sectors Leveraging Cross-Platform Programming Languages
  As part of our continuous hunting efforts across the Asia-Pacific region BlackBerry discovered Pakistani-based advanced persistent threat group Transparent Tribe (APT36) targeting the government defense and aerospace sectors of India.
  
  See the solution
- Allasenha Allakore Variant Leverages Azure Cloud C2 To Steal Banking Details In Latin America
  Earlier in May analysts spotted a malicious payload which was tentatively delivered to a computer in Brazil via an intricate infection chain involving Python scripts and a Delphi-developed loader. The final malicious payload that analysts named AllaSenha is specifically aimed at stealing credentials that are required to access Brazilian bank accounts leverages Azure cloud as command and control (C2) infrastructure and is another custom variant of AllaKore1 an infamous open-source RAT which is frequently leveraged to target users in Latin America.
  
  See the solution
- ShrinkLocker Turning BitLocker into ransomware
  The attackers were able to deploy and run an advanced VBS script that took advantage of BitLocker for unauthorized file encryption. We spotted this script and its modified versions in Mexico Indonesia and Jordan. In the sections below we analyze in detail the malicious code obtained during our incident response effort and provide tips for mitigating this kind of threat.
  
  See the solution
- The Overlapping Cyber Strategies Of Transparent Tribe And SideCopy Against India
  CRILs analysis revealed SideCopy APT groups sophisticated malware campaign employing malicious LNK files and a complex infection chain involving HTAs and loader DLLs to deploy malware like ReverseRAT and Action RAT. SideCopy targets Indian universities and government entities suggesting potential overlap with Transparent Tribes tactics. The campaign leverages spam emails with malicious links to initiate infections and establish backdoor access for data exfiltration and remote control of victim systems. SideCopy demonstrates evolving techniques demanding heightened cybersecurity vigilance to defend against persistent threats.
  
  See the solution
- A Catalog of Hazardous AV Sites A Tale of Malware Hosting
  In mid-April 2024 Trellix Advanced Research Center team members observed multiple fake AV sites hosting highly sophisticated malicious files such as APK EXE and Inno setup installer that includes Spy and Stealer capabilities.
  
  See the solution
- Exploring the Metamorfo Banking Trojan
  Forcepoint reports on Metamorfo Banking Trojan also known as Casbaneiro that is a banking trojan that targets North and South America.
  
  See the solution
Week 21
- Chinese hackers hide on military and govt networks for 6 years
  "A previously unknown threat actor Bitdefender Labs designated as ""Unfading Sea Haze"" has been targeting military and government entities in the South China Sea region since 2018 undetected until recently. Bitdefender researchers link its operations to Chinese geopolitical interests."
  
  See the solution
- Embargo Ransomware Threatens Data Leak If Ransom Not Paid
  Embargo is ransomware written in Rust that encrypts files using ChaCha20 and Curve25519 algorithms adding the .564ba1 extension to encrypted files. It threatens to leak data and notify various parties if the ransom is not paid. Researchers noticed similarities between Embargo and ALPHV (Blackcat) ransomware particularly in their user interfaces and the structure and syntax of their Rust binaries used for generating log files. Although ALPHV has more capabilities it is suspected that Embargo may be a rewritten version of ALPHV.
  
  See the solution
- Crimeware report Acrid ScarletStealer and Sys01 stealers
  This analysis delves into three distinct stealers Acrid ScarletStealer and Sys01. Acrid is a new stealer found in December employing the Heavens Gate technique to bypass security controls. ScarletStealer downloads additional executables and Chrome extensions to facilitate data theft. Sys01 also known as Album Stealer or S1deload Stealer tricks users into downloading malicious ZIP archives disguised as adult videos ultimately executing a payload called Newb with backdoor capabilities. The report underscores the persistent threat posed by stealers and the need for robust cybersecurity measures.
  
  See the solution
- American Artificial Intelligence Experts Targeted With SugarGh0st RAT
  Researchers uncovered a SugarGh0st RAT campaign aimed at US organizations involved in artificial intelligence across academia private industry and government sectors. The attacker used a free email account to send an AI-themed lure prompting recipients to open a zip file attachment. This attachment contained an LNK shortcut file which deployed a JavaScript dropper. Inside this dropper were a decoy document an ActiveX tool exploited for sideloading and an encrypted binary all encoded in base64. While the decoy document distracted the recipient the JavaScript dropper installed a library enabling Windows APIs to be run directly from JavaScript. This allowed subsequent JavaScript to execute a multi-stage shellcode derived from DllToShellCode which XOR decrypted and decompressed the SugarGh0st payload.
  
  See the solution
- Analysis of APT attack cases targeting domestic companies using Dora RAT Andariel Group
  AhnLab Security Intelligence Center (ASEC) recently confirmed that the Andariel group carried out APT attacks on domestic companies and institutions. The targeted organizations included manufacturing companies construction firms and educational institutions.The attackers employed backdoors keyloggers infostealers and proxy tools to control the infected systems and steal data. In this attack malicious codes previously associated with the Andariel group were identified such as Nestdoor a backdoor malware. Additionally web shells were detected. Although not identical the proxy tool used in past Lazarus group attacks was also employed in this incident.
  
  See the solution
- Spring Cleaning with LATRODECTUS A Potential Replacement for ICEDID
  LATRODECTUS is a malware loader gaining popularity among cybercriminals with strong connections to the ICEDID malware family. It offers standard capabilities for deploying payloads and conducting post-exploitation activities. Initially discovered by Walmart researchers in 2023 it continues evolving with new features like process discovery and desktop file listing. LATRODECTUS shares infrastructure and techniques with ICEDID operators suggesting it may be a potential replacement. Elastic Security provides robust detection capabilities through memory signatures behavioral rules and hunting opportunities to respond to threats like LATRODECTUS.
  
  See the solution
Week 20
- Redline Stealer A Novel Approach
  A new packed variant of the Redline Stealer trojan was observed spreading in the wild. It uses Lua bytecode and advanced techniques to evade detection infect systems and exfiltrate sensitive user data. The malware leverages GitHub for distribution and abuses Windows components for stealthy persistence. It gathers system info and communicates with a remote C2 server to receive commands and exfiltrate data.Detailed analysis revealed the inner workings of the malware its obfuscation methods and novel techniques.
  
  See the solution
- ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information
  This analysis focuses on the recent activities of the ViperSoftX malware strain which controls infected systems and steals user information. The malware is known to install additional malware payloads including Quasar RAT and a new infostealer called TesseractStealer. TesseractStealer utilizes the open-source Tesseract OCR engine to extract text from image files and specifically targets passwords cryptocurrency wallet addresses and related information within those images for exfiltration to attacker-controlled servers.
  
  See the solution
- Qilin Ransomware as a service
  Qilin operates as an affiliate program for Ransomware-as-a-Service employing a Rust-based ransomware to target victims. Qilin ransomware attacks are often tailored for each victim to maximize their impact utilizing tactics like altering filename extensions of encrypted files and terminating specific processes and services. The Rust variant is particularly effective for ransomware attacks due to its evasion-prone and hard-to-decipher characteristics making it easier to customize malware for Windows Linux and other operating systems. Importantly the Qilin ransomware group can generate samples for both Windows and ESXi versions
  
  See the solution
- US Cert Alert - Black Basta Cybersecurity Advisory AA24-131A
  A Cybersecurity Advisory (CSA) released by the FBI CISA HHS and MS-ISAC details the Black Basta ransomware variant. The ransomware is operated as a ransomware-as-a-service which has impacted over 500 organizations globally. Impacted sectors have included critical infrastructure and healthcare. The ransomware variant was identified in the first half of 2022 Black Basta uses techniques like phishing and exploiting public facing vulnerabilities to gain access to target environments before employing double-extortion tactic by encrypting data and threatening to release it publicly unless a ransom is demands ar met. The joint advisory details tactics techniques and procedures (TTPs) indicators of compromise (IOCs) as well as third party tools commodity tools and legitimate native utilities used by the RaaS.
  
  See the solution
- Rust Shellcode Loader Uses GoTo Meeting To Load Remcos RAT
  An unidentified threat actor used a new cyber kill chain to distribute the Remcos RAT using a Rust shellcode loader exploiting the GoToMeeting web conferencing software. Suspected to have started with phishing enticing victims with various themes the chain begins with myrecentfiles.lnk which opens a decoy PDF file (MLD.pdf) and triggers the execution of winsys.odt loading g2m.dll. This DLL loads the data.bin shellcode to deploy Remcos RAT. The group establishes persistence through the startup folder and employs DLL side-loading for evasion. Another malicious kill chain was discovered also using GoToMeeting leveraging PowerShell and creating persistence through RunBatchFile.lnk in the startup folder.
  
  See the solution
- Malware XMRig OrcusRAT etc disguised as MS Office crack
  The report details an ongoing malware campaign targeting South Korean users which disguises malicious payloads as cracked versions of Microsoft Office and other popular software. The attackers are distributing a variety of malware including downloaders coin miners remote access tools (RATs) proxies and anti-antivirus components. These are installed persistently through scheduled tasks and utilise encoded PowerShell commands for updates. The primary malware families identified include Orcus RAT for system control XMRig cryptominer 3Proxy for creating a proxy network and components to evade security products.
  
  See the solution
Week 19
- North Korean Hackers Abusing Facebook MS Management Console
  The North Korean hacking group Kimsuky has been observed using sophisticated methods to conduct espionage activities including the exploitation of social media platforms and system management tools.Microsoft tracks Kimsuky as Emerald Sleet.
  
  See the solution
- macOS Cuckoo Stealer Ensuring Detection and Defense as New Samples Rapidly Emerge
  This analysis discusses the emergence of a new macOS malware family called Cuckoo Stealer which acts as an infostealer and spyware. It describes Cuckoo Stealers main features logic and provides indicators of compromise to assist threat hunters and defenders. The malware employs techniques like obfuscation scraping admin passwords and installing persistence mechanisms. Although attempts were made to conceal its behavior analysis reveals similarities with other recent infostealers targeting macOS devices. SentinelOnes Singularity XDR platform detects and prevents the execution of Cuckoo Stealer protecting customers from this emerging threat.
  
  See the solution
- APT28 campaign against Polish government institutions
  The CERT Polska team is investigating a large-scale malware campaign carried out by the Russian intelligence group APT28 which has been targeting Polish government institutions in the past year and is believed to be linked to the GRU.
  
  See the solution
- FIN7 Abuses Malicious MSIX Packages To Deliver NetSupport RAT
  FIN7 is a Russian financially motivated advanced persistent threat (APT) that has been active since 2013 and extensively targets multiple sectors primarily within the United States. The threat actor has been continuously registering malicious typo-squatting domains that can subsequently be utilized in SEO poisoning or spear-phishing campaigns to lure victims into downloading malicious MSIX binaries. Successful infections result in systems infected with variants from the NetSupport RAT family.
  
  See the solution
- Uncharmed Untangling Irans APT42 Operations
  Mandiant discusses the activities of APT42 a state-sponsored Iranian cyber espionage actor targeting Western and Middle Eastern NGOs media organizations academia legal services and activists. APT42s activities overlap with Microsofts tracking of Mint Sandstorm.
  
  See the solution
- macOS Adload Pivots Just Days After Apples XProtect Clampdown
  The report analyzes a new variant of the Adload adware that evades Apples recent XProtect malware signature updates. Despite Apple adding 74 new rules targeting Adload in XProtect version 2192 the adware authors have rapidly modified their code to bypass these detections The report examines a specific 4.55MB Intel x86_64 dropper sample that employs Go language components and connects to hardcoded domains for retrieving next-stage payloads. While undetected by most antivirus engines on VirusTotal SentinelOnes multi-engine platform effectively identifies and blocks this Adload variant.
  
  See the solution
- Pakistani APTs Escalate Attacks on Indian Government
  Recent cyberattacks by Pakistan-linked advanced persistent threat (APT) groups like SideCopy and Transparent Tribe (APT36) have intensified against Indian government entities. Seqrite Labs discovered multiple campaigns deploying malware such as AllaKore RAT and Crimson RAT often using compromised domains and spear-phishing emails with malicious attachments. The analysis establishes connections between the APT groups based on their infrastructure code overlaps and targeting highlighting the persistent threats faced by Indian organizations.
  
  See the solution
- Threat Actors Attacking MS-SQL Servers to Deploy Ransomware
  Cybersecurity professionals at GBHackers have discovered a series of cyberattacks targeting poorly managed Microsoft SQL (MS-SQL) servers to install Mallox Ransomware on systems.
  
  See the solution
Week 18
- From IcedID to Dagon Locker Ransomware in 29 Days
  This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website mimicking an Azure download portal.
  
  See the solution
- Uncorking Old Wine Zero-Day from 2017 Loader in Unholy Alliance
  An analysis uncovered a suspected malicious campaign targeting entities in Ukraine. The attack employed an old vulnerability from 2017 CVE-2017-8570 as the initial entry vector. The operation utilized a customized loader to deliver the Cobalt Strike Beacon payload. While the specific threat actor behind this activity could not be conclusively determined the campaign exhibited sophisticated techniques to evade detection and hinder analysis efforts.
  
  See the solution
- Ransomware Roundup - KageNoHitobito and DoNex
  Fortiguard Labs Threat Research provides insights into the KageNoHitobito and DoNex ransomware variants. KageNoHitobito emerged in late March 2024 and encrypts victims files while DoNex is a financially motivated ransomware group that encrypts files on local drives and network shares. The initial infiltration methods used by the threat actors are unspecified.
  
  See the solution
- Pakistani APTs Escalate Attacks on Indian Government
  Recent cyberattacks by Pakistan-linked advanced persistent threat (APT) groups like SideCopy and Transparent Tribe (APT36) have intensified against Indian government entities. Seqrite Labs discovered multiple campaigns deploying malware such as AllaKore RAT and Crimson RAT often using compromised domains and spear-phishing emails with malicious attachments. The analysis establishes connections between the APT groups based on their infrastructure code overlaps and targeting highlighting the persistent threats faced by Indian organizations.
  
  See the solution
- Hijacking The eScan Antivirus Update Mechanism To Drop Malware
  GuptiMiner is a sophisticated malware that exploits vulnerabilities in the update mechanism of eScan an Indian antivirus vendor using a man-in-the-middle attack. The attack begins with eScan requesting an update intercepted by a MitM attacker who replaces the update with a malicious package. When eScan unpacks and loads the package a DLL is sideloaded enabling further malicious actions. GuptiMiner employs various techniques including DNS requests to attackers servers sideloading payload extraction from images and signing payloads with trusted root certificates. Its main goal is to distribute backdoors within corporate networks and it also installs XMRig to mine cryptocurrency on infected devices.
  
  See the solution
- The Defense Forces Of Ukraine Targeted With Malicious File Through Signal CERT-UA9522
  "CERT-UA reported an attempted malware attack on a Defense Forces of Ukraine representatives computer. An unidentified person sent a file named ""Support.rar"" via the Signal messenger pretending it was necessary for a UN Peace Support Operations job application. The archive contains an exploit for a WinRAR software vulnerability (CVE-2023-38831). If opened it executes a CMD file (""support.pdf.cmd"") which opens a decoy document and launches PowerShell scripts classified as the CookBox malware."
  
  See the solution
- Government Entities In The Middle East Targeted With DuneQuixote Dropper And CR4T Malware
  A malware campaign dubbed DuneQuixote was detected primarily targeting Middle Eastern governments. The campaign used a total of over 30 dropper samples which included a tainted installer that mimicked legitimate software named Total Commander to deploy a backdoor malware known as CR4T.Analysis of the initial droppers revealed that is was developed in C/C++ without using the Standard Template Library (STL) and pure Assembler. Upon execution a series of decoy dynamic API call resolutions were used to disguise activities before some unique techniques designed to prevent exposure of the C2 by automated malware analysis tools were used to decrypt the C2 addresses and further hinder analysis. The second installer dropper analyzed was a Total Commander imposter which incorporated other evasion techniques like system checks against debugging and system monitoring tools as well as the adaptability to be reactive to system conditions like RAM and disk space. Lastly an in memory only CR4T implant was analyzed which was designed to grant attackers access to a console window for command line execution on the victims machine the CR4T implant is written in both a C/C++ and Golang version. Upon execution the malware initiates cmd.exe in a hidden window and establishes two named pipes that allow inter-process communication the malware collects system info and remains idle until upload of data is requested or encoded commands are received.
  
  See the solution
- The DragonForce Ransomware Connection To LockBit Black
  Researchers have identified a connection between DragonForce ransomware and LockBit Black ransomware. The DragonForce ransomware binary appears to be based on LockBit Black suggesting that the threat actors behind DragonForce used a leaked builder of LockBit Black ransomware to generate their binary. This connection was discovered after a user shared the download link for the LockBit ransomware builder on Twitter in September 2022. DragonForce ransomware which surfaced in November 2023 uses double extortion tactics exfiltrating data before encryption and then leaking the data if ransom demands are not met. The ransomware operations began with the public disclosure of victim details on a cybercrime forum and their leak site with over 25 victims worldwide disclosed to date. The discovery of DragonForce ransomware and its links to the leaked builder of LockBit Black ransomware highlights the growing threat posed by the abuse of leaked malware-building tools in cyberattacks.
  
  See the solution
Week 17
- Ransomware Dissecting the three heads
  This analysis delves into the intricacies of the Cerber ransomware focusing on its Linux variant. It dissects the malwares initial access vector exploiting CVE-2023-22518 in Confluence and examines its three highly obfuscated C++ payloads a stager for further payloads a log checker and the encryptor responsible for encrypting files. The report provides detailed insights into the functionality and behavior of each component including the encryption process communication with the C2 server and the ransom note left behind.
  
  See the solution
- MuddyWater campaign abusing Atera Agents
  This report details an active campaign by the Iranian state-sponsored threat actor MuddyWater which has been using the legitimate remote monitoring and management tool Atera Agent as a first-stage payload in its attacks since late 2023. The threat actor has exploited Ateras free trial offer registering agents with various compromised email accounts and distributing installers through spearphishing emails. The report provides an overview of MuddyWaters tactics techniques and procedures including the infection chain spearphishing lures and the misuse of Ateras capabilities.
  
  See the solution
- Threat Group Targets the US Automotive Industry
  BlackBerry analysts uncovered an attack on a major U.S. automotive manufacturer by the financially motivated threat group FIN7. The group deployed phishing emails with malicious links to deliver the well-known Anunak backdoor and leveraged living-off-the-land binaries scripts and libraries for initial access. Evidence suggests this was part of a broader FIN7 campaign targeting entities with large potential ransom payouts.
  
  See the solution
- DuneQuixote campaign targets Middle Eastern entities with malware
  In this analysis we uncover a malicious campaign dubbed DuneQuixote that employs droppers disguised as the legitimate Total Commander installer to deliver a backdoor implant called CR4T. This implant available in both C/C++ and Golang versions grants attackers access to compromised systems enabling command execution file management and persistence through scheduled tasks. The campaign exhibits advanced evasion techniques including anti-analysis checks memory-only payloads and unique infrastructure designed for stealth. The primary targets appear to be government entities in the Middle East region
  
  See the solution
- US Cert Alert - Akira Ransomware
  The CISA cybersecurity and Infrastructure Security Agency (CISA) is working with the European Union to prevent the release of the Akira ransomware a type of ransomware that locks people out of their computers and demands a ransom.
  
  See the solution
- Latrodectus This Spider Bytes Like Ice
  Team CYMRU partnered with Proofpoints Threat Research team in a collaborative effort to provide a comprehensive overview of the Latrodectus loader malware.
  
  See the solution
- Virus causes Ukrainian users to upload confidential documents to VirusTotal
  A rare multi-module virus called OfflRouter has been infecting Word documents in Ukraine since 2015. The virus consists of a VBA macro and a .NET executable module that infects documents using Office Interop classes. It causes potentially confidential documents from Ukrainian organizations to be uploaded to public repositories. The virus is likely the work of an inexperienced but inventive developer and has remained confined to Ukraine due to design choices and coding mistakes.
  
  See the solution
- SEXi ransomware
  SEXi malicious group aims encrypt the companys VMware ESXi servers which host virtual private servers for their clients as well as the backups putting a significant portion of hosted websites and services out of commission.
  
  See the solution
- macOS Users The Focus Of Ongoing Infostealer Attacks
  Over the past year the macOS environment has experienced a surge in infostealer attacks particularly targeting individuals in the crypto industry to harvest credentials and data from various crypto wallets. Jamf Threat Labs highlights the evolution of these attacks with two recent examples the spread of Atomic Stealer via sponsored Google Ads for Arc Browser leading to malicious sites and the Meethub attack where scammers posing as individuals interested in professional engagements lure victims into downloading a compromised application. Both attacks employ sophisticated tactics to bypass security measures and persuade users to unwittingly provide their macOS login passwords facilitating the theft of keychain data browser login information credit card details and crypto wallet data. These attacks underscore the importance of vigilance among macOS users especially those involved with cryptocurrency as social engineering and direct outreach by scammers become increasingly prevalent on this platform.
  
  See the solution
- Further Analysis of the backdoor in XZ
  The report provides an in-depth analysis of a sophisticated multi-stage backdoor implanted in the XZ compression utility a critical component integrated into many Linux distributions. The attackers employed advanced techniques including modifying the build infrastructure and hiding malicious scripts within test files ultimately introducing a remote code execution capability targeting sshd processes. The backdoor exhibited remarkable stealth and utilized intricate methods to evade detection underscoring the severity of this supply chain compromise.
  
  See the solution
Week 16
- TA547 Targets German Organizations With Rhadamanthys Stealer
  Cyber threat actor TA547 was discovered targeting German organizations with an email campaign delivering Rhadamanthys malware. This is the first time TA547 has been observed using Rhadamanthys an information stealer used by multiple cybercriminals. The emails impersonated the German retail company Metro and targeted various industries in Germany. The emails contained a password-protected ZIP file which when executed triggered a PowerShell script that decoded the Rhadamanthys executable file and executed the malicious code in memory Interestingly the PowerShell script used to load Rhadamanthys contained characteristics suggesting it was generated by a large language model (LLM) indicating that TA547 may have used an LLM-enabled tool to write the script or copied it from another source.
  
  See the solution
- Analysis of the APT31 indictment
  The U.S. Department of Justice released an indictment of seven hackers associated with APT31 a hacking group supporting Chinas Ministry of State Security active for 14 years. The indictment reveals APT31 tradecraft including front companies malware like RAWDOOR two-phase attacks via email tracking then exploitation compromising subsidiaries for access and quickly shifting targets based on political events.
  
  See the solution
- Renewed Espionage Campaign Targets Southern Asia Possibly India
  This report analyzes the resurgence of the LightSpy mobile espionage campaign targeting individuals in Southern Asia likely India. LightSpy is an advanced iOS implant with comprehensive surveillance capabilities including data exfiltration audio recording and potential device control. Evidence suggests the threat actors are Chinese speakers raising concerns about potential state-sponsored activity. The campaign employs sophisticated techniques like certificate pinning to evade detection.
  
  See the solution
- Tax Themed Threat Delivers XWorm RAT
  Researchers uncovered a tax-themed phishing campaign deploying XWorm as its ultimate payload. The attack involved downloading a malicious JavaScript file from a compromised website which fetched a PowerShell script. This script terminated processes opened a decoy PDF file injected the final payload into Msbuild.exe and RegSvcs.exe processes and added exclusions to Windows Defender. It established persistence via scheduled tasks and registry keys and disabled the Windows firewall for evasion. The final payload XWorm v5.2 is a Remote Access Trojan (RAT) which can be used for a range of malicious activity by the threat actor.
  
  See the solution
- XZ Utils SSHd Backdoor CVE-2024-3094
  In March 2024 details emerged regarding CVE-2024-3094 a vulnerability affecting the xz compression libraries in Linux distributions. The backdoor code was distributed to rolling distributions but specifically targeted systems like Debian and Fedora that patch their SSH daemon with liblzma. The initial compromise (version 5.6.0) allowed the injection of the backdoor into Debian and Fedora distributions. In the subsequent version (5.6.1) the attacker introduced more sophistication by enabling the execution of additional shell scripts during the build phase using binary test blobs. This was likely aimed at making future updates to the backdoor less conspicuous. The injection of malicious shell scripts occurs during the configure command execution modifying the Makefile to build and replace object files with infected counterparts. While the backdoors functionality remains consistent across both versions the methods for injecting and replacing object files differ providing insights into the actors motivations and long-term plans.
  
  See the solution
- Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect CVE-2024-3400
  This report details the discovery and exploitation of a critical zero-day vulnerability (CVE-2024-3400) in Palo Alto Networks GlobalProtect firewall appliances allowing remote code execution. The threat actor tracked as UTA0218 exploited this flaw to compromise devices exfiltrate data and move laterally within victims networks. The report analyzes the UPSTYLE backdoor used post-exploitation activities infrastructure detection methods and response recommendations.
  
  See the solution
- Smoke and mirrors A strange signed backdoor
  Sophos X-Ops discovered a curious backdoored and signed executable masquerading as something else. The file was bundled with LaiXi Android Screen Mirroring software. Technical analysis revealed it installs a service called CatalogWatcher and embeds a tiny proxy server likely to monitor and intercept traffic. Variants were found dating back to early 2023 some signed with valid Microsoft certificates. Sophos and Microsoft worked together to revoke the certificates used.
  
  See the solution
Week 15
- Cert IL Alert - Muddy Water continues its campaign
  Recently the National Cyber Directorate identified an active phishing campaign in the Israeli space. The campaign operates extensively across all sectors of the economy. The National Cyber Directorate associates this campaign with the Iranian attack group MuddyWater based on familiarity with the groups infrastructure and its typical Tactics Techniques and Procedures (TTPs). It is recommended to monitor them in all relevant organizational security systems. This alert follows a previous alert about another phishing campaign by the group that was identified.
  
  See the solution
- Cert IL Alert - Black Shadow
  The Iranian attack group Black Shadow active in Israel against various sectors. The group also known as Agrius and Team Malek operates on behalf of the Iranian Ministry of Intelligence and is responsible for a series of cyber attacks against Israeli organizations.
  
  See the solution
- ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins
  The article from FortiGuard Labs Threat Research uncovers a recent threat actors distribution of VenomRAT and other plugins through a phishing email containing malicious Scalable Vector Graphics (SVG) files.
  
  See the solution
- MuddyWater APT Adds DarkBeatC2 Framework Into Its Arsenal
  "MuddyWater is an Iranian state-sponsored cyber threat group identified in 2017. It primarily targets Israeli organizations to gather valuable intelligence. The group employs spear phishing emails from compromised accounts and social engineering tactics for initial access. Once inside they collect sensitive data from multiple sources and use Atera for remote access. MuddyWater has used different command-and-control frameworks like SimpleHarm PhonyC2 and MuddyC2Go in the past. Recently theyve been found using a new framework called ""DarkBeatC2"" in their attacks."
  
  See the solution
- SYNC-SCHEDULER A DEDICATED DOCUMENT STEALER
  This in-depth examination focuses on Sync-Scheduler stealer a malware that targets documents with anti-analysis capabilities. The report explores evasion tactics employed by threat actors illuminating procedures for crafting resilient malware payloads. It emphasizes the adaptive nature of these threats highlighting the importance of enhanced security protocols and user vigilance to mitigate associated risks.
  
  See the solution
Week 14
- Microsoft OneNote Files Used To Drop Nokoyawa Ransomware
  In early 2023 an intrusion occurred through a phishing campaign distributing emails with malicious OneNote attachments. Opening these triggered execution of a cmd file launching PowerShell to download an IcedID DLL disguised as image files. A scheduled task ensured persistence. After 21 days of limited activity IcedID malware was discovered using Microsoft tools. On day 33 Cobalt Strike beacons were launched initiating Active Directory discovery and AnyDesk installation. The threat actor accessed LSASS for reconnaissance utilized various tools including Task Manager and SoftPerfect Network Scanner and began lateral movement. They executed ransomware on critical servers exfiltrated data and covered their tracks. The attack lasted 812 hours over 34 days.
  
  See the solution
- Malware Spotlight Linodas aka DinodasRAT for Linux
  A Chinese-nexus cyber espionage threat actor is focusing on Southeast Asia Africa and South America aligning with insights on threat actor Earth Krahang. The actor uses a cross-platform backdoor DinodasRAT aka XDealer linking it to Chinese actor LuoYu. While the Windows version is analyzed the Linux version is not. Here we analyze Linux version 11 of DinodasRAT called Linodas. It adds Linux-specific capabilities like reverse shells and logs monitoring. The latest version hides malware via a module proxying/modifying system binaries. Linodas shows continued targeting of Linux servers as pivot points in networks.
  
  See the solution
- APT29 Uses WINELOADER to Target German Political Parties
  In late February APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time the APT29 cluster has been observed targeting political parties indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. This activity presents a broad threat to European and other Western political parties from across the political spectrum.
  
  See the solution
- APT37 Utilizes RokRAT In Fileless Attacks
  APT37 also known as Konni Thallium and InkySquid was discovered targeting entities in South Korea with the RokRAT cloud-based remote access tool. Initial access was carried out through spearphishing emails with a malicious ZIP file disguised as belonging to a North Korea-related research field. The threat actor leveraged DropBox cloud storage to host the malicious files. Multiple PowerShell commands along with LNK files were used to carry out the infection process. RokRAT has been leveraged by APT37 since at least 2017 and can be used to collect and exfiltrate sensitive information and download additional malicious files to infected systems.
  
  See the solution
- ShadowRay First Known Attack Campaign Targeting AI Workloads Actively Exploited in the Wild
  Analysts from Oligo an Israeli security research company have identified an ongoing active attack campaign targeting a critical vulnerability in the Ray open-source AI framework.
  
  See the solution
- Drive-By Infections Lead to IDAT Loader And SecTop RAT Payloads
  The IDAT Loader a malware loader that searches PNG files to retrieve payload instructions is being linked to financially motivated groups and has typically been distributed via FakeUpdates. A recent incident saw it being deployed alongside the BruteRatel C4 framework following opportunistic infections obtained through malvertising and drive-by downloads. The malware is triggered by downloading an application which leads to the IDAT Loader execution that kicks off a series of events such as the binary analyzing the environment to evade analysis decrypting URLs downloading encoded data and executes further payloads. The IDAT Loader communicates with specified IP addresses and post-exploitation executes another version of IDAT Loader and drops a legitimate executable Rvm.exe. The loader proceeds to load tampered DLLs that contain IDAT Loader code before the final payload SecTop RAT is deployed.
  
  See the solution
Week 13
- Suspected Chinese APT Groups Conduct Cyber Espionage Operations Against ASEAN Entities
  Researchers have identified two Chinese advanced persistent threat (APT) groups engaged in cyberespionage against entities and member countries associated with the Association of Southeast Asian Nations (ASEAN). The first group known as Stately Taurus (aka Mustang Panda) developed two malware packages aimed at organizations in Myanmar the Philippines Japan and Singapore. These attacks coincided with the ASEAN-Australia Special Summit held from March 4-6 2024. The second unnamed Chinese APT group targeted an ASEAN-affiliated entity and has focused on government entities in Southeast Asian countries such as Cambodia Laos and Singapore.
  
  See the solution
- Agenda Ransomware Propagates To vCenters And ESXi Servers
  The Agenda ransomware known as Qilin and Water Galura has been active since 2022 targeting victims globally with the United States Argentina Australia and Thailand being key targets according to leak site data. It has affected various industries including finance law healthcare construction and technology. A new version of the malware utilizes Remote Monitoring and Management (RMM) tools and Cobalt Strike for deployment. It spreads via PsExec SSH and exploits vulnerable SYS drivers like YDark and Spyboys Terminator for evasion. Additionally it can print ransom notes on connected printers using PowerShell commands.
  
  See the solution
- Initial Access Brokers Exploit F5 BIG-IP And ScreenConnect Vulnerabilities
  "UNC5174 a threat actor believed to operate on behalf of the Peoples Republic of China has been observed engaging in cyberattacks using a combination of custom tools and the Supershell framework. These attacks targeted vulnerabilities such as CVE-2023-46747 in F5 BIG-IP Traffic Management User Interface and CVE-2024-1709 in Connectwise ScreenConnect.UNC5174 possibly operating under the persona ""Uteus"" has transitioned from hacktivism to contracting for Chinas Ministry of State Security (MSS). They have been seen attempting to sell access to compromised systems including those belonging to U.S. defense contractors UK government entities and institutions in Asia. In February 2024 UNC5174 exploited CVE-2024-1709 to compromise numerous institutions primarily in the U.S. and Canada utilizing various malicious tools like SnowLight downloader GoHeavy and Supershell."
  
  See the solution
- The Updated APT Playbook Tales from the Kimsuky threat actor group
  The Kimsuky threat actor group also known as Black Banshee or Thallium originates from North Korea and has been active since at least 2012 Kimsuky focuses primarily on intelligence gathering. Researchers believe Kimsuky is using CHM files which are delivered in several ways as part of an ISO|VHD|ZIP or RAR file. The reason they would use this approach is that such containers have the ability to pass the first line of defense and then the CHM file will be executed.
  
  See the solution
- StrelaStealer
  StrelaStealer malware steals email login data from well-known email clients and sends them back to the attackers C2 server. Upon a successful attack the threat actor would gain access to the victims email login information which they can then use to perform further attacks.
  
  See the solution
- Googles Advertising Tracking Function Abused To Drop Rhadamanthys Malware
  Researchers have identified a new malicious code distribution method that exploits Googles ad tracking feature. The attackers disguise the malicious downloader as installation programs for widely used groupware like Notion and Slack. The attackers use Googles ad tracking feature to make it appear as if users are accessing a legitimate site. The malware is primarily distributed in the form of Inno Setup or NSIS (Nullsoft Scriptable Install System) installers. The Rhadamanthys information stealer payload injects itself into legitimate Windows files in the %system32% directory making it difficult for users to detect its operation.
  
  See the solution
- Beware of the Messengers Exploiting ActiveMQ Vulnerability
  Cybereason Security Services has issued a Threat Analysis Report on an incident involving a Linux server that saw malicious shell executions from a Java process running Apache ActiveMQ.
  
  See the solution
- New Sysrv Botnet Variant Makes Use of Google Subdomain to Spread XMRig Miner
  A new variant of the Sysrv botnet was observed exploiting vulnerabilities in Apache Struts and Atlassian Confluence to spread an XMRig cryptominer payload. The malware made use of a compromised Malaysian academic website and Google subdomain to distribute malicious files. Enhancements include obfuscation and architecture preparation functions. The malware connects to MoneroOcean mining pool endpoints and mines to a specific wallet. Defenders should block suspicious outbound connections and inspect seemingly legitimate sites for malicious files.
  
  See the solution
- New Details on TinyTurlas Post-Compromise Activity Reveal Full Kill Chain
  Cisco Talos and CERT.NGO have provided updates on an ongoing campaign by the Russian espionage group Turla (tracked by Microsoft as Secret Blizzard).
  
  See the solution
- TeamCity Vulnerabilities Exploited To Perform A Variety Of Malicious Operations
  JetBrains disclosed two critical vulnerabilities CVE-2024-27198 and CVE-2024-27199 in the TeamCity On-Premises platform on March 4 2024. These vulnerabilities allow attackers to bypass authentication and gain administrative control leading to the deployment of malicious activities such as ransomware cryptocurrency miners Cobalt Strike beacons backdoors and domain discovery and persistence commands. Public proof-of-concept exploits are already circulating increasing the risk of widespread exploitation. The urgency of addressing these vulnerabilities is highlighted by the active exploitation observed through telemetry and the inclusion of CVE-2024-27198 in the CISAs Known Exploited Vulnerabilities catalog. Organizations using affected TeamCity servers are advised to update their software promptly to protect their data and systems. Rapid7s analysis reveals the potential for unauthenticated attackers to achieve remote code execution and directory traversal emphasizing the critical nature of these security flaws and the importance of swift remediation efforts to prevent ransomware attacks and other security breaches.
  
  See the solution
Week 12
- FluffyWolf Campaign Targets Corporate Infrastructure For Operations
  A cluster of nefarious activity was identified and is being called Fluffy Wolf. The operators of the campaign primarily use phishing emails with password-protected archives that contain executables disguised as reports to infiltrate systems. When opened the archive and attachments allow the threat actors to spread tools like Remote Utilities Meta Stealer WarZone RAT and XMRig miner enabling remote access data theft and crypto mining as well as leveraging both legitimate software and malware-as-a-service to carry out attacks.
  
  See the solution
- Linux x86 Network Devices The Target Of AcidPour Data Wiper
  AcidPour malware a variant of AcidRain has been detected targeting Linux x86 IoT and networking devices.It features data wiping capabilities and shares similarities with AcidRain including targeting specific directories common in embedded Linux distributions. About 30% of their codebase overlaps. AcidPour employs input/output control (IOCTL)-based wiping logic similar to VPNFilters dstr plugin and AcidRain suggesting a continuation or adaptation of known malicious techniques. The malware references /dev/ubiXX indicating a focus on embedded systems using flash memory and /dev/dm-XX associated with Logical Volume Management (LVM) which is commonly used in Network Attached Storage devices like QNAP and Synology for managing RAID arrays.
  
  See the solution
- Konni Group Targets Bitcoin Traders With Phishing Campaign
  The Konni threat group also known as APT37 and Red Eyes launched a malicious phishing campaign targeting Bitcoin traders. They gained initial access using a zip file containing a malicious LNK file and a decoy PDF file. The group utilized multiple BAT files and obfuscated PowerShell commands to establish persistence through a registry Run key download more malicious files delete files compress files and collect and send sensitive information to command and control servers.
  
  See the solution
- US Cert Alert - ALPHV Blackcat
  FBI CISA and HHS encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidents.
  
  See the solution
- Inside the Rabbit Hole BunnyLoader 30 Unveiled
  This article focuses on the newly released BunnyLoader 3.0 malware its capabilities and historically observed infrastructure. BunnyLoader is dynamically developing malware that can steal information credentials cryptocurrency and deliver additional malware. The threat actor frequently changes tactics to evade detection and undermine analysis. On Feb 11 2024 the threat actor announced BunnyLoader 3.0 with claimed enhancements. Samples show major changes like modularization and updated C2 communication. Revealing evolving tactics empowers defense against this threat.
  
  See the solution
- Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns
  A recent report details that the threat actor group ITG05 has been conducting phishing campaigns targeting entities in Europe the Caucasus Central Asia and the Americas since late 2023. The group has introduced new techniques like search-ms protocol abuse and WebDAV servers to deploy backdoors like MASEPIE and OCEANMAP. ITG05 continues evolving tactics to steal sensitive data.
  
  See the solution
- Cert IL Alert - Numerous groups of malicious actors are active in Israel
  The National Cyber Directorate recently reported on the activities of several state-sponsored attack groups in the Israeli cyber space. These groups primarily target organizations in the academia local government and MSP companies sectors.
  
  See the solution
- Blind Eagles North American Journey
  The eSentire Threat Response Unit (TRU) recently observed the Blind Eagle threat actor targeting the manufacturing industry in North America. The actor used phishing emails containing malicious VBS files that delivered the Ande Loader which then deployed Remcos RAT and NjRAT payloads. Technical analysis shows Blind Eagle leveraging crypters developed by threat actors known as Roda and Pjoao1578. The campaign targeted Spanish-speaking users at manufacturing companies. eSentire recommends implementing EDR solutions and security awareness training to help defend against Blind Eagle.
  
  See the solution
- Multistage RA World Ransomware Uses Anti-AV Tactics Exploits GPO
  The Trend Micro threat hunting team discovered a multistage RA World ransomware attack targeting healthcare organizations in Latin America. The attack involved components designed to maximize impact by compromising systems across the network via compromised domain controllers and Group Policy exploitation.
  
  See the solution
Week 11
- BIPClip Campaign Steals BIP39 Mnemonic Phrases
  Researchers have uncovered a new malicious campaign involving seven different open-source packages across 19 versions on the Python Package Index PyPI) with the earliest dating back to December 2022. The campaign dubbed BIPClip aims to steal mnemonic phrases used for recovering crypto wallets highlighting the ongoing targeting of cryptocurrency in supply chain attacks. This campaign demonstrates the lengths to which threat actors go to disguise their malicious activities utilizing tactics like malicious file dependencies and name squatting. Targets include developers involved in cryptocurrency wallet generation and security particularly those implementing Bitcoin Improvement Proposal 39 (BIP39) which simplifies wallet seed generation using mnemonic phrases for easier recall.
  
  See the solution
- Infected text editors target Chinese users
  A recent campaign distributed infected versions of popular text editors for Linux and MacOS in advertisements and search results on a major Chinese search engine. The infected applications contained a backdoor that connected to a command and control server.
  
  See the solution
- Infostealer Disguised as Adobe Reader Installer
  A sophisticated malware campaign has been uncovered in which threat actors are tricking users into downloading malware disguised as an Adobe Reader installer. The malware prompts users to download a fake PDF file that claims Adobe Reader is required leading to the download of an executable masquerading as the Reader installer. This executable employs various techniques like DLL hijacking and UAC bypass to evade detection collect system information and exfiltrate data to attacker-controlled servers.
  
  See the solution
- HijackLoader Expands Techniques to Improve Defense Evasion
  A recent variant of the HijackLoader malware employs sophisticated techniques like process hollowing and doppelgnging to enhance its complexity and evade detection. It uses multiple stages and shellcode injection to deploy Cobalt Strike.
  
  See the solution
- Earth Preta launches new campaign and uses DOPLUGS to target Asia
  A threat actor group called Earth Preta has been running a campaign targeting Asia using a malware called DOPLUGS to infect victims via phishing emails. DOPLUGS serves as a downloader to retrieve a more advanced PlugX malware strain. The campaign has focused on government entities in Taiwan Vietnam Malaysia and other Asian countries. DOPLUGS has constantly evolved since 2022 integrating features like the KillSomeOne USB worm module.
  
  See the solution
- VCURMS and STRRAT Remote Access Trojans Delivered Through Phishing Emails
  Researchers discovered a phishing campaign distributing a malicious Java downloader aiming to disseminate new VCURMS and STRRAT remote access trojans (RATs). The attackers utilized public services like Amazon Web Services (AWS) and GitHub to store malware and employed a commercial protector to evade detection. They utilized email for command and control with the recipient endpoint using Proton Mail for privacy protection. Phishing emails targeted staff claiming a pending payment and urging them to verify payment details by clicking a button which triggers the download of a harmful JAR file from AWS. The downloaded files were disguised as typical phishing attachments with spoofed names to lure recipients into opening them.
  
  See the solution
- Magnet Goblin Utilizes 1-Day Vulnerabilities To Gain Initial Access
  Magnet Goblin is a financially motivated threat actor well-known for swiftly exploiting 1-day vulnerabilities to gain initial access via edge devices and public-facing services for distributing sophisticated malware onto compromised victim systems since January 2022. This group methodically leveraged unpatched vulnerabilities via a range of methods to Ivanti Connect Secure VPN Magento Qlik Sense and Apache ActiveMQ servers to gain initial access and deploy malicious tools such as Nerbian RAT MiniNerbian RAT and the WarpWire credential stealer. The threat actor gathered lucrative information from compromised systems and deployed various legitimate tools such as AnyDesk Ligolo and ScreenConnect. The classified information was exfiltrated to adversarial command and control servers.
  
  See the solution
- Distribution of MSIX Malware Disguised as Notion Installer
  A new MSIX malware disguised as the Notion installer is being distributed through a website that looks similar to the actual Notion homepage.
  
  See the solution
- SapphireStealer Distributed Through A Fake Russian Government Website
  Researchers discovered an executable file obtained from a deceptive URL posing as a fake Russian government site potentially spread through spam emails. This file identified as SapphireStealer masquerades as a PDF document to trick users. Upon execution it drops and displays a fake PDF while secretly collecting sensitive information like browser credentials and network cookies. The pilfered data is then sent to a command-and-control server in a compressed ZIP file.
  
  See the solution
- Fenix Botnet Targeting LATAM Users
  Researchers have uncovered a cyber campaign targeting Latin American users where victims are tricked into downloading a malicious zip file disguised as a legitimate tool from a fake website posing as the Government of Mexico. Once executed the payload installs a Remote Access Trojan (RAT) with infostealing capabilities and adds the compromised device to a botnet. This campaign is notable for its targeting of specific Latin American financial institutions with the RAT designed to intercept and steal banking credentials posing a significant threat to both individuals and corporations. The infection begins when users visit the deceptive webpage.
  
  See the solution
- Unveiling Earth Kapre aka RedCurls Cyberespionage Tactics
  Trend Micro MDR team investigated and successfully uncovered the intrusion sets employed by Earth Kapre in a recent incident.
  
  See the solution
- Cert IL Alert - Muddy Water campaign in Israel
  In March 2024 the National Cyber Directorate identified an active phishing campaign within the Israeli domain. It is assessed that the campaign is primarily aimed against government sectors and local authorities. The directorate attributes this campaign to the Iranian hacking group MuddyWater based on familiarity with the groups infrastructure and their typical Tactics Techniques and Procedures (TTPs).
  
  See the solution
- Evasive Panda leverages Monlam Festival to target Tibetans
  ESET researchers discovered a cyberespionage campaign that targeted Tibetans through a watering hole attack on a website related to the Monlam Festival in India and through a supply chain compromise of Tibetan language software. The attackers used malicious downloaders and backdoors like MgBot and Nightdoor to compromise website visitors and software users. The campaign aimed to steal data from targets in India Taiwan Hong Kong Australia and the US.
  
  See the solution
- Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
  Check Point reports Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. At least in one case of Ivanti Connect Secure VPN (CVE-2024-21887) the exploit entered the groups arsenal as fast as within 1 day after a POC for it was published.
  
  See the solution
Week 10
- Linux Malware Campaign Targets Docker Hadoop Redis And Confluence
  Researchers have uncovered a new malware campaign targeting misconfigured servers running Apache Hadoop YARN Docker Confluence and Redis. This campaign employs several previously unreported payloads including four Golang binaries to automate the discovery and infection of hosts with the targeted services. Attackers utilize these tools to exploit common misconfigurations and n-day vulnerabilities enabling Remote Code Execution (RCE) attacks and the infection of new hosts After gaining initial access the attackers deploy shell scripts and Linux attack techniques to install a cryptocurrency miner establish a reverse shell and maintain persistent access to compromised hosts.
  
  See the solution
- TA4903 Actor Spoofs US Government Small Businesses in Phishing BEC Bids
  TA4903 is a financially motivated cybercriminal threat actor that targets organizations in the U.S. with high-volume email campaigns to steal corporate credentials and conduct follow-on business email compromise. The actor frequently registers new domains related to government entities and private organizations to use in credential phishing.
  
  See the solution
- TA577s Unusual Attack Chain Leads to NTLM Data Theft
  Proofpoint identified notable cybercriminal threat actor TA577 using a new attack chain to demonstrate an uncommonly observed objective stealing NT LAN Manager (NTLM) authentication information. This activity can be used for sensitive information gathering purposes and to enable follow-on activity.
  
  See the solution
- GhostSecs joint ransomware operation and evolution of their arsenal
  Cisco Talos observed a surge in GhostSec a hacking groups malicious activities since this past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware a Golang variant of the GhostLocker ransomware. The GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries. GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program STMX_GhostLocker providing various options for their affiliates.
  
  See the solution
- A novel backdoor tailored for covert access over the roaming exchange
  GTPDOOR is Linux malware that communicates C2 traffic over GTP-C signalling messages blending in with normal telco traffic. It can execute commands sent in GTP echo requests and probe hosts covertly via TCP packets. Versions target x86 and i386 architectures.
  
  See the solution
- One year later Rhadamanthys is still dropped via malvertising
  A recent malvertising campaign is distributing the Rhadamanthys infostealer by impersonating popular software brands in search ads. Clicking the fake ads leads to decoy sites where users are tricked into downloading malware droppers which retrieve the final payload from a pastebin site.
  
  See the solution
- Bifrost RAT Adds Innovative Technique To Evade Detection
  A new Linux variant of the Bifrost remote access Trojan (RAT) has emerged utilizing a deceptive domain download.vmfare[.]com to avoid detection.This domain imitates the legitimate VMware domain enabling the malware to bypass security measures and compromise targeted systems. Bifrost initially identified in 2004 allows attackers to gather sensitive information such as hostname and IP address. Once installed the malware collects user data and transmits it to the attackers server using RC4 encryption. Additionally research has uncovered that the malicious IP address hosts an ARM version of Bifrost suggesting an expansion of the attackers target scope to ARM-based devices which are becoming increasingly prevalent. This trend indicates a likelihood of cybercriminals incorporating ARM-based malware into their tactics.
  
  See the solution
- Ransomware Roundup Abyss Locker
  Despite being first submitted to a publicly available file scanning service in July 2023 the earliest variant of the Abyss Locker ransomware may have originated even earlier due to its foundation on the HelloKitty ransomware source code.
  
  See the solution
- StopRansomware Phobos Ransomware CISA AA24-060A
  The FBI CISA and MS-ISAC have jointly released a Cybersecurity Advisory to share information on the Phobos ransomware variants observed as recently as February 2024. Phobos operates as a ransomware-as-a-service (RaaS) model and is likely connected to multiple variants like Elking Eight Devos Backmydata and Faust ransomware. It utilizes various open source tools such as Smokeloader Cobalt Strike and Bloodhound. Phobos actors gain initial access through phishing campaigns or by exploiting vulnerable Remote Desktop Protocol ports. They deploy hidden payloads modify firewall configurations and establish persistence using Windows Startup folders and Run Registry Keys. Additionally they employ tools like Mimikatz and NirSoft for credential enumeration and WinSCP and Mega.io for file exfiltration. Phobos encrypts user files deletes volume shadow copies and encrypts all connected logical drives. Each Phobos executable has unique identifiers and a ransom note embedded within.
  
  See the solution
- Joint Cybersecurity Advisory - Russian Threat Actors Using Compromised Routers For Cyber Operations
  The Joint Cybersecurity Advisory issued on February 27 2024 highlights the use of compromised Ubiquiti EdgeRouters by Russian state-sponsored cyber actors specifically the GRU unit APT28 (aka Fancy Bear Forest Blizzard) to conduct malicious cyber operations globally. These operations include harvesting credentials collecting NTLMv2 digests proxying network traffic and hosting spear-phishing landing pages as well as custom tools. While efforts have been made to disrupt these activities owners of impacted devices are being advised to take actions to remediate the threat including performing a hardware factory reset upgrading firmware changing default credentials and implementing strategic firewall rules.
  
  See the solution
Week 9
- Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors
  This blog details suspected Iranian espionage activity since June 2022 targeting aerospace aviation and defense entities in Israel UAE and potentially Turkey India and Albania. The campaign involves social engineering to deploy two backdoors MINIBIKE and MINIBUS and extensive use of Azure infrastructure for command and control. The activity shows potential links to Iranian actor UNC1549 which overlaps with IRGC-affiliated Tortoiseshell. The targeting focuses on sectors of strategic interest to Iran and the evasion tactics aim to mask the malicious operations.
  
  See the solution
- Ivanti Connect Secure Vulnerabilities Targeted By UNC5325
  UNC5325 a suspected threat actor with ties to China has been observed exploiting vulnerabilities in Ivanti Connect Secure appliances. They employ living-off-the-land (LotL) techniques for stealth and backdoors for persistence across system changes. UNC5325 targeted Ivanti Connect Secure appliances with CVE-2024-21893 as early as Jan. 19 2024 exploiting a server-side request forgery (SSRF) flaw in the SAML component. Subsequently they combined this with command injection vulnerabilities from CVE-2024-21887. Some instances involved using public services like Interactsh to confirm the vulnerability. Upon identifying vulnerable targets UNC5325 executed follow-up commands for reconnaissance and occasionally establishing a reverse shell.
  
  See the solution
- Gootloader Drops Cobalt Strike Beacon Through SEO Poisoning
  In February 2023 a security breach was identified where a user inadvertently downloaded and executed a file from a search result poisoned by SEO tactics resulting in a Gootloader infection. Subsequently Gootloader facilitated the deployment of a Cobalt Strike beacon payload into the hosts registry which was then executed in memory approximately nine hours later. The threat actor utilized SystemBC to tunnel RDP access into the network leading to compromises of domain controllers backup servers and other critical systems. The threat actor interactively reviewed sensitive files using RDP but it remains uncertain if any data was exfiltrated.
  
  See the solution
- Threat Actors Target The Travel Industry And Deliver AgentTesla To Travelers
  A recent malware campaign impersonating Booking.com was seen distributing a malicious email attachment to deliver a remote access trojan. The malicious PDF file masqueraded as a refund statement that lead to a chain of malicious activities using embedded scripts and URLs that were planted to download additional stages of the attack. Recipients were greeted a fake pop-up containing embedded code that prompted users to initiate the download process which included an obfuscated JavaScript and a PowerShell script The PowerShell script used evasion techniques disabled security features modified the system registry and ultimately downloaded and executed a .DLL file associated with the AgentTesla. This malware was used to perform process injection and data exfiltration targeting personal and system information that was sent to attackers private Telegram channel.
  
  See the solution
- ConnectWise ScreenConnect attacks deliver malware
  Sophos X-Ops is tracking a developing wave of vulnerability exploitation targeting unpatched ConnectWise ScreenConnect installations.
  
  See the solution
- Nood RAT Used In Attacks Against Linux Targets
  Nood RAT a variant of the Gh0st RAT malware targeting Windows systems has been active in attacks since around 2018. It disguises itself by changing its process name and encrypts its configuration and communication using the RC4 algorithm. This encryption includes using a unique key based on the current time making network-based detection challenging. The malware enables attackers to execute remote commands manage files establish Socks proxies and perform port forwarding facilitating data theft and lateral movement within compromised networks.
  
  See the solution
- Analyzing The Migo Redis Miner System Weakening Techniques
  "Researchers have identified a malware campaign targeting Redis servers for initial access. Unlike previous exploits focusing on Linux and cloud environments this campaign employs novel techniques directly against the Redis data store. Named ""Migo"" by its developers the malware aims to hijack Redis servers to mine cryptocurrency on the underlying Linux host. It utilizes specific commands to weaken Redis and execute a cryptojacking attack. Migo is distributed as a Golang ELF binary with compile-time obfuscation and the ability to persist on Linux hosts. Additionally it deploys a modified version of a popular user-mode rootkit to conceal processes and on-disk artifacts."
  
  See the solution
- Attackers leverage PyPI to sideload malicious DLLs
  ReversingLabs researchers discovered two malicious Python packages on PyPI that employed DLL sideloading to execute malicious payloads. Further investigation revealed connections to a larger campaign abusing open-source infrastructure.
  
  See the solution
- Lazarus APT Group Spreads Comebacker Malware Through PyPI
  "The Lazarus attack group has distributed malicious Python packages on PyPI the official Python package repository. These packages have names resembling legitimate packages like ""pycrypto"" often exploiting typos made by users during package installations to deploy malware. Successful installations led to systems being infected with the Comebacker downloader. Rundll32 was employed to load the downloader into memory. Once activated Comebacker initiates an HTTP POST request to the command-and-control (C2) server receiving a Windows executable file in response."
  
  See the solution
Week 8
- Pelmeni Wrapper New Wrapper of Kazuar Turla Backdoor
  A new malware sample used in targeted campaigns by the Turla APT group has been analyzed.The malware employs a new wrapper dubbed Pelmeni to deploy the Kazuar backdoor. Differences in exfiltration methods and logging from previous versions of Kazuar were identified.
  
  See the solution
- Lazarus APT Group Carries Out Attacks Against Defense Sector
  The Bundesamt fr Verfassungsschutz (BfV) of Germany and the National Intelligence Service (NIS) of South Korea issued a Joint Cyber Security Advisory regarding cyber campaigns conducted by North Korean cyber actors targeting the defense sector. The Lazarus APT group executed supply-chain and phishing attacks employing open-source tools like curl Ngrok and tcpdump. A web shell was deployed for network access and stolen information from repositories was obfuscated and sent to command and control servers.
  
  See the solution
- Abuse of Google Cloud Run in LATAM-focused malware campaigns
  Since September 2023 Cisco Talo has observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans. The infection chains associated with these malware families feature the use of malicious Microsoft Installers that function as droppers or downloaders for the final malware payload. We have observed evidence that the distribution campaigns for these malware families are related with Astaroth and Mekotio being distributed under the same Google Cloud Project.
  
  See the solution
- Technical Analysis of DarkVNC
  DarkVNC is a hidden utility based on VNC technology used for stealthy remote access. It was advertised in 2016 and received updates until 2017. DarkVNC has been used by threat actors associated with IcedID and SolarMarker campaigns. This analysis focuses on a DarkVNC sample that uses vncdll64.dll for exporting functions. It generates a unique ID to send to the C2 server along with system info. DarkVNC can search for and manipulate windows related to the desktop environment. It can also control the state of devices like keyboard and mouse and block user input. The malware gathers details on the Chrome browser install and runs cmd prompts. Detection and prevention controls like EDR solutions and training programs are recommended.
  
  See the solution
- Zardoor Backdoor Discovered In A Campaign Targeting An Islamic Organization Since 2021
  An espionage campaign believed to be active since March 2021 was identified targeting an Islamic non-profit organization along with a malware called Zardoor. The threat actor uses custom backdoors and modified reverse proxy tools to evade detection as well as employ living-off-the-land binaries (LoLBins) to carry out automated tasks like C2 communication and establishing and maintaining persistence. The Zardoor malware is deployed through a multi-stage process using a dropper and a loader that are additionally responsible for ensuring persistence via scheduled tasks and utilizing reverse proxy tools like Fast Reverse Proxy (FRP) to bypass security measures and set communication with the C2 server. Zardoors functionalities extend to gaining remote system access execution of additional payloads and execution of shellcode. To date one victim has been identified however prolonged undetected access suggests that there may be more victims.
  
  See the solution
- TinyTurla Next Generation - Turla APT spies on Polish NGOs
  Cisco Talos has identified a new backdoor authored and operated by the Turla APT group a Russian cyber espionage threat actor. This backdoor called TinyTurla-NG is similar to Turlas previous implant TinyTurla in coding style and functionality. TinyTurla-NG was seen targeting a Polish non-governmental organization working on improving Polish democracy and supporting Ukraine. The backdoor deployed PowerShell scripts called TurlaPower-NG to exfiltrate key material used to secure password databases indicating an effort to steal login credentials.
  
  See the solution
- RansomHouse am See
  Ransomhouse deploys a custom ransomware called Mario likely derived from leaked Babuk source code. Mario specifically targets ESXi hypervisors encrypting virtual machines to extort victims. The group uses a specialized tool named MrAgent to automate Marios mass deployment across large ESXi environments. MrAgent provides remote access to compromise hypervisors disable security controls and operate ransomware execution. MrAgents automation enables rapid encryption of hundreds of virtual machines. The tool gathers detailed hypervisor environment information to maximize damage. Ransomhouse can remotely configure MrAgent tracking ransomware deployment progress across infected hosts.
  
  See the solution
- Fileless Revenge RAT Malware
  AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of Revenge RAT malware that had been developed based on legitimate tools. It appears that the attackers have used tools such as smtp-validator and Email To Sms. At the time of execution the malware creates and runs both a legitimate tool and a malicious file making it difficult for users to realize that a malicious activity has occurred.
  
  See the solution
- Alpha Ransomware Emerges From NetWalker Ashes
  Alpha ransomware first appeared in February 2023 and has strong similarities to the now-defunct NetWalker ransomware. Analysis shows code overlap between Alpha and NetWalker payloads. Both use a PowerShell-based loader and have similar execution flows process/service killing logic and configuration details. After initially maintaining a low profile Alpha recently began scaling up attacks and launching a data leak site.
  
  See the solution
- RCE to Sliver IR Tales from the Field
  Rapid7 Incident Response was engaged to investigate unauthorized access to two publicly-facing Confluence servers exploited via CVE-2023-22527. Cryptomining software and a Sliver C2 payload were identified. Sliver was used to action further objectives like Kerbrute enumeration and scanning. Rapid7 performed analysis to extract IOCs and implemented containment.
  
  See the solution
Week 7
- CVE-2024-21412 Water Hydra Targets Traders With Microsoft Defender SmartScreen Zero-Day
  The APT group Water Hydra has been exploiting the Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) in its campaigns targeting financial market traders. This vulnerability which has now been patched by Microsoft was discovered and disclosed by the Trend Micro Zero Day Initiative.
  
  See the solution
- The DEvolution of Pikabot
  Pikabot is a malware loader that was first observed in early 2023 and became very active following the takedown of Qakbot in August 2023. In December 2023 Pikabot activity ceased possibly as a result of a new version of Qakbot that emerged. In February 2024 a new version of Pikabot was released with significant changes. The malware continues to pose a significant cyber threat and is in constant development although the developers have decreased the complexity level of Pikabots code by removing advanced obfuscation features.
  
  See the solution
- Financially Motivated Threat Actors Enter Through The DarkGate
  After the FBI disrupted Qakbot DarkGate loader distribution spiked targeting the financial sector in Europe and the US linked to cybercrime groups like TA577 and Ransomware-as-a-Service entities such as BianLian and Black Basta.DarkGate is often used as an initial access vector allowing threat actors to deploy additional payloads including information stealers and ransomware. DarkGate uses phishing and shares traits with IcedID hinting at possible collusion or shared methods among cyber criminals. It employs various tactics to avoid detection and maintain persistence including an internal payload crypter privilege escalation antivirus evasion and a rootkit module. Recent developments in the malware make use of malicious DNS TXT records for payload delivery and the abuse of Googles DoubleClick service to bypass security measures and version 6.1.6 introduced DLL side-loading to avoid detection.
  
  See the solution
- The Return Of BumbleBee Malware
  "Bumblebee malware reappeared in the cyber threat landscape on February 8 2024 following a four-month hiatus. This sophisticated downloader has been favored by multiple cybercriminal groups since its debut in March 2022 until October 2023. In the latest campaign thousands of emails targeted US organizations with the subject ""Voicemail February"" containing OneDrive URLs leading to Word documents posing as files from the consumer electronics company Humane. These documents such as ""ReleaseEvans96.docm"" utilized VBA macro-enabled scripts to execute multiple PowerShell commands. This use of VBA macro-enabled documents is noteworthy as it deviates from the trend of cybercriminals moving away from them especially in attacks aiming to facilitate initial access for subsequent ransomware operations."
  
  See the solution
- CharmingCypress Innovating Persistence
  This blog post describes targeted campaigns by the threat actor CharmingCypress that reveal a high level of effort dedicated to support their spear-phishing operations. CharmingCypress is highly committed to conducting surveillance on targets to determine how to manipulate them and deploy malware. The post documents new malware families associated with CharmingCypress campaigns in 2023-2024 including POWERLESS BASICSTAR and malware-laden VPN applications used to distribute NOKNOK and POWERLESS.
  
  See the solution
- Unmasking a Financial Services Intrusion REF0657
  Elastic Security Labs details an intrusion leveraging open-source tooling and different post-exploitation techniques targeting the financial services industry in South Asia.
  
  See the solution
- Cert IL Alert - An active phishing campaign is utilizing the AsyncRAT malware
  The National Cyber Directorate has identified an active phishing campaign in Israel that employs the AsyncRAT malware. This campaign utilizes email messages that impersonate legitimate communications from Israel Post or the DHL delivery service.
  
  See the solution
- Threat Actors Have Been Seen Exploiting Vulnerability CVE-2023-22527 To Deploy C3RB3R Ransomware
  Exploitation of a vulnerability in Confluence Server CVE-2023-22527 is leading to deployment of C3RB3R ransomware as well as other payloads. The vulnerability was disclosed by Atlassian in January of 2024. Following disclosure of exploit code multiple IP addresses were seen exploiting vulnerable systems. Payloads dropped included C3RB3R ransomware Sliver implant XorDDoS trojan and cryptocurrency mining malware. Due to availability of the exploit code its believed multiple threat actors have been exploiting the vulnerability. Although request content isnt logged by default signs of exploitation include POST requests to /template/aui/text-inline.vm.
  
  See the solution
- SolarMarker Infections Are On The Rise
  An unidentified threat actor targeted multiple industries including insurance manufacturing software construction real estate utilities and legal sectors. They utilized Inno Setup and PS2EXE tools to create malicious payloads employing a PowerShell script to corrupt PDF files leading to errors upon opening. The malware incorporated defensive evasion techniques by including junk instructions. Following successful compromises secondary malicious payloads such as info-stealers and hVNC were loaded onto the compromised systems.
  
  See the solution
- Coyote Banking Trojan Abuses The Squirrel Installer
  The Coyote banking Trojan targets users of over 60 banking institutions primarily in Brazil. It spreads via the Squirrel installer employing NodeJS and Nim to execute its infection. After installation it runs a NodeJS application compiled with Electron which executes obfuscated JavaScript code to copy executables to a designated folder and launch them. Coyote uses DLL sideloading for loading and persists through Windows logon scripts It lacks code obfuscation but employs AES encryption for string obfuscation. The Trojans objective is typical of banking malware monitoring applications for banking activity capturing keystrokes and screenshots terminating processes and potentially shutting down infected devices.
  
  See the solution
- A Python MP3 Player with Builtin Keylogger Capability
  A recently discovered Python script includes a graphical user interface mimicking an MP3 player but also contains a keylogger that sends all keystrokes to a command and control server. This demonstrates the power of keyloggers to capture sensitive information like passwords even when robust passwords are used.
  
  See the solution
- Attackers Are Hiding Malware in fake Browser Updates
  Attackers Are Hiding Malware in fake Browser Updates
  
  See the solution
- THREAT ALERT Ivanti Connect Secure VPN Zero-Day Exploitation
  Ivanti VPN appliances have been exploited through two critical vulnerabilities CVE-2023-46805 and CVE-2024-21887 which were not patched at the time of disclosure.
  
  See the solution
Week 6
- RedCurl cyber spies aim for Australia Singapore and Hong Kong
  RedCurl a Russian-speaking group have been ramping up attacks outside of Russia since October 2023. New attacks have been observed in Australia Singapore and Hong Kong.
  
  See the solution
Week 5
- PRC State-Sponsored Actors Compromise and Gain Access to US Critical Infrastructure
  This report provides analysis of three files obtained from critical infrastructure compromised by Chinese state-sponsored threat actor Volt Typhoon. The files enable command-and-control and discovery capabilities. Volt Typhoon is known to target US critical infrastructure. The report provides technical analysis of the files including tags relationships between files and command-and-control infrastructure and recommendations for defense.
  
  See the solution
- Exploring the Not So Secret Code of Black Hunt Ransomware
  A recent analysis by cybersecurity researchers examined the capabilities and risks of the Black Hunt ransomware variant. The malware shares code similarities with Lockbit and uses techniques akin to REvil ransomware. The analysis found Black Hunt manipulates access tokens disables security tools spreads via network shares and encrypts files. It also detected notable features like whitelisting certain languages utilizing Safe Mode and more.
  
  See the solution
- APT-K-47 group uses new malware tools to launch data theft attacks
  The APT-K-47 group deployed new and previously undisclosed malware tools including WalkerShell DemoTrySpy NixBackdoor and Nimbo-C2 to compromise targets and steal sensitive data. After gaining initial access the attackers downloaded additional payloads like ORPCBackdoor to establish persistence. The campaign targeted organizations in countries like Russia Pakistan Bangladesh and the United States across multiple industries. The attackers were able to traverse file systems to exfiltrate documents of interest and steal browser passwords. The report examines the new malware tools in detail including their capabilities and role in the attack chain.
  
  See the solution
- Buzzing On Christmas Eve Trigona Ransomware In 3 Hours
  Researchers discovered a cyberattack incident where Trigona ransomware was deployed within 3 hours of initial access. The intrusion began with the threat actor gaining access to an exposed RDP host using legitimate credentials for the default Administrator account. They deployed a toolkit including batch scripts and the SoftPerfect Netscan tool for network reconnaissance. The threat actor identified network shares explored documents and initiated lateral movement by establishing an RDP connection to a file server. Then they copied their toolkit to the server staged Rclone disabled Windows Defender and exfiltrated data to Mega. Then the actor accessed file share servers disabled Windows Defender and staged the ransomware payload on each of the hosts they had access to. After that the Trigona payload was executed propagating itself across the network via the SMB protocol.
  
  See the solution
- CrackedCantil Malware Work Together
  AnyRun researchers dive into a recent case of something they call a malware symphony. Its a way to describe how different types of malware can work together sort of like instruments in an orchestra.
  
  See the solution
- Disclosing The Intricacies Of DiceLoader Malware
  DiceLoader also known as Lizar and Tirion is loader malware associated with the FIN7 threat group. It serves to load additional malicious software including remote access trojans. FIN7 active since 2015 operates like a corporate business with Russian-speaking members concealing its activities behind front companies. It targets multiple sectors including retail and hospitality across regions such as the United States the United Kingdom Australia and France. DiceLoader a small-sized malware in FIN7s arsenal uses various internal structures to hinder analysis and is dropped by a PowerShell script. Its operations involve obfuscation reflective code loading dynamic API resolution and non-standard encoding.
  
  See the solution
- Smargaft Harnesses EtherHiding for Stealthy C2 Hosting
  Smargaft uses the Binance Smart Chain to host commands and control(C2) server and it spreads through Shell scripts to keep itself going. Because of its smart use of contracts and Gafgyts methods weve decided to call it Smargaft. It mainly does DDoS attacks runs system commands and lets users connect anonymously using socks5 proxy.
  
  See the solution
Week 4
- Another Phobos Ransomware Variant Launches Attack
  A new variant of the Phobos ransomware has been launched by attackers using the Gitea service to store files encoded in Base64 according to FortiGuard Labs.
  
  See the solution
- The Endless Struggle Against APT10 Insights from LODEINFO
  The latest version of the LODEINFO malware has been discovered in 2023 and it is believed to have been updated with new features as well as changes to the anti-analysis techniques.
  See the solution

View more Back to top