www.secnews.physaphae.fr

This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of articles from multiple sources; the list of sources can be found on www.secnews.physaphae.fr. Last updated: 2024-05-29T00:11:21+00:00. All items below come from the source "RiskIQ - cyber risk firms (now microsoft)".

# ShrinkLocker: Turning BitLocker into Ransomware

#### Targeted Geolocations
- Mexico
- Indonesia
- Jordan

## Snapshot
Researchers at Kaspersky identified an incident in which attackers deployed an advanced Visual Basic Script (VBScript) that abused BitLocker for unauthorized file encryption.

## Description
BitLocker was originally designed to protect data from being stolen or exposed when devices are lost, stolen, or improperly disposed of. However, attackers have discovered how to exploit this feature for malicious purposes. Kaspersky researchers have detected this script and its modified versions in Mexico, Indonesia, and Jordan.

Initially, the script uses Windows Management Instrumentation (WMI) to gather operating system (OS) information. It checks the current domain and OS version, terminating itself if it encounters certain conditions, such as older Windows versions like XP or Vista. The script performs disk resizing operations only on fixed drives, to avoid detection tools on network drives. For Windows Server 2008 and 2012, it shrinks non-boot partitions, creates new partitions, formats them, and reinstalls boot files using diskpart and bcdboot.
For other Windows versions, similar operations are executed wit…

Published 2024-05-28T19:40:48+00:00 | https://community.riskiq.com/article/7589c689 | www.secnews.physaphae.fr/article.php?IdArticle=8508788 | Tags: Threat, Ransomware, Tool

# Weekly OSINT Highlights, 28 May 2024

Published 2024-05-28T17:37:40+00:00 | https://community.riskiq.com/article/eb5e10a2 | www.secnews.physaphae.fr/article.php?IdArticle=8508725 | Tags: Threat, Ransomware, Malware, Hack, Tool | Related: APT 34

# Chinese hackers hide on military and govt networks for 6 years

Published 2024-05-24T18:42:00+00:00 | https://community.riskiq.com/article/c95e7fd5 | www.secnews.physaphae.fr/article.php?IdArticle=8506285 | Tags: Threat, Ransomware, Spam, Malware, Tool, Commercial

# Moonstone Sleet using malicious tank game to infect devices

Published 2024-05-24T17:17:36+00:00 | https://community.riskiq.com/article/a8c96e40 | www.secnews.physaphae.fr/article.php?IdArticle=8508821 | Tags: Threat, Malware, Tool

# Crimeware Report: Acrid, ScarletStealer, and Sys01 Stealers

Published 2024-05-24T01:09:17+00:00 | https://community.riskiq.com/article/8ca39741 | www.secnews.physaphae.fr/article.php?IdArticle=8505826 | Tags: Threat, Ransomware, Spam, Malware, Tool

# Grandoreiro Banking Trojan Resurfaces in Global Campaign

Published 2024-05-22T16:31:26+00:00 | https://community.riskiq.com/article/bc072613 | www.secnews.physaphae.fr/article.php?IdArticle=8504898 | Tags: Threat, Spam, Malware, Tool, Legislation
# Bad Karma, No Justice: Void Manticore Destructive Activities in Israel

Published 2024-05-22T15:21:21+00:00 | https://community.riskiq.com/article/d5d5c07f | www.secnews.physaphae.fr/article.php?IdArticle=8504864 | Tags: Threat, Ransomware, Malware, Tool | Related: APT 34

# Security Brief: Artificial Sweetener: SugarGh0st RAT Used to Target American Artificial Intelligence Experts

#### Targeted Geolocations
- United States

#### Targeted Industries
- Education
- Higher Education
- Government Agencies & Services

## Snapshot
Proofpoint has detected a SugarGh0st RAT campaign, active during May 2024, aimed at US organizations involved in artificial intelligence, including those in academia, private industry, and government.

## Description
The campaign uses a remote access trojan (RAT) variant of the older Gh0stRAT. Historically, Gh0stRAT has been used by Chinese-speaking threat actors to target users in Central and East Asia.

In this campaign, the threat actors used a free email account to send AI-themed spearphishing emails instructing targets to open an attached zip file. Upon opening the file, an LNK shortcut deployed a JavaScript dropper that then installed the SugarGh0st payload, employing techniques such as base64 encoding, ActiveX tool abuse, and multi-stage shellcode execution to establish persistence and exfiltrate data.

Proofpoint notes that it has observed a relatively small number of campaigns involving SugarGh0st RAT since it was first detected in 2023. Previous targets include a US telecommunications company, an international media organization, and a South Asian government organization. Proofpoint assesses that these campaigns are extremely targeted: the most recent campaign appears to have targeted fewer than 10 individuals, all of whom are connected to a single US artificial intelligence organization.
## References
[Security Brief: Artificial Sweetener: SugarGh0st RAT Used to Target American Artificial Intelligence Experts](https://www.proofpoint.com/us/newsroom/news/us-ai-experts-targeted-sugargh0st-rat-campaign). Microsoft (accessed 2024-05-21)

Published 2024-05-21T15:18:47+00:00 | https://community.riskiq.com/article/a67a621d | www.secnews.physaphae.fr/article.php?IdArticle=8504155 | Tags: Threat, Tool

# Weekly OSINT Highlights, 20 May 2024

Published 2024-05-20T14:19:33+00:00 | https://community.riskiq.com/article/8374cff8 | www.secnews.physaphae.fr/article.php?IdArticle=8503469 | Tags: Threat, Ransomware, Malware, Tool, Vulnerability, Medical

# Email Campaign Distributes LockBit Black Ransomware via Phorpiex Botnet

Published 2024-05-17T19:54:33+00:00 | https://community.riskiq.com/article/ce0bf000 | www.secnews.physaphae.fr/article.php?IdArticle=8501845 | Tags: Threat, Ransomware, Tool

# To the Moon and back(doors): Lunar landing in diplomatic missions

Published 2024-05-17T19:11:34+00:00 | https://community.riskiq.com/article/86a682a8 | www.secnews.physaphae.fr/article.php?IdArticle=8501846 | Tags: Threat, Malware, Tool, Technical

# Malware Distributed as Copyright Violation-Related Materials (Beast Ransomware, Vidar Infostealer)

Published 2024-05-16T19:51:14+00:00 | https://community.riskiq.com/article/95ff5bf6 | www.secnews.physaphae.fr/article.php?IdArticle=8501182 | Tags: Threat, Ransomware, Spam, Malware, Tool

# GitCaught: Threat Actor Leverages GitHub Repository for Malicious Infrastructure
Published 2024-05-15T20:41:19+00:00 | https://community.riskiq.com/article/4782de66 | www.secnews.physaphae.fr/article.php?IdArticle=8500488 | Tags: Threat, Ransomware, Malware, Tool

# FIN7 Exploits Trusted Brands and Google Ads to Deliver Malicious MSIX Payloads

Published 2024-05-15T20:23:43+00:00 | https://community.riskiq.com/article/6c0c8997 | www.secnews.physaphae.fr/article.php?IdArticle=8500489 | Tags: Threat, Malware, Tool, Prediction

# #StopRansomware: Black Basta

## Snapshot
The joint Cybersecurity Advisory (CSA) released by the FBI, CISA, HHS, and MS-ISAC provides detailed information on the Black Basta ransomware variant, a ransomware-as-a-service (RaaS) that has targeted critical infrastructure sectors, including healthcare.

## Description
Black Basta affiliates gain initial access through techniques such as phishing, exploiting vulnerabilities, and abusing valid credentials. Once inside the victim's network, they employ a double-extortion model, encrypting systems and exfiltrating data. The threat actors use various tools for network scanning, reconnaissance, lateral movement, privilege escalation, exfiltration, and encryption, including SoftPerfect network scanner, BITSAdmin, PsExec, RClone, and Mimikatz. The Black Basta ransomware variant, operating as a RaaS, has impacted over 500 organizations globally as of May 2024, primarily gaining initial access through spearphishing, exploiting known vulnerabilities, and abusing valid credentials. The ransom notes do not generally include an initial ransom demand or payment instructions; instead they provide victims with a unique code and instruct them to contact the ransomware group via a .onion URL reachable through the Tor browser.
The advisory urges critical infrastructure organizations, especially those in the Healthcare and Public Health (HPH) Sector, to apply the recommended mitigations to reduce the likelihood of compromise by Black Basta and other ransomware, and encourages victims of ransomware to report the incident to their local FBI field office or CISA.

## References
["#StopRansomware: Black Basta"](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a) CISA. (Accessed 2024-05-13)

Published 2024-05-14T20:40:25+00:00 | https://community.riskiq.com/article/f32fd613 | www.secnews.physaphae.fr/article.php?IdArticle=8499814 | Tags: Threat, Ransomware, Tool, Vulnerability, Medical

# Security Brief: Millions of Messages Distribute LockBit Black Ransomware

Published 2024-05-14T20:34:29+00:00 | https://community.riskiq.com/article/5b5aaff4 | www.secnews.physaphae.fr/article.php?IdArticle=8499815 | Tags: Threat, Ransomware, Spam, Malware, Tool, Vulnerability

# Weekly OSINT Highlights, 13 May 2024

Published 2024-05-13T13:30:14+00:00 | https://community.riskiq.com/article/fd207107 | www.secnews.physaphae.fr/article.php?IdArticle=8498946 | Tags: Threat, Spam, Malware, Cloud, Tool, Vulnerability | Related: APT 42

# North Korean Hackers Abusing Facebook & MS Management Console

## Snapshot
The North Korean hacking group Kimsuky has been observed using sophisticated methods to conduct espionage activities, including the exploitation of social media platforms and system management tools.

**Microsoft tracks Kimsuky as Emerald Sleet.
[Read more about Emerald Sleet here.](https://security.microsoft.com/intel-profiles/f1e214422dcaf4fb337dc703ee4ed596d8ae16f942f442b895752ad9f41dd58e)**

## Description
The group has been using fake Facebook profiles to target individuals involved in North Korean human rights and security affairs, engaging with potential targets through friend requests and personal messages. This social engineering tactic is designed to build trust and lure the targets into a trap that eventually leads to the sharing of malicious links or documents. Additionally, Kimsuky has adopted Microsoft Management Console (MMC) files, disguised as innocuous documents, to execute malicious commands on victims' systems. Once opened, these files can allow the attackers to gain control over the system or exfiltrate sensitive information, ultimately establishing a command and control (C2) channel to manage the compromised systems remotely. The use of social media platforms like Facebook for initial contact and the deployment of system management tools for executing attacks represents a significant escalation in cyber threat tactics. These methods indicate a shift towards stealthier, socially engineered attacks that can bypass conventional security measures. The recent activities of the Kimsuky group underscore the continuous evolution of cyber threat actors and the need for robust cyb…

Published 2024-05-10T19:33:41+00:00 | https://community.riskiq.com/article/6e7f4a30 | www.secnews.physaphae.fr/article.php?IdArticle=8497417 | Tags: Threat, Tool

# SocGholish Attacks Enterprises Via Fake Browser Updates

## Snapshot
SocGholish (also known as FakeUpdates), a malware family known for its stealth and the intricacy of its delivery mechanisms, is targeting enterprises with deceptive browser update prompts.
## Description
As reported by eSentire, compromised legitimate websites serve as the infection vector: malicious JavaScript injected into them prompts users to download browser updates. The downloaded files contain SocGholish malware, initiating the infection process upon execution.

The script employs various techniques to avoid detection and evade analysis. First, it checks whether the browser is being controlled by automation tools and terminates execution if so. Next, it checks whether the browser window has undergone significant manipulation, to determine if the environment is being monitored. Additionally, it inspects for specific WordPress cookies and halts further actions if the user is logged into a WordPress site. If none of these conditions apply, it establishes a mouse movement event listener, tr…

Published 2024-05-10T16:50:08+00:00 | https://community.riskiq.com/article/c5bf96a0 | www.secnews.physaphae.fr/article.php?IdArticle=8497333 | Tags: Threat, Malware, Tool

# HijackLoader Updates

## Snapshot
Researchers at Zscaler have published a report about the evolution of HijackLoader, a malware loader, and its new evasion tactics.

## Description
HijackLoader, also known as IDAT Loader, emerged in 2023 as a malware loader equipped with versatile modules for injecting and executing code. HijackLoader has a modular architecture, an attribute that sets it apart from typical loaders.

Zscaler researchers analyzed a new HijackLoader variant that features upgraded evasion techniques. These enhancements aim to improve the malware's stealth, prolonging its ability to evade detection. The latest version of HijackLoader introduces modules to bypass Windows Defender Antivirus, circumvent User Account Control (UAC), evade inline API hooking commonly used by security tools, and utilize process hollowing.
HijackLoader's delivery mechanism involves a PNG image that is decrypted and parsed to load the subsequent stage of the attack. HijackLoader has been observed serving as a delivery mechanism for various malware families, including Amadey, [Lumma Stealer](https://sip.security.microsoft.com/intel-profiles/33933578825488511c30b0728dd3c4f8b5ca20e41c285a56f796eb39f57531ad), Raccoon Stealer v2, and Remcos RAT.

## Detections
Microsoft Defender Antivirus detects threat components as the following malware:
- [Trojan:Win32/HijackLoader](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/HijackLoader.AHJ!MTB&threatId=-2147058662)

## References
[HijackLoader Updates](https://www.zscaler.com/blogs/security-research/hijackloader-updates). Zscaler (accessed 2024-05-09)

Published 2024-05-09T16:11:06+00:00 | https://community.riskiq.com/article/8c997d7c | www.secnews.physaphae.fr/article.php?IdArticle=8496698 | Tags: Threat, Malware, Tool

# Hackers Abuse Google Search Ads to Deliver MSI-Packed Malware

Published 2024-05-09T00:49:06+00:00 | https://community.riskiq.com/article/1f1ae96f | www.secnews.physaphae.fr/article.php?IdArticle=8496261 | Tags: Threat, Ransomware, Malware, Cloud, Tool, Prediction

# Weekly OSINT Highlights, 6 May 2024

Published 2024-05-06T16:26:54+00:00 | https://community.riskiq.com/article/157eab98 | www.secnews.physaphae.fr/article.php?IdArticle=8494726 | Tags: Threat, Ransomware, Malware, Tool, Vulnerability

# Threat Actors Attacking MS-SQL Servers to Deploy Ransomware

## Snapshot
Cybersecurity professionals at GBHackers have discovered a series
of cyberattacks targeting poorly managed Microsoft SQL (MS-SQL) servers to install Mallox ransomware on the compromised systems. **Read more about Microsoft's coverage of [Mallox ransomware here.](https://sip.security.microsoft.com/intel-profiles/7fbe39c998c8a495a1652ac6f8bd34852c00f97dc61278cafc56dca1d443131e)**

## Description
The threat actor group's modus operandi involves exploiting vulnerabilities in improperly managed MS-SQL servers. By employing brute force and dictionary attacks, the attackers gain unauthorized access, primarily targeting the SA (System Administrator) account.

Once inside, they deploy the Remcos Remote Access Tool (RAT) to take control of the infected system. Remcos RAT, initially used for system breach and control, has been repurposed by attackers for malicious activities, featuring capabilities such as keylogging, screenshot capture, and control over webcams and microphones.

Additionally, a custom-made remote screen control malware is deployed, allowing attackers to access the infected system using the AnyDesk ID obtained from the command and control server. Mallox ransomware, known for targeting MS-SQL servers, is then installed to encrypt the system.

Mallox ransomware uses the AES-256 and SHA-256 algorithms, appending a ".rmallox" extension to encrypted files.
The attack patterns observed in this campaign bear a striking resemblance to …

Published 2024-05-03T20:14:15+00:00 | https://community.riskiq.com/article/f5f3ecc6 | www.secnews.physaphae.fr/article.php?IdArticle=8493202 | Tags: Threat, Ransomware, Malware, Tool, Technical, Vulnerability

# Malware Campaign Attempts Abuse of Sophos Binaries

Published 2024-05-01T20:56:45+00:00 | https://community.riskiq.com/article/e27d7355 | www.secnews.physaphae.fr/article.php?IdArticle=8492041 | Tags: Threat, Ransomware, Malware, Tool

# “Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps

Published 2024-05-01T19:46:49+00:00 | https://community.riskiq.com/article/ddb0878a | www.secnews.physaphae.fr/article.php?IdArticle=8492016 | Tags: Threat, Studies, Tool, Technical, Mobile, Vulnerability

# MuddyWater Campaign Abusing Atera Agents

Published 2024-05-01T19:01:06+00:00 | https://community.riskiq.com/article/9a596ba8 | www.secnews.physaphae.fr/article.php?IdArticle=8492017 | Tags: Threat, Malware, Tool, Commercial, Medical

# From IcedID to Dagon Locker Ransomware in 29 Days

## Snapshot
The DFIR Report provides a detailed account of a sophisticated intrusion that began with a phishing campaign using PrometheusTDS to distribute IcedID malware in August 2023.

## Description
The IcedID malware established persistence, communicated with C2 servers, and dropped a Cobalt Strike beacon, which was used for lateral movement, data exfiltration, and ransomware deployment.
The threat actor also utilized a suite of tools including Rclone, Netscan, Nbtscan, AnyDesk, Seatbelt, Sharefinder, and AdFind. The intrusion culminated in the deployment of Dagon Locker ransomware after 29 days. The threat actors employed various techniques to obfuscate the JavaScript file and the Cobalt Strike shellcode, evade detection, maintain persistence, and perform network enumeration. The threat actor's activities included the abuse of lateral movement functionality such as PsExec and Remote Desktop Protocol (RDP), exfiltration of files, dumping and exfiltration of Windows Security event logs, and the use of PowerShell commands executed from the Cobalt Strike beacon. Additionally, the threat actor employed multiple exfiltration techniques, including the use of Rclone and the AWS CLI to exfiltrate data from the compromised infrastructure. The deployment of Dagon Locker was facilitated through a custom PowerShell script, AWScollector, and a locker module, with a specific PowerShell command run from a domain controller to deploy the ransomware to different systems. The impact of this incident was that all systems were affected by the Dagon Locker ransomware.
## References
[https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/](https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/)

Published 2024-04-29T20:07:15+00:00 | https://community.riskiq.com/article/55e96eb8 | www.secnews.physaphae.fr/article.php?IdArticle=8490876 | Tags: Threat, Ransomware, Malware, Tool, Technical

# Weekly OSINT Highlights, 29 April 2024

Published 2024-04-29T16:05:58+00:00 | https://community.riskiq.com/article/aa388c3b | www.secnews.physaphae.fr/article.php?IdArticle=8490778 | Tags: Threat, Ransomware, Malware, Tool, Mobile, Industrial, Vulnerability

# ToddyCat APT Group Hones Data Exfiltration Tactics, Exploits Legitimate Tools

Published 2024-04-26T19:12:08+00:00 | https://community.riskiq.com/article/2641df15 | www.secnews.physaphae.fr/article.php?IdArticle=8489234 | Tags: Threat, Ransomware, Spam, Malware, Cloud, Tool, Industrial

# Ransomware Roundup - KageNoHitobito and DoNex

Published 2024-04-26T17:23:14+00:00 | https://community.riskiq.com/article/ff848e92 | www.secnews.physaphae.fr/article.php?IdArticle=8489191 | Tags: Threat, Ransomware, Malware, Tool

# ArcaneDoor - New Espionage-Focused Campaign Found Targeting Perimeter Network Devices

## Snapshot
Cisco Talos reports that the ArcaneDoor campaign, attributed to the state-sponsored actor UAT4356 (tracked by Microsoft as Storm-1849), targets perimeter network devices from multiple vendors, particularly Cisco Adaptive Security Appliances (ASA).
Microsoft tracks this actor as Storm-1849; [read more about them here.](https://sip.security.microsoft.com/intel-profiles/f3676211c9f06910f7f1f233d81347c1b837bddd93292c2e8f2eb860a27ad8d5)

Published 2024-04-24T19:34:05+00:00 | https://community.riskiq.com/article/a0cf0328 | www.secnews.physaphae.fr/article.php?IdArticle=8488184 | Tags: Threat, Malware, Tool, Vulnerability

# Threat Group FIN7 Targets the U.S. Automotive Industry

#### Targeted Geolocations
- United States

## Snapshot
In late 2023, BlackBerry analysts detected a spear-phishing campaign launched by FIN7, tracked by Microsoft as Sangria Tempest, targeting a US-based automotive manufacturer.

## Description
The attackers concentrated on employees within the IT department who held elevated administrative privileges, luring them with an offer of a free IP scanning tool that concealed the Anunak backdoor. This incident demonstrates a shift in FIN7's efforts from widespread targeting to more precise targeting of high-value sectors such as transportation and defense. Upon clicking embedded URLs, victims were directed to malicious websites, part of a typosquatting scheme, which facilitated the download and execution of the Anunak backdoor onto their systems. The use of living-off-the-land binaries, scripts, and libraries (LOLBAS) masked the malicious activity, aiding the attackers' initial foothold. Furthermore, the malware execution flow involved intricate multi-stage processes, including the decryption and execution of payloads such as Anunak, and the establishment of persistence through OpenSSH.
During the delivery phase of this campaign, the fake lure website, advanced-ip-sccanner[.]com, redirected to myipscanner[.]com. BlackBerry analysts found multiple domains registered within minutes of the original on the same provider, indicating that this activity is likely not limited to this attack but is instead part of a wider campaign by FIN7.

## References
[https://blogs.blackberry.com/en/2024/04/fin7-targets-the-united-states-automotive-industry](https://blogs.blackberry.com/en/2024/04/fin7-targets-the-united-states-automotive-industry)

Published 2024-04-18T20:37:30+00:00 | https://community.riskiq.com/article/e14e343c | www.secnews.physaphae.fr/article.php?IdArticle=8484949 | Tags: Threat, Malware, Tool

# Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)

## Snapshot
On April 10, 2024, Volexity discovered zero-day exploitation of a vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers. The vulnerability was confirmed as an OS command injection issue and assigned CVE-2024-3400. It is an unauthenticated remote code execution vulnerability with a CVSS base score of 10.0. The threat actor, which Volexity tracks under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device. The attacker focused on exporting configuration data from the devices and then leveraging it as an entry point to move laterally within the victim organizations. During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests.
UTA0218 was observed exploiting firewall devices to successfully deploy malicious payloads. After successfully exploiting devices, UTA0218 downloaded additional tooling from remote servers they controlled in order to facilitate access to victims' internal networks. They quickly moved laterally thr…

Published 2024-04-15T20:31:45+00:00 | https://community.riskiq.com/article/958d183b | www.secnews.physaphae.fr/article.php?IdArticle=8482982 | Tags: Threat, Tool, Vulnerability

# Weekly OSINT Highlights, 15 April 2024

Published 2024-04-15T15:15:00+00:00 | https://community.riskiq.com/article/c2035b32 | www.secnews.physaphae.fr/article.php?IdArticle=8482834 | Tags: Threat, Ransomware, Spam, Malware, Tool, Prediction

# TA547 Targets German Organizations with Rhadamanthys Stealer

#### Targeted Geolocations
- Germany

## Snapshot
Proofpoint has identified TA547 launching an email campaign targeting German organizations with Rhadamanthys malware, marking the first known use of Rhadamanthys by this threat actor. The campaign impersonated a German retail company in emails carrying password-protected ZIP files purportedly related to invoices, and targeted multiple industries in Germany.

## Description
The ZIP files contained LNK files which, when executed, triggered a PowerShell script that ran a remote script loading Rhadamanthys into memory, avoiding any write to disk. The PowerShell script displayed characteristics suggestive of machine-generated content, potentially from large language models (LLMs).

The recent campaign in Germany represents a shift in techniques for TA547, including the use of compressed LNKs and the previously unobserved Rhadamanthys stealer.
The incorporation of suspected LLM-generated content into the attack chain provides insight into how threat actors are leveraging LLM-generated content in malware campaigns, although it did not change the functionality or efficacy of the malware or the way security tools defended against it.

## Recommendations
[Check out Microsoft's write-up on information stealers here.](https://sip.security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6)

[Check out additional OSINT on Rhadamanthys here.](https://sip.security.microsoft.com/intel-explorer/articles/0131b256)

## References
[https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer](https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer)

Published 2024-04-12T18:11:30+00:00 | https://community.riskiq.com/article/119bde85 | www.secnews.physaphae.fr/article.php?IdArticle=8480922 | Tags: Threat, Malware, Tool

# ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins

## Snapshot
The article from FortiGuard Labs Threat Research uncovers a recent threat actor's distribution of VenomRAT and other plugins through a phishing email containing malicious Scalable Vector Graphics (SVG) files.

## Description
The email entices victims to click on an attachment, which downloads a ZIP file containing a Batch file obfuscated with the BatCloak tool. Subsequently, ScrubCrypt is used to load the final payload, VenomRAT, while maintaining a connection with a command and control (C2) server to install plugins in victims' environments. The plugin files downloaded from the C2 server include VenomRAT version 6, Remcos, XWorm, NanoCore, and a stealer designed for specific crypto wallets.
## References
[https://www.fortinet.com/blog/threat-research/scrubcrypt-deploys-venomrat-with-arsenal-of-plugins](https://www.fortinet.com/blog/threat-research/scrubcrypt-deploys-venomrat-with-arsenal-of-plugins)

Published 2024-04-08T20:36:41+00:00 | https://community.riskiq.com/article/98d69c76 | www.secnews.physaphae.fr/article.php?IdArticle=8478320 | Tags: Threat, Tool

# Weekly OSINT Highlights, 8 April 2024

Published 2024-04-08T15:09:15+00:00 | https://community.riskiq.com/article/974639f2 | www.secnews.physaphae.fr/article.php?IdArticle=8478203 | Tags: Threat, Ransomware, Spam, Malware, Cloud, Tool | Related: APT 41

# Same targets, new playbooks: East Asia threat actors employ unique methods

Published 2024-04-05T13:39:39+00:00 | https://community.riskiq.com/article/b4f39b04 | www.secnews.physaphae.fr/article.php?IdArticle=8476526 | Tags: Threat, Malware, Studies, Tool, Technical, Prediction, Industrial, Vulnerability | Related: Guam

# Earth Freybug Uses UNAPIMON for Unhooking Critical APIs

#### Description
Trend Micro analyzed a cyberespionage attack the company has attributed to Earth Freybug, a subset of APT41 (tracked by Microsoft as [Brass Typhoon](https://sip.security.microsoft.com/intel-profiles/f0aaa62bfbaf3739bb92106688e6a00fc05eafc0d4158b0e389b4078112d37c6?)). According to Trend Micro, Earth Freybug has been active since at least 2012, and the China-linked group has engaged in both espionage and financially motivated attacks. Earth Freybug employs diverse tools such as LOLBins and custom malware, targeting organizations globally. The attack used techniques such as dynamic link library (DLL) hijacking and API unhooking to avoid monitoring of a new malware called UNAPIMON.
UNAPIMON evades detection by preventing child processes from being monitored. The attack flow involved creating remote scheduled tasks and executing reconnaissance commands to gather system information. Subsequently, a backdoor was launched using DLL side-loading via a service called SessionEnv, which loads a malicious DLL. UNAPIMON, the injected DLL, uses API hooking to evade monitoring and execute malicious commands undetected, showcasing the attackers\' sophistication. [Check out Microsoft\'s write-up on dynamic-link library (DLL) hijacking here.](https://sip.security.microsoft.com/intel-explorer/articles/91be20e8?) #### Reference URL(s) 1. https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html #### Publication Date April 2, 2024 #### Author(s) Christopher So]]> 2024-04-03T20:46:53+00:00 https://community.riskiq.com/article/327771c8 www.secnews.physaphae.fr/article.php?IdArticle=8475473 False Malware,Tool,Prediction APT 41 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Malware Spotlight: Linodas aka DinodasRAT for Linux #### Description Check Point Research has analyzed the latest Linux version (v11) of DinodasRAT, which is a cross-platform backdoor that was observed in attacks by the Chinese threat actor LuoYu. The malware is more mature than the Windows version, with a set of capabilities tailored specifically for Linux servers. The latest version introduces a separate evasion module to hide any traces of malware in the system by proxying and modifying the system binaries\' execution. The malware is installed on Linux servers as a way for the threat actors to gain an additional foothold in the network. DinodasRAT was initially based on the open-source project called SimpleRemoter, a remote access tool based on the Gh0st RAT, but with several additional upgrades. #### Reference URL(s) 1. 
https://research.checkpoint.com/2024/29676/ #### Publication Date March 31, 2024 #### Author(s) Check Point Research ]]> 2024-04-02T20:33:27+00:00 https://community.riskiq.com/article/57ab8662 www.secnews.physaphae.fr/article.php?IdArticle=8474837 False Threat,Malware,Tool None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 1er avril 2024<br>Weekly OSINT Highlights, 1 April 2024 2024-04-01T13:51:22+00:00 https://community.riskiq.com/article/0bb98406 www.secnews.physaphae.fr/article.php?IdArticle=8474062 False Threat,Ransomware,Spam,Malware,Cloud,Tool,Mobile,Vulnerability None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 25 mars 2024<br>Weekly OSINT Highlights, 25 March 2024 2024-03-25T13:28:48+00:00 https://community.riskiq.com/article/95f9e604 www.secnews.physaphae.fr/article.php?IdArticle=8470186 False Threat,Ransomware,Spam,Malware,Tool,Vulnerability None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Opération Phantomblu: la méthode nouvelle et évasive fournit un rat Netsupport<br>Operation PhantomBlu: New and Evasive Method Delivers NetSupport RAT #### Description Perception Point\'s security researchers uncovered the PhantomBlu campaign targeting US-based organizations, deploying the NetSupport RAT through sophisticated evasion techniques and social engineering tactics. The attackers used legitimate features of remote administration tools, such as NetSupport Manager, for malicious activities like surveillance, keylogging, file transfer, and system control. The campaign leveraged OLE template manipulation in Microsoft Office documents to hide and execute malicious code, evading traditional security systems. Through analysis of phishing emails and payloads, the researchers identified the attackers\' preference for using reputable email delivery platforms and their intricate PowerShell dropper techniques. 
The PhantomBlu operation represents an evolution in malware delivery strategies, blending advanced evasion methods with social engineering to compromise targeted organizations effectively. #### Reference URL(s) 1. https://perception-point.io/blog/operation-phantomblu-new-and-evasive-method-delivers-netsupport-rat/ #### Publication Date March 18, 2024 #### Author(s) Ariel Davidpur]]> 2024-03-19T21:16:06+00:00 https://community.riskiq.com/article/356f4d44 www.secnews.physaphae.fr/article.php?IdArticle=8466954 False Malware,Tool None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires OSINT, 18 mars 2024<br>Weekly OSINT Highlights, 18 March 2024 2024-03-18T13:23:03+00:00 https://community.riskiq.com/article/54f79303 www.secnews.physaphae.fr/article.php?IdArticle=8466085 False Threat,Ransomware,Spam,Malware,Tool,Prediction None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires OSINT, 11 mars 2024<br>Weekly OSINT Highlights, 11 March 2024 2024-03-11T13:43:18+00:00 https://community.riskiq.com/article/0d210725 www.secnews.physaphae.fr/article.php?IdArticle=8462154 False Threat,Ransomware,Malware,Cloud,Tool,Prediction,Vulnerability None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities #### Description Check Point reports Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. At least in one case of Ivanti Connect Secure VPN (CVE-2024-21887), the exploit entered the group\'s arsenal as fast as within 1 day after a POC for it was published. The group has targeted Ivanti, Magento, Qlink Sense, and possibly Apache ActiveMQ. 
Analysis of the actor\'s recent Ivanti Connect Secure VPN campaign revealed a novel Linux version of a malware called NerbianRAT, in addition to WARPWIRE, a JavaScript credential stealer. The actor\'s arsenal also includes MiniNerbian, a small Linux backdoor, and remote monitoring and management (RMM) tools for Windows like ScreenConnect and AnyDesk. #### Reference URL(s) 1. https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/ #### Publication Date March 8, 2024 #### Author(s) Check Point ]]> 2024-03-08T17:30:16+00:00 https://community.riskiq.com/article/11616c16 www.secnews.physaphae.fr/article.php?IdArticle=8460926 False Threat,Malware,Tool,Vulnerability None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Fil de spinning - Une nouvelle campagne de logiciels malveillants Linux cible Docker, Apache Hadoop, Redis et Confluence<br>Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence #### Description Cado Security Labs researchers have recently encountered an emerging malware campaign targeting misconfigured servers running web-facing services. The campaign utilises a number of unique and unreported payloads, including four Golang binaries, that serve as tools to automate the discovery and infection of hosts running the above services. The attackers leverage these tools to issue exploit code, taking advantage of common misconfigurations and exploiting an n-day vulnerability, to conduct Remote Code Execution (RCE) attacks and infect new hosts. Once initial access is achieved, a series of shell scripts and general Linux attack techniques are used to deliver a cryptocurrency miner, spawn a reverse shell and enable persistent access to the compromised hosts. #### Reference URL(s) 1. 
https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ #### Publication Date March 6, 2024 #### Author(s) Matt Muir ]]> 2024-03-06T21:12:22+00:00 https://community.riskiq.com/article/68797fe5 www.secnews.physaphae.fr/article.php?IdArticle=8460028 False Threat,Malware,Tool,Vulnerability None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires d'osint, 4 mars 2024<br>Weekly OSINT Highlights, 4 March 2024 2024-03-06T01:05:06+00:00 https://community.riskiq.com/article/1fe95f7f www.secnews.physaphae.fr/article.php?IdArticle=8459610 False Threat,Ransomware,Spam,Malware,Tool,Medical,Legislation None 4.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Le fonctionnement conjoint des ransomwares et l'évolution de leur arsenal<br>GhostSec\\'s Joint Ransomware Operation and Evolution of their Arsenal #### Description Cisco Talos observed a surge in GhostSec, a hacking group\'s malicious activities since this past year. GhostSec, a financially motivated hacking group, has been observed conducting double extortion ransomware attacks on various business verticals in multiple countries. The group has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware. GhostSec and Stormous ransomware groups are jointly conducting these attacks and have started a new ransomware-as-a-service (RaaS) program STMX_GhostLocker, providing various options for their affiliates. GhostSec and Stormous ransomware groups have jointly conducted double extortion ransomware attacks targeting victims across various business verticals in multiple countries. Talos also discovered two new tools in GhostSec\'s arsenal, the "GhostSec Deep Scan tool" and "GhostPresser," both likely being used in the attacks against websites GhostSec has remained active since last year and has conducted several denial-of-service (DoS) attacks and has taken down victims\' websites. 
#### Reference URL(s) 1. https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/ #### Publication Date March 5, 2024 #### Author(s) Chetan Raghuprasad ]]> 2024-03-05T20:46:20+00:00 https://community.riskiq.com/article/ee5a4e56 www.secnews.physaphae.fr/article.php?IdArticle=8459509 False Ransomware,Tool None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Rester en avance sur les acteurs de la menace à l'ère de l'IA<br>Staying ahead of threat actors in the age of AI 2024-03-05T19:03:47+00:00 https://community.riskiq.com/article/ed40fbef www.secnews.physaphae.fr/article.php?IdArticle=8459485 False Threat,Ransomware,Malware,Studies,Tool,Technical,Vulnerability,Medical ChatGPT,APT 28,APT 4 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Les opérateurs de logiciels espions prédateurs reconstruisent l'infrastructure à plusieurs niveaux pour cibler les appareils mobiles<br>Predator Spyware Operators Rebuild Multi-Tier Infrastructure to Target Mobile Devices #### Description Recorded Future\'s Insikt Group has discovered new infrastructure related to the operators of Predator, a mercenary mobile spyware. The infrastructure is believed to be in use in at least eleven countries, including Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. Despite being marketed for counterterrorism and law enforcement, Predator is often used against civil society, targeting journalists, politicians, and activists. The use of spyware like Predator poses significant risks to privacy, legality, and physical safety, especially when used outside serious crime and counterterrorism contexts. The Insikt Group\'s research identified a new multi-tiered Predator delivery infrastructure, with evidence from domain analysis and network intelligence data. Despite public disclosures in September 2023, Predator\'s operators have continued their operations with minimal changes. 
Predator, alongside NSO Group\'s Pegasus, remains a leading provider of mercenary spyware, with consistent tactics, techniques, and procedures over time. As the mercenary spyware market expands, the risks extend beyond civil society to anyone of interest to entities with access to these tools. Innovations in this field are likely to lead to more stealthy and comprehensive spyware capabilities. #### Reference URL(s) 1. https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices #### Publication Date March 1, 2024 #### Author(s) Insikt Group]]> 2024-03-01T20:49:50+00:00 https://community.riskiq.com/article/7287eb1b www.secnews.physaphae.fr/article.php?IdArticle=8457691 False Tool,Technical,Mobile None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) #Hundredprees: Phobos tient<br>#StopRansomware: Phobos Ransomware #### Description Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. Phobos ransomware operates in conjunction with various open source tools such as Smokeloader, Cobalt Strike, and Bloodhound. These tools are all widely accessible and easy to use in various operating environments, making it (and associated variants) a popular choice for many threat actors. #### Reference URL(s) 1. 
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a #### Publication Date February 26, 2024 #### Author(s) CISA ]]> 2024-02-29T20:16:44+00:00 https://community.riskiq.com/article/ad1bfcb4 www.secnews.physaphae.fr/article.php?IdArticle=8457173 False Threat,Ransomware,Tool None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Alpha Ransomware émerge des cendres Netwalker<br>Alpha Ransomware Emerges from NetWalker Ashes #### Description Alpha, a new ransomware that first appeared in February 2023 has intensified its activities in recent weeks and strongly resembles the now defunct NetWalker ransomware that vanished in January 2021. Analysis of Alpha reveals significant parallels with NetWalker, including the use of a similar PowerShell-based loader and code overlap. While Alpha initially remained low-profile after its appearance in February 2023, recent attacks indicate a surge in operations, including the deployment of a data leak site and the utilization of living-off-the-land tools like Taskkill and PsExec. The similarities between Alpha and NetWalker suggest a potential revival of the old ransomware operation by original developers or the acquisition and modification of the NetWalker payload by new attackers. #### Reference URL(s) 1. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/alpha-netwalker-ransomware 2. 
https://gbhackers.com/alpha-ransomware-living-off-the-land/ #### Publication Date February 16, 2024 #### Author(s) Symantec Threat Hunter Team]]> 2024-02-20T21:35:38+00:00 https://community.riskiq.com/article/507ee0d6 www.secnews.physaphae.fr/article.php?IdArticle=8452902 False Threat,Ransomware,Tool None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) SNS Sender | Active Campaigns Unleash Messaging Spam Through the Cloud #### Description SentinelOne researchers have discovered a new Python script called SNS Sender that uses AWS Simple Notification Service (SNS) to send bulk SMS messages for the purpose of spamming phishing links, also known as Smishing. This is the first script observed using AWS SNS, and it is believed that the actor behind this tool is using cloud services to send bulk SMS phishing messages. The script author is known by the alias ARDUINO_DAS and is prolific in the phish kit scene. The script requires a list of phishing links named links.txt in its working directory. SNS Sender also takes several arguments that are entered as input: a text file containing a list of AWS access keys, secrets, and region delimited by a colon; a text file containing a list of phone numbers to target; a sender ID, similar to a display name for a message; and the message content. The script replaces any occurrences of the string in the message content variable with a URL from the links.txt file, which weaponizes the message as a phishing SMS. The actor behind this tool has been linked to many phishing kits used to target victims\' personally identifiable information (PII) and payment card details under the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery. #### Reference URL(s) 1. 
https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/ #### Publication Date February 15, 2024 #### Author(s) Alex Delamotte ]]> 2024-02-16T20:41:12+00:00 https://community.riskiq.com/article/262fc193 www.secnews.physaphae.fr/article.php?IdArticle=8451105 False Spam,Cloud,Tool None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) The Nine Lives of Commando Cat: Analyser une nouvelle campagne de logiciels malveillants ciblant Docker<br>The Nine Lives of Commando Cat: Analysing a Novel Malware Campaign Targeting Docker #### Description Cado researchers have discovered a new malware campaign called "Commando Cat" that targets exposed Docker API endpoints. The campaign is a cryptojacking campaign that leverages Docker as an initial access vector and mounts the host\'s filesystem before running a series of interdependent payloads directly on the host. The payloads are delivered to exposed Docker API instances over the internet. The attacker instructs Docker to pull down a Docker image called cmd.cat/chattr. The cmd.cat project "generates Docker images on-demand with all the commands you need and simply point them by name in the docker run command." It is likely used by the attacker to seem like a benign tool and not arouse suspicion. The attacker then creates the container with a custom command to execute. The primary purpose of the user.sh payload is to create a backdoor in the system by adding an SSH key to the root account, as well as adding a user with an attacker-known password. The tshd.sh script is responsible for deploying TinyShell (tsh), an open-source Unix backdoor written in C. The gsc.sh script is responsible for deploying a backdoor called gs-netcat, a souped-up version of netcat that can punch through NAT and firewalls. The aws.sh script is a credential grabber that pulls credentials from a number of files on disk, as well as IMDS, and environment variables. 
The final payload is delivered as a base64 encoded script rather than in the traditional curl-into-bash method used previously by the malware. This base64 is echoed into base64 -d, and then piped into bash. #### Reference URL(s) 1. https://www.cadosecurity.com/the-nine-lives-of-commando-cat-analysing-a-novel-malware-campaign-targeting-docker/ #### Publication Date February 1, 2024 #### Author(s) Nate Bill Matt Muir ]]> 2024-02-08T20:42:07+00:00 https://community.riskiq.com/article/1ae69360 www.secnews.physaphae.fr/article.php?IdArticle=8448153 False Malware,Tool None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Vajraspy: un patchwork d'applications d'espionnage<br>VajraSpy: A Patchwork of Espionage Apps #### Description ESET researchers have discovered a new cyber espionage campaign that uses twelve Android apps carrying VajraSpy, a remote access trojan (RAT) used by the Patchwork APT group. Six of the apps were available on Google Play, and six were found on VirusTotal. The apps were advertised as messaging tools, and one posed as a news app. VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code. It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures with the camera. The campaign targeted users mostly in Pakistan, and the threat actors likely used targeted honey-trap romance scams to lure their victims into installing the malware. #### Reference URL(s) 1. 
https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/ #### Publication Date February 1, 2024 #### Author(s) Lukas Stefanko ]]> 2024-02-05T21:31:30+00:00 https://community.riskiq.com/article/b8134bfa www.secnews.physaphae.fr/article.php?IdArticle=8447349 False Threat,Malware,Tool,Mobile None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Gitgot: Github exploité par les cybercriminels pour stocker des données volées<br>GitGot: GitHub Leveraged by Cybercriminals to Store Stolen Data #### Description ReversingLabs researchers have discovered two malicious packages on the npm open source package manager that leverages GitHub to store stolen Base64-encrypted SSH keys lifted from developer systems that installed the malicious npm packages. The packages, warbeast2000 and kodiak2k, were identified in January and have since been removed from npm. The warbeast2000 package was downloaded a little less than 400 times, whereas the kodiak2k was downloaded around 950 times. The malicious actors behind the packages used GitHub to store the stolen information. The warbeast2000 package contained just a few components and was still under development when it was detected. The package would launch a postinstall script that fetched and executed a javascript file. This second stage malicious script read the private ssh key stored in the id_rsa file located in the /.ssh directory. It then uploaded the Base64 encoded key to an attacker-controlled GitHub repository. The kodiak2k package had more than 30 different versions and, apart from the first few, all of them were malicious. The package also executed a script found in an archived GitHub project containing the Empire post-exploitation framework. The script also invokes the Mimikatz hacking tool, which is commonly used to dump credentials from process memory. #### Reference URL(s) 1. 
https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data #### Publication Date January 23, 2024 #### Author(s) Lucija Valentić ]]> 2024-01-30T19:59:14+00:00 https://community.riskiq.com/article/d8ec25d3 www.secnews.physaphae.fr/article.php?IdArticle=8444918 False Threat,Tool None 4.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Kasseika Ransomware déploie BYOVD ATTAQUES ABUS Psexec et exploite le pilote Martini<br>Kasseika Ransomware Deploys BYOVD Attacks Abuses PsExec and Exploits Martini Driver  #### Description The ransomware operation named \'Kasseika\' has adopted Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus software before encrypting files. Kasseika exploits the Martini driver, part of TG Soft\'s VirtIT Agent System, to disable antivirus products protecting the targeted system. Trend Micro discovered Kasseika in December 2023, noting its similarities with BlackMatter, suggesting it may have been built by former members or actors who purchased BlackMatter\'s code. The attack begins with a phishing email, stealing credentials for initial access, followed by the abuse of Windows PsExec tool for lateral movement. Kasseika utilizes BYOVD attacks to gain privileges, terminate antivirus processes, and execute its ransomware binary, demanding a Bitcoin ransom and providing victims with a decryption option within 120 hours. #### Reference URL(s) 1. 
https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html #### Publication Date January 25, 2024 #### Author(s) TrendMicro Researchers ]]> 2024-01-25T20:18:28+00:00 https://community.riskiq.com/article/86b5ec3e www.secnews.physaphae.fr/article.php?IdArticle=8443135 False Ransomware,Tool,Prediction None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Parrot TDS: une campagne de logiciels malveillants persistants et évolutives<br>Parrot TDS: A Persistent and Evolving Malware Campaign #### Description The Parrot TDS (Traffic Redirect System) has escalated its campaign since October 2021, employing sophisticated techniques to avoid detection and potentially impacting millions through malicious scripts on compromised websites. Identified by Unit 42 researchers, Parrot TDS injects malicious scripts into existing JavaScript code on servers, strategically profiling victims before delivering payloads that redirect browsers to malicious content. Notably, the TDS campaign exhibits a broad scope, targeting victims globally without limitations based on nationality or industry. To bolster evasion tactics, attackers utilize multiple lines of injected JavaScript code, making it harder for security researchers to detect. The attackers, likely employing automated tools, exploit known vulnerabilities, with a focus on compromising servers using WordPress, Joomla, or other content management systems. #### Reference URL(s) 1. 
https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/#post-132073-_jt3yi5rhpmao #### Publication Date January 19, 2024 #### Author(s) Zhanglin He Ben Zhang Billy Melicher Qi Deng Bo Qu Brad Duncan ]]> 2024-01-25T19:48:09+00:00 https://community.riskiq.com/article/7b5d88cb www.secnews.physaphae.fr/article.php?IdArticle=8443112 False Threat,Malware,Tool,Vulnerability None 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Explorer FBOT |Des logiciels malveillants basés sur Python ciblant les services de cloud et de paiement<br>Exploring FBot | Python-Based Malware Targeting Cloud and Payment Services #### Description FBot is a Python-based hacking tool distinct from other cloud malware families, targeting web servers, cloud services, and SaaS platforms like AWS, Office365, PayPal, Sendgrid, and Twilio. Key features include credential harvesting for spamming attacks, AWS account hijacking tools, and functions to enable attacks against PayPal and various SaaS accounts. FBot has several features that target payment services as well as SaaS configurations. The PayPal Validator feature validates PayPal account status by contacting a hardcoded URL with an email address read from an input list. The email is added to the request in the customer details section to validate whether an email address is associated with a PayPal account. #### Reference URL(s) 1. 
https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/ #### Publication Date January 11, 2024 #### Author(s) Alex Delamotte ]]> 2024-01-12T19:55:57+00:00 https://community.riskiq.com/article/6f897211 www.secnews.physaphae.fr/article.php?IdArticle=8438377 False Malware,Cloud,Tool None 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) APT28: de l'attaque initiale à la création de menaces à un contrôleur de domaine en une heure<br>APT28: From Initial Attack to Creating Threats to a Domain Controller in an Hour #### Description Between December 15-25, 2023, a series of cyberattacks were identified involving the distribution of emails containing links to purported "documents" among government organizations. Clicking on these links resulted in malware infecting computers. Investigation revealed that the links redirected victims to a website where a JavaScript-based download initiated a shortcut file. Opening this file triggered a PowerShell command to download and execute a decoy document, a Python interpreter, and a classified MASEPIE file named Client.py. Subsequently, various tools including OPENSSH, STEELHOOK PowerShell scripts, and the OCEANMAP backdoor were downloaded, with additional tools like IMPACKET and SMBEXEC created for network reconnaissance and lateral movement. The overall tactics, techniques, and tools used pointed to the APT28 group. Notably, the attack strategy indicated a broader plan to compromise the entire organization\'s information and communication system, emphasizing the potential threat to the entire network. Similar attacks were also reported against Polish organizations. #### Reference URL(s) 1. 
https://cert.gov.ua/article/6276894 #### Publication Date January 3, 2024 #### Author(s) CERT-UA ]]> 2024-01-03T19:16:54+00:00 https://community.riskiq.com/article/3c424c10 www.secnews.physaphae.fr/article.php?IdArticle=8433900 False Threat,Malware,Tool APT 28 4.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Apache ActiveMQ Vulnerability (CVE-2023-46604) Continuously Being Exploited in Attacks #### Description AhnLab Security Emergency Response Center (ASEC) has reported that the Apache ActiveMQ vulnerability (CVE-2023-46604) is being exploited by various threat actors. The vulnerability is a remote code execution vulnerability in the open-source messaging and integration pattern server Apache ActiveMQ. The vulnerability attack involves manipulating a serialized class type in the OpenWire protocol to instantiate the class in classpath. When the threat actor transmits a manipulated packet, the vulnerable server references the path (URL) contained in the packet to load the XML configuration file for the class. The malware used in the attacks includes Ladon, NetCat, AnyDesk, and z0Miner. Ladon is one of the tools that are mainly used by Chinese-speaking threat actors. Netcat is a utility for transmitting data to and from certain targets in a network connected by TCP/UDP protocol. AnyDesk, NetSupport, and Chrome Remote Desktop have recently been used for bypassing security products. z0Miner was first reported in 2020 by the Tencent Security Team and was distributed via attacks exploiting the Oracle Weblogic remote code execution vulnerabilities (CVE-2020-14882/CVE-2020-14883). #### Reference URL(s) 1. 
https://asec.ahnlab.com/en/59904/ #### Publication Date December 18, 2023 #### Author(s) Sanseo 2023-12-21T21:09:57+00:00 https://community.riskiq.com/article/6a2272ec www.secnews.physaphae.fr/article.php?IdArticle=8427029 False Threat,Malware,Tool,Vulnerability None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Ace in the Hole: Exposing GambleForce #### Description In September 2023, cybersecurity firm Group-IB uncovered GambleForce, a previously unknown threat actor specializing in SQL injection attacks across the Asia-Pacific region. GambleForce has targeted more than 20 websites (government, gambling, retail, and travel) in Australia, China, Indonesia, the Philippines, India, South Korea, Thailand, and Brazil. The group employed a toolset with basic but effective attack methods, leading to concerns of further activity even after Group-IB took down their command and control server. The entire toolset was based on publicly available open-source instruments used for pentesting purposes. After examining the toolset in more detail, it became clear that the tools were most likely associated with a threat actor executing one of the oldest attack methods: SQL injection. The attackers gained initial access using SQLmap, then proceeded to upload Cobalt Strike to compromised servers. Notably, the version of Cobalt Strike discovered on the gang's server used commands in Chinese, but this fact alone is not enough to attribute the group's origin. #### Reference URL(s) 1. https://www.group-ib.com/blog/gambleforce-gang/ #### Publication Date December 15, 2023 #### Author(s) Nikita Rostovcev 2023-12-15T21:35:08+00:00 https://community.riskiq.com/article/ddb7bf58 www.secnews.physaphae.fr/article.php?IdArticle=8423405 False Threat,Tool None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Agent Tesla: Unusual ZPAQ Archive Format Delivers Malware #### Description A new variant of Agent Tesla has been discovered that uses the ZPAQ archive format and the .wav file extension to infect systems and steal information from approximately 40 web browsers and various email clients. ZPAQ is a file compression format that offers a better compression ratio and a journaling function compared to widely used formats like ZIP and RAR. However, ZPAQ has limited software support, making it difficult to work with, especially for users without technical expertise. The .NET executable file is bloated with zero bytes, which allows threat actors to bypass traditional security measures and increase the effectiveness of their attack. The use of the ZPAQ compression format raises more questions than answers. The assumptions here are that either the threat actors target a specific group of people who have technical knowledge or use less widely known archive tools, or they are testing other techniques to spread malware faster and bypass security software. The malware uses Telegram as a C&C due to its widespread legitimate usage and the fact that its traffic is often allowed through firewalls, making it a useful medium for covert communication. Like any other stealer, Agent Tesla can harm not only private individuals but also organizations. It has gained popularity among cybercriminals for many reasons, including ease of use, versatility, and affordability on the Dark Web. #### Reference URL(s) 1. https://www.gdatasoftware.com/blog/2023/11/37822-agent-tesla-zpaq #### Publication Date November 20, 2023 #### Author(s) Anna Lvova 2023-11-21T21:19:53+00:00 https://community.riskiq.com/article/818d5f5c www.secnews.physaphae.fr/article.php?IdArticle=8415603 False Threat,Malware,Tool,Technical None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) A Deep Dive into Phobos Ransomware, Recently Deployed by 8Base Group #### Description Cisco Talos has recently observed an increase in activity conducted by 8Base, a ransomware group that uses a variant of the Phobos ransomware and other publicly available tools to facilitate their operations. Most of the group's Phobos variants are distributed by SmokeLoader, a backdoor trojan. This commodity loader typically drops or downloads additional payloads when deployed. In 8Base campaigns, however, it has the ransomware component embedded in its encrypted payloads, which is then decrypted and loaded into the SmokeLoader process' memory. #### Reference URL(s) 1. https://blog.talosintelligence.com/deep-dive-into-phobos-ransomware/ 2. https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/ #### Publication Date November 17, 2023 #### Author(s) Guilherme Venere 2023-11-20T20:25:28+00:00 https://community.riskiq.com/article/d75b18b5 www.secnews.physaphae.fr/article.php?IdArticle=8415045 False Ransomware,Tool None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) #StopRansomware: Rhysida Ransomware #### Description Rhysida, an emerging ransomware variant, has predominantly been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023. Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society (DEV-0832) activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates. #### Reference URL(s) 1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a #### Publication Date November 15, 2023 #### Author(s) CISA 2023-11-15T21:25:29+00:00 https://community.riskiq.com/article/966909c4 www.secnews.physaphae.fr/article.php?IdArticle=8412573 False Threat,Ransomware,Tool None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Malvertiser Copies PC News Site to Deliver Infostealer #### Description In a new campaign, Malwarebytes observed a threat actor copying a legitimate Windows news portal to distribute a malicious installer for the popular processor tool CPU-Z. This incident is part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix and VNC Viewer, as seen in its infrastructure (domain names) and the cloaking templates used to avoid detection. Malwarebytes has informed Google with the relevant details for takedown. #### Reference URL(s) 1. https://www.malwarebytes.com/blog/threat-intelligence/2023/11/malvertiser-copies-pc-news-site-to-deliver-infostealer #### Publication Date November 8, 2023 #### Author(s) Jérôme Segura 2023-11-10T19:10:55+00:00 https://community.riskiq.com/article/fb1132c1 www.secnews.physaphae.fr/article.php?IdArticle=8409316 False Threat,Tool None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Predator AI | ChatGPT-Powered Infostealer Takes Aim at Cloud Platforms #### Description SentinelLabs has identified a new Python-based infostealer and hacktool called 'Predator AI' that is designed to target cloud services. Predator AI is advertised through Telegram channels related to hacking. The main purpose of Predator is to facilitate web application attacks against various commonly used technologies, including content management systems (CMS) like WordPress, as well as cloud email services like AWS SES. However, Predator is a multi-purpose tool, much like the AlienFox and Legion cloud spamming toolsets. These toolsets share considerable overlap in publicly available code that each repurposes for its own brand, including the use of Androxgh0st and Greenbot modules. The Predator AI developer implemented a ChatGPT-driven class into the Python script, which is designed to make the tool easier to use and to serve as a single text-driven interface between disparate features. There were several projects like BlackMamba that ultimately were more hype than the tool could deliver. Predator AI is a small step forward in this space: the actor is actively working on making a tool that can utilize AI. #### Reference URL(s) 1. https://www.sentinelone.com/labs/predator-ai-chatgpt-powered-infostealer-takes-aim-at-cloud-platforms/ #### Publication Date November 7, 2023 #### Author(s) Alex Delamotte 2023-11-08T18:59:39+00:00 https://community.riskiq.com/article/e5536969 www.secnews.physaphae.fr/article.php?IdArticle=8408039 False Cloud,Tool ChatGPT 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Unveiling the Dark Side: A Deep Dive into Active Ransomware Families #### Description In the ever-evolving cybersecurity landscape, one consistent trend witnessed in recent years is the unsettling rise in ransomware attacks. NCC Group shares TTPs deployed by four ransomware families recently observed during NCC Group's incident response engagements. The ransomware families that will be explored are:
- BlackCat – Also known as ALPHV and first observed in 2021, BlackCat is a Ransomware-as-a-Service (RaaS) that often uses the double extortion method for monetary gain.
- Donut – The D0nut extortion group was first reported in August 2022 for breaching networks and demanding ransoms in return for not leaking stolen data. A few months later, reports of the group utilizing encryption as well as data exfiltration were released, with speculation that the ransomware deployed by the group was linked to HelloXD ransomware. There are also suspected links between D0nut affiliates and both the Hive and Ragnar Locker ransomware operations.
- Medusa – Not to be confused with MedusaLocker, Medusa was first observed in 2021 and is a Ransomware-as-a-Service (RaaS) that often uses the double extortion method for monetary gain. In 2023 the group's activity increased with the launch of the 'Medusa Blog'. This platform serves as a tool for leaking data belonging to victims.
- NoEscape – At the end of May 2023, a newly emerged Ransomware-as-a-Service (RaaS) named NoEscape was observed on a cybercrime forum.
#### Reference URL(s) 1. https://research.nccgroup.com/2023/10/31/unveiling-the-dark-side-a-deep-dive-into-active-ransomware-families/ #### Publication Date October 31, 2023 #### Author(s) Alex Jessop @ThisIsFineChief Molly Dewis 2023-11-02T20:07:38+00:00 https://community.riskiq.com/article/b7e4b3b3 www.secnews.physaphae.fr/article.php?IdArticle=8404933 False Ransomware,Tool,Prediction None 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) From Albania to the Middle East: The Scarred Manticore is Listening #### Description Check Point Research (CPR) is monitoring an ongoing Iranian espionage campaign by Scarred Manticore, an actor affiliated with the Ministry of Intelligence and Security (MOIS). The attacks rely on LIONTAIL, an advanced passive malware framework installed on Windows servers. For stealth purposes, LIONTAIL implants utilize direct calls to the Windows HTTP stack driver HTTP.sys to load memory-resident payloads. The current campaign peaked in mid-2023, having gone under the radar for at least a year. The campaign targets high-profile organizations in the Middle East with a focus on the government, military, and telecommunications sectors, in addition to IT service providers, financial organizations and NGOs. Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers. These include a variety of custom web shells, custom DLL backdoors, and driver-based implants. While the main motivation behind Scarred Manticore's operation is espionage, some of the tools described in this report have been associated with the MOIS-sponsored destructive attack against Albanian government infrastructure (referred to as DEV-0861). #### Reference URL(s) 1. https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/ #### Publication Date October 31, 2023 #### Author(s) Check Point Research 2023-10-31T19:45:32+00:00 https://community.riskiq.com/article/b37061cc www.secnews.physaphae.fr/article.php?IdArticle=8403717 False Malware,Tool APT 34,APT 34 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Quasar RAT's Dual DLL Sideloading Technique #### Description QuasarRAT, also known as CinaRAT or Yggdrasil, is a lightweight remote administration tool written in C#. This tool is openly accessible as a GitHub project. It is capable of various functions such as gathering system data, running applications, transferring files, recording keystrokes, taking screenshots or camera captures, recovering system passwords, and overseeing operations like File Manager, Startup Manager, Remote Desktop, and executing shell commands. In the initial phase, the attacker harnesses "ctfmon.exe," which is an authentic Microsoft file. By doing so, they load a malicious DLL which, to the untrained eye, would seem benign because of its disguised name. Upon execution of the "ctfmon.exe" binary, the stage is set as the attacker acquires a 'stage 1' payload. This initial payload is crucial, acting as the gateway for the subsequent malicious actions. At this juncture, the threat actor brings into play the "calc.exe" file, which in this context isn't just a simple calculator application. Alongside "calc.exe," the malicious DLL is also set into motion. On executing "calc.exe," the malicious DLL is triggered. This action culminates in the infiltration of the "QuasarRAT" payload into the computer's memory, reflecting the attacker's adeptness at circumventing security mechanisms. #### Reference URL(s) 1. https://www.uptycs.com/blog/quasar-rat #### Publication Date October 24, 2023 #### Author(s) Tejaswini Sandapolla 2023-10-24T19:50:31+00:00 https://community.riskiq.com/article/1eeb2026 www.secnews.physaphae.fr/article.php?IdArticle=8402085 False Threat,Tool None 3.0000000000000000

RiskIQ - cyber risk firms (now microsoft) Government-Backed Actors Exploiting WinRAR Vulnerability #### Description In recent weeks, Google's Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting the known vulnerability CVE-2023-38831 in WinRAR, a popular file archiver tool for Windows. A patch is now available, but many users still seem to be vulnerable. TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations. CVE-2023-38831 is a logical vulnerability within WinRAR causing extraneous temporary file expansion when processing crafted archives, combined with a quirk in the implementation of Windows' ShellExecute when attempting to open a file with an extension containing spaces. The vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file (such as an ordinary PNG file) within a ZIP archive. #### Reference URL(s) 1. https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/ 2. https://ti.defender.microsoft.com/cves/CVE-2023-38831 3. https://ti.defender.microsoft.com/intel-profiles/cf1e406a16835d56cf614430aea3962d7ed99f01ee3d9ee3048078288e5201bb/description #### Publication Date October 18, 2023 #### Author(s) Kate Morgan 2023-10-20T18:49:47+00:00 https://community.riskiq.com/article/8a55efc4 www.secnews.physaphae.fr/article.php?IdArticle=8402087 False Threat,Tool,Vulnerability None 3.0000000000000000