PATCHED Malwarebytes Anti-Malware Premium 2.0.4.1028 Keys [ATOM]


Olaf Pinette

unread,
Jul 17, 2024, 4:25:45 PM7/17/24
to deudoubreimin

In this month's cyber threats rollup, we have observed continued cyber-attacks from well-known threat actors and state-sponsored attacks from China, Russia, and North Korea. We also saw the resurgence of Bumblebee malware and the continued campaign by an unknown actor who uses malvertising to distribute the Rhadamanthys infostealer.

We also saw a large range of attack techniques, from the use of Calendly meeting links and WhatsApp messages through to methods of hiding malware in PNG files and emails impersonating booking requests from Booking.com. We also observed the discovery of a new backdoor attack that targets macOS users.


Our Keysight Application and Threat Intelligence (ATI) Research Center stays alert to this changing threat landscape and has created a number of new Threat Campaigns and Audits to keep our customers and partners safe, by simulating the attacks and incorporating them into Threat Simulator, our breach and attack simulation (BAS) platform.

The article outlines a threat campaign by an unknown actor who uses malvertising to distribute the Rhadamanthys info stealer. The actor impersonates well-known brands in sponsored search results, tricking users into clicking malicious ads which lead to decoy websites. Upon clicking the ad, victims are tricked into downloading a dropper, which retrieves Rhadamanthys via a URL. Rhadamanthys attempts to steal credentials stored in applications such as PuTTY, WinSCP and mail programs. The campaign has been ongoing since 2023 and has been observed to target business users.

The article discusses a recent campaign involving GuLoader, a sophisticated malware loader that uses evasion techniques such as polymorphic code and encryption to alter its structure and avoid detection by antivirus software and intrusion detection systems. The campaign is characterized by the distribution of GuLoader through a malicious SVG (Scalable Vector Graphics) file delivered via email. Upon opening the SVG file, several actions are triggered, leading to the infiltration of the victim's network. The malware modifies the Registry run key to achieve persistence and can download and deploy various other malware variants.

North Korean state-sponsored hackers, reportedly a subgroup of the Lazarus hacking group known as BlueNoroff, are targeting individuals in the cryptocurrency space. The attackers impersonate credible cryptocurrency investors and use the scheduling application Calendly to send malicious meeting links. The links prompt the user to run a script that installs malware on macOS systems. Victims are tricked into clicking the link under the guise of a video conference call. The malicious script gives hackers control over the victim's computer, leading to potential theft of funds.

The article describes a ransomware attack executed through the ScreenConnect application. The threat actor gained access to an endpoint via a rogue ScreenConnect instance and downloaded and executed the ALPHV/BlackCat ransomware variant, which is offered as Ransomware as a Service (RaaS). The ransomware was able to move laterally within the infrastructure and targeted named endpoints. The affected entity appears to be within the healthcare community. Two vulnerabilities and software weaknesses in ScreenConnect were mentioned in the text.

Cyfirma describes a campaign involving the use of Xeno RAT, an advanced malware available for free on GitHub. The threat actor customized the settings of Xeno RAT and disseminated it via the Discord CDN, primarily through a shortcut file disguised as a WhatsApp screenshot. The malware employs multiple evasion tactics including anti-debugging techniques, obfuscation within files/code, and obfuscated network traffic. It also maintains persistence by adding itself as a scheduled task and leverages the DLL search order functionality in Windows to load the malicious DLL into a trusted executable process. The article does not specify any affected entities, regions, or exploited vulnerabilities.

Bitdefender detected a new variant of the AMOS (Atomic) Stealer, a prevalent threat for macOS users. This malware variant uses a combination of Python and AppleScript to steal data and remain covert. It targets browser data, user account passwords, and specific system files, and uses tactics to identify sandbox or emulator execution. The malware also shares code with the RustDoor backdoor. The stolen data is sent to the C2 server.

Threat actor UAC-0184 is employing steganography techniques to hide Remcos RAT malware in PNG files and target Ukrainian entities based in Finland. The threat actor is using the IDAT loader to obscure malicious code, enabling the malware to evade detection and execute in memory. The Remcos RAT allows the attacker to control infected computers, steal data, and monitor activities. Morphisec Threat Labs identified the threat and successfully prevented numerous attacks. The threat actor also uses deceptive recruitment tactics, as revealed in a phishing email posing as an IDF consultant.

FortiGuard Labs reports on the Abyss Locker ransomware, which targets Microsoft Windows and Linux platforms, particularly those using VMware ESXi systems. Based on the HelloKitty ransomware source code, Abyss Locker steals and encrypts victims' files, and demands a ransom for file decryption. This ransomware was first detected in July 2023, but its origins may date even earlier. The Windows version of Abyss Locker was discovered in January 2024, with a second version and a Linux variant identified shortly after. The ransomware samples have been submitted from various regions, indicating a widespread attack.

The article describes a campaign called SMUGX, attributed to the APT group Earth Preta, targeting Asian countries including Taiwan, Vietnam, and Malaysia. The campaign uses a customized PlugX malware, named DOPLUGS, different from general PlugX malware, which is used for downloading the latter. The DOPLUGS malware uses the KillSomeOne module, a USB worm.

The text describes a cyber-attack campaign orchestrated by threat actor UAC-0184, targeting Ukrainian entities based in Finland. The attack uses the IDAT loader to deliver the Remcos Remote Access Trojan (RAT), using steganography as a technique for defense evasion. The IDAT loader also loads other malware families like Danabot, SystemBC, and RedLine Stealer. The attack was initiated through a carefully crafted phishing email.

The threat actor initiated the attack by exploiting search engine optimization (SEO) poisoning to cause a user to download and execute a Gootloader malware. This was followed by the deployment of a Cobalt Strike beacon payload and the use of SystemBC to gain Remote Desktop Protocol (RDP) access into the network, compromising domain controllers and other key servers. The attacker continued to move laterally within the network, disabling security measures and attempting to deploy more payloads. Despite setbacks from active security defenses, the threat actor persisted and managed to gain access to sensitive files and servers. It is unconfirmed whether any data was exfiltrated.

Cyble describes a phishing campaign targeted at the cryptocurrency community and healthcare organizations in the US, led by unidentified Threat Actors (TAs). The TAs exploit ScreenConnect, a legitimate remote support tool, for malicious purposes. The campaign uses sophisticated tactics such as subdomain takeover to host phishing sites and lure victims into downloading ScreenConnect clients. Once compromised, the TAs can conduct further malicious operations, including data theft and ransomware deployment. The campaign indicates a particular focus on the healthcare sector's vulnerabilities.

Unit42 discusses the technique of Dynamic-link library (DLL) hijacking used by various threat actors for cyber espionage and system compromise. Both nation-state Advanced Persistent Threat (APT) groups and cybercrime threat actors use this technique as it provides a stealthy way to run malware, evade detection, and establish a foothold in the system. The actors exploit vulnerabilities in legitimate executables to load and run a malicious DLL, often using different variations like DLL side-loading, DLL search order hijacking, and phantom DLL loading. The article highlights real-world examples, including attacks from the Stately Taurus APT group and cybercriminals using AsyncRAT and PlugX Remote Access Trojan (RAT).

EclecticIQ analysts describe a cybercrime campaign involving the use of the DarkGate loader by financially motivated threat actors, such as TA577, Ducktail, BianLian, and Black Basta. These actors primarily target financial institutions in Europe and the USA, deploying the DarkGate loader through tactics like double extortion, phishing emails, and abusing legitimate channels like Google's DoubleClick Ad. The DarkGate loader is used to create an initial foothold and deploy different types of malware within the victims' corporate networks, thus increasing the number of infected devices and volume of data exfiltrated. The loader is also advertised as a Malware-as-a-Service (MaaS) tool on cybercrime forums, offering features like hidden virtual network computing (hVNC), user interface for data exfiltration, keylogger, and a rootkit module.

Nood RAT, a Linux variant of Gh0st RAT developed by the C. Rufus Security Team of China, has been used in various vulnerability attacks since 2018. The malware disguises itself as a legitimate program and enables threat actors to carry out multiple malicious activities, including downloading malicious files, stealing the system's internal files, and executing commands. It is equipped with encryption features to avoid network packet detection. Notable attacks include WebLogic vulnerability attacks and Cloud Snooper APT attacks.

SentinelOne discusses a new tool called SNS Sender used by a threat actor known by the alias ARDUINO_DAS for SMS phishing attacks using AWS SNS. This tool sends bulk SMS messages containing phishing links. The attacks often masquerade as a message from the United States Postal Service (USPS) about a missed package delivery. AWS credentials compromised from an environment not under SNS sandbox restrictions are needed for the script to run. The actor has been linked to numerous phishing kits used to steal personal and payment card information.
