Cyware Weekly Threat Intelligence, April 15–19, 2024

The Good

• European police arrested nine people and seized millions of euros in an operation to dismantle the JuicyFields investment fraud scheme. The scheme, which operated as a Ponzi scheme, targeted 550,000 Europeans by promising high returns from investing in a non-existent cannabis cultivation operation. The ringleaders used social media ads and physical offices to give the illusion of legitimacy.
• The Five Eyes agencies have released a joint cybersecurity information sheet that offers guidance and recommendations on deploying and operating externally developed AI systems. The document, titled "Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems," provides methodologies for protecting data and AI systems, with a focus on securing the deployment environment, continuously protecting the AI system, and secure AI operation and maintenance.
• Microsoft is taking steps to combat spam by implementing a daily limit of 2,000 external recipients for Exchange Online users starting in January 2025. This limit will be enforced in two phases, affecting both new and existing tenants. Users exceeding this limit can switch to Azure Communication Services for Email. Additionally, Google has also tightened its spam thresholds and authentication guidelines for bulk email senders, requiring email authentication and responsiveness to unsubscription requests to prevent rejection of emails.
• Law enforcement from 19 countries, coordinated by Europol, disrupted the LabHost phishing-as-a-service platform. The operation led to the arrest of 37 suspects across the world and the shutdown of LabHost's infrastructure. Despite its user-friendly appearance, the use of LabHost constitutes illegal activity, and law enforcement now possesses a vast amount of data to target malicious users of the platform in ongoing international operations.

The Bad

• A phishing ad for the decentralized OTC trading platform Whales Market is being displayed in Google search results. The ad redirects visitors to a wallet-draining phishing site that replicates the legitimate website, including its trading platform. Once a wallet is connected, malicious scripts drain it of all assets.
• Researchers uncovered a sophisticated phishing operation targeting cryptocurrency users with the notorious FatalRAT alongside Clipper and Keylogger malware. Employing DLL side-loading tactics, attackers crafted a deceptive website resembling the Exodus wallet interface, primarily targeting Chinese-speaking individuals. Technical analysis revealed a multi-staged attack orchestrating data theft and clipboard manipulation to intercept cryptocurrency transactions.
• The zero-day flaw disclosed last week in Palo Alto Networks PAN-OS software is under attack by an operation named MidnightEclipse. Threat actors, tracked as UTA0218, utilize a Python-based backdoor named UPSTYLE to create a reverse shell, download tools, pivot into networks, and exfiltrate data. The flaw allows an attacker to execute arbitrary code with root privileges on affected firewalls.
• The LightSpy iOS espionage campaign has reemerged, targeting Southern Asia, possibly indicating political motives. F_Warehouse, its latest iteration, features extensive spying capabilities, including file theft and audio recording. Evidence suggested Chinese origins, raising concerns about state-sponsored activity. Advanced techniques like certificate pinning enhance its stealth. The hyper-focused attacks pose risks to journalists, activists, and politicians globally.
• The Blackjack hacker group reportedly unleashed the destructive Fuxnet malware to target one of Moscow's internet providers and a military infrastructure, damaging emergency detection and response systems. This sophisticated malware aimed to disable 87,000 sensors and control systems. Fuxnet was deployed to lock devices, erase filesystems, disable services, and rewrite flash memory, rendering them inoperable. The malware's final objective was to disrupt sensors by flooding serial channels.

New Threats

• A new information-stealing malware, disguised as a game cheat called Cheat Lab is being spread through fake demos of cheating tools on Microsoft's GitHub repository. The malware, linked to Redline, promises a free copy if users convince their friends to install it. The malware injects into legitimate processes for stealth, using Lua bytecode to evade detection and take advantage of Just-In-Time (JIT) compilation performance.
• Zscaler ThreatLabz uncovered a sophisticated malvertising campaign in March, utilizing typosquatting domains and Google Ads to distribute a novel backdoor dubbed MadMxShell. The threat actor registered multiple sites masquerading as legitimate IP and port scanner software programs. Employing DLL sideloading and DNS tunneling for C2 communication, the backdoor evades memory forensics and endpoint security.
• The financially motivated group FIN7 employed the Anunak backdoor to target a leading U.S. car manufacturer. The attack utilized spear-phishing tactics, luring high-level IT personnel with a counterfeit Advanced IP Scanner tool. Through a multi-stage process, the malicious executable 'WsTaskLoad.exe' deployed the Anunak backdoor, enabling persistent access by installing OpenSSH, and created a scheduled task.
• An Android malware campaign, tracked as eXotic Visit by cybersecurity firm ESET, has been actively targeting users in South Asian countries since November 2021. Operating under the name Virtual Invaders, the campaign distributed malware via dedicated websites and the Google Play Store. Downloaded apps also include code from the open-source Android XploitSPY RAT which could gather sensitive data from infected devices.
• Juniper Networks published multiple advisories detailing more than a hundred vulnerabilities in Junos OS, Junos OS Evolved, and other products. Patches were released for over 80 bugs, including critical issues in Junos cRPD and Cloud Native Router. Additionally, high-severity flaws, such as information leaks and denial-of-service vulnerabilities, were addressed in Paragon Active Assurance Control Center and Junos OS.
• The FBI warned about a widespread SMS phishing campaign targeting Americans with fraudulent messages claiming unpaid road toll fees. The scam, which started in March 2024, has already affected thousands of individuals across multiple states. The malicious texts contain links disguised as state toll service websites, aiming to trick recipients into clicking and providing personal information.
• A flaw in TP-Link Archer AX21 router models is being exploited by multiple botnet operators, such as Moobot, Miori, and AGoent (a Gafgyt Variant), found FortiGuard Labs. The vulnerability enables unauthenticated command injection through the web management interface, allowing attackers to execute arbitrary code. Various botnets utilize different infection tactics, such as fetching script files, establishing connections with C2 servers, and launching DDoS attacks.
• The TA558 hacking group launched a new campaign called SteganoAmor, with over 320 attacks impacting multiple sectors across different countries. The attackers exploit the CVE-2017-11882 flaw in Microsoft Office. The group uses long chains of tools and malware, including AgentTesla, FormBook, Remcos, LokiBot, Guloader, SnakeKeylogger, and XWorm. The attackers use compromised legitimate FTP servers for C2, and SMTP servers for C2 and phishing. The group also uses legitimate services to store malware strings and images with embedded malicious code.
• WithSecure researchers uncovered a new backdoor, Kapeka, attributed to the Russian nation-state group Sandworm. Used in espionage campaigns across Eastern and Central Europe since the Russia-Ukraine conflict, Kapeka facilitates intelligence collection and potential sabotage, including ransomware attacks and modular payload execution. The malware bears similarities to GreyEnergy, indicating Sandworm's involvement.
• A recent investigation by Sophos X-Ops delves into a new trend in the cybercrime landscape: the emergence of junk gun ransomware. Drawing parallels to cheap, unreliable firearms from the past, this ransomware is independently produced, inexpensive, and sold as a one-time purchase. Unlike typical ransomware-as-a-service models, these variants lack complex infrastructure and corporate-like hierarchies.
• Microsoft warned of a series of chained vulnerabilities in the OpenMetadata platform on Kubernetes clusters, allowing Chinese hackers to execute code and install cryptomining software remotely. The flaws, including CVE-2024-28255 and CVE-2024-28847, affect versions before 1.3.1. Attackers left a plea for victims not to remove the malware, citing financial hardship. The attack sequence involves reconnaissance, exploitation, and installation of cryptomining software.