We use cookies to improve your experience. Do you accept?

Cyware Announces Healthcare TIP

Check it Out

Skip to main content

Cyware Weekly Threat Intelligence - July 08–12

Cyware Weekly Threat Intelligence - July 08–12 - Featured Image

Weekly Threat Briefing Jul 12, 2024

The Good

In a remarkable turn of events, Avast's cryptographic savants unearthed a pivotal vulnerability within the DoNex ransomware and its prior iterations. This discovery has paved the way for a decryptor, disseminated to victims. Concurrently, a seismic shift in federal directives has emanated from the White House, compelling federal research agencies to fortify their cybersecurity bastions. This mandate insists on rigorous certification that R&D institutions are equipped with robust security infrastructures, a response to the escalating cyber onslaughts from formidable adversaries.

  • Avast researchers discovered a cryptographic flaw in the DoNex ransomware and its predecessors, allowing for the provision of a decryptor to victims and making the weakness public knowledge. DoNex ransomware, previously rebranded from Muse to Fake LockBit 3.0 to DarkRace, ceased its evolution in April 2024 and targeted victims primarily in the US, Italy, and the Netherlands. They have been providing the decryptor to victims in cooperation with law enforcement since March 2024, and the cryptographic weakness was made public at Recon 2024.

  • The White House is requiring federal research agencies to implement increased cybersecurity protocols, including certifying that institutions conducting R&D have proper security measures in place, in response to growing threats from adversaries like China. Higher education institutions must implement cybersecurity programs consistent with the CHIPS and Science Act's cybersecurity resource for research-focused entities. Other covered institutions must implement cybersecurity programs consistent with resources maintained by NIST or other federal research agencies.

  • The U.S. and its allies took down a Kremlin-backed AI bot farm that was used to spread disinformation on the X social media platform. The FBI and international partners targeted a total of 968 accounts, seizing a portion of them, while the X platform voluntarily suspended the remaining sham users. The takedown marks a major U.S. push to clamp down on Russian information operations that aim to sow doubt about domestic and international politics on social media.

The Bad

Researchers unveiled a nefarious stratagem aimed at the NuGet package manager, ultimately disseminating the SeroXen RAT. This covert campaign has ensnared approximately 60 packages and spanned 290 distinct package versions. Meanwhile, the elusive ViperSoftX resurfaced with an enhanced arsenal, harnessing the .NET CLR to cloak its PowerShell machinations. In a parallel vein, AsyncRAT is being spread camouflaged as an innocuous ebook. This insidious ploy employs a medley of tactics—malicious scripts, compressed archives, and scheduled tasks—to compromise systems and deploy the RAT.

  • ReversingLabs detailed a malicious campaign targeting the NuGet package manager, which has evolved to include tactics such as using obfuscated downloaders, exploiting NuGet’s MSBuild integrations, and manipulating legitimate PE .NET binaries using IL weaving. The threat actors used techniques like typo-squatting and homoglyphs to evade detection and distributed malicious code, including the SeroXen RAT. Approximately 60 packages and 290 package versions were identified as part of this campaign.

  • ViperSoftX, first spotted in 2020, has recently reemerged with the ability to use the .NET CLR to obfuscate its use of PowerShell commands. The malware further disguises the PowerShell commands by hiding them within scripts generated by the freeware program AutoIt. This allows ViperSoftX to execute malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity. ViperSoftX is capable of stealing system information, cryptocurrency wallet details (and the coins they contain), clipboard contents, and other such data.

  • ASEC blog reported on the distribution of AsyncRAT malware disguised as an ebook, which uses various techniques like malicious scripts, compressed files, and scheduled tasks to infect systems and execute the remote access trojan. The compressed ebook file contains a malicious LNK file, a text file with a malicious PowerShell script, additional compressed files disguised as videos, and the actual ebook file. AsyncRAT possesses features such as anti-VM, anti-AV, maintaining persistence, and exfiltrating user information.

  • An ongoing surveillance campaign has been found spreading the GuardZoo malware in the Middle East. The campaign has impacted over 450 victims in countries such as Egypt, Saudi Arabia, and Yemen, with the malware being distributed through WhatsApp and direct browser downloads. GuardZoo, with over 60 commands, can fetch additional payloads, upload files, and change C2 addresses, using dynamic DNS domains registered to YemenNet for its operations.

  • Smishing Triad has been registering multiple domain names impersonating the India Post to carry out large-scale smishing campaigns to steal PII and payment data. The group uses compromised and registered iCloud accounts to send fraudulent iMessages with smishing URLs, directing victims to provide personal and payment details under the pretext of a failed package delivery. This threat has been observed targeting a wide range of individuals in India, including consumers, businesses, and government entities.

New Threats

A formidable new phishing toolkit, dubbed FishXProxy, has emerged on the cybercrime landscape, empowering malevolent actors to orchestrate sophisticated phishing schemes with alarming ease. In another alarming development, the Chinese government-backed cyber espionage ensemble, APT41, has augmented its already formidable toolkit with the addition of the DodgeBox loader and the MoonWalk backdoor. The newly identified multi-stage trojan, Orcinius, has been discovered exploiting popular cloud services like Dropbox and Google Docs, marking it as a formidable threat in the cyber landscape.

  • A new phishing toolkit called FishXProxy enables cybercriminals to conduct sophisticated phishing attacks with ease. The toolkit includes advanced features such as an antibot system, Cloudflare integration, inbuilt redirector, page expiration settings, and cross-project user tracking. It also allows for the generation of malicious file attachments using HTML smuggling techniques. The toolkit lowers the technical barriers to conducting phishing campaigns, posing a significant threat.
  • The Chinese government-backed cyber espionage group APT41 has added a new loader called DodgeBox and a backdoor named MoonWalk to its arsenal of malware tools, according to research by Zscaler ThreatLabz. DodgeBox, similar to APT41's StealthVector, is a shellcode loader with advanced features such as encryption, environment checks, and evasion techniques. It also drops the MoonWalk backdoor, which utilizes Google Drive for command-and-control communication.
  • The newly identified multi-stage trojan Orcinius has been found exploiting popular cloud services like Dropbox and Google Docs, making it a formidable threat. The trojan starts with an innocuous Excel spreadsheet containing a modified VBA macro, enabling it to capture keystrokes and active windows once executed. Orcinius downloads secondary payloads from cloud services to evade detection.
  • A new RaaS called Eldorado has emerged, targeting Windows and VMware ESXi virtual machines with its ability to encrypt files using the ChaCha20 algorithm and delete shadow volume copies to prevent recovery. The ransomware has already claimed 16 victims, primarily in the U.S., across various sectors. Eldorado uses advanced encryption methods, targets network shares, and deletes shadow volume copies to maximize impact, but also allows affiliates to customize their attacks.
  • Check Point noted an increase in cybercriminal activity targeting online shoppers in anticipation of Amazon Prime Day on July 16-17. Researchers have observed a surge in suspicious domains impersonating Amazon, aiming to steal sensitive information such as login credentials and payment details. The tactics used include phishing emails, fake domains, and deceptive files. Online shoppers should exercise caution during Amazon Prime Day, checking URLs, creating strong passwords, and being wary of phishing emails to ensure safe and secure shopping.
  • The Blast-RADIUS attack is a newly discovered authentication bypass vulnerability in the RADIUS/UDP protocol. It allows attackers to manipulate RADIUS traffic and gain admin privileges on network devices without brute forcing passwords or stealing credentials. The attack exploits a new protocol bug (CVE-2024-3596) and an MD5 collision attack, enabling the forging of a valid response to authentication requests. Although end-users cannot protect against this attack, network operators are advised to upgrade to RADIUS over TLS, switch to "multihop" RADIUS deployments, and isolate RADIUS traffic from internet access for defense.
  • A large-scale fraud campaign called Ticket Heist is targeting Russian-speaking users seeking tickets for major events, particularly the Summer Olympics in Paris. The operation involves 708 convincing websites offering overpriced fake tickets for events like the Olympics, UEFA European Championship, and music concerts. The fraudsters use a consistent UI framework and inflated prices to deceive victims. Transactions are carried out through the Stripe payment platform to steal money from victims. The operation also targets Russian-speaking users with fake concert tickets.

Related Threat Briefings

Dec 20, 2024

Cyware Weekly Threat Intelligence, December 16–20, 2024

In a digital age where borders are blurred, governments are sharpening their strategies to outpace cyber adversaries. The draft update to the National Cyber Incident Response Plan (NCIRP) introduces a comprehensive framework for managing nationwide cyberattacks that impact critical infrastructure and the economy. Meanwhile, the fiscal year 2025 defense policy bill, recently approved by the Senate, emphasizes strengthening cybersecurity measures both at home and abroad. A deceptive health app on the Amazon Appstore turned out to be a Trojan horse for spyware. Masquerading as BMI CalculationVsn, the app recorded device screens, intercepted SMS messages, and scanned for installed apps to steal sensitive data. Malicious extensions targeting developers and cryptocurrency projects have infiltrated the VSCode marketplace and NPM. Disguised as productivity tools, these extensions employed downloader functionality to deliver obfuscated PowerShell payloads. The BADBOX botnet has resurfaced, compromising over 192,000 Android devices, including high-end smartphones and smart TVs, directly from the supply chain. Industrial control systems are facing heightened risks as malware like Ramnit and Chaya_003 targets engineering workstations from Mitsubishi and Siemens. Both malware families exploit legitimate services, complicating detection and mitigation efforts in ICS environments. The Chinese hacking group Winnti has been leveraging a PHP backdoor called Glutton, targeting organizations in China and the U.S. This modular ELF-based malware facilitates tailored attacks across industries and even embeds itself into software packages to compromise other cybercriminals. A tax-themed phishing campaign, dubbed FLUX#CONSOLE, is deploying backdoor payloads to compromise systems in Pakistan. Threat actors employ phishing emails with double-extension files masquerading as PDFs.

Dec 13, 2024

Cyware Weekly Threat Intelligence, December 09–13, 2024

Cybercrime’s web of deception unraveled in South Korea as authorities dismantled a fraud network responsible for extorting $6.3 million through fake online trading platforms. Dubbed Operation Midas, the effort led to the arrest of 32 individuals and the seizure of 20 servers. In a significant move to combat surveillance abuses, the U.S. defense policy bill for 2025 introduced measures to shield military and diplomatic personnel from commercial spyware threats. The legislation calls for stringent cybersecurity standards, a review of spyware incidents, and regular reporting to Congress. The subtle art of deception found a new stage with a Microsoft Teams call, as attackers used social engineering to manipulate victims into granting remote access. By convincing users to install AnyDesk, they gained control of systems, executing commands to download the DarkGate malware. Russian APT Secret Blizzard has resurfaced and used the Amadey bot to infiltrate Ukrainian military devices and deploy their Tavdig backdoor. In a phishing spree dubbed "Aggressive Inventory Zombies (AIZ)," scammers impersonated brands like Etsy, Amazon, and Binance to target retail and crypto audiences. Surveillance has reached unsettling new depths with the discovery of BoneSpy and PlainGnome, two spyware families linked to the Russian group Gamaredon. Designed for extensive espionage, these Android malware tools track GPS, capture audio, and harvest data. A new Android banking trojan has already caused havoc among Indian users, masquerading as utility and banking apps to steal sensitive financial information. With 419 devices compromised, the malware intercepts SMS messages, exfiltrates personal data via Supabase, and even tricks victims into entering details under the pretense of bill payment. Iranian threat actors have set their sights on critical infrastructure, deploying IOCONTROL malware to infiltrate IoT and OT/SCADA systems in Israel and the U.S.

Dec 6, 2024

Cyware Weekly Threat Intelligence, December 02–06, 2024

NIST sharpened the tools for organizations to measure their cybersecurity readiness, addressing both technical and leadership challenges. The two-volume guidance blends data-driven assessments with managerial insights, emphasizing the critical role of leadership in applying findings. The Manson Market, a notorious hub for phishing networks, fell in a sweeping Europol-led takedown. With over 50 servers seized and 200TB of stolen data recovered, the operation spanned multiple countries, including Germany and Austria. Russian APT group BlueAlpha leveraged Cloudflare Tunnels to cloak its GammaDrop malware campaign from prying eyes. The group deployed HTML smuggling and DNS fast-fluxing to bypass detection, targeting Ukrainian organizations with precision. Earth Minotaur intensified its surveillance operations against Tibetan and Uyghur communities through the MOONSHINE exploit kit. The kit, now updated with newer exploits, enables the installation of the DarkNimbus backdoor on Android and Windows devices. Cloudflare Pages became an unwitting ally in the sharp rise of phishing campaigns, with a staggering 198% increase in abuse cases. Cybercriminals exploited the platform's infrastructure to host malicious pages, fueling a surge from 460 incidents in 2023 to over 1,370 by October 2024. DroidBot has quietly infiltrated over 77 cryptocurrency exchanges and banking apps, building a web of theft across Europe. Active since June 2024, this Android malware operates as a MaaS platform, enabling affiliates to tailor attacks. Rockstar 2FA, a phishing platform targeting Microsoft 365 users, has set the stage for large-scale credential theft. With over 5,000 phishing domains launched, the platform is marketed on Telegram. The Gafgyt malware is shifting gears, targeting exposed Docker Remote API servers through legitimate Docker images, creating botnets capable of launching DDoS attacks.

Nov 15, 2024

Cyware Weekly Threat Intelligence - November 11–15

As cyber threats to critical infrastructure surge, the TSA has proposed formal rules for pipeline and railroad operators, while the World Economic Forum introduced a new framework to enhance public-private collaboration against cybercrime. These efforts highlight the urgency of uniting resources and governance to fortify cybersecurity resilience on all fronts. This week, several emerging threats highlighted the diversity of attack tactics. The new Glove Stealer exploits browser encryption to pilfer cookies and crypto wallets, whereas the Lazarus group’s RustyAttr trojan targets macOS users using the Tauri framework. A Chinese threat actor, SilkSpecter, was found scamming online shoppers via 4,695 fake domains, impersonating popular brands to steal credit card details during Black Friday hunts. This week, several emerging threats highlighted the diversity of attack tactics. The new Glove Stealer exploits browser encryption to pilfer cookies and crypto wallets, whereas the Lazarus group’s RustyAttr trojan targets macOS users using the Tauri framework. A Chinese threat actor, SilkSpecter, was found scamming online shoppers via 4,695 fake domains, impersonating popular brands to steal credit card details during Black Friday hunts.

Sep 20, 2024

Cyware Weekly Threat Intelligence - September 16–20

The Good German law enforcement has dealt a double blow to cybercriminals, first by dismantling infrastructure used by the Vanir Locker ransomware group. In a separate operation, they took down 47 cryptocurrency exchanges used for illegal money

Sep 13, 2024

Cyware Weekly Threat Intelligence - September 09–13

The Good The U.K government has elevated data centers to a new level of importance, officially designating them as critical national infrastructure - ensuring these digital fortresses get the protection and support they need during crises. Choo

Sep 6, 2024

Cyware Weekly Threat Intelligence - September 02–06

The Good As cyber threats loom larger than ever, the White House released a comprehensive roadmap to secure the Border Gateway Protocol (BGP), a key component of internet routing. The initiative focuses on implementing Resource Public Key Infra

Aug 30, 2024

Cyware Weekly Threat Intelligence - August 26–30

The Good In response to the rising tide of cyber threats, organizations and governments are stepping up their efforts to protect critical infrastructure and personal data. NASA's Katherine Johnson IV&V Facility expanded its mission to include c

Aug 23, 2024

Cyware Weekly Threat Intelligence - August 19–23

The Good With global cyber threats on the rise, over a dozen cyber authorities have endorsed new guidance to set baseline standards for logging and threat detection. This guidance aims to enhance cybersecurity monitoring, helping to prevent inc

Aug 16, 2024

Cyware Weekly Threat Intelligence - August 12–16

The Good In a landmark move, the UN has unanimously passed its first-ever cybercrime treaty, laying the groundwork for a unified global response to cyber threats. This historic treaty, now headed to the General Assembly for final approval, empo

Aug 9, 2024

Cyware Weekly Threat Intelligence - August 05–09

The Good In a significant international crackdown, authorities from the U.S. and Germany have seized the domain of the online cryptocurrency wallet service, Cryptonator, after it was found to be facilitating illicit activities and failing to im

Aug 5, 2024

Cyware Weekly Threat Intelligence, July 29 - August 02, 2024

The Good In recent cybersecurity developments, significant strides have been made in combating cyber threats and enhancing defenses. The UK’s NCA has successfully dismantled Russian Coms, a major caller ID spoofing platform used by scammers to make