Cyware Weekly Threat Intelligence - July 08–12
Weekly Threat Briefing • Jul 12, 2024
In a remarkable turn of events, Avast's cryptographic savants unearthed a pivotal vulnerability within the DoNex ransomware and its prior iterations. This discovery has paved the way for a decryptor, disseminated to victims. Concurrently, a seismic shift in federal directives has emanated from the White House, compelling federal research agencies to fortify their cybersecurity bastions. This mandate insists on rigorous certification that R&D institutions are equipped with robust security infrastructures, a response to the escalating cyber onslaughts from formidable adversaries.
Avast researchers discovered a cryptographic flaw in the DoNex ransomware and its predecessors, which allowed them to build a decryptor for victims; the weakness is now public knowledge. DoNex ransomware, previously rebranded from Muse to Fake LockBit 3.0 to DarkRace, ceased its evolution in April 2024 and targeted victims primarily in the US, Italy, and the Netherlands. Avast has been providing the decryptor to victims in cooperation with law enforcement since March 2024, and the cryptographic weakness was made public at Recon 2024.
The White House is requiring federal research agencies to implement increased cybersecurity protocols, including certifying that institutions conducting R&D have proper security measures in place, in response to growing threats from adversaries like China. Higher education institutions must implement cybersecurity programs consistent with the CHIPS and Science Act's cybersecurity resource for research-focused entities. Other covered institutions must implement cybersecurity programs consistent with resources maintained by NIST or other federal research agencies.
The U.S. and its allies took down a Kremlin-backed AI bot farm that was used to spread disinformation on the X social media platform. The FBI and international partners targeted a total of 968 accounts, seizing a portion of them, while the X platform voluntarily suspended the remaining sham users. The takedown marks a major U.S. push to clamp down on Russian information operations that aim to sow doubt about domestic and international politics on social media.
Researchers unveiled a nefarious stratagem aimed at the NuGet package manager, ultimately disseminating the SeroXen RAT. This covert campaign has ensnared approximately 60 packages and spanned 290 distinct package versions. Meanwhile, the elusive ViperSoftX resurfaced with an enhanced arsenal, harnessing the .NET CLR to cloak its PowerShell machinations. In a parallel vein, AsyncRAT is being spread camouflaged as an innocuous ebook. This insidious ploy employs a medley of tactics—malicious scripts, compressed archives, and scheduled tasks—to compromise systems and deploy the RAT.
ReversingLabs detailed a malicious campaign targeting the NuGet package manager, which has evolved to include tactics such as using obfuscated downloaders, exploiting NuGet’s MSBuild integrations, and manipulating legitimate PE .NET binaries using IL weaving. The threat actors used techniques like typo-squatting and homoglyphs to evade detection and distributed malicious code, including the SeroXen RAT. Approximately 60 packages and 290 package versions were identified as part of this campaign.
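As an added example (not code from the ReversingLabs report or from NuGet), a Python triage check that flags two of the tactics described above in a .nupkg file: MSBuild integration hooks under build/ or buildTransitive/, which NuGet imports into the consuming project's build, and non-ASCII lookalike characters in the package id. The packages it inspects are constructed in memory, and the package names are made up.

```python
import io
import unicodedata
import zipfile
import xml.etree.ElementTree as ET

def package_id(nuspec_xml: bytes) -> str:
    """Return the <id> from a .nuspec regardless of the schema namespace used."""
    for el in ET.fromstring(nuspec_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "id":
            return (el.text or "").strip()
    return ""

def msbuild_hooks(zf: zipfile.ZipFile) -> list:
    """build/ and buildTransitive/ .props/.targets are imported by MSBuild in the
    consuming project, so anything in them runs at restore/build time."""
    return sorted(n for n in zf.namelist()
                  if n.lower().startswith(("build/", "buildtransitive/"))
                  and n.lower().endswith((".props", ".targets")))

def homoglyph_chars(pkg_id: str) -> list:
    """Non-ASCII characters in the id, named so the lookalike is visible to an analyst."""
    return [f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
            for c in pkg_id if ord(c) > 127]

def triage_nupkg(data: bytes) -> dict:
    """Summarise both signals for one .nupkg (which is a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        nuspec = next(n for n in zf.namelist() if n.lower().endswith(".nuspec"))
        pid = package_id(zf.read(nuspec))
        return {"id": pid, "msbuild_hooks": msbuild_hooks(zf),
                "homoglyphs": homoglyph_chars(pid)}

def build_sample(pkg_id: str, files: dict) -> bytes:
    """Constructed test package: minimal .nuspec plus the given extra files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{pkg_id}.nuspec", f"<package><metadata><id>{pkg_id}</id>"
                    "<version>1.0.0</version></metadata></package>")
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: a plain library, and a lookalike id (Cyrillic 'о' for 'o')
# that also ships a build hook.
CLEAN = build_sample("Acme.Logging", {"lib/net6.0/Acme.Logging.dll": b"MZ"})
SUSPECT = build_sample("Acme.L\u043egging",
                       {"build/Acme.L\u043egging.targets": b"<Project />",
                        "lib/net6.0/Acme.Logging.dll": b"MZ"})
```

A build hook is not malicious by itself (many legitimate packages ship one), so treat it as a reason to read the .targets file, not as a verdict.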
ViperSoftX, first spotted in 2020, has recently reemerged with the ability to use the .NET CLR to obfuscate its use of PowerShell commands. The malware further disguises the PowerShell commands by hiding them within scripts generated by the freeware program AutoIt. This allows ViperSoftX to execute malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity. ViperSoftX is capable of stealing system information, cryptocurrency wallet details (and the coins they contain), clipboard contents, and other such data.
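As an added example (not code from the ViperSoftX write-up), a Python detection for the CLR-hosting trick described above: any process that hosts PowerShell through the CLR must load the PowerShell engine assembly, System.Management.Automation.dll (or its native image, .ni.dll), so an engine load by a host other than powershell.exe or pwsh.exe is the signal. The image-load events are constructed Sysmon-style records, and the AutoIt3.exe path and interpreter names are assumptions.

```python
import re

# The PowerShell engine assembly (or its NGEN native image) is loaded by every
# process that hosts PowerShell, whether that is powershell.exe or a CLR host.
ENGINE_ASSEMBLY = re.compile(r"[\\/]system\.management\.automation(\.ni)?\.dll$", re.I)
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Script interpreters abused in the campaign above (assumed names); rated higher
# than an unknown host because they have no business running PowerShell in-process.
SCRIPT_INTERPRETERS = {"autoit3.exe", "autoit3_x64.exe"}

# Constructed Sysmon-style records: (event_id, host image, loaded image).
# Event ID 7 is ImageLoad; the Event ID 1 row is a process-create record to be ignored.
ENGINE_DLL = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"
SAMPLE_EVENTS = [
    (7, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management.Automation.ni.dll"),
    (7, r"C:\Users\Public\Libraries\AutoIt3.exe", r"C:\Windows\System32\kernel32.dll"),
    (7, r"C:\Users\Public\Libraries\AutoIt3.exe", ENGINE_DLL),
    (1, r"C:\Users\Public\Libraries\AutoIt3.exe", ""),
    (7, r"C:\Program Files\Vendor\updater.exe", ENGINE_DLL),
]

def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return re.split(r"[\\/]", path)[-1].lower()

def unexpected_powershell_hosts(events) -> list:
    """One finding per engine-assembly load by a process that is not a known
    PowerShell host; severity is 'high' for script interpreters, else 'medium'."""
    hits = []
    for event_id, image, loaded in events:
        if event_id != 7 or not ENGINE_ASSEMBLY.search(loaded):
            continue
        host = basename(image)
        if host in EXPECTED_HOSTS:
            continue
        severity = "high" if host in SCRIPT_INTERPRETERS else "medium"
        hits.append({"host": host, "image": image, "severity": severity})
    return hits
```

Because the same engine executes the script, PowerShell script block logging still records the commands; this check adds the host-process context those log entries do not carry.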
The ASEC blog reported on the distribution of AsyncRAT malware disguised as an ebook, which uses various techniques, such as malicious scripts, compressed files, and scheduled tasks, to infect systems and execute the remote access trojan. The compressed ebook file contains a malicious LNK file, a text file with a malicious PowerShell script, additional compressed files disguised as videos, and the actual ebook file. AsyncRAT possesses features such as anti-VM, anti-AV, maintaining persistence, and exfiltrating user information.
An ongoing surveillance campaign has been found spreading the GuardZoo malware in the Middle East. The campaign has impacted over 450 victims in countries such as Egypt, Saudi Arabia, and Yemen, with the malware being distributed through WhatsApp and direct browser downloads. GuardZoo, with over 60 commands, can fetch additional payloads, upload files, and change C2 addresses, using dynamic DNS domains registered to YemenNet for its operations.
Smishing Triad has been registering multiple domain names impersonating India Post to carry out large-scale smishing campaigns to steal PII and payment data. The group uses compromised and registered iCloud accounts to send fraudulent iMessages with smishing URLs, directing victims to provide personal and payment details under the pretext of a failed package delivery. This threat has been observed targeting a wide range of individuals in India, including consumers, businesses, and government entities.
New Threats
A new phishing toolkit, dubbed FishXProxy, has emerged on the cybercrime landscape, empowering malevolent actors to orchestrate sophisticated phishing schemes with alarming ease. In another development, the Chinese government-backed cyber espionage ensemble, APT41, has augmented its already formidable toolkit with the addition of the DodgeBox loader and the MoonWalk backdoor. The newly identified multi-stage trojan, Orcinius, has been discovered exploiting popular cloud services like Dropbox and Google Docs, marking it as a serious threat in the cyber landscape.