The Good

In a remarkable turn of events, Avast's cryptographic savants unearthed a pivotal vulnerability within the DoNex ransomware and its prior iterations. This discovery has paved the way for a decryptor, disseminated to victims. Concurrently, a seismic shift in federal directives has emanated from the White House, compelling federal research agencies to fortify their cybersecurity bastions. This mandate insists on rigorous certification that R&D institutions are equipped with robust security infrastructures, a response to the escalating cyber onslaughts from formidable adversaries.

• Avast researchers discovered a cryptographic flaw in the DoNex ransomware and its predecessors, allowing for the provision of a decryptor to victims and making the weakness public knowledge. DoNex ransomware, previously rebranded from Muse to Fake LockBit 3.0 to DarkRace, ceased its evolution in April 2024 and targeted victims primarily in the US, Italy, and the Netherlands. They have been providing the decryptor to victims in cooperation with law enforcement since March 2024, and the cryptographic weakness was made public at Recon 2024.

• The White House is requiring federal research agencies to implement increased cybersecurity protocols, including certifying that institutions conducting R&D have proper security measures in place, in response to growing threats from adversaries like China. Higher education institutions must implement cybersecurity programs consistent with the CHIPS and Science Act's cybersecurity resource for research-focused entities. Other covered institutions must implement cybersecurity programs consistent with resources maintained by NIST or other federal research agencies.

• The U.S. and its allies took down a Kremlin-backed AI bot farm that was used to spread disinformation on the X social media platform. The FBI and international partners targeted a total of 968 accounts, seizing a portion of them, while the X platform voluntarily suspended the remaining sham users. The takedown marks a major U.S. push to clamp down on Russian information operations that aim to sow doubt about domestic and international politics on social media.

The Bad

Researchers unveiled a nefarious stratagem aimed at the NuGet package manager, ultimately disseminating the SeroXen RAT. This covert campaign has ensnared approximately 60 packages and spanned 290 distinct package versions. Meanwhile, the elusive ViperSoftX resurfaced with an enhanced arsenal, harnessing the .NET CLR to cloak its PowerShell machinations. In a parallel vein, AsyncRAT is being spread camouflaged as an innocuous ebook. This insidious ploy employs a medley of tactics—malicious scripts, compressed archives, and scheduled tasks—to compromise systems and deploy the RAT.

• ReversingLabs detailed a malicious campaign targeting the NuGet package manager, which has evolved to include tactics such as using obfuscated downloaders, exploiting NuGet’s MSBuild integrations, and manipulating legitimate PE .NET binaries using IL weaving. The threat actors used techniques like typo-squatting and homoglyphs to evade detection and distributed malicious code, including the SeroXen RAT. Approximately 60 packages and 290 package versions were identified as part of this campaign.

• ViperSoftX, first spotted in 2020, has recently reemerged with the ability to use the .NET CLR to obfuscate its use of PowerShell commands. The malware further disguises the PowerShell commands by hiding them within scripts generated by the freeware program AutoIt. This allows ViperSoftX to execute malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity. ViperSoftX is capable of stealing system information, cryptocurrency wallet details (and the coins they contain), clipboard contents, and other such data.

• ASEC blog reported on the distribution of AsyncRAT malware disguised as an ebook, which uses various techniques like malicious scripts, compressed files, and scheduled tasks to infect systems and execute the remote access trojan. The compressed ebook file contains a malicious LNK file, a text file with a malicious PowerShell script, additional compressed files disguised as videos, and the actual ebook file. AsyncRAT possesses features such as anti-VM, anti-AV, maintaining persistence, and exfiltrating user information.

• An ongoing surveillance campaign has been found spreading the GuardZoo malware in the Middle East. The campaign has impacted over 450 victims in countries such as Egypt, Saudi Arabia, and Yemen, with the malware being distributed through WhatsApp and direct browser downloads. GuardZoo, with over 60 commands, can fetch additional payloads, upload files, and change C2 addresses, using dynamic DNS domains registered to YemenNet for its operations.

• Smishing Triad has been registering multiple domain names impersonating the India Post to carry out large-scale smishing campaigns to steal PII and payment data. The group uses compromised and registered iCloud accounts to send fraudulent iMessages with smishing URLs, directing victims to provide personal and payment details under the pretext of a failed package delivery. This threat has been observed targeting a wide range of individuals in India, including consumers, businesses, and government entities.

New Threats

A formidable new phishing toolkit, dubbed FishXProxy, has emerged on the cybercrime landscape, empowering malevolent actors to orchestrate sophisticated phishing schemes with alarming ease. In another alarming development, the Chinese government-backed cyber espionage ensemble, APT41, has augmented its already formidable toolkit with the addition of the DodgeBox loader and the MoonWalk backdoor. The newly identified multi-stage trojan, Orcinius, has been discovered exploiting popular cloud services like Dropbox and Google Docs, marking it as a formidable threat in the cyber landscape.

• A new phishing toolkit called FishXProxy enables cybercriminals to conduct sophisticated phishing attacks with ease. The toolkit includes advanced features such as an antibot system, Cloudflare integration, inbuilt redirector, page expiration settings, and cross-project user tracking. It also allows for the generation of malicious file attachments using HTML smuggling techniques. The toolkit lowers the technical barriers to conducting phishing campaigns, posing a significant threat.
• The Chinese government-backed cyber espionage group APT41 has added a new loader called DodgeBox and a backdoor named MoonWalk to its arsenal of malware tools, according to research by Zscaler ThreatLabz. DodgeBox, similar to APT41's StealthVector, is a shellcode loader with advanced features such as encryption, environment checks, and evasion techniques. It also drops the MoonWalk backdoor, which utilizes Google Drive for command-and-control communication.
• The newly identified multi-stage trojan Orcinius has been found exploiting popular cloud services like Dropbox and Google Docs, making it a formidable threat. The trojan starts with an innocuous Excel spreadsheet containing a modified VBA macro, enabling it to capture keystrokes and active windows once executed. Orcinius downloads secondary payloads from cloud services to evade detection.
• A new RaaS called Eldorado has emerged, targeting Windows and VMware ESXi virtual machines with its ability to encrypt files using the ChaCha20 algorithm and delete shadow volume copies to prevent recovery. The ransomware has already claimed 16 victims, primarily in the U.S., across various sectors. Eldorado uses advanced encryption methods, targets network shares, and deletes shadow volume copies to maximize impact, but also allows affiliates to customize their attacks.
• Check Point noted an increase in cybercriminal activity targeting online shoppers in anticipation of Amazon Prime Day on July 16-17. Researchers have observed a surge in suspicious domains impersonating Amazon, aiming to steal sensitive information such as login credentials and payment details. The tactics used include phishing emails, fake domains, and deceptive files. Online shoppers should exercise caution during Amazon Prime Day, checking URLs, creating strong passwords, and being wary of phishing emails to ensure safe and secure shopping.
• The Blast-RADIUS attack is a newly discovered authentication bypass vulnerability in the RADIUS/UDP protocol. It allows attackers to manipulate RADIUS traffic and gain admin privileges on network devices without brute forcing passwords or stealing credentials. The attack exploits a new protocol bug (CVE-2024-3596) and an MD5 collision attack, enabling the forging of a valid response to authentication requests. Although end-users cannot protect against this attack, network operators are advised to upgrade to RADIUS over TLS, switch to "multihop" RADIUS deployments, and isolate RADIUS traffic from internet access for defense.
• A large-scale fraud campaign called Ticket Heist is targeting Russian-speaking users seeking tickets for major events, particularly the Summer Olympics in Paris. The operation involves 708 convincing websites offering overpriced fake tickets for events like the Olympics, UEFA European Championship, and music concerts. The fraudsters use a consistent UI framework and inflated prices to deceive victims. Transactions are carried out through the Stripe payment platform to steal money from victims. The operation also targets Russian-speaking users with fake concert tickets.