Data wipers sent to Israeli companies through compromised ESET partner
Hackers reportedly breached ESET’s exclusive partner in Israel, Comsecure, to deliver data wipers masquerading as antivirus software to Israeli companies. Starting October 8th, 2024, emails branded with ESET’s logo were sent from a legitimate domain operated by Comsecure, pretending to be from ‘ESET’s Advanced Threat Defense Team’ and warning customers of hackers trying to access their device. The emails prompted targets to install a purported antivirus tool, named ESET Unleashed, with the link to the download hosted on legitimate URLs. The resulting download consisted of a ZIP archive containing four DLL files signed by ESET’s legitimate code signing certificate alongside a malicious executable file that is the data wiper.
Cyble researchers identified a sophisticated multi-stage malware attack that likely originates from spam emails containing phishing attachments. Based on the observed lure document, the threat actor is likely targeting job seekers and digital marketing professionals, particularly those involved with Meta Ads within the United States. The emails include an archive file containing a LNK file disguised as a PDF file, with the LNK responsible for triggering a series of PowerShell-based commands that ultimately lead to the delivery of the Quasar remote access trojan (RAT). Throughout the infection chain, the threat actor employs a variety of evasion techniques, including checks for virtual machines, sandbox environments, and debugging tools.
Gophish toolkit used to deliver new PowerRAT and DCRAT
Cisco Talos researchers discovered a new phishing campaign leveraging the open-source phishing toolkit, Gophish, to deliver a newly discovered remote access trojan (RAT), dubbed PowerRAT, and DCRAT. The campaign appears to be targeting Russian-speaking users, using lures related to the VKontakte social media app. The malware is delivered via a modular infection chain, starting with malicious hyperlinks embedded in phishing emails. PowerRAT is a new PowerShell RAT that executes in memory and is capable of executing other PowerShell scripts or commands. DCRAT can download and execute additional files, contains stealer plugin modules, and can take screenshots and capture keystrokes.
Docker remote API abused to deploy perfctl malware
Trend Micro researchers observed an unknown threat actor abusing exposed Docker remote API servers to deploy the perfctl malware. The attack begins with a ping to the Docker remote API server, followed by the creation of a Docker container with specific settings using an Ubuntu image from Docker Hub. The attacker then uses ‘nsenter’ to break out of the container and run the Base64 encoded shell script payload. Payload execution involves checking and preventing duplicate processes, creating a bash script that includes another Base64 encoded payload, setting environment variables, and downloading a malicious binary disguised as a PHP extension. To maintain persistence, the malware creates a systemd service using ‘multi-user.target’ if it is run as non-offline; otherwise it creates a cron job.
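The chain above (API ping, container creation with host-level settings, nsenter escape, Base64-decoded payload) leaves a recognisable trace in Docker remote API request logs. The detector below is an added example written for this digest, not Trend Micro's code or tooling. It assumes a simplified request-log format (timestamp, source IP, method, path, JSON body or '-'), a constructed sample log, and that "specific settings" means privileged mode, host PID namespace, or a root bind mount; those settings are an assumption, not taken from the report.

```python
import json
from ipaddress import ip_address, ip_network

# Assumption: only these networks are allowed to reach the Docker remote API.
TRUSTED_SOURCES = [ip_network("10.0.0.0/8")]

# Constructed sample log (not real data). Format per line:
#   <timestamp> <source ip> <method> <api path> <json body or '-'>
SAMPLE_LOG = """\
2024-10-20T10:00:01Z 203.0.113.7 GET /_ping -
2024-10-20T10:00:02Z 203.0.113.7 POST /containers/create {"Image":"ubuntu:latest","HostConfig":{"Privileged":true,"PidMode":"host"},"Cmd":["/bin/sh","-c","echo ZWNobyBoaQo= | base64 -d | sh"]}
2024-10-20T10:00:03Z 203.0.113.7 POST /containers/abc123/start -
2024-10-20T10:00:04Z 203.0.113.7 POST /containers/abc123/exec {"Cmd":["nsenter","-t","1","-m","-u","-i","-n","-p","--","sh","-c","echo aGk= | base64 -d | sh"]}
2024-10-20T10:05:00Z 10.0.0.5 GET /containers/json -
2024-10-20T10:06:00Z 10.0.0.5 POST /containers/create {"Image":"nginx:1.27","HostConfig":{}}
"""


def parse_line(line):
    """Split one log line into its fields; a malformed JSON body becomes None."""
    parts = line.split(" ", 4)
    if len(parts) < 4:
        return None
    ts, src, method, path = parts[:4]
    raw = parts[4] if len(parts) == 5 else "-"
    body = None
    if raw != "-":
        try:
            body = json.loads(raw)
        except json.JSONDecodeError:
            body = None
    return {"ts": ts, "src": src, "method": method, "path": path, "body": body}


def _command_text(body):
    """Flatten Entrypoint/Cmd from a create or exec body into one string."""
    if not isinstance(body, dict):
        return ""
    parts = []
    for key in ("Entrypoint", "Cmd"):
        val = body.get(key)
        if isinstance(val, list):
            parts.extend(str(v) for v in val)
        elif isinstance(val, str):
            parts.append(val)
    return " ".join(parts)


def host_level_settings(body):
    """Settings that give a container a foothold on the host (assumed set)."""
    if not isinstance(body, dict):
        return False
    hc = body.get("HostConfig") or {}
    if hc.get("Privileged") is True or hc.get("PidMode") == "host":
        return True
    # A bind of the host root filesystem, e.g. "/:/host".
    return any(str(b).startswith("/:") for b in hc.get("Binds") or [])


def reasons_for(entry):
    """Return the list of detection reasons that apply to one request."""
    reasons = []
    try:
        addr = ip_address(entry["src"])
        if not any(addr in net for net in TRUSTED_SOURCES):
            reasons.append("untrusted_source")
    except ValueError:
        reasons.append("unparseable_source")
    if entry["path"].endswith("/containers/create") and host_level_settings(entry["body"]):
        reasons.append("host_level_container_settings")
    cmd = _command_text(entry["body"])
    if "nsenter" in cmd:
        reasons.append("nsenter_in_command")
    if "base64 -d" in cmd or "base64 --decode" in cmd:
        reasons.append("base64_decoded_payload")
    return reasons


def analyze(log_text):
    """Return one finding per request that triggers at least one reason."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            findings.append({"ts": entry["ts"], "src": entry["src"],
                             "path": entry["path"], "reasons": reasons})
    return findings


def summarize(findings):
    """Union of reasons per source address, for a quick triage view."""
    by_src = {}
    for f in findings:
        by_src.setdefault(f["src"], set()).update(f["reasons"])
    return by_src


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["src"], f["path"], ",".join(f["reasons"]))
    print(summarize(analyze(SAMPLE_LOG)))
```

The source-address rule uses an explicit allowlist rather than a "private address" heuristic, because an exposed Docker socket is reachable from anywhere and the real fix is to never expose it unauthenticated; the other three rules only fire on request bodies, so the same logic applies to daemon audit events if the log format is swapped in parse_line.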
New China-nexus APT IcePeony potentially linked to Chinese maritime strategy
nao_sec researchers identified a China-nexus advanced persistent threat (APT) actor, dubbed IcePeony, that has been active since at least 2023. The threat actor has targeted government agencies, academic institutions, and political organisations in India, Vietnam, and Mauritius, with recent attacks also potentially impacting Brazil. IcePeony’s initial infection vector is typically an SQL injection, which is followed by compromise via webshells and backdoors, as well as the usage of custom malware, dubbed IceCache and IceEvent. IcePeony is believed to potentially be connected with China’s maritime strategy, with its attacks on Mauritius linked to China’s expansion into the Indian Ocean.
Ransomware
Volume of blog posts by operators during the last week.
- Embargo Ransomware Gang Deploys Customized Defense Evasion Tools (Infosecurity Today, Oct 23 2024)
- Avast Releases Free Decryptor for Mallox Ransomware (SecurityWeek RSS Feed, Oct 23 2024)
- macOS NotLockBit | Evolving Ransomware Samples Suggest a Threat Actor Sharpening Its Tools (SentinelOne, Oct 22 2024)
- Akira ransomware continues to evolve (Talos Intelligence Blog, Oct 21 2024)
- Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia (Kaspersky Lab, Oct 18 2024)
- Researchers Uncover Cicada3301 Ransomware Operations and Its Affiliate Program (The Hacker News, Oct 17 2024)
Financial Services
- Attackers Target Crypto Wallets Using Codeless Webflow Phishing Pages (Netskope – Threat Labs, Oct 23 2024)
- Grandoreiro, the global trojan with grandiose ambitions (Kaspersky Lab, Oct 22 2024)
- Phishing Attack Impacts Over 92,000 Transak Users (Infosecurity Today, Oct 22 2024)
- Abbott Laboratories Employees Credit Union Data Breach Caused by Compromised Email Account (JD Supra, Oct 22 2024)
- Hackers blackmail Globe Life after stealing customer data (Bleeping Computer, Oct 17 2024)
Geopolitics
- How Russia’s spies hacked the entire nation of Georgia (Economic Times, Oct 22 2024)
- China’s Spamouflage cranks up trolling of US Senator Rubio as election day looms (The Register – Security, Oct 21 2024)
- DDoS Attacks Against Japan (NETSCOUT Blog, Oct 17 2024)
- UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants (Talos Intelligence Blog, Oct 17 2024)
- China’s Influence Ops | Twisting Tales of Volt Typhoon at Home and Abroad (SentinelLabs, Oct 16 2024)
High Priority Vulnerabilities
Name | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2024-47575 | FortiManager | 9.8 | 9.4 | Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)
CVE-2024-9537 | SL1 | 9.8 | 9.4 | U.S. CISA adds ScienceLogic SL1 flaw to its Known Exploited Vulnerabilities catalog
CVE-2024-44068 | W920 | 8.1 | 8.0 | Samsung zero-day under active exploitation
CVE-2024-4947 | Chrome | 8.8 | 6.0 | The Crypto Game of Lazarus APT: Investors vs. Zero-days
CVE-2024-37383 | Webmail | 3.5 | 3.4 | Unknown threat actors exploit Roundcube Webmail flaw in phishing campaign