Weekly Cyber Round-up

Intelligence Report

September 5, 2024

Czech officials targeted in NATO-themed campaign delivering Freeze and Havoc

Seqrite researchers identified a new malware campaign, dubbed Operation Oxidový, targeting government and military officials in the Czech Republic using NATO-themed lures. The campaign delivers the Rust-based loader Freeze, which is used to load a Demon DLL, part of the Havoc post-exploitation framework. The campaign is believed to have been active since at least May 2024. The malware is delivered via malicious ZIP files containing a LNK file. An investigation of the attacker’s infrastructure revealed further similar loader samples, including one that downloads a custom Sliver stager. The researchers attribute the campaign with medium confidence to a threat actor of Russian origin.


Lazarus Group updates its BeaverTail malware capabilities and distribution methods

In mid-August 2024, Group-IB researchers identified new distribution methods and a new Python version of Lazarus Group’s BeaverTail malware. The new version adds features such as establishing persistence and configuring AnyDesk. It also fetches several Python scripts, collectively dubbed CivetQ, that function as a backdoor, keylogger, and infostealer. BeaverTail was initially observed being distributed via fake job interview files on LinkedIn, but Lazarus Group has since been observed using other job search platforms to target victims as well. The group typically asks victims to move the conversation to Telegram, where they are asked to download a fake Windows video conferencing application or Node.js files as part of the interview process. Lazarus Group has also expanded its targeting beyond cryptocurrency-related repositories by injecting malicious JavaScript into gaming-related repositories.

SLOW#TEMPEST campaign targets Chinese-speaking users with Cobalt Strike

Securonix researchers identified an ongoing campaign, dubbed SLOW#TEMPEST, that is targeting Chinese-speaking users with Cobalt Strike. The payload is delivered via a LNK file within a ZIP file, likely distributed via phishing emails. Based on the language used in the lures, the researchers believe the campaign may be aimed at Chinese-related businesses or government sectors. In some cases the ZIP file is password protected, and the LNK file masquerades as a Microsoft Word document to further evade detection. The archive contains a DLL file and a legitimate Microsoft-signed executable, with DLL sideloading used to deliver Cobalt Strike.

Suspected espionage campaign delivers Voldemort malware

In August 2024, Proofpoint researchers identified a suspected espionage campaign delivering a new custom malware, dubbed Voldemort. The campaign began on August 5th, 2024, and uses messages claiming to be from tax authorities of governments in the United States, the UK, France, Germany, Italy, India, and Japan. The threat actor targeted 18 different sectors, with insurance companies making up nearly a quarter of the targeted organisations. Voldemort is written in C and can gather information and drop additional payloads, including Cobalt Strike. It is executed via a CiscoCollabHost executable that is vulnerable to DLL hijacking. The researchers note that its attack chain has unusual, customised functionality, such as the use of Google Sheets for C2 communication and a saved search file on an external share.

New PyPI hijacking technique exploited in the wild 

JFrog researchers identified a new PyPI supply chain attack technique, dubbed Revival Hijack, being exploited in the wild to hijack software packages. The technique abuses the option to re-register a package name once the original owner has removed the package from PyPI’s index. The researchers warn that the method could be used to hijack 22,000 existing PyPI packages, possibly leading to hundreds of thousands of malicious package downloads.
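The practical defence against a revived package name is to install only artifacts whose hashes were pinned when the dependency was first vetted: a re-upload under the same name and version then fails the hash check rather than being installed. The following is an added illustration of that check, not JFrog's or pip's code (pip's --require-hashes mode does the same thing natively). It parses a lockfile in pip's hash-pinning format and verifies a downloaded artifact against it; the package name, version and artifact bytes are constructed here for the example.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass


@dataclass
class Pin:
    """One pinned requirement: exact version plus the set of allowed sha256 digests."""
    name: str
    version: str
    hashes: set[str]


# Matches "name==version <rest>" where <rest> carries the --hash options.
_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)==([^\s]+)(.*)$")
_HASH = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_requirements(text: str) -> dict[str, Pin]:
    """Parse a hash-pinned requirements file into {normalised name: Pin}."""
    # pip allows a requirement to span lines with a trailing backslash; join them first.
    joined = re.sub(r"\\\n\s*", " ", text)
    pins: dict[str, Pin] = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        name, version, rest = m.group(1).lower(), m.group(2), m.group(3)
        hashes = set(_HASH.findall(rest))
        if not hashes:
            # A pin without a hash would accept whatever is served under that name.
            raise ValueError(f"{name}=={version} has no sha256 pin")
        pins[name] = Pin(name, version, hashes)
    return pins


def verify_artifact(pins: dict[str, Pin], name: str, version: str, data: bytes) -> tuple[bool, str]:
    """Return (ok, reason) for a downloaded artifact against the pinned lockfile."""
    pin = pins.get(name.lower())
    if pin is None:
        return False, f"{name}: not present in lockfile"
    if pin.version != version:
        return False, f"{name}: version {version} does not match pin {pin.version}"
    digest = hashlib.sha256(data).hexdigest()
    if digest not in pin.hashes:
        # This is the revived-package case: same name, same version string,
        # different bytes than the ones that were vetted.
        return False, f"{name}=={version}: sha256 {digest[:12]}... not in pinned set"
    return True, f"{name}=={version}: hash ok"


# Constructed artifacts: the build that was vetted, and a different build
# re-uploaded later under the same name and version (hypothetical package name).
GOOD_WHEEL = b"PK\x03\x04 example-lib 1.4.2 built by the original maintainer (constructed)"
REVIVED_WHEEL = b"PK\x03\x04 example-lib 1.4.2 re-uploaded under the revived name (constructed)"

# Constructed lockfile; its --hash pin is derived from GOOD_WHEEL above.
REQUIREMENTS = f"""
# example lockfile in pip hash-pinning format (constructed)
example-lib==1.4.2 \\
    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}
"""


if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    for label, blob in (("vetted build", GOOD_WHEEL), ("revived build", REVIVED_WHEEL)):
        ok, reason = verify_artifact(pins, "example-lib", "1.4.2", blob)
        print(f"{label}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The check rejects the re-uploaded build even though name and version string are identical, which is exactly the signal a hijacked-then-revived package cannot forge without also breaking the lockfile. Note that hash pinning only protects projects that already pinned the dependency; new consumers installing an unpinned name get whatever is currently served under it.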

Ransomware

Volume of blog posts by operators during the last week.

Mallox ransomware: in-depth analysis and evolution – Kaspersky Lab – Sep 04 2024
Luxy: A Stealer and a Ransomware in one – K7 Security Labs – Sep 03 2024
Dark Web Profile: Abyss Ransomware – SOCRadar – Sep 02 2024
Cicada3301 ransomware’s Linux encryptor targets VMware ESXi systems – BleepingComputer.com – Sep 01 2024
#StopRansomware: RansomHub Ransomware – CISA Current Activity – Aug 29 2024
So-Phish-ticated Attacks – GuidePoint Security – Aug 27 2024

High Priority Vulnerabilities

Name           | Software          | Base Score | Temp Score
CVE-2024-7971  | Chrome            | 8.8        | 6.0
  Related: North Korean threat actor Citrine Sleet exploiting Chromium zero-day
CVE-2023-22527 | Confluence Server | 9.8        | 9.8
  Related: Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence
CVE-2024-5274  | Chrome            | 8.8        | 6.0
  Related: State-backed attackers and commercial surveillance vendors repeatedly use the same exploits
CVE-2023-38831 | WinRAR            | 7.8        | 6.0
  Related: Head Mare exploits WinRAR flaw in ransomware attacks against Russia and Belarus
CVE-2024-34102 | Magento           | 9.8        | 9.4
  Related: CosmicSting flaw chained with CNEXT flaw to achieve remote code execution
