Cybersecurity Wiretap #12: APT41’s MoonWalk to DodgeBox with Focus on New Vulnerability Class: False File Immutability (week of 07/08/2024)

Welcome to the weekly digest about the Cybersecurity & Threats in the wild. Below you will find a very subjective summary of Cybersecurity events for the prior week.

1. Hidden between the tags: Insights into spammers’ evasion techniques in HTML Smuggling by @TalosSecurity

  • several malicious email campaigns over the past months that hide JavaScript code inside HTML email attachments, so the payload is assembled in the recipient's browser instead of travelling as a plain attachment

https://blog.talosintelligence.com/hidden-between-the-tags-insights-into-evasion-techniques-in-html-smuggling/
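A scanner for the smuggling pattern the Talos post describes, added here as an example (it is not Talos's code or tooling): it looks for the client-side primitives an HTML smuggling attachment needs (an atob decode, Blob construction, createObjectURL or msSaveOrOpenBlob, a download attribute and an auto-click), rejoins string literals split with "+" so a chunked base64 payload reassembles, and carves any long base64 literal to classify it by file magic. The sample attachment and the benign page are constructed inputs; the indicator set and the 32-character base64 threshold are my assumptions.

```python
import base64
import binascii
import re

# Constructed sample of an HTML smuggling attachment, written for this example
# (not taken from the Talos post). The "document" is a base64 ZIP local-file
# header padded to 30 bytes; the literal is split in two to dodge naive scanners.
ZIP_B64 = base64.b64encode(b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20).decode()
SAMPLE_HTML = f"""<html><body>
<p>Your document is loading, please wait...</p>
<script>
var p = "{ZIP_B64[:20]}" + "{ZIP_B64[20:]}";
var b = atob(p);
var a = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) a[i] = b.charCodeAt(i);
var blob = new Blob([a], {{type: "application/octet-stream"}});
var link = document.createElement("a");
link.href = URL.createObjectURL(blob);
link.download = "invoice.zip";
link.click();
</script></body></html>"""

BENIGN_HTML = "<html><body><p>Meeting notes are attached as a PDF.</p></body></html>"

# Client-side primitives a smuggler needs: decode the blob, turn it into a file,
# hand it to the browser's download path. (Assumed indicator set.)
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "save_blob": re.compile(r"msSaveOrOpenBlob|msSaveBlob"),
    "download_attr": re.compile(r"\.download\s*="),
    "autoclick": re.compile(r"\.click\s*\(\s*\)"),
}
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{32,}={0,2})["']""")
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\x1f\x8b": "gzip",
         b"\xd0\xcf\x11\xe0": "ole"}


def normalize_js(text: str) -> str:
    """Rejoin string fragments written as "abc" + "def" so a split payload reassembles."""
    return re.sub(r"""["']\s*\+\s*["']""", "", text)


def carve_payloads(text: str) -> list:
    """Decode every long base64 literal and classify it by file magic."""
    found = []
    for m in B64_LITERAL.finditer(text):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue
        kind = next((name for magic, name in MAGIC.items() if raw.startswith(magic)), "unknown")
        found.append((kind, len(raw)))
    return found


def analyze(html: str) -> dict:
    """Return indicator hits, carved payloads and a verdict for one HTML attachment."""
    js = normalize_js(html)
    hits = [name for name, rx in INDICATORS.items() if rx.search(js)]
    payloads = carve_payloads(js)
    decode = "atob" in hits
    deliver = any(h in hits for h in ("blob", "object_url", "save_blob", "download_attr"))
    # Verdict: a decode step paired with a file-delivery step, or a carved binary payload.
    suspicious = (decode and deliver) or any(kind != "unknown" for kind, _ in payloads)
    return {"hits": hits, "payloads": payloads, "suspicious": suspicious}


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(label, analyze(doc))
```

The rejoin step matters more than the regex list: the evasions in the post are about breaking the payload into pieces the scanner does not see as one string, so any detector that only looks for a single long base64 literal will miss a chunked one.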

2. Introducing a New Vulnerability Class: False File Immutability by @elasticseclabs

  • a vulnerability of this class in the Windows 11 kernel can be exploited to achieve arbitrary code execution with kernel privileges

https://www.elastic.co/security-labs/false-file-immutability

3. MoonWalk: A deep dive into the updated arsenal of APT41 | P2 by @Threatlabz

  • shares a development toolkit with DodgeBox
  • uses Google Drive as its C2 channel to blend in with legitimate network traffic, and Windows Fibers to evade AV/EDR solutions

https://www.zscaler.com/blogs/security-research/moonwalk-deep-dive-updated-arsenal-apt41-part-2

4. DodgeBox: A deep dive into the updated arsenal of APT41 | P1 by @Threatlabz

  • incorporates various evasive techniques such as call stack spoofing, DLL sideloading, DLL hollowing and environmental guardrails

https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1

5. Fake Microsoft Teams for Mac delivers Atomic Stealer by @Malwarebytes

  • each click is profiled to ensure only real people proceed, then a cloaking domain (voipfaqs[.]com) separates the initial redirect from the malicious landing page (teamsbusiness[.]org)

https://www.malwarebytes.com/blog/threat-intelligence/2024/07/fake-microsoft-teams-for-mac-delivers-atomic-stealer

6. Malicious NuGet campaign uses homoglyphs and IL weaving to fool devs by @ReversingLabs

  • obfuscated downloaders inserted into legitimate PE binaries using Intermediate Language (IL) weaving, a .NET technique for modifying an application's code after compilation

https://www.reversinglabs.com/blog/malicious-nuget-campaign-uses-homoglyphs-and-il-weaving-to-fool-devs

7. Threat Actors Actively Exploiting CVE-2024-24919: Underground Forums Share IP Addresses of Vulnerable Check Point Security Gateway Devices by @CyfirmaR

  • a search engine query returns ~16,035 results for the purportedly affected Check Point SVN Foundation component

https://www.cyfirma.com/research/threat-actors-actively-exploiting-cve-2024-24919-underground-forums-share-ip-addresses-of-vulnerable-check-point-security-gateway-devices/

8. Braodo Info Stealer Targeting Vietnam and Abroad by @CyfirmaR

  • Utilizes GitHub and a Singapore-based VPS server for hosting and distributing malicious code.
  • VPS server’s ASN/IPs also host non-functional sites resembling Vietnam government sites.

https://www.cyfirma.com/research/braodo-info-stealer-targeting-vietnam-and-abroad/

9. PHP CGI Argument Injection (CVE-2024-4577)- Vulnerability Analysis and Exploitation by @CyfirmaR

  • critical vulnerability leading to remote code execution
  • if left unpatched, it could enable attackers to gain unauthorized access to and control over affected servers

https://www.cyfirma.com/research/php-cgi-argument-injection-cve-2024-4577-vulnerability-analysis-and-exploitation/

10. THE GHOST IN THE MACHINE: STEALTHY FILELESS MALWARE IN THE WINDOWS REGISTRY by @Securonix ThreatResearch

  • by storing code in the registry, attackers have it parsed and executed directly inside a running application when the registry key is read by the system or the application

https://www.securonix.com/blog/the-ghost-in-the-machine-tracking-stealthy-fileless-malware-in-the-windows-registry/
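Added example of hunting for that pattern in a registry export (it is not Securonix's detection content): it walks a constructed .reg dump, decodes any -EncodedCommand argument found in a string value as UTF-16LE PowerShell, flags suspicious cmdlets inside the decoded script, and separately flags opaque base64-only string values of the kind a stage-1 loader reads back. Key paths, value names and the payload are constructed; only string values are parsed (hex: binary values are ignored).

```python
import base64
import binascii
import re
from typing import List, Optional

# Constructed registry export, written for this example (not from the Securonix post).
# Stage 1 is an encoded PowerShell one-liner in a Run key; it reads stage 2 back
# from an opaque base64 string value elsewhere in HKCU and executes it in memory.
PAYLOAD_PS = ('IEX ([System.Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('
              '(Get-ItemProperty "HKCU:\\Software\\Demo").Blob)))')
ENCODED = base64.b64encode(PAYLOAD_PS.encode("utf-16-le")).decode()
STAGE2 = base64.b64encode(b"Write-Host stage2").decode()
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"OneDriveSync"="C:\\\\Users\\\\demo\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe /background"
"Updater"="powershell.exe -nop -w hidden -enc {ENCODED}"

[HKEY_CURRENT_USER\\Software\\Demo]
"Blob"="{STAGE2}"
"""

REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')          # string values only; hex:/dword: skipped
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.I)
B64_ONLY = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
SUSPICIOUS_PS = ("iex", "invoke-expression", "frombase64string", "get-itemproperty",
                 "downloadstring", "reflection.assembly")


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries the script as base64 of UTF-16LE text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def scan_reg_export(text: str) -> List[dict]:
    """Walk a .reg export and report values that look like registry-resident payloads."""
    findings = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        km = REG_KEY.match(line)
        if km:
            key = km.group(1)
            continue
        vm = REG_VALUE.match(line)
        if not vm:
            continue
        name, value = vm.groups()
        reasons = []
        m = ENC_FLAG.search(value)
        decoded = decode_encoded_command(m.group(1)) if m else None
        if decoded is not None:
            reasons.append("encoded PowerShell command")
            reasons += [f"decoded script uses {kw}" for kw in SUSPICIOUS_PS if kw in decoded.lower()]
        # Opaque blobs stored as plain strings: what the stage-1 loader reads back.
        elif B64_ONLY.fullmatch(value):
            reasons.append("base64-only string value (possible staged payload)")
        if reasons:
            findings.append({"key": key, "name": name, "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f["key"], f["name"], f["reasons"])
        if f["decoded"]:
            print("   ->", f["decoded"])
```

The second rule is the one that catches the "ghost": the stage-2 blob has no PowerShell in it at all, so only a check for values that are nothing but base64 surfaces it, and the decoded stage-1 script then tells you which key it will read.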

Thanks a lot for reading.
