Welcome to the weekly digest about the Cybersecurity & Threats in the wild. Below you will find a very subjective summary of Cybersecurity events for the prior week.
1. From Cobalt Strike to Mimikatz: A Deep Dive into the SLOW#TEMPEST Campaign Targeting Chinese Users by @Securonix Threat Research
- covert campaign targeting Chinese-speaking users with Cobalt Strike payloads likely delivered through phishing emails
- attackers managed to move laterally, establish persistence and remain undetected within the systems for more than two weeks.
https://www.securonix.com/blog/from-cobalt-strike-to-mimikatz-slowtempest/
2. Analyzing the Mekotio Trojan by @CyfirmaR
- sophisticated piece of malware that utilizes a PowerShell dropper to execute its payload
- dropper is obfuscated to conceal its operations, using custom XOR decryption to hide crucial details
- tasks: gathering system info, interacting with command-and-control (C2) server to download additional payloads, and ensuring persistence by modifying system settings
https://www.cyfirma.com/research/analyzing-the-mekotio-trojan/
3. Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence by @TrendMicro
- new attack vector that exploits CVE-2023-22527 through deployment of an in-memory fileless backdoor known as the Godzilla webshell
- CVE-2023-22527 is a vulnerability affecting older versions of Atlassian Confluence Data Center and Server that allows attackers to perform remote code execution
- loader is introduced into the compromised Atlassian server, subsequently activating the Godzilla webshell
https://www.trendmicro.com/en_us/research/24/h/godzilla-fileless-backdoors.html
4. Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem by @TrendMicro
- critical vulnerability CVE-2023-22527 is actively being exploited for cryptojacking activities, turning affected environments into cryptomining networks
- attacks involve threat actors that employ methods such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing cryptomining processes, and maintaining persistence via cron jobs
https://www.trendmicro.com/en_us/research/24/h/cve-2023-22527-cryptomining.html
5. Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool by @TrendMicro
- malware uses a two-stage infection routine and advanced C&C infrastructure.
- infects via a setup.exe file while using the Interactsh project for beaconing, communicating with specific hostnames to report infection progress and gather victim info.
- can execute remote PowerShell commands, download and exfiltrate files, encrypt communications, and bypass sandbox solutions
https://www.trendmicro.com/en_us/research/24/h/threat-actors-target-middle-east-using-fake-tool.html
6. Analysis of two arbitrary code execution vulnerabilities affecting WPS Office by @ESETresearch
- APT-C-60 weaponized a code execution vulnerability in WPS Office for Windows (CVE-2024-7262) in order to target East Asian countries
- root cause analysis of this vulnerability is provided along with description of its weaponization
7. I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation by @Mandiant
- data collected by this campaign may support the Iranian intelligence apparatus in pinpointing individuals who are interested in collaborating with Iran’s perceived adversarial countries.
- targets include Iranian dissidents, activists, human rights advocates, and Farsi speakers living in and outside Iran.
8. A Measure of Motive: How Attackers Weaponize Digital Analytics Tools by @Mandiant
- threat actors cleverly repurposing digital analytics and advertising tools to evade detection and amplify the effectiveness of their malicious campaigns
- deep dive into the threat actor playbook, revealing how these tools can be weaponized by attackers to add malicious data analytics (“malnalytics”) capabilities to their threat campaigns
- We’ll expose the surprising effectiveness of these tactics and arm defenders with detection and mitigation strategies for their own environments
9. The Emerging Dynamics of Deepfake Scam Campaigns on the Web by #PaloAlto's #Unit42
- scam campaigns using deepfake videos featuring the likeness of various public figures, including CEOs, news anchors and top government officials
- due to their infrastructural and tactical similarities, many of these campaigns likely stem from a single threat actor group.
https://unit42.paloaltonetworks.com/dynamics-of-deepfake-scams/
10. Linux Detection Engineering – A Sequel on Persistence Mechanisms by @elasticseclabs
- 4th part of the Linux Detection Engineering series
- Goal: to educate defenders and security researchers on the foundational aspects of Linux persistence by examining both trivial and more complicated methods, understanding how these methods work, how to hunt for them, and how to develop effective detection strategies.
https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
11. Exploring AsyncRAT and Infostealer Plugin Delivery Through Phishing Emails by @esthreat
- infection involving AsyncRAT stemming from the execution of a Windows Script File delivered via email
- payload is a .wsf file which uses a naming scheme that begins with “SummaryForm_”
12. Deep Analysis of Snake Keylogger’s New Variant by #FORTIGUARD LABS
- phishing campaign in the wild with a malicious Excel document attached to the phishing email that delivers a new variant of Snake Keylogger
- Snake Keylogger (aka “404 Keylogger” or “KrakenKeylogger”) is a subscription-based keylogger with many capabilities
- .NET-based software originally sold on a hacker forum
- once executed, it has the ability to steal sensitive data, saved credentials from web browsers and other popular software, system clipboard, basic device info, log keystrokes and capture screenshots.
https://www.fortinet.com/blog/threat-research/deep-analysis-of-snake-keylogger-new-variant
13. BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks by @TalosSecurity
- using techniques that depart from their established tradecraft, such as exploiting CVE-2024-37085 – an authentication bypass vulnerability in VMware ESXi – shortly after it was disclosed, and using a victim’s authorized remote access mechanism rather than deploying a commercial remote administration tool like AnyDesk
- new iteration of BlackByte encryptor that appends the file extension “blackbytent_h” to encrypted files, drops 4 vulnerable driver files compared to the previously observed 3, and uses victim Active Directory creds to self-propagate.
Thanks a lot for reading.