Cybersecurity Wiretap #26: From RomCom Malware to Bored BeaverTail Lures with a Focus on Nation-State Strategies (week of 14/10/2024)

Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.

1. APT Profile – VOLT TYPHOON by @CyfirmaR

  • Aliases: BRONZE SILHOUETTE, DEV-0391, Insidious Taurus, UNC3236, Vanguard Panda, Voltzite
  • Motivation: espionage, information theft, intelligence gathering
  • Target technologies: Cisco and NETGEAR routers, SOHO routers, firewalls and VPN appliances, Zoho
  • Techniques: credential harvesting, custom malware implants, spear phishing, vulnerability exploitation, living off the land

https://www.cyfirma.com/research/apt-profile-volt-typhoon/

2. The Will of D: A Deep Dive into Divulge Stealer, Dedsec Stealer, and Duck Stealer by @CyfirmaR

  • Many of these stealers are promoted on surface-web platforms such as GitHub, with developers either rebuilding existing open-source stealers or creating new variants that target browser data, game data and other sensitive information.

https://www.cyfirma.com/research/the-will-of-d-a-deep-dive-into-divulge-stealer-dedsec-stealer-and-duck-stealer/

3. Data Breach Investigation on Cisco by @CyfirmaR

  • Over 26 B2B clients have been identified as having had their production source code compromised by the CyberNiggers group in the breach.
  • A user named Emo reported that IntelBroker used stealer logs to gain access and exfiltrate data, and the threat actor EnergyWeaponUser recently claimed to still have access to Cisco infrastructure as of 16 October.

https://www.cyfirma.com/research/data-breach-investigation-on-cisco/

4. Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign, Targets Brazil With Astaroth Malware by @TrendMicro

  • Uses the notorious Astaroth banking malware with a new evasion technique
  • Spear phishing targets companies in Latin America, with a particular focus on organisations in Brazil
  • Malicious emails often impersonate official tax documents, using the urgency of personal income tax filings to trick users into downloading the malware

https://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html

5. Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data by @TrendMicro

  • Golang ransomware samples abuse the Amazon S3 Transfer Acceleration feature to exfiltrate the victim's files to attacker-controlled S3 buckets

https://www.trendmicro.com/en_us/research/24/j/fake-lockbit-real-damage-ransomware-samples-abuse-aws-s3-to-stea.html
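The Transfer Acceleration angle gives defenders a usable network signal: accelerated buckets are reached through hostnames ending in .s3-accelerate.amazonaws.com (or the dualstack variant), which ordinary S3 clients never use unless the feature has been deliberately enabled on a bucket. The script below is an added example written for this digest, not Trend Micro's code or anything from the samples; the proxy log layout, the bucket names and the log lines are constructed for illustration, and the one-megabyte threshold is an arbitrary assumption.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Hostname suffixes of S3 Transfer Acceleration endpoints. A bucket with the
# feature enabled is reachable as <bucket>.s3-accelerate.amazonaws.com (and the
# dualstack variant); regular S3 traffic never uses these names.
ACCELERATE_SUFFIXES = (
    ".s3-accelerate.amazonaws.com",
    ".s3-accelerate.dualstack.amazonaws.com",
)

# Hypothetical proxy log layout assumed for this example (constructed, not a
# real product format): <timestamp> <src_ip> <method> <host> <bytes_out> <status>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")


def bucket_from_host(host: str) -> Optional[str]:
    """Return the bucket name if host is an accelerate endpoint, else None."""
    host = host.lower().rstrip(".")
    for suffix in ACCELERATE_SUFFIXES:
        if host.endswith(suffix):
            return host[: -len(suffix)] or None
    return None


def find_accelerated_uploads(lines: Iterable[str], min_bytes: int = 1_000_000,
                             known_buckets: Iterable[str] = ()) -> List[Dict]:
    """Aggregate upload volume per (src_ip, bucket) towards accelerate endpoints and
    return one alert per pair that exceeds min_bytes and is not an allow-listed bucket."""
    known = set(known_buckets)
    bytes_out: Dict[Tuple[str, str], int] = defaultdict(int)
    requests: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        _ts, src_ip, method, host, nbytes, _status = m.groups()
        if method.upper() not in ("PUT", "POST"):
            continue  # only uploads matter for exfiltration
        bucket = bucket_from_host(host)
        if bucket is None or bucket in known:
            continue
        bytes_out[(src_ip, bucket)] += int(nbytes)
        requests[(src_ip, bucket)] += 1
    alerts = [
        {"src_ip": src, "bucket": bucket, "bytes_out": total, "requests": requests[(src, bucket)]}
        for (src, bucket), total in bytes_out.items()
        if total >= min_bytes
    ]
    alerts.sort(key=lambda a: a["bytes_out"], reverse=True)
    return alerts


# Constructed sample log: one host pushing ~1.1 GB to an unknown accelerate
# endpoint, ordinary S3 traffic, a download, and an allow-listed CDN bucket.
SAMPLE_LOG = """\
2024-10-15T09:12:03Z 10.0.4.21 PUT corp-backups.s3.amazonaws.com 524288000 200
2024-10-15T09:13:10Z 10.0.4.21 PUT x7q2-drop.s3-accelerate.amazonaws.com 734003200 200
2024-10-15T09:13:41Z 10.0.4.21 PUT x7q2-drop.s3-accelerate.amazonaws.com 402653184 200
2024-10-15T09:14:02Z 10.0.7.9 GET assets.s3-accelerate.amazonaws.com 1200 200
2024-10-15T09:15:00Z 10.0.4.22 PUT media-cdn.s3-accelerate.dualstack.amazonaws.com 52428800 200
2024-10-15T09:16:30Z 10.0.4.23 POST x7q2-drop.s3-accelerate.amazonaws.com 1048576 200
"""

KNOWN_BUCKETS = {"media-cdn"}  # buckets the business legitimately accelerates (assumed)


def demo() -> List[Dict]:
    return find_accelerated_uploads(SAMPLE_LOG.splitlines(), known_buckets=KNOWN_BUCKETS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Adapt LOG_RE to the real proxy or DNS log format before pointing this at production data. A preventive companion control: if the business does not use Transfer Acceleration, block *.s3-accelerate.amazonaws.com at the egress proxy, and deny s3:PutAccelerateConfiguration in an SCP so your own buckets cannot be turned into staging points. Keep in mind that the attacker's bucket lives in the attacker's account, so only the egress control touches the exfiltration path itself.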

6. Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism by Palo Alto Networks' #Unit42

  • Certain third-party utilities and applications pertaining to archiving and virtualization, as well as some of Apple's native command-line tools, do not enforce the quarantine attribute on the files they produce, so Gatekeeper is never asked about them
  • This threatens the integrity of Gatekeeper, the macOS security feature responsible for ensuring that only trusted software runs on the system
  • A Gatekeeper bypass leaves the user unprotected from risky applications that may attempt to execute malicious content

https://unit42.paloaltonetworks.com/gatekeeper-bypass-macos
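The practical consequence of Unit 42's finding is that Gatekeeper only evaluates files carrying the com.apple.quarantine extended attribute; a tool that silently drops it when extracting an archive removes the check without any visible error. A quick way to see which files escaped is to audit a directory after extraction. The script below is an added example, not Unit 42's code: it shells out to the macOS xattr(1) tool, and takes an injectable reader so the logic can be exercised offline; the sample paths and attribute values in the test are constructed, and the quarantine value is parsed on the assumption of the usual flags;timestamp;agent;uuid layout.

```python
import os
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

QUARANTINE_ATTR = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int      # hex flag field written by the downloading application
    timestamp: int  # hex seconds since the epoch when the attribute was applied
    agent: str      # application that applied the attribute (e.g. Safari)
    raw: str        # the untouched attribute value


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse the semicolon-separated value, e.g. '0083;66f2c1a0;Safari;<uuid>' (layout assumed)."""
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    agent = parts[2] if len(parts) > 2 else ""
    return QuarantineInfo(int(parts[0], 16), int(parts[1], 16), agent, value.strip())


def read_quarantine_xattr(path: str) -> Optional[str]:
    """Read com.apple.quarantine with xattr(1) on macOS; None when the file has no such attribute."""
    result = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                            capture_output=True, text=True)
    return result.stdout.strip() if result.returncode == 0 else None


def walk_files(root: str) -> Iterable[str]:
    """Yield every regular file under root (symlinked directories are not followed)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def audit_paths(paths: Iterable[str],
                reader: Callable[[str], Optional[str]] = read_quarantine_xattr
                ) -> Dict[str, Optional[QuarantineInfo]]:
    """Map each path to its parsed quarantine info, or None when the attribute is absent."""
    report: Dict[str, Optional[QuarantineInfo]] = {}
    for path in paths:
        value = reader(path)
        report[path] = parse_quarantine(value) if value else None
    return report


def unquarantined(report: Dict[str, Optional[QuarantineInfo]]) -> List[str]:
    """Paths Gatekeeper will never evaluate because they carry no quarantine attribute."""
    return sorted(path for path, info in report.items() if info is None)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    for path in unquarantined(audit_paths(walk_files(root))):
        print("NO QUARANTINE:", path)
```

Run it against the folder an archive was just unpacked into; a downloaded archive that shows the attribute while its extracted binaries do not is exactly the gap described above. For any executable that turns up, `spctl --assess --type execute <path>` shows what Gatekeeper would have said had it been asked.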

7. Tricks and Treats: GHOSTPULSE's new pixel-level deception by @elasticseclabs

  • Shifted from using the IDAT chunk of PNG files to embedding its encrypted configuration and payload within the pixel data itself
  • Recent campaigns trick victims with creative social engineering, such as fake CAPTCHA validations that get the user to run malicious commands via Windows keyboard shortcuts

https://www.elastic.co/security-labs/tricks-and-treats
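Moving the payload into the pixels matters for detection because a signature over the PNG file bytes never sees it: the data only exists after the IDAT stream has been inflated and the scanline filters reversed. The script below is an added example for this digest, not Elastic's or GHOSTPULSE's code. It decodes an 8-bit RGB/RGBA PNG with the standard library, hides a blob in the pixel stream, and then scans the decoded pixels the way a loader would. The 12-byte CRC-guarded container, the XOR scheme, the demo image and the "config" string are all constructed assumptions, not the malware's actual layout.

```python
import struct
import zlib
from typing import List, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF)


def write_png_rgb(width: int, height: int, rgb: bytes) -> bytes:
    """Encode a row-major RGB byte stream as an 8-bit truecolor PNG (filter type 0 on every row)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def _paeth(a: int, b: int, c: int) -> int:
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    return a if pa <= pb and pa <= pc else (b if pb <= pc else c)


def _unfilter(ftype: int, line: bytearray, prev: bytes, bpp: int) -> None:
    """Reverse one PNG scanline filter in place (filter types 0-4 of the PNG spec)."""
    for i in range(len(line)):
        a = line[i - bpp] if i >= bpp else 0   # reconstructed byte to the left
        b = prev[i]                            # byte above
        c = prev[i - bpp] if i >= bpp else 0   # byte above-left
        if ftype == 0:
            pred = 0
        elif ftype == 1:
            pred = a
        elif ftype == 2:
            pred = b
        elif ftype == 3:
            pred = (a + b) // 2
        elif ftype == 4:
            pred = _paeth(a, b, c)
        else:
            raise ValueError(f"bad filter type {ftype}")
        line[i] = (line[i] + pred) & 0xFF


def read_png_rgb(data: bytes) -> Tuple[int, int, bytes]:
    """Decode an 8-bit RGB or RGBA PNG into (width, height, RGB byte stream); alpha is dropped."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, idat, width = len(PNG_SIG), [], None
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
        elif tag == b"IDAT":
            idat.append(body)
        elif tag == b"IEND":
            break
        pos += 12 + length
    if width is None or depth != 8 or ctype not in (2, 6):
        raise ValueError("only 8-bit RGB/RGBA PNGs are handled here")
    bpp = 3 if ctype == 2 else 4
    stride = width * bpp
    raw = zlib.decompress(b"".join(idat))
    prev, out = bytes(stride), bytearray()
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        line = bytearray(row[1:])
        _unfilter(row[0], line, prev, bpp)
        out += line if bpp == 3 else bytes(v for i, v in enumerate(line) if i % 4 != 3)
        prev = bytes(line)
    return width, height, bytes(out)


# Hypothetical in-pixel container (an assumption for this example, not the real
# GHOSTPULSE layout): [crc32 over next 8 bytes][u32 length][u32 xor key][ciphertext]
HEADER_LEN = 12


def _xor(data: bytes, key: int) -> bytes:
    kb = struct.pack("<I", key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


def embed_payload(rgb: bytes, payload: bytes, key: int, offset: int) -> bytes:
    """Overwrite pixel bytes from offset with the container holding the XOR-encrypted payload."""
    body = struct.pack("<II", len(payload), key)
    blob = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + body + _xor(payload, key)
    if offset + len(blob) > len(rgb):
        raise ValueError("payload does not fit in the image")
    return rgb[:offset] + blob + rgb[offset + len(blob):]


def scan_pixels(rgb: bytes) -> List[Tuple[int, bytes]]:
    """Slide over the decoded pixel stream like a loader: accept a window only when its
    CRC32 matches, then bounds-check and decrypt. Returns (offset, plaintext) hits."""
    hits = []
    for off in range(len(rgb) - HEADER_LEN + 1):
        crc = struct.unpack_from("<I", rgb, off)[0]
        body = rgb[off + 4:off + HEADER_LEN]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            continue
        length, key = struct.unpack("<II", body)
        start = off + HEADER_LEN
        if length == 0 or start + length > len(rgb):
            continue
        hits.append((off, _xor(rgb[start:start + length], key)))
    return hits


# Constructed demo: a synthetic gradient image with a fake "config" hidden at pixel byte offset 700.
DEMO_PAYLOAD = b"CONSTRUCTED-CONFIG: c2=example.invalid sleep=30"


def demo() -> List[Tuple[int, bytes]]:
    w, h = 64, 48
    cover = bytes((x * 7 + y * 3 + c * 50) & 0xFF for y in range(h) for x in range(w) for c in range(3))
    png = write_png_rgb(w, h, embed_payload(cover, DEMO_PAYLOAD, 0xDEADBEEF, 700))
    _w, _h, pixels = read_png_rgb(png)
    return scan_pixels(pixels)


if __name__ == "__main__":
    for off, text in demo():
        print(f"hit at pixel byte offset {off}: {text!r}")
```

The point for a detection engineer is the pipeline, not this toy container: any rule that wants to catch a pixel-carried payload has to decode the image first (real samples need the unfilter step, since encoders rarely emit filter type 0 rows) and only then apply structural or entropy checks to the pixel stream. The CRC self-check is what keeps the scan quiet on ordinary images, as a single 32-bit coincidence per candidate offset is all an unmodified image can offer.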

8. Bored BeaverTail Yacht Club – A Lazarus Lure by @esthreat

  • A user downloaded a malicious NFT marketplace project named "nft_marketplace-main" from a GitHub repository; eSentire's investigation determined that "nft_marketplace-main" was BeaverTail malware.

https://www.esentire.com/blog/bored-beavertail-yacht-club-a-lazarus-lure

9. UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants by @TalosSecurity

  • The latest series of attacks deploys an updated version of RomCom, "SingleCamper", which is loaded directly from the registry into memory and uses the loopback address to communicate with its loader.
  • UAT-5647 has also evolved its tooling to four distinct malware families: two downloaders, RustClaw and MeltingClaw; a Rust-based backdoor, DustyHammock; and a C++-based backdoor, ShadyHammock.

https://blog.talosintelligence.com/uat-5647-romcom

Thanks a lot for reading.
