Welcome to the weekly digest about the Cybersecurity & Threats in the wild. Below you will find a very subjective summary of Cybersecurity events for the prior week.
1. Exploration of Parano – Multiple Hacking Tools’ Capabilities by @CyfirmaR
- focuses on a range of malicious tools developed by a single actor, “PARANODEUS”, who appears responsible for creating and distributing various hacking tools, including Parano Stealer, remote access Trojans (RATs), ransomware, checkers, and screen-lockers
https://www.cyfirma.com/research/exploration-of-parano-multiple-hacking-tools-capabilities/
2. Unidentified Threat Actor Utilizes Android Malware to Target High-Value Assets in South Asia by @CyfirmaR
- the sample, attributed to an unknown threat actor, was generated using the SpyNote Remote Administration Tool
- while the specifics of the targeted asset remain confidential, it is likely that such a target would attract the interest of APT groups
3. Gafgyt Malware Broadens Its Scope in Recent Attacks by @TrendMicro
- threat actors are targeting misconfigured Docker Remote API servers with the Gafgyt malware
- if the Gafgyt malware is successfully deployed, threat actors can use the compromised servers to perform DDoS attacks
- Gafgyt primarily targets vulnerable IoT devices, but recently this malware has been used to attack Docker Remote API servers, signifying a notable shift in its behavior
4. MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks by @TrendMicro
- the MOONSHINE exploit kit targets vulnerabilities in instant messaging apps on Android devices, primarily affecting Tibetan and Uyghur communities
- they also discovered a previously unreported Android backdoor, DarkNimbus, that was used by Earth Minotaur
- Earth Minotaur uses MOONSHINE to deliver the DarkNimbus backdoor to Android and Windows devices, targeting WeChat, and possibly making it a cross-platform threat
- MOONSHINE exploits multiple known vulnerabilities in Chromium-based browsers and applications, so users need to update software regularly to prevent these attacks
https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html
5. (QR) Coding My Way Out of Here: C2 in Browser Isolation Environments by @Mandiant
- a novel technique that can be used to circumvent all three current types of browser isolation (remote, on-premises, and local) for the purpose of controlling a malicious implant via C2
- attackers can use machine-readable QR codes to send commands from an attacker-controlled server to a victim device
https://cloud.google.com/blog/topics/threat-intelligence/c2-browser-isolation-environments
6. Threat Assessment: Howling Scorpius (Akira Ransomware) by PaloAlto’s #Unit42
- targets small to medium-sized businesses in North America, Europe and Australia, across various sectors
- affected industries include education, consulting, government, manufacturing, telecommunications, technology and pharma
- maintains and operates encryptors for Windows and Linux operating systems, as well as variants specifically designed for ESXi hosts
https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/
7. Network Abuses Leveraging High-Profile Events: Suspicious Domain Registrations and Other Scams by PaloAlto’s #Unit42
- threat actors frequently exploit trending events like global sporting championships to launch attacks, including phishing and scams
- example case studies include observations related to the 2024 Summer Olympics in Paris
https://unit42.paloaltonetworks.com/suspicious-domain-registration-campaigns
8. Malware found in Solana npm library raises the bar for crypto security by @ReversingLabs
- unknown malicious actors compromised an open source library affiliated with the Solana blockchain platform, putting untold numbers of cryptocurrency platforms and individual wallets at risk of theft
https://www.reversinglabs.com/blog/malware-found-in-solana-npm-library-with-50m-downloads
9. Compromised ultralytics PyPI package delivers crypto coinminer by @ReversingLabs
- a malicious version 8.3.41 of the popular AI library ultralytics — which has almost 60 million downloads — was published to the Python Package Index (PyPI) package repository
- the package contained downloader code that fetched the XMRig coinminer
- the compromise of the project’s build environment was achieved by exploiting a known and previously reported GitHub Actions script injection
https://www.reversinglabs.com/blog/compromised-ultralytics-pypi-package-delivers-crypto-coinminer
10. Unveiling RevC2 and Venom Loader by @Threatlabz
- 2 new malware families – RevC2 & Venom Loader – deployed via Venom Spider malware-as-a-service (MaaS) tools
- RevC2 uses WebSockets to communicate with its C2 server and is capable of stealing cookies and passwords, proxying network traffic, and remote code execution (RCE)
- Venom Loader is a new malware loader that is customized for each victim, using the victim’s computer name to encode the payload
https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader
11. SmokeLoader Attack Targets Companies in Taiwan by #FORTIGUARD LABS
- an attack using the notorious SmokeLoader malware to target companies in Taiwan, including those in manufacturing, healthcare, information technology, and other sectors
- SmokeLoader primarily serves as a downloader to deliver other malware, but in this case it carries out the attack itself by downloading plugins from its C2 server
https://www.fortinet.com/blog/threat-research/sophisticated-attack-targets-taiwan-with-smokeloader
Thanks a lot for reading.
Please add interesting items you came across during the week in the comments below.