Welcome to the weekly digest about the Cybersecurity & Threats in the wild. Below you will find a very subjective summary of Cybersecurity events for the prior week.
1. RUSSIA AS A THREAT ACTOR IN THE UK by @CyfirmaR
- the UK faces an escalating cyber threat landscape dominated by sophisticated Russian actors, including state-affiliated groups like Sandworm and APT29, as well as privateer entities operating with Kremlin leniency
- notable campaigns include espionage via spear-phishing, destructive malware like Whispergate, and supply chain compromises, such as SolarWinds
https://www.cyfirma.com/research/russia-as-a-threat-actor-in-the-uk/


2. BIZFUM STEALER by @CyfirmaR
- sophisticated malware collects browser credentials, files, and Discord tokens and stores all data in an advanced RSA-encrypted format
- after encryption, it sends the data securely to an attacker’s Telegram bot
https://www.cyfirma.com/research/bizfum-stealer/



3. Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion by @TrendMicro
- the attacker gained access to the machine and dropped multiple suspicious files
- one of the suspicious files was detected as Trojan.AutoIt.DARKGATE.D
- a series of commands executed by Autoit3.exe led to a connection to a potential command-and-control server and the subsequent download of a malicious payload
- persistent files and a registry entry were created on the victim’s machine, though the attack was ultimately thwarted before exfiltration occurred
https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html


4. Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation by #PaloAlto’s #Unit42
- a new packer-as-a-service (PaaS) used to protect malware by packing malicious code into otherwise legitimate binaries
- operators charge $20 per file to pack, supporting both Windows x86 and .NET payloads
- majority of HeartCrypt customers are malware operators using families such as LummaStealer, Remcos and Rhadamanthys
https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/


5. Inside Zloader’s Latest Trick: DNS Tunneling by @Threatlabz
- Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular Trojan based on the leaked Zeus source code dating back to 2015
- v2.9.4.0 adds notable improvements including a custom DNS tunnel protocol for C2 communications and an interactive shell that supports more than a dozen commands
https://www.zscaler.com/blogs/security-research/inside-zloader-s-latest-trick-dns-tunneling


6. NodeLoader Exposed: The Node.js Malware Evading Detection by @Threatlabz
- threat actors deploy NodeLoader built with the Node Package Manager (NPM) pkg module, which turns Node.js code into standalone Windows executables, for malicious purposes
- NodeLoader uses a module called sudo-prompt, a publicly available tool on GitHub and NPM, for privilege escalation
- malware delivered by NodeLoader includes cryptocurrency miners and information stealers
https://www.zscaler.com/blogs/security-research/nodeloader-exposed-node-js-malware-evading-detection



7. Declawing PUMAKIT by @elasticseclabs
- the malware combines a dropper, two memory-resident executables, an LKM rootkit and an SO userland rootkit, activating only under specific conditions
- hooks 18 syscalls and several kernel functions using ftrace()
- utilizes unconventional hooking methods, such as the rmdir() syscall, for escalating privileges and interacting with the rootkit
- includes privilege escalation, C2 communication, anti-debugging and system manipulation to maintain persistence and control
https://www.elastic.co/security-labs/declawing-pumakit


8. Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite by @elasticseclabs
- ongoing campaigns target Chinese language speakers with malicious installers masquerading as legitimate software such as Telegram and the Opera web browser
- infection chains employ injection and DLL side-loading using a custom loader (SADBRIDGE)
- SADBRIDGE deploys a newly discovered variant of the QUASAR backdoor written in Golang (GOSAR)
https://www.elastic.co/security-labs/under-the-sadbridge-with-gosar


9. Oh No Cleo! Malichus Implant Malware Analysis by @HuntressLabs
- malicious activity stemming from the exploitation of a 0-day vulnerability in Cleo software
- the malware delivered through this exploitation is named Malichus
https://www.huntress.com/blog/cleo-software-vulnerability-malware-analysis


Thanks a lot for reading.
Please add interesting items you came across during the week in the comments below.