Cybersecurity Wiretap #34: From Microsoft Teams Abuse to Golang QUASAR with a Focus on Russia’s UK Operations (week of 12/09/2024)

Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.

1.RUSSIA AS A THREAT ACTOR IN THE UK by @CyfirmaR

  • the UK faces an escalating cyber threat landscape dominated by sophisticated Russian actors, including state-affiliated groups like Sandworm and APT29, as well as privateer entities operating with Kremlin leniency
  • notable campaigns include espionage via spear-phishing, destructive malware like Whispergate, and supply chain compromises, such as SolarWinds

https://www.cyfirma.com/research/russia-as-a-threat-actor-in-the-uk/

2.BIZFUM STEALER by @CyfirmaR

  • sophisticated malware collects browser credentials, files, and Discord tokens and stores all data in an advanced RSA-encrypted format
  • after encryption, it sends the data securely to an attacker’s Telegram bot

https://www.cyfirma.com/research/bizfum-stealer/

3.Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion by @TrendMicro

  • attacker gained access to the machine & dropped multiple suspicious files
  • one of the suspicious files was detected as Trojan.AutoIt.DARKGATE.D.
  • series of commands executed by Autoit3.exe led to the connection to a potential command-and-control server and the subsequent download of a malicious payload.
  • persistent files and a registry entry were created on the victim’s machine, though the attack was ultimately thwarted before exfiltration occurred

https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html

4.Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation by #PaloAlto’s #Unit42

  • new packer-as-a-service (PaaS) which is used to protect malware by packing malicious code into otherwise legitimate binaries
  • operators charge $20 per file to pack, supporting both Windows x86 and .NET payloads
  • majority of HeartCrypt customers are malware operators using families such as LummaStealer, Remcos and Rhadamanthys

https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/

5.Inside Zloader’s Latest Trick: DNS Tunneling by @Threatlabz

  • Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular Trojan based on the leaked Zeus source code dating back to 2015
  • v2.9.4.0 adds notable improvements including a custom DNS tunnel protocol for C2 communications and an interactive shell that supports more than a dozen commands

https://www.zscaler.com/blogs/security-research/inside-zloader-s-latest-trick-dns-tunneling

6.NodeLoader Exposed: The Node.js Malware Evading Detection by @Threatlabz

  • threat actors deploy NodeLoader built with the Node Package Manager (NPM) pkg module, which turns Node.js code into standalone Windows executable files for malicious purposes
  • NodeLoader uses a module called sudo-prompt, a publicly available tool on GitHub and NPM, for privilege escalation
  • malware delivered by NodeLoader includes cryptocurrency miners and information stealers

https://www.zscaler.com/blogs/security-research/nodeloader-exposed-node-js-malware-evading-detection

7.Declawing PUMAKIT by @elasticseclabs

  • malware combines dropper, 2 memory-resident executables, an LKM rootkit & SO userland rootkit, activating only under specific conditions
  • hooks 18 syscalls and several kernel functions using ftrace()
  • utilizes unconventional hooking methods like the rmdir() syscall for escalating privileges & interacting with the rootkit
  • includes privilege escalation, C2 communication, anti-debugging & system manipulation to maintain persistence & control

https://www.elastic.co/security-labs/declawing-pumakit

8.Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite by @elasticseclabs

  • ongoing campaigns targeting Chinese language speakers with malicious installers masquerading as legitimate software like Telegram and the Opera web browser
  • Infection chains employ injection and DLL side-loading using a custom loader (SADBRIDGE)
  • SADBRIDGE deploys a newly-discovered variant of the QUASAR backdoor written in Golang (GOSAR)

https://www.elastic.co/security-labs/under-the-sadbridge-with-gosar

9.Oh No Cleo! Malichus Implant Malware Analysis by @HuntressLabs

  • malicious activity from the exploitation of a 0-day vulnerability in Cleo software
  • malware being delivered through this exploitation is named Malichus

https://www.huntress.com/blog/cleo-software-vulnerability-malware-analysis

Thanks a lot for reading.

Please add interesting items you came across during the week in the comments below.
