Welcome to the weekly digest about cybersecurity & threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.
1. Analyzing FLUX#CONSOLE: Using Tax-Themed Lures, Threat Actors Exploit Windows Management Console to Deliver Backdoor Payloads by @Securonix Threat Research
- Users are tricked into downloading & running malicious payloads by tax-themed document lures
- Leverages the legitimate appearance of MSC (Microsoft Management Console) files to evade detection while delivering malicious payloads
- Copies the legitimate Windows binary Dism.exe into a staging directory so that it sideloads a malicious dropped DLL (DismCore.dll)
- Campaign uses scheduled tasks to ensure the malware remains active & survives system reboots



2. Link Trap: GenAI Prompt Injection Attack by @TrendMicro
- a new type of prompt injection that can lead to leaks of user or company data even when the AI has no external connectivity capabilities
https://www.trendmicro.com/en_us/research/24/l/genai-prompt-injection-attack-threat.html


3. Python-Based NodeStealer Version Targets Facebook Ads Manager by @TrendMicro
- NodeStealer has evolved into a Python-based threat, enabling it to steal a broader range of sensitive info
- observed targeting an educational institution in Malaysia; the activity is linked to a Vietnamese threat group
- the latest version not only harvests credit card details and browser-stored data, but also targets Facebook Ads Manager accounts for their critical financial and business info
- infection chain starts with a spear-phishing email containing a malicious embedded link; clicking it downloads and installs the malware under the guise of a legitimate app
- uses DLL sideloading & encoded PowerShell commands to bypass security defenses and execute the final payload; stolen data is exfiltrated through Telegram
https://www.trendmicro.com/en_us/research/24/l/python-based-nodestealer.html


4. LDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory by #PaloAlto’s #Unit42
- practical guide to developing a detection strategy for Lightweight Directory Access Protocol (LDAP)-based attacks
- analyze real-world examples of nation-state and cybercriminal threat actors abusing LDAP attributes
- examine common LDAP enumeration queries and assess their potential risks
https://unit42.paloaltonetworks.com/lightweight-directory-access-protocol-based-attacks
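The "double-edged sword" in the Unit 42 title is that the same LDAP queries are issued by vulnerability scanners, admin tooling and attackers alike, so a detection strategy has to pair filter content with who sent it. The block below is an added example for this digest, not code from the Unit 42 post: it normalises LDAP filter strings, tags them against a small set of well-known reconnaissance signatures (SPN harvesting, DONT_REQ_PREAUTH and TRUSTED_FOR_DELEGATION bit matches, adminCount=1, trust and LAPS attribute reads), and suppresses hits from an allowlist of expected sources. The signature list, the sample records and the allowlisted scanner address are assumptions made for illustration, not a list taken from the article.

```python
import re

# LDAP_MATCHING_RULE_BIT_AND on userAccountControl, as used by common AD recon tooling.
UAC_BIT_AND = "useraccountcontrol:1.2.840.113556.1.4.803:="

# Assumed signature set for illustration (tag, compiled regex over the normalised filter, severity).
SIGNATURES = [
    ("spn_harvest",         re.compile(r"\(serviceprincipalname=\*\)"), "high"),            # Kerberoasting prep
    ("asrep_roastable",     re.compile(re.escape(UAC_BIT_AND) + r"4194304\)"), "high"),      # DONT_REQ_PREAUTH (0x400000)
    ("unconstrained_deleg", re.compile(re.escape(UAC_BIT_AND) + r"524288\)"), "high"),       # TRUSTED_FOR_DELEGATION (0x80000)
    ("constrained_deleg",   re.compile(r"\(msds-allowedtodelegateto=\*\)"), "medium"),
    ("privileged_accounts", re.compile(r"\(admincount=1\)"), "medium"),
    ("trust_enum",          re.compile(r"\(objectclass=trusteddomain\)"), "medium"),
    ("laps_read",           re.compile(r"\(ms-mcs-admpwd=\*\)"), "high"),
    ("wildcard_dump",       re.compile(r"^\(objectclass=\*\)$"), "low"),
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed (source_ip, ldap_filter) records; not real directory logs.
SAMPLE_RECORDS = [
    ("10.0.5.20", "(&(objectCategory=person)(servicePrincipalName=*)"
                  "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"),      # workstation: Kerberoast-style
    ("10.0.9.5",  "(&(objectCategory=person)(servicePrincipalName=*))"),       # allowlisted scanner
    ("10.0.5.20", "(&(sAMAccountType=805306368)"
                  "(userAccountControl:1.2.840.113556.1.4.803:=4194304))"),   # workstation: AS-REP roastable
    ("10.0.5.21", "(&(objectClass=user)(sAMAccountName=jdoe))"),               # ordinary lookup
    ("10.0.5.22", "(objectClass=trustedDomain)"),                              # trust enumeration
]
# Assumed: hosts expected to run these queries (e.g. a vulnerability scanner).
ALLOWLIST = {"10.0.9.5"}


def normalise(ldap_filter):
    """Strip whitespace and lower-case so attribute-name casing and spacing cannot dodge the regexes."""
    return re.sub(r"\s+", "", ldap_filter).lower()


def classify(ldap_filter):
    """Return [(tag, severity)] for every recon signature the filter matches."""
    f = normalise(ldap_filter)
    return [(tag, sev) for tag, rx, sev in SIGNATURES if rx.search(f)]


def triage(records, allowlisted_sources):
    """Alert on recon-tagged filters from sources that are not expected to issue them."""
    alerts = []
    for src, ldap_filter in records:
        hits = classify(ldap_filter)
        if not hits or src in allowlisted_sources:
            continue
        worst = max(hits, key=lambda h: SEVERITY_RANK[h[1]])[1]
        alerts.append({"source": src, "filter": ldap_filter,
                       "tags": [t for t, _ in hits], "severity": worst})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_RECORDS, ALLOWLIST):
        print(f"{a['severity']:6} {a['source']:10} {a['tags']}  {a['filter']}")
```

The allowlist is doing real work here: without it the scanner at 10.0.9.5 generates the same high-severity hit as the workstation, which is exactly why raw LDAP-filter signatures alone tend to be tuned into silence. Source identity (and ideally the bound account) is what turns the signature into a detection.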


5. Effective Phishing Campaign Targeting European Companies and Organizations by #PaloAlto’s #Unit42
- phishing campaign targeting European companies, including in Germany and the UK
- investigation revealed that the campaign aimed to harvest account credentials and take over the victims’ Microsoft Azure cloud infrastructure
- campaign’s phishing attempts peaked in June 2024, with fake forms created using the HubSpot Free Form Builder service
https://unit42.paloaltonetworks.com/european-phishing-campaign/


6. Now You See Me, Now You Don’t: Using LLMs to Obfuscate Malicious JavaScript by #PaloAlto’s #Unit42
- adversarial machine learning (ML) algorithm that uses large language models (LLMs) to generate novel variants of malicious JavaScript code at scale
- Unit42 used the results to improve its detection of malicious JavaScript code in the wild by 10%
https://unit42.paloaltonetworks.com/using-llms-obfuscate-malicious-javascript/


7. A new playground: Malicious campaigns proliferate from VSCode to npm by @ReversingLabs
- a campaign that started with malicious VSCode extensions has spread to the npm community: the malicious npm package etherscancontracthandler bears a striking resemblance to the previously seen VSCode extensions

8. OSS in the crosshairs: Cryptomining hacks highlight key new threat by @ReversingLabs
- a dozen packages associated with the popular open source projects rspack and vant were compromised this week by threat actors who implanted malicious crypto-mining code in packages with hundreds of thousands of weekly downloads
https://www.reversinglabs.com/blog/cryptominers-growing-threat

9. Technical Analysis of RiseLoader by @Threatlabz
- the malware implements a custom TCP-based binary network protocol similar to RisePro’s
- RiseLoader has been observed dropping malware families including Vidar, Lumma Stealer, XMRig, and Socks5Systemz – similar to those distributed by PrivateLoader
- RiseLoader collects information about installed applications & browser extensions related to cryptocurrency
https://www.zscaler.com/blogs/security-research/technical-analysis-riseloader


10. Winos4.0 “Online Module” Staging Component Used in CleverSoar Campaign by @esthreat
- ongoing campaign involving a new and highly evasive malware installer (dubbed “CleverSoar” by Rapid7 Labs)
- CleverSoar has been found targeting primarily Chinese- and Vietnamese-speaking users via malicious installer packages distributed through poisoned web search results
- the installer package deploys the Winos4.0 post-exploitation framework and the Nidhogg rootkit
https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign

11. Exploring vulnerable Windows drivers by @TalosSecurity
- results of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique
- investigates the classes of vulnerabilities typically exploited by threat actors as well as the payloads they typically deploy post-exploitation
https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/


Thank you for reading.
Please add interesting items you came across during the week in the comments below.