Cybersecurity Wiretap #35: From GenAI Prompt Attacks to Python-Based NodeStealer with a Focus on VSCode Exploits (week of 12/16/2024)

Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.

1. Analyzing FLUX#CONSOLE: Using Tax-Themed Lures, Threat Actors Exploit Windows Management Console to Deliver Backdoor Payloads by @Securonix Threat Research

  • Users are tricked into downloading & running malicious payloads by tax-themed document lures
  • Leverages the legitimate appearance of MSC files to evade detection while delivering malicious payloads
  • Copies the legitimate Windows process Dism.exe into a staging directory to sideload a malicious dropped DLL (DismCore.dll)
  • Campaign uses scheduled tasks to ensure the malware remains active & survives system reboots

https://www.securonix.com/blog/analyzing-fluxconsole-using-tax-themed-lures-threat-actors-exploit-windows-management-console-to-deliver-backdoor-payloads/

2. Link Trap: GenAI Prompt Injection Attack by @TrendMicro

  • new type of prompt injection that could lead to user or company data leaks, even if the AI does not have external connectivity capabilities

https://www.trendmicro.com/en_us/research/24/l/genai-prompt-injection-attack-threat.html

3. Python-Based NodeStealer Version Targets Facebook Ads Manager by @TrendMicro

  • NodeStealer malware has advanced to a Python-based threat, enabling it to steal a broader range of sensitive info
  • targeting an educational institution in Malaysia, linked to a Vietnamese threat group
  • latest version not only harvests credit card details and browser-stored data, but also targets Facebook Ads Manager accounts for their critical financial and business info
  • infection chain starts with a spear-phishing email containing a malicious embedded link, which upon clicking downloads and installs the malware under the guise of a legitimate app
  • uses DLL sideloading & encoded PowerShell commands to bypass security defenses and execute the final payload, and exfiltrates data through Telegram

https://www.trendmicro.com/en_us/research/24/l/python-based-nodestealer.html

4. LDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory by #PaloAlto’s #Unit42

  • practical guide to developing a detection strategy for Lightweight Directory Access Protocol (LDAP)-based attacks
  • analyze real-world examples of nation-state and cybercriminal threat actors abusing LDAP attributes
  • examine common LDAP enumeration queries and assess their potential risks

https://unit42.paloaltonetworks.com/lightweight-directory-access-protocol-based-attacks

5. Effective Phishing Campaign Targeting European Companies and Organizations by #PaloAlto’s #Unit42

  • phishing campaign targeting European companies, including in Germany and the UK
  • investigation revealed that the campaign aimed to harvest account credentials and take over the victim’s Microsoft Azure cloud infra
  • campaign’s phishing attempts peaked in June 2024, with fake forms created using the HubSpot Free Form Builder service

https://unit42.paloaltonetworks.com/european-phishing-campaign/

6. Now You See Me, Now You Don’t: Using LLMs to Obfuscate Malicious JavaScript by #PaloAlto’s #Unit42

  • adversarial machine learning (ML) algorithm that uses large language models (LLMs) to generate novel variants of malicious JavaScript code at scale
  • used the results to improve our detection of malicious JavaScript code in the wild by 10%

https://unit42.paloaltonetworks.com/using-llms-obfuscate-malicious-javascript/

7. A new playground: Malicious campaigns proliferate from VSCode to npm by @ReversingLabs

  • campaign that started on VSCode emerged in the npm community with malicious npm package etherscancontracthandler, bearing a striking resemblance to previously seen malicious VSCode extensions

https://www.reversinglabs.com/blog/a-new-playground-malicious-campaigns-proliferate-from-vscode-to-npm

8. OSS in the crosshairs: Cryptomining hacks highlight key new threat by @ReversingLabs

  • a dozen packages associated with the popular open source projects rspack and vant were compromised this week by threat actors who implanted malicious crypto-mining code in packages with hundreds of thousands of weekly downloads

https://www.reversinglabs.com/blog/cryptominers-growing-threat

9. Technical Analysis of RiseLoader by @Threatlabz

  • malware implements a custom TCP-based binary network protocol that is similar to RisePro
  • RiseLoader has been observed dropping malware families including Vidar, Lumma Stealer, XMRig, and Socks5Systemz, similar to those distributed by PrivateLoader
  • RiseLoader collects information about installed applications & browser extensions related to cryptocurrency

https://www.zscaler.com/blogs/security-research/technical-analysis-riseloader

10. Winos4.0 “Online Module” Staging Component Used in CleverSoar Campaign by @esthreat

  • ongoing campaign involving a new and highly evasive malware installer (dubbed “CleverSoar” by Rapid7 Labs)
  • CleverSoar has been found targeting primarily Chinese and Vietnamese-speaking users via malicious installer packages distributed through poisoned web search results
  • installer package deploys the advanced post-exploitation toolkit Winos4.0 framework and the Nidhogg rootkit

https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign

11. Exploring vulnerable Windows drivers by @TalosSecurity

  • results of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique
  • investigated classes of vulnerabilities typically exploited by threat actors as well as the payloads they typically deploy post-exploitation

https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/

Thank you for reading.

Please add interesting items you came across during the week in the comments below.
