Welcome to the weekly digest on Cybersecurity & Threats in the Wild. Below you will find a very subjective summary of cybersecurity events from the prior week.
1. APT PROFILE – TA397 by @CyfirmaR
- TA397, also known as Bitter, is a South Asia-nexus cyber espionage group targeting government, energy, telecommunications, defense, and engineering organizations in the EMEA and APAC regions
- operations typically involve spear-phishing emails with malicious attachments, leading to the installation of remote access trojans
https://www.cyfirma.com/research/apt-profile-ta397/


2. How Cracks and Installers Bring Malware to Your Device by @TrendMicro
- attackers use YouTube & social media to share download links for fake installers
- the malicious downloads are password-protected and encoded
- post-infection, the malware collects sensitive information from web browsers to steal credentials


3. Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit by @TrendMicro
- designed to lure security researchers into downloading and executing information-stealing malware
- when the user executes the file, a PowerShell script is dropped into the %Temp% folder and executed; it creates a Scheduled Job, which in turn runs an encoded script


4. Phish-free PayPal Phishing by #FORTIGUARD LABS
- the scammer registered an MS365 test domain (free for three months)
- created a distribution list containing the victims' email addresses
- requested money via the PayPal web portal, entering the distribution list as the recipient address
- the money request is distributed to the targeted victims; the M365 Sender Rewrite Scheme rewrites the sender on forwarding, and the message passes SPF/DKIM/DMARC checks
- once a victim logs in to see what is going on, the scammer's account gets linked to the victim's account, which lets the scammer take control of the victim's PayPal account
https://www.fortinet.com/blog/threat-research/phish-free-paypal-phishing
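Because the request is a genuine PayPal message, authentication results will look clean. What a mail filter can still see is the delivery path: an SRS-rewritten envelope sender means the mail came through a forwarder, and the To/Cc headers name the distribution list rather than the mailbox it landed in. The triage below is an added example, not code from the FortiGuard Labs post; it assumes the SRS0 envelope format `SRS0=<hash>=<timestamp>=<original-domain>=<original-local>@<forwarder-domain>`, and the two sample messages, brand list and the `examplecorp.onmicrosoft.com` forwarder are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample: a PayPal money request that reached the mailbox by way of
# an M365 distribution list. Header values are illustrative, not captured data.
RELAYED = """\
Return-Path: <SRS0=AbCd=F7=paypal.com=service@examplecorp.onmicrosoft.com>
From: "service@paypal.com" <service@paypal.com>
To: Billing <billing-list@examplecorp.onmicrosoft.com>
Subject: You have a money request
Authentication-Results: spf=pass smtp.mailfrom=examplecorp.onmicrosoft.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com

Please review the request and log in to pay.
"""

# Constructed control: the same request delivered directly to the recipient.
DIRECT = """\
Return-Path: <service@paypal.com>
From: "service@paypal.com" <service@paypal.com>
To: victim@victim.example
Subject: You have a money request
Authentication-Results: spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com

Please review the request and log in to pay.
"""

# Sender domains whose mail should normally arrive directly, not via a forwarder.
BRANDS = ("paypal.com",)

# SRS0 local part: SRS0=<hash>=<timestamp>=<original-domain>=<original-local>
SRS0_RE = re.compile(r"^SRS0=(?P<hash>[^=]+)=(?P<ts>[^=]+)=(?P<domain>[^=]+)=(?P<local>.+)$")


def parse_srs0(envelope):
    """Return (original_sender, forwarder_domain) if the envelope sender was
    SRS0-rewritten, otherwise None."""
    local, _, forwarder = envelope.strip().strip("<>").rpartition("@")
    m = SRS0_RE.match(local)
    if not m:
        return None
    return f"{m['local']}@{m['domain']}".lower(), forwarder.lower()


def recipients(msg):
    """All addr-specs named in To/Cc, lower-cased."""
    out = set()
    for field in ("To", "Cc"):
        hdr = msg[field]
        if hdr is not None:
            out.update(a.addr_spec.lower() for a in hdr.addresses)
    return out


def assess(raw, mailbox):
    """Triage one raw message delivered to `mailbox`; returns a findings dict."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    srs = parse_srs0(str(msg["Return-Path"] or ""))
    auth = str(msg.get("Authentication-Results", ""))
    reasons = []
    # A brand's mail whose envelope was rewritten by some other domain was relayed.
    if from_domain in BRANDS and srs and srs[1] != from_domain:
        reasons.append(f"{from_domain} mail relayed through forwarder {srs[1]}")
    # The mailbox is not addressed at all: it received the mail as a list member.
    if mailbox.lower() not in recipients(msg):
        reasons.append("mailbox not in To/Cc; delivered via a list or alias")
    return {
        "from_domain": from_domain,
        "original_sender": srs[0] if srs else None,
        "forwarder": srs[1] if srs else None,
        "dmarc_pass": "dmarc=pass" in auth,   # expected to be True in both cases
        "reasons": reasons,
        "flag": bool(reasons),
    }


if __name__ == "__main__":
    for name, raw in (("relayed", RELAYED), ("direct", DIRECT)):
        print(name, assess(raw, "victim@victim.example"))
```

Note that `dmarc_pass` is True for both messages; the point of the check is that a passing DMARC result does not clear a money request that arrived through a third party's forwarder, so the decision rests on the delivery path, not on authentication.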


5. The Hunt for RedCurl by @HuntressLabs
- activity across several organizations in Canada, with similar infrastructure and TTPs that can be associated with the APT group known as RedCurl
- a 7-Zip binary executed from a suspicious location
- several scheduled tasks were used to execute the Windows Program Compatibility Assistant (pcalua.exe), which in turn executed a malicious binary
https://www.huntress.com/blog/the-hunt-for-redcurl-2
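Items 3 and 5 describe the same class of telemetry: process creations spawned by the Task Scheduler that run an encoded PowerShell script (item 3) or proxy a payload through pcalua.exe, alongside an archiver running from an odd path (item 5). The triage below is an added example, not code from the Trend Micro or Huntress write-ups; it assumes Sysmon Event ID 1 style field names (`Image`, `ParentImage`, `CommandLine`, `ParentCommandLine`), that scheduled tasks show a parent of `taskeng.exe` or `svchost.exe -s Schedule`, and the four events, the `updater.exe` path and the encoded script are constructed for illustration.

```python
import base64
import re

# Constructed events modelled on Sysmon Event ID 1 fields; they are not
# telemetry from the incidents above. The encoded script is built here so the
# sample is self-contained (PowerShell -enc takes base64 of UTF-16LE text).
_PS_PAYLOAD = r"IEX (Get-Content $env:TEMP\update.ps1 -Raw)"
ENCODED = base64.b64encode(_PS_PAYLOAD.encode("utf-16-le")).decode()

SCHED_PARENT = r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": SCHED_PARENT,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -enc {ENCODED}"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": SCHED_PARENT,
     "Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"C:\Windows\System32\pcalua.exe -a C:\ProgramData\svc\updater.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": r"C:\Windows\Explorer.EXE",
     "Image": r"C:\Users\Public\Libraries\7z.exe",
     "CommandLine": r"C:\Users\Public\Libraries\7z.exe x -pSecret archive.7z"},
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": r"C:\Windows\Explorer.EXE",
     "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"C:\Program Files\7-Zip\7z.exe a backup.7z docs"},
]

# -EncodedCommand and its accepted abbreviations, followed by the base64 blob.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")
TEMP_RE = re.compile(r"(?i)\$env:temp|\\temp\\|\\appdata\\local\\temp")
TRUSTED_7ZIP = (r"c:\program files\7-zip\\"[:-1], r"c:\program files (x86)\7-zip\\"[:-1])


def decode_encoded_command(cmdline):
    """Decode the script behind -enc/-EncodedCommand, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def from_task_scheduler(ev):
    """True when the parent is the Task Scheduler (taskeng.exe or the Schedule svchost)."""
    parent = ev["ParentImage"].lower()
    pcl = ev.get("ParentCommandLine", "").lower()
    return parent.endswith("\\taskeng.exe") or (
        parent.endswith("\\svchost.exe") and "-s schedule" in pcl)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(ev):
    """Return a list of human-readable findings for one process-creation event."""
    findings = []
    img, cmd = image_name(ev["Image"]), ev["CommandLine"]
    sched = " [launched by Task Scheduler]" if from_task_scheduler(ev) else ""
    if img in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            temp = " [references %Temp%]" if TEMP_RE.search(decoded) else ""
            findings.append(f"encoded PowerShell: {decoded}{temp}{sched}")
    if img == "pcalua.exe":
        m = re.search(r'(?i)-a\s+("[^"]+"|\S+)', cmd)
        target = m.group(1) if m else "<no -a argument>"
        findings.append(f"pcalua.exe proxy execution of {target}{sched}")
    if img in ("7z.exe", "7za.exe", "7zr.exe"):
        if not ev["Image"].lower().startswith(TRUSTED_7ZIP):
            findings.append(f"7-Zip binary run from unexpected path: {ev['Image']}")
    return findings


def triage_all(events):
    """Map event index -> findings, keeping only events that produced any."""
    return {i: f for i, ev in enumerate(events) if (f := triage(ev))}


if __name__ == "__main__":
    for i, f in triage_all(EVENTS).items():
        print(i, f)
```

Decoding the `-enc` blob rather than just flagging its presence matters in practice: the decoded text is what tells you whether the job is pulling a stager out of `%Temp%` or is a benign administrative task, and the same decoded string is what you pivot on across hosts.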

6. AI Domination: Remote Controlling ChatGPT ZombAI Instances by @wunderwuzzi23
- the research demonstrates how advanced prompt injection exploits can place an AI system under long-term remote control, exposing significant gaps in existing safeguards


Thank you.
Please add interesting items you came across during the week in the comments below.