Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.
1. ‘Nnice’ RANSOMWARE by @CyfirmaR
- targets Windows systems, encrypts files with advanced encryption techniques and a distinct file extension, and uses sophisticated evasion and persistence methods, posing significant risks to data security
- Target Technologies: Windows
- Encrypted file extension: .xdddd
- Observed First: 2025-01-17
- Observed First By: CYFIRMA
- Threat actor Communication mode: Mail
https://www.cyfirma.com/research/nnice-ransomware/
2. CVE-2024-45387: Critical Vulnerability in Apache Traffic Control by @CyfirmaR
- critical SQL injection vulnerability that allows privileged users to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, and system compromise.
https://www.cyfirma.com/research/cve-2024-45387-critical-vulnerability-in-apache-traffic-control
3. PlushDaemon compromises supply chain of Korean VPN service by @ESETresearch
- PlushDaemon is a China-aligned threat group engaged in cyberespionage operations
- its main initial access vector is hijacking legitimate updates of Chinese applications
- ESET uncovered a supply-chain attack against a South Korean VPN developer
- the group is the exclusive user of SlowStepper for Windows, which has a large toolkit of about 30 modules programmed in C++, Python and Go
4. Lumma Stealer Malware Updated to Use ChaCha20 Cipher for Config Decryption by @esthreat
- on Jan 21, 2025, new changes to Lumma Stealer were identified involving the use of the ChaCha20 cipher for config decryption
- these changes provide insight into the evasive tactics employed by the developer(s); Lumma Stealer is commonly delivered via the ClickFix initial access method, in which end users are socially engineered into copying and executing malicious PowerShell
5. Seasoning email threats with hidden text salting by @TalosSecurity
- increase in the number of emails leveraging hidden text salting (also known as “poisoning”) in the second half of 2024
- the idea is to include characters in the HTML source of an email that are not visually recognizable to the reader
- this technique is used for evading brand name extraction by email parsers, confusing language detection procedures, and evading spam filters and detection engines in HTML smuggling
https://blog.talosintelligence.com/seasoning-email-threats-with-hidden-text-salting/
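As an added example, not part of the digest or of Talos's research, here is a small Python scanner that separates the text a recipient actually sees from the salt that only a parser sees, so that a brand-name check can run on the de-salted text; it assumes two salting mechanisms, zero-width characters spliced into words and text hidden with inline CSS, and the sample email body is constructed.

```python
import re
from html.parser import HTMLParser

# Assumed salting mechanisms (not taken from the digest): zero-width code points
# spliced into words, and text wrapped in elements hidden with inline CSS.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}
HIDE_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                      r"(?:font-size|width|height)\s*:\s*0(?:px)?(?![.\d])", re.I)

class SaltScanner(HTMLParser):
    """Split an HTML mail body into text a reader sees and text only a parser sees."""
    def __init__(self):
        super().__init__()              # convert_charrefs=True: &#8203; arrives as U+200B
        self.visible, self.hidden = [], []
        self.zero_width = 0             # zero-width characters stripped from the text
        self._stack, self._hidden_depth = [], 0   # per open tag: is it CSS-hidden?

    def handle_starttag(self, tag, attrs):
        hidden = bool(HIDE_CSS.search(dict(attrs).get("style") or ""))
        self._stack.append(hidden)
        self._hidden_depth += hidden

    def handle_endtag(self, tag):
        if self._stack:
            self._hidden_depth -= self._stack.pop()

    def handle_data(self, data):
        self.zero_width += sum(ch in ZERO_WIDTH for ch in data)
        cleaned = "".join(ch for ch in data if ch not in ZERO_WIDTH)
        (self.hidden if self._hidden_depth else self.visible).append(cleaned)

def scan(html: str) -> dict:
    """Return de-salted visible text, CSS-hidden text, and whether salting was seen."""
    s = SaltScanner()
    s.feed(html)
    s.close()
    visible = " ".join(" ".join(s.visible).split())
    hidden = " ".join(" ".join(s.hidden).split())
    return {"visible_text": visible, "hidden_text": hidden, "zero_width": s.zero_width,
            "salted": s.zero_width > 0 or bool(hidden)}

# Constructed sample: "PayPal" is split by a zero-width space (once as an entity, once
# as a raw code point) and a CSS-hidden span carries filler aimed at language detection.
SAMPLE_EMAIL = ('<html><body><p>Your Pay&#8203;Pal account needs verification.</p>'
                '<span style="display:none">harmless unrelated filler words</span>'
                '<p>Click he\u200bre to confirm.</p></body></html>')

if __name__ == "__main__":
    print(scan(SAMPLE_EMAIL))     # raw body never contains "PayPal"; visible_text does
```

A naive substring match for the brand on the raw HTML fails, while the same match on `visible_text` succeeds and the `zero_width` and `hidden_text` fields give a detection signal on their own.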
6. Tracking a Malicious Blogspot Redirection Campaign to ApateWeb by @ValidinLLC
- Validin pivoted from a simple malicious Blogspot redirector
- after analyzing the identified IOCs, they determined that they had rediscovered an active section of the ApateWeb campaign first identified over a year ago
https://www.validin.com/blog/malicious_blogspot_apateweb_campaign/
7. 2024 macOS Malware Review | Infostealers, Backdoors, and APT Campaigns Targeting the Enterprise by @SentinelOne
- covers the key macOS malware families that appeared in 2024
- gives a short synopsis of each, highlighting tactics, indicators of compromise and detection opportunities, with links to further reading, to stay on top of an expanding macOS threat landscape
8. HellCat and Morpheus | Two Brands, One Payload as Ransomware Affiliates Drop Identical Code by @SentinelOne
- during a period of accelerated activity, the Ransomware-as-a-Service offerings HellCat and Morpheus have gained additional momentum and notoriety
- operators behind HellCat, in particular, have been vocal in their efforts to establish the RaaS as a ‘reputable’ brand and service within the crimeware economy
- affiliates across both operations are compiling payloads that contain almost identical code
Thank you for reading.
Please add interesting items you came across during the week in the comments below.