Welcome to the weekly digest about Cybersecurity & Threats in the wild.
Below you will find a very subjective summary of Cybersecurity events from the prior week.
1. WINDOWS LOCKER RANSOMWARE by @CyfirmaR
- new ransomware strain that targets victims by encrypting files & appending .winlocker extension to affected files
- after infection it drops a ransom note, Readme.txt, containing instructions for contacting the attacker or a designated admin to arrange payment and obtain the decryption key
https://www.cyfirma.com/research/windows-locker-ransomware/
2. Lumma Stealer’s GitHub-Based Delivery Explored via Managed Detection and Response by @TrendMicro
- campaign distributing Lumma Stealer through GitHub, abusing the platform’s release infrastructure to deliver various malware that included SectopRAT, Vidar, and Cobeacon
- attackers used GitHub's release infrastructure for initial access, with users downloading files from a secure URL
- files exfiltrated sensitive data and connected to external C&C servers
https://www.trendmicro.com/en_us/research/25/a/lumma-stealers-github-based-delivery-via-mdr.html
3. ASTRAL STEALER ANALYSIS by @CyfirmaR
- powerful stealer coded in Python, C#, and JavaScript
- malicious tool with abilities to compromise gaming accounts (Steam, Roblox, and Minecraft), while stealing browser creds, cookies, clipboard data & history
- conducts crypto wallet exploitation by harvesting sensitive data from cryptocurrency wallets (e.g., Ethereum, MetaMask) & extensions
https://www.cyfirma.com/research/astral-stealer-analysis/
4. ScatterBrain: Unmasking the Shadow of PoisonPlug’s Obfuscator by @Mandiant
- sophisticated obfuscator used by POISONPLUG.SHADOW
- POISONPLUG.SHADOW is an advanced modular backdoor leveraged by specific China-nexus threat actors that GTIG has been tracking since 2022
5. Adversarial Misuse of Generative AI by @Mandiant
- rather than engineering tailored prompts, threat actors used more basic measures or publicly available jailbreak prompts in unsuccessful attempts to bypass Gemini’s safety controls
- threat actors primarily use AI for research, troubleshooting code, and creating and localizing content. APT actors used Gemini to support several phases of the attack lifecycle, including researching potential infrastructure and free hosting providers, reconnaissance on target organizations, research into vulnerabilities, payload development, and assistance with malicious scripting and evasion techniques.
https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai

6. CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia by #PaloAlto’s #Unit42
- used rare tools and techniques like Hex Staging to deliver payloads in chunks
- exfiltration over DNS using ping, and abusing the SQLcmd utility for data theft
- campaign primarily aimed to obtain personal info of gov employees and steal sensitive data from targeted orgs
https://unit42.paloaltonetworks.com/espionage-campaign-targets-south-asian-entities/
7. Recent Jailbreaks Demonstrate Emerging Threat to DeepSeek by #PaloAlto’s #Unit42
- two novel and effective jailbreaking techniques: Deceptive Delight & Bad Likert Judge
- achieved significant bypass rates, with little to no specialized knowledge or expertise being necessary.
https://unit42.paloaltonetworks.com/jailbreaking-deepseek-three-techniques/
8. Technical Analysis of Xloader Versions 6 and 7 | Part 1 by @Threatlabz
- Xloader (aka Formbook) is a malware family that steals data from a variety of targeted apps: web browsers, email clients and FTP apps
- can be leveraged to download and execute second-stage payloads
- v6 and 7 include additional obfuscation and encryption layers meant to protect critical code and info to defeat signature-based detection and complicate reverse engineering efforts
https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-versions-6-and-7-part-1

9. Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells and JuicyPotatoNG Privilege Escalation Tool by @esthreat
- threat actor(s) used the w3wp.exe (IIS worker process) to load a reverse shell and run follow-up commands for reconnaissance through cmd.exe
- reverse shells were dropped in the C:\Windows\Temp directory
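A small detection check for the behaviour described in item 9 (the IIS worker process spawning cmd.exe and writing into C:\Windows\Temp). This is an added example, not code from the eSentire write-up; the key=value log layout and the sample lines are constructed to resemble Sysmon process-creation (EventID 1) and file-creation (EventID 11) events.

```python
import re
from typing import Dict, List

# Constructed sample lines in a simplified Sysmon-like key=value layout (not real telemetry).
# EventID 1 = process creation, EventID 11 = file creation.
SAMPLE_LOGS = [
    'EventID=1 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe ParentImage=C:\\Windows\\System32\\svchost.exe CommandLine="w3wp.exe -ap DefaultAppPool"',
    'EventID=11 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe TargetFilename=C:\\Windows\\Temp\\payload.exe',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe CommandLine="cmd.exe /c whoami"',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="cmd.exe"',
    'EventID=11 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe TargetFilename=C:\\inetpub\\logs\\u_ex.log',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SHELLS = {"cmd.exe", "powershell.exe"}   # command interpreters rarely legitimate under IIS
IIS_WORKER = "w3wp.exe"
TEMP_DIR = "c:\\windows\\temp\\"         # drop location named in the write-up


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, so image comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines: List[str]) -> List[str]:
    """Return one alert string per event that matches either pattern, in input order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        target = ev.get("TargetFilename", "")
        # Pattern 1: IIS worker process spawning a command interpreter.
        if ev.get("EventID") == "1" and parent == IIS_WORKER and image in SHELLS:
            alerts.append(f"IIS worker spawned shell: {ev.get('CommandLine', '')}")
        # Pattern 2: IIS worker process writing a file into C:\Windows\Temp.
        elif ev.get("EventID") == "11" and image == IIS_WORKER and target.lower().startswith(TEMP_DIR):
            alerts.append(f"IIS worker wrote to Windows Temp: {target}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Only the two events tied to the IIS worker fire; the cmd.exe launched from explorer.exe and the normal IIS log write in C:\inetpub are ignored.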

10. Coyote Banking Trojan: A Stealthy Attack via LNK Files by #FORTIGUARD LABS
- several similar LNK files containing PowerShell commands designed to execute malicious scripts and connect to remote servers
- files are part of multi-stage operations that ultimately deliver the Coyote Banking Trojan
- primarily targets users in Brazil, seeking to harvest sensitive information from over 70 financial applications and numerous websites
- it can carry out various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials
https://www.fortinet.com/blog/threat-research/coyote-banking-trojan-a-stealthy-attack-via-lnk-files
Thank you for reading.
Please add interesting items you came across during the week in the comments below.