Cybersecurity Wiretap #5: From Arbitrary JavaScript Execution to Crypto Mining Operations with a Focus on Ransomware Analysis (week of 05/20/2024)

Welcome to the weekly digest about cybersecurity & threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.

CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js by @CodeanIO

  • allows an attacker to execute arbitrary JavaScript code when a malicious PDF file is opened
  • affects all Firefox users (<126) & many web- and Electron-based apps that (directly or indirectly) use PDF.js

https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/

ANALYSIS AND DETECTION OF CLOUD#REVERSER by @Securonix Threat Research

  • infects & persists while blending into regular background network noise
  • embedding malicious scripts within innocuous cloud services provides sustained access for data exfil & command exec

https://www.securonix.com/blog/analysis-and-detection-of-cloudreverser-an-attack-involving-threat-actors-compromising-systems-using-a-sophisticated-cloud-based-malware/

SamsStealer: Unveiling the Information Stealer Targeting Windows Systems by @CyfirmaR

  • collects system info & creates a Temp folder to store the extracted data
  • compresses the gathered info into “Backup.zip” & uploads it to gofile.io

https://www.cyfirma.com/research/samsstealer-unveiling-the-information-stealer-targeting-windows-systems/

Tinyproxy (CVE-2023-49606) – Vulnerability Analysis and Exploitation by @CyfirmaR

  • allows remote attackers to execute arbitrary code on affected systems
  • vulnerability stems from a memory safety issue triggered by processing HTTP connection headers

https://www.cyfirma.com/research/tinyproxy-cve-2023-49606-vulnerability-analysis-and-exploitation/

Iluria Stealer; a Variant of Another Discord Stealer by @CyfirmaR

  • created by the same developer behind Nikki Stealer
  • both share similar code with SonicGlyde, a variant of Epsilon Stealer, which captures browser cookies, credentials & credit card info saved in Discord

https://www.cyfirma.com/research/iluria-stealer-a-variant-of-another-discord-stealer/

SYNAPSE : Ransomware Technical Analysis by @CyfirmaR

  • spares Iranian systems from encryption
  • pre-encryption: privilege escalation, defense system impairment & shadow copy deletion
  • post-encryption: file renaming, wallpaper and icon changes & data wiping

https://www.cyfirma.com/research/synapse-ransomware-technical-analysis/

Operation Diplomatic Specter by #PaloAlto's #Unit42

  • long-term espionage operations against at least 7 governmental entities
  • threat actor performed intel collection efforts at large scale, leveraging rare email exfil techniques

https://unit42.paloaltonetworks.com/operation-diplomatic-specter/

Invisible miners: unveiling GHOSTENGINE’s crypto mining operations by @elasticseclabs

  • leverages vulnerable drivers to terminate & delete known EDR agents that would interfere with the deployed coin miner
  • incorporates many contingency & duplication mechanisms

https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine

Ikaruz Red Team | Hacktivist Group Leverages Ransomware for Attention Not Profit by @LabsSentinel

  • profiles the group and its recent actions, highlighting the threat actor’s methodology, social media activity and relevance within the wider geopolitical context

https://www.sentinelone.com/blog/ikaruz-red-team-hacktivist-group-leverages-ransomware-for-attention-not-profit/

Thanks a lot for reading.
