Cyber Security Advisories

Xiū gǒu
Phishing Kit

 

The Xiū gǒu phishing kit represents a newly uncovered, highly sophisticated and global phishing threat, designed to deceive and exploit unsuspecting users across diverse sectors. Derived from Mandarin internet slang for “doggo,” this toolkit is distinguished by its refined branding and advanced evasion techniques, which collectively enhance its efficacy in targeting individuals across a wide array of industries, including public services, postal systems, banking, and digital platforms. Since its emergence in September 2024, the Xiū gǒu phishing kit has proliferated across over 2,000 known malicious websites, primarily affecting users in the UK, US, Spain, Australia, and Japan. The kit harnesses Rich Communication Services (RCS) messaging to distribute malicious, shortened URLs, which lure recipients with fraudulent alerts concerning government payments, postal fines, and other urgent notifications. These deceptive messages direct victims to counterfeit websites that closely mimic legitimate institutions, such as the UK Government, USPS, and Lloyds Bank. Once victims are compelled to enter sensitive personal or financial information, it is surreptitiously exfiltrated via a Telegram bot controlled by the attackers. Furthermore, the Xiū gǒu phishing kit leverages sophisticated anti-detection measures, including Cloudflare’s obfuscation technologies, to mask the malicious nature of the campaign and circumvent traditional security mechanisms, rendering it an exceptionally potent and evasive threat.

Corrupted ZIPs and Office Docs Bypass Security

 

A sophisticated phishing campaign, leveraging corrupted ZIP archives and Microsoft Office files, is successfully bypassing traditional security defenses, including antivirus systems, sandboxes, and email spam filters. Active since August 2024, this attack exploits vulnerabilities in file recovery mechanisms within widely used applications such as Microsoft Word, Outlook, and WinRAR. When users open seemingly legitimate business communications, the malicious payloads are triggered, executing harmful code. What makes this threat particularly concerning is its ability to target trusted tools, allowing attackers to bypass security layers that rely on detecting suspicious file types or behaviors. The sophistication of the campaign reflects a deep understanding of how modern security defenses operate, posing a significant risk to organizational integrity. By exploiting trusted file formats and recovery features, attackers can establish a foothold in corporate environments, potentially leading to data breaches, ransomware deployment, or the theft of sensitive information. This campaign underscores the urgent need for organizations to move beyond reliance on a single layer of threat detection, such as Microsoft Defender, which many businesses depend on without validating its effectiveness or assessing potential evasion. Relying solely on one security measure leaves organizations vulnerable to sophisticated attacks that can bypass traditional defenses. To mitigate these risks, organizations should implement multi-layered security strategies, including advanced, behavior-based detection systems, and ensure that employees are trained to identify and avoid increasingly sophisticated social engineering tactics.

Latrodectus Malware
The Black Widow Threat

Latrodectus, a newly identified and highly sophisticated malware, is rapidly capturing the attention of the cybersecurity community. Named after the notorious black widow spider, this malware employs stealthy and dangerous tactics to infiltrate targeted systems. Latrodectus is linked to data exfiltration, credential theft, and ransomware attacks, with a particular focus on critical infrastructure sectors such as healthcare, financial institutions, and government agencies, highlighting the urgent need for heightened vigilance. The methods used by Latrodectus include advanced phishing campaigns specifically targeting high-ranking executives and system administrators. Its remarkable ability to evade detection allows it to siphon off sensitive data while delivering secondary payloads that increase its destructive potential. The malware’s evolving characteristics present significant challenges to conventional security measures. The cybercriminal groups orchestrating Latrodectus are believed to operate on a global scale, driven by motives of financial gain and corporate espionage. Given its adaptable and persistent nature, Latrodectus is likely to remain a formidable threat to organizations handling sensitive information, necessitating ongoing and enhanced defensive strategies.  

SideWinder APT
StealerBot Campaign

SideWinder APT—also known as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, or T-APT-04—has been active since at least 2012 and is believed to support the strategic interests of the Indian state. Recently, the group has expanded its operations to include the Middle East, Africa, and Southeast Asia.

SideWinder primarily targets military, governmental, telecommunications, and critical infrastructure entities in these regions. The group typically initiates attacks through spear-phishing emails, followed by sophisticated multi-stage assaults that exploit well-documented vulnerabilities, such as CVE-2017-11882.

In its latest campaign, SideWinder has introduced a new variant of “StealerBot,” an advanced cyberespionage tool designed for data exfiltration, system compromise, and the facilitation of additional malicious activities. This evolution in their toolkit highlights their growing capabilities and intent, positioning them as a significant threat in the cyber landscape.

Pygmy Goat
Malware

 

“Pygmy Goat” malware is a highly sophisticated backdoor payload designed to provide unauthorized access to Linux-based network devices, with a particular focus on Sophos XG firewall appliances. Discovered as part of an ongoing series of cyber-espionage operations linked to Chinese state-sponsored threat actors, the malware is emblematic of the broader Pacific Rim campaign—a targeted assault on critical infrastructure and high-value entities. First identified by the UK’s National Cyber Security Centre (NCSC), these attacks exploit known vulnerabilities, such as CVE-2022-1040, in edge devices and network appliances, particularly those used by government agencies, critical infrastructure sectors, and private enterprises. Once deployed, “Pygmy Goat” grants attackers persistent, covert access to compromised systems, enabling the exfiltration of sensitive data and remote control of infected devices. The malware employs advanced evasion techniques, including the use of encrypted ICMP packets for stealthy communication and disguising malicious activity as legitimate SSH traffic, thereby circumventing traditional detection mechanisms

North Korean
Linked MISTPEN Malware

A recently identified cyber-espionage group associated with North Korea, designated as UNC2970 by Mandiant, has been employing job-themed phishing tactics to penetrate organizations within the energy and aerospace sectors. This group is deploying a novel backdoor malware, referred to as MISTPEN, specifically engineered to exfiltrate sensitive data. UNC2970 is linked to the notorious Lazarus Group (also known as TEMP.Hermit or Diamond Sleet), which operates under the auspices of North Korea’s Reconnaissance General Bureau (RGB). Since at least 2013, this organization has strategically targeted a range of sectors, including government, defense, telecommunications, and finance, with the intent to gather intelligence that aligns with North Korean strategic objectives. The ongoing campaign, named “Operation Dream Job,” has effectively targeted prominent organizations across multiple countries, including the United States, United Kingdom, Germany, Sweden, Singapore, and Australia. The implications of this activity underscore the need for heightened vigi lance and robust cybersecurity measures within affected sectors.  

Latrodectus Malware
The Black Widow Threat

Latrodectus, a newly identified and highly sophisticated malware, is rapidly capturing the attention of the cybersecurity community. Named after the notorious black widow spider, this malware employs stealthy and dangerous tactics to infiltrate targeted systems. Latrodectus is linked to data exfiltration, credential theft, and ransomware attacks, with a particular focus on critical infrastructure sectors such as healthcare, financial institutions, and government agencies, highlighting the urgent need for heightened vigilance. The methods used by Latrodectus include advanced phishing campaigns specifically targeting high-ranking executives and system administrators. Its remarkable ability to evade detection allows it to siphon off sensitive data while delivering secondary payloads that increase its destructive potential. The malware’s evolving characteristics present significant challenges to conventional security measures. The cybercriminal groups orchestrating Latrodectus are believed to operate on a global scale, driven by motives of financial gain and corporate espionage. Given its adaptable and persistent nature, Latrodectus is likely to remain a formidable threat to organizations handling sensitive information, necessitating ongoing and enhanced defensive strategies.  

SideWinder APT
StealerBot Campaign

SideWinder APT—also known as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, or T-APT-04—has been active since at least 2012 and is believed to support the strategic interests of the Indian state. Recently, the group has expanded its operations to include the Middle East, Africa, and Southeast Asia.

SideWinder primarily targets military, governmental, telecommunications, and critical infrastructure entities in these regions. The group typically initiates attacks through spear-phishing emails, followed by sophisticated multi-stage assaults that exploit well-documented vulnerabilities, such as CVE-2017-11882.

In its latest campaign, SideWinder has introduced a new variant of “StealerBot,” an advanced cyberespionage tool designed for data exfiltration, system compromise, and the facilitation of additional malicious activities. This evolution in their toolkit highlights their growing capabilities and intent, positioning them as a significant threat in the cyber landscape.

Neutralizing Russian
Military Cyber Threats

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) have identified cyber actors associated with the Russian General Staff Main Intelligence Directorate (GRU), specifically the 161st Specialist Training Center (Unit 29155), as responsible for sophisticated cyber operations targeting global entities.  Since at least 2020, Unit 29155 has engaged in activities aimed at espionage, sabotage, and inflicting reputational damage. Notably, these actors have employed the destructive WhisperGate malware against several Ukrainian organizations starting January 13, 2022. It is important to distinguish Unit 29155 from other GRU cyber units such as Unit 26165 and Unit 74455, as their tactics and targets differ significantly.

Security Advisory -
VectorStealer Malware

VectorStealer is modular malware that emerged in 2020 and steals .rdp files using phishing emails and malicious websites, enabling threat actors to perform RDP hijacking and propagate across connected systems. Its primary goal is to exfiltrate sensitive information, including log- in credentials and financial and personal data, through popular channels like SMTP, Discord, or Telegram. VectorStealer uses advanced anti-analysis techniques, including the KGB Crypter tool, which encrypts and modifies the code with each compilation, making it challenging to detect and remove. It can also recover sensitive data from popular browsers, like Firefox, Chrome, and Safari. By leveraging KGB Crypter, VectorStealer can evade traditional security measures and successfully infiltrate systems, posing a severe threat to targeted individuals and organisa- tions.

Security Advisory -
Snake Implant Malware

The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. Globally, the FSB has used Snake to collect sensitive intelligence from high priority targets, such as government networks, research facilities, and journalists. As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a NATO country. With- in the United States, the FSB has victimized industries including education, small businesses, and media organizations, as well as critical infrastructure sectors including government facili- ties, financial services, critical manufacturing, and communications.  

Cicada3301: A Cross-Platform
Rust-Based Ransomware

A new and formidable threat has emerged in the cybersecurity landscape: a Rust-based ransomware variant known as Cicada3301. This advanced malware targets both Windows and Linux systems, reflecting its cross-platform versatility and raising alarms across diverse IT environments. Cicada3301 is linked to a notorious adversarial group with a history of attacking critical sectors, including government, healthcare, and financial institutions. The sophistication of Cicada3301 lies not only in its cross-platform capabilities but also in its execution of a double-extortion strategy. Initially, the ransomware infiltrates corporate networks to exfiltrate sensitive data, followed by the encryption of the victim’s devices. The attackers then lever age both the encryption key and the threat of publicly releasing the stolen data to coerce organizations into paying the ransom. A key concern is Cicada3301’s advanced evasion techniques, particularly its ability to bypass traditional endpoint detection and response (EDR) systems. The ransomware employs sophisticated methods, such as weaponizing vulnerable signed drivers, to evade detection and complicate mitigation efforts. This dual-layered approach and its EDR evasion tactics significantly amplify the threat posed by Cicada3301, underscoring the critical need for robust, multi-faceted cybersecurity defenses. Organizations must be vigilant and proactive in their security measures to effectively counter this evolving and dangerous adversary.

CrowdStrike
Fallout

In recent days, an incident involving CrowdStrike’s Falcon platform has ignited a flurry of posts across social media platforms. Reports of Windows hosts encountering blue screen errors following a flawed content update have highlighted a critical cybersecurity concern often underestimated: the inadvertent exposure of organizational vulnerabilities through social media. The outcry on platforms like LinkedIn and Facebook inadvertently disclosed users’ reliance on CrowdStrike for endpoint security. Beyond immediate operational disruptions, this exposure introduces a subtler yet significant risk: targeted attacks. Adversaries proficient in reconnaissance capitalize on such disclosures to gather intelligence on potential targets. This intelligence can inform the development of customized endpoint exploits meticulously crafted to evade or compromise CrowdStrike’s defenses. Compounding this emerging incident is attacks from malicious actors who are mimicking CrowdStrike’s official site, disseminating counterfeit code and instructions under the guise of assisting entities affected by the outage. In responding to this incident, it’s crucial for organizations to mitigate risks stemming from social media exposure, while also remaining vigilant against fraud ulent attempts to exploit the situation for malicious purposes.

CyberStash Security Advisory -
Lockbit 3.0 Ransomware

Lockbit 3.0 is a pernicious form of ransomware that encrypts files on infected systems and demands payment for the decryption key. This Ransomware-as-a-Service (RaaS) variant first emerged in March 2023 and employs various distribution vectors, including phishing emails, exploit kits, compromised credentials, and brute-force attacks against exposed public services. The threat actors behind Lockbit 3.0 also leverage remote administration tools such as AnyDesk, Splashtop, and Atera RMM to establish persistent access to the victim’s network. Once a system is infected with Lockbit 3.0 ransomware, it employs advanced Living-off-the-Land (LoL) techniques and additional tools to spread itself across the network, seeking out other vulnerable devices. This allows the ransomware to maximise its impact, potentially causing significant damage to the affected organisation. Given the sophisticated tactics used by Lockbit 3.0 threat actors, organisations must remain vigilant and adopt a multi-layered security approach to detect and prevent attacks in real-time

Cuttlefish
Malware

A new malware dubbed Cuttlefish has emerged, posing a significant threat to small office and home office (SOHO) routers. Its primary objective is to covertly monitor all traffic passing through these devices and extract authentication data from HTTP GET and POST requests. Cuttlefish operates as a modular malware, specifically targeting web requests passing through routers, facilitating the theft of authentication material.

Deadglyph
Malware

 

In a recent cyber espionage incident targeting the Middle Eastern Government entities, a newly emerged and highly sophisticated backdoor malware called ‘Deadglyph’ made its ominous debut.

The Deadglyph malware is designed with interchangeable parts, known as modules. These modules are like specialized tools that it can download from a central control center (C2). Each tool, or module, comes with specific instructions called shellcodes that the malware follows to carry out different tasks.

This modular approach gives threat actors the flexibility to create new tools whenever they need them. It’s like having a toolbox with the ability to craft custom tools for specific targets. These custom tools can then be sent to victims to carry out additional harmful actions.

Deep
Gosu

 

DEEP#GOSU Malware represents a highly sophisticated and elaborate cyber threat campaign observed recently, leveraging PowerShell and VBScript malware to compromise Windows systems. DEEP#GOSU malware is highly advanced and operates stealthily on Windows systems, especially when it comes to monitoring network activity.

Its abilities encompassed keylogging, monitoring clipboard activities, executing dynamic payloads, exfiltrating data, and maintaining persistence. This was achieved through a combination of Remote Access Trojan (RAT) software for complete remote control, scheduled tasks, and self-executing PowerShell scripts utilizing jobs.

Security Advisory -
DragonSpark

The DragonSpark Attack is a sophisticated attack that utilizes a tool called SparkRAT. SparkRAT is a Remote Access Trojan that can run on multiple platforms and is developed using the Go programming language. The attack was first discovered by SentinelLabs and is carried out by compromising infrastructure located in China, Hong Kong, Taiwan, Singapore, and the United States. The attacker uses this compromised infrastructure to deploy malware and a variety of other tools. To execute code from the malware binaries, the attackers use a technique called Golang source code interpretation, which allows them to create a reverse shell for remote code execution. This technique makes it difficult to detect the attack because most endpoint security software assesses the behavior of compiled code, rather than the source code itself

Exploiting
The regreSSHion Vulnerability

The identified vulnerability, known as “regreSSHion,” impacts OpenSSH, a widely-deployed implementation of the Secure Shell (SSH) protocol pivotal for secure remote administration and file transfers within enterprises. This flaw permits remote, unauthenticated adversaries to execute arbitrary code on affected systems, thereby potentially compromising the confidentiality, integrity, and availability of the targeted infrastructure. Designated a CVE-2024-6387, this vulnerability manifests as a race condition in the signal handler of OpenSSH, facilitating unauthenticated remote code execution with root privileges. Notably, this issue pertains specifically to the default configuration of sshd, thus posing a critical security threat necessitating immediate attention and remediation by organizations reliant on OpenSSH for secure communications. Addressing this vulnerability can be effectively managed through proactive measures such as ap plying patches promptly or implementing network configurations that restrict direct internet access. If these controls are not feasible right away, you can reduce the risk by configuring the OpenSSH server to set the LoginGraceTime parameter to 0. This prevents unauthenticated sessions from staying open and being vulnerable to exploitation. Yet, this adjustment could potential- ly lead to a denial of service if all connection slots are filled

Emojis
Powered Malware Operations

A novel Linux malware, designated as ‘DISGOMOJI,’ has emerged, distinguished by its unconventional use of emojis to facilitate command execution on compromised systems. Predominantly directed at governmental entities within India, this malicious software has been linked to the activities of ‘UTA0137,’ a threat actor believed to operate out of Pakistan. In functionality, DISGOMOJI exhibits traits akin to conventional backdoors and botnets, empowering threat actors with capabilities such as remote command execution, screen capturing, file exfil tration, payload deployment, and targeted file reconnaissance. However, its hallmark innovation resides in its adoption of Discord as a command and control (C2) platform, supplemented by emojis to issue directives. This departure from traditional text-based commands potentially augments its stealth capabilities, as it may elude detection by security solutions oriented towards scrutinizing text-based communications. The emergence of DISGOMOJI underscores a notable evolution in malware tactics, where leverag- ing popular communication platforms and unconventional mediums like emojis represents a concerted effort to circumvent traditional cybersecurity defenses. As such, vigilance and adaptation in defensive strategies are imperative to counteract this emerging threat landscape effectively

3CX
Desktop App Report

Several cybersecurity vendors expressed concerns on March 29th 2023, about a potential supply chain attack involving tampered 3CX installers that had been digitally signed. The attack aimed to compromise downstream customers. 3CX’s CEO confirmed that the desktop app was compromised with malware and advised customers to uninstall it and switch to the PWA client. This new malware has the ability to gather system information and steal stored credentials and data from user profiles of Chrome, Edge, Brave, and Firefox. Affected platforms: The following platforms are known to be affected: Windows users: versions 18.12.407 & 18.12.416 of the 3CX Desktop App Electron application shipped in Update 7 macOS users: versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX Desktop App Electron application  

BellaCiao
IRGC

 

An Iranian state-sponsored hacking group known as APT35/APT42 or Mint Sandstorm has been identified as deploying a new strain of malware named BellaCiao, which has targeted victims in various countries, including the U.S., Europe, India, Turkey, and others. The campaign aims to exploit vulnerabilities in Microsoft Exchange servers to gain unauthorized access and deploy malicious payloads for espionage, data theft, and potentially ransomware attacks.

BellaCiao is a dropper malware designed to deliver additional malicious payloads to compromised devices based on instructions from the threat actors. Its primary objective is to establish persistence and maintain stealth while awaiting further instructions. The malware is customized for each victim (including hardcoded information such as company name, specially crafted subdomains, or associated public IP address) ensuring tailored implants and evading detection mechanisms.

BiBi
Wiper Malware

 

In a recent surge of cyber threats, Israeli computers are increasingly facing data-wiping attacks perpetrated by variants of the BiBi malware family. Researchers have identified these destructive elements affecting both Linux and Windows systems. The attacks are part of a broader cyber offensive targeting various sectors in Israel, notably in education and technology.

The Security Joes’ Incident Response team recently uncovered ‘BiBi-Linux,’ a malware strain designed for irreversible data corruption and operational disruption. Following this discovery, ESET researchers confirmed on October 31,2023 that a Windows variant of the same malware, linked to a hacktivist group named BiBiGun, was identified. This group is associated with Hamas, indicating a coordinated effort in deploying the malware for potential cyber-attacks and disruptions.

CMoon
USB Worm

A new USB worm, identified as “CMoon,” has emerged, specifically targeting Russian individuals and organizations. The malware is designed for data theft, with the primary objective of exfiltrating sensitive information from infected systems. The attack vector utilizes USB drives, making it particularly potent in environments with shared or transient storage media. The CMoon worm has raised significant concerns due to its potential impact on both government and private sector entities in Russia.In this attack, users are lured into clicking on links to regulatory documents—such as .docx, .xlsx, .rtf, and .pdf files—on the company’s website. However, these links have been compromised by threat actors, who have substituted the legitimate documents with malicious executables. These executables are distributed in the form of self-extracting archives that contain both the supposed document and a malicious payload named CMoon. When users download and open these archives, they inadvertently execute the CMoon payload, which establishes a backdoor or performs other malicious actions, giving the attackers control over the affected systems. This tactic exploits the trust users have in the legitimate appearance of regulatory documents and the company’s website to initiate the infection chain.

Mint
Sandstorm Campaign

Mint Sandstorm, who share similarities with the threat actor monitored by other researchers under the names APT35 and Charming Kitten, is an Iranian state-sponsored APT group that primarily focuses on cyber-espionage activities, with a specific interest in targeting individuals and organiza- tions associated with Microsoft’s educational and research sectors. Their operations aim to steal sensitive intellectual property, research findings, and other valuable information. Mint Sandstorm’s primary targets are educators and researchers affiliated with Microsoft. The group is known for leveraging social engineering tactics, spear-phishing campaigns, and watering hole attacks to compromise the systems of their victims. The adversaries exploit vulnerabilities in software commonly used by educators and researchers, seeking to gain unauthorized access to sensitive information. The threat actors utilized compromised legitimate email accounts to send phishing lures, employed the Client for URL (curl) command to establish connections with the Mint Sandstorm command-and-control (C2) server for downloading malicious files, and introduced a new custom backdoor named MediaPl. These sophisticated techniques enhance Mint Sandstorm’s ability to evade detection and persistently compromise targeted systems.  

Security Advisory -
Nevada Ransomware

NEVADA is a ransomware that targets Windows and Linux operating systems, encrypting files and appending the “.NEVADA” extension to filenames. It also drops a ransom note in folders containing encrypted files. The security community has addressed the malware’s initial access vector and variations, with investigations ongoing to determine which known vulnerabilities attackers may be exploiting. As of February 3rd, 2023, Nevada ransomware is targeting VMware ESXi servers exposed to the Internet, and it’s a growing Ransomware-as-a-Service with an affiliate network for both Russian and English-speaking entities. The new variant of ESXiArgs encrypts more data, mak- ing it challenging to recover, and the bitcoin wallet is no longer trackable. To counter the ongoing situation, it’s essential to ensure that ESXi servers are updated with VMWare’s provided patches for known vulnerabilities and not exposed to the Internet.

Quasar
RAT Stealthy DLL Side-Loading

The Quasar RAT, an open-source remote access trojan, has been observed employing DLL side-loading techniques to discreetly operate and siphon data from compromised Windows hosts. This method takes advantage of the implicit trust these files hold within the Windows environment, utilizing ctfmon.exe and calc.exe as integral components of its attack chain. Quasar RAT, also recognized as CinaRAT or Yggdrasil, operates as a C#-based remote administra- tion tool, offering functionalities such as collecting system information, listing running applications, accessing files, logging keystrokes, capturing screenshots, and executing arbitrary shell commands. This trojan’s utilization of DLL side-loading adds a layer of stealth to its activities, enabling it to navigate undetected through security measures while conducting its malicious operations on the compromised systems.

Remcos
RAT

The advent of a fresh variant of the IDAT loader, frequently utilized by cybercriminals for malware dissemination, presents a formidable obstacle for both standard and advanced defense mechanisms. This latest iteration harnesses steganography, a technique for camouflaging data within apparently benign files, to clandestinely deploy the Remcos Remote Access Trojan (RAT). Steganography amplifies the stealth attributes of the payload, rendering it notably arduous for conventional security measures to identify. The Remcos RAT facilitates various malicious activities, including remote monitoring and data exfil- tration. IDAT utilizes sophisticated evasion techniques, such as dynamic loading of Windows API functions and obfuscation of API calls, to avoid detection. Upon execution, IDAT extracts the hidden payload from a PNG image file, decrypts it, and executes it in memory, injecting additional modules into legitimate processes. The final stage involves decrypting and executing the Remcos RAT, enabling covert data theft and surveillance. Mitigation strategies include deploying robust security controls to reduce exposure and educating users about the risks of opening files from untrusted sources.