Cyber Security Advisories
North Korean Linked MISTPEN Malware
A recently identified cyber-espionage group associated with North Korea, designated as UNC2970 by Mandiant, has been employing job-themed phishing tactics to penetrate organizations within the energy and aerospace sectors. This group is deploying a novel backdoor malware, referred to as MISTPEN, specifically engineered to exfiltrate sensitive data. UNC2970 is linked to the notorious Lazarus Group (also known as TEMP.Hermit or Diamond Sleet), which operates under the auspices of North Korea’s Reconnaissance General Bureau (RGB). Since at least 2013, this organization has strategically targeted a range of sectors, including government,
defense, telecommunications, and finance, with the intent to gather intelligence that aligns with North Korean strategic objectives. The ongoing campaign, named “Operation Dream Job,” has effectively targeted prominent organizations across multiple countries, including the United States, United Kingdom, Germany, Sweden, Singapore, and Australia. The implications of this activity underscore the need for heightened vigi
lance and robust cybersecurity measures within affected sectors.
Security Advisory -
VectorStealer Malware
VectorStealer is modular malware that emerged in 2020 and steals .rdp files using phishing emails and malicious websites, enabling threat actors to perform RDP hijacking and propagate across connected systems. Its primary goal is to exfiltrate sensitive information, including log-
in credentials and financial and personal data, through popular channels like SMTP, Discord, or
Telegram. VectorStealer uses advanced anti-analysis techniques, including the KGB Crypter tool, which
encrypts and modifies the code with each compilation, making it challenging to detect and remove. It can also recover sensitive data from popular browsers, like Firefox, Chrome, and
Safari. By leveraging KGB Crypter, VectorStealer can evade traditional security measures and successfully infiltrate systems, posing a severe threat to targeted individuals and organisa-
tions.
Security Advisory -
Snake Implant Malware
The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection
on sensitive targets. Globally, the FSB has used Snake to collect sensitive intelligence from high
priority targets, such as government networks, research facilities, and journalists.
As one example, FSB actors used Snake to access and exfiltrate sensitive international relations
documents, as well as other diplomatic communications, from a victim in a NATO country. With-
in the United States, the FSB has victimized industries including education, small businesses,
and media organizations, as well as critical infrastructure sectors including government facili-
ties, financial services, critical manufacturing, and communications.
Cicada3301: A Cross-Platform
Rust-Based Ransomware
A new and formidable threat has emerged in the cybersecurity landscape: a Rust-based ransomware variant known as Cicada3301. This advanced malware targets both Windows and Linux systems, reflecting its cross-platform versatility and raising alarms across diverse IT environments. Cicada3301 is linked to a notorious adversarial group with a history of attacking critical sectors, including government, healthcare, and financial institutions. The sophistication of Cicada3301 lies not only in its cross-platform capabilities but also in its execution of a double-extortion strategy. Initially, the ransomware infiltrates corporate networks to exfiltrate sensitive data, followed by the encryption of the victim’s devices. The attackers then lever
age both the encryption key and the threat of publicly releasing the stolen data to coerce organizations into paying the ransom. A key concern is Cicada3301’s advanced evasion techniques, particularly its ability to bypass traditional endpoint detection and response (EDR) systems. The ransomware employs sophisticated methods, such as weaponizing vulnerable signed drivers, to evade detection and complicate mitigation efforts. This dual-layered approach and its EDR evasion tactics significantly amplify the
threat posed by Cicada3301, underscoring the critical need for robust, multi-faceted cybersecurity
defenses. Organizations must be vigilant and proactive in their security measures to effectively counter this evolving and dangerous adversary.
Neutralizing Russian
Military Cyber Threats
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) have identified cyber actors associated with the Russian General Staff Main Intelligence Directorate (GRU), specifically the 161st Specialist Training Center (Unit 29155), as responsible for sophisticated cyber operations targeting global entities. Since at least 2020, Unit 29155 has engaged in activities aimed at espionage, sabotage, and inflicting reputational damage. Notably, these actors have employed the destructive WhisperGate malware against several Ukrainian organizations starting January 13, 2022. It is important to distinguish Unit 29155 from other GRU cyber units such as Unit 26165 and Unit 74455, as their tactics and targets differ significantly.
Security Advisory -
VectorStealer Malware
VectorStealer is modular malware that emerged in 2020 and steals .rdp files using phishing emails and malicious websites, enabling threat actors to perform RDP hijacking and propagate across connected systems. Its primary goal is to exfiltrate sensitive information, including log-
in credentials and financial and personal data, through popular channels like SMTP, Discord, or
Telegram. VectorStealer uses advanced anti-analysis techniques, including the KGB Crypter tool, which
encrypts and modifies the code with each compilation, making it challenging to detect and remove. It can also recover sensitive data from popular browsers, like Firefox, Chrome, and
Safari. By leveraging KGB Crypter, VectorStealer can evade traditional security measures and successfully infiltrate systems, posing a severe threat to targeted individuals and organisa-
tions.
Security Advisory -
Snake Implant Malware
The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection
on sensitive targets. Globally, the FSB has used Snake to collect sensitive intelligence from high
priority targets, such as government networks, research facilities, and journalists.
As one example, FSB actors used Snake to access and exfiltrate sensitive international relations
documents, as well as other diplomatic communications, from a victim in a NATO country. With-
in the United States, the FSB has victimized industries including education, small businesses,
and media organizations, as well as critical infrastructure sectors including government facili-
ties, financial services, critical manufacturing, and communications.
Cicada3301: A Cross-Platform
Rust-Based Ransomware
A new and formidable threat has emerged in the cybersecurity landscape: a Rust-based ransomware variant known as Cicada3301. This advanced malware targets both Windows and Linux systems, reflecting its cross-platform versatility and raising alarms across diverse IT environments. Cicada3301 is linked to a notorious adversarial group with a history of attacking critical sectors, including government, healthcare, and financial institutions. The sophistication of Cicada3301 lies not only in its cross-platform capabilities but also in its execution of a double-extortion strategy. Initially, the ransomware infiltrates corporate networks to exfiltrate sensitive data, followed by the encryption of the victim’s devices. The attackers then lever
age both the encryption key and the threat of publicly releasing the stolen data to coerce organizations into paying the ransom. A key concern is Cicada3301’s advanced evasion techniques, particularly its ability to bypass traditional endpoint detection and response (EDR) systems. The ransomware employs sophisticated methods, such as weaponizing vulnerable signed drivers, to evade detection and complicate mitigation efforts. This dual-layered approach and its EDR evasion tactics significantly amplify the
threat posed by Cicada3301, underscoring the critical need for robust, multi-faceted cybersecurity
defenses. Organizations must be vigilant and proactive in their security measures to effectively counter this evolving and dangerous adversary.
CrowdStrike
Fallout
In recent days, an incident involving CrowdStrike’s Falcon platform has ignited a flurry of posts across social media platforms. Reports of Windows hosts encountering blue screen errors following a flawed content update have highlighted a critical cybersecurity concern often underestimated: the inadvertent exposure of organizational vulnerabilities through social media. The outcry on platforms like LinkedIn and Facebook inadvertently disclosed users’ reliance on
CrowdStrike for endpoint security. Beyond immediate operational disruptions, this exposure introduces a subtler yet significant risk: targeted attacks. Adversaries proficient in reconnaissance capitalize on such disclosures to gather intelligence on potential targets. This intelligence can inform the development of customized endpoint exploits meticulously crafted to evade or compromise CrowdStrike’s defenses. Compounding this emerging incident is attacks from malicious actors who are mimicking CrowdStrike’s official site, disseminating counterfeit code and instructions under the guise of assisting entities affected by the outage. In responding to this incident, it’s crucial for organizations to mitigate risks stemming from social media exposure, while also remaining vigilant against fraud ulent attempts to exploit the situation for malicious purposes.
CyberStash Security Advisory -
Lockbit 3.0 Ransomware
Lockbit 3.0 is a pernicious form of ransomware that encrypts files on infected systems and demands payment for the decryption key. This Ransomware-as-a-Service (RaaS) variant first
emerged in March 2023 and employs various distribution vectors, including phishing emails,
exploit kits, compromised credentials, and brute-force attacks against exposed public services. The threat actors behind Lockbit 3.0 also leverage remote administration tools such as
AnyDesk, Splashtop, and Atera RMM to establish persistent access to the victim’s network. Once a system is infected with Lockbit 3.0 ransomware, it employs advanced Living-off-the-Land (LoL) techniques and additional tools to spread itself across the network, seeking out
other vulnerable devices. This allows the ransomware to maximise its impact, potentially causing significant damage to the affected organisation. Given the sophisticated tactics used by Lockbit 3.0 threat actors, organisations must remain vigilant and adopt a multi-layered security approach to detect and prevent attacks in real-time
Cuttlefish
Malware
A new malware dubbed Cuttlefish has emerged, posing a significant threat to small office and home office (SOHO) routers. Its primary objective is to covertly monitor all traffic passing through these devices and extract authentication data from HTTP GET and POST requests. Cuttlefish operates as a modular malware, specifically targeting web requests passing through routers, facilitating the theft of authentication material.
Deadglyph
Malware
In a recent cyber espionage incident targeting the Middle Eastern Government entities, a newly emerged and highly sophisticated backdoor malware called ‘Deadglyph’ made its ominous debut.
The Deadglyph malware is designed with interchangeable parts, known as modules. These modules are like specialized tools that it can download from a central control center (C2). Each tool, or module, comes with specific instructions called shellcodes that the malware follows to carry out different tasks.
This modular approach gives threat actors the flexibility to create new tools whenever they need them. It’s like having a toolbox with the ability to craft custom tools for specific targets. These custom tools can then be sent to victims to carry out additional harmful actions.
Deep
Gosu
DEEP#GOSU Malware represents a highly sophisticated and elaborate cyber threat campaign observed recently, leveraging PowerShell and VBScript malware to compromise Windows systems. DEEP#GOSU malware is highly advanced and operates stealthily on Windows systems, especially when it comes to monitoring network activity.
Its abilities encompassed keylogging, monitoring clipboard activities, executing dynamic payloads, exfiltrating data, and maintaining persistence. This was achieved through a combination of Remote Access Trojan (RAT) software for complete remote control, scheduled tasks, and self-executing PowerShell scripts utilizing jobs.
Security Advisory -
DragonSpark
The DragonSpark Attack is a sophisticated attack that utilizes a tool called SparkRAT. SparkRAT
is a Remote Access Trojan that can run on multiple platforms and is developed using the Go programming language. The attack was first discovered by SentinelLabs and is carried out by compromising infrastructure located in China, Hong Kong, Taiwan, Singapore, and the United
States. The attacker uses this compromised infrastructure to deploy malware and a variety of
other tools. To execute code from the malware binaries, the attackers use a technique called Golang source code interpretation, which allows them to create a reverse shell for remote code execution. This technique makes it difficult to detect the attack because most endpoint security
software assesses the behavior of compiled code, rather than the source code itself
Exploiting
The regreSSHion Vulnerability
The identified vulnerability, known as “regreSSHion,” impacts OpenSSH, a widely-deployed implementation of the Secure Shell (SSH) protocol pivotal for secure remote administration and file transfers within enterprises. This flaw permits remote, unauthenticated adversaries to execute arbitrary code on affected systems, thereby potentially compromising the confidentiality, integrity, and availability of the targeted infrastructure.
Designated a CVE-2024-6387, this vulnerability manifests as a race condition in the signal handler of OpenSSH, facilitating unauthenticated remote code execution with root privileges. Notably, this
issue pertains specifically to the default configuration of sshd, thus posing a critical security threat necessitating immediate attention and remediation by organizations reliant on OpenSSH for secure communications. Addressing this vulnerability can be effectively managed through proactive measures such as ap plying patches promptly or implementing network configurations that restrict direct internet access. If these controls are not feasible right away, you can reduce the risk by configuring the OpenSSH server to set the LoginGraceTime parameter to 0. This prevents unauthenticated sessions from staying open and being vulnerable to exploitation. Yet, this adjustment could potential-
ly lead to a denial of service if all connection slots are filled
Emojis
Powered Malware Operations
A novel Linux malware, designated as ‘DISGOMOJI,’ has emerged, distinguished by its unconventional use of emojis to facilitate command execution on compromised systems. Predominantly directed at governmental entities within India, this malicious software has been linked to the activities of ‘UTA0137,’ a threat actor believed to operate out of Pakistan. In functionality, DISGOMOJI exhibits traits akin to conventional backdoors and botnets, empowering threat actors with capabilities such as remote command execution, screen capturing, file exfil
tration, payload deployment, and targeted file reconnaissance. However, its hallmark innovation resides in its adoption of Discord as a command and control (C2) platform, supplemented by emojis to issue directives. This departure from traditional text-based commands potentially augments its stealth capabilities, as it may elude detection by security solutions oriented towards scrutinizing text-based communications.
The emergence of DISGOMOJI underscores a notable evolution in malware tactics, where leverag-
ing popular communication platforms and unconventional mediums like emojis represents a concerted effort to circumvent traditional cybersecurity defenses. As such, vigilance and adaptation in defensive strategies are imperative to counteract this emerging threat landscape effectively
3CX
Desktop App Report
Several cybersecurity vendors expressed concerns on March 29th 2023, about a potential supply chain attack involving tampered 3CX installers that had been digitally signed. The attack aimed to compromise downstream customers. 3CX’s CEO confirmed that the desktop app was compromised with malware and advised customers to uninstall it and switch to the PWA client. This new malware has the ability to gather system information and steal stored credentials and data from user profiles of Chrome, Edge, Brave, and Firefox.
Affected platforms: The following platforms are known to be affected:
Windows users: versions 18.12.407 & 18.12.416 of the 3CX Desktop App Electron application shipped in Update 7
macOS users: versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX Desktop App Electron application
BellaCiao
IRGC
An Iranian state-sponsored hacking group known as APT35/APT42 or Mint Sandstorm has been identified as deploying a new strain of malware named BellaCiao, which has targeted victims in various countries, including the U.S., Europe, India, Turkey, and others. The campaign aims to exploit vulnerabilities in Microsoft Exchange servers to gain unauthorized access and deploy malicious payloads for espionage, data theft, and potentially ransomware attacks.
BellaCiao is a dropper malware designed to deliver additional malicious payloads to compromised devices based on instructions from the threat actors. Its primary objective is to establish persistence and maintain stealth while awaiting further instructions. The malware is customized for each victim (including hardcoded information such as company name, specially crafted subdomains, or associated public IP address) ensuring tailored implants and evading detection mechanisms.
BiBi
Wiper Malware
In a recent surge of cyber threats, Israeli computers are increasingly facing data-wiping attacks perpetrated by variants of the BiBi malware family. Researchers have identified these destructive elements affecting both Linux and Windows systems. The attacks are part of a broader cyber offensive targeting various sectors in Israel, notably in education and technology.
The Security Joes’ Incident Response team recently uncovered ‘BiBi-Linux,’ a malware strain designed for irreversible data corruption and operational disruption. Following this discovery, ESET researchers confirmed on October 31,2023 that a Windows variant of the same malware, linked to a hacktivist group named BiBiGun, was identified. This group is associated with Hamas, indicating a coordinated effort in deploying the malware for potential cyber-attacks and disruptions.
CMoon
USB Worm
A new USB worm, identified as “CMoon,” has emerged, specifically targeting Russian individuals and organizations. The malware is designed for data theft, with the primary objective of exfiltrating sensitive information from infected systems. The attack vector utilizes USB drives, making it particularly potent in environments with shared or transient storage media. The CMoon worm has raised significant concerns due to its potential impact on both government and private sector entities in Russia.In this attack, users are lured into clicking on links to regulatory documents—such as .docx, .xlsx, .rtf, and .pdf files—on the company’s website. However, these links have been compromised by threat actors, who have substituted the legitimate documents with malicious executables. These executables are distributed in the form of self-extracting archives that contain both the supposed document and a malicious payload named CMoon. When users download and open these archives, they inadvertently execute the CMoon payload, which establishes a backdoor or performs other malicious actions, giving the attackers control over the affected systems. This tactic exploits the trust users have in the legitimate appearance of regulatory documents and the company’s website to initiate the infection chain.
Mint
Sandstorm Campaign
Mint Sandstorm, who share similarities with the threat actor monitored by other researchers under the names APT35 and Charming Kitten, is an Iranian state-sponsored APT group that primarily
focuses on cyber-espionage activities, with a specific interest in targeting individuals and organiza-
tions associated with Microsoft’s educational and research sectors. Their operations aim to steal
sensitive intellectual property, research findings, and other valuable information. Mint Sandstorm’s primary targets are educators and researchers affiliated with Microsoft. The group is known for leveraging social engineering tactics, spear-phishing campaigns, and watering hole attacks to compromise the systems of their victims. The adversaries exploit vulnerabilities in software commonly used by educators and researchers, seeking to gain unauthorized access to
sensitive information.
The threat actors utilized compromised legitimate email accounts to send phishing lures, employed the Client for URL (curl) command to establish connections with the Mint Sandstorm command-and-control (C2) server for downloading malicious files, and introduced a new custom backdoor named MediaPl. These sophisticated techniques enhance Mint Sandstorm’s ability to evade detection and persistently compromise targeted systems.
Security Advisory -
Nevada Ransomware
NEVADA is a ransomware that targets Windows and Linux operating systems, encrypting files and appending the “.NEVADA” extension to filenames. It also drops a ransom note in folders containing encrypted files. The security community has addressed the malware’s initial access
vector and variations, with investigations ongoing to determine which known vulnerabilities attackers may be exploiting. As of February 3rd, 2023, Nevada ransomware is targeting VMware ESXi servers exposed to the Internet, and it’s a growing Ransomware-as-a-Service with an affiliate network for both Russian and English-speaking entities. The new variant of ESXiArgs encrypts more data, mak-
ing it challenging to recover, and the bitcoin wallet is no longer trackable. To counter the ongoing situation, it’s essential to ensure that ESXi servers are updated with VMWare’s provided
patches for known vulnerabilities and not exposed to the Internet.
Quasar
RAT Stealthy DLL Side-Loading
The Quasar RAT, an open-source remote access trojan, has been observed employing DLL side-loading techniques to discreetly operate and siphon data from compromised Windows hosts. This method takes advantage of the implicit trust these files hold within the Windows environment, utilizing ctfmon.exe and calc.exe as integral components of its attack chain. Quasar RAT, also recognized as CinaRAT or Yggdrasil, operates as a C#-based remote administra-
tion tool, offering functionalities such as collecting system information, listing running applications, accessing files, logging keystrokes, capturing screenshots, and executing arbitrary shell commands. This trojan’s utilization of DLL side-loading adds a layer of stealth to its activities, enabling it to navigate undetected through security measures while conducting its malicious operations on the compromised systems.
Remcos
RAT
The advent of a fresh variant of the IDAT loader, frequently utilized by cybercriminals for malware
dissemination, presents a formidable obstacle for both standard and advanced defense mechanisms. This latest iteration harnesses steganography, a technique for camouflaging data within apparently benign files, to clandestinely deploy the Remcos Remote Access Trojan (RAT). Steganography amplifies the stealth attributes of the payload, rendering it notably arduous for conventional security measures to identify. The Remcos RAT facilitates various malicious activities, including remote monitoring and data exfil-
tration. IDAT utilizes sophisticated evasion techniques, such as dynamic loading of Windows API
functions and obfuscation of API calls, to avoid detection. Upon execution, IDAT extracts the hidden payload from a PNG image file, decrypts it, and executes it in memory, injecting additional
modules into legitimate processes. The final stage involves decrypting and executing the Remcos
RAT, enabling covert data theft and surveillance.
Mitigation strategies include deploying robust security controls to reduce exposure and educating
users about the risks of opening files from untrusted sources.