The Silobreaker Weekly Geopolitical Risk Briefs


Weekly Cyber Round-up

Intelligence Report

May 1, 2025

Earth Kurma APT campaign targets government and telecommunications sectors in Southeast Asia

Since June 2024, Trend Micro researchers observed a sophisticated advanced persistent threat (APT) campaign targeting government and telecommunications sectors in Southeast Asia. The campaign primarily focuses on data exfiltration from government sectors, with cyberespionage the likely motivation. Multiple tools are used as part of the lateral movement stage, including WMIHACKER, the KMLOG keylogger, and ICMPinger and Ladon to survey the victims’ infrastructures. The attackers use multiple loaders such as DUNLOADER, TESDAT, and DMLOADER to load payload files into memory and execute them, as well as rootkits such as KRNRAT and MORIYA to bypass scanning. The loaders are then used to deploy the SIMPOBOXSPY and ODRIZ exfiltration tools, allowing specific documents to be exfiltrated to the attacker’s cloud services, such as Dropbox and OneDrive. The researchers have attributed the activity to a new APT called Earth Kurma. 


Power Parasites campaign targets Asia with job and investment scams

Silent Push researchers observed an ongoing scam campaign, dubbed Power Parasites, that is primarily targeting individuals across Asian countries, including Bangladesh, Nepal, and India. The campaign uses job and investment scams impersonating major energy and technology brands, such as Siemens Energy, Schneider Electric, Repsol, Netflix, and more, to facilitate financial fraud and identity theft. The scams have been observed being promoted on YouTube, Telegram channels, Facebook, and other deceptive websites and social media groups. Individuals who interact with the job scams receive legitimate-looking employment agreements demanding sensitive personal details. The researchers discovered more than 150 domains as part of the campaign’s infrastructure.

Phishing campaign targets Office 365 credentials using multiple methods to bypass security

Fortra researchers identified a new phishing campaign that has targeted the Office 365 credentials of 30 organisations across varying sectors. The campaign leverages emails seemingly sent from a financial institution, using randomly generated strings of characters in the subject and sender name fields to bypass email security controls. Except for header information, the email body is blank, with the threat actors hiding the payload within another attached email. The embedded email contains an SVG file with malicious code leading to a phishing site that appears to display a standard CAPTCHA challenge. Completing the CAPTCHA directs the user to what appears to be a PDF download portal, with the user prompted to provide their email address to access the file. The email address is used to generate a custom Office 365 login page that requests full login credentials.
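The three structural traits of this lure (blank body, an attached message/rfc822, and a script-bearing SVG inside that attachment) can be checked mechanically at the mail gateway or in triage. The following is an added detection example written for this brief, not Fortra's code; the sample message, addresses and file names are constructed, and the random-subject test is a deliberately crude heuristic.

```python
"""Triage a raw message for the chain described above: near-empty body,
an attached message/rfc822, and an SVG inside that attachment carrying
script-like content. All sample data below is constructed."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script-bearing constructs that have no business in a mailed "image"
SCRIPT_MARKERS = re.compile(rb"<script|\bon[a-z]+\s*=|javascript:|<foreignObject", re.I)
# Crude heuristic for the random alphanumeric subjects the campaign used
RANDOM_TOKEN = re.compile(r"(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{6,}")

def body_is_blank(msg: EmailMessage) -> bool:
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or not body.get_content().strip()

def nested_messages(msg: EmailMessage):
    # message/rfc822 parts hold the inner message as their first payload item
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            yield part.get_payload(0)

def scripted_svg_names(msg: EmailMessage) -> list:
    hits = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "image/svg+xml" or name.endswith(".svg"):
            data = part.get_payload(decode=True) or b""   # decoded attachment bytes
            if SCRIPT_MARKERS.search(data):
                hits.append(name or "<unnamed>")
    return hits

def analyse(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    svgs = [n for inner in nested_messages(msg) for n in scripted_svg_names(inner)]
    blank = body_is_blank(msg)
    random_subject = RANDOM_TOKEN.fullmatch(msg["Subject"] or "") is not None
    return {"blank_body": blank, "random_subject": random_subject,
            "scripted_svgs": svgs, "suspicious": blank and bool(svgs)}

def build_sample() -> bytes:
    """Constructed lookalike of the described lure (not a real capture)."""
    inner = EmailMessage()
    inner["Subject"], inner["From"] = "Remittance advice", "billing@example.test"
    inner.set_content("Please review the attached document.")
    svg = b'<svg xmlns="http://www.w3.org/2000/svg"><script>location="https://captcha.example.test/"</script></svg>'
    inner.add_attachment(svg, maintype="image", subtype="svg+xml", filename="remittance.svg")
    outer = EmailMessage()
    outer["Subject"], outer["From"] = "Qx7p2Lz9", "k3Zt8Mq <notice@bank.example.test>"
    outer["To"] = "user@example.test"
    outer.add_attachment(inner)   # the only part is the attached email; no body text
    return outer.as_bytes()

if __name__ == "__main__":
    print(analyse(build_sample()))
```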

Nation-state actors and cybercriminals observed targeting cybersecurity vendors

SentinelOne researchers warned that both nation-state actors and cybercriminals are targeting cybersecurity vendors, including SentinelOne. For example, North Korean IT workers have been observed posing as job applicants to identify ways to access or abuse their platform, while Chinese-linked actors have targeted organisations aligned with SentinelOne’s business and customer base. Among the identified China-linked threat actors is PurpleHaze, who relied on an operational relay box network to target multiple sectors in October 2024 with GoReShell. One of the targets was a South Asian government entity that was also targeted with ShadowPad samples obfuscated with ScatterBrain in June 2024. Threat actors are also increasingly shifting to private messaging apps to advertise their services, while groups such as Nitrogen ransomware impersonate real companies to purchase official licenses for endpoint detection and response services and other security products from small resellers. 

Outlaw botnet leverages SSH credentials for command execution, DDoS, and more

Kaspersky researchers observed an Outlaw botnet campaign leveraging weak or default SSH credentials to target Linux environments in the United States, Germany, Italy, Brazil, and more. The botnet disguises itself as an rsync process, creates a copy of itself in the background, ignores termination signals, and supports a range of malicious features. After compromising SSH credentials, the threat actor downloads a first-stage script, which uses utilities such as wget or curl to fetch a file from the attacker’s server. The threat actor then checks whether miners are present on the machine, blocking any that are present, and executes a file for persistence and next-stage malware execution. The malware is a Base64-encoded string that can be decoded to reveal a Perl script for an IRC-based botnet client that acts as a backdoor on compromised systems. Another file within the hidden directory holds the binary for the XMRig cryptocurrency miner.

High Priority Vulnerabilities

Name             Software                  Base Score   Temp Score
CVE-2025-31324   NetWeaver                 10.0         9.4
  Related: SAP fixes actively exploited zero-day flaw in NetWeaver
CVE-2025-3928    Web Server                9.8          9.4
  Related: Commvault, Active! Mail, and Broadcom flaws under active exploitation
CVE-2025-32432   CMS                       10.0         7.0
  Related: Critical zero-day flaws in Craft CMS actively exploited
CVE-2025-21756   Kernel                    8.0          7.6
  Related: High-severity use-after-free flaw in Linux kernel leads to code execution and privilege escalation
CVE-2025-0282    Neurons for ZTA gateways  9.0          7.7
  Related: Ivanti Connect Secure zero-day exploited to deliver DslogdRAT to Japanese organisations
