Request demo

The New ‘Ransomware? What Ransomware?’ Report


Weekly Cyber Round-up

Intelligence Report

July 18, 2024

MuddyWater distributes BugSleep backdoor via phishing emails

Check Point researchers observed a new MuddyWater phishing campaign using a new backdoor, dubbed BugSleep, to target organisations in Israel. BugSleep has been used in phishing lures since May 2024 and has multiple variants.The attackers used the Egnyte file-sharing platform to deliver malicious files to target organisationsBugSleep is capable of evading sandboxes, creates a mutex, decrypts its configuration, creates a scheduled task to maintain persistence, and utilises encrypted C2 communication to transfer files from the victim’s machine. The researchers noted that MuddyWater activity has significantly increased since the start of the Israel-Hamas war in October 2023.

Get the alert delivered directly to your inbox

Researchers discover multiple domains linked to FIN7 campaigns 

Silent Push researchers discovered multiple new campaigns attributed to the threat actor FIN7. Over 4,000 domains related to phishing, spoofing, shell, and malware delivery activity were identified. The campaigns targeted multiple organisations, including Microsoft 365, Wall Street Journal, Reuters, Louvre Museum, as well as software such as 7-ZIP, PuTTY, and Python. FIN7 attack vectors include specific templates for distributing MSIX malware via Google ads. One attack chain targeting LexisNexis involved the use of the NetSupport remote access trojan to obtain elevated privileges for lateral movement and access to Active Directory.

Facebook malvertising campaign distributes SYS01 infostealer

Trustwave researchers observed a Facebook malvertising campaign that delivers the SYS01 information stealer through fake downloads for pirated games and software, as well as fake Windows themes. The advertisements are promoted through newly created business pages or hijacked existing pages which are modified to support the malicious downloads. Upon clicking on an ad, victims are redirected to webpages hosted on Google Sites or True Hosting that contain a download for a ZIP archive which leverages DLL sideloading to set up SYS01’s operating environment. SYS01’s primary payload uses PHP scripts to create scheduled tasks for persistence and to steal data.

APT17 targets Italian entities with Rat 9002

On June 24th and July 2nd, 2024, TG Soft researchers observed two attacks from the Chinese advanced persistent threat (APT) actor, APT17, targeting Italian companies and government entities. The threat actor ultimately delivered a variant of Rat 9002 in diskless mode. Rat 9002 is a modular malware that can monitor network traffic and download additional diskless plugins, enabling screen capture, browsing files, process management, uninstallation, and the execution of programs.In both attacks, the threat actor lured victims to install a Skype for Business package from a link on a malicious domain mimicking an official page for Equitalia Giustizia meetings.

Konfety operation uses malicious ‘twin’ apps for advert fraud

HUMAN researchers recently identified an advert fraud operation, dubbed Konfety, that abuses the CaramelAds software development kit (SDK) to create harmless decoy apps on Google Play and malicious counterparts. The threat actors uploaded more than 250 Android apps on the official Google Play Store that use the CaramelAds SDK in their code. The apps have malicious twins, also containing the CaramelAds SDK, that are distributed outside the Play Store through malvertising, click-baiting, and drive-by downloads. The malicious apps spoof the app and advertising publisher IDs of the legitimate apps in order to trick networks into believing the traffic is legitimate. The twin apps perform advert fraud by covertly loading and playing video ads on infected devices.


Volume of blog posts by operators during the last week.

Deep Dive: Exposing BlackSuit RansomwareDeep Instinct Blog – Jul 17 2024Shadowroot Ransomware Lures Turkish Victims via Phishing AttacksDark Reading – Jul 16 2024Microsoft links Scattered Spider hackers to Qilin ransomware – Jul 16 2024Technical Analysis: Killer Ultra Malware Targeting EDR Products in Ransomware AttacksBinary Defense – Jul 16 2024SEXi ransomware rebrands to APT INC, continues VMware ESXi – Jul 15 2024Hardening of HardBitCybereason – Blog – Jul 10 2024

High Priority Vulnerabilities

Name Software Base
CVE-2024-38112 Windows 7.5 7.2
Related: CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks
CVE-2024-36401 GeoServer 9.8 9.4
Related: CISA warns critical Geoserver GeoTools RCE flaw is exploited in attacks
CVE-2024-4879 Now Platform 9.8 9.4
Related: ServiceNow flaws could be chained for full database access
CVE-2019-18394 Openfire 9.8 9.8
Related: CRYSTALRAY: Inside the Operations of a Rising Threat Actor Exploiting OSS Tools
CVE-2024-34102 Magento 9.8 9.4
Related: Mass exploitation of CosmicSting flaw impacting Adobe Commerce Stores observed

Get the full report
delivered to your inbox​

By filling out and submitting this request you give us your consent to use and store the information  you have provided for the purpose set out above or in connection with it. For more information, see our Privacy Policy.