Newsletter For First Week of February 2023


PlugX Malware Hides On USB Devices To Infect New Windows Hosts
Researchers have identified a PlugX malware variant that can hide malicious files on removable USB devices and then infect the Windows hosts they connect to. The malware uses what researchers call “a novel technique” that allows it to remain undetected for longer periods and could potentially spread to air-gapped systems. A sample of this PlugX variant was found by Palo Alto Networks’ Unit 42 team during a response to a Black Basta ransomware attack that relied on GootLoader and the Brute Ratel post-exploitation toolkit for red-team engagements.


8220 Gang Targets Public Cloud Providers With Cryptominers And IRC Bots
A for-profit Chinese threat group, 8220 Gang, was observed targeting cloud service providers and poorly secured apps. The group was observed using a cryptominer and an IRC botnet to extract financial gain from public cloud infrastructure. The source IP address used for the attack was a compromised Apache server hosted on a cloud provider. The IP address sent scripted commands to Radware’s Redis honeypot. Further, the Tsunami IRC bot supports four different types of denial-of-service attacks, such as SYN and UDP floods, which could result in financial losses for a victim organization.


Bitwarden Password Vaults Targeted In Google Ads Phishing Attack
Bitwarden and other password managers are being targeted in Google Ads phishing campaigns that aim to steal users’ password vault credentials. As enterprises and consumers move to using a unique password at every site, it has become essential to use password managers to keep track of them all. These passwords are stored in the cloud in “password vaults” that keep the data in an encrypted format, usually encrypted with the user’s master password.


Emotet Returns With New Evasion Tactics
Emotet has continued to evolve steadily, adding several new tactics and techniques to increase its likelihood of successful infection. The latest addition to its arsenal is a new evasion technique to trick users into allowing macros to download the dropper. Emotet operators are using .xls files in this new wave of phishing attacks. The new variant of Emotet has also moved from 32-bit to 64-bit as another method of evading detection.


Hive Ransomware Infrastructure Seized in Joint International Law Enforcement Effort
The darknet infrastructure associated with the Hive ransomware-as-a-service (RaaS) operation has been seized as part of a coordinated law enforcement effort involving 13 countries. Some Hive actors gained access to victims’ networks by using single-factor logins via Remote Desktop Protocol, virtual private networks, and other remote network connection protocols. Hive actors also bypassed multi-factor authentication and gained access by exploiting vulnerabilities; one such flaw allowed them to log in without a prompt for the user’s second authentication factor simply by changing the case of the username.
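The username-case bypass described above is a classic consistency bug: the password check matches usernames case-insensitively, but the MFA enrollment lookup is keyed on the username exactly as typed, so “Alice” authenticates as “alice” yet finds no MFA record and is waved through. The following is an added illustration written for this newsletter, not code from the Hive report or from any affected product; the identity store, the log format and the account names are constructed for the example. It shows the vulnerable pattern, a hardened login that canonicalizes the username and fails closed, and a small log check a SOC could use to flag successful logins where MFA was skipped for a case variant of an enrolled account.

```python
# Added example (not from the newsletter or the Hive report): a case-sensitive
# MFA-enrollment lookup behind a case-insensitive password check, and the fix.
import unicodedata

# Constructed sample identity store: usernames are stored in canonical form.
ACCOUNTS = {"alice": "correct-horse-battery", "bob": "hunter2"}  # password backend
MFA_ENROLLED = {"alice": "TOTP"}  # MFA store keyed by username; bob never enrolled


def lookup_password(username):
    # Many directories (e.g. Active Directory sAMAccountName) match case-insensitively.
    return ACCOUNTS.get(username.lower())


def login_vulnerable(username, password):
    """Password check is case-insensitive, but the MFA lookup is case-sensitive."""
    if lookup_password(username) != password:
        return "denied"
    # Bug: 'Alice' is a valid password match but is not a key in MFA_ENROLLED,
    # so the second-factor prompt is silently skipped.
    if username in MFA_ENROLLED:
        return "mfa_required"
    return "granted"


def canonical(username):
    # NFKC folds Unicode look-alike forms; casefold() handles case (stronger than lower()).
    return unicodedata.normalize("NFKC", username).casefold()


def login_hardened(username, password):
    """Canonicalize once, use the same key everywhere, and fail closed."""
    user = canonical(username)
    if lookup_password(user) != password:
        return "denied"
    # An account with no MFA record is a policy gap, not a free pass.
    if user not in MFA_ENROLLED:
        return "denied_no_mfa_enrollment"
    return "mfa_required"


# Constructed sample authentication log lines (hypothetical format, not from the report).
AUTH_LOG = [
    "2023-01-26T08:01:12Z login user=alice src=10.0.0.5 mfa=prompted result=ok",
    "2023-01-26T08:07:44Z login user=Alice src=198.51.100.7 mfa=skipped result=ok",
    "2023-01-26T08:09:03Z login user=bob src=10.0.0.9 mfa=prompted result=ok",
]


def find_mfa_skips(lines):
    """Return (username, src) for successful logins where MFA was skipped although
    the canonical form of the username belongs to an MFA-enrolled account."""
    hits = []
    for line in lines:
        # Fields after the timestamp and event name are key=value tokens.
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])
        if fields.get("result") != "ok" or fields.get("mfa") != "skipped":
            continue
        name = fields["user"]
        if name not in MFA_ENROLLED and canonical(name) in MFA_ENROLLED:
            hits.append((name, fields["src"]))
    return hits


if __name__ == "__main__":
    print(login_vulnerable("Alice", "correct-horse-battery"))  # granted (no MFA prompt)
    print(login_hardened("Alice", "correct-horse-battery"))    # mfa_required
    print(find_mfa_skips(AUTH_LOG))                            # [('Alice', '198.51.100.7')]
```

The hardening has two parts: a single canonicalization function applied before every store lookup, and a fail-closed rule for accounts that have no enrollment record at all. The log check is retrospective and only catches this specific variant; the durable fix is the consistent key.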


Python-Based PY#RATION RAT Stealthily Harvests Sensitive Information
A new attack campaign using a Python-based RAT, dubbed PY#RATION, has been discovered recently. The attackers have been leveraging the RAT since August 2022 to gain control over compromised systems. PY#RATION can transfer files from the infected host to its C2 servers or vice versa. It uses WebSockets for C2 communication and exfiltration, which also helps it avoid detection. The attack starts with a phishing email carrying a ZIP archive that contains two shortcut (.LNK) files. These files masquerade as the front and back images of a U.K. driver’s license to appear legitimate. The nature of the phishing lures indicates that the intended targets could be in the U.K. or North America.


Websites Of German Airports, Administration Bodies And Banks Were Hit By DDoS Attacks Attributed To Russian Hacker Group Killnet
A distributed denial-of-service (DDoS) attack is designed to overwhelm the target with a flood of internet traffic, preventing the system from functioning normally. The attacks were aimed “in particular at the websites of airports”, as well as some “targets in the financial sector” and “the websites of federal and state administrations”.


Chinese Hackers Utilize Golang Malware In DragonSpark Attacks To Evade Detection
Organizations in East Asia are being targeted by a likely Chinese-speaking actor dubbed DragonSpark, which employs uncommon tactics to get past security layers. A striking aspect of the intrusions is the consistent use of SparkRAT to conduct a variety of activities, including stealing information, obtaining control of an infected host, and running additional PowerShell instructions. Another malware of note is the Golang-based m6699.exe, which interprets at runtime the source code contained within it so as to fly under the radar and launch a shellcode loader that is engineered to contact the C2 server to fetch and execute the next-stage shellcode.


New Mimic Ransomware Abuses ‘Everything’ Windows Search Tool
A new ransomware strain dubbed Mimic leverages the APIs of the ‘Everything’ file search tool for Windows to look for files targeted for encryption. Mimic ransomware attacks begin with the victim receiving an executable, presumably via email, which extracts four files on the target system, including the main payload, ancillary files, and tools to disable Windows Defender. Mimic is a versatile ransomware strain that supports command-line arguments to narrow file targeting, and it can also use multiple processor threads to speed up the data encryption process.


Ukraine Hit With New Golang-Based ‘SwiftSlicer’ Wiper Malware In Latest Cyber Attack
Ukraine has come under a fresh cyber onslaught from Russia that involved the deployment of a previously undocumented Golang-based data wiper dubbed SwiftSlicer. The discovery of SwiftSlicer points to the consistent use of wiper malware variants by the Russian adversarial collective in attacks designed to wreak havoc in Ukraine. The development also comes as the Computer Emergency Response Team of Ukraine (CERT-UA) linked Sandworm to a recent, largely unsuccessful cyberattack on the national news agency Ukrinform.


The TechLab Cyber Security Team, responsible for monitoring, identifying, detecting, protecting, isolating, responding and recovering based on current threats, provides 24x7x365 services. TechLab Security specializes in various security products, projects, network devices, end-user devices, and systems.

The TechLab Cyber Security Team Major Responsibilities Are:
• Monitor, Analyze, Correlate & Escalate Intrusion Events,
• Develop Appropriate Responses; Protect, Detect, Respond,
• Conduct Incident Management and Forensic Investigation,
• Maintain Security Community Relationships,
• Various Cyber Security Consulting Services such as Penetration Testing, Vulnerability Assessment, PCI-DSS Compliance, and ISO 27001 implementation and audit compliance,
• Assist in Crisis Operations.