Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
Large scale Google Ads campaign targets utility software
Source: Malwarebytes LABS
Following the creation of advertiser identities belonging to real businesses, the threat actors launch their malicious ads, hiding their infrastructure behind several layers of fingerprinting and cloaking. Read more.
Mind the (air) gap: GoldenJackal gooses government guardrails
Source: welivesecurity
These toolsets provide GoldenJackal a wide set of capabilities for compromising and persisting in targeted networks. Victimized systems are abused to collect interesting information, process the information, exfiltrate files, and distribute files, configurations and commands to other systems. Read more.
Awaken Likho is awake: new techniques of an APT group
Source: SECURE LIST
Analysis of the campaign revealed that the attackers had significantly changed the software they used in their attacks. The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems. Read more.
How Malware is Evolving: Sandbox Evasion and Brand Impersonation
Source: VERITI
According to the MITRE ATT&CK framework, malware can check for signs of a sandbox by monitoring system behavior, including checking for user actions like mouse clicks or running time-based checks. Once the malware detects it is inside a sandbox, it can change its behavior, often terminating its execution or connecting to benign domains to avoid raising suspicion. Read more.
perfctl: A Stealthy Malware Targeting Millions of Linux Servers
Source: Aqua
During one of our sandbox tests, the threat actor utilized one of the malware’s backdoors to access the honeypot and started deploying some new utilities to better understand the nature of our server, trying to understand what exactly we are doing to its malware. Read more.
Scam Information and Event Management
Source: SECURE LIST
The attackers distributed the malicious files using websites for downloading popular software (uTorrent, Microsoft Office, Minecraft, etc.) for free. These websites were shown to users in the top search results in Yandex. Malware was also distributed through Telegram channels targeted at crypto investors and in descriptions and comments on YouTube videos about cryptocurrency, cheats and gambling. Read more.
Crypto-Stealing Code Lurking in Python Package Dependencies
Source: Checkmarx
On September 22nd, a new PyPI user orchestrated a wide-ranging attack by uploading multiple packages within a short timeframe. These packages, bearing names like “AtomicDecoderss,” “TrustDecoderss,” “WalletDecoderss,” and “ExodusDecodes,” masqueraded as legitimate tools for decoding and managing data from an array of popular cryptocurrency wallets. Read more.
Stonefly: Extortion Attacks Continue Against U.S. Targets
Source: Symantec
In several of the attacks, Stonefly’s custom malware Backdoor.Preft (aka Dtrack, Valefor) was deployed. This tool is exclusively associated with the group. In addition to this, several Stonefly indicators of compromise recently documented by Microsoft were found on the compromised networks. Read more.
Pig Butchering Alert: Fraudulent Trading App targeted iOS and Android users
Source: Group-IB
Pig Butchering is a term used to describe a sophisticated and manipulative scam in which cybercriminals lure victims into fraudulent investment schemes, typically involving cryptocurrency or other financial instruments. The name of the scam refers to the practice of fattening a pig before slaughter. Read more.
BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell
Source: G Data
In a complex infection chain that starts with an email containing an ISO image, this malware stands out by its way of compiling C# code directly on the infected machine. It also uses a technique known as AppDomain Manager Injection to advance execution. Read more.