Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT

Source: CHECK POINT

Our analysis of recent campaigns reveals continuous enhancements in the malware’s evasion techniques, along with the introduction of a new stealer payload called “ApoloStealer.” Read more.

TA Phone Home: EDR Evasion Testing Reveals Extortion Actor’s Toolkit

Source: UNIT 42

In a recent investigation involving an extortion attempt, we discovered a threat actor had purchased access to the client network via Atera RMM from an initial access broker. We discovered the threat actor used rogue systems to install the Cortex XDR agent onto a virtual system. Read more.

Custom “Pygmy Goat” malware used in Sophos Firewall hack on govt network

Source: BLEEPING COMPUTER

The UK’s National Cyber Security Centre (NCSC) has published an analysis of a Linux malware named “Pygmy Goat” created to backdoor Sophos XG firewall devices as part of recently disclosed attacks by Chinese threat actors. Read more.

Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network

Source: Microsoft

Microsoft has linked the source of these password spray attacks to a network of compromised devices we track as CovertNetwork-1658, also known as xlogin and Quad7 (7777). Read more.

Strela Stealer targets Central and Southwestern Europe through Stealthy Execution via WebDAV

Source: CYBLE

The payload, Strela Stealer, is embedded within an obfuscated DLL file, specifically targeting systems in Germany and Spain. Strela Stealer is programmed to steal sensitive email configuration details, such as server information, usernames, and passwords. Read more.

Every Doggo Has Its Day: Unleashing the Xiū gǒu Phishing Kit

Source: Netcraft

The kit comes equipped with Telegram bots to exfiltrate credentials, ensuring that threat actors can maintain access to data even if their phishing site is taken down. Threat actors operating the kit send lure messages over Rich Communication Services (RCS) rather than SMS. Read more.

New LightSpy Spyware Version Targets iPhones with Increased Surveillance Tactics

Source: The Hacker News

Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up. Read more.

Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files

Source: Microsoft

In this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server. Read more.

CloudScout: Evasive Panda scouting cloud services

Source: welivesecurity

CloudScout utilizes stolen cookies, provided by MgBot plugins, to access and exfiltrate data stored at various cloud services. We analyzed three CloudScout modules, which aim to steal data from Google Drive, Gmail, and Outlook. We believe that at least seven additional modules exist. Read more.

RAT Malware Operating via Discord Bot

Source: ASEC

This post analyzes a case (PySilon) where RAT malware was implemented using a Discord bot. The full source code of this RAT malware is publicly available on GitHub, and user communities exist on its website and on Telegram servers. Read more.