Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite
Source: Elastic Security Labs
Infection chains employ injection and DLL side-loading using a custom loader (SADBRIDGE). SADBRIDGE deploys a newly discovered variant of the QUASAR backdoor written in Golang (GOSAR). GOSAR is a multi-functional backdoor under active development, with incomplete features and iterations of improved features observed over time. Read more.
Analysis of TIDRONE attackers’ attacks on domestic companies
Source: ASEC
AhnLab Security Intelligence Center (ASEC) has confirmed that the TIDRONE attacker has recently been conducting attacks against domestic companies. The software exploited in these attacks is ERP software, through which a backdoor malware called CLNTEND is installed. Read more.
Declawing PUMAKIT
Source: Elastic Security Labs
PUMAKIT is a sophisticated piece of malware, initially uncovered during routine threat hunting on VirusTotal and named after developer-embedded strings found within its binary. Its multi-stage architecture consists of a dropper (cron), two memory-resident executables (/memfd:tgt and /memfd:wpn), a loadable kernel module (LKM) rootkit and a shared object (SO) userland rootkit. Read more.
Gamaredon Deploys Android Spyware “BoneSpy” and “PlainGnome” in Former Soviet States
Source: The Hacker News
The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome, marking the first time the adversary has been discovered using mobile-only malware families in its attack campaigns. Read more.
Iran-Linked IOCONTROL Malware Targets SCADA and Linux-Based IoT Platforms
Source: The Hacker News
The malware has been codenamed IOCONTROL by OT cybersecurity company Claroty, highlighting its ability to attack IoT and supervisory control and data acquisition (SCADA) devices such as IP cameras, routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms. Read more.
Careto is back: what’s new after 10 years of silence?
Source: Securelist
The persistence method used by the threat actor relied on WorldClient's support for loading extensions that handle custom HTTP requests from clients to the email server. These extensions are configured through the C:\MDaemon\WorldClient\WorldClient.ini file. Read more.
Malware Analysis: A Kernel Land Rootkit Loader for FK_Undead
Source: G Data
We discovered a Windows rootkit loader [F1] for the malware family FK_Undead. The malware family is known for intercepting user network traffic through manipulation of proxy configurations. Read more.
Law enforcement shuts down 27 DDoS booters ahead of annual Christmas attacks
Source: EUROPOL
Law enforcement agencies worldwide have disrupted a holiday tradition for cybercriminals: launching Distributed Denial-of-Service (DDoS) attacks to take websites offline. As part of an ongoing international crackdown known as PowerOFF, authorities have seized 27 of the most popular platforms used to carry out these attacks. Read more.
Inside Zloader’s Latest Trick: DNS Tunneling
Source: Zscaler
Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular Trojan based on the leaked Zeus source code dating back to 2015. Zloader 2.9.4.0 adds notable improvements including a custom DNS tunnel protocol for C2 communications and an interactive shell that supports more than a dozen commands, which may be valuable for ransomware attacks. Read more.
Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows
Source: CADO
“Meeten” is an application used to scam users into downloading an information stealer. The company behind it regularly changes names and is currently going by the name Meetio. The threat actors set up full company websites, with AI-generated blog and product content and social media accounts including Twitter and Medium. Read more.