Chinese PlugX Malware Hidden in Your USB Devices?

(published: January 26, 2023)

Background:

Palo Alto Networks Unit 42 researchers analyzed a PlugX malware variant (KilllSomeOne) that spreads via USB devices such as floppy, thumb, or flash drives. The variant is used by a technically skilled group, possibly linked to the Black Basta ransomware operation. The actors use specially crafted shortcuts, folder icons and settings to make folders impersonate disks and a recycle bin directory. They also name certain folders with the U+00A0 (no-break space) Unicode character, which hinders Windows Explorer and the command shell from displaying the folder and the files inside it.

Takeaway:

Several behavior detections could be used to spot similar PlugX variants: DLL side-loading, addition of registry persistence, and payload execution with rundll32.exe. Incident responders can check USB devices for folders whose names contain the no-break space character.
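One way to carry out that USB check is shown below. This is an added example written for this bulletin, not code from Unit 42 or from the PlugX report; it builds a constructed sample drive layout (a lure shortcut in the root, a normal folder, and a folder named with a single U+00A0 holding a side-loaded DLL) and then scans it. It goes slightly beyond the text by flagging any Unicode space separator (category Zs) other than the ordinary space, not only U+00A0, since any of them renders invisibly in a listing. Point scan_removable_root at a mounted removable drive (for example "E:\\") to run it on real media.

```python
import os
import tempfile
import unicodedata
from pathlib import Path

NBSP = "\u00a0"  # U+00A0, the character the PlugX variant uses in folder names


def has_invisible_space(name):
    """True if a name contains U+00A0 or any other Unicode space
    separator (category Zs) apart from the ordinary ASCII space."""
    return any(ch != " " and unicodedata.category(ch) == "Zs" for ch in name)


def visible(name):
    """Render invisible space separators as <U+XXXX> so they show up in reports."""
    return "".join(
        f"<U+{ord(ch):04X}>" if ch != " " and unicodedata.category(ch) == "Zs" else ch
        for ch in name
    )


def scan_removable_root(root):
    """Walk a mounted removable drive and return findings as (kind, path, detail) tuples."""
    root = Path(root)
    findings = []
    # Shortcut files sitting in the drive root are how the lure is presented;
    # list them so the analyst inspects their targets.
    for entry in sorted(root.iterdir()):
        if entry.is_file() and entry.suffix.lower() == ".lnk":
            findings.append(("root-shortcut", str(entry.relative_to(root)), ""))
    # Any directory whose name contains an invisible space is hidden from a
    # casual listing; report it together with how many files it holds.
    for dirpath, dirnames, _ in os.walk(root):
        for d in sorted(dirnames):
            if has_invisible_space(d):
                full = Path(dirpath) / d
                n_files = sum(len(files) for _, _, files in os.walk(full))
                findings.append(("invisible-space-dir",
                                 visible(str(full.relative_to(root))),
                                 f"{n_files} file(s) inside"))
    return findings


def build_sample_tree(base):
    """Constructed sample layout (not a real capture): a lure shortcut in the
    root, a normal Documents folder, and a folder named with one U+00A0 that
    holds a legitimate EXE, the DLL it side-loads, and an encrypted payload."""
    base = Path(base)
    (base / "USB Drive.lnk").write_bytes(b"L\x00\x00\x00")  # fake .lnk, header bytes only
    (base / "Documents").mkdir()
    (base / "Documents" / "report.docx").write_bytes(b"")
    hidden = base / NBSP
    hidden.mkdir()
    (hidden / "legit.exe").write_bytes(b"MZ")
    (hidden / "sideload.dll").write_bytes(b"MZ")
    (hidden / "payload.dat").write_bytes(b"")
    return base


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_removable_root(tmp)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:22} {path} {detail}")
```

On a real drive, treat every invisible-space directory as suspect and pull its contents (a signed executable next to a same-named DLL is the side-loading pair to look for) before the device is plugged into anything else.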

Abraham’s Ax Likely Linked to Moses Staff

(published: January 26, 2023)

Background:

Cobalt Sapling is an Iran-based threat actor active in hacking, leaking, and sabotage since at least November 2020. Since October 2021, Cobalt Sapling has operated under a persona called Moses Staff to leak data from Israeli businesses and government entities. In November 2022, an additional fake identity, Abraham's Ax, was created to target government ministries in Saudi Arabia. Cobalt Sapling uses its custom PyDCrypt loader, the StrifeWater remote access trojan, and the DCSrv wiper, which is styled as ransomware.

Takeaway:

A defense-in-depth approach helps build a proactive stance against threat actors attempting to destroy data. Critical systems should be segregated from each other to limit potential damage, with every exposed attack surface closely monitored for malicious activity. A strong and enforced backup policy, with backups kept offline or otherwise out of reach of a wiper, will allow fast recovery of compromised systems.


New Mimic Ransomware Abuses Everything APIs for its Encryption Process

(published: January 26, 2023)

Background:

The new Mimic ransomware has been active since June 2022. At least some of its functions show significant code similarity to the Conti ransomware source code leaked in March 2022. Mimic is unusual in that it bundles Everything32.dll, the library of the legitimate Everything filename search tool for Windows, and calls its Everything_SetSearchW function to enumerate the files to be encrypted (and to retrieve their full paths) as well as the files to be skipped.

Takeaway:

Multi-threading and abuse of Everything's APIs optimise Mimic for fast encryption. Ransomware is a constantly evolving threat, and the most fundamental defense is having proper backup and restore processes in place that allow recovery without any need to decrypt the affected data. Data theft is containable through segmentation, encrypting data at rest, and limiting the storage of personal and sensitive data.

TA444: The APT Startup Aimed at Acquisition (of Your Funds)

(published: January 25, 2023)

Background:

The North Korea-sponsored, financially motivated group APT38 (Bluenoroff, Stardust Chollima, TA444) and related clusters stole nearly $400 million worth of cryptocurrency-related assets in 2021, and more than $1 billion during 2022, according to Proofpoint estimates. The group extensively experimented with new delivery methods, continuing with remote templates and LNK shortcuts while trying MSI installers, virtual hard drive (VHD) files, ISO images, and compiled HTML (CHM) files. APT38 also operates multiple post-exploitation backdoors. In 2021-2022, the group was detected using browser extensions, Cardinal, CheeseTray, DyePack, msoRAT, passive backdoors, the Rantankba suite, and virtualized listeners.

Takeaway:

Defenders are advised to block the indicators reported for this campaign on their infrastructure, and to review mail filtering for the container formats (MSI, VHD, ISO, CHM) the group is using for delivery.

DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation

(published: January 24, 2023)

Background:

An unknown Chinese-speaking attacker is utilizing the multiplatform, open-source remote access tool SparkRAT. To evade static analysis, the DragonSpark campaign uses the Yaegi framework to interpret, at runtime, encoded Go source code stored within the compiled binary. DragonSpark infrastructure is mostly based on compromised web servers and MySQL database servers in East Asia (China, Hong Kong, Singapore, and Taiwan). DragonSpark has been dropping the China Chopper webshell and utilizing custom loaders and additional open-source tools, including the GotoHTTP cross-platform remote access tool and the BadPotato and SharpToken privilege escalation tools.

Takeaway:

The use of SparkRAT by various threat actors is likely to increase in the future. Always practice defense-in-depth: do not rely on a single security mechanism; security measures should be layered, redundant, and fail-safe.

Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network

(published: January 24, 2023)

Background:

The Violetlovelines campaign is a continuation of a larger multi-year WordPress infection campaign that sought to redirect users to tech support scams. Violetlovelines expands to new types of redirects, including promotion of suspicious apps and outright drive-by compromise delivering the Raccoon stealer. Sucuri researchers estimate over 5,600 affected WordPress websites and over 190,000 applications installed through fake browser update warnings.

Takeaway:

Site administrators should keep their systems updated and secure the administrator panel with two-factor authentication or other access restrictions. If your site was infected, perform a core file integrity check, search for any other files containing the same injection, and review all recently modified or added files.
