Blind Eagle and StrongPity hackers use sophisticated attack techniques to deploy malware
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.
Hackers are utilizing a DLL sideloading approach to load malware into the memory of a compromised system by abusing the Windows Problem Reporting (WerFault.exe) error reporting utility. A phishing email with an ISO attachment served as the launchpad for the malware campaign employing this method. The ISO file contained a DLL file, an XLS file, a shortcut (LNK) file, and the genuine WerFault.exe binary. When the LNK file is launched, it starts a scriptrunner.exe process, which is used to proxy the execution of the WerFault.exe binary.
The WerFault.exe process sideloads the malicious faultrep.dll, which then opens the accompanying XLS spreadsheet as a decoy and loads a copy of Pupy RAT into memory. Pupy RAT is an open-source piece of malware that gives threat actors complete access to an infected device. All devices within an organization should be kept up to date and protected with proper endpoint security controls, such as an EDR. Implementing and maintaining email security rules, including the capability to block certain file attachments, is also highly advised.
A threat actor known as Blind Eagle (APT-C-36), which targets companies in Colombia and Ecuador, has reemerged with a sophisticated toolkit and infection chain. The attack chain starts with phishing emails containing a booby-trapped link which, when clicked, launches an open-source trojan called Quasar RAT with the aim of accessing the victim's bank accounts.
Rather than delivering the RAT directly, this attack uses a more complex multi-stage procedure that takes advantage of the legitimate mshta.exe binary to execute VBScript embedded within an HTML file, which then downloads two malicious Python scripts. To protect systems and prevent data loss, it is recommended to block URL categories such as Torrent/Warez, deploy a Data Loss Prevention (DLP) solution, and monitor for beaconing at the network level.
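The two process-level chains above (WerFault.exe sideloading faultrep.dll after being proxied through scriptrunner.exe, and mshta.exe running script from an HTML file) are the kind of behaviour an EDR or SIEM correlation rule can key on. The following Python is an added example, not code from SISA or from any vendor: it runs a few hypothetical detection rules over constructed Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records. The field names follow Sysmon's naming, the sample paths and command lines are constructed, and the rule conditions are assumptions about what a defender would flag.

```python
"""Toy detection rules for the WerFault.exe sideloading chain and the
mshta.exe HTML/VBScript chain.

Added example; not code from SISA or any vendor. Events are constructed
Sysmon-style records (EventID 1 = process create, 7 = image load) and the
rules are hypothetical illustrations of EDR/SIEM checks.
"""
from pathlib import PureWindowsPath

# Directories where the genuine WerFault.exe and faultrep.dll normally live
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Command-line fragments that indicate mshta.exe is running script content
MSHTA_SCRIPT_HINTS = (".hta", ".html", "http://", "https://", "javascript:", "vbscript:")


def _name(path: str) -> str:
    """File name of a Windows path, lower-cased."""
    return PureWindowsPath(path).name.lower()


def _in_system_dir(path: str) -> bool:
    """True when the file's parent directory is one of SYSTEM_DIRS (exact match)."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def check_event(ev: dict) -> list:
    """Return a list of alert strings for one event (empty when nothing matched)."""
    alerts = []
    if ev.get("EventID") == 7:  # image load
        loaded = ev["ImageLoaded"]
        # WerFault.exe should only ever resolve faultrep.dll from a system directory;
        # a copy next to the binary (e.g. on a mounted ISO) is the sideloading pattern
        if _name(ev["Image"]) == "werfault.exe" and _name(loaded) == "faultrep.dll" \
                and not _in_system_dir(loaded):
            alerts.append(f"DLL sideloading: WerFault.exe loaded {loaded}")
    elif ev.get("EventID") == 1:  # process create
        image = _name(ev["Image"])
        parent = _name(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "").lower()
        # WerFault.exe proxied through scriptrunner.exe, or run from a non-system copy
        if image == "werfault.exe" and (parent == "scriptrunner.exe" or not _in_system_dir(ev["Image"])):
            alerts.append(f"Suspicious WerFault.exe launch: parent={parent}, image={ev['Image']}")
        # mshta.exe pointed at an HTML/HTA file, a URL, or an inline script protocol
        if image == "mshta.exe" and any(h in cmd for h in MSHTA_SCRIPT_HINTS):
            alerts.append(f"mshta.exe script execution: {ev['CommandLine']}")
    return alerts


def scan(events) -> list:
    """Run check_event over an iterable of events and collect all alerts."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample telemetry: one benign WerFault launch, the ISO-based chain
# (D: is the mounted ISO), one benign faultrep.dll load, and an mshta.exe launch.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "WerFault.exe -u -p 1234 -s 5678"},
    {"EventID": 1, "Image": r"D:\attachment\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\scriptrunner.exe",
     "CommandLine": r"D:\attachment\WerFault.exe"},
    {"EventID": 7, "Image": r"D:\attachment\WerFault.exe",
     "ImageLoaded": r"D:\attachment\faultrep.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\faultrep.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\victim\Downloads\invoice.html"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints three alerts (the proxied launch, the sideload, and the mshta.exe execution) and nothing for the two benign records. The directory check is an exact parent-path match, so a legitimately relocated WerFault.exe or an unusual Windows install path will need tuning, and the mshta.exe rule only inspects the command line, so it is a starting point for a rule rather than a finished one.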
Automated Libra is a freejacking group based in South Africa that primarily targets cloud platforms offering free trials of cloud resources for a brief period, using them to carry out its cryptomining operations. The PurpleUrchin actors carried out these Play and Run activities by setting up fake accounts using fraudulent or stolen payment cards.
Additionally, it was discovered that the actors preferred to use cloud services provided by conventional virtual service providers (VSPs). Heroku and Togglebox are two of the cloud service providers that offer CAP and AHP services and were targeted by the PurpleUrchin actors. The actor used tools from the ImageMagick toolbox to solve the CAPTCHA, which asks users to identify spiral galaxies. Such operations by Automated Libra can be stopped from continuing in a cloud environment by scanning all containers for vulnerabilities and abuse before deployment and by monitoring their runtime status.
Kinsing malware is known to target Linux environments for cryptomining. It uses certain unique techniques that target containerized environments, which also makes it common in Kubernetes clusters. When exploiting image vulnerabilities, the threat actors hunt for remote code execution flaws in PHPUnit, Liferay, Oracle WebLogic, and WordPress that enable them to push their payloads.
The 'trust authentication' setting is one of the most common misconfigurations the attackers leverage; it instructs PostgreSQL to assume that "anyone who can connect to the server is authorized to access the database." Even if the IP access configuration is strict, Kubernetes is still prone to ARP (Address Resolution Protocol) poisoning, so attackers could spoof apps in the cluster to gain access. It is recommended to scan all images for vulnerabilities, especially those used in exposed containers. Additionally, minimize access to exposed containers by using IP allow lists and following least privilege principles. If PostgreSQL is misconfigured, remove trust authentication and harden network access to the database.
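The 'trust' method is set per rule in pg_hba.conf, so the misconfiguration can be audited from the file itself before an attacker finds it. The following Python is an added example, not SISA's or the PostgreSQL project's code: it parses pg_hba.conf lines in the TYPE DATABASE USER ADDRESS METHOD layout (including the optional separate-netmask form), and flags trust entries, rules whose address matches every host, and the legacy password/md5 methods. The weak configuration and its hardened counterpart are constructed, and the severity labels are assumptions.

```python
"""Audit a pg_hba.conf for the 'trust' misconfiguration described above.

Added example; not code from SISA or the PostgreSQL project. Both config
texts are constructed, and the severity labels are assumptions.
"""
import ipaddress

# Constructed: the weak configuration (trust everywhere, open to all hosts)
WEAK_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   0.0.0.0/0      trust
host    all       all   ::/0           trust
"""

# Constructed: the hardened equivalent (peer auth on the local socket, SCRAM
# over the network, and only from the subnets that need access)
HARDENED_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   10.42.0.0/16   scram-sha-256
hostssl app       app   10.42.7.0/24   scram-sha-256
"""


def parse_pg_hba(text):
    """Parse pg_hba.conf text into rule dicts; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            if len(f) < 4:
                continue  # malformed; a real audit would report it
            rules.append({"line": lineno, "type": "local", "db": f[1],
                          "user": f[2], "address": None, "method": f[3]})
            continue
        if len(f) < 5:
            continue  # malformed
        address, rest = f[3], f[4:]
        # pg_hba.conf also accepts "ADDRESS NETMASK" as two separate fields;
        # a netmask contains '.' or ':' whereas a method name never does
        if len(rest) >= 2 and ("." in rest[0] or ":" in rest[0]):
            address, rest = f"{address}/{rest[0]}", rest[1:]
        rules.append({"line": lineno, "type": f[0], "db": f[1],
                      "user": f[2], "address": address, "method": rest[0]})
    return rules


def is_open_to_world(address):
    """True when the ADDRESS field matches every IPv4 or IPv6 client."""
    if address is None:
        return False
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname, samehost, samenet: not judged here


def audit(text):
    """Return (line, severity, message) findings for a pg_hba.conf text."""
    findings = []
    for r in parse_pg_hba(text):
        where = "line %d (%s)" % (r["line"], " ".join(
            x for x in (r["type"], r["db"], r["user"], r["address"]) if x))
        if r["method"] == "trust":
            findings.append((r["line"], "high", f"{where}: method 'trust' lets any "
                             "client that can reach the server log in as this user with no password"))
        if r["type"] != "local" and is_open_to_world(r["address"]):
            findings.append((r["line"], "high", f"{where}: address matches every host; "
                             "restrict it to the subnets that need access"))
        if r["method"] in ("password", "md5"):
            findings.append((r["line"], "medium", f"{where}: '{r['method']}' is a weak "
                             "method; prefer scram-sha-256"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PG_HBA), ("hardened", HARDENED_PG_HBA)):
        results = audit(text)
        print(f"== {label}: {len(results)} finding(s)")
        for _, sev, msg in results:
            print(f"  [{sev}] {msg}")
```

Run against the weak file the audit reports five findings (three trust rules, two of which are also open to every host); the hardened file reports none. Note that a correct pg_hba.conf only limits who PostgreSQL will accept; the ARP-poisoning point above is why network-level restriction in the cluster still matters even after trust is removed.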
A persistent campaign linked to the StrongPity APT group distributed a malicious app through a fake Shagle website; Shagle is a service that offers encrypted random video chats with strangers. Although it is presented as the Shagle app, the malicious app is actually a fully functional, trojanized version of the genuine Telegram app. One of the malicious StrongPity app's modules can exfiltrate communication from 17 apps, including Viber, Skype, Gmail, Messenger, and Tinder, if the victim grants it access to the accessibility services.
The fake Shagle app contains malicious code that implements a straightforward but effective backdoor, previously seen in an earlier StrongPity mobile campaign. To protect systems against such attacks, it is recommended to avoid installing third-party applications on any device and to block the IOCs in your perimeter and core network devices.