CYFIRMA: Cybersecurity Dossier
Latest Cyberattacks, Incidents and Breaches

Threat Actor in Focus - APT29 Launches First-Ever Campaign Targeting Political Parties in Germany

In late February 2024, researchers observed APT29, a threat group attributed to Russia's Foreign Intelligence Service (SVR), targeting German political parties with a phishing campaign. This is a notable shift: APT29 has historically concentrated on governmental and diplomatic entities, and this is the first observed instance of the group targeting political parties, suggesting an expansion of its collection interests. The lures were emails masquerading as invitations to a Christian Democratic Union (CDU) dinner reception, carrying a link to a malicious ZIP file hosted on a compromised website. The ZIP file delivered the ROOTSAW dropper, which in turn deployed the WINELOADER backdoor. WINELOADER, previously observed in January 2024, shares code similarities with other APT29 malware families, implying a common developer.

SYNC-SCHEDULER: A DEDICATED DOCUMENT STEALER

At CYFIRMA, we are dedicated to providing current insights into the threats and techniques used by malicious actors against organizations and individuals. This report examines Sync-Scheduler, a stealer written in C++ that specifically targets documents and has been built with defense-evasion and anti-analysis capabilities. It walks through how the malware operates, the evasion tactics it uses to avoid detection, and how its payload is constructed to be resilient. The findings underscore how quickly such threats adapt, and the corresponding need for stronger security controls and user vigilance to mitigate the associated risk.

CYFIRMA INDUSTRY REPORT – MATERIALS

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the materials industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the materials industry. We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

THE CHANGING CYBER THREAT LANDSCAPE: EUROPE

The Europe Threat Landscape Report provides a comprehensive overview of the evolving cybersecurity landscape in the region. In recent years, Europe has witnessed a significant increase in cyber threats, driven by factors such as rapid digitalization, increased internet penetration, and geopolitical tensions. This report provides key insights into the current state of cyber threats and emerging trends. It is a running report: our research team will update it on an ongoing basis to keep the reader informed about the region's evolving cyber threat landscape.

Ransomware of the Week

The CYFIRMA Research and Advisory Team found Donex ransomware while monitoring underground forums as part of our Threat Discovery Process. Donex was first observed at the beginning of March 2024. It encrypts data, appends a unique victim ID to filenames as the new extension, and drops a ransom note named "Readme.[victim's_ID].txt" demanding payment for decryption. Despite being a new entrant, the group has implemented capabilities on par with established encryptors: cleaning up attack-related files, restarting the machine, clearing event logs, enumerating local and network files, and terminating processes that could hold open the files it intends to encrypt. Most of these functions are implemented through common Windows APIs.
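Two of the behaviours above leave artifacts a responder can triage programmatically: the ransom note name embeds the same victim ID that is appended to every encrypted file, and clearing event logs itself generates a record. The following Python is an added example, not CYFIRMA's code and not derived from a Donex sample; it correlates the note with the renamed files and flags log-clearing events. The Windows event IDs used (1102 for the Security log cleared, 104 for System/Application logs cleared) are standard Windows IDs and are an assumption of the example, not something the Donex analysis states. All file names and event records below are constructed.

```python
"""
Added triage example for the Donex indicators described above.
  1. Correlate a ransom note named Readme.<victim_ID>.txt with files whose
     appended extension equals that victim ID.
  2. Flag Windows event records that indicate an event log was cleared.
Event IDs 1102 (Security) and 104 (System/Application) are standard Windows
IDs, assumed here; the report only says Donex clears event logs.
All sample data is constructed for this example.
"""
import re
from collections import defaultdict

# Note name pattern: Readme.<victim_ID>.txt (victim ID assumed alphanumeric)
NOTE_RE = re.compile(r"^Readme\.(?P<vid>[A-Za-z0-9]+)\.txt$", re.IGNORECASE)
LOG_CLEARED_IDS = {1102, 104}


def find_victim_ids(filenames):
    """Return the set of victim IDs named by ransom notes in the listing."""
    ids = set()
    for name in filenames:
        m = NOTE_RE.match(name)
        if m:
            ids.add(m.group("vid"))
    return ids


def correlate_encrypted_files(filenames):
    """Map each victim ID found in a note to the files carrying it as extension.

    Only files whose final extension exactly matches an ID from a note are
    reported, so ordinary files (and the note itself) are not counted.
    """
    ids = find_victim_ids(filenames)
    hits = defaultdict(list)
    for name in filenames:
        if NOTE_RE.match(name):
            continue
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in ids:
            hits[ext].append(name)
    return dict(hits)


def log_clear_events(records):
    """Return event records whose EventID marks an event log as cleared."""
    return [r for r in records if r.get("EventID") in LOG_CLEARED_IDS]


def triage(filenames, records):
    """Summarise both checks in one dictionary for a responder."""
    return {
        "victim_ids": sorted(find_victim_ids(filenames)),
        "encrypted_files": correlate_encrypted_files(filenames),
        "log_clears": [(r["EventID"], r["Channel"]) for r in log_clear_events(records)],
    }


# Constructed sample directory listing (not from a real infection)
SAMPLE_FILES = [
    "Readme.f58a1b2c.txt",
    "Q1_budget.xlsx.f58a1b2c",
    "contract.docx.f58a1b2c",
    "desktop.ini",
    "photo.jpg",
]

# Constructed sample event records (not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 4624, "Channel": "Security", "User": "alice"},
    {"EventID": 1102, "Channel": "Security", "User": "SYSTEM"},
    {"EventID": 4688, "Channel": "Security", "User": "alice"},
    {"EventID": 104, "Channel": "System", "User": "SYSTEM"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_EVENTS))
```

The extension match is deliberately exact rather than "any unknown extension", so a host with a single note and a handful of unusual file types does not produce noise; the victim ID is the linking key.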

Trending Malware of the Week

This week "FalseFont" is trending. Researchers have discovered the FalseFont backdoor, used by the suspected Iranian-affiliated threat actor Curious Serpens (aka Peach Sandstorm, APT33, Elfin, HOLMIUM, MAGNALIUM, and REFINED KITTEN). This espionage group has a notable history of targeting the aerospace and energy sectors across the Middle East, the United States, and Europe, and has operated since at least 2013. FalseFont is its latest tool, delivered through a fake recruitment process that mimics legitimate human-resources software to trick victims into installing the backdoor. Written in ASP.NET Core, FalseFont has been observed in the wild packaged as a single native executable of 182 MB.
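A 182 MB executable for an ASP.NET Core backdoor is consistent with a .NET single-file, self-contained publish, which bundles the runtime into one binary; that inference is mine, not a statement from the FalseFont analysis. The Python below is an added example (not CYFIRMA's or the original researchers' code) that checks a binary for the marker the .NET apphost carries for exactly this packaging: a 32-byte signature equal to the SHA-256 of the string ".net core bundle", immediately preceded by an 8-byte little-endian offset that "dotnet publish" fills with the location of the bundle header (it stays zero in a non-bundled apphost). The sample bytes are constructed stand-ins, not a real binary, and the MZ check assumes a Windows PE.

```python
"""
Added example: detect whether an executable is a .NET single-file bundle.
The apphost's bundle marker is a 32-byte SHA-256 of ".net core bundle",
preceded by an int64 little-endian bundle-header offset that is non-zero
only when "dotnet publish" produced a single-file bundle. Sample inputs
below are constructed; the MZ check assumes a Windows PE image.
"""
import hashlib
import struct

BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()


def find_bundle_header_offset(data: bytes):
    """Return the bundle header offset if data is a single-file bundle, else None.

    None also covers a plain .NET apphost, which contains the signature
    but leaves the offset slot as zero.
    """
    idx = data.find(BUNDLE_SIGNATURE)
    if idx < 8:  # signature absent, or no room for the 8-byte offset before it
        return None
    (offset,) = struct.unpack_from("<q", data, idx - 8)
    if offset <= 0 or offset >= len(data):
        return None
    return offset


def classify(data: bytes) -> str:
    """Coarse verdict string for a triage queue."""
    if not data.startswith(b"MZ"):
        return "not-pe"
    off = find_bundle_header_offset(data)
    if off is None:
        return "pe-not-single-file-bundle"
    return f"dotnet-single-file-bundle@{off}"


def classify_file(path: str) -> str:
    """Read a file from disk and classify it; large bundles are read whole."""
    with open(path, "rb") as fh:
        return classify(fh.read())


def _make_sample(bundled: bool) -> bytes:
    """Constructed stand-in for an apphost: MZ header, filler, marker slot,
    then a fake bundle header at the recorded offset (zero if not bundled)."""
    body = b"MZ" + b"\x00" * 62 + b"filler" * 16          # 160 bytes
    header_offset = len(body) + 8 + 32 + 16 if bundled else 0
    marker = struct.pack("<q", header_offset) + BUNDLE_SIGNATURE
    tail = b"\x00" * 16 + b"FAKEBUNDLEHEADER"
    return body + marker + tail


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, classify(_make_sample(flag)))
```

On a real sample the returned offset points at the bundle manifest, which lists the embedded assemblies; a zero offset with the signature present just means an ordinary framework-dependent or non-single-file .NET apphost.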

CYFIRMA is a threat discovery and cyber-intelligence company with the world's first platform that can deliver predictive cyber-intelligence. We combine cyber-intelligence with attack surface discovery and digital risk protection to deliver early-warning, personalized, contextual, outside-in, and multi-layered insights. We have built a next-generation, AI-powered threat intelligence platform called External Threat Landscape Management (ETLM) to give cyber defenders the hacker's view and help clients prepare for impending attacks.

Visit www.cyfirma.com