CYFIRMA: Cybersecurity Dossier - Oct 14, 2024
Threat Actor in Focus - SHROUDED#SLEEP: An In-Depth Analysis of North Korea’s Ongoing Campaign Targeting Southeast Asia
The SHROUDED#SLEEP campaign, attributed to North Korea's APT37 (also known as Reaper or Group123), is a stealthy cyberattack targeting Southeast Asia, with a significant focus on Cambodia. The campaign typically begins with phishing emails carrying malicious shortcut (.lnk) files disguised as legitimate documents such as Excel spreadsheets or PDFs. The shortcuts use a double-extension technique (a document extension placed in the name of a .lnk file) so that the victim believes they are opening an innocuous file. Once executed, a shortcut runs a series of PowerShell commands embedded within it, which extract and execute hidden payloads. The malware employs a variety of evasion tactics, including long sleep intervals between commands to avoid detection by security software. Among the extracted payloads is a custom DLL known as DomainManager.dll. READ MORE
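The double-extension lure works because Windows Explorer never displays the .lnk extension of a shortcut, even when "Hide extensions for known file types" is off, so "Q3_Report.xlsx.lnk" shows up as "Q3_Report.xlsx" with whatever icon the shortcut requests. The triage script below is an added example (not CYFIRMA's tooling and not code from the campaign) that scores a shortcut on the three traits described above: a document extension hidden behind .lnk, PowerShell-style arguments in the shortcut's UTF-16LE string data (including Start-Sleep, the delay tactic mentioned), and a file far larger than a plain link, which suggests an appended payload. The header-size and LinkCLSID constants come from the Shell Link binary format; the 64 KB size threshold, the token list and the sample shortcut bytes are assumptions constructed for the example.

```python
"""Triage helper for shortcut (.lnk) lures of the kind described above."""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass, field

# Fixed values from the Shell Link (.LNK) binary format: header size and LinkCLSID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Document extensions commonly used to disguise a shortcut as a file the user expects.
DOCUMENT_EXTS = {".xlsx", ".xls", ".pdf", ".docx", ".doc", ".pptx", ".txt"}

# Argument fragments that have no business in a shortcut pointing at a document.
SUSPICIOUS_ARGS = [
    "powershell", "pwsh", "-enc", "-encodedcommand", "-w hidden",
    "-windowstyle hidden", "-nop", "-noprofile", "iex", "invoke-expression",
    "frombase64string", "start-sleep",
]

# A shortcut that only points at a document is a few KB; a much larger file
# suggests a payload appended after the link structure.  Threshold is an assumption.
SIZE_THRESHOLD = 64 * 1024


@dataclass
class LnkVerdict:
    double_extension: bool
    valid_lnk_header: bool
    suspicious_tokens: list[str] = field(default_factory=list)
    oversized: bool = False

    @property
    def score(self) -> int:
        return int(self.double_extension) + len(self.suspicious_tokens) + int(self.oversized)


def has_double_extension(name: str) -> bool:
    """True for names like 'report.xlsx.lnk' (document extension hidden behind .lnk)."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "lnk" and "." + parts[1] in DOCUMENT_EXTS


def utf16_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Pull printable UTF-16LE runs; LNK StringData (arguments, paths) is stored that way."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def triage_lnk(name: str, data: bytes) -> LnkVerdict:
    header_ok = (
        len(data) >= LNK_HEADER_SIZE
        and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
        and data[4:20] == LNK_CLSID
    )
    text = " ".join(utf16_strings(data)).lower()
    tokens = [t for t in SUSPICIOUS_ARGS if t in text]
    return LnkVerdict(has_double_extension(name), header_ok, tokens, len(data) > SIZE_THRESHOLD)


# Constructed sample (not a real artifact): minimal LNK header, a PowerShell
# argument string such as a lure would carry, and filler standing in for an
# appended payload.
SAMPLE_ARGS = (
    "-w hidden -nop -c Start-Sleep -s 30; "
    "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('...')))"
)
SAMPLE_LNK = (
    struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
    + "powershell.exe".encode("utf-16-le") + b"\x00\x00"
    + SAMPLE_ARGS.encode("utf-16-le")
    + b"\x90" * (70 * 1024)
)

if __name__ == "__main__":
    verdict = triage_lnk("Q3_Report.xlsx.lnk", SAMPLE_LNK)
    print(verdict, "score", verdict.score)
```

The script does not parse the full Shell Link structure; it only validates the header and sweeps the file for UTF-16LE strings, which is enough to surface the argument block regardless of which optional sections the shortcut carries. Mail-gateway and EDR rules can apply the same three checks, and blocking .lnk attachments outright at the gateway removes the lure entirely.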
iTunes Local Privilege Escalation (CVE-2024-44193) Vulnerability Analysis and Exploitation
CVE-2024-44193 is a recently disclosed local privilege escalation vulnerability in iTunes for Windows, affecting version 12.13.2.3 and earlier. A local, low-privileged attacker can exploit it to obtain administrative access on the targeted system. The flaw has widespread implications for any Windows environment running a vulnerable iTunes build, and especially for organizations with large numbers of unmanaged endpoints, where iTunes is often installed by users without IT oversight. Organizations and individuals using iTunes should update to a patched version immediately to prevent exploitation. READ MORE
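The practical first step is an inventory: find every desktop iTunes install and compare its version against the affected range. The snippet below is an added example (not CYFIRMA's or Apple's code) that reads the DisplayVersion of iTunes entries from the Windows Uninstall registry keys and compares versions component by component, because a plain string comparison puts "12.13.10.1" below "12.13.2.3" and would report a patched build as vulnerable. The affected-range boundary is the 12.13.2.3 figure quoted above; the registry paths are the standard Uninstall keys, and the Microsoft Store build of iTunes is not registered there, so it has to be inventoried separately (for example with Get-AppxPackage).

```python
"""Check whether an installed iTunes for Windows build falls in the affected range."""
import sys

# Highest affected build named above; anything at or below it is treated as vulnerable.
LAST_VULNERABLE = "12.13.2.3"


def parse_version(version: str) -> tuple:
    """'12.13.2.3' -> (12, 13, 2, 3).  Non-numeric fragments count as 0."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(version: str, last_vulnerable: str = LAST_VULNERABLE) -> bool:
    """Numeric, component-wise comparison; '12.13.10.1' must not sort below '12.13.2.3'."""
    a, b = parse_version(version), parse_version(last_vulnerable)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


# Uninstall keys where the desktop (non-Store) iTunes installer registers itself.
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)


def installed_itunes_versions() -> list:
    """Return DisplayVersion strings of iTunes entries from the registry (Windows only)."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows

    found = []
    for path in UNINSTALL_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    sub = winreg.EnumKey(key, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(key, sub) as subkey:
                        name, _ = winreg.QueryValueEx(subkey, "DisplayName")
                        if "itunes" in str(name).lower():
                            version, _ = winreg.QueryValueEx(subkey, "DisplayVersion")
                            found.append(str(version))
                except OSError:
                    continue  # entry lacks DisplayName/DisplayVersion
    return found


def report() -> list:
    """(version, vulnerable?) pairs for every iTunes install found on this host."""
    return [(v, is_vulnerable(v)) for v in installed_itunes_versions()]


if __name__ == "__main__":
    hits = report()
    print(hits or "no desktop iTunes install found in the Uninstall keys")
```

Run it under an endpoint-management tool or a scheduled task on each workstation and collect the output centrally; on a fleet with many unmanaged endpoints, the registry sweep is what turns "patch immediately" into a list of specific hosts.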
YUNIT STEALER
Yunit Stealer is written in JavaScript and makes use of system-utility and cryptographic modules to retrieve system information, execute commands, and issue HTTP requests. It performs system checks and file management and extracts sensitive data such as credentials, cookies, and cryptocurrency wallets. To avoid detection it relies on obfuscation, and it achieves persistence through registry modifications and scheduled tasks while disabling Windows Defender. Stolen data is exfiltrated via Telegram and Discord webhooks. Based on our analysis, we assess with confidence that the developer is a French speaker, likely based in France, with a track record of malicious projects and ties to various platforms, including gaming platforms. READ MORE
VILSA STEALER
A new stealer known as "Vilsa" has been discovered on GitHub. It is both user-friendly and powerful, with security-bypass capabilities that make it an effective tool for covert data collection, and it is notable for the speed and reliability with which it extracts sensitive data such as browser credentials and tokens. Stealers are a class of malware that target system and personal information: they extract data from web browsers (browsing history, bookmarks, auto-fill data, cookies, saved passwords, and MetaMask wallet data) and harvest login credentials, personally identifiable information, financial details, and other critical data from other applications on the victim's device. READ MORE
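Both the Yunit and Vilsa write-ups describe the same stealer anatomy: browser credential and wallet theft, persistence through Run keys and scheduled tasks, Defender switched off, and exfiltration over Discord or Telegram webhooks. Those are all strings in the sample, hidden only by cheap JavaScript obfuscation. The script below is an added example (not CYFIRMA's tooling and not either stealer's code) that peels three common obfuscation layers (hex escapes, split-string concatenation, base64 literals) and then pulls out exfil endpoints, persistence commands and targeted browser artefacts with regular expressions. The Discord webhook and Telegram bot URL formats and the MetaMask extension id are real; the sample script, its webhook id, bot token and paths are constructed for the example and are not indicators from either campaign.

```python
"""Static triage for stealer scripts: exfil endpoints, persistence, browser targets."""
import base64
import binascii
import re

# Exfiltration channels named for Yunit: Discord webhooks and Telegram bot API calls.
DISCORD_WEBHOOK = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_\-]+)"
)
TELEGRAM_BOT = re.compile(r"https?://api\.telegram\.org/bot(\d+:[A-Za-z0-9_\-]{35})/(\w+)")

# Persistence and defence-evasion fragments: Run key, scheduled task, Defender switched off.
PERSISTENCE = {
    "run_key": re.compile(r"CurrentVersion\\+Run\b", re.I),
    "schtasks_create": re.compile(r"schtasks(?:\.exe)?\s+/create", re.I),
    "defender_mppreference": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    "defender_policy": re.compile(r"DisableAntiSpyware", re.I),
}

# Browser stores a stealer reads: Chromium credential/cookie databases, the key file,
# and the MetaMask extension's local storage directory.
BROWSER_ARTEFACTS = {
    "chromium_login_data": re.compile(r"\bLogin Data\b"),
    "chromium_cookies": re.compile(r"\bCookies\b"),
    "chromium_local_state": re.compile(r"\bLocal State\b"),
    "metamask_extension": re.compile(r"nkbihfbeogaeaoehlefnkodbefgpgknn"),
}


def peel_obfuscation(text: str) -> str:
    """Undo three cheap JS obfuscation layers so the IOC patterns can see through them."""
    # 1. "\x68\x74\x74\x70" style hex escapes -> literal characters
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    # 2. "abc" + "def" string splitting -> "abcdef"
    text = re.sub(r"""["']\s*\+\s*["']""", "", text)
    # 3. long base64 literals -> their decoded text, appended for scanning
    decoded = []
    for candidate in re.findall(r"[A-Za-z0-9+/]{20,}={0,2}", text):
        try:
            blob = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if blob.isprintable():
            decoded.append(blob)
    return text + "\n" + "\n".join(decoded)


def extract_iocs(script: str) -> dict:
    text = peel_obfuscation(script)
    return {
        "discord_webhooks": DISCORD_WEBHOOK.findall(text),
        "telegram_bots": TELEGRAM_BOT.findall(text),
        "persistence": [k for k, rx in PERSISTENCE.items() if rx.search(text)],
        "browser_artefacts": [k for k, rx in BROWSER_ARTEFACTS.items() if rx.search(text)],
    }


# Constructed sample resembling a stealer's config/exfil code; the webhook id,
# bot token and paths are made up and are not real indicators.
_TG_URL = "https://api.telegram.org/bot1234567890:AAE-abcdefGHIJKLMNOPQRSTUVWXYZ01234/sendDocument"
SAMPLE_JS = r'''
const hook = "\x68\x74\x74\x70\x73://discord.com/api/webhooks/1234567890/" + "abcDEF_ghi-JKL";
const tg = atob("%s");
execSync('reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v svc /t REG_SZ /d "node %%APPDATA%%\\svc.js"');
execSync('schtasks /create /tn "UpdateSvc" /sc onlogon /tr "node %%APPDATA%%\\svc.js"');
execSync('powershell Set-MpPreference -DisableRealtimeMonitoring $true');
const loginDb = path.join(local, "Google/Chrome/User Data/Default/Login Data");
const mm = path.join(local, "Google/Chrome/User Data/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn");
''' % base64.b64encode(_TG_URL.encode()).decode()

if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

Recovered webhook ids and bot tokens are directly actionable: Discord and Telegram both accept abuse reports that revoke them, which cuts the exfiltration channel for every victim of that build. Samples packed with a heavier obfuscator (string arrays with rotating decoders, for instance) need a JavaScript deobfuscator first; this pass is meant for the dump you get after that, or for the lightly-obfuscated builds hobbyist stealers usually ship.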
Ransomware of the Week
CYFIRMA Research and Advisory Team found Moon ransomware while monitoring various underground forums as part of our Threat Discovery Process. Moon encrypts files and renames them by appending a series of random characters followed by the ".moon" extension, and it drops a ransom note named "README.txt" to communicate with victims. This variant closely resembles other ransomware families, including MoneyIsTime and Beast. The note informs victims that their files, including documents, photos, and databases, have been encrypted and are inaccessible, states that they cannot decrypt the files without help, and offers recovery through the purchase of a private key from the attackers. Victims are instructed to contact the operators via email or Telegram to begin the recovery process. READ MORE
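The two behaviours described above, a burst of renames to "<random>.moon" and a README.txt written alongside the encrypted files, are what file-activity telemetry sees first, usually before any sample is recovered. The detector below is an added example (not CYFIRMA's tooling) that runs over file-system events in a simple CSV form and raises an alert per host when both behaviours appear together. The exact shape of the random token is not published, so the code takes the trailing alphanumeric run before ".moon" and judges it by character entropy; the entropy and count thresholds, the CSV layout and the event log itself are constructed assumptions for the example.

```python
"""Spot a Moon-style mass rename (random token + '.moon') plus ransom-note drop in file events."""
import csv
import io
import math
import re
from collections import Counter, defaultdict

# Moon appends random characters and then '.moon'; the token format is not
# published, so this takes the trailing alphanumeric run before '.moon' and
# judges its randomness by character entropy.  Thresholds below are assumptions.
MOON_TOKEN = re.compile(r"([A-Za-z0-9]+)\.moon$", re.I)
MIN_TOKEN_LEN = 6
MIN_TOKEN_ENTROPY = 2.5      # bits per character
MIN_RENAMES_PER_HOST = 5
RANSOM_NOTE = "readme.txt"


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_moon_encrypted(path: str) -> bool:
    """True for 'budget.xlsx.k8Qz2pLw.moon', False for an ordinary 'sunset.moon'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = MOON_TOKEN.search(name)
    if not m:
        return False
    token = m.group(1)
    return len(token) >= MIN_TOKEN_LEN and shannon_entropy(token) >= MIN_TOKEN_ENTROPY


def detect_moon(event_csv: str) -> dict:
    """Per-host counts from 'timestamp,host,action,path,new_path' rows, with an alert flag."""
    hosts = defaultdict(lambda: {"moon_renames": 0, "ransom_note": False, "alert": False})
    for ts, host, action, path, new_path in csv.reader(io.StringIO(event_csv.strip())):
        state = hosts[host]
        target = new_path if action == "RENAME" else path
        if action in ("RENAME", "CREATE") and looks_moon_encrypted(target):
            state["moon_renames"] += 1
        if action == "CREATE" and path.replace("\\", "/").rsplit("/", 1)[-1].lower() == RANSOM_NOTE:
            state["ransom_note"] = True
    # Require both signals: a lone README.txt is common, a lone '.moon' file can be benign.
    for state in hosts.values():
        state["alert"] = state["moon_renames"] >= MIN_RENAMES_PER_HOST and state["ransom_note"]
    return dict(hosts)


# Constructed file-system event log (not real telemetry): WS-042 is being encrypted,
# WS-017 merely has a user file that happens to end in '.moon' next to a README.
SAMPLE_EVENTS = r"""
2024-10-10T09:12:01Z,WS-042,RENAME,C:\Users\ana\Documents\budget.xlsx,C:\Users\ana\Documents\budget.xlsx.k8Qz2pLw.moon
2024-10-10T09:12:01Z,WS-042,RENAME,C:\Users\ana\Documents\notes.docx,C:\Users\ana\Documents\notes.docx.Xr4mN9Ab.moon
2024-10-10T09:12:02Z,WS-042,RENAME,C:\Users\ana\Pictures\IMG_001.jpg,C:\Users\ana\Pictures\IMG_001.jpg.t7HcV2Ey.moon
2024-10-10T09:12:02Z,WS-042,RENAME,C:\Users\ana\Pictures\IMG_002.jpg,C:\Users\ana\Pictures\IMG_002.jpg.P3wQ8zLd.moon
2024-10-10T09:12:03Z,WS-042,RENAME,C:\Data\crm.sqlite,C:\Data\crm.sqlite.b6KsR1Mn.moon
2024-10-10T09:12:03Z,WS-042,RENAME,C:\Data\backup.zip,C:\Data\backup.zip.J9vT4fGh.moon
2024-10-10T09:12:04Z,WS-042,CREATE,C:\Users\ana\Documents\README.txt,
2024-10-10T09:15:00Z,WS-017,RENAME,C:\Users\bo\Pictures\sunset.jpg,C:\Users\bo\Pictures\sunset.moon
2024-10-10T09:15:30Z,WS-017,CREATE,C:\Users\bo\Pictures\README.txt,
"""

if __name__ == "__main__":
    for host, state in detect_moon(SAMPLE_EVENTS).items():
        print(host, state)
```

In production the rename count should be evaluated over a short sliding window rather than the whole feed, and the alert should trigger network isolation of the host, since the same rename burst continues across mapped shares. The entropy gate is what keeps a single legitimately named ".moon" file from counting; tune MIN_TOKEN_ENTROPY down only if real samples turn out to use short tokens.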
Trending Malware of the Week
This week "WarmCookie" is trending. Researchers have discovered a new "FakeUpdate" campaign targeting users in France, in which compromised websites display fake browser and application update prompts to distribute a new version of the WarmCookie backdoor. The FakeUpdate technique tricks users into downloading a malicious payload by presenting bogus update prompts for popular software such as web browsers and Java. Once installed, the WarmCookie backdoor lets attackers steal data, execute commands, capture screenshots, and deploy additional malware. The latest version adds capabilities such as running DLLs from temporary folders and executing EXE and PowerShell files. Researchers found that the primary lure in this campaign is a fake browser update, a typical tactic in these attacks; a compromised site promoting a fake Java update was also identified as part of the campaign. READ MORE
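The FakeUpdate chain leaves a distinctive process tree: a browser spawns an "update" executable from the Downloads or Temp folder, which (per the capabilities listed above) runs a DLL out of a temporary directory via rundll32 and launches PowerShell. Real browser updaters never run from user-writable directories, so that parent/child relationship is the signal. The rules below are an added example (not CYFIRMA's or any vendor's detection content) written over trimmed, Sysmon-style process-creation events; the drop-directory list, the rule names and the sample events with their pids and file names are constructed for the example.

```python
"""Process-tree rules for the FakeUpdate -> WarmCookie chain described above."""
import ntpath
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# User-writable locations a fake "update" lands in; a browser's real updater
# never runs from these.  (Assumed list; extend to your environment.)
USER_DROP_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
DLL_IN_CMDLINE = re.compile(r"[a-z]:\\\S*?\.dll")


def base(image: str) -> str:
    return ntpath.basename(image).lower()


def in_user_drop_dir(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_DROP_DIRS)


def detect(events: list) -> dict:
    """Map pid -> list of rule ids.  Events: dicts with pid, ppid, image, cmdline."""
    by_pid = {e["pid"]: e for e in events}
    flags = {}
    for e in events:
        hits = []
        parent = by_pid.get(e["ppid"])
        # R1: browser directly spawned an executable from a user-writable drop directory
        if parent and base(parent["image"]) in BROWSERS and in_user_drop_dir(e["image"]):
            hits.append("R1_browser_spawned_dropped_exe")
        # R2: rundll32 loading a DLL that lives in a temp/download directory
        if base(e["image"]) == "rundll32.exe":
            m = DLL_IN_CMDLINE.search(e["cmdline"].lower())
            if m and in_user_drop_dir(m.group()):
                hits.append("R2_rundll32_dll_from_temp")
        if hits:
            flags[e["pid"]] = hits
    # R3: a script host whose ancestry (up to 5 hops) is already flagged or is a browser
    for e in events:
        if base(e["image"]) not in SCRIPT_HOSTS:
            continue
        anc = e
        for _ in range(5):
            anc = by_pid.get(anc["ppid"])
            if anc is None:
                break
            if anc["pid"] in flags or base(anc["image"]) in BROWSERS:
                flags.setdefault(e["pid"], []).append("R3_script_host_under_suspect_chain")
                break
    return flags


# Constructed process-creation events (Sysmon EID 1 style, heavily trimmed); pids,
# paths and names are invented for the example.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 900, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
    {"pid": 5208, "ppid": 4120, "image": r"C:\Users\ana\Downloads\Chrome_Update_2024.exe",
     "cmdline": "Chrome_Update_2024.exe"},
    {"pid": 5310, "ppid": 5208, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\ana\AppData\Local\Temp\upd.dll,Start"},
    {"pid": 5402, "ppid": 5310, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c ..."},
    # benign control: rundll32 with a system DLL, unrelated parent
    {"pid": 6001, "ppid": 700, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(pid, rules)
```

R1 is the rule to alert on loudly: a browser launching an executable from Downloads is rare in managed environments and is the moment the user has just been fooled. R2 and R3 fire later in the chain and are worth correlating rather than alerting on alone, since installers and administrators do occasionally run rundll32 against a DLL in Temp. Compare the child image against the browser vendor's signed updater path before suppressing anything.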
CYFIRMA is a threat discovery and cyber-intelligence company with the world's first platform that can deliver predictive cyber-intelligence. We combine cyber-intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. We have built the next generation of AI-powered threat intelligence platform called External Threat Landscape Management (ETLM) to provide cyber defenders with the hacker's view to help clients prepare for impending attacks.
SCHEDULE A DEMO HERE
Visit www.cyfirma.com
Message sent by CYFIRMA at 16 Raffles Quay #09-01 S(048581), Singapore, Singapore.