CYFIRMA: Cybersecurity Dossier -Sept. 8, 2023
Latest Cyberattacks, Incidents and Breaches

Threat Actor in Focus: Lazarus Group Behind Malicious Python Packages, Part of Supply Chain Attack

In a recent observation, the North Korean state-sponsored Advanced Persistent Threat group Lazarus was seen uploading malicious packages to the Python Package Index (PyPI) repository. Security researchers uncovered a malicious supply chain campaign involving the upload of two dozen malicious Python packages to the PyPI open-source repository. The campaign started in August, and the packages were removed from PyPI only after they had accumulated downloads. The group disguised the packages as legitimate software, with one of them masquerading as a VMware vSphere connector module called vConnector. One of the malicious packages, named VMConnect, targeted IT professionals seeking virtualization tools and was downloaded 237 times. Two other packages, ‘ethter’ and ‘quantiumbase,’ were found to contain the same code and were downloaded 253 and 216 times, respectively.

New MaaS Prysmax Launches Fully Undetectable Infostealer

The CYFIRMA research team has discovered a new malware-as-a-service known as Prysmax. The developer behind Prysmax claims that their USP is FUD (fully undetectable) malware, be it their stealer or their RAT. They offer custom development services, along with subscriptions for a stealer, RAT, and botnet services. This report delves into their Python-based information stealer, known as Prysmax stealer, which aims to discreetly extract sensitive data such as crypto wallets, passwords and cookies from a wide range of services. The malware is indeed fully undetectable by over 95% of the signature-based detections commonly employed by antivirus solutions. By manipulating file associations and executing alongside legitimate .exe processes, Prysmax stealer maximizes its reach and impact. The malware’s extensive use of PowerShell enhances its capabilities for data exfiltration and stealthy actions.

CYFIRMA & FireTail: Working Together to Deliver Complete Visibility and Robust API Security

CYFIRMA is excited to announce our strategic partnership with FireTail, a trailblazer in API security. Together, we are joining forces to provide organizations with complete visibility and robust API security solutions to tackle digital risks and cyber threats head-on. In today’s digital landscape, APIs play a vital role in the functioning of modern applications. However, they also present potential security challenges for organizations. That’s where our partnership with FireTail comes in. By combining CYFIRMA’s advanced threat intelligence capabilities with FireTail’s comprehensive API security solutions, we’re arming organizations with the tools they need to mitigate risks and stay secure.

Tracking Ransomware – August 2023

Welcome to the August 2023 Ransomware Report. This report offers a detailed analysis of significant ransomware events during the month. We explore the top 5 ransomware groups responsible for the highest number of victims and the industries they targeted. Additionally, we investigate the geographical locations that experienced the most ransomware attacks in August 2023. Furthermore, we discuss the evolution of ransomware groups during the month, focusing on emerging actors and the vulnerabilities exploited by ransomware groups in August 2023. The report aims to equip organizations with crucial insights to bolster their cybersecurity measures and combat the evolving ransomware threat landscape effectively.

Ransomware of the Week

The CYFIRMA Research and Advisory Team has found ransomware known as FreeWorld while monitoring various underground forums as part of our Threat Discovery Process. FreeWorld is a recently emerged Mimic ransomware variant. Once executed, the ransomware encrypts files and appends the “.FreeWorldEncryption” extension to their filenames. Once this process is concluded, a ransom note named “FreeWorld-Contact.txt” is created.

Trending Malware of the Week

Researchers have uncovered a new and unique remote access trojan (RAT) called SuperBear RAT, identified in a malware campaign that specifically targets journalists. The malware is deployed using open-source AutoIT scripts, posing a significant security concern for media professionals. Researchers received a targeted sample that had been sent to a journalist, containing a lure to open the document.

CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence. We combine cyber-intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. We have built a next-generation AI-powered threat intelligence platform called External Threat Landscape Management (ETLM) to provide cyber defenders with the hacker’s view and help clients prepare for impending attacks.

SCHEDULE A DEMO HERE

Visit www.cyfirma.com

Message sent by CYFIRMA at 6 Raffles Quay, Level 16 S(048580), Singapore, Singapore.
