Malware Threat Intelligence Notes - October 01
Our biweekly newsletter is designed to bring you the most relevant updates. By focusing on malware and in-depth threat analysis, we aim to provide you with the latest insights, tools and research to keep you ahead of the curve. Expect concise, actionable insights to support your efforts. Let's dive in!
OpenAI: Threat Actors Misusing Models, No New Malware Breakthroughs
OpenAI released a report detailing how threat actors are attempting to misuse its models for cyber operations. The report highlights three disrupted groups: China-based SweetSpecter, Iran-affiliated CyberAv3ngers, and STORM-0817. OpenAI confirmed no evidence of breakthroughs in using its models to create substantially new malware. One notable case involved SweetSpecter launching a spear-phishing attack on OpenAI employees, delivering SugarGh0st RAT via an LNK file in a ZIP attachment. This underscores the evolving tactics of threat actors while showing no immediate advancement in their exploitation capabilities with AI.
Ongoing DPRK Fake Recruiter Attacks with Updated Malware
Unit 42 reports ongoing DPRK-linked cyber campaigns targeting job hunters via a network of fake recruiters, aiming to install malware. In the final stage, the BeaverTail malware delivers the InvisibleFerret backdoor, a Python-based tool with capabilities like remote control, keylogging, and credential theft. The campaign’s updates include a new Qt-based BeaverTail variant (replacing the old JavaScript variant) that targets 13 cryptocurrency wallet extensions. This persistence, despite being uncovered, highlights how well-resourced nation-state actors adapt and evolve their toolsets to continue operations.
Mobile App-Themed Excel Malware Evades Detection with XSLT Script
VMRay Labs recently found an Excel malware sample titled "Mobile App Project Details" with a very low detection rate (4/64) on VirusTotal, making it a potential threat. The seemingly harmless, project-related name suggests the malware could target professionals in mobile development, tech startups, or IT departments. The sample takes advantage of the lesser-known MSXML2 XSLT script feature to embed and execute malicious code during XML transformations, bypassing traditional detection methods. The attack chain—Excel → VBA → XML → JScript → Windows Installer → AutoHotKey—leads to continuous C2 communication for payload delivery, including screenshot capture and exfiltration. Since Office applications now block macros by default, analysts should be aware of the evolving use of XSL Script Processing (T1220) in malware tactics.
Malware analysis report can be accessed here: https://www.vmray.com/analyses/_vt/205a543c733e/report/overview.html
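The detection-evading step above is the stylesheet itself: MSXML lets an XSLT document declare a `<msxsl:script>` block (namespace `urn:schemas-microsoft-com:xslt`) whose functions the transform can call through an `implements-prefix`. A triage helper that parses a stylesheet and reports such blocks, whether the template actually invokes them, and which risky tokens the embedded code contains is a practical first filter for analysts. The script below is an added example, not VMRay's code; the two stylesheets are constructed samples, the watchlist of tokens is an assumption, and because it uses the standard-library parser it should be run on untrusted samples inside a sandbox or with a hardened parser such as defusedxml swapped in.

```python
"""Triage helper: flag XSLT stylesheets carrying embedded script (ATT&CK T1220)."""
import xml.etree.ElementTree as ET

MSXSL_NS = "urn:schemas-microsoft-com:xslt"        # namespace MSXML uses for <msxsl:script>
XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Tokens that rarely belong in a data-transformation stylesheet (assumed watchlist).
SUSPICIOUS_TOKENS = ("ActiveXObject", "WScript.Shell", "Scripting.FileSystemObject",
                     "Shell.Application", "eval(", "unescape(")

# Constructed sample: a stylesheet whose template calls a JScript function that
# instantiates a COM object. The body is inert; it is here only to be detected.
MALICIOUS_XSLT = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="http://example.invalid/user">
  <msxsl:script language="JScript" implements-prefix="user"><![CDATA[
    function run() {
      var fso = new ActiveXObject("Scripting.FileSystemObject");
      return fso.GetTempName();
    }
  ]]></msxsl:script>
  <xsl:template match="/">
    <xsl:value-of select="user:run()"/>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed benign sample: a plain transformation with no script extension.
BENIGN_XSLT = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:value-of select="/project/name"/>
  </xsl:template>
</xsl:stylesheet>
"""


def _prefix_is_called(root, prefix):
    """True if any XSL instruction's XPath attribute references prefix:function()."""
    needle = prefix + ":"
    for elem in root.iter():
        if not elem.tag.startswith("{" + XSL_NS + "}"):
            continue
        for attr in ("select", "test", "match"):
            if needle in elem.get(attr, ""):
                return True
    return False


def find_script_blocks(xslt_text):
    """Return one finding per <msxsl:script> element in the stylesheet."""
    root = ET.fromstring(xslt_text)
    findings = []
    for elem in root.iter("{" + MSXSL_NS + "}script"):
        code = elem.text or ""                      # CDATA content arrives as .text
        prefix = elem.get("implements-prefix")
        findings.append({
            "language": elem.get("language", "JScript"),   # MSXML defaults to JScript
            "prefix": prefix,
            "invoked": bool(prefix) and _prefix_is_called(root, prefix),
            "suspicious": [t for t in SUSPICIOUS_TOKENS if t in code],
            "code_bytes": len(code.encode()),
        })
    return findings


if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_XSLT), ("benign", BENIGN_XSLT)):
        print(name, find_script_blocks(doc))
```

A stylesheet that defines a script block but never calls its prefix is still worth a look, which is why `invoked` is reported separately rather than used to suppress the finding; the same check applies to XSL carried inside VBA string literals once it has been unpacked.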
Gamaredon Uses Cloudflare and Telegram to Bypass Domain-Based Blocking
ESET’s latest research reveals how the Russia-aligned APT group Gamaredon (aka Primitive Bear) continues targeting Ukrainian governmental institutions with spearphishing campaigns and custom malware designed to weaponize Word documents and USB drives. Their toolset includes malware written in PowerShell, VBScript, and C, along with open-source tools. Notably, Gamaredon has shifted its strategy to bypass domain-based blocking by utilizing third-party services like Telegram, Cloudflare's DNS-over-HTTPS (DoH), and the ngrok utility to maintain communication with their C&C servers. These evolving tactics demonstrate their adaptability in avoiding traditional detection methods.
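Because the relays are legitimate services, blocking their domains outright is rarely an option; the useful signal is which process on the endpoint is talking to them. The script below, an added example and not ESET's code, classifies outbound requests against a small watchlist of DoH resolvers, Telegram hosts and ngrok tunnel suffixes, and rates each hit by the originating process: a browser using Cloudflare DoH is routine, a PowerShell or WScript host doing the same is not. The log format (timestamp, machine, process, method, URL) and the sample lines are constructed, and the hostnames and process list are assumptions to reconcile with your own allow-lists.

```python
"""Detection sketch: outbound traffic to third-party services used as C&C relays."""
from urllib.parse import urlparse

# Service watchlist drawn from the ESET findings; hostnames are assumed and should
# be reconciled with an allow-list of sanctioned DoH resolvers and messaging apps.
DOH_ENDPOINTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "1.1.1.1", "1.0.0.1"}
TELEGRAM_HOSTS = {"api.telegram.org", "t.me"}
NGROK_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app")

# Script and Office hosts that have no business resolving names over DoH or
# talking to Telegram on their own (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe"}

# Constructed sample log lines: timestamp machine process method url.
SAMPLE_LOG = """\
2024-10-01T09:12:03Z WS-17 firefox.exe POST https://mozilla.cloudflare-dns.com/dns-query
2024-10-01T09:12:41Z WS-17 powershell.exe POST https://cloudflare-dns.com/dns-query
2024-10-01T09:12:42Z WS-17 powershell.exe GET https://api.telegram.org/botTOKEN_PLACEHOLDER/getMe
2024-10-01T09:13:05Z WS-17 wscript.exe POST https://a1b2c3d4.ngrok-free.app/upload
2024-10-01T09:15:00Z WS-22 chrome.exe GET https://www.example.com/
"""


def classify_host(host):
    """Map a destination hostname to a relay category, or None if not watchlisted."""
    host = host.lower()
    if host in DOH_ENDPOINTS:
        return "doh"
    if host in TELEGRAM_HOSTS:
        return "telegram"
    if host.endswith(NGROK_SUFFIXES):
        return "ngrok"
    return None


def analyze(log_text):
    """Return one alert per watchlisted destination, rated by the originating process."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, machine, process, _method, url = line.split(maxsplit=4)
        host = urlparse(url).hostname or ""
        category = classify_host(host)
        if category is None:
            continue
        # A browser using DoH is normal; a script interpreter doing it is not.
        if process.lower() in SCRIPT_HOSTS:
            severity = "high"
        elif category == "doh":
            severity = "info"
        else:
            severity = "medium"
        alerts.append({"ts": ts, "machine": machine, "process": process,
                       "host": host, "category": category, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The same three hits from one machine within a minute (DoH lookup, Telegram fetch, ngrok upload) are a stronger signal together than apart, so in practice the alerts would be correlated per machine rather than emitted one by one.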
Spammers Exploit Legitimate Infrastructure to Evade Detection
In a new blog post, Jaeson Schultz from Cisco Talos uncovers how attackers are abusing legitimate web and email infrastructure to send spam, bypassing traditional filters. By exploiting normal website features, such as event signup, Google Quizzes, Calendar, and Forms, spammers send from legitimate domains, making their messages harder to block. Additionally, they run credential stuffing attacks against IMAP and SMTP accounts and then send spam through the accounts they compromise. Some common test message subject headers, shared in the research, can help identify these attacks. This highlights the evolving tactics spammers use to evade detection. The post also offers valuable insight into the tools and methods used in these attacks, including MadCat and MailRip.
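The credential stuffing described above has a recognisable shape in mail server logs: one source address cycling through many different usernames, each tried only once or twice, as opposed to classic password guessing that hammers a single account. The detector below, an added example rather than Talos's code, groups authentication failures by source IP over a sliding window and labels each source as credential stuffing or password guessing by the number of distinct usernames involved. The log lines are constructed in a Dovecot-like shape, the regex is written for that shape and must be adapted to your MTA or IMAP server, and the window and thresholds are assumptions.

```python
"""Detection sketch: credential stuffing versus password guessing on IMAP/SMTP logins."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions; tune them to your normal login-failure volume.
WINDOW = timedelta(minutes=5)
MIN_FAILURES = 5
MIN_DISTINCT_USERS = 4

# Matches the constructed log shape below; adapt to your server's real format.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<svc>imap-login|pop3-login|smtp): auth failed: "
    r"user=<(?P<user>[^>]*)>, rip=(?P<rip>[\d.]+)"
)

# Constructed sample: one source tries five different users, another hammers one user.
SAMPLE_LOG = """\
2024-10-01T10:00:01 mail imap-login: auth failed: user=<alice>, rip=203.0.113.7
2024-10-01T10:00:03 mail imap-login: auth failed: user=<bob>, rip=203.0.113.7
2024-10-01T10:00:04 mail smtp: auth failed: user=<carol>, rip=203.0.113.7
2024-10-01T10:00:06 mail imap-login: auth failed: user=<dave>, rip=203.0.113.7
2024-10-01T10:00:09 mail imap-login: auth failed: user=<erin>, rip=203.0.113.7
2024-10-01T10:01:00 mail imap-login: auth failed: user=<frank>, rip=198.51.100.9
2024-10-01T10:01:30 mail imap-login: auth failed: user=<frank>, rip=198.51.100.9
2024-10-01T10:01:50 mail imap-login: auth failed: user=<frank>, rip=198.51.100.9
2024-10-01T10:02:10 mail imap-login: auth failed: user=<frank>, rip=198.51.100.9
2024-10-01T10:02:40 mail imap-login: auth failed: user=<frank>, rip=198.51.100.9
2024-10-01T10:03:00 mail imap-login: auth failed: user=<grace>, rip=192.0.2.44
"""


def parse_failures(log_text):
    """Group (timestamp, username) failure events by source IP."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            by_ip[m["rip"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    return by_ip


def detect(log_text):
    """Return {source_ip: alert} for sources crossing MIN_FAILURES inside WINDOW."""
    alerts = {}
    for rip, events in parse_failures(log_text).items():
        events.sort()
        window = deque()
        for ts, user in events:
            window.append((ts, user))
            while ts - window[0][0] > WINDOW:      # drop events older than the window
                window.popleft()
            if len(window) >= MIN_FAILURES:
                users = {u for _, u in window}
                kind = ("credential_stuffing" if len(users) >= MIN_DISTINCT_USERS
                        else "password_guessing")
                alerts[rip] = {"failures": len(window), "distinct_users": len(users),
                               "kind": kind, "first_seen": window[0][0].isoformat()}
                break                               # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for rip, alert in detect(SAMPLE_LOG).items():
        print(rip, alert)
```

The distinction matters for response: password guessing points at one account to lock and notify, while credential stuffing points at a leaked credential list and is best countered by rate-limiting the source and forcing resets on any account that actually authenticated from it.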
Vulnerabilities Added to CISA KEV Catalog
CISA recently added many vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting critical threats that require immediate attention. These vulnerabilities, if exploited, pose significant risks, from remote code execution to loss of confidentiality. Here's a breakdown of the newly listed vulnerabilities:
Despite being listed as Moderate, CVE-2024-43573 is similar to one Void Banshee used in July, which means it might still be a target for future APT campaigns.
These vulnerabilities affect widely used software and hardware systems, making them high-priority targets for threat actors.
Latest Picks from VMRay Threat Feed
RedLine Stealer: https://www.vmray.com/analyses/719fc2f1cdb5/report/overview.html