SISA Weekly Threat Watch
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations that help security teams take appropriate actions to defend against the latest and most critical threats.
The Domestic Kitten hacking group, also known as APT-C-50, has been found using a new version of the "FurBall" Android spyware to target Iranian citizens in mobile surveillance activities. FurBall is distributed through an Iranian website that offers translated books, journals, and articles; this website is a duplicate of a real Iranian website. The campaign's operators employed a variety of threat vectors, including direct messaging, social media posts, emails, SMS, black SEO, and SEO poisoning, to lure victims.
The most recent malware variant uses code obfuscation techniques, such as obfuscating class names, strings, logs, and server URI routes. This version helps to avoid detection by security software because it requests access only to contacts and storage media. It is recommended to turn on the automatic software update feature, use strong passwords, enforce multi-factor authentication (MFA), and implement a Data Loss Prevention (DLP) solution to prevent data compromise through such attacks.
The new WarHawk backdoor was launched by SideWinder on the official website of the National Electric Power Regulatory Authority (NEPRA), Pakistan. Cobalt Strike is delivered through several malicious WarHawk modules, a few of which use fresh TTPs and check for the Pakistan Standard Time zone to confirm the target before operating. To trick unsuspecting users into executing the payload, the backdoor poses as legitimate applications.
A kill chain that deploys WarHawk is set into motion by the SideWinder APT group using a weaponized ISO file hosted on NEPRA's website. Typically, WarHawk poses as ASUS Update Setup and Realtek HD Audio Manager. Once executed, it exfiltrates system metadata to a hard-coded remote server while receiving additional payloads from the URL. Organizations in the sensitive sectors being targeted must maintain updated software and deploy suitable threat intelligence solutions to take preventative measures against the threat.
Two point-of-sale (POS) malware variants, MajikPOS and Treasure Hunter, have been used by a threat actor to compromise 77,428 and 90,024 unique payment records, respectively, between February and September 2022. These malware families are designed to brute-force their way into a POS terminal after confirming that Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) services exist. RAM-scraping routine: Conhost.exe is the component responsible for RAM scraping, and it uses information from the configuration file for this routine.
MajikPOS checks a sizeable range of card brands, such as American Express, Diners Club, Discover, Maestro, Mastercard, and Visa. After verifying the credit card's track data, the information is sent to the C&C server via HTTP POST with the form field Action="bin". It is recommended to employ endpoint application control or whitelisting to reduce attack exposure. Endpoint solutions that provide both detection and blocking of all the relevant malicious files and C&C traffic must also be deployed.
Drinik Android malware, against which CERT-In had issued a warning earlier in 2021, has once again come to notice due to its upgraded version as an Android banking trojan. It disguises itself as 'iAssist.APK', posing as an application managed by the Income Tax Department, hence deceiving users into believing that it is a legitimate app. Once installed, the malware accesses the victim's SMS messages, call log and file storage, then obtains permission to the accessibility settings, allowing the malware to start screen recording, disable Google Play Protect, execute auto-gestures and capture keystrokes.
The malware then steals the user's credentials by recording the screen and using a keylogger once the actual Indian Income Tax website is loaded via WebView. Once the requested action is taken by clicking the 'Apply' button, the victim is redirected to a phishing page that asks for card details. To prevent such attacks, it is advised to enable biometric authentication for apps, confirm the authenticity of the page URL before using banking credentials on any website, and limit access permissions for all apps.
According to Microsoft, a threat group tracked as DEV-0950 used the Clop ransomware to encrypt a victim's network after it had already been infected by the Raspberry Robin worm. The malware, which initially propagated through external USB drives, now uses various infection techniques and has recently joined forces with other malware families in cyberattacks.
Since September, DEV-0950 has been infecting targets with Raspberry Robin, which then delivers the Clop ransomware and other second-stage payloads like IcedID, Bumblebee, and Truebot. The malicious activity of the hacking groups FIN11 and TA505, which are notorious for their involvement in Clop ransomware attacks, overlaps with that of DEV-0950. It is recommended to keep software and hardware applications up to date and block the IOCs at perimeter firewalls and any other security solution to stay protected from these ransomware attacks.
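The C&C exfiltration shape described above (HTTP POST with Action="bin" carrying verified card track data) lends itself to a network-detection check. The following is an added example, not code from SISA or from any vendor report: it scans constructed proxy records for POST bodies with that field and Luhn-valid track-2 records, masking PANs before reporting. The `Action=bin` field name is from the advisory; the track-2 layout (PAN, "=", YYMM expiry) is the standard magstripe format, and the sample card numbers are industry test numbers.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Track-2 layout as found in RAM-scraped card records: PAN (13-19 digits),
# '=' separator, then YYMM expiry plus service code. Standard magstripe format.
TRACK2_RE = re.compile(r"\b(\d{13,19})=(\d{4})\d*")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum; used only to cut false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def flag_majikpos_post(method: str, body: str) -> Optional[dict]:
    """Return a finding when a POST body matches the MajikPOS exfil shape:
    form field Action=bin together with at least one Luhn-valid track-2 record."""
    if method.upper() != "POST":
        return None
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("Action", [""])[0].lower() != "bin":
        return None
    pans = [m.group(1) for m in TRACK2_RE.finditer(body) if luhn_ok(m.group(1))]
    if not pans:
        return None
    # Never log full PANs: keep BIN (first 6) and last 4 only.
    masked = [p[:6] + "*" * (len(p) - 10) + p[-4:] for p in pans]
    return {"rule": "majikpos-track2-exfil", "card_count": len(pans), "masked_pans": masked}

# Constructed sample proxy records (method, body); PANs are standard test numbers.
SAMPLE_POSTS = [
    ("POST", "Action=bin&data=4111111111111111=25121010000000000"),
    ("POST", "Action=bin&data=4111111111111112=2512101"),   # fails Luhn -> ignored
    ("POST", "Action=login&user=x"),                         # unrelated form post
    ("GET",  "Action=bin&data=4111111111111111=2512"),       # wrong method
]

def scan(posts):
    """Run the check over (method, body) pairs and return the findings."""
    return [f for m, b in posts if (f := flag_majikpos_post(m, b))]

if __name__ == "__main__":
    for finding in scan(SAMPLE_POSTS):
        print(finding)
```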