Weekly Threat Briefing: March 11 - 15, 2024
Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
New BunnyLoader Variant
Palo Alto Networks' Unit 42 has identified a new variant of the BunnyLoader malware. BunnyLoader is a Malware-as-a-Service (MaaS) that has operated since September 2023. BunnyLoader is a loader malware with a variety of modules, including information stealing and keylogging; it is capable of stealing data, credentials, and cryptocurrency, as well as deploying secondary payloads.
The most recent variant of BunnyLoader masquerades as various security products and companies, including the eSentire Agent. The authors behind BunnyLoader have a rapid development cycle, releasing updates frequently to evade detection and improve functionality.
eSentire MDR for Network has a variety of rules in place to identify BunnyLoader. Additionally, the eSentire Threat Response Unit (TRU) is tracking the new variant and has performed threat hunts across the client base. TRU is reviewing the technical details of BunnyLoader for new detection opportunities.
Tax Themed Lures
As the U.S. and Canadian tax season approaches, eSentire has observed a substantial increase in malware being delivered through tax-themed phishing emails. Cybercriminals are exploiting the tax season to trick individuals into opening emails that appear to be from legitimate tax authorities or financial institutions but contain malicious links, leading to malware infections.
These emails have led to infections with various malware families, including GuLoader (which loads RemcosRAT), XWorm, RattyRat, and SorillusRAT, providing threat actors with a variety of functionalities including keylogging, capturing screenshots, audio and webcam recording, file transfer, and remote code execution.
GuLoader is a sophisticated malware loader which has heavily abused tax-themed lures in the past. eSentire’s Threat Response Unit reported on GuLoader around tax season last year in both April and June of 2023. Starting in early March 2024, eSentire has observed an increase in GuLoader incidents resulting in the deployment of the RemcosRAT malware.
Given the increasing sophistication of tax-themed phishing campaigns, organizations should implement proactive email security controls and educate users, during tax season and throughout the year, to reduce the risk of malware infections and protect sensitive information.
Microsoft Update on Russian APT Attack
In January 2024, Microsoft disclosed that the company had been breached by a sophisticated Russian APT group tracked as “Midnight Blizzard” (aka Nobelium, APT29, UNC2452, Cozy Bear). The US and UK have directly attributed Midnight Blizzard to the Foreign Intelligence Service of the Russian Federation (SVR).
The attack was detected by Microsoft on January 12th, 2024, but began in late November 2023. Initial access was established via a password spray attack on a legacy non-production test tenant account which the attackers used to infiltrate a small percentage of Microsoft's corporate email accounts, including those of senior leadership and employees in cybersecurity and legal functions. The attackers exfiltrated emails and attached documents with a focus on information related to Midnight Blizzard itself.
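The initial access technique described above, a password spray against a legacy account, has a recognizable shape in sign-in telemetry: one source fails against many distinct accounts with only one or two attempts each, which is the opposite of a brute force against a single account. The Python below is an added example, not Microsoft's or eSentire's detection logic. It runs over constructed records shaped like an Entra ID sign-in export; the field names (createdDateTime, userPrincipalName, ipAddress, errorCode) and all values are assumptions for this example, and the only real constant relied on is Entra error code 50126 (invalid username or password). It flags any source IP whose failures cover at least five distinct accounts inside a 30-minute window and, for each flagged source, lists the accounts that signed in successfully afterwards, since a spray that lands is the finding that needs immediate response.

```python
"""Password-spray heuristic over sign-in records (added example, not vendor code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in error code for "invalid username or password".
INVALID_CREDENTIALS = 50126

# Constructed sample records resembling an Entra ID sign-in export.
# Field names are assumed for this example; values are invented.
SAMPLE_SIGNINS = [
    # One source, five accounts, one failure each, then a success: spray shape.
    {"createdDateTime": "2024-01-10T02:00:05Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.7", "errorCode": 50126},
    {"createdDateTime": "2024-01-10T02:00:31Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.7", "errorCode": 50126},
    {"createdDateTime": "2024-01-10T02:01:02Z", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.7", "errorCode": 50126},
    {"createdDateTime": "2024-01-10T02:01:40Z", "userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.7", "errorCode": 50126},
    {"createdDateTime": "2024-01-10T02:02:15Z", "userPrincipalName": "erin@example.com", "ipAddress": "203.0.113.7", "errorCode": 50126},
    {"createdDateTime": "2024-01-10T02:02:50Z", "userPrincipalName": "legacytest@example.com", "ipAddress": "203.0.113.7", "errorCode": 0},
    # One source, one account, repeated failures: brute force, not a spray.
    {"createdDateTime": "2024-01-10T02:10:00Z", "userPrincipalName": "frank@example.com", "ipAddress": "198.51.100.5", "errorCode": 50126},
    {"createdDateTime": "2024-01-10T02:11:00Z", "userPrincipalName": "frank@example.com", "ipAddress": "198.51.100.5", "errorCode": 50126},
    {"createdDateTime": "2024-01-10T02:12:00Z", "userPrincipalName": "frank@example.com", "ipAddress": "198.51.100.5", "errorCode": 50126},
    {"createdDateTime": "2024-01-10T02:13:00Z", "userPrincipalName": "frank@example.com", "ipAddress": "198.51.100.5", "errorCode": 0},
    # Ordinary successful sign-in.
    {"createdDateTime": "2024-01-10T02:20:00Z", "userPrincipalName": "grace@example.com", "ipAddress": "192.0.2.44", "errorCode": 0},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window=timedelta(minutes=30), min_users=5):
    """Return {ip: finding} for sources whose failed sign-ins span at least
    `min_users` distinct accounts within any `window`-long sliding window.

    Each finding carries the peak distinct-account count and the accounts that
    signed in successfully from that source at or after the first failure.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ipAddress"]].append(
            (parse_ts(r["createdDateTime"]), r["userPrincipalName"], r["errorCode"])
        )

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [e for e in events if e[2] == INVALID_CREDENTIALS]
        if not failures:
            continue

        # Sliding window anchored on each failure: how many distinct accounts
        # were tried within `window` of it?
        peak = 0
        for i, (t0, _, _) in enumerate(failures):
            users = {u for t, u, _ in failures[i:] if t - t0 <= window}
            peak = max(peak, len(users))

        if peak >= min_users:
            first_failure = failures[0][0]
            hits = sorted({u for t, u, code in events if code == 0 and t >= first_failure})
            findings[ip] = {"distinct_users": peak, "successful_after_spray": hits}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_SIGNINS).items():
        print(ip, finding)
```

The thresholds are tuning knobs, not fixed truths: lower `min_users` on a small tenant, widen `window` for a slow spray. Grouping by source IP alone is the weak point, because an actor spreading a spray across many residential or proxy addresses never trips a per-IP count; in practice key the same heuristic on ASN or user-agent as well, and treat any success on a legacy, test or non-production account from a flagged source as a priority incident rather than a closed alert.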
On March 8th, Microsoft shared additional details on the breach, including secondary attacks attributed to the group. Microsoft identified “evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access.”
Midnight Blizzard and other sophisticated threat actors view organizations like Microsoft as very high-value targets. Microsoft technology is pervasive worldwide, meaning that a breach may not only provide access to sensitive information, but it may enable future attacks or even access to other organizations.
Despite the publication of recent attacks, the eSentire Threat Response Unit (TRU) assesses with high confidence that Midnight Blizzard activity will continue, with new attacks against both government organizations and technology companies.
About the eSentire Threat Response Unit (TRU)
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.