New Immediate Threats!

Every week, new cyber threats appear worldwide. As soon as a threat becomes known, the Cymulate Research Lab analyzes and replicates it so that the sting can be taken out. This de-weaponized threat is available within 48 hours for offensively testing the resilience of your security controls. That way you know immediately whether your security measures are still adequate and which rules you may need to apply.

New Immediate Threats is part of the Cymulate platform.

Want to know more, or would you like a demo or a trial? Send your question to udo.messack@cert2connect.com

Below are the Immediate Threats from the past few weeks.

Cert2Connect

Immediate Threats

    • Latrodectus Rapid Evolution Continues With Latest New Payload Features

      This report discusses the latest updates to the Latrodectus malware, including a different string deobfuscation approach, a new C2 endpoint and two new backdoor commands. It provides an in-depth analysis of the new version 1.4, focusing on the features added or updated in this variant. The report examines the obfuscation techniques used, the deobfuscation process, the C2 communication and the new commands introduced.

      See our solution
    • Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads

      Multiple Microsoft Office documents generated by the MacroPack framework have been discovered, likely used by malicious actors to deploy various payloads. These documents, uploaded to VirusTotal between May and July 2024, originated from different countries, including China, Pakistan, Russia and the U.S. The payloads include the Havoc and Brute Ratel post-exploitation frameworks as well as a new variant of the PhantomCore remote access trojan. The MacroPack-generated code employs various obfuscation techniques to evade detection. The documents feature different lures, ranging from generic instructions to military-themed content. While the specific threat actors remain unidentified, the analysis reveals distinct clusters based on lure themes, payload types and command-and-control infrastructure.

      See our solution
    • State-backed attackers and commercial surveillance vendors repeatedly use the same exploits

      Google's Threat Analysis Group (TAG) uncovered in-the-wild exploit campaigns targeting Mongolian government websites between November 2023 and July 2024. TAG attributes the attacks to the Russian government-backed actor APT29, tracked by Microsoft as Midnight Blizzard. The attackers used exploits similar to those used by the commercial surveillance vendors Intellexa and NSO Group.

      See our solution
    • Emansrepo Stealer Multi-Vector Attack Chains

      A Python infostealer named Emansrepo has been observed since November 2023, distributed via phishing emails containing fake purchase orders and invoices. The malware steals browser data, credit card information and files, sending them to the attackers' email. The attack chain has evolved and become more complex, with multiple stages before Emansrepo is downloaded. Three main attack chains are described, involving HTML files, AutoIt scripts and PowerShell commands. The stealer's behavior is divided into three parts, each targeting a different type of data. A new related campaign using the Remcos malware has also been identified. The attackers continuously evolve their methods, which underlines the importance of cybersecurity awareness for organizations.

      See our solution
    • ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit

      A cyber espionage campaign using the ToneShell backdoor, associated with Mustang Panda, has been detected targeting attendees of the 2024 IISS Defence Summit in Prague. The attack uses a malicious PIF file masquerading as summit documents, which drops SFFWallpaperCore.exe and libemb.dll. The malware establishes persistence through registry Run keys and scheduled tasks, and communicates with a C2 server in Hong Kong over raw TCP that mimics TLS. The campaign highlights the intersection of cyber espionage and international strategy, aiming to infiltrate sensitive defense discussions. Analysis revealed connections to previously reported APT-Q-27 activity and potential links to other infrastructure through shared RDP certificates.

      See our solution
    • US CERT Alert - Russian Military Targets US and Global Critical Infrastructure

      The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups such as Unit 26165 and Unit 74455.

      See our solution
    • Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool

      Cybercriminals are employing a sophisticated two-stage malware campaign masquerading as the Palo Alto GlobalProtect tool to infiltrate systems in the Middle East. The malware uses a command-and-control infrastructure built on newly registered domains designed to resemble legitimate VPN portals. It uses the Interactsh project for beaconing and stays stealthy through encryption and sandbox-evasion techniques, enabling remote code execution, payload deployment and data exfiltration on compromised hosts.

      See our solution
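The ToneShell item above names two dropped files (SFFWallpaperCore.exe and libemb.dll) and two persistence mechanisms (registry Run keys and scheduled tasks), which is enough to hunt for on an endpoint. The following is an added example written for this page; it is not code from Cymulate, Cert2Connect or the cited report. It scans exported autorun records for those two file names and, as an added lower-confidence heuristic that is not from the summary, flags autoruns launched from user-writable directories. The record tuples, paths, task names and user name are constructed sample data; only the two file names come from the summary.

```python
"""Hunt exported Windows autorun records for the ToneShell artifacts named in the
summary (SFFWallpaperCore.exe, libemb.dll). Added example; the records below are
constructed sample data, not telemetry from the reported campaign."""
import re
from dataclasses import dataclass

# File names from the summary. Everything else (paths, task names) is assumed.
IOC_FILENAMES = {"sffwallpapercore.exe", "libemb.dll"}

# Lower-confidence heuristic (not from the summary): autoruns that launch from
# user-writable locations are where droppers like this typically land.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

# Matches a path or bare file name ending in .exe or .dll inside a command line.
BINARY_TOKEN = re.compile(r"[\w\-.%:\\/]+\.(?:exe|dll)", re.IGNORECASE)


@dataclass
class Finding:
    source: str      # "run_key" or "scheduled_task"
    location: str    # registry value path or scheduled-task path
    command: str     # the command line that would execute
    verdict: str     # "ioc" (named dropped file) or "user_writable" (heuristic)
    matched: str     # the file name or path that triggered the verdict


# Constructed sample records in the shape (source, location, command), as one
# would assemble from `reg query ...\CurrentVersion\Run` and `schtasks /query /v`.
SAMPLE_RECORDS = [
    ("run_key",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("run_key",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SFFWallpaper",
     r"C:\Users\jdoe\AppData\Roaming\SFFWallpaperCore.exe"),
    ("scheduled_task",
     r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     r"%systemroot%\system32\usoclient.exe StartScan"),
    ("scheduled_task",
     r"\SFFWallpaperUpdate",
     r"rundll32.exe C:\Users\jdoe\AppData\Roaming\libemb.dll,Start"),
]


def _normalize(token: str) -> str:
    """Lower-case and unify separators so path checks are case- and slash-insensitive."""
    return token.replace("/", "\\").lower()


def classify(command: str):
    """Return ("ioc", name), ("user_writable", token) or None for one command line.

    IOC matches take priority: a known dropped file name is reported even when it
    also sits in a user-writable directory (as both ToneShell samples here do).
    """
    tokens = BINARY_TOKEN.findall(command)
    for token in tokens:
        name = _normalize(token).rsplit("\\", 1)[-1]
        if name in IOC_FILENAMES:
            return "ioc", name
    for token in tokens:
        if any(marker in _normalize(token) for marker in USER_WRITABLE_MARKERS):
            return "user_writable", token
    return None


def hunt(records):
    """Run classify() over (source, location, command) records; return Findings."""
    findings = []
    for source, location, command in records:
        verdict = classify(command)
        if verdict is not None:
            findings.append(Finding(source, location, command, verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"[{f.verdict:>13}] {f.source:<14} {f.location}")
        print(f"{'':17}-> {f.matched}")
```

On a real host the records would come from `reg query` of the Run and RunOnce keys and from `schtasks /query /fo csv /v`. The user-writable heuristic is deliberately noisy (the OneDrive sample is flagged even though it legitimately runs from AppData) and is meant for triage, not for blocking; the two IOC matches are the findings worth escalating.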