Malware targeting government organizations

May 27 2024

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that wishes all our UK readers a happy Spring bank holiday πŸ–οΈπŸŽ‰πŸ˜Ž

Today’s hottest cybersecurity news stories:

  • 🌏 ASEAN countries targeted by BLOODALCHEMY malware πŸ§›

  • πŸšͺ RustDoor infiltrates JAVS courtroom recording software πŸ‘¨β€βš–οΈ

  • πŸ“± Windows, Android users beware of fake anti-virus websites 🎭 

BLOOD, stealth, and fears 😱😱😱

🚨 BLOODALCHEMY Malware: The Updated Threat πŸ›‘οΈ

Cybersecurity researchers have identified BLOODALCHEMY, a malware targeting government organizations in Southern and Southeastern Asia, as an updated version of Deed RAT, a successor to ShadowPad.

ShadowPad Origins 🧩

"The origin of BLOODALCHEMY and Deed RAT is ShadowPad," noted ITOCHU Cyber & Intelligence. ShadowPad has been used in numerous APT campaigns, making it crucial to monitor this malware closely.

First Discovery πŸ•΅οΈβ€β™‚οΈ

Elastic Security Labs first documented BLOODALCHEMY in October 2023, linked to a campaign by REF5961 targeting ASEAN countries. BLOODALCHEMY is a simple x86 backdoor written in C, injected into a benign process using DLL side-loading. It can gather host information, load additional payloads, and uninstall itself.

Infection Method ☣️

Attackers gain initial access by compromising a maintenance account on a VPN device, then deploy BrDifxapi.exe to sideload BrLogAPI.dll. This loader executes BLOODALCHEMY shellcode in memory, evading sandbox analysis, setting up persistence, and establishing contact with a remote server.

Code Similarities πŸ”

ITOCHU found code similarities between BLOODALCHEMY and Deed RAT, which is linked to the Space Pirates threat actor and viewed as the next iteration of ShadowPad. Both share unique data structures and shellcode loading processes.

Chinese Nexus 🌐

ShadowPad and PlugX have been used extensively by China-linked hacking groups. Leaks from Chinese state contractor I-Soon indicate that similar tools are used across multiple campaigns, suggesting centralised oversight of tools and techniques.

Ongoing Threat πŸš€

Sharp Dragon (formerly Sharp Panda), a China-linked threat actor, has expanded its targeting to include government organisations in Africa and the Caribbean, highlighting the persistent and evolving nature of these cyber threats.

Stay informed and secure! πŸ”’πŸ’‘

It’s a revolving RustDoor of cybercrime πŸ’€πŸ’€πŸ’€

🚨 Malicious Actors Compromise JAVS Software with RustDoor Malware 🦠

Cybersecurity experts have discovered that the installer for Justice AV Solutions (JAVS) courtroom video recording software has been backdoored to deliver RustDoor malware.

Vulnerability Details πŸ”’

The attack, tracked as CVE-2024-4978 (CVSS score: 8.7), affects JAVS Viewer v8.3.7, used for managing digital recordings of courtroom proceedings. The compromised installer, "JAVS Viewer Setup 8.3.7.250-1.exe," was downloaded from the official JAVS site on March 5, 2024.

Rapid7's Findings πŸ”

Rapid7 initiated an investigation after finding a malicious executable "fffmpeg.exe" in the software's Windows installation folder. This file, signed by "Vanguard Tech Limited" instead of "Justice AV Solutions Inc," executed encoded PowerShell scripts and contacted a command-and-control (C&C) server.

Malware Capabilities βš™οΈ

The malware:

  • Uses Windows sockets and WinHTTP requests to communicate with the C&C server.

  • Runs obfuscated PowerShell scripts to bypass AMSI and disable ETW.

  • Downloads an additional payload posing as a Google Chrome installer ("chrome_installer.exe").

  • Drops Python scripts and another executable ("main.exe") to gather web browser credentials.

RustDoor Malware 🦠

RustDoor, initially targeting macOS devices, now has a Windows version named GateDoor. Both versions are disguised as legitimate software updates. RustDoor is linked to the ransomware-as-a-service (RaaS) affiliate, ShadowSyndicate, suggesting possible collaboration in providing infrastructure for other threat actors.

JAVS' Response 🚨

JAVS pulled the impacted version, reset passwords, and audited its systems. The company confirmed that no JAVS source code, certificates, or other software releases were compromised.

Top Tips πŸ›‘οΈ

Users should:

  • Verify JAVS digital signatures on software.

  • Check for indicators of compromise (IoCs).

  • Re-image infected endpoints and reset credentials.

  • Update to the latest JAVS Viewer version.

Stay vigilant and ensure your systems are secure! πŸ”’πŸ”

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with Presspool.ai! πŸš€ Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." πŸ€“πŸ’‘ That’s us, alright! 🀡 How about you? Visionary AI executive, much? πŸ‘€

And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too which is sure to help you make the most of our new artificial overlords and put them to work for your business πŸ€–πŸ‘©β€πŸ’»πŸŒ

Rest assured, the process is very straightforward.

You simply:

πŸ†• Sign Up & Create Campaign

πŸ“Š Define your audience, budget, and message to captivate your audience.

πŸš€ Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

πŸ•΅οΈ Finally, you leverage real-time analytics to track performance and refine future strategies. πŸ“ˆ Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦

Presspool.aiΒ πŸ“°πŸŠπŸ€– may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters πŸ˜‰

Hackers see Windows of opportunity in Android πŸ’»πŸ“±πŸ‘€

🚨 Threat Actors Use Fake Antivirus Websites to Spread Malware 🦠

Cybersecurity researchers have uncovered a malicious campaign where threat actors create fake websites masquerading as legitimate antivirus solutions to spread malware targeting both Android and Windows devices.

Key Findings πŸ”

Fake Antivirus Websites Identified:

avast-securedownload[.]com: Distributes the SpyNote trojan as an Android package file ("Avast.apk"). This malware requests intrusive permissions, including reading SMS messages and call logs, installing and deleting apps, taking screenshots, tracking location, and mining cryptocurrency.

bitdefender-app[.]com: Delivers a ZIP archive file ("setup-win-x86-x64.exe.zip") containing the Lumma information stealer malware.

malwarebytes[.]pro: Provides a RAR archive file ("MBSetup.rar") that instals the StealC information stealer malware.

Malicious Techniques βš™οΈ

Trellix Binary: A rogue Trellix binary named "AMCoreDat.exe" was found, which drops a stealer malware capable of harvesting and exfiltrating browser data and other victim information to a remote server.

Distribution Methods: The exact distribution methods for these fake websites remain unclear, but similar campaigns have used malvertising and search engine optimization (SEO) poisoning.

Growing Threat of Stealer Malware πŸ“ˆ

Stealer Malware Varieties: Cybercriminals are increasingly advertising custom stealer malware variants. Notable examples include Acrid, SamsStealer, ScarletStealer, and Waltuhium Grabber, as well as updates to existing malware like SYS01stealer (aka Album Stealer or S1deload Stealer).

Market Demand: The frequent emergence of new stealers and their varying sophistication levels indicate a robust criminal market demand for such malware .

Top Tips πŸ›‘οΈ

Verify Source: Ensure antivirus software is downloaded directly from the official vendor's website.

Check Digital Signatures: Always verify the digital signatures of software before installation.

Maintain Cyber Hygiene: Regularly update your security software and stay informed about the latest cybersecurity threats.

These findings highlight the sophisticated methods cybercriminals use to target consumers looking to protect their devices. Staying vigilant and adhering to cybersecurity best practices is crucial in mitigating these threats.

For more detailed information, refer to the full report from Trellix.

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • πŸ’΅Β Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for πŸ†“

  • πŸ“ˆΒ Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πŸ‘Ύ

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

Recent articles