May 27 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that wishes all our UK readers a happy Spring bank holiday
Today's hottest cybersecurity news stories:
ASEAN countries targeted by BLOODALCHEMY malware
RustDoor infiltrates JAVS courtroom recording software
Windows, Android users beware of fake anti-virus websites
Cybersecurity researchers have identified BLOODALCHEMY, a malware targeting government organizations in Southern and Southeastern Asia, as an updated version of Deed RAT, a successor to ShadowPad.
ShadowPad Origins
"The origin of BLOODALCHEMY and Deed RAT is ShadowPad," noted ITOCHU Cyber & Intelligence. ShadowPad has been used in numerous APT campaigns, making it crucial to monitor this malware closely.
First Discovery
Elastic Security Labs first documented BLOODALCHEMY in October 2023, linked to a campaign by REF5961 targeting ASEAN countries. BLOODALCHEMY is a simple x86 backdoor written in C, injected into a benign process using DLL side-loading. It can gather host information, load additional payloads, and uninstall itself.
Infection Method
Attackers gain initial access by compromising a maintenance account on a VPN device, then deploy BrDifxapi.exe to sideload BrLogAPI.dll. This loader executes BLOODALCHEMY shellcode in memory, evading sandbox analysis, setting up persistence, and establishing contact with a remote server.
Code Similarities
ITOCHU found code similarities between BLOODALCHEMY and Deed RAT, which is linked to the Space Pirates threat actor and viewed as the next iteration of ShadowPad. Both share unique data structures and shellcode loading processes.
Chinese Nexus
ShadowPad and PlugX have been used extensively by China-linked hacking groups. Leaks from Chinese state contractor I-Soon indicate that similar tools are used across multiple campaigns, suggesting centralised oversight of tools and techniques.
Ongoing Threat
Sharp Dragon (formerly Sharp Panda), a China-linked threat actor, has expanded its targeting to include government organisations in Africa and the Caribbean, highlighting the persistent and evolving nature of these cyber threats.
Stay informed and secure!
Cybersecurity experts have discovered that the installer for Justice AV Solutions (JAVS) courtroom video recording software has been backdoored to deliver RustDoor malware.
Vulnerability Details
The attack, tracked as CVE-2024-4978 (CVSS score: 8.7), affects JAVS Viewer v8.3.7, used for managing digital recordings of courtroom proceedings. The compromised installer, "JAVS Viewer Setup 8.3.7.250-1.exe," was downloaded from the official JAVS site on March 5, 2024.
Rapid7's Findings
Rapid7 initiated an investigation after finding a malicious executable "fffmpeg.exe" in the software's Windows installation folder. This file, signed by "Vanguard Tech Limited" instead of "Justice AV Solutions Inc," executed encoded PowerShell scripts and contacted a command-and-control (C&C) server.
Malware Capabilities
The malware:
Uses Windows sockets and WinHTTP requests to communicate with the C&C server.
Runs obfuscated PowerShell scripts to bypass AMSI and disable ETW.
Downloads an additional payload posing as a Google Chrome installer ("chrome_installer.exe").
Drops Python scripts and another executable ("main.exe") to gather web browser credentials.
RustDoor Malware
RustDoor, initially targeting macOS devices, now has a Windows version named GateDoor. Both versions are disguised as legitimate software updates. RustDoor is linked to the ransomware-as-a-service (RaaS) affiliate, ShadowSyndicate, suggesting possible collaboration in providing infrastructure for other threat actors.
JAVS' Response
JAVS pulled the impacted version, reset passwords, and audited its systems. The company confirmed that no JAVS source code, certificates, or other software releases were compromised.
Top Tips
Users should:
Verify JAVS digital signatures on software.
Check for indicators of compromise (IoCs).
Re-image infected endpoints and reset credentials.
Update to the latest JAVS Viewer version.
Stay vigilant and ensure your systems are secure!
Stay ahead of the curve with Presspool.ai! Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." That's us, alright! How about you? Visionary AI executive, much?
And if the newsletter gets your motor running, you can take a butcher's at their AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business.
Rest assured, the process is very straightforward.
You simply:
Sign Up & Create Campaign
Define your audience, budget, and message to captivate your audience.
Launch your campaign, as Presspool's AI matches it with ideal newsletter audiences for optimal reach and conversions.
Finally, you leverage real-time analytics to track performance and refine future strategies. Elevate your marketing game and stay informed with Presspool.ai! Simples!
Presspool.ai may just have what you need to succeed. And if the product isn't for you, the newsletter alone is a gamechanger. And we know newsletters.
Cybersecurity researchers have uncovered a malicious campaign where threat actors create fake websites masquerading as legitimate antivirus solutions to spread malware targeting both Android and Windows devices.
Key Findings
Fake Antivirus Websites Identified:
avast-securedownload[.]com: Distributes the SpyNote trojan as an Android package file ("Avast.apk"). This malware requests intrusive permissions, including reading SMS messages and call logs, installing and deleting apps, taking screenshots, tracking location, and mining cryptocurrency.
bitdefender-app[.]com: Delivers a ZIP archive file ("setup-win-x86-x64.exe.zip") containing the Lumma information stealer malware.
malwarebytes[.]pro: Provides a RAR archive file ("MBSetup.rar") that instals the StealC information stealer malware.
Malicious Techniques
Trellix Binary: A rogue Trellix binary named "AMCoreDat.exe" was found, which drops a stealer malware capable of harvesting and exfiltrating browser data and other victim information to a remote server.
Distribution Methods: The exact distribution methods for these fake websites remain unclear, but similar campaigns have used malvertising and search engine optimization (SEO) poisoning.
Growing Threat of Stealer Malware
Stealer Malware Varieties: Cybercriminals are increasingly advertising custom stealer malware variants. Notable examples include Acrid, SamsStealer, ScarletStealer, and Waltuhium Grabber, as well as updates to existing malware like SYS01stealer (aka Album Stealer or S1deload Stealer).
Market Demand: The frequent emergence of new stealers and their varying sophistication levels indicate a robust criminal market demand for such malware.
Top Tips
Verify Source: Ensure antivirus software is downloaded directly from the official vendor's website.
Check Digital Signatures: Always verify the digital signatures of software before installation.
Maintain Cyber Hygiene: Regularly update your security software and stay informed about the latest cybersecurity threats.
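The "check digital signatures" tip here and the "verify JAVS digital signatures" tip in the RustDoor story above come down to the same test, and the JAVS case shows why it is not just "is the file signed" but "is it signed by the publisher you expect": the backdoored installer carried a valid-looking signature from "Vanguard Tech Limited" rather than the vendor. The PowerShell below is an added example, not code from the newsletter, Rapid7 or JAVS; the install directory and the expected subject name (taken from the article's wording "Justice AV Solutions Inc") are assumptions you would adjust for your own vendor.

```powershell
# Added example: verify Authenticode signatures under an install directory and
# flag files that are unsigned, tampered, or signed by an unexpected publisher.
# Requires Windows PowerShell (Get-AuthenticodeSignature is Windows-only).

function Test-ExpectedSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubjectCN
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Result = 'MissingFile'; Signer = $null }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than Valid means unsigned, hash mismatch, or untrusted chain.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Result = "Signature$($sig.Status)"; Signer = $null }
    }

    # Pull the CN of the signing certificate and compare it with the vendor name.
    $signer = $sig.SignerCertificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # A valid signature from the wrong publisher is exactly the JAVS case:
    # the file was signed, just not by the vendor you installed.
    if ($signer -ne $ExpectedSubjectCN) {
        return [pscustomobject]@{ Path = $Path; Result = 'UnexpectedSigner'; Signer = $signer }
    }

    [pscustomobject]@{ Path = $Path; Result = 'OK'; Signer = $signer }
}

# Assumed install directory and expected signer; change both for your environment.
$installDir = 'C:\Program Files (x86)\JAVS'
$expected   = 'Justice AV Solutions Inc'

Get-ChildItem -LiteralPath $installDir -Recurse -Include *.exe, *.dll |
    ForEach-Object { Test-ExpectedSigner -Path $_.FullName -ExpectedSubjectCN $expected } |
    Where-Object { $_.Result -ne 'OK' } |
    Format-Table -AutoSize
```

Run it as part of a post-install or incident triage check; any row it prints is a file that should be re-downloaded from the vendor or pulled for analysis before the endpoint is trusted.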
These findings highlight the sophisticated methods cybercriminals use to target consumers looking to protect their devices. Staying vigilant and adhering to cybersecurity best practices is crucial in mitigating these threats.
For more detailed information, refer to the full report from Trellix.
ποΈ Extra, Extra! Read all about it! ποΈ
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
π‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday π
π΅Β Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for π
πΒ Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πΎ
Let us know what you think.
So long and thanks for reading all the phish!