New malware variant has stealth mode.

Mar 09 2023

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s more opinionated than a Gary Lineker tweet. 

Today’s hottest cyber security stories:

  • Super sneaky Sharp Panda spear-phishing scam features stealth mode
  • No silver lining here: Hackers are learning how to breach the cloud
  • New “Colour-Blind RAT” malware is robbing victims blind

ALL WE HEAR IS ‘RADIO SILENCE’

Sneaky sons of bitches, these Chinese hackers are. So, here’s the latest…

There’s a hacking group called Sharp Panda that’s been wreaking havoc on government entities and the like across Southeast Asia with attacks taking place in Vietnam, Thailand, and Indonesia.

The group reckons itself activists engaging in cyberespionage and has been utilising the infamous ‘Soul’ malware framework, but with a twist…

I’ve got Soul but I’m not a Malware

Upon execution, the main module of the Soul malware establishes a connection with its command-and-control (C2) server and waits for additional modules that extend its functionality.

The new version features a “radio silence” mode which allows the threat actors to specify the hours of the week during which the backdoor should not communicate with the C2 server, likely to evade detection during the victim’s working hours.
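A defender-side way to look for that kind of scheduled quiet window in your own proxy or firewall logs, as an added example that is not part of the original newsletter or of Check Point’s research: bucket outbound connections per source/destination pair into weekday-hour slots and flag pairs that beacon steadily except for a recurring block of hours. The log format, the IP addresses and the Monday-to-Friday 08:00–17:59 gap are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, "<ISO timestamp> <src> <dst>", covering two weeks.
# 10.0.0.5 beacons hourly but goes quiet Mon-Fri 08:00-17:59 (radio silence);
# 10.0.0.7 beacons hourly around the clock and should not be flagged.
def _build_sample_log():
    lines = []
    t = datetime(2023, 2, 20, 0, 0)  # a Monday
    for _ in range(14 * 24):
        silent = t.weekday() < 5 and 8 <= t.hour < 18
        if not silent:
            lines.append(f"{t.isoformat()} 10.0.0.5 203.0.113.9")
        lines.append(f"{t.isoformat()} 10.0.0.7 198.51.100.2")
        t += timedelta(hours=1)
    return lines

SAMPLE_LOG = _build_sample_log()

def weekly_activity(lines):
    """Map (src, dst) -> set of (weekday, hour) slots with at least one connection."""
    slots = defaultdict(set)
    for line in lines:
        ts, src, dst = line.split()
        t = datetime.fromisoformat(ts)
        slots[(src, dst)].add((t.weekday(), t.hour))
    return slots

def find_quiet_windows(lines, min_active=100):
    """Return {(src, dst): sorted silent (weekday, hour) slots} for pairs that are
    active in most of the 168 weekly slots yet never seen in some of them.
    Pairs active in every slot, or in too few to judge, are skipped."""
    results = {}
    for pair, active in weekly_activity(lines).items():
        silent = [(d, h) for d in range(7) for h in range(24) if (d, h) not in active]
        if len(active) >= min_active and silent:
            results[pair] = silent
    return results

def describe_window(silent):
    """Collapse silent slots into per-weekday hour ranges, e.g. {0: [(8, 18)]}."""
    by_day = defaultdict(list)
    for d, h in sorted(silent):
        runs = by_day[d]
        if runs and runs[-1][1] == h:      # extend the current contiguous run
            runs[-1] = (runs[-1][0], h + 1)
        else:
            runs.append((h, h + 1))
    return dict(by_day)

if __name__ == "__main__":
    for pair, silent in find_quiet_windows(SAMPLE_LOG).items():
        print(pair, describe_window(silent))
```

Real beacons add jitter and real logs contain legitimate business-hours-only traffic, so treat a hit as a lead to correlate with process and destination reputation data rather than a verdict on its own.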

A brief history of Sharp Panda 

In 2021, a report was published on a previously undisclosed toolset used by Sharp Panda, a long-running Chinese cyber-espionage operation targeting Southeast Asian government entities. 

Since then, researchers have tracked the use of these tools across several operations in multiple Southeast Asian countries, in particular nations with similar territorial claims or strategic infrastructure projects such as Vietnam, Thailand, and Indonesia.

Check Point Research said: “This is an advanced OpSec feature that allows the actors to blend their communication flow into general traffic and decrease the chances of network communication being detected.”

So yeah, beware of the silent but deadly…

CLOUDY WITH A CHANCE OF PHISH STICKS

Gone Phishing is here to give you nothing but the straight undiluted facts when it comes to the risks that now come with utilising cloud storage. Prepare to have your minds blown whilst we hit you with some knowledge… 

FYI, these are highlights of a report released by CrowdStrike last week: 

  • Attacks exploiting cloud systems nearly doubled in 2022
  • The number of hacking groups that can target the cloud tripled last year
  • A wide-reaching ransomware attack last month targeted a vulnerability in a popular VMware machine used in cloud systems, leaving thousands of systems vulnerable
  • Bloomberg reported last month that the recent exposure of roughly a terabyte of Pentagon emails was likely due to a cloud configuration error

Adam Meyers, senior vice president of intelligence at CrowdStrike, had the following to say on the subject of cloud computing and whether large organisations are doing enough to combat crime:

“As more organizations are moving into the cloud, it becomes a much more attractive target for these threat actors, and they’re spending more time and resources trying to get into that environment.”

“Everybody is doing it. We’ve seen 17-year-olds, and we’ve seen the Russian SVR.”

45% of the organizations that faced a cloud security incident experienced at least four attacks during that period, the research found. 

During traditional attacks targeting onsite servers, malicious hackers typically need their own port-scanning tools to detect what systems are in an enterprise and where the weak, exploitable spots are.

Meyers added: “You’ve created a Mentos of security: crunchy on the outside, soft and chewy on the inside.”

“Most organizations also fail to update their legacy cybersecurity tools to spot those cloud configuration errors.”

Organisations basically need to make sure that, as IT spending on the cloud continues to grow, their security levels increase accordingly to ensure threat actors don’t rain on their parade.

So, as long as they do that, the hackers will be left dead in the water. 

There you go, we found our silver lining after all! 

WHAT DO YOU GET WHEN YOU CROSS A COLOUR-BLIND RAT WITH A PYTHON?

A nasty strain of malware, evidently. First things first. What the hell is a RAT? We’re guessing not literally an optically impaired rodent that’s gnawing on cables, causing cyber disruption the old-fashioned way. That would be funny. But no.

RAT stands for Remote Access Trojan. RAT malware is designed to allow an attacker to remotely control an infected computer. Once the RAT is running on a compromised system, the attacker can send commands to it and receive data back in response. So, much like their living, breathing counterparts, RATs are bad news.

And the Colour-Blind part? 

Recently, researchers have identified a malicious PyPI (Python, hence the headline) package that delivers a fully featured information stealer and remote access trojan dubbed Colour-Blind. Ah, makes sense. 

To stay protected, users are urged to exercise caution when downloading and running any packages and double-check the reviews and author details. The usual stuff, basically.

So, when using the internet, watch out for rats and pythons. Just like in real life. We should print some variation of that on a t-shirt. Stellar advice.

So long and thanks for reading all the phish!
