Threat Pulse – August 2024
Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats.
If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.
DigitalXRAID’s SOC analysts constantly monitor for zero-day threats and update our signature databases using the largest Open Threat Exchange database available.
New Voldemort Malware Abuses Google Sheets to Store Stolen Data
A sophisticated malware campaign, dubbed “Voldemort”, is targeting organisations worldwide by impersonating tax authorities in Europe, Asia, and the US.
The malware is a custom backdoor written in C, designed for data exfiltration and deploying additional malicious payloads. The attack utilises Google Sheets for command and control (C2) communications.
The Voldemort malware is delivered via phishing emails in which the threat actors are impersonating tax agencies including the US Internal Revenue Service (IRS), the UK’s HM Revenue & Customs, and France’s Direction Générale des Finances Publiques, among others.
Unveiling “sedexp”: A Stealthy Linux Malware Exploiting udev Rules
A stealthy Linux malware named “sedexp” has been evading detection since 2022 by using a persistence technique not yet included in the MITRE ATT&CK framework.
The malware provides attackers with reverse shell capabilities and uses udev rules to maintain persistence. udev is a device management system for the Linux kernel, responsible for managing device nodes in the /dev directory.
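Because udev rules can run a program whenever a matching device event occurs, a defender's first check is to audit every RUN directive in the rules directories and flag anything that points outside the normal udev and system paths. The script below is an added example written for this bulletin, not code from DigitalXRAID or from the sedexp research; the rule files it parses are constructed samples, and the "trusted" and "suspicious" path lists are assumptions you should tune to your own distribution.

```python
import os
import re
import shlex
from pathlib import PurePosixPath

# Constructed sample rule files (not real sedexp artefacts): one benign, one suspicious.
SAMPLE_RULES = {
    "/etc/udev/rules.d/60-persistent-storage.rules":
        'ACTION=="add", SUBSYSTEM=="block", RUN+="/usr/lib/udev/blkid_probe %k"\n',
    "/etc/udev/rules.d/99-local.rules":
        '# constructed example of rules that run attacker-chosen programs on device events\n'
        'ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/lib/.hidden/runner"\n'
        'ACTION=="add", KERNEL=="sda*", RUN+="/bin/sh -c \'/tmp/payload &\'"\n',
}

# Assumed baseline: where udev helpers normally live on common distributions.
TRUSTED_PREFIXES = ("/usr/lib/udev/", "/lib/udev/", "/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/")
# Assumed: locations an unprivileged or transient process can write to.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}

# One udev assignment: KEY, optional {attr}, operator, double-quoted value.
ASSIGN_RE = re.compile(r'([A-Z_]+)(?:\{[^}]*\})?\s*(==|!=|\+=|-=|:=|=)\s*"((?:[^"\\]|\\.)*)"')


def parse_rule_line(line):
    """Split one rule line into (key, operator, value) triples."""
    return ASSIGN_RE.findall(line)


def audit_rule_text(path, text):
    """Return a finding for every RUN directive that looks out of place."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for key, op, value in parse_rule_line(line):
            if key != "RUN" or op not in ("+=", "=", ":="):
                continue
            try:
                argv = shlex.split(value)
            except ValueError:
                argv = value.split()
            if not argv:
                continue
            program = argv[0]
            parts = PurePosixPath(program).parts
            reasons = []
            if program.startswith("/") and not program.startswith(TRUSTED_PREFIXES):
                reasons.append("program outside trusted udev/system directories")
            if any(arg.startswith(SUSPICIOUS_PREFIXES) for arg in argv):
                reasons.append("references a temp or user-writable location")
            if any(part.startswith(".") for part in parts):
                reasons.append("hidden path component")
            if PurePosixPath(program).name in INTERPRETERS:
                reasons.append("rule invokes a shell/interpreter")
            if reasons:
                findings.append({"file": path, "line": lineno, "rule": line,
                                 "program": program, "reasons": reasons})
    return findings


def audit_udev_rules(dirs=("/etc/udev/rules.d", "/usr/lib/udev/rules.d", "/lib/udev/rules.d")):
    """Audit every *.rules file in the given directories on a live host."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for entry in sorted(os.scandir(d), key=lambda e: e.name):
            if entry.is_file() and entry.name.endswith(".rules"):
                with open(entry.path, errors="replace") as fh:
                    findings.extend(audit_rule_text(entry.path, fh.read()))
    return findings


if __name__ == "__main__":
    # Run over the constructed samples; swap for audit_udev_rules() on a real host.
    for path, text in SAMPLE_RULES.items():
        for f in audit_rule_text(path, text):
            print(f"{f['file']}:{f['line']} {f['program']} -> {', '.join(f['reasons'])}")
```

Note that udev resolves relative RUN paths against /usr/lib/udev, so only absolute paths are compared against the trusted prefixes; a hit is a lead for a closer look, not proof of compromise, since local administrators do legitimately add rules in /etc/udev/rules.d.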
New Gafgyt Botnet Variant Targets Weak SSH Passwords for GPU Crypto Mining
Security researchers have discovered a new variant of the Gafgyt botnet. The campaign targets machines with weak SSH passwords, executing two binaries from memory to grow the botnet and mine cryptocurrency using GPU power.
The botnet typically targets IoT devices but is now targeting more robust servers running in cloud-native environments. Once a device has been compromised, it in turn starts searching for other devices with weak SSH configurations in order to spread further.
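A botnet that spreads by guessing SSH passwords needs password authentication to be enabled in the first place, so the most effective mitigation is a server configuration that refuses password logins altogether. The audit below is an added example for this bulletin, not DigitalXRAID's tooling; it applies OpenSSH's rule that the first occurrence of a keyword wins, ignores conditional Match blocks, and compares a constructed weak sshd_config against a constructed hardened one. The OpenSSH defaults it assumes for absent keywords are those of current releases and should be checked against the version you run.

```python
import re

# Constructed sample: the kind of configuration a password-guessing botnet relies on.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 10
"""

# Constructed sample: the corrected configuration (key-based logins only).
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
"""

# (keyword, assumed OpenSSH default when absent, acceptable-value predicate, advice)
CHECKS = [
    ("passwordauthentication", "yes", lambda v: v == "no",
     "disable password logins and use public-key authentication"),
    ("kbdinteractiveauthentication", "yes", lambda v: v == "no",
     "disable keyboard-interactive auth, which can still accept passwords via PAM"),
    ("permitrootlogin", "prohibit-password",
     lambda v: v in ("no", "prohibit-password", "without-password"),
     "do not allow root to log in with a password"),
    ("permitemptypasswords", "no", lambda v: v == "no",
     "never accept empty passwords"),
    ("maxauthtries", "6", lambda v: v.isdigit() and int(v) <= 4,
     "limit authentication attempts per connection"),
]


def parse_sshd_config(text):
    """Effective global values: first occurrence wins; parsing stops at the first Match block."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        effective.setdefault(keyword, value)
    # ChallengeResponseAuthentication is the older spelling of the same option.
    if "kbdinteractiveauthentication" not in effective and \
            "challengeresponseauthentication" in effective:
        effective["kbdinteractiveauthentication"] = effective["challengeresponseauthentication"]
    return effective


def audit_sshd_config(text):
    """Return one finding per weak setting, whether set explicitly or left at its default."""
    effective = parse_sshd_config(text)
    findings = []
    for keyword, default, acceptable, advice in CHECKS:
        if keyword in effective:
            value, source = effective[keyword], "explicit"
        else:
            value, source = default, "default"
        if not acceptable(value):
            findings.append({"keyword": keyword, "value": value,
                             "source": source, "advice": advice})
    return findings


if __name__ == "__main__":
    # On a real host: audit_sshd_config(open("/etc/ssh/sshd_config").read())
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"== {label}: {len(audit_sshd_config(cfg))} finding(s)")
        for f in audit_sshd_config(cfg):
            print(f"  {f['keyword']}={f['value']} ({f['source']}): {f['advice']}")
```

Settings inside Match blocks and files pulled in via Include are deliberately out of scope here; for an authoritative view of the running daemon's effective configuration, compare the script's output with `sshd -T`.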
Black Basta-Linked Attackers Target Users with SystemBC Malware
An ongoing social engineering campaign with alleged links to the Black Basta ransomware group has been linked to “multiple intrusion attempts” with the goal of conducting credential theft and deploying a malware dropper called SystemBC.
The attackers use an email bomb to cause a denial of service (DoS) and disrupt users, followed by a fake phone call impersonating internal IT staff to offer a fake solution to the problem.
The attack chain then convinces the user to download and install a legitimate remote access tool, AnyDesk, which acts as a channel for deploying follow-on payloads and exfiltrating sensitive data.
Ransomware attackers introduce new EDR killer to their arsenal
Analysis by security researchers has uncovered the existence of a new tool called EDRKillShifter, which is used by threat actors to disable endpoint protection software during ransomware attacks.
The tool is designed to terminate antivirus and endpoint detection and response (EDR) solutions on targeted systems, paving the way for the deployment of ransomware payloads.
EDRKillShifter works as a loader, delivering various malicious drivers that exploit vulnerabilities to gain elevated privileges and unhook security protections.
The Emerging Dynamics of Deepfake Scam Campaigns on the Web
Researchers uncovered dozens of scam campaigns utilising deepfake videos impersonating public figures to promote fake investment schemes and government-sponsored giveaways.
These campaigns targeted victims across multiple countries, with websites averaging 114,000 visits each.
Although the campaigns use generative AI, traditional investigative techniques identified the shared hosting infrastructure, suggesting that a single threat actor group is behind many of them. As deepfake technology becomes more accessible, proactive defence against such scams is crucial.
Threat actor targeting UK banks in ongoing AnyDesk social engineering campaign
Threat analysts are tracking an ongoing campaign that employs fake websites and social engineering tactics to distribute a malicious version of the AnyDesk remote access software to Windows and macOS users.
Once installed on a victim’s machine, it is used to steal data and money. The campaign primarily targets UK banks such as HSBC, NatWest, Lloyds, Santander, and Virgin Money, as well as Avast, Ledger, and Wise.
Threat actor impersonates Google via fake ad for Authenticator
An unknown threat actor created a deceptive advertisement that appeared as if it was from a reputable company, enticing users to click on it and visit a malicious website. The site hosted a digitally signed malicious file disguised as a popular multi-factor authentication application.
Upon execution, the malware would exfiltrate personal data from the victim’s device to an attacker-controlled server. This attack highlights the ongoing abuse of online advertising platforms for distributing malware and demonstrates the need for users to exercise caution when downloading software, even from seemingly trustworthy sources.
DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service mean we can take care of your security, whilst you take care of business.
Talk to the team to see how you can start protecting your business against cyberattacks today.