X
NEXT
Forgot password?

DigitalXRAID

Threat Pulse – February 2023

Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats. 

If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.

PureCrypter malware targeting government organisations 

A threat actor has been detected using the PureCrypter malware downloader to target government organisations by delivering multiple information stealers and ransomware strains. 

The researchers have found that the PureCrypter campaign have delivered different types of malwares such as Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware. 

The threat actor behind the PureCrypter campaign is considered to be a minor one. However, it is nevertheless important to keep an eye on their activity because they are targeting government agencies. 

A New Evasive Malware That Can Fly Under the Radar 

Cybersecurity researchers have unearthed a new piece of evasive malware dubbed Beep that’s designed to fly under the radar and drop additional payloads onto a compromised host.  

“It seemed as if the authors of this malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as they could find,” Minerva Labs researcher Natalie Zargarov said.  

“One such technique involved delaying execution through the use of the Beep API function, hence the malware’s name.”  

Beep comprises three components, the first of which is a dropper that’s responsible for creating a new Windows Registry key and executing a Base64-encoded PowerShell script stored in it. 

Python Developers Warned of Trojanised PyPI Packages Mimicking Popular Libraries 

Threat researchers have warned against imposter Python packages that mimic popular libraries. These packages, for the most part, do not hint at their malicious nature. The descriptions and features match legitimate HTTP libraries.  

After being downloaded, the script “setup.py” contains malicious code with the ability to launch a trojan downloader that, in turn, contains a DLL file (Rdudkye.dll) packing a variety of functions. Including the option to steal data from services such as Discord and Telegram. A full list of all malicious packages can be seen in the Reversing Labs report. 

HTML Smuggling: The Hidden Threat in Your Inbox 

Some notable malware strains that have utilised HTML smuggling in their infection chain have been discovered.  

The shift in malware delivery methods to using HTML is concerning, as it challenges email gateway scanners, endpoint protection, and security solutions, especially their ability to unpack, decode and detect such techniques.  

With HTML smuggling, the malware is concealed from the scanners as most AVs will see the HTML attachment only compared with using an ISO file attachment, which will immediately throw red flags 

Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity 

A new information stealer called Stealc has emerged on the dark web gaining traction due to aggressive promotion of stealing capabilities and similarities with malware of the same kind as Vidar, Raccoon, Mars, and Redline.  

According to the advertiser, apart from the typical targeting of web browser data, extensions, and cryptocurrency wallets, Stealc also has a customisable file grabber that can be set to target whatever file types the operator wishes to steal. 

Beepin’ Out of the Sandbox: Analysing a New, Extremely Evasive Malware 

Researchers have recently discovered new “beep malware“, which uses a significant amount of evasion techniques, such as anti-debugging and anti-VM, to try to avoid detection.  

Once it has established that it has not been seen, it collected victim data to send to the C&C server. 

Massive Ransomware Attack Targets VMware ESXi Servers 

Vulnerable ESXi servers are being attacked by ransomware, using a two-year-old vulnerability.  

The EXSI Args attack involves using a shell script file “encrypt.sh” that runs an ELF executable “encrypt,” causing file encryption.  

Around the globe, nearly one thousand ESXi servers have been affected. The recommendation is to disable OpenSLP and to update to the latest versions of ESXi as soon as possible, as there has been a patch for CVE-2021-21974 since 2021. 

DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.    

Talk to the team to see how you can start protecting your business against cyberattacks today. 

Protect Your Business & Your Reputation.

With a continued focus on security, you can rest assured that breaches and exploits won't be holding you back.

Speak To An Expert

x

Get In Touch

[contact-form-7 id="5" title="Contact Us Form"]