
Cyber Threat Breakdown May 2023

Here is the May 2023 summary of threats, with a short list of IoCs.

The full IoC list for each specific threat is available from the Cymulate app.

Reminder: The Cymulate BAS Immediate Threat capabilities can be configured to automatically update your SIEM list of IoCs, including hashes, URLs, domain names, etc.
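As an added example (not Cymulate code, and not the app's export format), the following Python parses IOC bullets written in the layout used throughout this page, tolerates the "SHA 1" spelling variant that appears in one entry, collapses the repeated _browsing/_edr entries that share the same hashes, and matches a set of observed hashes against the result. The sample bullets are copied from entries below; the observed-hash input to match_hashes is constructed.

```python
"""Parse the hash-style IOC bullets used throughout this breakdown into a deduplicated,
SIEM-ready indicator list. Added example; not the Cymulate app's export format."""
import re
from collections import defaultdict

HASH_RE = re.compile(r"\b(SHA\s?1|MD5|SHA\s?256)\s*:\s*([0-9a-fA-F]+)", re.IGNORECASE)
URL_RE = re.compile(r"^(?:https?://\S+|\S+\.onion)$", re.IGNORECASE)
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

def parse_ioc_lines(text):
    """One record per bullet: {'name', 'md5', 'sha1', 'sha256'} for hash bullets,
    {'url'} for URL bullets. A hash whose length is wrong for its algorithm is dropped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if URL_RE.match(line):
            records.append({"url": line})
            continue
        rec = {"name": line.split()[0]}
        for algo, value in HASH_RE.findall(line):
            key = algo.replace(" ", "").lower()          # "SHA 1" -> "sha1"
            if len(value) == HASH_LEN[key]:
                rec[key] = value.lower()
        if len(rec) > 1:                                  # keep only bullets with a valid hash
            records.append(rec)
    return records

def dedupe(records):
    """Collapse the page's _browsing/_edr twins into one sorted list per indicator type."""
    buckets = defaultdict(set)
    for rec in records:
        for key, value in rec.items():
            if key != "name":
                buckets[key].add(value)
    return {key: sorted(values) for key, values in buckets.items()}

def match_hashes(observed, indicators):
    """Observed hashes (any algorithm, any case) that hit the indicator set."""
    known = set()
    for key in HASH_LEN:
        known.update(indicators.get(key, []))
    return sorted(h.lower() for h in observed if h.lower() in known)

# Constructed sample: three bullets copied from this page (the first two are the
# _browsing/_edr pair that share one set of hashes) plus the Rhysida onion URL.
SAMPLE_IOCS = """
  • Cosmicenergybgifeiideh4_browsing7Exe.exe SHA1: bc07686b422aa0dd01c87ccf557863ee62f6a435 MD5: cd8f394652db3d0376ba24a990403d20 SHA256: 358f0f8c23acea82c5f75d6a2de37b6bea7785ed0e32c41109c217c48bf16010
  • Cosmicenergybgifeiideh4_edr7Exe.exe SHA1: bc07686b422aa0dd01c87ccf557863ee62f6a435 MD5: cd8f394652db3d0376ba24a990403d20 SHA256: 358f0f8c23acea82c5f75d6a2de37b6bea7785ed0e32c41109c217c48bf16010
  • Sheddingbgifeiicag32_browsingExe.exe SHA 1: 0be8f44f5351a6cbef1a54a6de7674e1219d65b6 MD5: e320bb753ba6fb13ea7ef15e7efc315e SHA256: 6b7358c4428369b60b034566b72d8e4a3a0d723d5bfcd8386babb515b337f8c4
  • http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion
"""

if __name__ == "__main__":
    indicators = dedupe(parse_ioc_lines(SAMPLE_IOCS))
    for kind, values in indicators.items():
        print(kind, len(values))
    # Constructed observed hashes: one known MD5 in upper case, one unrelated value.
    print(match_hashes(["CD8F394652DB3D0376BA24A990403D20", "deadbeef"], indicators))
```

Feed the deduplicated lists, not the raw bullets, to a SIEM watchlist: the _browsing/_edr twins would otherwise double every match count, and mixed-case hashes would silently miss.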

Table of Contents

CosmicEnergy Malware Possibly Related to Russian Emergency Response Exercises

Shedding Light on AceCryptor and its Operation

DocuSign Themed Email Leads to Script-Based Infection

GobRat Malware Written in Go Language Targeting Linux Routers

New Malware Sample Identified – JsOutProx

New Lazarus Malware Samples Identified

Mercenary Mayhem: A Technical Analysis of Intellexa’s Predator Spyware

Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices

Buhti Ransomware Operation Relies on Repurposed Payloads

People’s Republic of China State-sponsored Cyber Actor Living off the Land to Evade Detection

YouTube Pirated Software Videos Deliver Triple Threat

Lazarus Group Targeting Windows IIS Web Servers

MS-SQL Server Powershell Exploited to Deploy RemcosRAT

Kraken – The Deep Sea Lurker

Back in Black – BlackByte Ransomware Returns with its New Technology (NT) Version

Analysis of the CloudWizard APT Framework

Analysis of Rhysida Ransomware

MDBotnet Unleashes DDoS Attacks

GoldenJackal APT Group Focuses on Entities in the Middle East

SparkRAT Distributes Malicious MeshCentral MeshAgent

Malicious WinTapix Kernel Driver Targets Countries in the Middle East

BlackCat Ransomware Deploys New Signed Kernel Driver

Analysis of CryptNet Ransomware

AndoryuBots DDoS Rampage

Dissecting Amadey Malware in Multi-Stage Attack Campaign

Fake System Update Drops Aurora Stealer via Invalid Printer Loader

US-CERT Alert – BianLian Ransomware

The Evasive Panda APT Group Targets NGOs in China

Novel Cylance Ransomware Targets Windows and Linux Systems

Remote Code Execution Exploitation on Huawei HG532 Routers in the Wild

ViperSoftX Infostealer Malware: Targeting Password Managers with Evasive Tactics

SISA ProACT MDR Solution – Threat Advisory – Stealthy Linux Malware Strikes: Defending Against PingPull Cyberespionage Campaigns

US-CERT Alert – Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG

Atomic Stealer | Threat Actor Spawns Second Variant of macOS Malware Sold on Telegram

BlackBit Ransomware: A Threat from the Shadows of LokiLocker

Tonto Team Using Anti-Malware Related Files for DLL Side-Loading

FIN7 Tradecraft Seen in Attacks Against Veeam Backup Servers

ChatGPT-Themed Scam Attacks Are on the Rise

Attackers Gaining Access to the Kubernetes Cluster Through a Misconfigured API Server

Analysis of the DevOpt Multifunctional Backdoor

CosmicEnergy Malware Possibly Related to Russian Emergency Response Exercises

CosmicEnergy is OT/ICS malware that interacts with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), to cause electric power disruption. It uses two disruption tools: PieHop, which connects to a remote MSSQL server to upload files and issue remote commands, and LightWork, which modifies the state of RTUs over TCP. The malware has not been attributed to a specific threat actor; it could be the work of an APT or could have been developed for red team exercises.

IOCs:

  • Cosmicenergybgifeiideh4_browsing7Exe.exe SHA1: bc07686b422aa0dd01c87ccf557863ee62f6a435 MD5: cd8f394652db3d0376ba24a990403d20 SHA256: 358f0f8c23acea82c5f75d6a2de37b6bea7785ed0e32c41109c217c48bf16010
  • Cosmicenergybgifeiideh48_browsingExe.exe SHA1: 6eceb78acd1066294d72fe86ed57bf43bc6de6eb MD5: 7b6678a1c0000344f4faf975c0cfc43d SHA256: 740e0d2fba550308344b2fb0e5ecfebdd09329bdcfaa909d3357ad4fe5552532
  • Cosmicenergybgifeiideh4_edr7Exe.exe SHA1: bc07686b422aa0dd01c87ccf557863ee62f6a435 MD5: cd8f394652db3d0376ba24a990403d20 SHA256: 358f0f8c23acea82c5f75d6a2de37b6bea7785ed0e32c41109c217c48bf16010
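The following Python is an added example, not CosmicEnergy code or anything from the original report. It parses IEC-104 APCI/ASDU framing and flags control-direction commands (the type IDs a tool like LightWork must send to change RTU state) so they can be compared against an allowlist of master stations. The page does not say which type IDs LightWork uses, so the rule flags every control-direction type; both sample APDUs are constructed.

```python
"""Flag IEC 60870-5-104 control commands in captured APDUs. Added example for hunting
the kind of RTU state changes described in the CosmicEnergy summary; it assumes nothing
about the specific type IDs LightWork sends and flags all control-direction types."""
import struct

START = 0x68
# Control-direction command ASDU types (IEC 60870-5-101/104 type identifiers).
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command", 48: "C_SE_NA_1 set point, normalized",
    49: "C_SE_NB_1 set point, scaled", 50: "C_SE_NC_1 set point, float",
    51: "C_BO_NA_1 bitstring", 58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag", 60: "C_RC_TA_1 regulating step with time tag",
    61: "C_SE_TA_1 set point, normalized, with time tag", 62: "C_SE_TB_1 set point, scaled, with time tag",
    63: "C_SE_TC_1 set point, float, with time tag", 64: "C_BO_TA_1 bitstring with time tag",
}
COT_NAMES = {6: "activation", 7: "activation confirmation", 8: "deactivation",
             10: "activation termination"}

def parse_apdu(buf):
    """Parse one APDU. I-frames return the ASDU header and first information object
    address; S/U frames return only the format. Raises ValueError on malformed input."""
    if len(buf) < 6 or buf[0] != START:
        raise ValueError("not an IEC-104 APDU")
    if len(buf) != buf[1] + 2:               # length octet counts everything after itself
        raise ValueError("length field does not match buffer")
    c1, c2, c3, c4 = buf[2:6]
    if c1 & 0x01 == 0:
        fmt = "I"
    elif c1 & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    apdu = {"format": fmt}
    if fmt != "I":
        return apdu
    apdu["send_seq"] = ((c2 << 8) | c1) >> 1
    apdu["recv_seq"] = ((c4 << 8) | c3) >> 1
    asdu = buf[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot_raw, originator = asdu[0], asdu[1], asdu[2], asdu[3]
    apdu.update({
        "type_id": type_id,
        "num_objects": vsq & 0x7F,
        "sequence": bool(vsq & 0x80),
        "cot": cot_raw & 0x3F,                # cause of transmission
        "negative": bool(cot_raw & 0x40),     # P/N bit
        "test": bool(cot_raw & 0x80),         # T bit
        "originator": originator,
        "common_addr": struct.unpack("<H", asdu[4:6])[0],
    })
    if len(asdu) >= 9:                        # 3-octet information object address
        apdu["ioa"] = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    if type_id == 45 and len(asdu) >= 10:     # single command: SCS bit 0, S/E bit 7
        sco = asdu[9]
        apdu["command"] = {"state": "ON" if sco & 0x01 else "OFF", "select": bool(sco & 0x80)}
    return apdu

def control_alerts(apdu):
    """Human-readable alert for a control-direction command, else None. Hunting
    heuristic: only a short allowlist of master stations should ever send these."""
    if apdu.get("format") != "I" or apdu.get("type_id") not in CONTROL_TYPES:
        return None
    name = CONTROL_TYPES[apdu["type_id"]]
    cot = COT_NAMES.get(apdu["cot"], f"cot={apdu['cot']}")
    detail = ""
    if "command" in apdu:
        phase = "select" if apdu["command"]["select"] else "execute"
        detail = f" {phase} {apdu['command']['state']}"
    return f"{name}{detail} to common address {apdu['common_addr']} IOA {apdu.get('ioa')} ({cot})"

# Constructed sample: I-frame carrying C_SC_NA_1, COT activation, execute ON, CA 1, IOA 1.
SAMPLE_APDU = bytes.fromhex("680e00000000" "2d0106000100" "010000" "01")
# Constructed sample: U-frame TESTFR act (keepalive), which must not alert.
SAMPLE_TESTFR = bytes.fromhex("680443000000")

if __name__ == "__main__":
    for pkt in (SAMPLE_APDU, SAMPLE_TESTFR):
        print(control_alerts(parse_apdu(pkt)))
```

In practice the parser would sit behind a TCP/2404 stream reassembler; the allowlist comparison (source IP of the I-frame against known masters) is left to the caller because it is site-specific.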

Shedding Light on AceCryptor and its Operation

Researchers have analyzed AceCryptor, a popular crypter used by well-known malware families such as SmokeLoader, RedLine and Emotet. To hinder analysis, it wraps samples in three protection layers that combine different encryption algorithms with techniques such as reflective loading and process hollowing.

IOCs:


  • Sheddingbgifeiicag30_browsingExe.exe SHA1: 8e99a5ec8c173033941f5e00a3fc38b7dea9dcb3 MD5: cc492729431765a9bc9cbf54625a6dac SHA256: f9c5a36f0f48ed12df657b9f3742215d9209c01d6bfee7c9b8c730874dc705cd
  • Sheddingbgifeiicag31_browsingExe.exe SHA1: 88b125dda928462fdb00c459131b232a3cd21887 MD5: 8dbdef6108e6b202ecc0570c9e96d76b SHA256: 57ec32c13db1f6d5ce116dc9de40370d5fbd8fcbe121219d6c29672aaceb64eb
  • Sheddingbgifeiicag32_browsingExe.exe SHA1: 0be8f44f5351a6cbef1a54a6de7674e1219d65b6 MD5: e320bb753ba6fb13ea7ef15e7efc315e SHA256: 6b7358c4428369b60b034566b72d8e4a3a0d723d5bfcd8386babb515b337f8c4

DocuSign Themed Email Leads to Script-Based Infection

Twitter user @0xToxin has reported malicious emails impersonating DocuSign that carry HTML attachments leading to a script-based infection.

IOCs:

  • Docusignbgifdjebea21_browsingHtml.html SHA1: 08a6cf51a4a5478c983205e2e4982b62161c5f45 MD5: c7f3ff6056ee802953af5a271166755a SHA256: 418c0706510868bf2afad98bfb66d7492fdb594ca8d477aba89f471ca00d70fd
  • Docusignbgifdjebea22_browsingHtml.html SHA1: be8894d050617fc80505042aebdcc2d7f1969994 MD5: 199b64abcb71b6802601bf81fe71a646 SHA256: 064ee9cc4256a4e004d3c6e74e1a4cc2d686f82a7e22640aa718167b5af40a29
  • Docusignbgifdjebea23_browsingHtml.html SHA1: 0e7a7c7abb5df0b93935e7e1bf6c620040c49b20 MD5: f75e7dcdd30bb326e01f01df143f6425 SHA256: efbb83a531b88d0820d36410356cc4c8deef25deaa8da351a963dd51eadf8048

GobRat Malware Written in Go Language Targeting Linux Routers

JPCERT/CC confirmed attacks around February 2023 that infected routers in Japan with GobRAT, a malware family written in Go. The JPCERT/CC write-up details both the attack and the malware.

IOCs:

  • Gobratbgifdjeaif8_browsingElf.elf SHA1: 901485fa05c94c235cf9b39b92942e6c2a970d38 MD5: 27f7a7f5f4af1100e0467b1bfeb67060 SHA256: a8b914df166fd0c94106f004e8ca0ca80a36c6f2623f87a4e9afe7d86b5b2e3a
  • Gobratbgifdjeaif18_browsingElf.elf SHA1: 67ea6d219abbdb803519892a3689dfcdf91b563c MD5: 7cc41954e94c658c0cc12acfb654c8df SHA256: 2c1566a2e03c63b67fbdd80b4a67535e9ed969ea3e3013f0ba503cfa58e287e3
  • Gobratbgifdjeaif20_browsingElf.elf SHA1: 2fd7941fb4a48b57f5890fdefee76939416ae3a2 MD5: bde9c6108e6c85339838e9e2c97fae72 SHA256: 03b92442cb118084df1a26067f2b5cb6e2b8a8b00b69370002780103d9a8c9b1

New Malware Sample Identified – JsOutProx

This activity is associated with phishing campaigns delivering the JsOutProx RAT to financial institutions across Africa, the Middle East, South Asia and Southeast Asia. JsOutProx is a highly obfuscated JavaScript backdoor first observed in December 2019. It has a modular plugin architecture and can run shell commands; download, upload and execute files; manipulate the file system; establish persistence; take screenshots; and simulate keyboard and mouse events. One distinctive feature is its use of the HTTP Cookie header field to carry C2 communication.

IOCs:

  • Newbgifdgbjde2_browsingZip.zip SHA1: a7fdee25f3887b4ceffb3d3018da88f9e79211ab MD5: 113d6da8fdefb00f3f4c8e078f63a430 SHA256: 07ecdc6af7a9b80ce2a77e57e41a14504720a1871e32fb1aa2454467b265c25e
  • Newbgifdgbjde3_browsingJs.js SHA1: c124fbccdc6848a1ba3d0425052a4afd88d60d84 MD5: d2c7cb88e560cc78775510b596d20749 SHA256: 85e69d7163b781f3668b0420c507095800e8ae3d4c6032bf6cf0d357bd387d36
  • Newbgifdgbjde4_browsingJs.js SHA1: 0a5e640d3315f73f50e3aa0714da2b23030878ce MD5: 06fd7cced7d576812938c9b8ec1ec67c SHA256: a49374ce8b3a1c272d9e1e038e72bd232d2b6e227a070064cf8a3ad7e1005655

New Lazarus Malware Samples Identified

The CageyChameleon and Lazarus Downloader malware samples are both associated with the North Korean state-sponsored APT group broadly known as Lazarus (APT38), which targets financial institutions as well as companies involved in cryptocurrency and blockchain technology. While PFD could not confirm the type of campaign in which this malware was used, Lazarus targets global financial institutions to generate currency, and a Lazarus sub-group is believed to be responsible for the recent campaigns that deployed it.

IOCs:

  • Newbgifdgaahj1_browsingLnk.lnk SHA1: 345bb81edbe9e5d5e8de2529aa37f47f1865f085 MD5: 9feef41c6aa4b71a382bbc9133f003d9 SHA256: b765f7e767a322628113be3b2e557c12bb9f22998e2830ad0fe450f518705c86
  • Newbgifdgaahj2_browsingZip.zip SHA1: fded30f12601bd09eb6a4ed27f9961a3057e29d1 MD5: fead205c348fefea1e4663f2c80da82f SHA256: 474ce8c151b65c12930889dff0f97fc6467ac114fbfea1215469ae9c239e7aa6
  • Newbgifdgaahj3_browsingLnk.lnk SHA1: ffaa313372e442da14ae48cfd55377a5b3820a24 MD5: e3cd20889b65ae7b4bb93ccb1790f808 SHA256: 70c4600d6920dadc1899603b131119427784fcd83d04da5c886bcad5a7af913b

Mercenary Mayhem: A Technical Analysis of Intellexa’s Predator Spyware

PREDATOR is mercenary spyware that has been active since at least 2019. It is designed to be flexible: new Python-based modules can be delivered to an infected device without repeated exploitation, which makes it especially versatile and dangerous.

IOCs:

  • Mercenarybgifbgafbd40_browsingSo.so SHA1: 1cb8b2d82ec1290b7023f171781540d466c5a33e MD5: 1d6e0001eecd4022381498c4df81e324 SHA256: 8e4edb1e07ebb86784f65dccb14ab71dfd72f2be1203765b85461e65b7ed69c6
  • Mercenarybgifbgafbd40_edrSo.so SHA1: 1cb8b2d82ec1290b7023f171781540d466c5a33e MD5: 1d6e0001eecd4022381498c4df81e324 SHA256: 8e4edb1e07ebb86784f65dccb14ab71dfd72f2be1203765b85461e65b7ed69c6

Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices

On April 10, Unit 42 researchers observed a Mirai variant called IZ1H9 that exploits several vulnerabilities to spread.

IOCs:

  • Oldbgifbgadfc24_browsingElf.elf SHA1: c01fca35b9188049375ddf6d1fb86513262deb47 MD5: 3104afe0b30fa05be6c1796a85db6f1e SHA256: 38406b2effd9fc37ce41ee914fda798de9c9b0e239a0cc94b1464dc2a9984fe9
  • Oldbgifbgadfc20_browsingElf.elf SHA1: 21d2fdc4c6835b77ac6b5e983dc5acd1451f5ae9 MD5: 779056690ccec8e3c14008f1ef87ff60 SHA256: 7bfb02c563ae266e81ba94a745ea7017f12010d5491708d748296332f26f04f5
  • Oldbgifbgadfc25_browsingElf.elf SHA1: fa3083fe143eebf3340d12f6b8f920dd73f2b5f2 MD5: da8862011e565701cc1b706b392a265a SHA256: 65a46cd29dad935d067a4289445d2efb2710d44d789bf1bf0efb29f94d20e531

Buhti Ransomware Operation Relies on Repurposed Payloads

The Blacktail group has been deploying a payload identified as Buhti ransomware. The threat actors built their payloads from leaked LockBit and Babuk ransomware code.

IOCs:

  • Buhtibgifbecbgc24_browsingExe.exe SHA1: 25c00c6e9303537b59ff8db85f561ce70ae6ee67 MD5: 5cf8fc798a1e52e849db69d5ba3b9700 SHA256: 8b2cf6af49fc3fb1f33e94ad02bd9e43c3c62ba2cfd25ff3dfc7a29dde2b20f2
  • Buhtibgifbecbgc9_browsingElf.elf SHA1: 47e9e914c45e12453dff8439e68ceee9808f155a MD5: 587b8d79c9a8c8ddbb9fd0003e5de340 SHA256: eda0328bfd45d85f4db5dbb4340f38692175a063b7321b49b2c8ebae3ab2868c
  • Buhtibgifbecbgc13_browsingElf.elf SHA1: cb04efef2de3d127f02f211e81855760a6819716 MD5: 263668455203d6b0f6c4b5e2cde9f446 SHA256: 22e74756935a2720eadacf03dc8fe5e7579f354a6494734e2183095804ef19fe

People’s Republic of China State-sponsored Cyber Actor Living off the Land to Evade Detection

Volt Typhoon, a newly identified PRC state-sponsored actor, has been targeting critical infrastructure organizations in the United States to obtain sensitive information, relying on living-off-the-land techniques to evade detection.

IOCs:

  • Peoplesbgifaffibf1_browsing7Exe.exe SHA1: 98c9fa7cab7499b6656a3329d4662c74f0b5466e MD5: 308cd259bb9b0ed17c876881852e7992 SHA256: 472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d
  • Peoplesbgifaffibf18_browsingExe.exe SHA1: 234d24856c162ef75a67902d623bd6bd89338e64 MD5: 989c12b22ae56d5bc6249047119a9ed1 SHA256: c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b
  • Peoplesbgifaffibf19_browsingExe.exe SHA1: 6acaa1ef5398c6a3d9bfaccd89865115eb47e60c MD5: c6d185d2c1dbfcb3a5073e0dcbc580e8 SHA256: 3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642

YouTube Pirated Software Videos Deliver Triple Threat

YouTube viewers are being lured with pirated software that is used to steal sensitive data and credentials and to mine cryptocurrency.

IOCs:

  • Youtubebgiejjffde14_browsingExe.exe SHA1: 85c2c44e4addbdde87b49b33e252772126f9544e MD5: e72d497c94bb1ed882ac98931f70e82e SHA256: d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443
  • Youtubebgiejjffde15_browsingExe.exe SHA1: c0f094b1b3b9c6f15dc978e1d87d1936a5a5e805 MD5: 4aac4668c51f49c91ee5c4d1c53435b7 SHA256: 5630c8f0dcd2393daf8477e6e4e419b0d0faf6780b6f1e00ad7a09fd37ddcdd3
  • Youtubebgiejjffde16_browsingExe.exe SHA1: bd509f7c0af2edd605468c101189e5d3142c4deb MD5: 663a81e58bc2198124eed285fc7e4f04 SHA256: 44810cead810cd546a8983e464157a4eb98ebbd518c4f4249e6b99e7f911090f

Lazarus Group Targeting Windows IIS Web Servers

The Lazarus APT group was found targeting Internet-facing Microsoft Windows IIS web servers.

IOCs:

  • Lazarusbgiejjffbg6_browsingDll.dll SHA1: 43d2443351deae4d9f97e134427852809de09ad2 MD5: 47d380dd587db977bf6458ec767fee3d SHA256: 722949710663062c0ffa71036004cb9aebf1a52d0af917ec37ebf0b32f6bd5e1
  • Lazarusbgiejjffbg6_edrDll.dll SHA1: 43d2443351deae4d9f97e134427852809de09ad2 MD5: 47d380dd587db977bf6458ec767fee3d SHA256: 722949710663062c0ffa71036004cb9aebf1a52d0af917ec37ebf0b32f6bd5e1

MS-SQL Server Powershell Exploited to Deploy RemcosRAT

Threat actors are targeting poorly managed MS-SQL servers and abusing PowerShell to deploy the Remcos RAT.

IOCs:

  • Ms_sqlbgiejjfegh2_browsingExe.exe SHA1: 71d7c5bac5517cda1217fd95cb8a2b9f62fe248e MD5: 55233743d7c15b0a417233becc07dcb4 SHA256: 7d1e2ee20bd92e21c381b28f93b87e6e998b11d9c289425e50a46ebad112b29e
  • Ms_sqlbgiejjfegh3_browsingExe.exe SHA1: 2b41e544ea15899b5aba03f5fc0e7fd5690aff74 MD5: a6b930401417a341092dbfd48399c92b SHA256: d66694dbc5c5106beea74c21c818aa95b12e60f4f741e01f1b3a8111fc9ab5a5
  • Ms_sqlbgiejjfegh4_browsingExe.exe SHA1: 06aabca8390dc928150fd01e951ae249645ab4e8 MD5: 2677b8022e9fd3c18334dd672e16f457 SHA256: ffb339749fded934c0f54794bc1bddddbd76c11a404ebb968e9b2d28873aa156


Kraken – The Deep Sea Lurker

A new .NET-based stealer/keylogger called KrakenKeylogger is being delivered in phishing campaigns.

IOC:

  • Krakenbgiejbhfae38_browsingExe.exe SHA1: 058763934fb991ace223861f1b4b83880bc0a63b MD5: 29531f95f2ffc356c67975a60effa857 SHA256: dddaf7dfb95c12acaae7de2673becf94fb9cfa7c2d83413db1ab52a5d9108b79
  • Krakenbgiejbhfae42_browsingLnk.lnk SHA1: 8b49368462651afa265273151a1e7d4ea19e6347 MD5: efc382d915ab91f89946554f5e6cc42a SHA256: beec3ec08fba224c161464ebcc64727912c6678dd452596440809ce99c8390fd
  • Krakenbgiejbhfae43_browsingDll.dll SHA1: 3809c075dea5f17511b5945110f4d6b1ac92fab5 MD5: 1356a94f2295499f1eef98661a2042a3 SHA256: f7c66ce4c357c3a7c44dda121f8bb6a62bb3e0bc6f481619b7b5ad83855d628b

Back in Black – BlackByte Ransomware Returns with its New Technology (NT) Version

BlackByte ransomware has returned with a new version that uses several anti-analysis mechanisms to hide its behavior when its execution is monitored, as threat intelligence researchers revealed in an analysis of a sample.

IOC:

  • Backbgiejbhehh35_browsingExe.exe SHA1: c0950ebfa3a63c705ca813cfd28364aa1d90bb09 MD5: bf1f2f3759448a05d3dd92a4f7f042f6 SHA256: 02a0a39dbe0dcb5600f4179aeab457bb86965699e45d1d154082b02139dc701d
  • Backbgiejbhehh35_edrExe.exe SHA1: c0950ebfa3a63c705ca813cfd28364aa1d90bb09 MD5: bf1f2f3759448a05d3dd92a4f7f042f6 SHA256: 02a0a39dbe0dcb5600f4179aeab457bb86965699e45d1d154082b02139dc701d

Analysis of the CloudWizard APT Framework

In March 2023, Securelist (Kaspersky) disclosed a previously unknown APT campaign in the area of the Russo-Ukrainian conflict that used the PowerMagic and CommonMagic malware; the CloudWizard framework was identified in the course of that investigation.

IOC:

  • Analysisbgiejbhdhb11_browsingDll.dll SHA1: 7275a6ed8ee314600a9b93038876f853b957b316 MD5: 1f9b32047c25e49ff8bfffa6e8a2efe9 SHA256: 89d236b0bc6bce722d314b3b868a59678c45320d9707582c3c1a1c3625e6b516
  • Analysisbgiejbhdhb12_browsingDll.dll SHA1: ad74abea34a20d0196a152e6668e3c29135b22d4 MD5: 16793d6c3f2d56708e5fc68c883805b5 SHA256: 249e6ab11febfd87f9698f9c1eb2ab96f865ec2bc7f01d98cb25e1879d86b705
  • Analysisbgiejbhdhb18_browsingExe.exe SHA1: e7962ab0304dedfc8bbead0e33c24d2bf7d07ca9 MD5: 7c0e5627fd25c40374bc22035d3fadd8 SHA256: 052309916380ef609cacb7bafbd71dc54b57f72910dca9e5f0419204dba3841d

Analysis of Rhysida Ransomware

Rhysida ransomware uses a combination of RSA and AES algorithms and appends the “.rhysida” extension to encrypted files. The malicious software excludes specific directories and extensions from encryption and drops a ransom note in the form of a PDF file. The ransomware also modifies the registry to set the ransom note as the desktop background.

IOC:

  • Analysisbgiejbfhda9_browsingExe.exe SHA1: 69b3d913a3967153d1e91ba1a31ebed839b297ed MD5: 0c8e88877383ccd23a755f429006b437 SHA256: a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6
  • Analysisbgiejbfhda9_edrExe.exe SHA1: 69b3d913a3967153d1e91ba1a31ebed839b297ed MD5: 0c8e88877383ccd23a755f429006b437 SHA256: a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6
  • http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion

MDBotnet Unleashes DDoS Attacks

MDBotnet is sold on underground forums and is used to carry out DDoS attacks using HTTP and SYN flood techniques. The sample downloads the most recent version of the MDBotnet executable if Updater.exe is not found under the %appdata% folder. An additional file, svhost.exe, is downloaded from a remote server and registered as a registry Run key for persistence.

IOC:

  • Mdbotnetbgiejbfhaa6_browsingExe.exe SHA1: 24e6fc552344533c4723638e3f3368a57d705012 MD5: 4a6cb489c4efaffebd4dba83af747c76 SHA256: 5057465f9b1ddcd2548bea636a85c0a6c8165aab05b8613fd32dfc8b354fbf35
  • Mdbotnetbgiejbfhaa_browsing7Exe.exe SHA1: bfd7a44a627a4a0ce372da9d8d4baa080aa928fa MD5: 32763009fd26a7190941e502fc2411c4 SHA256: d5a7efbb50fee2d47c447a0981fc2cea6fc56ed2251e81271b90ef829a0f4c8c
  • Mdbotnetbgiejbfhaa8_browsingExe.exe SHA1: c0b83405c5c9e238c2cd3bc0fc2def2a3901c966 MD5: 46a3d4f752c48faa8b615d58d6160f25 SHA256: ae582545c3196afa5ac6419db9d57b11633e8282f29e3cd48fe31b9dd250a963

GoldenJackal APT Group Focuses on Entities in the Middle East

The GoldenJackal APT group was found to be targeting government and diplomatic entities in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey. The group uses custom malware to carry out the infections, including JackalScreenWatcher, JackalPerInfo, JackalWorm, JackalSteal, and JackalControl. The group is focused on gathering and exfiltrating sensitive data to command-and-control servers.

IOC:

  • Goldenjackalbgiejbfgbb1_browsingExe.exe SHA1: 4620e4d16ed752b7638c0187187ec9262f1841cb MD5: 5ed498f9ad6e74442b9b6fe289d9feb3 SHA256: 2d09a6d46dc12caa55f91cb09eaee7e8bf5af3fecaf857c71aa17279aaaf0e7d
  • Goldenjackalbgiejbfgbb2_browsingExe.exe SHA1: 60f40468bdf6a300d79fa15f9b116d171ec35e7a MD5: eab4f3a69b2d30b16df3d780d689794c SHA256: 02e359d6faa49f85d21f73f28000f3194adc03eb3262be58528e124c58aae704
  • Goldenjackalbgiejbfgbb3_browsingExe.exe SHA1: d7dfba9b32beb5f38d5449c615640d2ddf225f61 MD5: c6e5c8bd7c066008178bc1fb19437763 SHA256: c94d6ebc80f5dae5280543bd9c022eee63e49ab80c9daacc0688d5bba6598e49

SparkRAT Distributes Malicious MeshCentral MeshAgent

An attack campaign was discovered using SparkRAT to download a malicious version of the legitimate MeshCentral MeshAgent. The trojanized tool registers itself as a managed agent, allowing the threat actor to control the infected device from the MeshCentral public server. The malicious MeshAgent can be used to download and upload files and allow remote administration, including RDP and VNC.

IOC:

  • Sparkratbgieicdeig38_browsingExe.exe SHA1: 70d0411f2714b05abc0a651fa5c610194fdeadcb MD5: 4a9369fcff5e934ab644c9aca6e42532 SHA256: 7df445244c625f4aa7cee9d5727860f3d727b3e8cdee07305343fa198279712a
  • Sparkratbgieicdeig39_browsingExe.exe SHA1: 71680c7bbb165f1f3708db5bfeb3f933f7ac6488 MD5: 15d24570f3844987acce866d6541ba21 SHA256: 98cf8ddd43e445d10313f72ad6bffd3f25d02194aebb48ced2d35fc02d06dbbe
  • Sparkratbgieicdeig40_browsingExe.exe SHA1: 289e811956a0ce924cb04fdb4d55366ca38b67d8 MD5: 162e17324f63f2e1d2c32f7c842b3917 SHA256: abf620257fea60766cb2ed18caf573c8ed5d78f3ba8ec59088fa2ba0a3bfdaec

Malicious WinTapix Kernel Driver Targets Countries in the Middle East

Countries in the Middle East were targeted by an attack campaign that leveraged the WinTapix kernel driver as a loader. The malware injects embedded shellcode into a local process, which decrypts and executes a .NET payload. WinTapix uses the Donut framework for execution and is partially protected with the VMProtect software protector.

IOC:

  • Maliciousbgieicdeei35_browsingExe.exe SHA1: 6802e2d2d4e6ee38aa513dafd6840e864310513b MD5: 4dd6250eb2d368f500949952eb013964 SHA256: f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d
  • Maliciousbgieicdeei36_browsingExe.exe SHA1: 22c9da04847c26188226c3a345e2126ef00aa19e MD5: 3dd829fb27353622eff34be1eabb8f18 SHA256: 8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330
  • Maliciousbgieicdeei3_browsing7Exe.exe SHA1: 7f7d144cc80129d0db3159ea5d4294c34b79b20a MD5: a90236e4962620949b720f647a91f101 SHA256: 1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e

BlackCat Ransomware Deploys New Signed Kernel Driver

A BlackCat ransomware infection was found deploying a signed kernel driver to stay under the radar and avoid detection. The driver "ktgn.sys" is dropped and installed by "tjr.exe", an executable protected with virtual-machine-based code obfuscation. The driver exposes multiple capabilities, including deleting and copying files, killing processes, and rebooting the system.

IOC:

  • Blackcatbgieicdecg32_browsingExe.exe SHA1: 91568d7a82cc7677f6b13f11bea5c40cf12d281b MD5: a837302307dace2a00d07202b661bce2 SHA256: 52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677
  • Blackcatbgieicdecg32_edrExe.exe SHA1: 91568d7a82cc7677f6b13f11bea5c40cf12d281b MD5: a837302307dace2a00d07202b661bce2 SHA256: 52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677

Analysis of CryptNet Ransomware

CryptNet is a ransomware-as-a-service (RaaS) which has been advertised on underground forums since early 2023. The ransomware is programmed in the .NET programming language, and 256-bit AES and 2048-bit RSA encryption are used to lock files. The malware uses .NET Reactor for obfuscation and deletes shadow copies and the backup catalog to inhibit recovery.

IOC:

  • Analysisbgieicdbig1_browsingExe.exe SHA1: 323c2d8db7a1104a6631f420b3dfa98f693058a0 MD5: 733a808bc1be9d56026fd39b6e587ce4 SHA256: 2e37320ed43e99835caa1b851e963ebbf153f16cbe395f259bd2200d14c7b775
  • Analysisbgieicdbig2_browsingExe.exe SHA1: 25f334bba4c7ecd4a1d2a9884b91750ec1d969bd MD5: de6d49cdd23e3064f3c3d4ae112a7fa0 SHA256: 1cc7283ee218081f2f056bd2ec70514e86b8dcb921342dc9aed69e7480dec18e
  • Analysisbgieicdbig1_edrExe.exe SHA1: 323c2d8db7a1104a6631f420b3dfa98f693058a0 MD5: 733a808bc1be9d56026fd39b6e587ce4 SHA256: 2e37320ed43e99835caa1b851e963ebbf153f16cbe395f259bd2200d14c7b775

AndoryuBots DDoS Rampage

Researchers have identified AndoryuBot, a new botnet malware sold on Telegram, targeting Ruckus Wireless Admin panels exposed to the internet.

IOC:

  • Andoryubotsbgiegfhcfd40_browsingElf.elf SHA1: 86d630159a13b4a594e3eae23ccbda891a67f696 MD5: d2ad2d8d1b7dac89f2fb977c6b2c36a9 SHA256: c4925a91ed853920d8acee79bf0bb9342da4dabc0a2970823027f39ede399bce
  • Andoryubotsbgiegfhcfd42_browsingElf.elf SHA1: 86d630159a13b4a594e3eae23ccbda891a67f696 MD5: d2ad2d8d1b7dac89f2fb977c6b2c36a9 SHA256: c4925a91ed853920d8acee79bf0bb9342da4dabc0a2970823027f39ede399bce
  • Andoryubotsbgiegfhcfd41_browsingElf.elf SHA1: 86d630159a13b4a594e3eae23ccbda891a67f696 MD5: d2ad2d8d1b7dac89f2fb977c6b2c36a9 SHA256: c4925a91ed853920d8acee79bf0bb9342da4dabc0a2970823027f39ede399bce

Dissecting Amadey Malware in Multi-Stage Attack Campaign

Multiple malicious wextract.exe samples were used to infect devices with variants from the Amadey and RedLine Stealer malware families. The Healer AVKiller tool was used to turn off Windows Defender. schtasks.exe was used to create a scheduled task, and cacls.exe was used to change the ACL of a file.

IOC:

  • Dissectingbgiegejadh11_browsingExe.exe SHA1: c89477868792dbfc6abeb3016e4fcc542b01bea1 MD5: 30132c45c2305b287d96a3ad8158e9e3 SHA256: 0cca99711baf600eb030bbfcf279faf74c564084e733df3d9e98bea3e4e2f45f
  • Dissectingbgiegejadh14_browsingExe.exe SHA1: 1496bd1d1981d8bf38cf98cdd4aa47020ffe9303 MD5: 4c35cfbd12826cedb7982ab4e1763a6a SHA256: 8020580744f6861a611e99ba17e92751499e4b0f013d66a103fb38c5f256bbb2
  • Dissectingbgiegejadh1_browsingExe.exe SHA1: 44386a8947ddfab993409945dae05a772a13e047 MD5: fde8915d251fada3a37530421eb29dcf SHA256: 6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

Fake System Update Drops Aurora Stealer via Invalid Printer Loader

A malvertising campaign is using the Invalid Printer loader to drop the Aurora information stealer. Malicious ads trigger a fake Microsoft Windows update, which presents the victim with a bogus Chrome update. Before dropping the payload, Invalid Printer first performs a range of checks to confirm the malware is not running in a VM or sandbox.

IOC:

  • Fakebgiedjdahe84_browsingExe.exe SHA1: 90ba9a27571314c95916d49c6606f9c9cb8279cb MD5: 01011596b39a495d1e900e8661f4112c SHA256: 193cec31ea298103fe55164ff6270a2adf70248b3a4d05127414d6981f72cef4
  • Fakebgiedjdahe85_browsingExe.exe SHA1: b471aab5b59b80ac964fefcc1ad630bbddf6fbc7 MD5: 2cee103bad4f9fda79bdc93f2178dadc SHA256: 31c425510fe7f353002b7eb9d101408dde0065b160b089095a2178d1904f3434
  • Fakebgiedjdahe80_browsingExe.exe SHA1: ad653482f577b707e97516ee4ac3994bcde17a96 MD5: 9db69da6c1cf93a60adf1e4370234ee8 SHA256: 5a07e02aec263f0c3e3a958f2b3c3d65a55240e5da30bbe77c60dba49d953b2c

US-CERT Alert – BianLian Ransomware

BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors, in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors then extort money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.

IOC:

  • Bianlianbgiedbgach3_browsingExe.exe SHA1: 86447d6bcc862ebfa2366f751ce57de8b5948c9c MD5: e245f8d129e8eadb00e165c569a14b71 SHA256: 40126ae71b857dd22db39611c25d3d5dd0e60316b72830e930fba9baf23973ce
  • Bianlianbgiedbgach1_browsingExe.exe SHA1: 67f25f899228a52c6668a7663ff8cf3f9e4dff22 MD5: ad5fbd52096e8bdc76d4052a5d8975a2 SHA256: 7b15f570a23a5c5ce8ff942da60834a9d0549ea3ea9f34f900a09331325df893
  • Bianlianbgiedbgach2_browsingExe.exe SHA1: 3f3f62c33030cfd64dba2d4ecb1634a9042ba292 MD5: 08e76dd242e64bb31aec09db8464b28f SHA256: 1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43
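The MDBotnet, Rhysida, CryptNet, Amadey and BianLian summaries above each describe a host-level behavior that endpoint telemetry records directly: a Run key pointing into %appdata%, the desktop wallpaper rewritten through the registry, shadow copies and the backup catalog deleted, schtasks.exe and cacls.exe driven from the command line, and rclone pushing data to a remote. The following Python is an added example, not vendor code, that turns those descriptions into rules and runs them over constructed Sysmon-style events (EventID 1 process create, EventID 13 registry value set). The event contents, file names and the benign-setter baseline are assumptions for illustration.

```python
"""Detection rules for the host behaviours described in the MDBotnet, Rhysida, CryptNet,
Amadey and BianLian summaries, run over constructed Sysmon-style events. Added example,
not vendor code: EventID 1 = process create, EventID 13 = registry value set; the sample
events and file names are made up for illustration."""
import re
from ntpath import basename

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"(%appdata%|\\AppData\\|\\Temp\\|\\Users\\Public\\)", re.IGNORECASE)
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete)", re.IGNORECASE)
# rclone transfer to a named remote; a two-plus character remote name excludes drive letters like C:
RCLONE_XFER = re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b.*\s[a-z][\w-]+:", re.IGNORECASE)
WALLPAPER_SETTERS = {"explorer.exe", "systemsettings.exe"}   # assumed benign baseline

def _image(ev):
    return basename(ev.get("Image", "")).lower()

def rule_run_key_from_user_dir(ev):
    # MDBotnet: svhost.exe fetched into %appdata% and registered under a Run key.
    if ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.search(ev["Details"]):
        return f"Run-key persistence into user-writable path: {ev['Details']}"

def rule_wallpaper_change(ev):
    # Rhysida: desktop background switched to the ransom note through the registry.
    if (ev["EventID"] == 13 and ev["TargetObject"].lower().endswith(r"\control panel\desktop\wallpaper")
            and _image(ev) not in WALLPAPER_SETTERS):
        return f"Wallpaper set by {_image(ev)}: {ev['Details']}"

def rule_shadow_copy_deletion(ev):
    # CryptNet: shadow copies and the backup catalog deleted to inhibit recovery.
    if ev["EventID"] == 1 and SHADOW_DELETE.search(ev["CommandLine"]):
        return f"Recovery inhibition: {ev['CommandLine']}"

def rule_task_and_acl_tools(ev):
    # Amadey chain: schtasks.exe /create for persistence, cacls.exe rewriting a file ACL.
    if ev["EventID"] != 1:
        return None
    cmd = ev["CommandLine"].lower()
    if _image(ev) == "schtasks.exe" and "/create" in cmd and USER_WRITABLE.search(cmd):
        return f"Scheduled task pointing at user-writable path: {ev['CommandLine']}"
    if _image(ev) in {"cacls.exe", "icacls.exe"} and re.search(r"/(e|p|grant|deny)\b", cmd):
        return f"File ACL modified from command line: {ev['CommandLine']}"

def rule_rclone_exfil(ev):
    # BianLian: bulk exfiltration with rclone to a configured remote (for example Mega).
    if ev["EventID"] == 1 and RCLONE_XFER.search(ev["CommandLine"]):
        return f"Possible rclone exfiltration: {ev['CommandLine']}"

RULES = [rule_run_key_from_user_dir, rule_wallpaper_change, rule_shadow_copy_deletion,
         rule_task_and_acl_tools, rule_rclone_exfil]

def run_rules(events):
    """Return (rule name, message) for every event matched by a rule, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits

# Constructed events: six that should fire (one per behaviour, Amadey contributes two),
# followed by two benign look-alikes that must stay quiet.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\Updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svhost",
     "Details": r"C:\Users\alice\AppData\Roaming\svhost.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\Downloads\enc.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Control Panel\Desktop\Wallpaper",
     "Details": r"C:\Users\Public\bg.jpg"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 1 /tn "Updater" /tr "C:\Users\alice\AppData\Local\Temp\stage2.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cacls.exe",
     "CommandLine": r'cacls.exe "C:\Users\alice\AppData\Local\Temp\stage2.exe" /E /P everyone:N'},
    {"EventID": 1, "Image": r"C:\ProgramData\rclone.exe",
     "CommandLine": r"rclone.exe copy \\fs01\finance mega:dump --transfers 8"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Control Panel\Desktop\Wallpaper",
     "Details": r"C:\Windows\Web\Wallpaper\Windows\img0.jpg"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /query /tn "Updater"'},
]

if __name__ == "__main__":
    for name, msg in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

Each rule is deliberately narrow (a user-writable path, a non-shell wallpaper setter, a named rclone remote) so that the benign events at the end of the sample do not fire; widen them only after measuring the false-positive rate on your own telemetry.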

The Evasive Panda APT Group Targets NGOs in China

The Evasive Panda APT group was discovered attacking NGOs in China with its custom backdoor, MgBot. The malware was delivered through the update mechanism of legitimate application software, fetched from legitimate URLs and IP addresses. It contains many plugins capable of stealing keystrokes, files, clipboard data, audio streams, credentials, and browser cookies.

IOC:

  • Thebgieceicfi220_browsingDll.dll SHA1: 970babe49945b98efada72b2314b25a008f75843 MD5: f553ea019b79742eabcbacd387231623 SHA256: 174a62201c7e2af67b7ad37bf7935f064a379f169cf257ca16e912a46ecc9841
  • Thebgieceicfi218_browsingDll.dll SHA1: 9d1ecbbe8637fed0d89fca1af35ea821277ad2e8 MD5: 07df8d223f8a370cd703d177d7e93a36 SHA256: 2c0cfe2f4f1e7539b4700e1205411ec084cbc574f9e4710ecd4733fbf0f8a7dc
  • Thebgieceicfi21_browsing7Dll.dll SHA1: e5214ab93b3a1fc3993ef2b4ad04dfcc5400d5e2 MD5: 13546e9d36effa74f971d90687b60ea6 SHA256: eb540cf9833ab8bd901b48ef258c0e14eb91fb3118fa967a40cd64d8ab417fa9

Novel Cylance Ransomware Targets Windows and Linux Systems

Researchers detected a ransomware family dubbed Cylance that affects both Windows and Linux systems. Before starting encryption, the ransomware enables several privileges, creates a scheduled task for persistence, and drops the ransom note in every folder. Encryption is carried out using the Salsa20 (Windows) or ChaCha (Linux) stream ciphers.

IOC:

  • Novelbgieceicac213_browsingElf.elf SHA1: 933ad0a7d9db57b92144840d838f7b10356c7e51 MD5: 4601076b807ed013844ac7e8a394eb33 SHA256: d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c
  • Novelbgieceicac215_browsingExe.exe SHA1: ff602997ce7bdd695a282bd373daf57bea7a051f MD5: 31ed39e13ae9da7fa610f85b56838dde SHA256: 7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f
  • Novelbgieceicac214_browsingExe.exe SHA1: 663081e2767df7083f765a3a8a994982959d4cbe MD5: 521666a43aeb19e91e7df9a3f9fe76ba SHA256: ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd

Remote Code Execution Exploitation on Huawei HG532 Routers in the Wild

Although CVE-2017-17215 is an old vulnerability, discovered by Check Point in 2017, ongoing attacks exploiting it are still being observed, which raises the question of why threat actors keep targeting it despite its age. Huawei has advised customers to apply temporary mitigations that prevent exploitation or to replace old routers with newer models; customers who neither request a fix from Huawei nor purchase a new router remain vulnerable. For more information, refer to the Huawei security notice.

IOC:

  • Huaweibgiecchefj_browsing7Elf.elf SHA1: f9e3e13a1b8c302fb02ba349450c287e28a138e1 MD5: 852f7fe842ce09e945bee124109bba50 SHA256: 97523b4732c4a08b493143650ce287dc3b125f47d3f7c8d825dcec898027b634
  • Huaweibgiecchefj1_browsingSh.sh SHA1: 093892d4e295dfd49e7b4577645fc5e2c2688087 MD5: 8f1e527699808426a05de6d05ea13959 SHA256: 51ac62a9854f5515611aaba9e097157183bbc894d6f136263085e4553dc5f17b
  • Huaweibgiecchefj2_browsingSh.sh SHA1: a65bb8fd4910eb313e4967714abde8b6ffeb08dd MD5: 03141053805f3a0e20b6c1eca7f52515 SHA256: 786ef090a24ffde30c88322593bb81c6675045f999f82736cbb3b10f79f6005f

ViperSoftX Infostealer Malware: Targeting Password Managers with Evasive Tactics

Researchers have discovered an enhanced variant of the ViperSoftX information stealer. The new iteration targets a wider range of software, including the KeePass and 1Password password managers, covers more cryptocurrency wallets, and can infect browsers other than Chrome. It also uses stronger code encryption and several evasion techniques to avoid detection by security software, which helps it remain hidden and maximize the theft of sensitive information.

IOC:

  • Swordbgieahgbjf15_browsingTxt.ps1 SHA1: c31d3e9622f598da78cbf58abb328ed2cc53a015 MD5: 8e5d50712e606d5b06344f4c5247c7ec SHA256: 696978b39b7afc97d4b7d6a3ab56b6b991fab9f9e511e722a2db5b8459679240
  • Swordbgieahgbjf16_browsingTxt.ps1 SHA1: b990107333027f0f52e75406b9ad90e646de0255 MD5: 8264204d0370eb7f6d13736823ebc744 SHA256: 6a7ccf87978dad1a2d1a1a52100101fb330d966ff6cd990b1d04eb627ef4530c
  • Swordbgieahgbjf12_browsingTxt.ps1 SHA1: a2dac3fae7453444a30b2e3cb3a8a9131e6bc939 MD5: 3db930bac5e373b6ee330f66c036e90f SHA256: 5e9d9016bbb70c1b4b02f13d5a12e112250651a77bf5b89a92d124d0f8576cdb

SISA ProACT MDR Solution – Threat Advisory – Stealthy Linux Malware Strikes: Defending Against PingPull Cyberespionage Campaigns

New variants of Linux malware are being utilized by hackers in their cyberespionage activities. These include a recently discovered variant of PingPull, a remote access trojan (RAT), as well as a previously unknown backdoor named ‘Sword2033.’ PingPull was initially identified by Unit 42 last summer during espionage attacks attributed to the Chinese state-sponsored group known as Gallium or Alloy Taurus. These attacks specifically targeted government and financial institutions in several countries, including Australia, Russia, Belgium, Malaysia, Vietnam, and the Philippines. Unit 42 has continued to monitor these espionage campaigns and has now revealed that the Chinese threat actor has expanded their operations to South Africa and Nepal, deploying new malware variants against their targets in these regions.

IOC:

  • Swordbgieahdaff1_browsingElf.elf SHA1: 4b143c8913594948d3b6b84d56cd09ebb622b927 MD5: bde2ba29e432eada31546175387dc456 SHA256: e39b5c32ab255ad284ae6d4dae8b4888300d4b5df23157404d9c8be3f95b3253
  • Swordbgieahdaff1_edrElf.elf SHA1: 4b143c8913594948d3b6b84d56cd09ebb622b927 MD5: bde2ba29e432eada31546175387dc456 SHA256: e39b5c32ab255ad284ae6d4dae8b4888300d4b5df23157404d9c8be3f95b3253

Reference: SISA ProACT MDR Solution – Threat Advisory

US-CERT Alert – Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability affects certain versions of PaperCut NG and PaperCut MF and allows unauthenticated actors to execute malicious code remotely. PaperCut released a patch in March 2023. According to FBI observations, malicious actors have been exploiting CVE-2023-27350 since mid-April 2023 and are continuing to do so. In early May 2023, the self-identified Bl00dy Ransomware Gang attempted to exploit vulnerable PaperCut servers belonging to the Education Facilities Subsector.

IOC:

  • Bloodybgieafcjjd1_browsingExe.exe SHA1: d9f7a36db2a5117d73712fb93df23e3c2fc693fb MD5: e574ad52562fce9ea506f47e79516a52 SHA256: 6bb160ebdc59395882ff322e67e000a22a5c54ac777b6b1f10f1fef381df9c15
  • Bloodybgieafcjjd2_browsingDll.dll SHA1: b918f97c7c6ebc9594de3c8f2d9d75ecc292d02b MD5: 46fe07c07fd0f45ba45240ef9aae2a44 SHA256: c0f8aeeb2d11c6e751ee87c40ee609aceb1c1036706a5af0d3d78738b6cc4125
  • Bloodybgieafcjjd3_browsingDll.dll SHA1: 587bbb7ef50a72954d4ef9b22b27d4a377adc2fa MD5: f0c715e8318bb8a57b7072144753acac SHA256: 0ce7c6369c024d497851a482e011ef1528ad270e83995d52213276edbe71403f

Atomic Stealer | Threat Actor Spawns Second Variant of macOS Malware Sold on Telegram

Researchers at SentinelOne have discovered a new info-stealer called Atomic Stealer that specifically targets macOS devices. Atomic Stealer is a type of malware designed to steal sensitive information, including login credentials, cryptocurrency wallets, and other personal data, from infected devices. This particular variant of Atomic Stealer was found being sold on the Telegram messaging app. It can bypass macOS security features and target popular web browsers such as Google Chrome and Safari, as well as crypto wallets and crypto browsers.

IOC:

  • Atomicbgidfeehfc62_browsingMacho.macho SHA1: 0db22608be1172844c0ebf08d573ea4e7ef37308 MD5: c7c4d58bfb5f2201966b0baf17babb46 SHA256: 56cd21cb9f114e7e1709592449ab7cce2bb3a2a7c89dab72f9be88a99fc9e775
  • Atomicbgidfeehfc64_browsingMacho.macho SHA1: 2681a24f0ec0b1c153cc12d5d861c0c19c8383ea MD5: 7ac1e26e5453333df5b29c1b234eb5de SHA256: a2fec3172d70f7515d43959264a0ee55433ca8207b7022dc1f6430a1616d9a64
  • Atomicbgidfeehfc66_browsingMacho.macho SHA1: 385b9cc7d3147f049e7b42e97f242c5060fc9e97 MD5: a9deab569c5cd7e5052bd1d42ab14150 SHA256: 990aaf49f24274dbecb68929683b1baa5ed1621722bed774ee8694b541b785e3

BlackBit Ransomware: A Threat from the Shadows of LokiLocker

BlackBit ransomware is a sophisticated strain of the LokiLocker ransomware variant that operates on the RaaS (Ransomware-as-a-Service) model. According to research published by Cyble Research and Intelligence Lab (CRIL), this ransomware has several capabilities for establishing persistence, evading defenses, and impairing recovery. It incorporates three distinct methods for presenting payment information to victims, including dropping ransom notes, displaying pop-ups when encrypted files are opened, and presenting an HTA page via mshta.exe.

IOC:

  • Blackbitbgidfeegbg42_browsingExe.exe SHA1: 2f052cc3e64870b8ac28efb2d79bc2b16dff3e8e MD5: d37b49b0a53fd07895ca4dc956cbc459 SHA256: 43c6aef23a90c742274d6db2148a5cb5027c82e94ba2db4ae4b4184956e370b5
  • Blackbitbgidfeegbg43_browsingExe.exe SHA1: 3cac81473dd91e7adf4516f1805bc5bdfeb562e4 MD5: bf528ecf7601043fe7931ed1fdd1d081 SHA256: b3324b629febeefb17201abb52bc66094b4ffb292f8aa3a549f39e7e11c63694
  • Blackbitbgidfeegbg44_browsingExe.exe SHA1: 7fd07c934ce9b7c4ad902408ed528acf4ce32ddb MD5: 90bae9356dc021172d0ff06603e7a4cf SHA256: 1d2db070008116a7a1992ed7dad7e7f26a0bfee3499338c3e603161e3f18db2f

Tonto Team Using Anti-Malware Related Files for DLL Side-Loading

The Tonto Team, a threat group distributing Bisonal malware in Korea, has been found abusing files belonging to anti-malware products for DLL side-loading in order to bypass detection, according to AhnLab Security Emergency Response Center.

IOC:

  • Tontobgidbaicie3_browsingDll.dll SHA1: 1bc18fc26b65fce0e85553e602c42af20e878ab6 MD5: fe1161885005ac85f89accf703ce27bb SHA256: c643598b4ee0e9b3b70dae19437bbec01e881a1ad3b2ec1f6f5c335e552e5d6e
  • Tontobgidbaicie1_browsingHtml.html SHA1: 7a29e8b959994183296d12603a54f5e117b4ff4c MD5: 59f7a3fe0453ca6d27ba3abe78930fdf SHA256: b3a8ea3b501b9b721f6e371dd57025dc14d117c29ce8ee955b240d4a17bc2127
  • Tontobgidbaicie3_edrDll.dll SHA1: 1bc18fc26b65fce0e85553e602c42af20e878ab6 MD5: fe1161885005ac85f89accf703ce27bb SHA256: c643598b4ee0e9b3b70dae19437bbec01e881a1ad3b2ec1f6f5c335e552e5d6e

FIN7 Tradecraft Seen in Attacks Against Veeam Backup Servers

WithSecure Intelligence has identified a threat actor using the same tradecraft observed in attacks against Veeam Backup & Replication servers in late March 2023. The group behind these attacks has been attributed to FIN7.

IOC:

  • Fin_browsing7bgidbaidca6Ps1.ps1 SHA1: 8687b6b1508a93556d6e30d14e5c4ee9971f2d80 MD5: 501c1d4e27b01fb8ca9e369df0094b37 SHA256: 16daecf77f7537b525c3488108cedb1827a30e65867caff330be6fa4a7d3fa38
  • Fin_edr7bgidbaidca6Ps1.ps1 SHA1: 8687b6b1508a93556d6e30d14e5c4ee9971f2d80 MD5: 501c1d4e27b01fb8ca9e369df0094b37 SHA256: 16daecf77f7537b525c3488108cedb1827a30e65867caff330be6fa4a7d3fa38 URL: http://217.12.206.176

ChatGPT-Themed Scam Attacks Are on the Rise

ChatGPT, a natural language processing (NLP) chatbot developed by OpenAI, has seen a significant increase in monthly registrations, making it one of the fastest-growing consumer applications. Scammers have taken notice and are leveraging techniques such as hosting fake websites, creating copycat chatbots, and registering typosquatted domains.

Attackers Gaining Access to the Kubernetes Cluster Through a Misconfigured API Server

The attackers were able to gain unauthorized access to Kubernetes resources and establish a backdoor for persistent access and malicious activities. This includes deploying a cryptominer on compromised servers. The attack was facilitated by a misconfigured API server that granted privileges to anonymous users without requiring authentication.

IOC:

  • Kubecryptobgidabihjb1_browsingElf.elf SHA1: 75612233d32768186d0557dd39abbbd3284a2a29 MD5: 2833c82055bf2d29c65cd9cf6684449a SHA256: 3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab
  • Kubecryptobgidabihjb1_edrElf.elf SHA1: 75612233d32768186d0557dd39abbbd3284a2a29 MD5: 2833c82055bf2d29c65cd9cf6684449a SHA256: 3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab
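A defender-side check for the misconfiguration described above, added here as an example and not code from the original report: it scans the JSON that `kubectl get clusterrolebindings,rolebindings -A -o json` emits and flags any binding that grants a role to `system:anonymous` or `system:unauthenticated`. The sample bindings, the `_binding` helper and the `lax-anon` binding name are constructed for the example.

```python
import json

ANON_SUBJECTS = {"system:anonymous", "system:unauthenticated"}
# Default binding that deliberately lets unauthenticated callers read non-sensitive
# endpoints (/healthz, /version); any other grant to these subjects is a finding.
EXPECTED_ANON = {"system:public-info-viewer"}

def _binding(kind, name, role, subj_kind, subj_name, namespace=None):
    """Build one binding object in the shape kubectl emits (test-data helper)."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"kind": kind, "metadata": meta,
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": subj_kind, "name": subj_name}]}

# Constructed sample shaped like `kubectl get clusterrolebindings,rolebindings -A -o json`
# (not real cluster output). "lax-anon" is the weak setting described above.
SAMPLE_BINDINGS = json.dumps({"items": [
    _binding("ClusterRoleBinding", "system:public-info-viewer",
             "system:public-info-viewer", "Group", "system:unauthenticated"),
    _binding("ClusterRoleBinding", "lax-anon", "cluster-admin", "User", "system:anonymous"),
    _binding("RoleBinding", "dev-edit", "edit", "Group", "devs", namespace="dev"),
]})

def find_anonymous_grants(bindings_json: str) -> list[dict]:
    """Return each (Cluster)RoleBinding that hands a role to anonymous or
    unauthenticated callers, ignoring the expected public-info-viewer binding."""
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        # subjects may be null on a binding with no subjects at all
        subjects = item.get("subjects") or []
        anon = sorted(s["name"] for s in subjects
                      if s.get("kind") in ("User", "Group") and s.get("name") in ANON_SUBJECTS)
        name = item["metadata"]["name"]
        if not anon or (item["kind"] == "ClusterRoleBinding" and name in EXPECTED_ANON):
            continue
        findings.append({"binding": name, "kind": item["kind"],
                         "namespace": item["metadata"].get("namespace", ""),
                         "role": item["roleRef"]["name"], "subjects": anon})
    return findings

if __name__ == "__main__":
    for f in find_anonymous_grants(SAMPLE_BINDINGS):
        print(f"FINDING: {f['kind']} {f['binding']} grants {f['role']} to {f['subjects']}")
```

Running it against live output is a matter of piping the kubectl JSON into `find_anonymous_grants`; a non-empty result is the condition to remediate, alongside disabling anonymous authentication on the API server where it is not required.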

Analysis of the DevOpt Multifunctional Backdoor

DevOpt is a multi-functional backdoor written in Free Pascal that was discovered on a Russian website. It is capable of running without user interaction and possesses advanced capabilities such as keylogging, browser credential theft, and clipper functionality. The operator behind DevOpt continues to enhance the malware, introducing new capabilities in successive versions.

IOC:

  • Analysisbgicjfagac_browsing71Exe.exe SHA1: 077e7c6ae21ed517e87de07cc8f312f141802bee MD5: db14d40d780853f80b93e21e92617680 SHA256: ba8829ba443bb9ec41c6c190b355c422dd0aa830f93a619f67f19a2e4ebc57b4
  • Analysisbgicjfagac_browsing72Exe.exe SHA1: a5d6ca8d95104146479ce7dd4a17fff175c45082 MD5: 391c894616dd0e8b372b801cbbc0a790 SHA256: 9ccd5224013cc1cb95dc63b4d686647a6fd3ed720c9a9c0c2ea1b3b6637775f0
  • Analysisbgicjfagac_browsing73Exe.exe SHA1: d40a579545c7d2e50dcedf87b5bc1640e8c55270 MD5: e42198e7c0647238b999a2b2133daac2 SHA256: 1453894f248a7effb0d71b074f18483ca199d51e3b572a01bb30adb19e940996

That’s all for now.
Stay cyber safe!