Advanced Espionage Malware “Stealth Soldier” Hits Libyan Firms

The Stealth Soldier campaign marks the possible reappearance of a threat actor known as “The Eye on the Nile” since its last operation in 2019.

Check Point Research has recently uncovered a series of highly targeted espionage attacks in Libya, shedding light on a previously undisclosed backdoor called Stealth Soldier. This sophisticated malware operates as a custom modular backdoor with surveillance functionalities, including file exfiltration, screen and microphone recording, keystroke logging, and stealing browser information.

The campaign, which appears to be targeting Libyan organizations, marks the possible reappearance of a threat actor known as “The Eye on the Nile” since its last operation in 2019.

Stealth Soldier, an implant used in limited and targeted attacks, is actively maintained: its latest version, Version 9, was compiled in February 2023. Check Point Research’s investigation began with the discovery of multiple files submitted to VirusTotal from Libya between November 2022 and January 2023.

These files, named in Arabic, such as “هام وعاجل.exe” (Important and Urgent.exe) and “برقية 401.exe” (Telegram 401.exe), turned out to be downloaders for different versions of the Stealth Soldier malware.

The execution flow of Stealth Soldier starts with the downloader, which triggers the infection chain. Although the delivery mechanism of the downloader remains unknown, social engineering is suspected.

The malware’s infection process involves downloading multiple files from the Command and Control (C&C) server, including the loader, watchdog, and payload. These components work together to establish persistence and execute the surveillance functionalities.

First, the loader downloads an internal module called PowerPlus to enable PowerShell commands and create persistence. Then, the watchdog periodically checks for updated versions of the loader and runs it accordingly. Finally, the payload collects data, receives commands from the C&C server, and executes various modules based on the attacker’s instructions.

The victim’s information collected by the Stealth Soldier’s payload includes the…

Source…

Iranian Hackers Deploy New Ransomware Against Israeli Firms

Researchers Discover Moneybird Ransomware Strain, Warn of Growing Sophistication

Security researchers have discovered an Iran-linked APT group carrying out a new chain of ransomware attacks against Israeli organizations using a previously unseen strain of malware.

Researchers at Check Point found a ransomware strain called Moneybird that is reminiscent of the Iranian Agrius group’s previous campaigns.

Agrius gained notoriety for targeting Israel-based entities with wiper variants, masking the intrusions as ransomware attacks to confuse defenders.

According to Check Point investigators, the new Moneybird strain is an upgrade to previous Agrius attacks that used its custom-built Apostle wiper malware. The upgrade is indicative of the group’s relentless expansion efforts. “The use of a new ransomware written in C++ is noteworthy as it demonstrates the group’s expanding capabilities and ongoing effort in developing new tools,” Check Point said.

The latest attack begins with web shells placed on vulnerable servers reached through known VPN service nodes, which serve as the entry point. Following the deployment of the web shells, the threat actor used several publicly available tools to move laterally through the affected environment.

The malicious files are then downloaded to carry out ransomware execution and data exfiltration, with the exfiltration routed through some common services.

Other tools are also deployed for similar intentions, such as…

Source…

3CX Hackers Also Compromised Critical Infrastructure Firms

A supply chain attack that targeted 3CX en route to its customers also compromised two energy firms and two financial trading organizations, according to Symantec.

The security vendor explained the news in a blog post the day after Mandiant revealed that the original 3CX supply chain attack was enabled by a previous compromise of futures trading software.

As reported by Infosecurity, suspected North Korean threat actors trojanized the “X_Trader” software produced by Trading Technologies. Once installed on the computer of a 3CX employee, that app provided the hackers with a backdoor into the firm’s network.

However, Symantec claimed that the same Trojan also infected two critical infrastructure organizations in the energy sector – one in the US and one based in Europe. A further pair of organizations working in the financial trading sector were also breached, it said.

“It appears likely that the X_Trader supply chain attack is financially motivated, since Trading Technologies, the developer of X_Trader, facilitates futures trading, including energy futures,” the blog noted.

“Nevertheless, the compromise of critical infrastructure targets is a source of concern. North Korean-sponsored actors are known to engage in both espionage and financially motivated attacks and it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation.”

Read more on the original 3CX attack: North Korean Hackers Use Trojanized 3CX DesktopApp in Supply Chain Attacks.

Symantec said that once the legitimate X_Trader executable is installed, it side-loads two malicious DLLs. The first, “winscard.dll,” contains code to load and execute a payload from the second, “msvcr100.dll,” which is a modular backdoor called “VeiledSignal.”

The security vendor claimed that the process for installing the final payload is almost the same as that used with the Trojanized 3CX app: two side-loaded DLLs being used to extract a payload from an encrypted blob.

“The discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this…

Source…

83% of ransomware-hit firms paid ransom at least once

  • An alarming 83% of the organizations that were targeted acknowledged having paid the ransom on at least one occasion.
  • The data reveals a link between cybersecurity debt and the occurrence of ransomware incidents.

The debate over whether organizations should pay ransoms in ransomware incidents often centers on the importance of promoting cybersecurity awareness. Last week, news emerged that Australian financial company Latitude Group Holdings had decided not to give in to criminals’ ransom demands following a cyberattack the previous month. The company asserted that paying would harm customers and the broader community by encouraging more attacks.

While a few companies may have followed Latitude’s example by refusing to pay ransoms, a striking 83% of those who fell victim admitted to paying the ransom at least once, according to ExtraHop’s 2023 Global Cyber Confidence Index: Cybersecurity Debt Drives Up Costs and Ransomware Risk report.

The study, contrasting IT leaders’ cybersecurity practices with the actual attack landscape, revealed a significant rise in ransomware incidents – from an average of four attacks over five years in 2021 to four attacks within just one year in 2022.

Now, the costs of data breaches continue to increase yearly. Ransomware payments are not getting any cheaper either, especially with most ransoms being paid in cryptocurrency. Businesses will eventually realize that the cost of paying a ransom far exceeds the cost of implementing and improving their cybersecurity. Backup and data recovery services need to be prioritized, as does raising cybersecurity awareness among employees.

As organizations face a growing number of attacks, the data shows they are overwhelmed by cybersecurity debt – unresolved security vulnerabilities such as unpatched software, unmanaged devices, shadow IT, and insecure network protocols that serve as entry points for malicious actors.

Apart from that, most organizations have not moved on from outdated cybersecurity practices and lack good cyber hygiene. Neither may be the main cause of ransomware, but both are contributing factors that make it easier for cybercriminals to launch…

Source…