
Flax Typhoon targeting Taiwan, Ransomware Emphasizing Linux-Centric Payloads


Flax Typhoon: Microsoft Uncovers Espionage Tactics Targeting Taiwan

Microsoft has detected malicious activities primarily targeting Taiwanese organizations by a nation-state actor named Flax Typhoon, which is believed to be based in China.[1] The actor’s tactics suggest intentions of espionage and long-term access to various industries. Despite extensive activities, Flax Typhoon does not seem to have a clear end-goal in this campaign, as Microsoft did not observe data-collection or exfiltration objectives. 

Active since mid-2021, Flax Typhoon has targeted government, education, manufacturing, and IT sectors in Taiwan, with some victims in Southeast Asia, North America, and Africa. The actor’s focus is on persistence, lateral movement, and credential access. Flax Typhoon employs living-off-the-land techniques, using tools such as the China Chopper web shell, Metasploit, Juicy Potato, Mimikatz, and the SoftEther VPN client. The actor gains initial access by exploiting vulnerabilities in public-facing servers. The group uses tools like Juicy Potato to establish persistence via RDP (Remote Desktop Protocol), and SoftEther VPN to set up command and control. Once established, Flax Typhoon accesses credentials using tools like Mimikatz to target LSASS process memory and the SAM registry hive.

The techniques deployed by Flax Typhoon can easily be reused in targeted attacks. Defenders should hunt for the signs of compromise shared by Microsoft and adhere to basic security hygiene, including but not limited to vulnerability and patch management, hardening of public-facing servers, and enforcing strong multifactor authentication (MFA) policies.

*** This is a Security Bloggers Network syndicated blog from EclecticIQ Blog authored by Jörg Abraham. Read the original post at: https://blog.eclecticiq.com/flax-typhoon-targeting-taiwan-ransomware-emphasizing-linux-centric-payloads


BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads


Mar 11, 2023 | Ravie Lakshmanan | Cyber Threat Intelligence

The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif.

According to cybersecurity company eSentire, malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAI’s ChatGPT, Spotify, Tableau, and Zoom.

BATLOADER, as the name suggests, is a loader that’s responsible for distributing next-stage malware such as information stealers, banking malware, Cobalt Strike, and even ransomware.

One of the key traits of the BATLOADER operations is the use of software impersonation tactics for malware delivery.

This is achieved by setting up lookalike websites that host Windows installer files masquerading as legitimate apps to trigger the infection sequence when a user searching for the software clicks a rogue ad on the Google search results page.


These MSI installer files, when launched, execute Python scripts that contain the BATLOADER payload to retrieve the next-stage malware from a remote server.

This modus operandi marks a slight shift from the previous attack chains observed in December 2022, when the MSI installer packages were used to run PowerShell scripts to download the stealer malware.


Other BATLOADER samples analyzed by eSentire have also revealed added capabilities that allow the malware to establish entrenched access to enterprise networks.

“BATLOADER continues to see changes and improvement since it first emerged in 2022,” eSentire said.

“BATLOADER targets various popular applications for impersonation. This is no accident, as these applications are commonly found in business networks and thus, they would yield more valuable footholds for monetization via fraud or hands-on-keyboard intrusions.”




Bumblebee Malware Loader’s Payloads Significantly Vary by Victim System


A new analysis of Bumblebee, a particularly pernicious malware loader that first surfaced this March, shows that its payload for systems that are part of an enterprise network is very different from its payload for standalone systems.

On systems that appear to be part of a domain — for example, systems that might share the same Active Directory server — the malware is programmed to drop sophisticated post-exploitation tools such as Cobalt Strike. On the other hand, when Bumblebee determines it has landed on a machine that is part of a workgroup — or peer-to-peer LAN — the payload generally tends to be banking and information stealers.

Different Malware

“While the victim’s geographical location didn’t seem to have any effect on the malware behavior, we observed a very stark difference between the way Bumblebee behaves after infecting machines,” Check Point said in a report this week based on a recent analysis of the malware.

“If the victim is connected to WORKGROUP, in most cases it receives the DEX command (Download and Execute), which causes it to drop and run a file from the disk,” Check Point said. However, if the system is connected to an AD domain, the malware uses the Download and Inject (DIJ) or Download shellcode and Inject (SHI) commands to download advanced payloads such as Cobalt Strike, Meterpreter, and Sliver.

Check Point’s analysis adds to the growing volume of research around Bumblebee in the six months or so since researchers first observed the malware in the wild. The malware has garnered attention for several reasons. One of them is its relatively widespread use among multiple threat groups. In an April 2022 analysis, researchers from Proofpoint said they had observed at least three distinct threat groups distributing Bumblebee to deliver different second-stage payloads on infected systems, including ransomware such as Conti and Diavol. Google’s threat analysis group identified one of the actors distributing Bumblebee as an initial access broker they are tracking as “Exotic Lily.”

Proofpoint and other security researchers have described Bumblebee as being used by threat actors previously associated with BazaLoader, a prolific malware loader that among other…


Update on Red Curl. TA406’s high 2021 optempo. Ephemeral payloads in a spearphishing campaign. Code-signing boot camp.


Attacks, Threats, and Vulnerabilities

Seeing Red (Domain Tools) The DomainTools Research team came across a batch of malicious-looking PDFs that stretched back to July 30, 2021. While containing no malicious content, they did link to dozens of short-lived Glitch apps hosting a SharePoint phishing page containing obfuscated JavaScript designed to harvest credentials.

Chinese Cyberespionage Bootcamps Training Recruits in the Art of Supply Chain Attacks for Over a Decade (Yahoo Finance) New report from Venafi shows Chinese threat actors targeting code signing certificates for use in software supply chain attacks

APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks (Venafi) Learn about the infamous APT41 group and why they are abusing code signing keys and certificates as powerful weapons to steal and exploit data. Find out which industries they are targeting, the anatomy of their attack and who’s really behind them.

Group-IB report: “RedCurl. The pentest you didn’t know about” (Group-IB) Research of the new espionage APT-group RedCurl and its elaborate attacks on enterprise companies in North America, Europe and CIS

RedCurl hacking group returns with new attacks (The Record by Recorded Future) Even after its operations were publicly exposed in August 2020, the RedCurl hacking group has continued to carry out new intrusions and has breached at least four companies this year, according to a new report from security firm Group-IB.

Hackers Targeting Myanmar Use Domain Fronting to Hide Malicious Activities (The Hacker News)

Previously unreported North Korean espionage part of busy 2021 for country’s hackers (CyberScoop) A North Korean cyber espionage group known primarily for targeting think tanks, advocacy groups, journalists and others related to Pyongyang’s adversaries around the world has been quite prolific in 2021, according to email security firm Proofpoint.

State-sponsored North Korean hackers responsible for blitz of attacks in 2021 (The Record by Recorded Future) Suspected government-backed hackers from North Korea launched…
