Security Affairs Malware Newsletter Round 46
The latest issue of Security Affairs Malware newsletter is out now, featuring a curated selection of the best articles and research on malware in the international landscape. In this edition, we delve into the anatomy of a double-extortion gang, explore how a trusted IT tool became a malicious delivery vector, and uncover hidden threats of dual-function malware in Chrome extensions.
One of the standout stories in this issue is the discovery of Sarcoma Ransomware, a new strain that has been linked to a double-extortion gang. Our article takes a deep dive into the anatomy of this malware, exploring its tactics, techniques, and procedures (TTPs), as well as its impact on organizations worldwide.
Another notable piece in this issue is an investigation into the RVTools Bumblebee malware attack, which highlights how a trusted IT tool can be exploited to deliver malicious payloads. Our analysis reveals the weaknesses in the system that allowed this malware to spread and the consequences it has had for affected organizations.
The newsletter also features a probe into malicious 'Checker' packages on PyPI (Python Package Index), highlighting the need for better vetting processes to prevent such threats from reaching users. Additionally, our article examines the rise of RedisRaider, a malware that weaponizes misconfigured Redis to mine cryptocurrency at scale.
A growing concern in this issue is the discovery of hidden threats of dual-function malware found in Chrome extensions. Our research reveals how these malicious tools can be used to steal sensitive data and pose significant risks to user security.
Furthermore, we report on a multi-year attack by Chinese hackers on a Saudi organization, which highlights the ongoing threat landscape in the Middle East. The attackers deployed the MarsSnake backdoor, allowing them to maintain access to the compromised systems for years.
The newsletter also features an investigation into LummaC2 malware, which is used to exfiltrate sensitive data from organizations. Our analysis provides insights into the tactics and techniques employed by threat actors using this malware.
Another notable piece in this issue is our examination of Pure Harm: PureRAT, a highly versatile infostealer that has been used in numerous attacks against Russian organizations. We break down its delivery techniques and capabilities to provide a comprehensive understanding of this threat.
A Brief History of DanaBot
DanaBot is a notorious ecrime juggernaut that has been active since 2015. Our article provides a brief history of the group, tracing their evolution from initial operations to more sophisticated attacks and eventual disruption by Operation Endgame.
In other news, we report on a recent Bumblebee malware attack distributed via Zenmap and WinMRT, highlighting the vulnerability of legitimate software to exploitation for malicious purposes. We also investigate SEO poisoning and 60 malicious npm packages that leaked network and host data in an active malware campaign.
Follow the Spiders: Investigating Latrodectus Malware
Our latest investigation takes a closer look at Latrodectus malware, a relatively unknown threat that has been linked to several high-profile attacks. We examine its tactics and techniques, as well as the methods used by attackers to spread it.
Russian GRU Targeting Western Logistics Entities and Technology Companies
The Russian GRU (Main Intelligence Directorate) has been identified as a key player in a series of cyberattacks targeting Western logistics entities and technology companies. Our analysis provides an overview of the tactics, techniques, and procedures employed by this threat actor.
3AM Ransomware Actors Deploy Virtual Machine with Vishing and Quick Assist
The 3AM ransomware actors have been spotted using a unique tactic that combines vishing and Quick Assist sessions with the deployment of a virtual machine. We delve into the details of this attack, exploring its impact and implications for organizations.
From Banks to Battalions: SideWinder’s Attacks on South Asia's Public Sector
The SideWinder group has been linked to a series of attacks targeting South Asia's public sector. Our article provides an overview of their tactics, techniques, and procedures, as well as the impact of these attacks on organizations in the region.
UAT-6382 Exploits Cityworks Zero-Day Vulnerability to Deliver Malware
The threat actor tracked as UAT-6382 has exploited a zero-day vulnerability in Cityworks software to deliver malware. We examine the details of this attack, exploring its impact and implications for organizations.
Consistent and Compatible Modelling of Cyber Intrusions and Incident Response Demonstrated in the Context of Malware Attacks on Critical Infrastructure
This article demonstrates the importance of consistent and compatible modelling in incident response, using malware attacks on critical infrastructure as a case study. Our analysis highlights the need for better preparedness and response strategies.
Malware Families Discovery via Open-Set Recognition on Android Manifest Permissions
Our latest research uses open-set recognition to identify malware families based on Android manifest permissions. This innovative approach provides insights into the ways in which attackers use permission manipulation to evade detection.