CyberSecurity news

FlagThis - #kaspersky

Kaspersky@Securelist //
The Librarian Ghouls APT group, also known as Rare Werewolf, is actively targeting Russian entities, with additional victims reported in Belarus and Kazakhstan. According to a recent report by Kaspersky, this sophisticated threat actor employs a range of techniques to compromise systems, including the use of RAR archives and BAT scripts. The group leverages legitimate software and multiple communication channels like email, Facebook, and Telegram to deliver malicious payloads, often operating during night hours to minimize detection. The APT has been consistently targeting Russian companies, with attacks continuing almost unabated since 2024, with a slight decline in December followed by a new wave of attacks.

The primary initial infection vector for Librarian Ghouls involves targeted phishing emails containing password-protected archives with executable files inside. These malicious emails are typically disguised as messages from legitimate organizations, containing attachments that appear to be official documents or payment orders. Once the victim opens the archive and extracts the files, the infection process begins. The group's objective is to establish remote access to compromised hosts, steal credentials, and deploy the XMRig cryptocurrency miner.

Rare Werewolf stands out for its preference for legitimate third-party software over developing its own malicious binaries. For example, in some attacks, a legitimate tool called 4t Tray Minimizer is used. The malicious functionality is implemented through command files and PowerShell scripts. A salient aspect of their tactics is launching a PowerShell script that wakes up the victim system at 1 a.m. local time and allows the attackers remote access to it for a four-hour window via AnyDesk, before shutting down the machine at 5 a.m.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • Securelist: Sleep with one eye open: how Librarian Ghouls steal data by night
  • Catalin Cimpanu: Mastodon post mentioning Librarian Ghouls Stealing data at night
Classification:
Mike Moore@techradar.com //
A new wave of cyberattacks is targeting Internet of Things (IoT) devices through both the Mirai botnet and BadBox 2.0 malware. Cybersecurity researchers have discovered a new variant of the Mirai botnet that exploits a critical vulnerability, CVE-2024-3721, in TBK DVR devices. This vulnerability allows attackers to remotely deploy malicious code on digital video recording systems commonly used for surveillance. Kaspersky GReAT experts have described the new features of this Mirai variant, noting that the latest botnet infections specifically target TBK DVR devices.

Simultaneously, the FBI has issued a warning about the dangerous BadBox 2.0 malware, which has already infected over a million devices, including smart TVs, streaming boxes, digital projectors, and tablets. These devices, often cheap, off-brand, Android-powered units, are being hijacked to form a global botnet used for malicious activities such as ad fraud, click fraud, and distributed denial-of-service (DDoS) attacks. The compromised devices are turned into residential proxies, which are then sold or provided for free to cybercriminals, enabling a wide range of illicit activities.

The Mirai botnet leverages a vulnerability in TBK DVR devices, enabling unauthorized system command execution. Attackers send targeted POST requests to vulnerable endpoints, containing encoded shell commands to download and execute ARM32 binary payloads. This streamlined approach allows for efficient infection, bypassing traditional reconnaissance phases. Meanwhile, BadBox 2.0 often comes preloaded on devices or is transferred through malicious firmware updates and Android applications. Once infected, devices become part of a botnet that cybercriminals exploit for various nefarious purposes, highlighting the persistent threat IoT devices pose to cybersecurity.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • cyberpress.org: New Mirai Botnet Variant Exploits TBK DVR Vulnerability to Deploy Malicious Code
  • The Record: TV streaming devices, digital projectors and other IoT devices are being infected with BadBox 2.0 malware after the original campaign was stifled by German law enforcement.
  • Securelist: Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721
  • cyberinsider.com: New Mirai Botnet Variant Targets Flaw in 50,000 Exposed TBK DVRs
  • therecord.media: TV streaming devices, digital projectors and other IoT devices are being infected with BadBox 2.0 malware after the original campaign was stifled by German law enforcement.
  • Cyber Security News: Cybersecurity researchers have discovered a new variant of the notorious Mirai botnet that exploits a critical vulnerability in TBK DVR devices to deploy malicious code remotely.
  • gbhackers.com: New Mirai Variant Exploits TBK DVR Flaw for Remote Code Execution
  • securityonline.info: New Mirai Botnet Variant Targets DVR Systems via CVE-2024-3721
  • securityonline.info: New Mirai Botnet Variant Targets DVR Systems via CVE-2024-3721
  • gbhackers.com: New Mirai Variant Exploits TBK DVR Flaw for Remote Code Execution
  • www.bleepingcomputer.com: A new variant of the Mirai malware botnet is exploiting a command injection vulnerability in TBK DVR-4104 and DVR-4216 digital video recording devices to hijack them.
  • CyberInsider: New Mirai Botnet Variant Targets Flaw in 50,000 Exposed TBK DVRs
  • securityaffairs.com: BadBox 2.0 botnet infects millions of IoT devices worldwide, FBI warns
  • securityaffairs.com: New Mirai botnet targets TBK DVRs by exploiting CVE-2024-3721
Classification:
@poliverso.org //
Chinese-speaking IronHusky hackers are actively targeting government organizations in Russia and Mongolia using an upgraded version of the MysterySnail remote access trojan (RAT) malware. Security researchers at Kaspersky's Global Research and Analysis Team (GReAT) recently discovered this updated implant during investigations into attacks utilizing a malicious MMC script disguised as a Word document. This script downloads second-stage payloads and establishes persistence on compromised systems, indicating a continued focus on espionage and data theft by the APT group.

This new version of MysterySnail RAT includes an intermediary backdoor that facilitates file transfers between command and control servers and infected devices, allowing attackers to execute commands. The IronHusky group is abusing the legitimate piping server (ppng[.]io) to request commands and send back their execution results. This technique helps the attackers to evade detection by blending malicious traffic with normal network activity, highlighting the sophisticated methods employed by the threat actor.

The MysterySnail RAT, initially discovered in 2021, has undergone significant evolution, demonstrating its adaptability and the persistent threat it poses. Despite a period of relative obscurity after initial reports, the RAT has re-emerged with updated capabilities targeting specific geopolitical interests. The continuous refinement and deployment of this malware underscores the ongoing cyber espionage activities carried out by the IronHusky APT group, with a particular focus on Russian and Mongolian government entities.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • Securelist: MysterySnail RAT attributed to IronHusky APT group hasn’t been reported since 2021. Recently, Kaspersky GReAT detected new versions of this implant in government organizations in Mongolia and Russia.
  • The DefendOps Diaries: The MysterySnail RAT: An Evolving Cyber Threat
  • BleepingComputer: Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.
  • Know Your Adversary: 108. Hunting for Node.js Abuse
  • bsky.app: Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.
  • www.kaspersky.com: Provides threat intelligence about the IronHusky APT group.
  • poliverso.org: IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia
  • threatmon.io: Threatpost reports on Chinese APT IronHusky Deploys Updated MysterySnail RAT on Russia
  • hackread.com: Kaspersky researchers report the reappearance of MysterySnail RAT, a malware linked to Chinese IronHusky APT, targeting Mongolia and…
  • securityonline.info: IronHusky APT Resurfaces with Evolved MysterySnail RAT
  • securityonline.info: IronHusky APT Resurfaces with Evolved MysterySnail RAT
  • Talkback Resources: The MysterySnail RAT, linked to Chinese IronHusky APT, has resurfaced targeting government entities in Mongolia and Russia with a new version capable of executing 40 commands for malicious activities and deploying a modified variant named MysteryMonoSnail.
  • securityaffairs.com: Chinese APT IronHusky Deploys Updated MysterySnail RAT on Russia
  • securelist.com: Kaspersky report on IronHusky updates the forgotten MysterySnail RAT
  • www.scworld.com: Stealthy multi-stage malware attack, updated MysterySnail RAT uncovered
  • securityaffairs.com: Malicious payloads have been distributed as part of a new covert multi-stage intrusion while Chinese advanced persistent threat operation IronHusky has been targeting Russian and Mongolian government entities with an upgraded MysterySnail RAT variant, reports The Hacker News.
Classification: