Tyler McGraw @ Rapid7 Cybersecurity Blog
The BlackSuit ransomware group is continuing its campaign of social engineering attacks, a tactic that cybersecurity experts believe it adopted from the Black Basta ransomware group. The shift comes after Rapid7 observed a significant decrease in social engineering attacks attributed to Black Basta since late December 2024, possibly indicating a change in Black Basta's operations due to internal conflicts or other factors. BlackSuit's persistence in employing social engineering illustrates a threat landscape in which ransomware groups readily adapt and evolve their methods to maximize their chances of breaching target networks.

The social engineering tactics employed by BlackSuit echo those previously used by Black Basta, including email bombing and Microsoft Teams phishing. According to a report from ReliaQuest in June 2025, attackers have recently begun incorporating Python scripts alongside these techniques, using cURL requests to retrieve and deploy malicious payloads. This demonstrates increasing sophistication, aimed at establishing persistent access to targeted systems and evading traditional security controls. The attacks often masquerade as legitimate communications, for example from help desk personnel, to trick unsuspecting users into divulging sensitive information or executing malicious code. ReliaQuest's findings show that a substantial portion of Teams phishing attacks originated from onmicrosoft[.]com domains or from breached domains, making it difficult to distinguish malicious traffic from legitimate activity. The affected sectors include finance, insurance, and construction. This move towards more sophisticated and stealthy methods poses a significant challenge to organizations, which must enhance their detection capabilities to identify and mitigate these evolving threats effectively.
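The detection difficulty described above (external Teams senders in default onmicrosoft.com tenants posing as help desk, often preceded by an email-bombing burst against the same user) can be turned into a simple triage rule. The following is an added example written for this page, not code from Rapid7 or ReliaQuest; the log format is a constructed, simplified stand-in for Teams and mail audit records, and the field names, the help desk keyword list and the 50-mails-per-hour burst threshold are assumptions to tune for your environment.

```python
"""Triage external Microsoft Teams chats for the BlackSuit / Black Basta
social engineering pattern: external tenant (often *.onmicrosoft.com),
help desk impersonation, and an inbound email burst against the recipient.
Added example; log layout, field names and thresholds are assumptions."""
from __future__ import annotations

import json
from datetime import datetime, timedelta

HELPDESK_TERMS = ("help desk", "helpdesk", "it support", "service desk", "it department")
EMAIL_BURST_THRESHOLD = 50                 # assumed tuning: inbound mails per window
EMAIL_BURST_WINDOW = timedelta(hours=1)

# Constructed sample Teams chat records (JSON lines). Tenants, names and
# timestamps are fictional; "external" marks a cross-tenant sender.
TEAMS_LOG = """
{"ts":"2025-06-10T09:02:11Z","recipient":"alice@corp.example","sender":"svc-it@contoso-it-helpdesk.onmicrosoft.com","display":"Help Desk","external":true}
{"ts":"2025-06-10T09:05:40Z","recipient":"bob@corp.example","sender":"carol@corp.example","display":"Carol","external":false}
{"ts":"2025-06-10T11:20:05Z","recipient":"dave@corp.example","sender":"pm@partner.example","display":"Partner PM","external":true}
{"ts":"2025-06-10T13:45:00Z","recipient":"erin@corp.example","sender":"support@fabrikam.onmicrosoft.com","display":"Sales","external":true}
"""

# Constructed inbound-mail events as (timestamp, recipient): a 55-message
# burst against alice between 08:05 and 08:59, and three normal mails for erin.
_BASE = datetime.fromisoformat("2025-06-10T08:00:00+00:00")
MAIL_EVENTS = [(_BASE + timedelta(minutes=5 + i), "alice@corp.example") for i in range(55)]
MAIL_EVENTS += [(_BASE + timedelta(hours=5, minutes=i), "erin@corp.example") for i in range(3)]


def parse_jsonl(text: str) -> list[dict]:
    """Parse JSON lines and convert the ISO-8601 'ts' field to an aware datetime."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def inbound_burst(mail_events: list[tuple[datetime, str]], recipient: str, at: datetime) -> int:
    """Count inbound mails to `recipient` in the window ending at `at`."""
    lo = at - EMAIL_BURST_WINDOW
    return sum(1 for ts, rcpt in mail_events if rcpt == recipient and lo <= ts <= at)


def score_teams_message(msg: dict, mail_events: list[tuple[datetime, str]]) -> list[str]:
    """Return the list of reasons a message is suspicious (empty if none).
    Only external senders are scored; internal chats are out of scope here."""
    reasons: list[str] = []
    if not msg.get("external"):
        return reasons
    domain = msg["sender"].rsplit("@", 1)[-1].lower()
    if domain.endswith(".onmicrosoft.com"):
        reasons.append("sender in default onmicrosoft.com tenant")
    if any(term in msg["display"].lower() for term in HELPDESK_TERMS):
        reasons.append("display name impersonates help desk")
    burst = inbound_burst(mail_events, msg["recipient"], msg["ts"])
    if burst >= EMAIL_BURST_THRESHOLD:
        reasons.append(f"email burst: {burst} inbound mails in prior hour")
    return reasons


def triage(teams_log: str, mail_events: list[tuple[datetime, str]]) -> dict[str, list[str]]:
    """Map each recipient with at least one reason to the reasons found."""
    flagged: dict[str, list[str]] = {}
    for msg in parse_jsonl(teams_log):
        reasons = score_teams_message(msg, mail_events)
        if reasons:
            flagged[msg["recipient"]] = reasons
    return flagged


if __name__ == "__main__":
    for recipient, reasons in triage(TEAMS_LOG, MAIL_EVENTS).items():
        print(recipient, "->", "; ".join(reasons))
```

On the constructed data, alice's chat is flagged on all three signals and erin's only on the tenant domain, while the partner-tenant chat to dave and the internal chat to bob are not flagged. In practice the tenant check should be an allow-list of federated partners rather than a suffix match, since legitimate partners may also use a default onmicrosoft.com domain.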
cyberinsider.com
Cybersecurity researchers have uncovered a sophisticated malware campaign distributing the Winos 4.0 framework through trojanized installers of popular applications such as LetsVPN and QQBrowser. The campaign, active since February 2025, primarily targets Chinese-speaking environments and showcases careful, long-term planning by a capable threat actor. The attackers use fake software installers to trick users into installing the malware, which grants remote access to compromised systems.
The Winos 4.0 malware is delivered through a multi-layered infection chain called the Catena loader. The loader uses multi-stage reflective loaders and in-memory payload delivery to evade traditional antivirus tools. The infection process begins with seemingly legitimate NSIS installers bundled with signed decoy applications and malicious components, including shellcode embedded in ".ini" files and reflective DLLs. This modular approach lets the attackers adapt quickly to detection pressure, as seen in the evolution of their tactics from February to April 2025. Once installed, Winos 4.0 connects to attacker-controlled servers, predominantly hosted in Hong Kong, to receive follow-up instructions or additional malware. The framework, built on the foundations of Gh0st RAT, is written in C++ and uses a plugin-based system to harvest data, provide remote shell access, and launch distributed denial-of-service (DDoS) attacks. The campaign highlights the ongoing risk posed by trojanized software and underlines the importance of verifying software sources to prevent malware infections.
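Because the Catena chain described above hides shellcode in ".ini" files and ships reflective DLLs next to a signed decoy, a cheap triage step for an installer's dropped files is to check whether a file claiming to be a configuration file actually looks like one: a real .ini is low-entropy printable text, whereas shellcode or an encrypted blob shows up as a high-entropy, non-printable region, and a DLL carries an "MZ"/"PE" header regardless of its extension. The scanner below is an added example written for this page, not code from the researchers who analysed the campaign; the window size, the entropy and non-printable thresholds, and the sample files are constructed assumptions.

```python
"""Heuristic triage of .ini files dropped by an installer: flag embedded
high-entropy regions, non-printable content, or a PE header.
Added example; thresholds and samples are constructed assumptions."""
from __future__ import annotations

import math
import random

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # ASCII text plus tab/LF/CR
WINDOW, STEP = 512, 256        # sliding window so a small blob in a big file is not diluted
ENTROPY_LIMIT = 6.5            # bits/byte; text configs typically sit around 4-5
NONPRINT_LIMIT = 0.05          # fraction of non-printable bytes tolerated


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte over `chunk` (0.0 for empty input)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def max_window_entropy(data: bytes) -> float:
    """Highest entropy seen over sliding windows (whole file if it is small)."""
    if len(data) <= WINDOW:
        return shannon_entropy(data)
    return max(shannon_entropy(data[i:i + WINDOW])
               for i in range(0, len(data) - WINDOW + 1, STEP))


def nonprintable_ratio(data: bytes) -> float:
    return sum(1 for b in data if b not in PRINTABLE) / len(data) if data else 0.0


def looks_like_pe(data: bytes) -> bool:
    """True if the data starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\0\0"


def scan_ini(data: bytes) -> dict:
    """Score one file's bytes; reasons are ordered entropy, non-printable, PE header."""
    ent = max_window_entropy(data)
    npr = nonprintable_ratio(data)
    pe = looks_like_pe(data)
    reasons = []
    if ent > ENTROPY_LIMIT:
        reasons.append(f"high-entropy region ({ent:.2f} bits/byte)")
    if npr > NONPRINT_LIMIT:
        reasons.append(f"non-printable bytes ({npr:.1%})")
    if pe:
        reasons.append("PE header inside a .ini file")
    return {"entropy": round(ent, 2), "nonprintable": round(npr, 3),
            "pe_header": pe, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: an ordinary installer config, the same config with a
# pseudo-random blob appended (stand-in for embedded shellcode), and a
# minimal MZ/PE header skeleton renamed as .ini.
BENIGN_INI = (b"[Settings]\nLanguage=en-US\nInstallDir=C:\\Program Files\\Example\n"
              b"CreateShortcut=1\nCheckUpdates=0\n[Network]\nProxy=\nTimeout=30\n")
_rng = random.Random(2025)
SUSPICIOUS_INI = BENIGN_INI + b"[Data]\nblob=" + bytes(_rng.getrandbits(8) for _ in range(2048))
PE_LIKE_INI = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 64


if __name__ == "__main__":
    for name, blob in (("benign.ini", BENIGN_INI), ("dropped.ini", SUSPICIOUS_INI),
                       ("renamed.ini", PE_LIKE_INI)):
        print(name, scan_ini(blob))
```

Entropy alone is a coarse signal: a legitimately compressed or UTF-16 resource can also score high, so the result is a triage cue for further analysis rather than a verdict, and the thresholds should be calibrated against a corpus of your own installers' configuration files.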