Cyware Weekly Threat Intelligence - December 26–29

Weekly Threat Briefing • December 29, 2023
Space missions are sensitive operations. To keep its security measures on the cutting edge, NASA released the Space Security Guide. In the wake of rising attacks in the healthcare sector, the HHS shared four new pointers. Additionally, Pakistan's PTA launched the 2023-2028 Cyber Security Strategy, focusing on telecom sector resilience.
A new ransomware group has emerged as a force to be reckoned with. Named DragonForce, the group claimed attacks on Ohio Lottery and Yakult Australia and says it obtained large troves of data from both firms. Xeinadin, Ubisoft, and LoanCare are among the other major victims of the week.
On the malware side, APT28's phishing campaign was found deploying a Python malware called MASEPIE, McAfee uncovered the Xamalicious Android backdoor, and Carbanak added ransomware capability. Meanwhile, zero-day flaws were found in Barracuda's ESG devices.
Security researchers from McAfee have discovered a new Android backdoor called Xamalicious, implemented using the Xamarin open-source framework. The malware tries to gain accessibility privileges through social engineering and then communicates with a command-and-control server to download a second-stage payload. This payload can take full control of the infected device and perform fraudulent actions such as clicking on ads and installing apps without the user's consent.
The Mallox ransomware group has updated its PowerShell script to bypass the AMSI (Antimalware Scan Interface) detection component of anti-virus products, allowing it to execute malicious code without being detected. The script uses a technique published by a researcher in 2022, which involves patching the Windows Defender DLL registered for AMSI with shellcode that overwrites the function responsible for scanning PowerShell scripts.
According to cybersecurity firm NCC Group, Carbanak, a notorious banking malware, has evolved to incorporate ransomware attacks with updated tactics. In recent attacks observed in November 2023, Carbanak was distributed through compromised websites, impersonating various business-related software such as HubSpot, Veeam, and Xero. The malware, initially known for banking fraud, has been utilized by the FIN7 cybercrime syndicate.
Barracuda Networks discovered two zero-day vulnerabilities in its Email Security Gateway Appliance (ESG) devices, which were exploited by the China-nexus actor UNC4841. The two vulnerabilities, tracked as CVE-2023-7102 and CVE-2023-7101, exist in the Spreadsheet::ParseExcel third-party library. Barracuda has issued patches for these flaws to address the arbitrary code execution risk.
AhnLab analyzed attack campaigns targeting poorly managed Linux SSH servers, shedding light on the tactics employed by threat actors. The attackers use malware such as ShellBot, Tsunami, ChinaZ DDoS Bot, and XMRig CoinMiner. The analysis reveals the use of a username and password list for SSH brute-force attacks, with threat actors deploying various tools, including port scanners, banner grabbers, and SSH dictionary attack tools.
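The SSH brute-force activity described above leaves a recognisable trail in the server's authentication log: bursts of "Failed password" lines from one source, often followed by an "Accepted" line once a weak credential is guessed. The following is an added example (not code from the page or from AhnLab) that parses syslog-format sshd lines and flags both patterns. The log lines are constructed for illustration and use documentation IP ranges; the year 2023 is assumed because syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not real data); IPs are from documentation ranges.
SAMPLE_LOG = """\
Dec 27 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.9 port 51022 ssh2
Dec 27 03:14:02 host sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Dec 27 03:14:03 host sshd[2105]: Failed password for invalid user oracle from 203.0.113.9 port 51024 ssh2
Dec 27 03:14:04 host sshd[2107]: Failed password for root from 203.0.113.9 port 51025 ssh2
Dec 27 03:14:05 host sshd[2109]: Failed password for root from 203.0.113.9 port 51026 ssh2
Dec 27 03:14:07 host sshd[2111]: Accepted password for root from 203.0.113.9 port 51027 ssh2
Dec 27 03:20:11 host sshd[2201]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Dec 27 03:20:12 host sshd[2203]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Dec 27 09:00:00 host sshd[2301]: Failed password for root from 192.0.2.77 port 33001 ssh2
Dec 27 09:00:30 host sshd[2303]: Failed password for root from 192.0.2.77 port 33002 ssh2
Dec 27 10:00:00 host sshd[2305]: Failed password for root from 192.0.2.77 port 33003 ssh2
Dec 27 10:00:30 host sshd[2307]: Failed password for root from 192.0.2.77 port 33004 ssh2
Dec 27 11:00:00 host sshd[2309]: Failed password for root from 192.0.2.77 port 33005 ssh2
"""

# Matches OpenSSH's "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

ASSUMED_YEAR = 2023  # assumption: syslog timestamps omit the year


def parse_events(text):
    """Turn raw sshd lines into dicts; lines that are not auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "method": m["method"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag IPs with at least `threshold` failed password logins inside any sliding window of `window_s` seconds."""
    failures, users = defaultdict(list), defaultdict(set)
    for e in events:
        if not e["ok"] and e["method"] == "password":
            failures[e["ip"]].append(e["ts"])
            users[e["ip"]].add(e["user"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until all attempts in [start, end] fit in window_s.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"attempts": len(times), "users": sorted(users[ip])}
                break
    return flagged


def detect_success_after_failures(events, min_failures=3, window_s=300):
    """Flag a successful login from an IP that failed at least `min_failures` times in the preceding window: a likely guessed password."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    hits = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if not e["ok"]:
                continue
            prior = [f for f in evs[:i]
                     if not f["ok"] and (e["ts"] - f["ts"]).total_seconds() <= window_s]
            if len(prior) >= min_failures:
                hits.append({"ip": ip, "user": e["user"], "method": e["method"],
                             "ts": e["ts"], "prior_failures": len(prior)})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("brute force:", detect_bruteforce(evs))
    print("success after failures:", detect_success_after_failures(evs))
```

In the sample, 203.0.113.9 trips both detectors (five failures in four seconds, then an accepted password for root), while 192.0.2.77 spreads the same five failures over two hours and slips under the default one-minute window; widening `window_s` catches that low-and-slow pattern at the cost of more noise, which is the usual trade-off when tuning this kind of rule. The publickey success from 198.51.100.4 after a single failure is left alone, as it should be.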
Ukraine's CERT reported a phishing campaign by the Russian state-sponsored hacking group APT28 (Fancy Bear) delivering new malware. The campaign featured a new Python malware downloader named 'MASEPIE,' which establishes persistence on infected devices, downloads additional malware, and steals data. APT28 also employed PowerShell scripts ('STEELHOOK') for data theft from Chrome-based browsers and a C# backdoor ('OCEANMAP') for stealthy command execution and retrieval.
The North Korean group Kimsuky has been observed using spear-phishing attacks to deliver various backdoors and tools, including AppleSeed, Meterpreter, and TinyNuke, to compromise targeted machines. Cybersecurity firm AhnLab attributed the activity to Kimsuky. The group's espionage campaigns rely on malicious lure documents that deploy different malware families, with the AppleSeed Windows backdoor the most notable among them.
Cybercriminals compromised the fan expansion "Downfall" for the game Slay the Spire, distributing the Epsilon info-stealer malware through the Steam update system. The compromised package was a standalone modified version of the game, not a mod installed via Steam Workshop. The attackers took over one of the developers' Steam and Discord accounts, which gave them control of the mod's Steam account. The malware collects cookies, saved passwords, credit card details, and more from browsers, as well as Steam and Discord information.