Cyware Weekly Threat Intelligence - June 24–28
Weekly Threat Briefing • Jun 28, 2024
The Good
In a bold alliance, the NCA and the FBI embark on a relentless pursuit to dismantle the Qilin ransomware gang. This elusive group, seemingly shielded by Russian government approval, has wreaked havoc on global healthcare providers. Meanwhile, on the frontlines of data privacy, the CPPA and CNIL forge a strategic partnership. This transatlantic collaboration promises a robust framework for joint research and education on emerging technologies and data protection.
-
The U.K's National Crime Agency (NCA) and the FBI have joined forces to track down and disrupt the activities of the Qilin ransomware gang. The agencies are trying to identify and apprehend the criminals behind Qilin, which has been operating with the apparent approval of the Russian government. The Qilin ransomware gang has targeted global healthcare providers, causing widespread disruption and leaking sensitive patient data.
-
The California Privacy Protection Agency (CPPA) signed a partnership agreement with France’s Commission Nationale de l'Informatique et des Libertés (CNIL) to conduct joint research on data privacy issues and share investigative learnings. The declaration establishes a general framework of cooperation to facilitate joint internal research and education related to new technologies and data protection issues, share best practices, and convene periodic meetings.
The Bad
In a diabolical dance of cyber mayhem, the Unfurling Hemlock threat actor deployed malware cluster bombs. Over 50,000 such files, meticulously crafted, target systems primarily in the U.S., Germany, Russia, and others. Additionally, the UAC-0184 waged a digital war on Ukraine using the XWorm RAT. In a parallel nightmare, the polyfill[.]io domain, once benign, now serves malware to over 100,000 websites.
-
The Unfurling Hemlock threat actor is using a malware cluster bomb technique to deliver multiple types of malware to compromised systems, providing high levels of redundancy and persistence. Over 50,000 cluster bomb files linked to the threat group have been identified, with the attacks targeting systems primarily in the U.S., as well as in Germany, Russia, Turkey, India, and Canada. The attacks begin with the execution of a file named 'WEXTRACT.EXE', which contains nested compressed cabinet files, each containing a malware sample. The final stage executes the extracted files in reverse order.
-
Cyble identified the Russia-linked threat actor group UAC-0184 targeting Ukraine with the XWorm RAT. The campaign begins with a malicious LNK shortcut file disguised as an Excel document, which executes a PowerShell script to download and execute malicious files. The attackers use DLL sideloading and a tool called Shadowloader to inject the XWorm RAT into a running process. The XWorm RAT has various capabilities, including data theft, DDoS attacks, and cryptocurrency manipulation.
-
The polyfill[.]io domain, previously used for JavaScript polyfills, has been compromised and is now serving malicious code to over 100,000 websites. The domain was bought by a Chinese organization, leading to a supply chain attack that infected visitors' browsers with malware. The malicious code is dynamically generated based on the website's HTTP headers, making it difficult to detect and block. Google has started blocking Google Ads for affected websites to reduce traffic and potential victims.
-
SpyMax, an Android RAT, has been spotted targeting Telegram users. It does not require rooted devices, making it easier for threat actors to gather private information and control victims' devices. The malware pretends to be the Telegram app and requests Accessibility Service permission, acting as a trojan with keylogger capabilities. It collects location information and communicates with a C2 server to send compressed data and receive system commands and APK payload.
-
A supply chain attack on WordPress plugins led to the compromise of five plugins, allowing attackers to create unauthorized admin accounts and inject SEO spam on affected websites. The affected plugins include Social Warfare, Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon, and Simply Show Hooks. The injected malware attempts to create a new administrative user account and sends those details back to an attacker-controlled server. The malware also injects malicious JavaScript into the footer of websites, which appears to add SEO spam throughout the website
-
North Korean hackers are actively using the HappyDoor malware in spear-phishing email attacks to steal sensitive information and gain remote access. HappyDoor is a malware used by the Kimsuky group, a North Korean hacking group, since 2021 and is still active as of 2024. The evolving HappyDoor malware operates via regsvr32.exe in three stages and has functions such as screen capture, key logging, file leakage, and communication with C&C servers using HTTP.
New Threats
A new breed of malware masquerades as cracks and commercial tools, each download spawning a uniquely hashed menace, yet all bearing the same nefarious capabilities. This digital chameleon, named InnoLoader, utilizes InnoSetup to present a deceptive installer interface. Discovered vulnerabilities in Sensor Net Connect device and Thermoscan IP desktop application could elevate a regular user to administrator status, endangering sensitive medical data and inviting denial-of-service attacks on critical monitoring systems. In Southeast Asia, a stealthy adversary named Snowblind has been preying on banking customers, wreaking financial havoc.
- A new type of malware disguised as cracks and commercial tools is being distributed, where a unique malware is created upon each download attempt with different hash values but the same malicious functions. The malware is created using InnoSetup and is dubbed InnoLoader. It displays an installer UI and executes malicious behaviors when the user clicks the "Next" button during installation. The malware can download and execute various payloads from the C2 server, including infostealers, proxy tools, and adware.
- Vulnerabilities discovered in the Sensor Net Connect device and Thermoscan IP desktop application could allow a non-administrator user to gain administrator privileges, potentially compromising medical data systems. These vulnerabilities could lead to denial-of-service attacks on the medical monitoring infrastructure. The vendor, Plug&Track, has not responded to the researchers' attempts to disclose the vulnerabilities, so no official patch has been provided. Recommended mitigation steps include segregating access, monitoring logs and accounts, and implementing strict access controls until a permanent fix is available.
- A new malware called Snowblind is targeting banking customers in Southeast Asia, resulting in financial losses and fraud. Snowblind uses a unique technique that disables Android banking apps' ability to detect malicious modifications, making it difficult to detect the malware. It exploits accessibility services on apps, which are designed to help users with disabilities use their devices effectively.
- XLab researchers spotted k4spreader, a new tool developed by the "8220" cryptomining gang that first appeared in February 2024. It is an installer written in CGO mode that provides system persistence, downloads and updates itself, and releases other malware for execution. The tool is used to deploy payloads like the Tsunami botnet and PwnRig miner. It is capable of closing the firewall and cleaning up other malicious processes.
- A critical security vulnerability, CVE-2024-5806, has been identified in MOVEit Transfer, which can allow attackers to bypass authentication and gain unauthorized access to the system. The vulnerability is caused by improper validation of user-supplied input during the authentication process. The affected versions include MOVEit Transfer 2023.0.0 to 2023.0.10, 2023.1.0 to 2023.1.5, and 2024.0.0 to 2024.0.1. Progress strongly urges all MOVEit Transfer customers to immediately upgrade to the latest patched versions: 2023.0.11, 2023.1.6, and 2024.0.2.