- Initial Access: The attack likely begins with a phishing email containing a malicious LNK file (VenomLNK).
- Execution: The LNK file executes an obfuscated batch script, which downloads and executes various payloads, including RevC2 and Venom Loader. Venom Loader utilizes DLL side-loading and JavaScript for execution.
- Persistence: Venom Loader establishes persistence by adding a PowerShell script to the autorun registry key.
- Command and Control: RevC2 uses WebSockets (ws://208.85.17[.]52:8082) for C2 communication, while More_eggs lite uses HTTP POST requests (/api/infos).
- Defense Evasion: Both RevC2 and Venom Loader employ obfuscation to hinder analysis. Venom Loader also uses DLL side-loading.
- Collection: RevC2 steals cookies and passwords and takes screenshots.
- Exfiltration: Stolen data is exfiltrated over the C2 channel.
Category: Engage Reports
CleverSoar x China & Vietnam users
Adversaries are modifying legitimate installers of the CleverSoar application to deliver malware. This specific campaign targets Chinese and Vietnamese users. The exact malware payload and its functionalities are unknown at this time, but it likely grants the attackers initial access to victim systems.
Undetected Playground for Malware
- Threat actors embedded malicious GDScript code within the Godot Engine, a legitimate piece of software.
- Upon execution of the Godot Engine, the GDScript is loaded, which then downloads and executes a malicious payload.
- This technique has been successful in remaining undetected by most antivirus tools.
CyberVolk | A Deep Dive into the Hacktivists, Tools and Ransomware Fueling Pro-Russian Cyber Attacks
T1566 – CyberVolk has been observed utilizing phishing emails and LinkedIn messages to distribute malicious links to targets.
T1490 – The ransomware terminates processes associated with Microsoft Management Console (MMC) or Task Manager.
T1486 – The ransomware displays a payment screen with a decryption timer and payment details, including BTC and USDT options. The ransom amount is set to $1000.00, and the timer is set to 5 hours.
Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure
T1566.001 – The attacker sends a phishing email containing a malicious link to a GitHub repository disguised as a legitimate project.
T1133 – The attacker hosts malicious code, disguised as an NPM package, on a public GitHub repository.
T1059.003 – The victim, a developer, uses the npm install command to install the malicious NPM package from the GitHub repository.
T1543 – The malicious NPM package contains a script that executes a malicious JavaScript file (‘test.js’) located in the ‘.vscode’ folder, establishing persistence on the victim’s machine.
T1071.001 – The malicious JavaScript file uses the cURL command to communicate with the attacker’s C2 server over HTTP to download additional payloads.
T1041 – The attacker uses the established C2 channel to exfiltrate sensitive data from the victim’s machine.
Financially Motivated Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers
- SilkSpecter used spearphishing emails with malicious attachments (T1566) to target Black Friday shoppers.
- The attachments likely contained malware, which, when executed, established a connection to the threat actor’s command-and-control (C2) server using common protocols like HTTP or HTTPS (T1071).
- This allowed the attackers to steal sensitive information like credit card details and personally identifiable information (PII) and send it back to their C2 server (T1041).
CVE-2024-38178 MS Scripting Engine
- The attacker targeted Windows users running specific software with a built-in web viewer.
- They created a domain similar to a legitimate ad agency, serving malicious JavaScript code within their ads.
- This domain was then registered with the targeted software vendor, rendering the malicious ads in the software’s ad pop-up process.
- When users launched the software, the malicious ads would trigger a type confusion vulnerability (CVE-2024-38178) in the JScript9.dll engine, leading to remote code execution.
DONOT APT Attack
- The attacker sends a spearphishing email containing a malicious Office document that exploits the vulnerability CVE-2017-11882.
- Upon opening the document, the exploit triggers, allowing the attacker to execute a command that launches the next stage of the attack.
- A scheduled task named “Schedule” is created to execute a malicious DLL file via rundll32.exe every 5 minutes, ensuring persistence.
- The scheduled task establishes communication with the attacker’s command-and-control (C2) server using the HTTP protocol.
- The attacker sends commands and exfiltrates data over the established C2 channel.
Pygmy goat Backdoor
Pygmy Goat uses the LD_PRELOAD environment variable to inject itself into the sshd process, ensuring it’s loaded and executed whenever the SSH daemon starts.
Hunting the Emperor – Engage Game of Emperor
Earth Estries exploited vulnerabilities in public-facing servers, such as CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN, and CVE-2022-3236 in Sophos Firewall, to gain initial access. They then used web shells like GHOSTSPIDER and SNAPPYBEE for persistence and command and control, allowing them to maintain long-term access to the victim’s network.