Threat Hunting Scenario: Lazarus Group’s Evolved Infection Chain

Lazarus Group actors are actively targeting specific industries with tailored spearphishing attacks, utilizing trojanized remote access tools and a complex infection chain involving multiple malware stages and C2 communication for persistent access and data exfiltration.

Threat Hunting Scenario based on the Cyber Anarchy Squad (C.A.S) Attacks

C.A.S actors gain initial access through the exploitation of public-facing applications, establish persistence, escalate privileges, and utilize various tools and techniques to achieve their objectives, including data exfiltration, encryption, and destruction.

Exploitation of Firefox and Windows zero-day vulnerabilities

The RomCom threat actors are actively exploiting Firefox and Windows zero-day vulnerabilities to compromise systems, escalate privileges, establish persistence, and exfiltrate sensitive data.

China shopping for Black Friday Gains

SilkSpecter actors are targeting online shoppers during the Black Friday period with spearphishing emails containing malicious attachments. These attachments likely contain obfuscated malware designed to evade detection and exfiltrate sensitive information like credit card details.

Pygmy Goat Backdoor

Pygmy Goat uses the LD_PRELOAD environment variable to inject itself into the sshd process, ensuring it’s loaded and executed whenever the SSH daemon starts.

Nsocks Botnet Activity

The Nsocks botnet leverages vulnerabilities in specific Internet-facing applications, such as VMware Horizon servers with a known critical vulnerability (CVE-2021-21972). Once compromised, the attacker uses a custom protocol over TCP for command and control (C2) communication. This protocol involves various commands to manage the botnet, including downloading and executing files, launching DDoS attacks, and stealing credentials.

Extracting CrossC2 Configurations

The CrossC2 framework generates obfuscated Cobalt Strike payloads for Unix-like systems. These payloads contain encrypted configurations and potentially Malleable C2 profiles within an appended overlay. The payload itself may be packed with UPX and further obfuscated with techniques like LLVM string encryption. The configurations are encrypted using AES-128 CBC with a hardcoded key and IV.