Researchers have uncovered new attacks by a North Korean advanced persistent threat actor – Andariel APT group – targeting Korean corporations and other organizations. The victims include educational institutions and companies in the manufacturing and construction sectors. The attackers employed keyloggers, infostealers, and proxy tools alongside backdoors to control and extract data from compromised systems, said researchers at the AhnLab Security Intelligence Center (ASEC). The malware used in these attacks includes strains previously attributed to the Andariel APT group, including the backdoor "Nestdoor." Additional tools include web shells and proxy tools linked to the North Korean Lazarus group that now contain modifications compared to earlier versions. Researchers first observed a confirmed attack case where a malware was distributed via a web server running an outdated 2013 version of Apache Tomcat, which is vulnerable to various attacks. "The threat actor used the web server to install backdoors, proxy tools, etc.," the researchers said. [caption id="attachment_73866" align="aligncenter" width="1000"] Apache Tomcat compromised to spread malware by Andariel APT. (Credit: Ahnlab)[/caption]

Malware Used by Andariel APT in this Campaign

The first of the two malware strains used in the latest campaign was Nestdoor, a remote access trojan (RAT) that has been active since May 2022. This RAT can execute commands from the threat actor to control infected systems. Nestdoor has been found in numerous Andariel attacks, including those exploiting the VMware Horizon product’s Log4Shell vulnerability (CVE-2021-44228). The malware is developed in C++ and features capabilities such as file upload/download, reverse shell, command execution, keylogging, clipboard logging, and proxy functionalities. A specific case in 2022 involved Nestdoor being distributed alongside TigerRAT using the same command and control (C&C) server. Another incident in early 2024 saw Nestdoor disguised as an OpenVPN installer. This version maintained persistence via the Task Scheduler and communicated with a C&C server. The Andariel APT has been developing new malware strains in the Go language for each campaign. Dora RAT, a recent discovery is one such malware strain. The backdoor malware supports reverse shell and file transfer operations and exists in two forms: a standalone executable and an injected process within "explorer.exe." The latter variant uses an executable in WinRAR SFX format, which includes an injector malware. The Dora RAT has been signed with a valid certificate from a UK software developer in an attempt to make it look legitimate.

Additional Malware Strains

• Keylogger/Cliplogger: Performs basic functions like logging keystrokes and clipboard contents, stored in the “%TEMP%” directory.
• Stealer: It is designed to exfiltrate files from the system, potentially handling large quantities of data.
• Proxy: Includes both custom-created proxy tools and open-source Socks5 proxy tools. Some proxies are similar to those used by the Lazarus group in past attacks.

The Andariel group, part of the larger Lazarus umbrella, has shifted from targeting national security information to also pursuing financial gains. Last month, the South Korean National Police Agency revealed a targeted campaign of the Andariel APT aimed at stealing the country’s defense technology. Andariel APT hackers gained access to defense industry data by compromising an employee account, which was used in maintaining servers of a defense industry partner. The hackers injected malicious code into the partner’s servers around October 2022, and extracted stored defense technology data. This breach exploited a loophole in how employees used their personal and professional email accounts for official system access. Andariel APT's initial attack methodology primarily includes spear phishing, watering hole attacks, and exploiting software vulnerabilities. Users should remain cautious with email attachments from unknown sources and executable files from websites. Security administrators are advised to keep software patched and updated, including operating systems and browsers, to mitigate the risk of malware infections, the researchers recommended.

IoCs to Watch for Signs of Andariel APT Attacks

IoCs to monitor for attacks from Andariel APT group include: MD5s – 7416ea48102e2715c87edd49ddbd1526: Nestdoor – Recent attack case (nest.exe) – a2aefb7ab6c644aa8eeb482e27b2dbc4: Nestdoor – TigerRAT attack case (psfile.exe) – e7fd7f48fbf5635a04e302af50dfb651: Nestdoor – OpenVPN attack case (openvpnsvc.exe) – 33b2b5b7c830c34c688cf6ced287e5be: Nestdoor launcher (FirewallAPI.dll) – 4bc571925a80d4ae4aab1e8900bf753c: Dora RAT dropper (spsvc.exe) – 951e9fcd048b919516693b25c13a9ef2: Dora RAT dropper (emaupdate.exe) – fee610058c417b6c4b3054935b7e2730: Dora RAT injector (version.dll) – afc5a07d6e438880cea63920277ed270: Dora RAT injector (version.dll) – d92a317ef4d60dc491082a2fe6eb7a70: Dora RAT (emaupdate.exe) – 5df3c3e1f423f1cce5bf75f067d1d05c: Dora RAT (msload.exe) – 094f9a757c6dbd6030bc6dae3f8feab3: Dora RAT (emagent.exe) – 468c369893d6fc6614d24ea89e149e80: Keylogger/Cliplogger (conhosts.exe) – 5e00df548f2dcf7a808f1337f443f3d9: Stealer (msload.exe) C&Cs – 45.58.159[.]237:443: Nestdoor – Recent attack case – 4.246.149[.]227:1443: Nestdoor – TigerRAT attack case – 209.127.19[.]223:443: Nestdoor – OpenVPN attack case – kmobile.bestunif[.]com:443 – Dora RAT – 206.72.205[.]117:443 – Dora RAT

The notorious Russian hacktivist collective UserSec is actively seeking specialists to join its ranks, signaling a new recruitment drive within the hacking community. The group, known for its anti-NATO stance and pro-Russian sentiments, recently posted a UserSec recruitment drive plan on Telegram channels, emphasizing the need for individuals skilled in multiple hacking techniques and virus handling. In addition to traditional hacking roles, UserSec is also launching a specialized training program focused on website defacement techniques. This initiative includes updated materials, new tools, and bonus resources for recruits. The group aims to expand its capabilities and bolster its operations through this recruitment effort.

UserSec Recruitment Drive for Hackers

[caption id="attachment_73253" align="alignnone" width="972"] Source: Dark Web[/caption] The UserSec recruitment drive plan comes amidst ongoing tensions between Russia and NATO, with UserSec previously declaring a cyber campaign targeting NATO member states. Notably, the group has collaborated with other pro-Russian hacking groups, such as KillNet, to orchestrate coordinated attacks against NATO. Talking about the recruitment plan, the threat actor stated they are “looking for promising specialists” to join their teams, including individuals who are interested in pen testing, social engineering, reverse engineers, and “people who know how to work with viruses”. UserSec, a pro-Russian hacking group active since at least 2022, has gained notoriety for its Distributed Denial of Service (DDoS) attacks and collaboration with other like-minded groups. In May 2023, UserSec made headlines by declaring a cyber campaign aimed at NATO member states, forming an alliance with KillNet to carry out coordinated attacks.

UserSec’s Plans for Unified Collaborative Environment 

The recent recruitment drive highlights UserSec's plan to create a unified environment for hackers. By seeking specialists in various hacking techniques and offering training in website defacement, UserSec aims to attract individuals who can contribute to its objectives of disrupting adversaries and advancing its pro-Russian agenda. The collaboration between UserSec and KillNet further highlights a concerning trend in cyber warfare, where hacking groups align themselves to target politically significant entities. By leveraging Distributed Denial of Service (DDoS) attacks, UserSec demonstrates its disruptive capabilities and willingness to engage in cyber warfare for geopolitical purposes. The targeting of NATO member states raises questions about the potential implications for international security, emphasizing the urgent need for enhanced cybersecurity measures. As hacking groups continue to evolve and collaborate to launch large-scale attacks, governments and organizations must prioritize cybersecurity to mitigate the threat posed by groups like UserSec. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Its disclosure came after RansomHub claimed responsibility for the cyberattack and threatened to release client data on the dark web.

© Li Qiang for The New York Times

Media reports claim that cybersecurity experts have recently unveiled new details about a remote access trojan (RAT) named Deuterbear, employed by the China-linked hacking group BlackTech. This sophisticated Deuterbear RAT malware is part of a broader cyber espionage operation targeting the Asia-Pacific region throughout the year.   Advancements Over Waterbear Deuterbear exhibits notable advancements over […]

The post Deuterbear RAT: China-Linked Hackers’ Cyber Espionage Tool appeared first on TuxCare.

The post Deuterbear RAT: China-Linked Hackers’ Cyber Espionage Tool appeared first on Security Boulevard.

Microsoft has uncovered a new “FakePenny” ransomware variant being deployed by a North Korean threat actor to target organizations in the software, information technology, education and defense industrial base sectors for both espionage and monetary gains. The threat actor, which Microsoft tracks as Moonstone Sleet, was first observed delivering a new custom ransomware variant in April, to an undisclosed company whose networks it compromised a couple of months earlier. The ransomware is straightforward and contains a loader and an encryptor module. North Korean threat actor groups have previously developed such custom ransomware, but “this is the first time we have observed this threat actor deploying ransomware,” the tech giant said.

“Microsoft assesses that Moonstone Sleet’s objective in deploying the ransomware is financial gain, suggesting the actor conducts cyber operations for both intelligence collection and revenue generation.”

FakePenny ransomware demands exorbitant ransoms, with recent demands reaching $6.6 million in Bitcoin. “This is in stark contrast to the lower ransom demands of previous North Korea ransomware attacks, like WannaCry 2.0 and H0lyGh0st,” Microsoft said. Notably, the ransom note used by FakePenny ransomware closely resembles the one employed in the infamous NotPetya ransomware attack, which is attributed to the North Korean group Seashell Blizzard. This continuity in tactics highlights the interconnected nature of North Korean cyber operations.

Moonstone Sleet’s Strategy and Tradecraft

Moonstone Sleet has a diverse set of operations supporting its financial and espionage objectives. This group has been observed creating fake companies, employing trojanized versions of legitimate tools, and even developing malicious games to infiltrate targets. Their ability to conduct concurrent operations and quickly evolve and adapt their techniques is notable. The threat actor, as noted earlier, has several different tradecrafts under its belt. In early August 2023, Moonstone Sleet delivered a compromised version of PuTTY, an open-source terminal emulator, through platforms like LinkedIn, Telegram, and freelancing websites. The trojanized software decrypted and executed the embedded malware when the user provided an IP and password mentioned in a text document contained in the malicious Zip file that the threat actor sent. The same technique was used by another North Korean actor Diamond Sleet. Moonstone Sleet has also targeted victims using malicious “npm” packages distributed through freelancing sites and social media. These packages often masqueraded as technical assessments, lead to additional malware downloads when executed. Since February 2024, Moonstone Sleet has also taken a different approach by using a malicious game called DeTankWar to infect devices. The group approached targets posing as a game developer or fake company, presenting the game as a blockchain project. Upon launching the game, additional malicious DLLs were loaded, executing a custom malware loader known as “YouieLoad.” This loader performs network and user discovery and browser data collection.

Fake Companies and Work-for-Hire Schemes

Since January 2024, Moonstone Sleet has created several fake companies, including StarGlow Ventures and C.C. Waterfall, to deceive targets. These companies posed as software development and IT service firms, often related to blockchain and AI, to establish trust and gain access to organizations. Moonstone Sleet has also pursued employment opportunities in legitimate companies, which is consistent with reports of North Korea using remote IT workers to generate revenue. Recently, U.S. charged North Korean job fraud nexus that was amassing funds to support its nuclear program. The nexus scammed more than 300 U.S. companies and accumulated at least $6.8 million. This employment tactic could also provide another avenue for gaining unauthorized access to organizations. Moonstone Sleet’s notable attacks include compromising a defense technology company to steal credentials and intellectual property and deploying ransomware against a drone technology firm.

“Despite being new, Moonstone Sleet has demonstrated that it will continue to mature, develop, and evolve, and has positioned itself to be a preeminent threat actor conducting sophisticated attacks on behalf of the North Korean regime.”

Defending Against Moonstone Sleet

To defend against Moonstone Sleet, Microsoft recommends endpoint detection and response (EDR), implementing attack surface reduction rules to block executable content from email clients and webmail, preventing executable files from running unless they meet specific criteria, use advanced protection against ransomware, and block credential stealing from LSASS. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Russian hackers were found using legitimate remote monitoring and management software to spy on Ukraine and its allies. The malicious scripts required for downloading and running the RMM program on the victims’ computers are hidden among the legitimate Python code of the “Minesweeper” game from Microsoft. The Government Computer Emergency Response Team of Ukraine (CERT-UA), operating under the State Special Communications Service, warned that Russian cybercriminals are using the legitimate SuperOps RMM software program to gain unauthorized access to Ukrainian organizations’ information systems, particularly those in the financial sector. The Cyber Security Center of the National Bank of Ukraine (CSIRT-NBU) and CERT-UA recorded and analyzed phishing emails sent to victims with a Dropbox link containing an executable file (.SCR) that was about 33 megabytes in size. The emails were sent from the address “support@patient-docs-mail.com,” which impersonated a medical center and had the subject line “Personal Web Archive of Medical Documents.” The .SCR file contained a Python clone of the Minesweeper game along with malicious Python code that downloads additional scripts from a remote source “anotepad.com.” The Minesweeper code contained a function named “create_license_ver” which is repurposed to decode and execute the hidden malicious code. The legitimate SuperOps RMM program is eventually downloaded and installed from a ZIP file, granting attackers remote access to the victim’s computer. The CERT-UA found five similar files, named after financial and insurance institutions in Europe and the USA, indicating that these cyberattacks, which took place between February and March 2024, have a wide geographic reach. CERT-UA tracked this threat activity to an actor it identified as UAC-0188. UAC-0118, also known as FRwL or FromRussiaWithLove, is a Russian state-aligned hacktivist threat actor group that emerged during the Russia-Ukraine war in 2022. They primarily targeted critical infrastructure, media, energy and government entities. FRwL has been previously linked to the use of the Vidar stealer and Somnia ransomware, which they employ as a data wiper rather than for financial gain. While there is no direct evidence linking FRwL to the Russian Main Intelligence Directorate, it is possible that they coordinate activities with state-aligned hacktivist groups.

Possible Defense Against Ongoing Remote Monitoring Campaign

CERT-UA recommends the following:

• Organizations not using SuperOps RMM should verify the absence of network activity associated with the domain names: [.]superops[.]com, [.]superops[.]ai.
• Improve employee cyber hygiene.
• Use and constantly update anti-virus software.
• Regularly update operating systems and software.
• Use strong passwords and change them regularly.
• Back up important data.

Ukrainian Financial Institutions Also on Smokeloader’s Radar

The financially motivated group UAC-0006 has actively launched phishing attacks targeting Ukraine through 2023. CERT-UA reported the resurfacing of UAC-0006 in spring 2024, with hackers attempting to distribute Smokeloader, a common malware in the group’s toolkit. This threat group’s goal has primarily been to steal credentials and execute unauthorized fund transfers, posing a significant risk to financial systems. SmokeLoader is a malicious bot application and trojan that can evade security measures to infect Windows devices. It can then install other malware, steal sensitive data and damage files, among other issues. Throughout 2023, UAC-0006 conducted several phishing campaigns against Ukraine, exploiting financial lures and using ZIP and RAR attachments to distribute Smokeloader CERT-UA last week issued another warning about a significant surge in UAC-0006 activity. Hackers have conducted at least two campaigns to distribute Smokeloader, displaying similar patterns to previous attacks. The latest operations involve emails with ZIP archives containing images that include executable files and Microsoft Access files with macros that execute PowerShell commands to download and run other executable files. After initial access, the attackers download additional malware, including TALESHOT and RMS. The botnet currently consists of several hundred infected computers. CERT-UA anticipates an increase in fraudulent operations involving remote banking systems and thus, strongly recommends enhancing the security of accountants’ automated workstations and ensuring the implementation of necessary policies and protection mechanisms to reduce infection risks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Source: thehackernews.com – Author: . May 24, 2024NewsroomEndpoint Security / Threat Intelligence The MITRE Corporation has revealed that the cyber attack targeting the not-for-profit company towards late December 2023 by exploiting zero-day flaws in Ivanti Connect Secure (ICS) involved the actor creating rogue virtual machines (VMs) within its VMware environment. “The adversary created their own […]

La entrada Hackers Created Rogue VMs to Evade Detection in Recent MITRE Cyber Attack – Source:thehackernews.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: thehackernews.com – Author: . May 24, 2024The Hacker NewsCybersecurity Webinar Don’t be fooled into thinking that cyber threats are only a problem for large organizations. The truth is that cybercriminals are increasingly targeting smaller businesses, and they’re getting smarter every day. Join our FREE webinar “Navigating the SMB Threat Landscape: Key Insights from Huntress’ […]

La entrada How Do Hackers Blend In So Well? Learn Their Tricks in This Expert Webinar – Source:thehackernews.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Inglorious Basta(rds): 16 days on, huge hospital system continues to be paralyzed by ransomware—and patient safety is at risk.

The post Black Basta Ascension Attack Redux — can Patients Die of Ransomware? appeared first on Security Boulevard.

For two weeks at the 140-hospital system, doctors and nurses have had little access to digital records for patient histories, resorting to paper and faxes to treat people.

© Lauren Justice for The New York Times

Будет! Russian ransomware rascals riled a Roman Catholic healthcare organization.

The post FBI/CISA Warning: ‘Black Basta’ Ransomware Gang vs. Ascension Health appeared first on Security Boulevard.

Declining sales and a cyberattack ignite new worries at spring art auctions.

The auctioneer’s website was taken offline on Thursday evening and remained down on Friday, days before its spring auctions were set to begin.

© Dia Dipasupil/Getty Images

Several lawmakers questioned whether the company had become so large — with tentacles in every aspect of the nation’s medical care — that the effects of the hack were outsize.

© Ting Shen for The New York Times

“We will be attacked,” the official responsible for fending off cyberthreats said. To prepare, organizers have been hosting war games and paying “bug bounties” to hackers.

© Pierre-Philippe Marcou/Agence France-Presse — Getty Images

Digital security is about so much more than malware. That wasn’t always the case. 

When I started Malwarebytes more than 16 years ago, malware was the primary security concern—the annoying pop-ups, the fast-spreading viruses, the catastrophic worms—and throughout our company’s history, Malwarebytes routinely excelled against this threat. We caught malware that other vendors missed, and we pioneered malware detection methods beyond the signature-based industry standard.  

I’m proud of our success, but it wasn’t just our technology that got us here. It was our attitude.  

At Malwarebytes, we believe that everyone has the right to a secure digital life, no matter their budget, which is why our malware removal tool was free when it launched and remains free today. Our ad blocking tool, Browser Guard is also available to all without a charge. This was very much not the norm in cybersecurity, but I believe it was—and will always be—the right thing to do.  

Today, I am proud to add to our legacy of empowering individuals regardless of their wallet by releasing a new, free tool that better educates and prepares people for modern threats that abuse exposed data to target online identities. I’d like to welcome everyone to try our new Digital Footprint Portal.  

See your exposed data in our new Digital Footprint Portal.

By simply entering an email address, anyone can discover what information of theirs is available on the dark web to hackers, cybercriminals, and scammers. From our safe portal, everyday people can view past password breaches, active social media profiles, potential leaks of government ID info, and more.  

More than a decade ago, Malwarebytes revolutionized the antivirus industry by prioritizing the security of all individuals. Today, Malwarebytes is now also revolutionizing digital life protection by safeguarding the data that serves as the backbone of your identity, your privacy, your reputation, and your well-being online.  

Why data matters 

I can’t tell you how many times I’ve read that “data is the new oil” without reading any explanations as to why people should care.  

Here’s my attempt at clarifying the matter: Too much of our lives are put online without our control.  

Creating a social media account requires handing over your full name and birthdate. Completing any online shopping order requires detailing your address and credit card number. Getting approved for a mortgage requires the exchange of several documents that reveal your salary and your employer. Buying a plane ticket could necessitate your passport info. Messaging your doctor could involve sending a few photos that you’d like to keep private.  

As we know, a lot of this data is valuable to advertisers—this is what pundits focus on when they invoke the value of “oil” in discussing modern data collection—but this data is also valuable to an entirely separate group that has learned to abuse private information in novel and frightening ways: Cybercriminals.  

Long ago, cybercriminals would steal your username and password by fooling you with an urgently worded phishing email. Today, while this tactic is still being used, there’s a much easier path to data theft. Cybercriminals can simply buy your information on the dark web.  

That information can include credit card numbers—where the risk of financial fraud is obvious—and even more regulated forms of identity, like Social Security Numbers and passport info. Equipped with enough forms of “proof,” online thieves can fool a bank into routing your money elsewhere or trick a lender into opening a new line of credit in your name.  

Where the risk truly lies, however, is in fraudulent account access.  

If you’ve ever been involved in a company’s data breach (which is extremely likely), there’s a chance that the username and password that were associated with that data breach can be bought on the dark web for just pennies. Even though each data breach involves just one username and password for each account, cybercriminals know that many people frequently reuse passwords across multiple accounts. After illegally purchasing your login credentials that were exposed in one data breach, thieves will use those same credentials to try to log into more popular, sensitive online accounts, like your online banking, your email, and your social media.  

If any of these attempts at digital safe-cracking works, the potential for harm is enormous.  

With just your email login and password, cybercriminals can ransack photos that are stored in an associated cloud drive and use those for extortion. They can search for attachments that reveal credit card numbers, passport info, and ID cards and then use that information to fool a bank into letting them access your funds. They can pose as you in bogus emails and make fraudulent requests for money from your family and friends. They can even change your password and lock you out forever. 

This is the future of personal cybercrime, and as a company committed to stopping cyberthreats everywhere, we understand that we have a role to play in protecting people.  

We will always stop malware. We will always advise to create and use unique passwords and multifactor authentication. But today, we’re expanding our responsibility and helping you truly see the modern threats that could leverage your data.  

With the Digital Footprint Portal, who you are online is finally visible to you—not just cybercriminals. Use it today to understand where your data has been leaked, what passwords have been exposed, and how you can protect yourself online.  

Digitally safe 

Malwarebytes and the cybersecurity industry at large could not have predicted today’s most pressing threats against online identities and reputations, but that doesn’t mean we get to ignore them. The truth is that Malwarebytes was founded with a belief broader than anti-malware protection. Malwarebytes was founded to keep people safe.  

As cybercriminals change their tactics, as scammers needle their way onto online platforms, and as thieves steal and abuse the sensitive data that everyone places online, Malwarebytes will always stay one step ahead. The future isn’t about worms, viruses, Trojans, scams, pig butchering, or any other single scam. It’s about holistic digital life protection. We’re excited to help you get there.