LATEST THREAT INTELLIGENCE.
Astrill VPN: New IPs Publicly Released on VPN Service Heavily Used by North Korean Threat Actors
Description: North Korean threat actors, particularly from the Lazarus Group, continue to utilize Astrill VPN to conceal their IP addresses during attacks. Recent infrastructure and logs from the 'Contagious Interview' subgroup confirmed ongoing use of Astrill VPN in their operations. Google's Mandiant and Recorded Future's Insikt Group have also reported on DPRK threat actors' preference for this VPN service. Silent Push analysts have developed a 'Bulk Data Feed' of Astrill VPN IPs, updated in real-time, to help protect against threats. The research includes confirmation of Astrill VPN usage in recent attacks, including the $1.4 billion ByBit heist. A sample list of active Astrill VPN IP addresses is provided, with more comprehensive data available to enterprise users.
Created at: 2025-03-01T18:36:14.364000
Updated at: 2025-04-02T00:04:46.454000
Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream
Description: In January 2025, a Managed Service Provider administrator was targeted by a sophisticated phishing attack impersonating a ScreenConnect authentication alert. The attackers, affiliated with Qilin ransomware and tracked as STAC4365, used an adversary-in-the-middle technique to bypass multi-factor authentication and gain access to the MSP's ScreenConnect environment. They deployed their own ScreenConnect instance across multiple customer networks, performed reconnaissance, collected and exfiltrated data, and ultimately deployed Qilin ransomware. This attack matches a pattern of similar incidents dating back to 2022, utilizing fake ScreenConnect domains and the evilginx framework to intercept credentials and session cookies. The attackers employed various tools for lateral movement and defense evasion, including PsExec, NetExec, and WinRM.
Created at: 2025-04-01T15:24:41.705000
Updated at: 2025-04-01T17:39:42.954000
The Shelby Strategy
Description: The SHELBY malware family exploits GitHub for command-and-control operations, employing sophisticated techniques to evade detection. The malware consists of a loader (SHELBYLOADER) and a backdoor (SHELBYC2), both obfuscated using Obfuscar. SHELBYLOADER employs various sandbox detection methods and uses GitHub for initial registration and key retrieval. SHELBYC2 communicates with the attacker's infrastructure using GitHub API, allowing for file uploads, downloads, and command execution. The campaign targets Iraqi telecommunications and potentially UAE airports, utilizing highly targeted phishing emails. Despite its sophistication, the malware's design has a critical flaw: anyone with the embedded Personal Access Token can control infected machines, exposing a significant security vulnerability.
Created at: 2025-04-01T14:48:12.579000
Updated at: 2025-04-01T17:35:06.404000
Delivering Trojans Via ClickFix Captcha
Description: A new social engineering technique exploiting ClickFix Captcha has emerged as an effective method for delivering various types of malware, including Quakbot. This technique deceives users and bypasses security measures by utilizing a seemingly harmless captcha. The process involves redirecting users to a ClickFix captcha that tricks them into executing a malicious command on their local machine. The command downloads and executes obfuscated PowerShell scripts, which then retrieve and deploy the actual malware payload. The attackers use sophisticated obfuscation techniques, including fake ZIP files and PHP-based droppers, to evade detection and analysis. This method's success lies in exploiting user trust in captchas and legitimate-looking websites, increasing the likelihood of unknowing malware execution.
Created at: 2025-04-01T14:48:06.639000
Updated at: 2025-04-01T17:22:40.685000
TsarBot Trojan Hits 750+ Banking & Crypto Apps!
Description: A newly discovered Android banking Trojan, TsarBot, targets over 750 applications globally, including banking, finance, cryptocurrency, and e-commerce apps. It spreads through phishing sites masquerading as legitimate financial platforms and is installed via a dropper disguised as Google Play Services. TsarBot employs overlay attacks to steal credentials, records and remotely controls screens, and uses a fake lock screen to capture device lock credentials. It communicates with its C&C server using WebSocket across multiple ports to receive commands, send stolen data, and execute on-device fraud. The malware's capabilities include screen recording, keylogging, and SMS interception. Evidence suggests the threat actor behind TsarBot is likely of Russian origin.
Created at: 2025-04-01T14:48:05.908000
Updated at: 2025-04-01T17:20:18.808000
SVG Phishing Malware Being Distributed with Analysis Obstruction Feature
Description: A sophisticated phishing malware using Scalable Vector Graphics (SVG) format has been identified. The malware embeds malicious scripts within SVG files, using Base64 encoding to bypass detection. It employs various techniques to obstruct analysis, including blocking automation tools, preventing specific keyboard shortcuts, disabling right-clicks, and detecting debugging attempts. The malware redirects users to a fake CAPTCHA page, which, when interacted with, leads to further malicious actions, potentially a phishing site impersonating Microsoft login pages. This evolving threat highlights the need for increased user vigilance, especially when dealing with SVG files from unknown sources.
Created at: 2025-04-01T14:48:03.321000
Updated at: 2025-04-01T17:11:22.931000
Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques
Description: Konni RAT, a sophisticated remote access Trojan targeting Windows systems, employs a multi-stage attack process using batch files, PowerShell scripts, and VBScript. It exploits Windows Explorer limitations, obfuscates file paths, dynamically generates URLs, and uses temporary files to erase activity traces. The malware efficiently exfiltrates critical data to remote servers and maintains persistence through registry modifications. Key tactics include exploiting file extension hiding, the 260-character limit in LNK files, and complex variables for detection evasion. Konni RAT's modular design and advanced strategies present substantial risks to system security, highlighting the need for robust cybersecurity measures and proactive defense strategies.
Created at: 2025-04-01T14:48:02.435000
Updated at: 2025-04-01T17:09:45.760000
Remcos RAT Malware Disguised as Major Carrier's Waybill
Description: A sophisticated malware campaign has been discovered, utilizing the Remcos RAT disguised as a shipping company waybill. The attack begins with an email containing an HTML script, which when executed, downloads a JavaScript file. This file creates and downloads several components, including a configuration file, an encoded Remcos binary, a legitimate AutoIt loader, and a malicious AutoIt script. The AutoIt script employs evasion techniques, establishes persistence, decrypts the Remcos binary, and executes shellcode. The shellcode injects Remcos into a legitimate process (RegSvcs.exe) using various API calls. The Remcos RAT, once active, can steal information and execute remote commands based on C2 instructions. The campaign demonstrates the evolving tactics of cybercriminals, emphasizing the need for caution when handling emails from unknown sources.
Created at: 2025-04-01T14:47:59.708000
Updated at: 2025-04-01T17:05:12.804000
Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon
Description: Since late 2024, attackers have employed new tactics in phishing documents containing QR codes. These include concealing final phishing destinations using legitimate websites' redirection mechanisms and adopting Cloudflare Turnstile for user verification. Some phishing sites specifically target credentials of particular victims. QR code phishing, or quishing, embeds phishing URLs into QR codes, enticing recipients to scan them with smartphones. This bypasses traditional security measures and targets personal devices. Attackers use URL redirection, exploit open redirects, and incorporate human verification within redirects to evade detection. The phishing operations typically involve redirection, human verification, and credential harvesting. These evolving tactics challenge both security detection mechanisms and user awareness.
Created at: 2025-04-01T15:36:08.886000
Updated at: 2025-04-01T15:50:17.396000
From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic
Description: Lazarus, a North Korean state-sponsored threat actor, has launched a new campaign called ClickFake Interview targeting cryptocurrency job seekers. This campaign, an evolution of the previously documented Contagious Interview, uses fake job interview websites to deploy the GolangGhost backdoor on Windows and macOS systems. The infection chain leverages the ClickFix tactic, downloading and executing malicious payloads during the interview process. The campaign primarily targets centralized finance (CeFi) entities, aligning with Lazarus' focus on cryptocurrency-related targets. Notable changes include targeting non-technical roles and using ReactJS-based websites for the fake interviews. The malware provides remote control and data theft capabilities, including browser information exfiltration.
Created at: 2025-04-01T14:59:29.783000
Updated at: 2025-04-01T15:08:34.862000
