LATEST THREAT INTELLIGENCE.

Threat Bulletin: Weaponized Software Targets Chinese-Speaking Organizations

Description: A series of attacks targeting Chinese-speaking regions has been identified, utilizing a multi-stage loader named PNGPlug to deliver the ValleyRAT payload. The attack begins with a phishing webpage encouraging victims to download a malicious MSI package disguised as legitimate software. The installer deploys a benign application and extracts an encrypted archive containing the malware components. The PNGPlug loader sets up the environment for malware execution, including patching ntdll.dll and injecting payloads extracted from PNG files. ValleyRAT, attributed to the Silver Fox APT, employs advanced techniques such as shellcode execution, obfuscation, and persistence mechanisms. The campaign stands out for its focus on Chinese-speaking victims across China, Hong Kong, and Taiwan, treating these regions as a unified target despite their political differences.

Created at: 2025-01-20T11:09:40.818000

Updated at: 2025-01-20T11:17:19.183000

MintsLoader: StealC and BOINC Delivery

Description: The eSentire Threat Response Unit identified a campaign involving MintsLoader, a PowerShell-based malware loader, delivering payloads such as StealC and the BOINC client. MintsLoader uses a Domain Generation Algorithm and anti-VM techniques to evade detection. The infection process begins with a spam email link that downloads a JScript file, which then executes PowerShell commands to retrieve and execute the subsequent malware stages. StealC, an information stealer, is delivered as the final payload, targeting sensitive data from browsers, applications, and crypto-wallets. The campaign affected organizations in the US and Europe, primarily in the Electricity, Oil & Gas, and Legal Services industries.

Created at: 2025-01-20T11:09:04.825000

Updated at: 2025-01-20T11:14:34.344000

The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads

Description: Cybercriminals are targeting Google Ads advertisers through phishing campaigns, impersonating Google Ads via fraudulent ads. The scheme involves stealing advertiser accounts by redirecting victims to fake login pages, with the goal of reselling these accounts on blackhat forums. The operation uses compromised accounts to perpetuate the campaign, affecting thousands of Google customers worldwide. Victims include individuals and businesses looking to advertise on Google Search. The attacks involve sophisticated techniques, including the use of Google Sites for impersonation and phishing kits to collect user data. Two main groups have been identified: one based in Brazil and another in Asia, possibly China. The stolen accounts are valuable for further malvertising campaigns, scams, and malware distribution.

Created at: 2025-01-20T11:08:33.187000

Updated at: 2025-01-20T11:09:30.926000

IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024

Description: An IoT botnet has been orchestrating large-scale DDoS attacks globally since late 2024, targeting companies in Japan and other countries. The botnet, comprising Mirai and Bashlite variants, infects IoT devices by exploiting vulnerabilities and weak credentials. It supports various DDoS attack methods, can update its malware, and can enable proxy services. Attack targets are geographically dispersed, with a focus on North America and Europe. The primary infected devices are wireless routers and IP cameras from well-known brands. The botnet's infection process includes downloading and executing malware payloads that connect to C&C servers for attack commands. Different command usage patterns were observed between domestic and international targets, impacting various industry sectors.

Created at: 2025-01-17T18:13:49.299000

Updated at: 2025-01-20T10:48:48.395000

Threat Research Report: Malicious Domain Activity During the Los Angeles Wildfires

Description: During the 2025 Los Angeles wildfires, cybercriminals exploited the disaster through various phishing campaigns. Analysis of 119 domains registered between January 8 and 13, 2025, revealed themes targeting emergency assistance, legal services, and reconstruction efforts. GoDaddy was the most used registrar, and .com the prevalent TLD. Fraudulent GoFundMe campaigns, fake merchandise stores, and wildfire-themed cryptocurrencies were identified. The scams aimed to cause financial losses, harvest personal information, and spread misinformation. Compared to the Hurricane Helene scams, the wildfire scams were more reactive and locally focused. Mitigation strategies include stringent rules for fundraising platforms, continuous monitoring for fake websites, and caution against unverified cryptocurrencies.

Created at: 2025-01-17T18:13:51.043000

Updated at: 2025-01-20T09:28:57.495000

Mid-year Doppelganger information operations in Europe and the US

Description: This investigation delves into information operations conducted by the Russian actors known as Doppelgänger, focusing on their activities from early June to late July 2024. It examines their tactics, associated infrastructure, and motivations, particularly in relation to the unexpected snap general election in France during this period. The analysis reveals a persistent and complex effort to disseminate disinformation through social media, impersonating legitimate news websites and employing intricate redirection chains. The operations primarily target conservative and nationalist sentiments, aiming to destabilize Western democracies by exploiting existing societal and political divisions.

Created at: 2024-07-30T14:44:01.273000

Updated at: 2025-01-20T07:15:10.596000

Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack

Description: Two npm packages, @rspack/core and @rspack/cli, were compromised in a supply chain attack, allowing the publication of malicious versions containing cryptocurrency mining malware. The attack targeted specific countries and aimed to execute the XMRig cryptocurrency miner on Linux hosts. The malicious versions have been unpublished, and version 1.1.8 is now considered safe. The incident highlights the need for stricter safeguards in package managers to protect developers. The Rspack project maintainers have taken steps to secure their infrastructure, including invalidating tokens and auditing source code. An investigation into the root cause of the token theft is ongoing.

Created at: 2024-12-20T15:25:35.779000

Updated at: 2025-01-19T15:00:16.594000

Araneida Scanner: Cracked Acunetix Web App & API Scanner Discovered

Description: Silent Push Threat Analysts have uncovered the Araneida Scanner, a cracked version of Acunetix being used for illegal purposes. The scanner is employed for offensive reconnaissance, user data scraping, and vulnerability exploitation. It was detected during a partner's reconnaissance effort, prompting an investigation. The tool is being promoted on Telegram, where actors boast about taking over thousands of websites and selling stolen credentials. A separate Chinese-language panel, also likely using cracked Acunetix software, was discovered. Both tools pose significant threats for reconnaissance prior to sophisticated attacks. The investigation revealed multiple IP addresses hosting Araneida customer panels and the continued sale of the scanner through a specific domain.

Created at: 2024-12-20T08:49:35.421000

Updated at: 2025-01-19T08:00:44.082000

Attackers exploiting a FortiClient EMS vulnerability in the wild

Description: Kaspersky's GERT team identified an attack exploiting a patched vulnerability (CVE-2023-48788) in FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. The attackers used SQL injection to infiltrate a company's network through an exposed Windows server. They deployed remote access tools like ScreenConnect and AnyDesk, performed network enumeration, credential theft, and defense evasion. The vulnerability allows unauthorized code execution via specially crafted data packets. Multiple threat actors have been observed exploiting this vulnerability globally, targeting various companies and consistently altering ScreenConnect subdomains. The analysis highlights the importance of timely patching and implementing additional security controls to prevent such attacks.

Created at: 2024-12-19T14:41:34.868000

Updated at: 2025-01-18T14:01:17.715000

Security Brief: Threat Actors Gift Holiday Lures to Threat Landscape

Description: As the holiday season approaches, threat actors are exploiting people's desires for deals, jobs, and end-of-year bonuses. Researchers have observed an increase in themed content delivering malware, fraud, and credential phishing campaigns. Examples include a 'Winter Holiday Promotion' campaign delivering Remcos RAT, credential phishing campaigns impersonating HR departments to steal login information, and employment fraud schemes targeting universities. These attacks use timely lures such as holiday promotions, bonus announcements, and seasonal job offers to manipulate victims into risky online behaviors. The campaigns employ various techniques, including compressed executables, QR codes, and specially crafted OOXML files to bypass detection and harvest user credentials.

Created at: 2024-12-19T14:41:32.820000

Updated at: 2025-01-18T14:01:17.715000