Weekly Threat Landscape Digest – Week 51

HawkEye XDR and MDR

In the rapidly evolving cybersecurity landscape, staying informed about recent vulnerabilities, threats, and advisories is critical. This week’s digest covers high-severity updates, including critical vulnerabilities in widely used platforms and active exploitation campaigns.

Security Updates

Google Chrome: Critical Security Update

Google has patched several vulnerabilities in its Chrome browser, addressing issues that could lead to arbitrary code execution, data theft, and system compromise.

Key Vulnerabilities:

  • CVE-2024-12692: Type Confusion in V8
  • CVE-2024-12693: Out-of-bounds memory access in V8
  • CVE-2024-12694: Use after free in Compositing
  • CVE-2024-12695: Out-of-bounds write in V8

Affected Versions:

  • Windows/Mac: Up to 131.0.6778.204/.205
  • Linux: Up to 131.0.6778.204
  • Android: Up to 131.0.6778.200

Mitigation:

  • Update Chrome to version 131.0.6778.204/.205 or later.

Reference

Fortinet: Multiple Vulnerabilities

Fortinet identified and patched vulnerabilities in FortiManager and FortiWLM that could allow attackers to access sensitive files or execute unauthorized commands.

Key Vulnerabilities:

  • CVE-2023-34990: Path traversal in FortiWLM (CVSS: 9.6)
  • CVE-2024-48889: OS command injection in FortiManager (CVSS: 7.2)

Affected Versions:

  • FortiWLM: Versions 8.6.0–8.6.5, 8.5.0–8.5.4
  • FortiManager: Versions spanning 6.4 to 7.6

Mitigation:

  • Apply patches immediately to supported versions.

Reference

Curl: Credential Exposure Vulnerability

A critical flaw in the curl tool could expose user credentials under specific configurations involving .netrc files and HTTP redirects.

Key Vulnerability:

  • CVE-2024-11053: Credential exposure due to improper handling of .netrc (CVSS: 9.1)

Affected Versions:

  • Curl versions 6.5 to 8.11.0

Mitigation:

  • Update curl to version 8.11.1 or later.

Reference

Apache Tomcat: Remote Code Execution (RCE) Vulnerability

A critical RCE vulnerability in Apache Tomcat affects case-insensitive file systems under specific configurations.

Key Vulnerability:

  • CVE-2024-50379: Exploits write-enabled default servlet in high-load scenarios (CVSS: 9.8)

Affected Versions:

  • Apache Tomcat 11.0.0-M1 to 11.0.1
  • Apache Tomcat 10.1.0-M1 to 10.1.33
  • Apache Tomcat 9.0.0.M1 to 9.0.97

Mitigation:

  • Upgrade to the latest fixed versions: 11.0.2, 10.1.34, or 9.0.98.

Reference
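As an added example (not from the digest or the Apache project), a small checker that tests an inventory of Tomcat version strings against the affected ranges listed above. Milestone builds such as 11.0.0-M1 and 9.0.0.M1 are parsed so they sort before the GA release of the same number; the hostnames and versions in the sample inventory are constructed.

```python
"""Check Tomcat versions against the CVE-2024-50379 ranges listed in the digest."""
import re

# Inclusive affected ranges and fixed releases, exactly as the digest states them.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.1"),
    ("10.1.0-M1", "10.1.33"),
    ("9.0.0.M1", "9.0.97"),
]
FIXED_BY_MAJOR = {11: "11.0.2", 10: "10.1.34", 9: "9.0.98"}

# Tomcat writes milestones as "11.0.0-M1" (newer) or "9.0.0.M1" (older branches).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_version(text):
    """Return a sortable tuple; a milestone sorts before the GA build it precedes.

    11.0.0-M1 -> (11, 0, 0, 0, 1)   11.0.0 -> (11, 0, 0, 1, 0)
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True when the version falls inside one of the digest's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def check_inventory(inventory):
    """Map host -> required fixed version for every host still on an affected build."""
    needs_patch = {}
    for host, version in inventory.items():
        if is_affected(version):
            needs_patch[host] = FIXED_BY_MAJOR[parse_version(version)[0]]
    return needs_patch


if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    sample = {"web01": "9.0.97", "web02": "9.0.98", "web03": "10.1.0-M5",
              "web04": "11.0.2", "web05": "11.0.0-M1"}
    for host, fixed in check_inventory(sample).items():
        print(f"{host}: affected, upgrade to {fixed}")
```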

Windows Kernel Exploit in the Wild

A Windows kernel vulnerability (CVE-2024-35250) has been actively exploited, enabling SYSTEM-level privilege escalation.

Key Vulnerability:

  • CVE-2024-35250: Pointer dereference flaw in MSKSSRV.SYS

Affected Versions:

  • Windows 11 and other supported versions

Mitigation:

  • Apply the June 2024 patch and monitor systems for suspicious activity.

Reference

Cleo File Transfer Solutions Under Attack

Attackers are exploiting a critical RCE vulnerability in Cleo Harmony, VLTrader, and LexiCom through unauthorized file uploads.

Key Vulnerability:

  • CVE-2024-50623: Unrestricted file upload flaw (CVSS: 8.8)

Indicators of Compromise (IoCs):

- IP Addresses:

  • 89.248.172[.]139
  • 176.123.10[.]115
  • 185.162.128[.]133
  • 192.119.99[.]42

- Post-Exploitation Behavior:

  • Execution of enumeration commands (e.g., systeminfo, whoami)
  • Installation of backdoors
  • OverPass-The-Hash attacks using NTLM hashes

Mitigation:

  • Update Cleo products to version 5.8.0.24 or higher.
  • Investigate using IoCs and isolate affected systems.

Reference
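To act on the "investigate using IoCs" recommendation, here is an added example (not from the digest or from Cleo) that sweeps constructed network and process-creation log lines for the four listed IP addresses and for the enumeration commands named above. It assumes the Cleo products run on the JVM, so an enumeration tool spawned directly by java.exe is treated as the suspicious shape; the log line format is also an assumption made up for this example.

```python
"""IoC sweep for the Cleo campaign described in the digest (added example)."""
import re

# The four IP addresses listed in the digest, kept defanged exactly as printed.
CLEO_IPS_DEFANGED = [
    "89.248.172[.]139",
    "176.123.10[.]115",
    "185.162.128[.]133",
    "192.119.99[.]42",
]
# Enumeration commands the digest names as post-exploitation behaviour.
ENUM_COMMANDS = {"systeminfo", "whoami"}
# Assumption for this example: Cleo Harmony/VLTrader/LexiCom run on the JVM, so an
# enumeration tool whose parent is java.exe is the shape worth alerting on.
SUSPICIOUS_PARENTS = {"java.exe", "javaw.exe"}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Constructed process-event format: "<time> host=<h> parent=<image> cmd=<command line>"
PROC_RE = re.compile(r"host=(\S+) parent=(\S+) cmd=(.+)$")


def refang(indicator):
    """Turn the digest's '1.2.3[.]4' notation back into a matchable address."""
    return indicator.replace("[.]", ".")


def scan_network(lines):
    """Return (ip, line) pairs for every line that contains a listed IP."""
    watch = {refang(i) for i in CLEO_IPS_DEFANGED}
    return [(ip, line) for line in lines for ip in IP_RE.findall(line) if ip in watch]


def scan_processes(lines):
    """Return (host, command) pairs where a JVM parent spawned an enumeration command."""
    hits = []
    for line in lines:
        m = PROC_RE.search(line)
        if not m:
            continue
        host, parent, cmd = m.groups()
        exe = cmd.split()[0].lower().removesuffix(".exe")
        if parent.lower() in SUSPICIOUS_PARENTS and exe in ENUM_COMMANDS:
            hits.append((host, cmd))
    return hits


if __name__ == "__main__":
    # Constructed sample lines, not real telemetry.
    fw = ["2024-12-10T09:01:02Z fw allow 10.0.0.5 -> 176.123.10.115:443",
          "2024-12-10T09:01:03Z fw allow 10.0.0.5 -> 93.184.216.34:443"]
    procs = ["2024-12-10T09:02:00Z host=mft01 parent=java.exe cmd=whoami /all",
             "2024-12-10T09:02:01Z host=mft01 parent=explorer.exe cmd=whoami"]
    print(scan_network(fw))
    print(scan_processes(procs))
```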

Critical Vulnerability in BeyondTrust Products (CVE-2024-12356)

A critical unauthenticated command injection vulnerability in BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) products could allow attackers to execute arbitrary commands on the operating system.

Severity: CVSS 9.8 (Critical)
Affected Versions: PRA & RS 24.3.1 and earlier
Fixed Versions:

  • PRA: Apply patch BT24-10-ONPREM1 or BT24-10-ONPREM2
  • RS: Apply patch BT24-10-ONPREM1 or BT24-10-ONPREM2

Mitigation:

  • Upgrade to fixed versions immediately.
  • Monitor systems for unusual activity and audit configurations.

Reference

Advanced Threat Campaigns

DarkGate Malware Delivered via Microsoft Teams Vishing

A sophisticated vishing attack via Microsoft Teams was used to deliver DarkGate malware, exploiting social engineering techniques to compromise a victim’s system.
The attacker impersonated an IT representative during a Teams call, convincing the victim to install AnyDesk. This allowed remote access, facilitating the deployment of DarkGate, which utilized AutoIt scripts for system discovery, command-and-control (C&C) connections, and potential data exfiltration.

  • Execution: AutoIt script (script.a3x) decrypted itself in memory, injecting into legitimate processes like MicrosoftEdgeUpdateCore.exe.

Indicators of Compromise (IoCs)


Reference: https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html 

Hackers Use Google Ads to Target Graphic Design Professionals 

A threat actor has been exploiting Google Ads to distribute malware through deceptive advertisements, specifically targeting graphic design and CAD professionals. The campaigns redirect users to malicious websites that deliver harmful payloads.

Campaign Infrastructure:

  • IP Addresses:
    • 185.11.61[.]243 (active since July 29, 2024, hosting 109 domains)
    • 185.147.124[.]110 (active since November 25, 2024, hosting 85 domains)
  • Domains Used:
    • frecadsolutions[.]com
    • freecad-solutions[.]net
    • onshape3d[.]org
    • frecad3dmodeling[.]org

Timeline:

  • November 13, 2024: Campaigns began with frecadsolutions[.]com.
  • November 26, 2024: Malicious domains migrated to a second IP address, 185.147.124[.]110.
  • December 10, 2024: Campaign launched using frecad3dmodeling[.]org.

Delivery Method: Ads redirect users to malicious sites that exploit vulnerabilities in web browsers and ad networks.

Indicators of Compromise (IoCs):

  • 185.11.61[.]243: frecadsolutions[.]com, rhino3dsolutions[.]io
  • 185.147.124[.]110: freecad-solutions[.]net, onshape3d[.]org

Reference: https://gbhackers.com/hackers-abuse-google-ads/ 

New Glutton Malware Targets Popular PHP Frameworks

Cybersecurity researchers have identified a new PHP-based malware called Glutton, targeting systems in China, the U.S., Cambodia, Pakistan, and South Africa. Linked with moderate confidence to the Chinese APT group Winnti (APT41), Glutton leverages vulnerabilities in PHP frameworks such as Laravel, ThinkPHP, Baota (BT), and Yii to deploy backdoors and execute malicious payloads.

Modular Framework: Infects PHP files, deploys backdoors, and fetches additional payloads via the task_loader module.

Stealthy Techniques:

  • Executes entirely within PHP or PHP-FPM processes, leaving no file-based artifacts.
  • Employs HackBrowserData to exfiltrate sensitive information.

Capabilities:

  • Supports 22 commands for C2 switching, file manipulation, shell execution, and arbitrary PHP code execution.

Persistence Mechanisms:

  • Modifies system files (e.g., /etc/init.d/network).
  • Uses ELF-based backdoors disguised as FastCGI Process Manager (/lib/php-fpm).

Mitigation Recommendations:

  • Update PHP Frameworks: Patch vulnerabilities in PHP-based applications regularly.
  • Monitor Network Traffic: Detect unusual C2 connections (e.g., TCP/UDP switching).
  • Secure Systems: Implement robust endpoint and server monitoring to detect unauthorized modifications (e.g., /etc/init.d/network).
  • Restrict Access: Limit access to critical files and deploy web application firewalls (WAFs) to block exploitation attempts.

Reference: https://thehackernews.com/2024/12/new-glutton-malware-exploits-popular.html

Investment Scam Uses AI and Social Media to Deceive Victims Globally

Cybercriminals are running an advanced investment scam called Nomani, which combines AI-generated testimonials, malvertising on social media, and phishing websites to steal victims’ personal information and money. Targeting victims worldwide, the scam exploits trust through fake endorsements and fraudulent cryptocurrency platforms.

Malvertising Channels:

  • Fraudulent ads on social media platforms like Facebook, Messenger, and Threads.
  • Fake profiles impersonating small businesses, government entities, and influencers.
  • Deceptively positive reviews on Google.

Phishing Techniques:

  • Fake websites imitating local news outlets or reputable organizations.
  • Use of branding from Europol, INTERPOL, or fake cryptocurrency solutions (e.g., Bitcoin Trader, Quantum Bumex).

Scam Tactics:

  • Data harvested via phishing is used for direct manipulation via phone calls.
  • Victims are tricked into making investments, taking loans, or installing remote access tools.
  • Fraudsters demand additional fees and sensitive details, disappearing with the victims’ money and data.

Mitigation Recommendations:

  • Verify Sources: Avoid engaging with unsolicited investment offers or clicking on suspicious ads.
  • Strengthen Authentication: Use robust verification methods for financial transactions.
  • Educate Employees and Users: Train individuals to spot phishing and malvertising tactics.
  • Report Scams: Share incidents with local cybersecurity authorities or platforms to disrupt malicious activity.

Reference: https://thehackernews.com/2024/12/new-investment-scam-leverages-ai-social.html 

390,000 WordPress Credentials Compromised in Sophisticated Supply Chain Attack

A year-long supply chain attack, dubbed MUT-1244, compromised 390,000 WordPress credentials by leveraging phishing campaigns and trojanized GitHub repositories. This operation targeted security researchers, pentesters, and developers, delivering second-stage payloads to steal sensitive information and deploy cryptocurrency miners.

Attack Vectors:

  • Trojanized GitHub Repositories: Fake proof-of-concept (PoC) exploits tricked victims into installing malicious payloads.
  • Phishing Campaign: Victims were duped into downloading fake kernel updates.

Impact:

  • Exfiltration of sensitive data, including SSH private keys and AWS access keys.
  • Compromised dependencies in enterprise codebases via malicious password-checker functions.
  • Credential theft from 390,000 WordPress sites.

Targets:

  • Academic researchers, red teamers, pentesters, and even malicious threat actors using stolen credentials.

Mitigation Recommendations:

  • Verify Dependencies: Use advanced security tools to scan code dependencies for hidden threats.
  • Monitor Repositories: Validate the legitimacy of repositories and PoCs before integrating them.
  • Strengthen Security Pipelines: Deploy automated security scanning solutions to identify suspicious behaviors in code libraries.
  • Educate Teams: Train employees on phishing tactics and the risks of downloading code from untrusted sources.

Reference: https://www.scworld.com/news/390000-wordpress-credentials-compromised-via-phishing-github-repos 

Malicious Ads Distribute Lumma Stealer via Fake CAPTCHA Pages

A large-scale malvertising campaign, dubbed DeceptionAds, is pushing the Lumma Stealer info-stealing malware by tricking users into executing malicious PowerShell commands. The operation leverages the Monetag ad network, serving fake CAPTCHA pages across over 3,000 websites.

Infection Chain:

  • Ads redirect users to fake CAPTCHA pages via the BeMob cloaking service.
  • CAPTCHA pages silently copy malicious PowerShell commands to the clipboard.
  • Users are instructed to execute the command, downloading Lumma Stealer.

Capabilities of Lumma Stealer:

  • Steals credentials, cookies, credit cards, and browser data.
  • Targets cryptocurrency wallets and sensitive text files (seed.txt, wallet.txt, etc.).
  • Sends stolen data to the attacker for exploitation or resale.

Scope of Campaign:

  • 1 million ad impressions daily via Monetag ad network.
  • Initial campaign disrupted by Monetag and BeMob in December 2024 but resurfaced on December 11.

Mitigation Recommendations:

  • Avoid Suspicious Commands: Never execute commands from websites, especially CAPTCHA solutions.
  • Use Trusted Platforms: Avoid pirated software or illegal streaming sites prone to malicious ads.
  • Enable Browser Protections: Use ad-blockers and script blockers to prevent malvertising.
  • Monitor Systems: Regularly audit devices for unauthorized scripts or data exfiltration.

Reference: https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-infostealer-via-fake-captcha-pages/ 

New VIPKeyLogger Delivered via Weaponized Office Documents

A new info-stealing malware, VIPKeyLogger, is being distributed through phishing campaigns leveraging weaponized Microsoft Office documents. This malware, similar to Snake Keylogger, targets login credentials, financial information, and system data, posing a severe threat to victims.

Delivery Mechanism:

  • Phishing Emails: Attachments disguised as Microsoft 365 files or archives.
  • Malicious Documents: RTF files exploiting CVE-2017-11882 to download malicious executables via embedded URLs.

Execution and Capabilities:

  • Obfuscation: Uses steganography to hide malicious code within image files.
  • Data Exfiltration: Collects:
    • System details, clipboard content, screenshots, browsing history, cookies, and email credentials.
    • Keystrokes logged via the embedded keylogger.
  • Command-and-Control (C2):
    • Communicates via Telegram bots.
    • Transmits stolen data to DuckDNS servers for attacker control.

Mitigation Recommendations:

Email Security:

  • Block suspicious attachments and links at the lure stage.
  • Employ advanced filtering to detect malicious RTF or Office files.

Endpoint Protection:

  • Deploy tools to block persistence mechanisms, such as file drops in system folders.
  • Monitor clipboard activity and prevent unauthorized keystroke logging.

Network Monitoring:

  • Detect and block C2 communication with Telegram bots or DuckDNS servers.

Employee Awareness:

  • Train employees to identify phishing attempts and avoid interacting with unsolicited attachments.

Reference: https://gbhackers.com/__trashed-2/ 

Ready to get started?

Contact us to arrange a half day
Managed SOC and XDR workshop in Dubai

© 2024 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.