Thursday, January 4, 2024

Fog of Cyber Warfare: Cloud Atlas Spies Attack Russian Companies Under the guise of Supporting NWO Participants

Cloud Atlas is a pro-government advanced persistent threat (APT) group that specializes in cyber espionage and theft of confidential information. The group has been active since at least 2014 and is known for targeting organizations in Russia, Belarus, Azerbaijan, Turkey, and Slovenia. They have been observed using various tactics and techniques to carry out their attacks, including spear-phishing emails with malicious attachments and exploiting vulnerabilities in popular software.

In a recent campaign, Cloud Atlas targeted a Russian agro-industrial enterprise and a state-owned research company. The hackers sent their victims phishing emails with malicious attachments, carefully crafted to mimic government statements, media articles, business proposals, or advertisements. The attackers used reconnaissance documents to collect the victims' IP addresses and exploited CVE-2017-11882 via RTF template injection to gain initial access to the targets' systems.

Cloud Atlas is known for simple but effective spear-phishing campaigns. The group has not been observed using open-source implants in its recent campaigns, possibly to remain less conspicuous. The group's toolkit has not changed for years, and it continues to refine its attacks to avoid detection.

IoC

    MD5

  • 0957edfec31dd2dd05d484eed90593c7
  • 0a850c27c8ce24c0a6fa5bcf7504dc30
  • 27d49df3e0122152dc9a3f752a099f39
  • 2e950fe4bd76088f89433a6f2146cb67
  • 7bdb049cb0cc3623e4fa1d8e2574f1ce
  • 965d5dc42ee1efdcbc52d061624526c7
  • 9c5a6ede9b0ca906cbc121cc5496b714
  • b0de9d6133d73c32b243cf716a7c614c
  • b1995d8a9df9bd8ce23d38b0ab454580
  • b3de2f04ceb97f8e9164399649433e1e
  • cd8141f094cfb0dae11747ee9dc74a2f
  • ddbc081392ffa41bcb3e7a007edf727b
  • efd493e8ebcd66f9404338532519eb90
  • f611cb1a320a9d3b5df4b70b37b0fd73

    SHA1

  • 07735f3da5f5847e9df43034459e3ead4c1f3f35
  • 151e9e6defac4a67be8916a1e119917b69e053ac
  • 3375772e3bc60614e3e398fd019c8931d2ad83c9
  • 3b2109317985de28d16aef6306ba5a788eb121bf
  • 44a21627eed099a55e5592509e6e3333c5d3d339
  • 53cea3a93a481a710e821d9c3e087fc18fb989f9
  • 6efed9d4e8ae02808bed488566f90a4ecc361546
  • 7329424eba132feebba57e239000331e886b1656
  • 7c8479a818ea21fc228334dfdd55044866a95026
  • 85a24692089d1a8dc6354a88b6f1e08567db6b0d
  • 877f95ee15adb5540d0b50509a14d1cdf89fe3e1
  • a03a699031e956b4fde1ced6309b67853a54602a
  • a176a164e728c929f70ab2ffa44213625ae17172
  • d59f3f2b5132ff23e3fa6d88f1b97b299af38507

REFERENCES

  • https://thehackernews.com/2023/12/cloud-atlas-spear-phishing-attacks.html
  • https://therecord.media/cloud-atlas-targets-russian-orgs-war-phishing
  • https://www.facct.ru/blog/cloud-atlas/
  • https://otx.alienvault.com/pulse/658c94713412afcbac226057

TAGS

Cloud Atlas, apt, phishing, vbs, rtf, maldoc, CVE-2017-11882, HTA

Wednesday, January 3, 2024

Threat Actor 'UAC-0099' Continues to Target Ukraine

The threat actor "UAC-0099" has been targeting Ukraine since mid-2022. This actor has been observed leveraging various tactics and techniques to carry out cyber attacks, including the use of a high-severity WinRAR flaw (CVE-2023-38831) to deliver the LONEPAGE malware. The group targets Ukrainian employees working for companies outside of Ukraine and has been linked to attacks against state organizations and media entities for espionage motives. The attacks involve different infection vectors, such as phishing messages containing HTA, RAR, and LNK file attachments, leading to the deployment of the LONEPAGE malware, a Visual Basic Script (VBS) capable of contacting a command-and-control (C2) server, stealing information, and taking screenshots. The threat actor's activities have been documented by the Computer Emergency Response Team of Ukraine (CERT-UA), and their attacks continue to evolve, demonstrating a high level of sophistication.

IoC

    SHA256

  • 0aa794e54c19dbcd5425405e3678ab9bc98fb7ea787684afb962ee22a1c0ab51
  • 0acd4a9ef18f3fd1ccf440879e768089d4dd2107e1ce19d2a17a59ebed8c7f5d
  • 2a3da413f9f0554148469ea715f2776ab40e86925fb68cc6279ffc00f4f410dd
  • 2c2fa6b9fbb6aa270ba0f49ebb361ebf7d36258e1bdfd825bc2faeb738c487ed
  • 38b49818bb95108187fb4376e9537084062207f91310cdafcb9e4b7aa0d078f9
  • 39d56eab8adfe9eb244914dde42ec7f12f48836d3ba56c479ab21bdbc41025fe
  • 4e8de351db362c519504509df309c7b58b891baf9cb99a3500b92fe0ef772924
  • 53812d7bdaf5e8e5c1b99b4b9f3d8d3d7726d4c6c23a72fb109132d96ca725c2
  • 54458ebfbe56bc932e75d6d0a5c1222286218a8ef26face40f2a0c0ec2517584
  • 61a5b971a6b5f9c2b5e9a860c996569da30369ac67108d4b8a71f58311a6e1f1
  • 659abb39eec218de66e2c1d917b22149ead7b743d3fe968ef840ef22318060fd
  • 6a638569f831990df48669ca81fec37c6da380dbaaa6432d4407985e809810da
  • 6f5f265110490158df91ca8ad429a96f8af69ca30b9e3b0d9c11d4fef74091e8
  • 736c0128402d83cd3694a5f5bb02072d77385c587311274e3229e9b2fd5c5af7
  • 762c7289fb016bbcf976bd104bd8da72e17d6d81121a846cd40480dbdd876378
  • 86549cf9c343d0533ef80be2f080a7e3c38c77a1dfbde0a2f89048127979ec2a
  • 87291b918218e01cac58ea55472d809d8cdd79266c372aebe9ee593c0f4e3b77
  • 8aca535047a3a38a57f80a64d9282ace7a33c54336cd08662409352c23507602
  • 96ab977f8763762af26bad2b6c501185b25916775b4ed2d18ad66b4c38bd5f0d
  • 986694cad425c8f566e4e12c104811d4e8b30ce6c4c4d38f919b617b1aa66b05
  • a10209c10bf373ed682a13dad4ff3aea95f0fdcd48b62168c6441a1c9f06be37
  • d21aa84542303ca70b59b53e9de9f092f9001f409158a9d46a5e8ce82ab60fb6
  • e34fc4910458e9378ea357baf045e9c0c21515a0b8818a5b36daceb2af464ea0
  • f5f269cf469bf9c9703fe0903cda100acbb4b3e13dbfef6b6ee87a907e5fcd1b
  • f75f1d4c561fcb013e262b3667982759f215ba7e714c43474755b72ed7f9d01e

    IPv4

  • 147.78.46.40
  • 196.196.156.2
  • 2.59.222.98

REFERENCES

  • https://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine
  • https://otx.alienvault.com/pulse/658c7d1e6e6bd875e46d467e

TAGS

powershell, uac0099, winrar, docx, ukraine, vbs, phishing, CVE-2023-38831

Analysis of Kimsuky Group's AppleSeed Malware Attack Trends

The Kimsuky Group, a North Korea-based cyber-attack group, has been known to use AppleSeed malware in its attacks since 2022. The group constantly launches spear-phishing attacks against South Korean users and has been observed using various methods to distribute malware, including JavaScript, Excel macro malware, and shortcut-type malware in LNK file format. The group has also been known to use Meterpreter and TinyNuke malware to seize control of compromised machines.

AppleSeed is a backdoor that can receive instructions from an actor-controlled server, drop additional payloads, and exfiltrate sensitive data such as files, keystrokes, and screenshots. A variant of AppleSeed named AlphaSeed, which was developed in Golang and uses chromedp for communications with the command-and-control server, has also been observed in use. The group typically uses RDP to control the infected systems, but they have also been observed installing Chrome Remote Desktop in recent cases.

The Kimsuky Group's attacks aim to steal internal information and technology from organizations. While the group typically uses spear-phishing for initial access, most of its recent attacks involve shortcut-type malware in LNK file format. Although LNK malware comprises a large share of recent attacks, cases using JavaScript or malicious documents are also being detected.

IoC

    IPv4

  • 104.168.145.83
  • 159.100.6.137

    MD5

  • 02843206001cd952472abf5ae2b981b2
  • 0cce02d2d835a996ad5dfc0406b44b01
  • 153383634ee35b7db6ab59cde68bf526
  • 1f7d2cbfc75d6eb2c4f2b8b7a3eec1bf
  • 232046aff635f1a5d81e415ef64649b7
  • 4511e57ae1eacdf1c2922bf1a94bfb8d
  • 4cb843f2a5b6ed7e806c69e6c25a1025
  • 52ff761212eeaadcd3a95a1f8cce4030
  • 58fafabd6ae8360c9d604cd314a27159
  • 5d3ab2baacf2ad986ed7542eeabf3dab
  • 6a968fd1608bca7255c329a0701dbf58
  • 76831271eb117b77a57869c80bfd6ba6
  • 7a7937f8d4dcb335e96db05b2fb64a1b
  • 8aeacd58d371f57774e63d217b6b6f98
  • ac99b5c1d66b5f0ddb4423c627ca8333
  • ae9593c0c80e55ff49c28e28bf8bc887
  • b5d3e0c3c470d2d41967229e17259c87
  • b6ab96dc4778c6704b6def5db448a020
  • b6f17d59f38aba69d6da55ce36406729
  • c560d3371a16ef17dd79412f6ea99d3a
  • cacf04cd560b70eaaf0e75f3da9a5e8f
  • cafc26b215550521a12b38de38fa802b
  • d4ad31f316dc4ca0e7170109174827cf
  • d94c6323c3f77965451c0b7ebeb32e13
  • db5fc5cf50f8c1e19141eb238e57658c
  • e34669d56a13d607da1f76618eb4b27e
  • e582bd909800e87952eb1f206a279e47
  • ee76638004c68cfc34ff1fea2a7565a7

REFERENCES

  • https://thehackernews.com/2023/12/kimsuky-hackers-deploying-appleseed.html
  • https://asec.ahnlab.com/en/60054/
  • https://otx.alienvault.com/pulse/658c565578c6361b0ed9617a?utm_userid=xopxe&utm_medium=InProduct&utm_source=OTX&utm_content=Email&utm_campaign=new_pulse_from_subscribed

TAGS

kimsuky, phishing, LNK, javascript, appleseed, macro, excel, alphaseed, chrome remote desktop, backdoor, infostealer, TightVNC, TinyNuke, meterpreter


Akira, again: The ransomware that keeps on taking

Akira is a ransomware family that has been active since March 2023. It is known for its highly experienced and skilled operators, who use various tactics to gain initial access, establish persistence, and evade defenses. The operators have been observed using compromised VPN credentials, targeting vulnerable Cisco VPNs, and creating a new domain account on the compromised system. For defense evasion they use PowerTool or a KillAV tool that abuses a Zemana driver, and for discovery they use PCHunter, SharpHound, AdFind, the net Windows command, nltest, Advanced IP Scanner, and MASSCAN to gather system and domain information. The ransomware is named after a 1988 anime movie of the same name, and its operators use a cyberpunk aesthetic on their leak site. The ransomware targets corporate networks worldwide, encrypting sensitive files and demanding large ransoms to recover the data and keep it from being leaked. According to Trend Micro's open-source intelligence research, Akira ransomware actors compromised 107 organizations between April 1 and August 31, 2023. The ransomware remains active and continues to evolve.

IoC

    IPv4

  • 45.227.254.26
  • 80.66.88.203
  • 152.89.196.111
  • 185.11.61.114
  • 194.26.29.102
  • 91.240.118.29

    SHA256

  • 1c1ef7736dd95ea9aa2dc5784dc51977a1d890c92159e16315ef15546556bcdf
  • 2b02d732c6c46d8cb3758851c9e79a52761956109f55407c1a5d693a8a1af1f3
  • 681697c35dbb1beba9886f5c44882ccca32dd7e9e483a381e981e7409a0e35cb
  • b711f7617f507053a131a75b0971409f76663b404aa1c51bfbe2cd32f2ac8fb8
  • be8257317bea80a1ed670d70eb4f21bba246c266a59724185b366c2dcfb2b8ea
  • dfee389e1ffa09ed81adcf0d0f165d859e0c045ad7d90f6edcf3f96dfcceba2b

REFERENCES

  • https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-akira
  • https://darktrace.com/blog/akira-ransomware-how-darktrace-foiled-another-novel-ransomware-attack
  • https://www.sentinelone.com/anthology/akira/
  • https://www.trellix.com/about/newsroom/stories/research/akira-ransomware/
  • https://otx.alienvault.com/pulse/658c45ad9b174d9cf1b26ce0

TAGS

winrar, winscp, veeam, mega, ransomware, anydesk, ngrok

Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices

According to the McAfee Mobile Research Team, a new Android backdoor called "Android/Xamalicious" has been identified. It is implemented with Xamarin, an open-source framework for building Android and iOS apps with .NET and C#. The backdoor uses social engineering to obtain accessibility privileges, then contacts its command-and-control server to decide whether to download a second-stage payload, which is dynamically injected as an assembly DLL at runtime to take full control of the device and perform financially motivated fraud, such as clicking on ads and installing apps, without user consent. The second-stage payload can take full control of the infected device because of the powerful accessibility services already granted during the first stage; the first stage also contains functions to self-update the main APK, so the malware has the potential to perform any type of activity a spyware or banking trojan would, without user consent. Based on the number of installations, these apps may have compromised at least 327,000 devices from Google Play, plus installations from third-party markets that continue to produce new infections according to the detection telemetry of McAfee clients around the world. This threat remains very active.

IoC

    MD5

  • 359bbd612d493176603d04c07a85c2a3
  • 54b9c0431e2c2d450d54b7307af1b94e
  • 93ec54584746e28873614e2e8e34876f
  • 9c25f99768fd9af907d7dd10410c58c2
  • a28da4ba0f525691b41c0c27f747b938
  • aae0796b4aac163ddb7b65754a446710
  • d1547228961d30c5bbb2ee3f103afed6

    SHA1

  • 0b50afd999b01712edce2f03c3fa76768591bd40
  • 5a1e9d7fd2205d19298ec2b8990e487543a18580
  • 61bed88a02468f90f8d871455ede227240c68e36
  • 6bf2bf331b8ca2e265d4017e7271fb57ccd0625a
  • c10445557bd3b554175e34e5cd38e4c4381be9d9
  • c2477323b60f9d95203bc2110e6951ccc2c2c187
  • cfdafb9945fb2153c2e0ac94e8b5b0ef8da1bbfa

    SHA256

  • 01c56911c7843098777ec375bb5b0029379b0457a9675f149f339b7db823e996
  • 117fded1dc51eff3788f1a3ec2b941058ce32760acf61a35152be6307f6e2052
  • 19ffe895b0d1be65847e01d0e3064805732c2867ce485dfccc604432faadc443
  • 1bfc02c985478b21c6713311ca9108f6c432052ea568458c8bd7582f0a825a48
  • 22803693c21ee17667d764dd226177160bfc2a5d315e66dc355b7366b01df89b
  • 28a4ae5c699a7d96e963ca5ceec304aa9c4e55bc661e16c194bdba9a8ad847b7
  • 3201785a7de8e37e5d12e8499377cfa3a5b0fead6667e6d9079d8e99304ce815
  • 5fffb10487e718634924552b46e717bbcbb6a4f9b1fed02483a6517f9acd2f61
  • 6953ba04233f5cf15ab538ae191a66cb36e9e0753fcaeeb388e3c03260a64483
  • 6a3455ff881338e9337a75c9f2857c33814b7eb4060c06c72839b641b347ed36
  • 7149acb072fe3dcf4dcc6524be68bd76a9a2896e125ff2dddefb32a4357f47f6
  • 81a9a6c86b5343a7170ae5abd15f9d2370c8282a4ed54d8d28a3e1ab7c8ae88e
  • 8927ff14529f03cbb2ebf617c298f291c2d69be44a8efa4e0406dea16e53e6f9
  • 899b0f186c20fdbfe445b4722f4741a5481cd3cbcb44e107b8e01367cccfdda3
  • 9b4dc1e80a4f4c798d0d87a52f52e28700b5b38b38a532994f70830f24f867ba
  • 9c646516dd189cab1b6ced59bf98ade42e19c56fc075e42b85d597449bc9708b

REFERENCES

  • https://www.mcafee.com/blogs/other-blogs/mcafee-labs/stealth-backdoor-android-xamalicious-actively-infecting-devices/
  • https://otx.alienvault.com/pulse/658c40da58889532fbfe245c

TAGS

google play, rsa key, android, cash magnet, xamalicious, xamarin, updater, pixel, tarot

Bandook - A Persistent Threat That Keeps Evolving

Bandook is a remote access trojan that has been continuously developed since it was first detected in 2007. It has been used in various campaigns by different threat actors over the years. Recently, FortiGuard Labs identified a new Bandook variant distributed via a PDF file that contains a shortened URL, which downloads a password-protected .7z archive. After the victim extracts the malware using the password given in the PDF file, the malware injects its payload into msinfo32.exe. This new variant of Bandook is being distributed via a Spanish-language PDF file.

IoC

    MD5

  • 5b49b856ed078c80306a6f190c445138
  • 695ebe3e45a89552d7dabbc2b972ed66
  • cc9283299523aed18b5c82c22b0b9f27
  • d3577d76430cf9910df854e066331f56

    SHA1

  • 33c172779ac7117e30d37a6fe26361b2175cae03
  • 89f1e932cc37e4515433696e3963bb3163cc4927
  • 90e8f60e0b1f19da57011fba19c04fab0614e757
  • efbeec9846500b7d54d7fbc51de78b92976d1bbc

    SHA256

  • 2e7998a8df9491dad978dee76c63cb1493945b9cf198d856a395ba0fae5c265a
  • 3169171e671315e18949b2ff334db83f81a3962b8389253561c813f01974670b
  • 430b9e91a0936978757eb8c493d06cbd2869f4e332ae00be0b759f2f229ca8ce
  • 8904ce99827280e447cb19cf226f814b24b0b4eec18dd758e7fb93476b7bf8b8
  • cd78f0f4869d986cf129a6c108264a3517dbcf16ecfc7c88ff3654a6c9be2bca
  • d3e7b5be903eb9a596b9b2b78e5dd28390c6aadb8bdd4ea1ba3d896d99fa0057
  • e87c338d926cc32c966fce2e968cf6a20c088dc6aedf0467224725ce36c9a525

    IPv4

  • 45.67.34.219
  • 77.91.100.237

REFERENCES

  • https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving
  • https://otx.alienvault.com/pulse/658c37500d4737e0ef37ec5c

TAGS

remote access trojan, bandook, appdata, c2 server, init function

Sunday, December 31, 2023

Smoke and Mirrors: Understanding The Workings of Wazawaka

The "Smoke and Mirrors: Understanding The Workings of Wazawaka" report provides a detailed analysis of Wazawaka, also known as Mikhail Pavlovich Matveev, and his alleged involvement in cybercriminal activities. The report delves into Wazawaka's background, affiliations, and tactics within the threat landscape, shedding light on his team and close relations with other threat actors. It is suggested that the contents of the report can be used as admissible proof before legal authorities. Wazawaka has recently gained prominence within the Threat Intelligence (TI) community, raising concerns across the cyber realm. The research is aimed at information security leaders seeking to enhance their risk management. The report is significant for understanding the dynamics of the digital threat landscape and the individuals and groups operating within it.

IoC

    IPv4

  • 79.124.59.178

    MD5

  • 11d211ce3fa615ce35bff30fa37e9251

    SHA1

  • eba816d7dc084d5702ad5d222c9b6429755b25fd

    SHA256

  • 040037bd66b2b9062cffd925999718af97d36685968b875433af2bf4fa81a7e6
  • 048e32d46b1d6f55b66a5b28be17546593c5da2ce2fc1fe99dc08aab7523ccb1
  • 0787a93d583bb25cae5aaee759e1ab725f6e12723c5d86d22f46c31749cce1ea
  • 12f53ffe90611f2519a1f83fbde6f9e43bef30fae9a1094b4753ace971e91d5e
  • 138d1a9a3083aa0ac951a519a454cb8cae330733d6cbade36afc565207557af5
  • 15fa94281eef6141ea969d0f551d05d6a2bcb127fa53b76a52916c1216cbfe76
  • 1df868f1cf6a25d55fc7968a400a807563b934023316a0ccd8f98365931f630f
  • 22e937ff2ec6206fa37d7418c18bb0e65c71849b43b5f43e563125678856b1ba
  • 39d76f2d68f3c37f9b4ff33f7268dc7b58da4bcf4181262128e81a97f5f78037
  • 4090a0034626ad8b0c658f68df7fbba452bb7711109e3d2843a6b56aad41e36f
  • 46f1a4c77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561
  • 49badc9a57d097f70bc4ef377102b93bea75936ac341c5855e3910f308c46434
  • 4a8e2484f09047a497ec077b1687eac12e02414640e4592a17e1cf154a4f4274
  • 5748cf3f7a4b5b0a817c4c54ab0bea007a5e4b8149126f6e5dc05971243e57d3
  • 602eaae3b2b19f55c5311c6966b135f1149f291f7f60fdebf9a1d2c6888ba7f6
  • 6f35a245e42135a6f6ff15fc9b4058a3600ebcaacdbedddda01baaaaa5022b77
  • 815e7f1fc846529ba84dd43d1c4a02fc572d6c953b2eba3a2b4e7f91e92a252f

REFERENCES

  • https://resources.prodaft.com/wazawaka-report
  • https://cert.gov.ua/article/3761104
  • https://25491742.fs1.hubspotusercontent-eu1.net/hubfs/25491742/WAZAWAKA_TLPCLEAR_Report.pdf
  • https://otx.alienvault.com/pulse/658b00f1732e5418858a1b63

TAGS

ransomware, monti, tor, lockbit, raas, trigona, conti, vpn brute force, powershell


Android Banking Trojan Chameleon can now bypass any Biometric Authentication

The Android Banking Trojan Chameleon has recently been updated with new features, including the ability to bypass any biometric authentication. This variant of the Chameleon malware has been active since early 2023 and initially targeted mobile banking applications in Australia and Poland, but has since expanded its reach to the UK and Italy. The updated Chameleon variant has two notable new features:

Bypassing Biometric Authentication: The malware uses an HTML page to guide the victim through a manual step-by-step process to enable the Accessibility service on their device. This allows the malware to perform Device Takeover (DTO) and bypass biometric authentication, such as fingerprint locks. The bypass gives underground actors two advantages: the ability to steal PINs, passwords, or graphical keys through keylogging (biometric data itself remains inaccessible to them), and the ability to unlock devices using previously stolen PINs or passwords.

Task Scheduling: The updated Chameleon variant introduces task scheduling using the AlarmManager, allowing the malware to perform unauthorized actions on the user's behalf at specific times.

These new features make the Chameleon malware more sophisticated and adaptable, posing a significant threat to the mobile security landscape. It is essential to maintain robust cybersecurity measures to mitigate the risk of malware delivery and social engineering attacks.

IoC

    SHA256

  • 0a6ffd4163cd96d7d262be5ae7fa5cfc3affbea822d122c0803379d78431e5f6
  • 2211c48a4ace970e0a9b3da75ac246bd9abaaaf4f0806ec32401589856ea2434

REFERENCES

  • https://www.securityweek.com/chameleon-android-malware-can-bypass-biometric-security/
  • https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action
  • https://siliconangle.com/2023/12/24/new-chameleon-android-malware-variant-emerges-fingerprint-lock-bypass-capability/
  • https://otx.alienvault.com/pulse/6585a108d98cf0b320927060

TAGS

android, chameleon, zombinder, device takeover, trojan, html page, chameleon banking

BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates

The "BattleRoyal" cluster, as identified by Proofpoint researchers, is a cyber threat activity involving the use of DarkGate and NetSupport malware. The cluster has been associated with at least 20 email campaigns from September to November 2023, utilizing diverse delivery methods such as emails, Microsoft Teams, Skype, malvertising, and fake updates. The campaigns have demonstrated a transition from DarkGate to NetSupport, indicating a strategic shift or a response to the evolving threat landscape. The actor behind the BattleRoyal cluster has employed multiple attack chains, including the use of both email and compromised websites with fake update lures to deliver the DarkGate malware. This highlights a new trend among cybercriminals, showcasing increasingly creative and varied attack strategies. The campaigns have also been notable for their exploitation of CVE-2023-36025 and the use of a RogueRaticate fake update activity cluster. The threat posed by the BattleRoyal cluster underscores the importance of robust cybersecurity measures to mitigate the risk of malware delivery and social engineering attacks.

IoC

    CVE

  • CVE-2023-36025

    SHA256

  • 2f5af97b13b077a00218c60305b4eee5d88d14a9bd042beed286434c3fc6e084
  • 7562c213f88efdb119a9bbe95603946ba3beb093c326c3b91e7015ae49561f0f
  • 96ca146b6bb95de35f61289c2725f979a2957ce54761aff5f37726a85f2f9e77
  • e2a8a53e117f1dda2c09e5b83a13c99b848873a75b14d20823318840e84de243
  • ea8f893c080159a423c9122b239ec389939e4c3c1f218bdee16dde744e08188f
  • fce452bcf10414ece8eee6451cf52b39211eb65ecaa02a15bc5809c8236369a4

    IPv4

  • 5.181.159.29
  • 79.110.62.96

    DOMAIN

  • heilee.com
  • kairoscounselingmi.com
  • nathumvida.org
  • searcherbigdealk.com
  • zxcdota2huysasi.com

    URL

  • http://5.181.159.29:80/Downloads/12.url
  • http://5.181.159.29:80/Downloads/evervendor.zip/evervendor.exe
  • http://79.110.62.96:80/Downloads/bye.zip/bye.vbs
  • http://searcherbigdealk.com:2351/msizjbicvmd
  • http://searcherbigdealk.com:2351/zjbicvmd
  • https://heilee.com/qxz3l

REFERENCES

  • https://www.infosecurity-magazine.com/news/battleroyal-cluster-signals/
  • https://cyware.com/news/battleroyal-threat-cluster-spread-darkgate-rat-via-email-and-fake-browser-updates-99a80b43
  • https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
  • https://otx.alienvault.com/pulse/65855c8bd0709c708a894ca2

TAGS

BattleRoyal, DarkGate, Fake Browser Updates

New MetaStealer malvertising

The "New MetaStealer" malvertising campaigns distribute a piece of malware called MetaStealer through malicious online advertisements. MetaStealer is an info-stealer designed to exfiltrate sensitive information from infected systems. The campaigns reuse parts of the RedLine code base and have been distributed through various channels, including malspam and malvertising. The developers of MetaStealer have announced a new and improved version of the malware, indicating ongoing development and potential future threats. The campaigns have targeted users through ads for popular software such as Notepad++ and AnyDesk. These malvertising campaigns represent a significant threat, as they can lead to the compromise of sensitive information and further malicious activity.

IoC

    MD5

  • 2a4b0b65897e7fd494ad0aced7f42aeb
  • 8ba7059cc766798bc3993b720f561c11

    SHA1

  • 7cdcbd78194eeaa4e3793c5b19d84537ff71bb3c
  • 891ad3e89d469f55245738a99c3e71e8a2a4fa42

    SHA256

  • 949c5ae4827a3b642132faf73275fb01c26e9dce151d6c5467d3014f208f77ca
  • 99123063690e244f95b89d96759ec7dbc28d4079a56817f3152834047ab047eb
  • c5597da40dee419696ef2b32cb937a11fcad40f4f79f9a80f6e326a94e81a90f

    URL

  • http://rawnotepad.com/notepad++.zip
  • http://startworkremotely.com/Anydesk.zip

    DOMAIN

  • cewgwsyookogmmki.xyz

REFERENCES

  • https://cyware.com/news/new-metastealer-malvertising-campaigns-spotted-f4f882cc
  • https://www.malwarebytes.com/blog/threat-intelligence/2023/12/new-metastealer-malvertising-campaigns
  • https://www.malwarebytes.com/blog/threat-intelligence/2023/12/new-metastealer-malvertising-campaigns/amp
  • https://otx.alienvault.com/pulse/658469e72f85cfbf44de42a6

TAGS

metastealer, malvertising

Modus operandi UAC-0177 (JokerDPR) on the example of one of the cyber attacks

The provided links do not contain the specific details of the "Modus operandi UAC-0177 (JokerDPR)" cyber attack. As a result, I'm unable to provide the example of the cyber attack. If you have access to other sources that provide details about this cyber attack, I would be happy to help you analyze the information and provide insights.

IoC

    IPv4

  • 179.43.162.29
  • 185.196.9.215
  • 80.78.22.194

    URL

  • http://edisk.ukr.net.ssl2.link/shared/

    DOMAIN

  • authcheck.in
  • authssl.in
  • authssl.link
  • authssl.online
  • authssl.org
  • authssl.site
  • certifiedauth.in
  • connectssl.in
  • exmo.day
  • getssl.click
  • getssl.ink
  • goaccount.link
  • hsts.online
  • personlog.in
  • ssl1.online
  • ssl1.site
  • ssl2.in
  • ssl2.link
  • ssl2.online
  • ssl2.site
  • ssl3.online
  • ssl3.site
  • ssl4.online
  • ssl4.site

    HOSTNAME

  • account.certifiedauth.in
  • account.coinbase.exmo.day

REFERENCES

  • https://cert.gov.ua/article/6276799
  • https://otx.alienvault.com/pulse/6584684fa9224d5643a0e891

TAGS

phishing, credential stealing
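The indicator lists in each entry of this digest (file hashes, IPv4 addresses, domains and hostnames) only pay off once they are matched against local evidence. As an added example that is not part of this blog or of any vendor report it cites, the Python script below loads a handful of the indicators published above and checks them against a constructed endpoint hash inventory and constructed firewall log lines. The indicator values are copied from the lists above; the inventory layout, the key=value log format and the sample rows and lines are assumptions made for the demonstration. Domain matching is suffix-based on purpose: the UAC-0177 entry lists the domain ssl2.link while the observed URL host is edisk.ukr.net.ssl2.link, so an exact-string comparison would miss it.

```python
"""Match indicators from this digest against local evidence.

Added example, not code from the blog or from any vendor it cites.  The
indicator values are copied from the IoC lists above; the inventory rows,
log lines and their format are constructed for the demonstration.
"""
import hashlib
import ipaddress
import re
from typing import Optional

# Indicators copied from the digest (a small subset; the source entry is in the comment).
IOC_HASHES = {
    "md5": {"0957edfec31dd2dd05d484eed90593c7"},                                     # Cloud Atlas
    "sha256": {"0a6ffd4163cd96d7d262be5ae7fa5cfc3affbea822d122c0803379d78431e5f6"},  # Chameleon
}
IOC_IPS = {"147.78.46.40", "5.181.159.29"}           # UAC-0099, BattleRoyal
IOC_DOMAINS = {"ssl2.link", "searcherbigdealk.com"}  # UAC-0177, BattleRoyal

# Constructed endpoint inventory, shaped like an EDR hash export (assumed layout).
SAMPLE_INVENTORY = [
    {"host": "ws-17", "path": r"C:\Users\a\Downloads\offer.rtf",
     "md5": "0957EDFEC31DD2DD05D484EED90593C7"},   # upper-case on purpose: exports vary
    {"host": "ws-18", "path": r"C:\Windows\System32\notepad.exe",
     "md5": "d41d8cd98f00b204e9800998ecf8427e"},
]

# Constructed firewall/proxy log lines in key=value form (assumed format).
SAMPLE_LOG = [
    "2024-01-03T10:12:44Z src=10.0.0.15 dst=147.78.46.40 dport=443 host=- action=allow",
    "2024-01-03T10:13:02Z src=10.0.0.21 dst=203.0.113.9 dport=443 host=example.org action=allow",
    "2024-01-03T10:15:30Z src=10.0.0.33 dst=198.51.100.7 dport=443 host=edisk.ukr.net.ssl2.link action=allow",
    "2024-01-03T10:16:01Z src=10.0.0.33 dst=5.181.159.29 dport=80 host=5.181.159.29 action=allow",
]


def digest_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of a blob, keyed like IOC_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def match_digests(digests: dict) -> list:
    """Return (algorithm, digest) pairs that appear in the indicator sets (case-insensitive)."""
    hits = []
    for algo, value in digests.items():
        value = value.lower()
        if value in IOC_HASHES.get(algo, set()):
            hits.append((algo, value))
    return hits


def domain_matches(hostname: str) -> Optional[str]:
    """Return the indicator domain if hostname equals it or is a subdomain of it."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # every suffix of at least two labels
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


_KV = re.compile(r"(\w+)=(\S+)")


def scan_log_line(line: str) -> list:
    """Check the dst and host fields of one key=value log line against the indicators."""
    fields = dict(_KV.findall(line))
    hits = []
    dst = fields.get("dst", "")
    try:
        if str(ipaddress.ip_address(dst)) in IOC_IPS:
            hits.append({"type": "ip", "indicator": dst})
    except ValueError:
        pass  # dst missing or not an IP address
    host = fields.get("host", "-")
    if host != "-":
        matched = domain_matches(host)
        if matched:
            hits.append({"type": "domain", "indicator": matched, "observed": host.lower()})
    return hits


def scan_inventory(rows) -> list:
    """Match every hash column of each inventory row; one finding per hit."""
    findings = []
    for row in rows:
        digests = {k: v for k, v in row.items() if k in ("md5", "sha1", "sha256")}
        for algo, value in match_digests(digests):
            findings.append({"host": row["host"], "path": row["path"],
                             "algo": algo, "indicator": value})
    return findings


def scan_log(lines) -> list:
    """Run scan_log_line over a log, tagging each hit with its 1-based line number."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for hit in scan_log_line(line):
            findings.append({"line": number, **hit})
    return findings


if __name__ == "__main__":
    for finding in scan_inventory(SAMPLE_INVENTORY) + scan_log(SAMPLE_LOG):
        print(finding)
```

To use it against real data, replace `SAMPLE_INVENTORY` and `SAMPLE_LOG` with rows from your own hash export and firewall log, and extend the three indicator sets with the full lists from the entries above; `digest_bytes` is there for the case where you have the file itself rather than a precomputed hash. Keep the hashes lower-cased when you paste them, since `match_digests` normalises only the side it is given.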
