Ankura CTIX FLASH Update - June 18, 2024

Ankura Consulting Group LLC

Ransomware/Malware Activity

DISGOMOJI Linux Malware Commanded by Emojis

Researchers at Volexity have recently reported on a Linux malware strain named "DISGOMOJI" which has been observed targeting government agencies in India. The campaign is attributed to a suspected Pakistan-based threat actor that Volexity tracks as "UTA0137". UTA0137 builds on the open-source command-and-control (C2) project "discord-c2", which uses a Discord server as the C2 channel, so the malware's traffic blends in with legitimate use of the platform. The operators issue commands to DISGOMOJI by posting emojis to the channel, with each emoji standing for one command. Examples include an emoji of a man running, which executes a shell command on the victim's device; a camera emoji, which takes a screenshot of the victim's screen; and a fire emoji, which finds and sends the attacker all files matching an extension list. Other capabilities of DISGOMOJI include zipping Firefox profiles on the victim's device and downloading and uploading additional files. The malware has been observed as part of a phishing campaign targeting government agencies in India, and Volexity believes it was built for BOSS, a custom Linux distribution that Indian government agencies use on their desktops. The campaign begins with a spear-phishing email carrying a ZIP archive. The archive contains a Golang ELF binary that, when run, downloads DISGOMOJI from a remote server while opening a benign decoy PDF consistent with the phishing pretext. Volexity notes that UTA0137 has been improving DISGOMOJI over time, and that the malware has been successfully deployed in several attacks. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
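The emoji-keyed command scheme above is easy to describe but awkward to handle in practice, because an emoji such as "man running" is often several code points (base emoji, zero-width joiner, gender sign, variation selector, optional skin-tone modifier) and a lookup table keyed on the raw string will miss variants. The following added example, which is not Volexity's tooling nor the malware's own code, decodes a recovered channel history into operator commands and scopes what a "fire" command would have collected from a host. Only the three commands the report names are mapped; the code points chosen for them, the "emoji, then arguments" message layout, and the sample messages and files are assumptions constructed for this example.

```python
"""Decode emoji-keyed C2 messages like those described for DISGOMOJI.

Added illustrative code, not Volexity's analysis tooling and not the
malware's own code. Only the three commands the report names are mapped;
the code points chosen for them and the "emoji, then arguments" message
layout are assumptions made for this example.
"""
import tempfile
from pathlib import Path
from typing import Iterable, List, NamedTuple, Optional

# Base emoji -> command. Code points are an assumption (the report names
# the emoji, not their Unicode values).
COMMANDS = {
    "\U0001F3C3": "exec",        # runner ("man running"): run a shell command
    "\U0001F4F7": "screenshot",  # camera
    "\U0001F4F8": "screenshot",  # camera with flash
    "\U0001F525": "exfil",       # fire: collect files matching an extension list
}

# Code points that decorate a base emoji without changing which emoji it is.
_ZWJ = "\u200D"
_VARIATION_SELECTORS = {"\uFE0E", "\uFE0F"}
_GENDER_SIGNS = {"\u2640", "\u2642"}
_SKIN_TONES = {chr(c) for c in range(0x1F3FB, 0x1F400)}  # U+1F3FB..U+1F3FF


def base_emoji(token: str) -> str:
    """Reduce e.g. 'man running, medium skin tone' to its base runner code point."""
    return "".join(
        ch for ch in token
        if ch != _ZWJ
        and ch not in _VARIATION_SELECTORS
        and ch not in _GENDER_SIGNS
        and ch not in _SKIN_TONES
    )


class C2Command(NamedTuple):
    command: str
    args: str


def decode(message: str) -> Optional[C2Command]:
    """Map one channel message to (command, args); None if no known emoji leads it."""
    parts = message.strip().split(maxsplit=1)
    if not parts:
        return None
    command = COMMANDS.get(base_emoji(parts[0]))
    if command is None:
        return None
    return C2Command(command, parts[1] if len(parts) > 1 else "")


def decode_channel(messages: Iterable[str]) -> List[C2Command]:
    """Turn a recovered channel history into an ordered list of operator commands."""
    return [cmd for cmd in map(decode, messages) if cmd is not None]


def collect_matching(root: Path, extensions: Iterable[str]) -> List[str]:
    """What a 'fire' command would gather: files under root with a listed suffix."""
    wanted = {ext.strip().lower() for ext in extensions}
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in wanted
    )


# Constructed sample of a recovered channel history (not real captured traffic).
SAMPLE_MESSAGES = [
    "\U0001F3C3\u200D\u2642\uFE0F id; uname -a",   # man running (ZWJ + male sign)
    "\U0001F3C3\U0001F3FD cat /etc/hostname",       # runner with a skin-tone modifier
    "\U0001F4F8",                                    # camera with flash, no arguments
    "\U0001F525 .pdf,.docx,.xlsx",                   # fire with an extension list
    "looks good, thanks",                            # operator chatter, not a command
]


def demo_collect() -> List[str]:
    """Scope what the sample 'fire' command would have taken from a constructed tree."""
    exfil = decode(SAMPLE_MESSAGES[3])
    assert exfil is not None and exfil.command == "exfil"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.pdf").write_text("constructed")
        (root / "notes.docx").write_text("constructed")
        (root / "photo.png").write_text("constructed")
        return collect_matching(root, exfil.args.split(","))


if __name__ == "__main__":
    for cmd in decode_channel(SAMPLE_MESSAGES):
        print(f"{cmd.command:<10} {cmd.args}")
    print("fire would collect:", demo_collect())
```

The normalisation in base_emoji is the part worth keeping: when triaging a channel export, the same command will appear with and without gender or skin-tone decorations depending on the operator's client, and a decoder keyed on exact strings will silently drop commands from the timeline.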

Threat Actor Activity

Hacker from Scattered Spider Arrested

Spanish authorities, in collaboration with the FBI, detained a 22-year-old British man at Palma Airport who is suspected of being a ringleader of the notorious Scattered Spider hacking group. The group has been implicated in high-profile cyber incidents, including a devastating attack on MGM Resorts in 2023 that resulted in an estimated $100 million loss. Unlike traditional cybercrime organizations, Scattered Spider operates more as a loose collective, employing social engineering tactics such as SIM swapping and phishing to infiltrate the networks of major companies, including Coinbase and LastPass. The arrest underscores the increasing effectiveness of international law enforcement efforts against cybercriminals who, until recently, have operated with a sense of impunity behind the anonymity of the internet. It follows the earlier apprehension of another group affiliate, Noah Urban, in Florida, and points to a broader crackdown on members of Scattered Spider and associated entities. Further investigation revealed that the individual apprehended in Spain, known under the alias "Tyler," played a significant role in the group's operations and specialized in SIM swapping, a technique used to hijack a victim's phone number and intercept SMS messages, including one-time authentication codes. Tyler, identified as Tyler Buchanan from Scotland, is the second member of Scattered Spider to face arrest after Urban. These arrests are part of ongoing efforts to dismantle the group, which has evolved from credential harvesting and SIM swapping to ransomware and data-theft extortion schemes. Scattered Spider, also tracked under monikers such as 0ktapus and UNC3944, has shifted its focus towards encryption-less extortion, targeting software-as-a-service (SaaS) applications to exfiltrate sensitive data. Its tactics include leveraging legitimate cloud synchronization utilities to move data out and abusing Okta permissions to conduct internal reconnaissance and expand the scope of an intrusion. The group's targeting of CyberArk's Privileged Access Security solution highlights its methodical approach to compromising corporate networks. CTIX analysts recommend heightened monitoring of SaaS applications, centralizing logs from important services, closer scrutiny of multi-factor authentication (MFA) device re-registrations (an attacker who has taken over an account typically enrolls a factor they control), and more stringent access policies within cloud tenants.

Vulnerabilities

ASUS Patches Critical Vulnerabilities in Multiple Routers

ASUS has released firmware updates to address critical vulnerabilities in several popular router models. One major flaw, tracked as CVE-2024-3080 (CVSS 9.8/10), is an authentication bypass that allows a remote attacker to log in to an affected device without credentials. Affected models include the ZenWiFi XT8, RT-AX57, RT-AC86U, and RT-AC68U, and ASUS has published model-specific firmware versions that fix the issue. A second critical vulnerability, tracked as CVE-2024-3912 (CVSS 9.8/10), is an arbitrary firmware upload flaw that lets a remote attacker execute system commands on the device. Impacted models include the DSL-N17U, DSL-N55U, and DSL-AC56U. Some older models will not receive updates because they have reached end-of-life status; owners of those devices are advised to disable remote (WAN-side) access features until the hardware can be replaced. ASUS has also updated Download Master to version 3.1.0.114 to fix several medium- and high-severity issues. CTIX analysts urge users to install the updated firmware and follow recommended security practices, such as using strong administrator passwords and disabling remote access features that are not needed.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
