Executive Summary
The Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Wrap-Up is a collection of high-level cyber intelligence summaries pertaining to current or emerging cyber events in May 2024, originally published in CTIX FLASH Updates throughout May. This publication includes malware threats, threat actor activity, and newly identified vulnerabilities impacting a wide range of industries and victims. The CTIX FLASH Update is a semi-weekly newsletter that provides a timely snapshot of cyber events, geared toward cyber professionals and end users with varying levels of technical knowledge. The events published in the FLASH typically occurred close in time to publication of the report.
To stay up to date on the latest cyber threat activity, sign up for our weekly newsletter: the Ankura CTIX FLASH Update.
MALWARE ACTIVITY
Fake Web Browser Updates Used to Deploy LummaC2 and BitRAT
Reported in the June 4th, 2024, FLASH Update
- Researchers at eSentire's Threat Response Unit (TRU) have reported on a malware campaign active in May 2024 which is using fake Chrome update webpages to trick users into downloading information-stealing malware. In this latest campaign, users are directed to a fake Chrome browser update page after visiting a compromised website. Users are urged to click a link to download the update, which downloads a zip file called "Update.zip". Once opened, a malicious JavaScript file "Update.js" executes PowerShell scripts that retrieve malicious files that serve as the loaders, persistence mechanisms, and final payloads of BitRAT and LummaC2 (aka Lumma Stealer). BitRAT is categorized as a Remote Access Tool, but also includes XMR miner for cryptocurrency mining, webcam live feed, keylogger functionality, and file manager with zip compression among other capabilities. LummaC2 is a very popular infostealer which targets web browsers, crypto wallets, and other sensitive data repositories. LummaC2 has been available to threat actors as a Malware-as-a-Service since August 2022 and rose to be one of the most prevalent information stealers in 2023. While spreading malware via fake browser updates is not new, it is worth reporting to stress the importance of security awareness training for end users. eSentire notes that in April 2024 fake updates were also used to lure victims into installing FakeBat, and prior to that SocGholish was also spread using a similar technique. CTIX analysts recommend that organizations educate users on these types of malware campaigns. CTIX analysts will continue to report on new and emerging malware and associated campaigns.
New version of TargetCompany Ransomware Targets Linux OS in VMware ESXi Environments
Reported in the June 7th, 2024, FLASH Update
- Researchers at Trend Micro have observed a new Linux variant of TargetCompany ransomware built to infect VMware ESXi environments. TargetCompany is a ransomware operation that mostly targets organizations in Taiwan, South Korea, India, and Thailand. TargetCompany (aka Mallox) has been known for attacking databases (MySQL, Oracle, SQL Server) since June 2021. The new Linux variant of the ransomware performs a check to determine whether it is running in a VMWare ESXi environment as well as checking whether it is being run with administrator privileges. The ransomware uses a custom shell script for payload execution and delivery, which is coded to exfiltrate data to two different servers for redundancy. TargetCompany encrypts files that have extensions related to virtual machines and appends them with the extension ".locked". The ransom note is a text file named "HOW TO DECRYPT.txt" and instructs victims to access a dark web chatroom to receive payment details for the ransom. Once encryption is complete, it deletes itself using the command "fm -f x" to hinder post-exploitation analysis by incident responders. Trend Micro has provided the Indicators of Compromise (IoCs) associated with the ransomware in their blog post of their analysis. CTIX analysts will continue to report on new and emerging strains of malware and associated campaigns.
SickSync Malware Campaign Targets Ukranian Defense Forces
Reported in the June 11th, 2024, FLASH Update
- The Computer Emergency Response Team of Ukraine (CERT-UA) released an advisory last week about a new malware campaign targeting Ukranian defense forces. The "SickSync" campaign is named after its tactic of abusing a legitimate file-syncing software – SyncThing – to steal sensitive information from its targets. The attack begins with a phishing email with a ".rar" attachment that extracts a PDF document, an installer "sync.exe", and BAT script. The BAT script executes the "sync.exe" installer which downloads SyncThing and SPECTR malware. SPECTR malware can grab screenshots of targeted program windows every ten (10) seconds, copy files from local directories and connected USBs, and steal authentication data from browsers and instant messaging applications. The information SPECTR steals is copied to a folder on the victim machine linked to SyncThing, which syncs the data back to the attacker's systems. The hacking group behind this campaign is thought to be the "Vermin" group, which is tracked by CERT-UA, and attributed by CERT-UA to employees of law enforcement agencies of the occupied Luhansk region. CERT-UA includes a full listing of Indicators of Compromise in their notice. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
WARMCOOKIE Backdoor Distributed via Fake Job Offers
Reported in the June 14th, 2024, FLASH Update
- Researchers at Elastic Security Labs have reported on an ongoing malware campaign pushing the "WARMCOOKIE" Windows backdoor via fake employment opportunities. The victims of the campaign are initially sent an email purportedly from a company interested in hiring the individual. The email encourages the victim to click on a link to take them to the company's internal recruitment platform to learn more. The link directs victims to a landing page which prompts the victim to solve a CAPTCHA prior to downloading a JavaScript file containing malicious code. The JavaScript file leverages Window's Background Intelligence Transfer Service (BITS) to download the WARMCOOKIE DLL file which is executed via rundll32.exe. WARMCOOKIE collects background information on the infected host which is encrypted and sent to the attacker C2. The backdoor's main capabilities include capturing screenshots, enumerating the registry key, executing arbitrary commands, dropping files, and reading file contents. It is important to note that the backdoor can be a gateway to other malicious forms of malware. This is not the first time WARMCOOKIE has been observed, as it was previously discovered by researchers at eSentire around June 2023. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
To view the full article click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.