Ankura CTIX FLASH Update - July 2, 2024

Ankura Consulting Group LLC

Ransomware/Malware Activity

New Threat Actor Releases Malware Cluster Bombs

Researchers at Outpost24's KrakenLabs have concluded that several recent reports of a novel infection technique distributing multiple malware families are likely the work of a single threat actor, which they track as "Unfurling Hemlock". Characteristics linking the attacks include the use of cabinet (CAB) files for malware distribution, a file named "WEXTRACT.EXE .MUI", and a common autonomous system tied to hosting services used by Eastern European cybercriminals. The researchers describe the infection method as a "malware cluster bomb": the initial compressed file unfurls into multiple payloads, with archives nested up to seven levels deep. A single attack can drop Redline, Mystic Stealer, RisePro, Amadey, and SmokeLoader together. The researchers have identified at least 50,000 sample files sharing the campaign's characteristics from attacks around the world; based on VirusTotal uploads, the United States is the most frequently targeted country, accounting for 50% of samples. For defenders, the noisy, drop-everything nature of the cluster bombs means next-generation antivirus and EDR tools should readily detect this activity. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.

Threat Actor Activity

North Korean "Kimsuky" Hacking Group Behind Fake Google Translate Malware Campaign

A North Korean threat actor known as Kimsuky has been linked to a new malicious Google Chrome extension named "TRANSLATEXT", designed to steal email addresses, usernames, passwords, cookies, and browser screenshots. The activity, observed by Zscaler ThreatLabz in early March 2024, targets South Korean academia, particularly researchers focused on North Korean political affairs. Kimsuky, active since at least 2012, is known for cyber espionage and financially motivated attacks; recent campaigns have exploited a security flaw in Microsoft Office and used job-themed lures to drop espionage tools. The attack begins with a ZIP archive containing a Hangul Word Processor (HWP) document and an executable, leading to the retrieval of a PowerShell script that installs the extension and stages data for exfiltration. TRANSLATEXT, disguised as Google Translate, bypasses security measures for prominent webmail providers, captures sensitive data, and communicates with a Blogger Blogspot URL to fetch further commands. The group's goal is to gather intelligence on academic and government personnel. CTIX analysts will continue to monitor the activity of both financially motivated and state-sponsored threat actors.

Vulnerabilities

New regreSSHion Flaw Leaves Certain Linux Systems Vulnerable to RCE Attacks

OpenSSH maintainers have released security updates for a critical vulnerability dubbed "regreSSHion", which allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems. Discovered by Qualys researchers and tracked as CVE-2024-6387, the flaw is a signal handler race condition in the sshd server, affecting versions 8.5p1 through 9.7p1 (the fix shipped in 9.8p1) as well as versions prior to 4.4p1 unless already patched for CVE-2006-5051; the name reflects that this is a regression of that earlier bug. If a client fails to authenticate within LoginGraceTime (120 seconds by default), sshd's SIGALRM handler runs asynchronously and calls functions such as syslog() that are not async-signal-safe; an attacker who times the connection abort precisely can corrupt heap state and gain code execution. Qualys counts over 14 million potentially exposed internet-facing OpenSSH instances, roughly 700,000 of which it assesses as vulnerable. Exploitation is difficult: in Qualys's testing it required repeated connection attempts over six (6) to eight (8) hours, though the researchers noted that AI-assisted tooling could improve success rates. Successful exploitation could lead to full system takeover, malware installation, data manipulation, and the creation of backdoors. Mitigations include updating to OpenSSH 9.8p1 (or a vendor build that backports the fix, which will still report an older version string, so check vendor advisories rather than the version number alone), restricting SSH access with network controls and segmentation, and, where patching is not yet possible, setting LoginGraceTime to 0 in sshd_config, which prevents the race at the cost of exposing sshd to connection-exhaustion denial of service. OpenBSD is not affected; the flaw's potential effects on macOS and Windows require further analysis. CTIX analysts recommend that all administrators responsible for glibc-based Linux systems ensure their instances are patched or that mitigations have been implemented to prevent successful exploitation.
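The following shell script is an added example (not from the Ankura or Qualys text) of the two checks an administrator would run against the affected-version ranges and the LoginGraceTime mitigation described above. It classifies an OpenSSH banner string (from `ssh -V` or a server's SSH-2.0 greeting) and reads the effective LoginGraceTime out of an sshd_config text. The banner strings and the sshd_config fragment are constructed samples; the function names are this example's own. A version string alone cannot see a distribution's backported fix, so "vulnerable" here means "confirm against the vendor advisory", not a verdict.

```shell
#!/bin/sh
# Added example, not OpenSSH or Qualys tooling. Classifies OpenSSH versions
# against the CVE-2024-6387 ranges and checks the LoginGraceTime mitigation.

# Extract "major.minor" plus the portable "pN" suffix from a banner such as
# "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13" or the output of `ssh -V`.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\)\(p[0-9]*\)\{0,1\}.*/\1\2/p' |
        head -n 1
}

# Turn "9.6p1" into the integer 9006001 so version ranges compare numerically.
# A version without a "pN" suffix (e.g. "7.4") is treated as p0.
version_key() {
    v=$1
    maj=${v%%.*}
    rest=${v#*.}
    min=${rest%%p*}
    p=${rest#*p}
    [ "$p" = "$rest" ] && p=0
    echo $(( maj * 1000000 + min * 1000 + p ))
}

# Prints "vulnerable", "patched" or "unknown" (not an OpenSSH banner).
# Ranges per the advisory: < 4.4p1 (unless patched for CVE-2006-5051) and
# 8.5p1 up to but not including 9.8p1. Backported vendor fixes keep the old
# version string, so "vulnerable" is a prompt to check the vendor advisory.
regresshion_status() {
    ver=$(openssh_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    k=$(version_key "$ver")
    if [ "$k" -lt "$(version_key 4.4p1)" ]; then
        echo vulnerable
        return 0
    fi
    if [ "$k" -ge "$(version_key 8.5p1)" ] && [ "$k" -lt "$(version_key 9.8p1)" ]; then
        echo vulnerable
        return 0
    fi
    echo patched
}

# Prints the effective LoginGraceTime from an sshd_config text. sshd uses the
# first value it sees for a keyword, and defaults to 120 when unset. A value
# with a time suffix such as "2m" is returned verbatim for manual review.
# Assumption: keyword written as "LoginGraceTime" (sshd itself is case-insensitive).
login_grace_time() {
    t=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*LoginGraceTime[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' |
        head -n 1)
    echo "${t:-120}"
}

# Constructed sample sshd_config with the mitigation applied.
# LoginGraceTime 0 removes the SIGALRM timer the exploit relies on, but lets
# unauthenticated clients hold connections open (MaxStartups still caps them).
SAMPLE_CONFIG='# constructed sample sshd_config
Port 22
#LoginGraceTime 2m
LoginGraceTime 0
PermitRootLogin no'

# Constructed sample banners: vulnerable, fixed release, pre-regression release.
for banner in 'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13' \
              'OpenSSH_9.8p1, OpenSSL 3.0.13 30 Jan 2024' \
              'OpenSSH_8.4p1 Debian-5'; do
    printf '%-45s %s\n' "$banner" "$(regresshion_status "$banner")"
done
printf 'LoginGraceTime in sample config: %s\n' "$(login_grace_time "$SAMPLE_CONFIG")"

# Local check: `ssh -V` reports the client build, which on a stock install
# matches the sshd package. For a remote server, feed in its SSH-2.0 banner.
if command -v ssh >/dev/null 2>&1; then
    printf 'local OpenSSH build: %s\n' "$(regresshion_status "$(ssh -V 2>&1)")"
fi
```

For fleet-wide use, feed the function the banner line each server sends on connection rather than relying on package metadata, and pair a "vulnerable" result with the vendor's advisory before deciding whether the build carries a backported fix.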

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
