Hackers Use New Set of Hacking Tools to Attack Organizations in U.S.
Hackers often target US organizations because of the country's economic and technological dominance, seeking valuable data for the following purposes:-
Financial gain
Cyber espionage
Geopolitical motivations
Desire to exploit technological vulnerabilities
The cybersecurity researchers at Unit 42 recently noted that hackers are actively attacking US organizations with the help of new hacking tools.
Besides organizations based in the USA, the hackers are also targeting organizations in the following regions:-
Middle East
Africa
The new hacking tools were used to perform the following illicit activities:-
Establish backdoor capabilities
Command and control (C2)
Steal user credentials
Exfiltrate confidential information
Compromised Organizations’ Industries
The compromised organizations belonged to the following industries:-
Education
Real estate
Retail
Non-profit organizations
Telecom companies
Governments
New Set of Hacking Tools
Threat actors deployed tools in the following directories across organizations, using consistent filenames for batch and PowerShell scripts:-
C:\Windows\Temp
C:\Temp
The batch and PowerShell script filenames seen across the victims were:-
c:\windows\temp\crs.ps1
c:\windows\temp\ebat.bat
c:\windows\temp\install.bat
c:\windows\temp\mslb.ps1
c:\windows\temp\pb.ps1
c:\windows\temp\pb1.ps1
c:\windows\temp\pscan.ps1
c:\windows\temp\set_time.bat
c:\windows\temp\usr.ps1
Attackers deployed the following tools and malware; after each session, cleanmgr.exe was run to clean up the environment:-
Ntospy (Used across the affected organizations)
Mimilite (Limited to nonprofit and government-related organizations)
Agent Racoon (Limited to nonprofit and government-related organizations)
To steal credentials, the threat actor used a custom DLL registered as a Network Provider module, a known technique documented since 2004.
Named Ntospy by Unit 42, the malware family hooks into the authentication process and captures user credentials whenever an authentication attempt is made.
The threat actor registers the DLL module as the credman Network Provider using the C:\Windows\Temp\install.bat script, which writes the registry entries with reg.exe.
The DLL path is set to:-
c:\windows\system32\ntoskrnl.dll
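A defender-side audit of Network Provider registrations, as an added example that is not code from Unit 42 or the article: it walks the ProviderOrder list and each provider's ProviderPath, flagging entries outside the allow-list, DLLs outside System32, and DLLs named after Windows executables that have no DLL counterpart (the page's ntoskrnl.dll case). The registry values, the allow-list of default providers and the executable-name set are constructed or assumed here so the audit runs offline; a real deployment would read them from HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order and HKLM\SYSTEM\CurrentControlSet\Services\<name>\NetworkProvider.

```python
"""Audit Network Provider registrations for credential-capturing DLLs (Ntospy-style)."""
import ntpath  # Windows path semantics, usable on any OS

# Assumption: providers a default Windows build registers; extend per environment.
KNOWN_PROVIDERS = {"RDPNP", "LanmanWorkstation", "webclient"}
# Assumption: Windows system executables that ship with no same-named DLL,
# so a <name>.dll registered as a provider is masquerading.
EXE_ONLY_NAMES = {"ntoskrnl", "winlogon", "lsass", "csrss", "smss"}
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample data mirroring the registry layout described above.
SAMPLE_PROVIDER_ORDER = "RDPNP,LanmanWorkstation,webclient,credman"
SAMPLE_PROVIDER_PATHS = {
    "RDPNP": r"%SystemRoot%\System32\drprov.dll",
    "LanmanWorkstation": r"%SystemRoot%\System32\ntlanman.dll",
    "webclient": r"%SystemRoot%\System32\davclnt.dll",
    "credman": r"c:\windows\system32\ntoskrnl.dll",  # the Ntospy path from the report
}


def audit_network_providers(provider_order: str, provider_paths: dict) -> list:
    """Return one finding per suspicious provider: {"provider", "path", "reasons"}."""
    findings = []
    for name in (n.strip() for n in provider_order.split(",") if n.strip()):
        path = provider_paths.get(name)
        reasons = []
        if name not in KNOWN_PROVIDERS:
            reasons.append("provider not in allow-list")
        if path is None:
            reasons.append("listed in ProviderOrder but has no NetworkProvider key")
        else:
            # Normalise case and expand %SystemRoot% so path checks are uniform.
            norm = path.lower().replace("%systemroot%", "c:\\windows")
            if not norm.startswith(SYSTEM32):
                reasons.append("ProviderPath outside System32")
            stem, ext = ntpath.splitext(ntpath.basename(norm))
            if ext == ".dll" and stem in EXE_ONLY_NAMES:
                reasons.append(f"DLL masquerades as system executable {stem}.exe")
        if reasons:
            findings.append({"provider": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_network_providers(SAMPLE_PROVIDER_ORDER, SAMPLE_PROVIDER_PATHS):
        print(f"[!] {f['provider']}: {f['path']} -> {'; '.join(f['reasons'])}")
```

Default providers pass cleanly, so any finding is worth a look even when the DLL sits in System32, as it does here.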
Researchers linked DLL modules to the same malware family based on shared static traits like RichPE header hash and PE sections.
Samples with identical RichPE header hashes were compiled in the same environment. Even those with different build environments exhibit similar behavior but vary in implementation.
Threat actors use a customized Mimikatz tool named Mimilite for credential dumping and data gathering.
The tool decrypts its payload using a command-line argument as a key, verifying integrity with an MD5 hash check before execution.
Dumped credentials are stored in C:\Windows\Temp\KB200812134.txt, disguising the activity as a Microsoft update.
The .NET-based Agent Racoon malware creates a DNS covert channel for C2 communication; Unit 42 researchers named it after references found embedded in the samples.
Agent Racoon provides the following functionality:-
Command execution
File uploading
File downloading
Alongside email data, Unit 42 found Roaming Profile exfiltration. The threat actor compressed the directory using 7-Zip dropped via certutil.exe, splitting the file into 100 MB chunks for exfiltration.
Researchers have not yet attributed this tool set to a specific threat actor or threat group.
The post Hackers Use New Set of Hacking Tools to Attack Organizations in U.S appeared first on Cyber Security News.