Dr. Bilyana Lilly sits down with Dave to discuss her co-authored paper for CyCon: “Business @ War: The IT Companies Helping to Defend Ukraine.” This week, Ben’s story follows the U.S. government declassifying a report on buying troves of data about United States citizens. Dave’s story is on how and why deepfakes are entering into U.S. politics. Read More
MDR: Empowering Organizations with Enhanced Security
Managed Detection and Response (MDR) has emerged as a crucial solution for organizations looking to bolster their security measures. MDR allows businesses to outsource the management of Endpoint Detection and Response (EDR) products deployed across their network domain. With real-time threat-hunting capabilities, MDR services detect and mitigate malicious activities on individual endpoints while Read More
The Hacker News | #1 Trusted Cybersecurity News Site
DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe
A “simplified Chinese-speaking actor” has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation.
The black hat SEO cluster has been codenamed DragonRank by Cisco Talos, with victimology footprint scattered across Thailand, India, Korea, Belgium, the Netherlands, and China.
” Read More
USB Malware Chained with Text Strings on Legitimate Websites Attacks Users
[[{“value”:”
Despite the evolution of several tools and tactics, threat actors still go with the traditional approach to attack victims for malicious purposes. One such threat actor is UNC4990, which uses USB devices to exploit victims. UNC4990 is a financially motivated threat actor and has been conducting campaigns since 2020.
There has been a continuous evolution of this threat actor’s activities. With that being said, the recent tactics involved the use of popular and legitimate websites such as GitHub, GitLab, Ars Technica and Vimeo.
In addition, the threat actor has been using EMPTYSPACE downloader and QUIETBOARD backdoor. EMPTYSPACE is capable of executing any payload served from the command and control servers, and QUIETBOARD is also delivered using EMPTYSPACE.
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .
USB Malware Chained with Text Strings
Initial Vector
According to the reports shared with Cyber Security News, the threat actor begins the infection chain by delivering the USB drives to the victims by any means of social engineering. Once the victim connects the USB to their device, the USB removable device is shown with a shortcut (.LNK extension) under the vendor name.
Infection Chain | Source : Mandiant
When the victims open this malicious LNK shortcut file, it executes a PowerShell script (explorer.ps1), which contains the following command.
“C:WINDOWSSystem32WindowsPowerShellv1.0powershell.exe -windowstyle has hidden -NoProfile -nologo -ExecutionPolicy ByPass -File explorer.ps1”
The explorer.ps1 is an encoded PowerShell script that checks for specific conditions and fetches the Runtime Broker.exe, which is the EMPTY SPACE downloader.
Timeline
From the beginning of 2023, the threat actor replaced GitHub with Vimeo, a video-sharing website. A video was added to Vimeo in which the description had the hard-coded payload. However, this video was removed now. Additionally, the Vimeo URL was also embedded inside the explorer.ps1 script.
In mid of December 2023, it was discovered that the threat actor had been using Ars Technica by using an image embedded with the payload. As a backup, the threat actor had also updated the EMPTY SPACE serving URL, which had an additional string.
Furthermore, there have been several versions of EMPTYSPACE loader used by the threat actor, such as the Node JS version, .NET version, and Python version alongside QUIETBOARD.
This Python-based backdoor can execute arbitrary code, cryptocurrency theft, USB drive infection, screenshotting, information gathering, and C2 communications.