New Stealer-as-a-Ransomware Delivered Through Fake Updates

SugarGh0st RAT Attacking Organizations & Individuals in AI Research

The cybersecurity company Proofpoint has found a new operation using the SugarGh0st Remote Access Trojan (RAT) that is going after AI research organizations in the United States.

The operation, linked to a threat cluster known as UNK_SweetSpecter, went after businesses, universities, and government agencies.

Attack Method: Emails with AI-themed bait

UNK_SweetSpecter’s campaign in May 2024 used a free email account to send emails with AI-themed traps to people who might be victims. These emails had a zip archive file to get people to open it.

The zip file dropped an LNK shortcut file that used a JavaScript dropper as soon as it was launched.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

This dropper is then put in the SugarGh0st RAT code.

The attack chain was very similar to a method that Cisco Talos had already reported.

It included a fake document, an ActiveX tool for sideloading, and a base64-encrypted binary file.

The JavaScript dropper was put in a library that later let JavaScript run a multi-stage shellcode, which was what released the SugarGh0st payload.

This payload was meant for data exfiltration, command and control (C2) heartbeat protocol, and keylogging.

Lure email

Analysis of Networks and Attribution

Proofpoint’s study of the network showed that UNK_SweetSpecter had moved its C2 communications to new domains, such as accounts. gommask[.]online, which shared hosting with domains that had already been reported.

It looks like AS142032 is where the infrastructure for these activities is located.

Cisco Talos’s first look at SugarGh0st RAT suggested that it was used by threat actors who spoke Chinese.

Proofpoint’s study of earlier UNK_SweetSpecter campaigns proved these mistakes in the language.

Proofpoint isn’t sure the campaigns were directed at a specific state goal.

Still, the fact that they were very specific and focused on AI experts suggests that the government might have been trying to get private information about generative AI.

A recent Reuters story said that the U.S. government is stepping up its efforts to prevent China from using generative AI.

This campaign is happening simultaneously, which makes it more likely that cybercriminals with ties to China will target people who have access to AI technologies to help them reach their growth goals.

Why it’s important

Enterprise defenders must monitor specific threat actors, which is difficult but necessary.

This campaign shows how important it is to set baselines to detect malicious behavior, even if the threat isn’t currently part of an organization’s threat model.

The fact that common tools are used as the first step in highly targeted spearphishing campaigns shows how important it is to be careful and have strong cybersecurity means in place.

The Yahoo! Paranoids Advanced Cyber Threats Team and Proofpoint’s collaboration was very helpful in locating this operation.

As cyber threats change, partnerships like these and thorough threat research will continue to be essential for protecting against complex attacks.

Indicators of compromise 

Indicator Description First Observed da749785033087ca5d47ee65aef2818d4ed81ef217bfd4bc07be2d0bf105b1bf SHA256 
some problems.zip 2024-05-08 71f5ce42714289658200739ce0bbe439f6ef6fe77a5f6757b1cf21200fc59af7 SHA256 
some problems.lnk 2024-05-08 fc779f02a40948568321d7f11b5432676e2be65f037acfed344b36cc3dac16fc SHA2256 
~235232302.js 2024-05-08 4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379 SHA256 
libeay32.dll 2022-02-18 feae7b2b79c533a522343ac9e1aa7f8a2cdf38691fbd333537cb15dd2ee9397e SHA256 
some_problems.docx 2024-05-08 account.gommask[.]online SugarGh0st RAT C2 Domain 2024-05-08 43.242.203[.]115 SugarGh0st RAT C2 IP 2024-05-08 

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

The post SugarGh0st RAT Attacking Organizations & Individuals in AI Research appeared first on Cyber Security News.

 Read More 

American Express warns customers about third party data breach

[[{“value”:”

American Express has sent affected customers a warning that “a third party service provider engaged by numerous merchants experienced unauthorized access to its system.”

In a subsequent update, American Express explained that it was not a service provider, but a merchant processor that suffered the breach.

The account information of some card holders may have fallen into the wrong hands. The accessed information includes account numbers, names, and card expiration dates.

Further details about which merchant processor was involved and how, are not available at the time of writing.

American Express said it notified the required regulatory authorities and is alerting impacted customers. The company also told BleepingComputer that if a card member’s credit card is used to make fraudulent purchases, customers won’t be responsible for the charges.

American Express is advising customers to carefully review their account for fraudulent activity. Below are some steps you can take to protect your account.

Login to your account at americanexpress.com/MYCA to review your account statements carefully and remain vigilant in doing so, especially over the next 12 to 24 months.

If your card is active, sign up to receive instant notifications of potential suspicious activity by enabling Notifications in the American Express Mobile app, or signing up for email or text messaging at americanexpress.com/accountalerts.

Make sure American Express has your correct mobile phone number and email address so the company can contact you if needed.

If you receive an email relating to American Express that you believe could be fraudulent, immediately forward it to UKemailfraud@americanexpress.com. Do not include your account number in the email.

Beware of scammers

Scammers are always on the lookout for data breaches as it presents an opportunity for phishing. There are a few tips to keep in mind.

American Express will never ask for sensitive account details by email or phone.

Do not install software when asked out of the blue, especially if it reaches you as an email attachment.

Scammers will always invoke a feeling of urgency. Don’t let scammers rush you into making wrong decisions.

Keep your anti-malware software and security patches up-to-date to prevent fraudsters accessing your details via your computer.

If you’re an Android user, be wary of screen overlays on your devices that could capture entered information while you think you are in the actual app. Screen overlays are hard to recognize but on Android you can check Settings > Apps & notifications > Special access > Draw over other apps. (Note that the path may be slightly different depending on your Android version and the phone vendor.) Once there you can review all apps that have the option to “draw over” other apps and see whether or not they have the permission to do so.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.

Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.

Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.

Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.

Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Digital Footprint scan

If you want to find out how much of your own data is currently exposed online, you can try our free Digital Footprint scan. Fill in your email address (it’s best to submit the one you most frequently use) and we’ll send you a report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

“}]]   Read More 

Malwarebytes 

GitHub Warns that Lazarus Hacker Group Targeting Developers User Account

A North Korea based threat actor targeting personal accounts of technology firms through low-profile social engineering attempts.

This campaign utilizes a combination of repository invitations and a malicious npm package to target the victim’s accounts associated with blockchain, cryptocurrency, or online gambling sectors.

According to the latest article by Github, this campaign actor is linked up with a group likely known as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). 

GitHub confirmed that no GitHub accounts or npm systems accounts were compromised in this campaign. 

Lazarus Group Attack Process

Initially, the threat actor impersonates a developer or recruiter by creating professional profiles on Github and some other social media websites.

They utilize both personal accounts as well as compromised accounts by jade sleet to contact the victims.

The actor may initiate contact on one platform and then switch the conversation to another platform.

Once connected with a target, the threat actor invites the target to collaborate on a GitHub repository and manipulates the target to clone and execute its contents. 

In some cases, the actor may send the malicious software straight through a messaging or file-sharing service, skipping the step of inviting people to the repository and cloning it.

The software in the GitHub source has malicious npm dependencies. Some of the software used by the threat actor are media players and tools for selling cryptocurrencies.

These malicious npm packages download second-stage malware on the victim’s computer. 

The threat actor usually doesn’t post their malicious packages until they send a fake repository invitation. 

Github has suspended npm and GitHub accounts associated with the campaign and shared IOC details on their blog.

The best practice to avoid this campaign is to be cautious of social media solicitations to collaborate on or install npm packages or software that depends on them.

Stay up-to-date with the latest Cyber Security News; follow us on GoogleNews, Linkedin, Twitter, and Facebook.

The post GitHub Warns that Lazarus Hacker Group Targeting Developers User Account appeared first on Cyber Security News.

   Read More 

Cyber Security News