threat actor

AppWizard
February 20, 2025
Multiple Russian threat groups are targeting the Signal Messenger application, focusing on individuals likely to engage in sensitive military and governmental communications during the conflict in Ukraine. Researchers from Google's Threat Intelligence Group have identified these attacks as primarily aimed at individuals of interest to Russian intelligence services. The two main cyber-espionage groups involved are UNC5792 (tracked by Ukraine's CERT as UAC-0195) and UNC4221 (UAC-0185). Their goal is to deceive victims into linking their Signal accounts to devices controlled by the attackers, which grants the attackers access to all incoming messages. UNC5792 uses invitations that resemble legitimate Signal group invites but carry malicious QR codes, while UNC4221 employs a phishing kit that mimics Ukraine's Kropyva app and places harmful QR codes on fake sites. Other Russian and Belarusian groups, including Sandworm (APT44) and Turla, are also targeting Signal Messenger in various ways, such as stealing messages from databases or local storage. Additionally, the Belarus-linked group UNC1151 uses the Robocopy tool to copy Signal message files for later exfiltration. The increased activity against Signal reflects a broader interest in secure messaging apps used by individuals in espionage and intelligence roles. These apps' strong security features make them attractive to at-risk individuals and communities but also high-value targets for adversaries. Russian groups are also targeting Telegram and WhatsApp, with a recent report detailing attacks by the Russian group Star Blizzard on WhatsApp accounts of government officials and diplomats.
Winsage
February 14, 2025
A vulnerability in Microsoft Windows, identified by ClearSky Cyber Security, is being actively exploited by the Chinese APT group Mustang Panda. This low-severity vulnerability affects how Windows handles files extracted from compressed RAR archives, making the extracted files invisible in the Windows Explorer GUI while they remain accessible via command-line tools. Mustang Panda uses this vulnerability to hide malicious files within archives, facilitating stealthy attacks delivered through phishing campaigns. Despite this active exploitation, Microsoft has rated the vulnerability as low-severity, which may indicate limited potential damage on its own. Cybersecurity experts warn that such vulnerabilities can have significant implications when combined with other techniques in larger attack chains.
Winsage
February 13, 2025
Microsoft has reported on a subgroup of the Russian state actor Seashell Blizzard, focusing on the "BadPilot campaign," which has been active since at least 2021. This campaign targets Internet-facing infrastructure to support broader operations, expanding its reach from Eastern Europe to a global scale. The subgroup has successfully infiltrated sensitive sectors like energy, telecommunications, arms manufacturing, and government entities, particularly by exploiting vulnerabilities in software such as ConnectWise ScreenConnect and Fortinet FortiClient EMS since early 2024. Since the conflict in Ukraine began, there has been an increase in targeting of international organizations significant to geopolitical interests, with at least three destructive cyberattacks attributed to this subgroup since 2023. The subgroup employs sophisticated cyber intrusion techniques, adapting its strategies to respond to evolving goals. Seashell Blizzard is linked to Russian Military Intelligence Unit 74455 (GRU) and has been associated with various high-profile cyber incidents since its emergence in 2013. The subgroup's operations have evolved to include targets in the United States, Canada, and the United Kingdom, reflecting a strategic pivot to exploit vulnerabilities across different regions. The subgroup has demonstrated three primary post-exploitation patterns: deploying remote management and monitoring suites for persistence, using tunneling utilities to establish covert access, and modifying infrastructure to collect credentials. Organizations are advised to remain vigilant for indicators of compromise related to Seashell Blizzard's activities.
AppWizard
December 5, 2024
A sophisticated exploit kit named MOONSHINE targets Android messaging applications to implant backdoors on users' devices. The entity behind these attacks, Earth Minotaur, focuses on the Tibetan and Uyghur communities by distributing crafted messages through instant messaging platforms that encourage victims to click malicious links; the links redirect them to servers hosting the MOONSHINE exploit kit, which installs a cross-platform backdoor called DarkNimbus. The upgraded MOONSHINE kit uses pre-configured attack links, browser version verification, multiple Chromium exploits, and a phishing-for-downgrade technique. It can target various Android applications, including WeChat, Facebook, Line, and QQ. The DarkNimbus backdoor has both Android and Windows versions, with features for gathering device information, extracting personal data, and facilitating surveillance. MOONSHINE has been linked to other Chinese operations, including POISON CARP and UNC5221, indicating a shared ecosystem among Chinese threat actors. Users are advised to be cautious with suspicious links and to keep applications updated to mitigate vulnerabilities.
Winsage
December 4, 2024
A proof-of-concept (PoC) exploit has been released for a critical zero-day vulnerability in the Windows Task Scheduler, designated as CVE-2024-49039, which has a high CVSS score of 8.8. This privilege escalation flaw allows attackers to execute arbitrary code on affected systems with potential for zero-click exploitation. The exploitation of this vulnerability has been traced back to the Russia-aligned threat actor RomCom. Between October 10 and November 4, 2024, potential victims were mainly in Europe and North America, with some regions having up to 250 affected targets. The PoC exploit, available on GitHub, targets the WPTaskScheduler.dll component and demonstrates the ability to bypass restricted token sandboxes. Microsoft has released a patch for CVE-2024-49039, modifying the RPC Interface Security in WPTaskScheduler.dll to require at least Medium Integrity for access. Security experts recommend that Windows users and administrators apply the latest updates and adopt defense-in-depth strategies.
Winsage
November 30, 2024
Security researchers have confirmed a cyber attack attributed to the Russian state-sponsored threat group RomCom, exploiting two zero-day vulnerabilities in Mozilla Firefox and Windows operating systems. The vulnerabilities are CVE-2024-9680, a use-after-free memory flaw in Firefox, and CVE-2024-49039, a privilege escalation flaw in Windows. The attack primarily affects users in Europe and North America and allows for the installation of a backdoor on Windows systems without user interaction. RomCom has expanded its focus to include industries such as pharmaceuticals, insurance, and legal sectors in the US and Germany. Mozilla and Microsoft have released patches to address these vulnerabilities, with Mozilla patching Firefox within a day and Microsoft addressing the Windows vulnerability in the latest Patch Tuesday updates. Experts warn that organizations must keep their software updated to mitigate ongoing risks from RomCom attackers.
Winsage
November 28, 2024
The Russian-based RomCom cybercrime group has exploited two zero-day vulnerabilities to target Firefox and Tor Browser users in Europe and North America. The first vulnerability, CVE-2024-9680, is a use-after-free bug in Firefox's animation timeline feature, allowing code execution within the browser's sandbox. Mozilla issued a patch for this on October 9, 2024. The second vulnerability, CVE-2024-49039, is a privilege escalation flaw in the Windows Task Scheduler service, which Microsoft addressed on November 12. RomCom combined these vulnerabilities into a zero-day chain exploit that enables remote code execution without user interaction, requiring victims only to visit a malicious website. The attacks specifically targeted Tor Browser users, particularly versions 12 and 13. ESET estimates the campaign's scale could affect between one and 250 victims per country. RomCom has a history of exploiting zero-day vulnerabilities, including an incident in July 2023 targeting organizations at the NATO Summit. The group is linked to various financially motivated campaigns and is currently targeting organizations in Ukraine, Europe, and North America across multiple sectors.