The Good | Back-to-Back FBI Ops Disrupt Major RAT Infrastructure and GRU Spy Network
The FBI has achieved two victories this week in its battle against malicious activities carried out by state-sponsored hackers and cybercriminals.
The first was the dismantling of a large cybercrime operation built around the Warzone remote access Trojan (RAT). Daniel Meli, a 27-year-old Maltese national connected to the operation, was arrested for his role in distributing the malware. Since its appearance in 2018, Warzone RAT has frequently been used in attacks involving keylogging, reverse proxies, remote shells, UAC bypass, cookie and password theft, and hidden remote desktops.
Warzone RAT's main website, warzone[.]ws, was seized after Meli's arrest, the outcome of international cooperation between the US DoJ and Maltese authorities. Meli is accused of conspiring to commit various computer intrusion offenses, illegally selling and advertising electronic interception devices, and damaging protected computers without authorization. He faces a 15-year prison sentence.
Just days later, the FBI announced the success of Operation Dying Ember, which dismantled a botnet of Ubiquiti EdgeOS routers infected with Moobot malware. According to reports, Russia's Main Intelligence Directorate of the General Staff (GRU), also tracked as APT28 or Fancy Bear, was responsible for the malware.
The GRU's use of pre-existing criminal malware such as Moobot blurs the line between cybercriminal and state-sponsored tradecraft and challenges conventional threat detection. In this instance, the GRU hackers repurposed the existing botnet as a platform for their own custom cyber espionage tooling. FBI agents then turned Moobot against its operators, using it to remove the malware, malicious files, and stolen data, and then blocked the remote access that would have allowed the GRU to reinfect the routers.
The Bad | RansomHouse Attackers Launch New Tool to Automate VMware ESXi Attacks
RansomHouse recently unveiled a new tool, called "MrAgent", that automates deployment of the group's data encrypter across multiple VMware ESXi hypervisors. Active since March 2022, the ransomware-as-a-service (RaaS) operation is known for targeting large enterprises and high-value victims. ESXi servers are a popular target for ransomware groups because they host the virtual machines that frequently hold critical data and business applications.
According to the latest research reports, MrAgent streamlines RansomHouse's attacks on ESXi systems by automating the simultaneous deployment of ransomware across multiple hypervisors. The tool supports custom configurations received from the command-and-control (C2) server, which lets the operators deploy tailored ransomware and execute local commands on the hypervisor. To maximize the impact of a campaign, it targets all reachable virtual machines (VMs) at once while reducing the likelihood of detection.
Threat actors will keep concentrating on automating their tooling so that campaigns run faster and more effectively. This week, for example, SentinelLabs identified threat actors who moved workloads conventionally handled by web servers into the cloud in order to spam phishing links with SNS Sender, a Python script that abuses the AWS Simple Notification Service (SNS).
Automation lets threat actors scale their operations and launch attacks quickly: it saves time and resources, keeps campaigns consistent, and raises the odds of success. By automating repetitive tasks, threat actors can spend more time on sophisticated attack strategies and creative ways to avoid detection.
The Ugly | Water Hydra APT Uses Microsoft Zero-Day to Target Financial Traders
An advanced persistent threat (APT) actor known as Water Hydra (also tracked as DarkCasino) is actively exploiting a zero-day vulnerability (CVE-2024-21412) that circumvents Microsoft Defender SmartScreen. In a report this week, security researchers detailed the threat actor's current tactics for using the flaw to spread the DarkMe malware.
"I discovered a Microsoft Defender SmartScreen 0-day, marked as CVE-2024-21412, being exploited in the wild, according to @MsftSecIntel. A Water Hydra (DarkCasino) campaign aimed at financial traders includes this security bypass. Microsoft #patchtuesday https://t.co/LDVNm0GmEw"
Peter Girnus (@gothburz), 13 February 2024
CVE-2024-21412 revolves around the processing of Internet Shortcut files (.url) and a mechanism called the 'Mark of the Web' (MOTW). Applications that download files from the internet are expected to tag them with the MOTW attribute to record their origin. When such a file is executed, the presence of the MOTW attribute tells Windows Defender SmartScreen to warn the user if the file is potentially malicious or to apply other security measures. Water Hydra attackers discovered that the MOTW attribute is not attached to a file when it is executed through a series of shortlinks, so the file bypasses examination by Windows Defender SmartScreen.
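The paragraph above describes two things a defender can check for directly: whether a downloaded file actually carries the Mark of the Web (on NTFS it lives in the file's `Zone.Identifier` alternate data stream, an INI-style body with a `[ZoneTransfer]` section and a `ZoneId`), and whether an Internet Shortcut's `URL=` target is itself another .url file, i.e. a chain of shortcuts. The script below is an added example written for this post, not code from the original article or from the researchers it cites. It parses both INI-style bodies and reports findings; the `read_from_disk` helper is Windows/NTFS-only and is the only part that touches a real file system. The sample shortcut bodies and the `example.invalid` host are constructed for the example.

```python
"""Audit Windows Internet Shortcut (.url) files for a missing Mark of the Web
and for shortcut chaining (a .url whose target is another .url).

Added example; not part of the original post. Both .url files and the
Zone.Identifier stream are INI-style text, so configparser handles them.
"""
import configparser
from dataclasses import dataclass, field
from typing import List, Optional

# URLZONE values as written to the Zone.Identifier stream.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def _parse_ini(text: str) -> Optional[configparser.ConfigParser]:
    """Parse an INI-style body leniently (no interpolation, duplicates allowed)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= target from the [InternetShortcut] section, or None."""
    cp = _parse_ini(text)
    if cp is None or not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def parse_zone_identifier(text: Optional[str]) -> Optional[int]:
    """Return ZoneId from a Zone.Identifier stream body; None if absent or invalid."""
    if text is None:
        return None
    cp = _parse_ini(text)
    if cp is None or not cp.has_section("ZoneTransfer"):
        return None
    try:
        return cp.getint("ZoneTransfer", "ZoneId", fallback=None)
    except ValueError:
        return None


def is_shortcut_chain(target: str) -> bool:
    """True when the shortcut's target (minus query/fragment) is another .url file."""
    path = target.split("#", 1)[0].split("?", 1)[0].strip().lower()
    return path.endswith(".url")


@dataclass
class Verdict:
    target: Optional[str]
    zone_id: Optional[int]
    findings: List[str] = field(default_factory=list)


def assess_shortcut(shortcut_text: str, zone_identifier_text: Optional[str]) -> Verdict:
    """Combine both checks into a list of findings; an empty list means nothing suspicious."""
    verdict = Verdict(parse_url_shortcut(shortcut_text), parse_zone_identifier(zone_identifier_text))
    if verdict.target is None:
        verdict.findings.append("no [InternetShortcut] URL= target found")
    elif is_shortcut_chain(verdict.target):
        verdict.findings.append("target is another .url file (shortcut chain)")
    if verdict.zone_id is None:
        verdict.findings.append("no Mark of the Web (Zone.Identifier stream missing or unreadable)")
    elif verdict.zone_id in (0, 1, 2):
        # Only Internet/Restricted zones trigger the SmartScreen file check.
        verdict.findings.append(f"origin zone {ZONE_NAMES[verdict.zone_id]} is trusted; SmartScreen will not prompt")
    return verdict


def read_from_disk(path: str) -> Verdict:
    """Windows/NTFS only: open the file and its Zone.Identifier alternate data stream."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        body = fh.read()
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as ads:
            motw = ads.read()
    except OSError:
        motw = None  # stream absent: exactly the condition the bypass relies on
    return assess_shortcut(body, motw)


# Constructed samples (not real artifacts): a benign download with MOTW, and a
# chained shortcut with no MOTW.
BENIGN_SHORTCUT = "[InternetShortcut]\r\nURL=https://example.com/report.pdf\r\n"
BENIGN_MOTW = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.com/\r\n"
CHAINED_SHORTCUT = "[InternetShortcut]\r\nURL=https://example.invalid/next.url\r\n"

if __name__ == "__main__":
    for label, body, motw in (("benign", BENIGN_SHORTCUT, BENIGN_MOTW), ("chained", CHAINED_SHORTCUT, None)):
        v = assess_shortcut(body, motw)
        print(f"{label}: target={v.target} zone={v.zone_id} findings={v.findings}")
```

Run against a directory of downloads, `read_from_disk` gives a quick triage signal: any .url file with no Zone.Identifier stream, or one whose target is yet another shortcut, deserves a closer look before anyone double-clicks it.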
The campaign currently uses Telegram channels and forex trading forums to distribute the malicious internet shortcut files to financial market traders. Using social engineering, Water Hydra tricks victims into running the malware, which opens the door to further exploitation and data exfiltration. After the implant registers with a command-and-control (C2) server, the attackers deliver the Visual Basic trojan DarkMe, which downloads and executes further instructions. Through DarkMe, Water Hydra operators can list folder contents, execute shell commands, and create and delete folders.
In a previous campaign, Water Hydra exploited another high-severity vulnerability (CVSS score: 7.8) in the WinRAR software to install malware and breach online cryptocurrency trading accounts.
These campaigns highlight Water Hydra's skill at finding and exploiting zero-day vulnerabilities, and they show that threat actors continue to target the tight coupling between security software and the OS vendor's platform.