Ankura CTIX FLASH Update: September 27, 2022

Malware/ransomware activity

New NullMixer malware campaign spreading via cracked software websites

Kaspersky researchers recently discovered a pop-up campaign that spreads the “NullMixer” malware. NullMixer exfiltrates victims’ credentials, addresses, credit card details, cryptocurrencies, as well as Facebook and Amazon account credentials by capturing all information entered using the device’s keyboard. The researchers highlighted that 47,500 people have currently been targeted with NullMixer and that the malware is distributed via cracked software websites. NullMixer operators were observed using “Professional SEO [search engine optimization] tools” to get their websites to appear in the first results of an online search. It’s common for those who illegally download content to receive adware or other low-end malware, but NullMixer is described as “much more dangerous” because of its ability to download many malicious files at once (such as “downloaders, spyware, backdoors, bankers and other threats”), which can lead to a large-scale infection of a victim network. The infection chain involves the victim attempting to download software from a malicious site and being repeatedly redirected to a page containing a password-protected archived program with detailed instructions. Following the instructions leads victims to download NullMixer, which has the potential to download other infamous malware such as “RedLine Stealer” and “Disbuk” (also known as “Socelar”). Researchers noted that the most targeted countries of this campaign are the United States, Germany, France, Italy, Turkey, Russia, Egypt, India and Brazil. CTIX analysts recommend that all users download legitimate software from trusted websites to help mitigate the risk of threat actors using their machine as an initial access point to their network.
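The behaviour that makes NullMixer dangerous, a single dropper pulling down and launching many payloads at once, is also what makes it visible in endpoint telemetry. The following is an added detection example written for this update, not code from Kaspersky or from the original report: it walks constructed process-creation events and flags any parent process that launches several distinct executables from user-writable directories within a short window. The event format, the directory list, the 60-second window and the threshold of four distinct binaries are all assumptions chosen for the example and should be tuned against real EDR or Sysmon data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry):
# (timestamp, parent pid, parent image, child image)
EVENTS = [
    # A cracked-software "installer" spawning five payloads within 15 seconds.
    ("2022-09-27T10:00:01", 4120, r"C:\Users\alice\Downloads\setup_crack.exe",
     r"C:\Users\alice\AppData\Local\Temp\7z\dl1.exe"),
    ("2022-09-27T10:00:03", 4120, r"C:\Users\alice\Downloads\setup_crack.exe",
     r"C:\Users\alice\AppData\Local\Temp\7z\dl2.exe"),
    ("2022-09-27T10:00:04", 4120, r"C:\Users\alice\Downloads\setup_crack.exe",
     r"C:\Users\alice\AppData\Local\Temp\7z\dl3.exe"),
    ("2022-09-27T10:00:09", 4120, r"C:\Users\alice\Downloads\setup_crack.exe",
     r"C:\Users\alice\AppData\Local\Temp\7z\dl4.exe"),
    ("2022-09-27T10:00:15", 4120, r"C:\Users\alice\Downloads\setup_crack.exe",
     r"C:\Users\alice\AppData\Local\Temp\7z\dl5.exe"),
    # Same binary launched twice: must not count as a second distinct payload.
    ("2022-09-27T10:00:16", 4120, r"C:\Users\alice\Downloads\setup_crack.exe",
     r"C:\Users\alice\AppData\Local\Temp\7z\DL1.EXE"),
    # Benign: the user runs one downloaded installer from Explorer.
    ("2022-09-27T10:05:00", 1000, r"C:\Windows\explorer.exe",
     r"C:\Users\alice\Downloads\vlc-installer.exe"),
    # Benign: a legitimate updater staging one helper every two minutes.
    ("2022-09-27T10:10:00", 5000, r"C:\Program Files\Updater\updater.exe",
     r"C:\Users\alice\AppData\Local\Temp\helper1.exe"),
    ("2022-09-27T10:12:00", 5000, r"C:\Program Files\Updater\updater.exe",
     r"C:\Users\alice\AppData\Local\Temp\helper2.exe"),
    ("2022-09-27T10:14:00", 5000, r"C:\Program Files\Updater\updater.exe",
     r"C:\Users\alice\AppData\Local\Temp\helper3.exe"),
    ("2022-09-27T10:16:00", 5000, r"C:\Program Files\Updater\updater.exe",
     r"C:\Users\alice\AppData\Local\Temp\helper4.exe"),
]

# Assumed set of directories a dropper is likely to write payloads into.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
THRESHOLD = 4                    # assumption: distinct binaries per window to alert on
WINDOW = timedelta(seconds=60)   # assumption: sliding window length


def is_user_writable(path):
    """True if the image path lives under one of the assumed user-writable dirs."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def find_multi_droppers(events, threshold=THRESHOLD, window=WINDOW):
    """Return {(ppid, parent_image): [child images]} for every parent that launched
    at least `threshold` distinct executables from user-writable directories
    inside any `window`-long interval."""
    by_parent = defaultdict(list)
    for ts, ppid, parent, child in events:
        if is_user_writable(child):
            by_parent[(ppid, parent)].append((datetime.fromisoformat(ts), child.lower()))

    hits = {}
    for key, spawns in by_parent.items():
        spawns.sort()
        # Slide the window start over each spawn and count distinct children in it.
        for i, (t0, _) in enumerate(spawns):
            distinct = {child for t, child in spawns[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                hits[key] = sorted(distinct)
                break
    return hits


if __name__ == "__main__":
    for (ppid, parent), children in find_multi_droppers(EVENTS).items():
        print(f"ALERT pid={ppid} {parent} launched {len(children)} payloads:")
        for child in children:
            print("   ", child)
```

Only the cracked-software installer trips the rule: the Explorer launch is a single binary, and the updater's helpers are spaced two minutes apart, so no 60-second window ever holds four of them. Case-folding the child path prevents a re-launched payload from inflating the count.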

Threat actor activity

Threat Profile: Metador

An emerging threat group called Metador has explicitly targeted universities, telecommunications companies and Internet service providers across Africa and the greater Middle East. Named after a code signature in one (1) of its attacks, Metador is believed to be conducting collection operations on behalf of a nation-state, but has still not been attributed to a specific country. Malware attributed to Metador includes “metaMain” and “Mafalda”, which operate solely within the Windows memory space and never write to disk, making them difficult for anti-virus defenses to detect. Additional payloads discovered in the Metador attacks are “CryShell”, a network connection bounce for command and control (C2) communications, and an unnamed Linux malware that routes materials stolen from machines to Mafalda. Although Metador has not been attributed to any country or government entity at this time, indicators reveal that the threat actors are fluent in English and Spanish and refer to British punk music and Argentine political animations. CTIX will continue to monitor activity around the Metador group and other threat organizations worldwide and provide updates accordingly.

Vulnerabilities

Sophos Firewall vulnerable to critical zero-day RCE attack

Security software and hardware provider Sophos has patched a critical zero-day firewall vulnerability that is being actively exploited in the wild, targeting a specific set of organizations in the South Asia region. The flaw, tracked as CVE-2022-3236 (with a CVSS score of 9.8/10), is a code injection vulnerability discovered in the User Portal and Webadmin components of the Sophos Firewall product. If exploited, this flaw could allow malicious attackers to perform arbitrary remote code execution (RCE). Specific technical details about the attacks have not yet been released while Sophos’ post-compromise investigation is ongoing, and a proof-of-concept (PoC) exploit is likely to be released in the coming weeks. This isn’t the first Sophos Firewall vulnerability this year; in March, another Sophos Firewall zero-day flaw tracked as CVE-2022-1040 (also with a CVSS score of 9.8/10) was actively exploited in a “highly targeted” attack campaign. Threat actors were able to exploit CVE-2022-1040, an authentication bypass vulnerability, to perform RCE, allowing them to conduct a man-in-the-middle (MITM) attack to steal sensitive network data. Post-compromise analysis of the March attack attributed the activity to a Chinese state-sponsored threat actor known as “DriftingCloud,” and coincidentally, that threat group was also targeting a specific, unnamed victim in South Asia. This suggests that the two (2) campaigns may be associated with the same actor and/or the same campaign, but this cannot be said with great confidence until the details of the latter vulnerability are made public so that the tactics, techniques and procedures (TTPs) of the two (2) attacks can be compared. Sophos has patched this vulnerability, and customers using the company’s firewall products should ensure they are running the most up-to-date version of the software to avoid the exploit.
In the event that firewalls cannot be updated immediately, Sophos has provided manual mitigation techniques, urging its customers to “Disable WAN access to User Portal and Webadmin following device access best practices and instead, use VPN and/or Sophos Central (preferred) for remote access and management.” CTIX analysts will continue to monitor this vulnerability and an update may be released in future issues.
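Sophos’ interim mitigation is to keep the User Portal and Webadmin off the WAN. A quick way to confirm that has actually happened, and to see whether those components were reached from the Internet before the patch went on, is to audit the firewall’s own access logs for management-interface requests from untrusted sources. The script below is an added example written for this update, not Sophos code or output: the log line format, the mapping of port 4444 plus `/webconsole/` to Webadmin and port 443 plus `/userportal/` to the User Portal, and the trusted (internal) address ranges are all assumptions that would need to match the real deployment.

```python
import ipaddress
import re

# Constructed access-log lines (not real Sophos output; the format is an assumption).
LOG_LINES = [
    "2022-09-27T08:01:12Z src=10.20.0.15 dport=4444 path=/webconsole/webpages/login.jsp status=200",
    "2022-09-27T08:02:44Z src=203.0.113.77 dport=4444 path=/webconsole/webpages/login.jsp status=200",
    "2022-09-27T08:03:01Z src=198.51.100.9 dport=443 path=/userportal/webpages/myaccount/login.jsp status=200",
    "2022-09-27T08:04:30Z src=192.168.1.40 dport=443 path=/userportal/webpages/myaccount/login.jsp status=200",
    "2022-09-27T08:05:02Z src=203.0.113.77 dport=443 path=/ status=404",
    "garbage line that should be skipped, not crash the audit",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)

# Assumed port/path signatures of the two management components named in the advisory.
MGMT_INTERFACES = {
    "webadmin": (4444, "/webconsole/"),
    "userportal": (443, "/userportal/"),
}

# Assumed trusted sources: internal RFC 1918 space plus a constructed VPN client pool.
# Explicit networks are used rather than ip.is_private, which also treats documentation
# ranges such as 203.0.113.0/24 as non-public in recent Python versions.
TRUSTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.10.0/24")
]


def classify_interface(dport, path):
    """Return the management interface a request targets, or None for anything else."""
    for name, (port, prefix) in MGMT_INTERFACES.items():
        if dport == port and path.startswith(prefix):
            return name
    return None


def is_trusted(src):
    """True if the source address falls inside one of the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def find_wan_mgmt_access(lines):
    """Return {source ip: sorted interface names} for every untrusted source that
    reached Webadmin or the User Portal. Unparseable lines are skipped."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        iface = classify_interface(int(m["dport"]), m["path"])
        if iface is None or is_trusted(m["src"]):
            continue
        hits.setdefault(m["src"], set()).add(iface)
    return {src: sorted(names) for src, names in hits.items()}


if __name__ == "__main__":
    findings = find_wan_mgmt_access(LOG_LINES)
    if not findings:
        print("No management-interface access from untrusted sources.")
    for src, names in findings.items():
        print(f"WAN source {src} reached: {', '.join(names)}")
```

An empty result after the WAN rules are removed is the check that the mitigation took effect; a non-empty result over logs from before the patch is the list of sources worth reviewing in the post-compromise investigation. Because the hit on port 443 with a non-portal path is ignored, ordinary published services on the same address do not pollute the output.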


About the Author: Ted Simmons

I follow and report the current news trends on Google news.
