Ransomware/Malware Activity
Threat Actors Use Latrodectus Malware in Phishing Campaign
The malware known as Latrodectus, emerging in email phishing campaigns since late November 2023, represents a sophisticated evolution in the cyber threat landscape, closely related to the previously identified IcedID loader. Discovered and analyzed by researchers from Proofpoint and Team Cymru, Latrodectus exhibits advanced sandbox evasion capabilities and is designed to download and execute arbitrary commands, marking it as a dynamic and formidable downloader. It appears to be the brainchild of the same threat actors behind IcedID, aimed at facilitating the deployment of additional malware through initial access brokers, notably TA577 and TA578. These campaigns cleverly leverage spoofed legal threat communications to distribute a JavaScript file, which subsequently deploys the Latrodectus payload. This malware verifies its operating environment by checking for a valid MAC address and a sufficient number of running processes, ensuring stealth operation. Beyond its technical prowess, Latrodectus's infrastructure shows clear operational ties to IcedID, including shared backend infrastructure and methodologies, suggesting a strategic evolution by these threat actors to maintain their nefarious activities. The emergence of Latrodectus signifies a notable shift in the cybercriminal toolkit, potentially increasing the threat level for organizations worldwide, especially those previously targeted by IcedID-related campaigns.
Threat Actor Activity
New Phishing Campaign Targets Latin America with Advanced Evasion Techniques
Threat actors have been observed conducting a sophisticated phishing campaign aimed at the Latin American region, specifically targeting Windows systems with malicious payloads. The campaign begins with phishing emails containing ZIP files that, upon extraction, reveal HTML files directing users to download disguised malicious invoices. These emails appear to originate from a domain employing "temporary[.]link" and are tailored to evade detection by behaving differently based on the recipient's IP address' geolocation, particularly targeting users in Mexico. The malware involved in this campaign is complex, designed to gather system information, check for antivirus defenses, and deploy additional malicious files from Dropbox. This operation bears resemblance to the tactics used in past Horabot malware campaigns, which also focused on Spanish-speaking users in Latin America. In addition to this phishing scheme, cybersecurity researchers have also uncovered a malvertising campaign exploiting Microsoft Bing users with counterfeit NordVPN ads leading to the download of a remote access trojan called SectopRAT, as well as a fake Java Access Bridge installer that deploys a cryptocurrency miner. Furthermore, a Golang-based malware has been discovered in recent campaigns, showcasing advanced evasion techniques such as geolocation checks and installing a root certificate for secure communication with its command-and-control (C2) server. These incidents underscore the evolving sophistication of cyber threats and the need for vigilance among users and cybersecurity professionals alike, especially in the context of region-specific targeting and the exploitation of popular software and services.
Vulnerabilities
Critical Vulnerability in Magento eCommerce Websites Actively Exploited
UPDATE: Cybersecurity researchers have identified a novel exploit targeting Magento websites, utilizing a critical vulnerability. Magento is a platform with built-in PHP, which helps users to create eCommerce websites. Adobe characterized this vulnerability, tracked as CVE-2024-20720 (CVSS score of 9.1/10), as an improper neutralization of special elements issue, which could lead to arbitrary code execution if exploited. The flaw was patched in updates issued on February 13, 2024. The exploit involves a sophisticated attack where a malicious layout template inserted into the database automatically injects code, enabling attackers to execute system commands via the Magento layout parser and the beberlei/assert package. This method triggers when the checkout cart page is accessed, deploying a backdoor for code execution and installing a Stripe payment skimmer to steal financial data. The discovery coincides with the Russian government charging six individuals for deploying skimmer malware to pilfer credit card details from international e-commerce platforms since late 2017, leading to the illegal acquisition and sale of information from nearly 160,000 payment cards. CTIX analysts recommend that all Magento users ensure they have installed the latest update to prevent future exploitation.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
