Ankura CTIX FLASH Update - July 2, 2024

Ransomware/Malware Activity

New Threat Actor Releases Malware Cluster Bombs 

Researchers at Outpost24's KrakenLabs have concluded that several recent reports and articles describing a novel infection technique that distributes multiple malware families at once are most likely the work of a single threat actor, which they track as "Unfurling Hemlock". Characteristics linking the attacks include the use of cabinet files for malware distribution, a file named "WEXTRACT.EXE     .MUI" (the unusual whitespace is part of the observed name), and a common autonomous system tied to hosting services frequently used by Eastern European cybercriminals. The researchers call the infection method a "malware cluster bomb": the initial compressed file unfurls into multiple payloads through a nesting pattern up to seven nodes deep, with each layer dropping further archives or executables. Payloads delivered by a single infection can include Redline, Mystic Stealer, RisePro, Amadey, and SmokeLoader. KrakenLabs found at least 50,000 samples sharing the campaign's characteristics, sourced from attacks around the world. Based on VirusTotal submissions, the United States is the most commonly targeted country, accounting for roughly half of uploaded samples. For defenders, the technique's aggressiveness is its weakness: dropping several well-known commodity families at once is noisy, and next-generation antivirus and EDR tooling should detect this activity readily. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.

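The nesting pattern described above is something a triage pipeline can measure directly. The following is an added example, not code from Outpost24 or from the campaign itself: it builds a constructed nested-archive sample in memory, walks it recursively, and flags it when the nesting depth or the number of distinct executable payloads exceeds what a legitimate installer would normally need. Unfurling Hemlock used cabinet files and a self-extracting executable; Python's standard library has no CAB reader, so ZIP stands in for CAB here, and the depth thresholds, file names and payload bytes are assumptions for illustration.

```python
"""Heuristic triage of a nested-archive "cluster bomb" sample (added example).

ZIP stands in for the cabinet files used in the real campaign; the
nesting and fan-out logic is the same for any container format you can open.
"""
import io
import zipfile

MAX_LAYERS = 16          # hard stop so a decompression bomb cannot recurse forever
SUSPICIOUS_DEPTH = 3     # assumed threshold: more layers than a normal installer needs
SUSPICIOUS_PAYLOADS = 2  # assumed threshold: more distinct executables than expected
EXEC_SUFFIXES = (".exe", ".dll", ".scr")


def build_nested_sample(payloads, layers):
    """Constructed test input: `payloads` [(name, bytes)] sit inside `layers`
    nested archives. Stands in for a captured cluster-bomb sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in payloads:
            z.writestr(name, data)
    blob = buf.getvalue()
    for level in range(1, layers):
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as z:
            z.writestr(f"stage{level}.zip", blob)
        blob = outer.getvalue()
    return blob


def unfurl(blob, depth=1):
    """Recursively walk nested archives.

    Returns (max_depth, leaves) where leaves is a list of (depth, member_name)
    for every non-archive member found at any nesting level."""
    if depth > MAX_LAYERS:
        raise ValueError(f"nesting deeper than {MAX_LAYERS} layers; treating as hostile")
    leaves = []
    max_depth = depth
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info)
            if zipfile.is_zipfile(io.BytesIO(data)):
                inner_depth, inner_leaves = unfurl(data, depth + 1)
                max_depth = max(max_depth, inner_depth)
                leaves.extend(inner_leaves)
            else:
                leaves.append((depth, info.filename))
    return max_depth, leaves


def assess(blob):
    """Summarise a sample: nesting depth, distinct executable payloads, verdict."""
    max_depth, leaves = unfurl(blob)
    executables = sorted({name for _, name in leaves
                          if name.lower().endswith(EXEC_SUFFIXES)})
    flagged = max_depth > SUSPICIOUS_DEPTH or len(executables) > SUSPICIOUS_PAYLOADS
    return {"max_depth": max_depth, "executables": executables, "flagged": flagged}


if __name__ == "__main__":
    # Constructed payload names echoing the families named in the report;
    # the bytes are placeholders, not malware.
    families = [("redline.exe", b"MZ-redline"), ("mystic.exe", b"MZ-mystic"),
                ("risepro.exe", b"MZ-risepro"), ("amadey.exe", b"MZ-amadey"),
                ("smokeloader.exe", b"MZ-smoke")]
    sample = build_nested_sample(families, layers=7)
    print(assess(sample))
```

The `MAX_LAYERS` guard matters in practice: a recursive unpacker without a depth limit is itself a denial-of-service target for zip-bomb style samples, so the walker refuses to continue rather than unpacking indefinitely.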

Threat Actor Activity

North Korean "Kimsuky" Hacking Group Behind Fake Google Translate Malware Campaign

The North Korean threat actor known as Kimsuky has been linked to a new malicious Google Chrome extension named "TRANSLATEXT", designed to steal sensitive information including email addresses, usernames, passwords, cookies, and browser screenshots. The activity, observed by Zscaler ThreatLabz in early March 2024, targets South Korean academia, particularly researchers focused on North Korean political affairs. Kimsuky, active since at least 2012, is known for both cyber espionage and financially motivated attacks; recent campaigns have exploited a security flaw in Microsoft Office and used job-themed lures to drop espionage tools. This attack begins with a ZIP archive containing a Hangul Word Processor document and an executable, which leads to the retrieval of a PowerShell script and the exfiltration of data. TRANSLATEXT, disguised as Google Translate, bypasses security measures, captures sensitive data, and communicates with a Blogger Blogspot URL to receive further commands. Kimsuky's aim is to gather intelligence on academic and government personnel. CTIX analysts will continue to monitor the activity of both financially motivated and state-sponsored threat actors.


Vulnerabilities

New regreSSHion Flaw Leaves Certain Linux Systems Vulnerable to RCE Attacks

OpenSSH maintainers have released security updates to patch a critical vulnerability dubbed "regreSSHion", which allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems. Discovered by Qualys researchers and tracked as CVE-2024-6387, the flaw is a signal handler race condition in the sshd server: if a client does not authenticate within LoginGraceTime (120 seconds by default), sshd's SIGALRM handler runs asynchronously and calls functions, including syslog(), that are not async-signal-safe, and an attacker who wins the race can turn this into arbitrary code execution. The bug is a regression of the previously fixed CVE-2006-5051. OpenSSH versions 8.5p1 through 9.7p1 are affected, as are versions earlier than 4.4p1 unless they were already patched for CVE-2006-5051 and CVE-2008-4109; versions 4.4p1 through 8.4p1 are not affected. Qualys identified over 14 million potentially exposed instances, of which approximately 700,000 Internet-facing instances were assessed as vulnerable. Exploitation is difficult: winning the race took Qualys roughly six (6) to eight (8) hours of continuous connection attempts on a 32-bit system, and 64-bit targets are expected to be harder, although AI-assisted tooling could improve success rates. Successful exploitation may lead to full system takeover, malware installation, data manipulation, and the creation of backdoors. Mitigations include updating to OpenSSH 9.8p1, restricting SSH access with network controls and segmentation, and, where patching must wait, setting LoginGraceTime to 0 in sshd_config, which removes the RCE path at the cost of leaving sshd exposed to connection exhaustion (denial of service). The flaw does not affect OpenBSD, whose signal handler uses the async-signal-safe syslog_r(); its potential effects on macOS and Windows require further analysis. CTIX analysts recommend that all administrators responsible for glibc-based Linux systems ensure their instances are patched, or that mitigations have been implemented, to harden security and prevent successful exploitation.

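The version ranges above are precise enough to drive fleet triage. The following is an added example, not code from Qualys or the OpenSSH project: it parses the OpenSSH version from an SSH banner (or the output of `sshd -V`), classifies it against the affected ranges, and takes the effective LoginGraceTime into account so that hosts mitigated with `LoginGraceTime 0` are reported separately. The banners are constructed, not collected from real hosts. One caveat the code encodes: distribution packages backport fixes without bumping the upstream version string, so a vendor suffix in the banner means "confirm against the vendor advisory", not "vulnerable".

```python
"""Version-based triage for CVE-2024-6387 (added example).

Ranges follow the Qualys advisory: OpenSSH earlier than 4.4p1 (unless already
patched for CVE-2006-5051 / CVE-2008-4109) and 8.5p1 through 9.7p1 are affected;
4.4p1 through 8.4p1 and 9.8p1 or later are not.
"""
import re

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

FIRST_SAFE_OLD = (4, 4, 1)   # fix for CVE-2006-5051 landed in 4.4p1
REGRESSION_FROM = (8, 5, 0)  # regression introduced in 8.5p1
FIXED_IN = (9, 8, 0)         # 9.8p1 carries the fix


def parse_openssh_version(banner):
    """Extract (major, minor, portable_patch) from an SSH banner or `sshd -V` line.

    Returns None if the banner is not OpenSSH. A missing 'pN' suffix is treated as p0."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def version_in_affected_range(version):
    """True when the upstream version falls in a range Qualys lists as affected."""
    return version < FIRST_SAFE_OLD or REGRESSION_FROM <= version < FIXED_IN


def assess_host(banner, login_grace_time=120):
    """Triage one host from its banner and effective LoginGraceTime in seconds
    (as printed by `sshd -T`). 'status' is one of 'not-openssh', 'not-affected',
    'mitigated' or 'likely-vulnerable'."""
    version = parse_openssh_version(banner)
    if version is None:
        return {"banner": banner, "status": "not-openssh"}
    affected = version_in_affected_range(version)
    # Anything after the version token (e.g. "Ubuntu-3ubuntu13.3") is a vendor
    # build; vendors backport fixes without changing the upstream version.
    vendor_suffix = bool(re.search(r"OpenSSH_\S+\s+\S", banner))
    if not affected:
        status = "not-affected"
    elif login_grace_time == 0:
        # LoginGraceTime 0 removes the RCE path; sshd remains exposed to
        # connection exhaustion, so this is a stopgap, not a fix.
        status = "mitigated"
    else:
        status = "likely-vulnerable"
    return {"banner": banner, "version": version, "status": status,
            "verify_with_vendor": affected and vendor_suffix}


if __name__ == "__main__":
    # Constructed banners; not collected from real hosts.
    for banner, grace in [("SSH-2.0-OpenSSH_9.7p1", 120),
                          ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3", 120),
                          ("SSH-2.0-OpenSSH_9.7p1", 0),
                          ("SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3", 120),
                          ("SSH-2.0-OpenSSH_9.8p1", 120),
                          ("SSH-2.0-dropbear_2022.83", 120)]:
        print(assess_host(banner, grace))
```

On a host you administer, `sshd -T | grep -i logingracetime` gives the effective value to pass as `login_grace_time`; a banner alone cannot tell you whether the mitigation is in place.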

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC, its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
