Ankura CTIX FLASH Update - October 4, 2024

Ransomware/Malware Activity

 

Nefarious Job Applicants Trick HR Professionals into Downloading More_eggs Malware

Researchers at Trend Micro have recently reported on a malware campaign targeting HR professionals with the “more_eggs” malware. More_eggs is a backdoor sold as Malware-as-a-Service (MaaS) and attributed to the Golden Chickens (aka Venom Spider) threat group. More_eggs is capable of stealing credentials, delivering additional payloads, and establishing command-and-control (C2) with the attacker. Researchers at eSentire also reported on a similar campaign in June 2024 that delivered more_eggs malware to recruiters via fake job applications. Since more_eggs is available for purchase by cybercriminals, multiple different groups could be behind these recent campaigns. The attack reported by Trend Micro begins with a spear-phishing email to a recruiter from a fake job-seeker purportedly interested in an inside sales engineer role. This led the recruiter to click on a URL named after the bogus candidate, which opened a professional-looking personal website with another link to “Download CV”. The download includes a LNK file and a JPEG file. The LNK file contains obfuscated commands which in turn execute a malicious DLL that drops the more_eggs malware onto the victim device. Submissions of similar LNK files to VirusTotal suggest that this is an ongoing campaign with two variations. The first variation includes LNK files typically named after a screenshot or document, uses string substitution for obfuscation, and includes additional PowerShell or Visual Basic scripts in the attack chain. The second variation includes LNK files typically named after a person, utilizes variable substitution for obfuscation, and does not use additional scripts in the infection chain. CTIX analysts recommend that recruiters use caution when downloading files from personal websites and consider compressed files or files with unexpected extensions to be particularly suspicious. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
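As an added defender-side example (not code from the Trend Micro report or from the CTIX authors), the check below triages a downloaded "CV" archive along the lines of the advice above: it recognises Windows shortcuts by their header bytes rather than by extension, and flags the decoy pairing of a shortcut named after a sibling image, document or person. The archive contents and file names are constructed.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Shell Link (.lnk) header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its little-endian on-disk form.
LNK_MAGIC = bytes.fromhex("4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46")
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx"}


def triage_cv_archive(data: bytes) -> list[tuple[str, str]]:
    """Return (entry, reason) findings for a downloaded 'CV' archive; shortcuts
    are recognised by header bytes, so a renamed .lnk is still caught."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        by_stem: dict[str, list[str]] = {}
        for n in names:
            by_stem.setdefault(PurePosixPath(n).stem.lower(), []).append(n)
        for name in names:
            with zf.open(name) as fh:
                if fh.read(len(LNK_MAGIC)) != LNK_MAGIC:
                    continue
            path = PurePosixPath(name)
            findings.append((name, "Windows shortcut (LNK) inside a CV download"))
            if path.suffix.lower() != ".lnk":
                findings.append((name, "LNK content behind a non-.lnk extension"))
            # "Resume.pdf.lnk" is shown as "Resume.pdf": Explorer hides .lnk
            if len(path.suffixes) > 1:
                findings.append((name, "double extension hides .lnk from the user"))
            # Decoy pattern from the campaign: shortcut named after a sibling
            # image/document, or after the fake applicant next to a JPEG
            for sib in by_stem[path.stem.lower()]:
                if sib != name and PurePosixPath(sib).suffix.lower() in DECOY_EXTS:
                    findings.append((name, f"paired with decoy {sib}"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for the 'Download CV' bundle: a decoy JPEG and a
    shortcut named after the fake applicant. Not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("John_Doe.jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        zf.writestr("John_Doe.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("cover_letter.pdf", b"%PDF-1.4\n")
    return buf.getvalue()
```

Running `triage_cv_archive(build_sample_archive())` reports the shortcut and its JPEG decoy; the same check applied at a mail or download gateway catches the variation that renames the shortcut after a screenshot or document.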

 

Threat Actor Activity

 

International Efforts Lead to Further Sanctions Against Evil Corp Members and LockBit Affiliates

Recent international efforts against the notorious Evil Corp cybercrime syndicate and its affiliates have intensified, resulting in multiple arrests, new sanctions, and the exposure of key figures involved in ransomware attacks. The U.S. Department of Justice unsealed an indictment against Aleksandr Ryzhenkov, a key member of Evil Corp and an identified LockBit affiliate, for deploying BitPaymer ransomware against U.S. companies since 2017. Ryzhenkov, along with other individuals, has been sanctioned by the U.S. Treasury's Office of Foreign Assets Control (OFAC), prohibiting transactions with them and freezing their assets. These sanctions extend to entities associated with Evil Corp, such as Vympel-Assistance LLC and Solar-Invest LLC, owned by Eduard Benderskiy, a former Russian intelligence officer linked to the group. Evil Corp, known for its creation of the Dridex banking Trojan and various ransomware strains, has been active for over a decade, targeting financial institutions globally. Despite previous sanctions in 2019, the group adapted its tactics, using ransomware variants like DoppelPaymer and WastedLocker to evade detection. The group's deep ties to Russian intelligence, facilitated by figures like Benderskiy, have provided it with protection from Russian authorities. This week's actions also include the arrest of a suspected LockBit developer in France, two (2) alleged money launderers in the U.K., and a bulletproof hosting service administrator in Spain. These moves are part of Operation Cronos, which aims to dismantle the infrastructure supporting ransomware operations. The coordinated international response involving the United States, United Kingdom, and Australia underscores the ongoing commitment to disrupt the activities of cybercriminal groups. By targeting the individuals and infrastructure behind these operations, authorities hope to mitigate the impact of ransomware on critical infrastructure and protect citizens from cyber threats.

 

Vulnerabilities

 

CISA Warns that Critical Ivanti Endpoint Manager Vulnerability Is Under Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a critical vulnerability in Ivanti’s Endpoint Manager (EPM), tracked as CVE-2024-29824, which is being actively exploited by malicious threat actors to conduct remote code execution (RCE). This flaw, with a CVSS score of 9.6/10, is an SQL injection vulnerability in the EPM Core server that allows unauthenticated attackers within the same network to execute arbitrary code on unpatched systems; it stems from how SQL queries are handled in a function called "RecordGoodApp()" within the "PatchBiz.dll" file. Ivanti released a patch in May 2024, but recent reports indicate that attackers are leveraging the vulnerability through "xp_cmdshell" commands. Horizon3.ai published a proof-of-concept (PoC) exploit in June, and Ivanti has since confirmed that a limited number of customers have been impacted. As a result, CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all Federal Civilian Executive Branch (FCEB) agencies patch no later than October 23, 2024. This is the fourth Ivanti vulnerability exploited within a month, highlighting the increasing threat landscape. Given Ivanti’s widespread use across over 40,000 companies globally, organizations are urged to prioritize patching to safeguard their systems from ongoing attacks. CTIX analysts recommend that any affected users ensure their Ivanti EPM is running the most recent patch.
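As an added example that is not part of the original bulletin or of any Ivanti or Microsoft material, the Python below runs a simple detection over constructed SQL Server statement-audit records from the EPM database, separating statements that enable xp_cmdshell, execute it, or merely reference it. The record format and the login and application names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of statement-level SQL Server audit records in a simplified
# "timestamp|login|application|statement" form; not real Ivanti or Microsoft output.
# The login/application names are assumptions for the EPM Core service context.
SAMPLE_AUDIT = """\
2024-10-03T11:02:14Z|svc_epm|epm-core|SELECT app_id, name FROM apps WHERE app_id = 4412
2024-10-03T11:02:15Z|svc_epm|epm-core|UPDATE apps SET last_seen = GETDATE() WHERE app_id = 4412
2024-10-03T11:02:16Z|svc_epm|epm-core|EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE
2024-10-03T11:02:17Z|svc_epm|epm-core|EXEC /* split */ master..xp_cmdshell 'whoami'
2024-10-03T11:05:01Z|dba|ssms|SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'
"""

SQL_COMMENT = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
XP_CMDSHELL = re.compile(r"\bxp_cmdshell\b", re.I)
CONFIGURE = re.compile(r"\bsp_configure\b", re.I)
EXECUTE = re.compile(r"\b(?:exec|execute)\b", re.I)


@dataclass
class Alert:
    when: str
    login: str
    app: str
    kind: str  # "enable", "execute" or "mention"
    statement: str


def normalize(sql: str) -> str:
    """Strip T-SQL comments and collapse whitespace so EXEC /**/ xp_cmdshell matches."""
    return " ".join(SQL_COMMENT.sub(" ", sql).split())


def detect_xp_cmdshell(audit_text: str) -> list[Alert]:
    """Flag statements that enable, execute, or only reference xp_cmdshell."""
    alerts = []
    for line in audit_text.splitlines():
        when, login, app, stmt = line.split("|", 3)
        sql = normalize(stmt)
        if not XP_CMDSHELL.search(sql):
            continue
        if CONFIGURE.search(sql):
            kind = "enable"   # configuration flip: the procedure being switched on
        elif EXECUTE.search(sql) or sql.lower().startswith("xp_cmdshell"):
            kind = "execute"  # OS command run from the database engine
        else:
            kind = "mention"  # e.g. a DBA reading sys.configurations
        alerts.append(Alert(when, login, app, kind, sql))
    return alerts
```

The EPM service login has no legitimate reason to produce an "enable" or "execute" alert, so those two from the application context are the ones to page on; the "mention" case shows why matching on the bare string is not enough.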

 

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
