Malware Activity
Venom Spider Develops Malware-as-a-Service Offering
Venom Spider, the financially motivated threat actor also known as Golden Chickens, has been developing a malware toolset under its Malware-as-a-Service (MaaS) business. Cybersecurity researchers have discovered and analyzed recent campaigns leveraging a novel backdoor and loader named after Venom Spider’s toolset. Venom Spider’s malware has been linked to cybercrime groups Cobalt and Fin6, and CTIX analysts reported on the use of the “More_eggs” backdoor linked to Venom Spider in recent campaigns this year. The two (2) new malware variants recently uncovered are Venom Loader and a backdoor named RevC2. The RevC2 backdoor uses WebSockets for command-and-control (C2) communications, enabling the transfer of stolen data such as browser cookies and passwords and remote code execution (RCE). The RevC2 backdoor was observed in a campaign that used API documentation as a lure. The backdoor can also take screenshots of the victim’s system and proxy network data. Venom Loader is notable for its novel use of the victim’s computer name to encode its payloads. Venom Loader was discovered in campaigns using a cryptocurrency lure where Venom Loader was used to dispatch a JavaScript backdoor with RCE capabilities. Venom Loader uses a DLL file that is custom built for the victim environment and uses the system’s computer name as the XOR key to encode its attack stages. Venom Spider’s MaaS capabilities are expected to expand, as these recent findings suggest the toolset is in active development. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
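The host-keyed encoding described above means a recovered stage only decodes with the computer name of the machine it was built for, so an analyst can test the sample against an asset inventory to find the targeted host. The following is an added example, not code from the researchers' analysis or from the malware; repeating-key XOR over the raw bytes, the marker values, the hostnames and the sample blob are all assumptions constructed for illustration.

```python
from itertools import cycle

# Assumption: patterns expected in a correctly decoded stage.
SCRIPT_MARKER = b"function"      # JavaScript stage
PE_MAGIC = b"MZ\x90\x00"         # common start of a PE/DLL file


def xor_with_name(data: bytes, computer_name: str) -> bytes:
    """Repeating-key XOR with the computer name as key (assumed scheme)."""
    key = computer_name.encode("utf-8")
    if not key:
        raise ValueError("empty computer name")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_decoded(buf: bytes) -> bool:
    # A printable-ASCII test is not enough here: a hostname that differs
    # from the real key only in letter case still yields readable-looking
    # output, so require a known marker instead.
    return buf.startswith(PE_MAGIC) or SCRIPT_MARKER in buf


def find_target_host(blob: bytes, inventory):
    """Return (hostname, decoded_stage) for the first inventory name that
    decodes the blob, trying the name as listed, upper- and lower-cased."""
    for name in inventory:
        for variant in dict.fromkeys([name, name.upper(), name.lower()]):
            if not variant:
                continue
            decoded = xor_with_name(blob, variant)
            if looks_decoded(decoded):
                return variant, decoded
    return None


# Constructed sample: a harmless string encoded with a made-up hostname.
SAMPLE_PLAINTEXT = b"function stage(){ return 'constructed sample'; }"
SAMPLE_BLOB = xor_with_name(SAMPLE_PLAINTEXT, "FIN-WKS-0423")
INVENTORY = ["hr-laptop-07", "fin-wks-0423", "DC01"]  # constructed names

if __name__ == "__main__":
    print(find_target_host(SAMPLE_BLOB, INVENTORY))
```

A sandbox or analysis VM with a different computer name would leave the stage undecoded, which is why the key has to be recovered from the victim environment rather than from the sample alone.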
Threat Actor Activity
Law Enforcement Dismantles MATRIX Communication Service, Used for Cybercrime
As part of an uptick in international law enforcement disruption operations, an operation codenamed 'Operation Passionflower' successfully dismantled MATRIX, an encrypted messaging service used by criminals for illicit activities such as drug trafficking, arms trafficking, and money laundering. Coordinated by Europol and Eurojust, the operation involved French, Dutch, Italian, Lithuanian, Spanish, and German authorities. MATRIX, different from the legitimate “matrix[.]org”, was discovered on the phone of a criminal involved in the 2021 murder of Dutch journalist Peter R. de Vries. Over three (3) months, authorities intercepted and deciphered more than 2.3 million messages in thirty-three (33) languages. MATRIX had around 8,000 users who paid between $1,350 and $1,700 for a Google Pixel-based device and a six-month subscription. The service, also known as Mactrix, Totalsec, X-quantum, and Q-safe, allowed users to make encrypted calls, track transactions, and browse the internet anonymously. The platform operated over forty (40) servers, primarily located in France and Germany. During the takedown, simultaneous raids resulted in the arrest of five (5) suspects, including the suspected Lithuanian owner, and the seizure of €145,000 in cash, €500,000 in cryptocurrency, 970 encrypted phones, and four (4) vehicles. The MATRIX operation is part of a broader effort to combat encrypted communication services used by criminals, following previous takedowns of platforms like Sky ECC, EncroChat, Exclu, and Ghost. These operations demonstrate law enforcement's capability to penetrate technically sophisticated networks, despite the belief among criminals that such services offer superior security. Other notable recent law enforcement disruption operations include Germany's Federal Criminal Police Office dismantling Crimenetwork, the largest German-speaking cybercrime platform. Additionally, South Korean authorities arrested six (6) individuals for adding DDoS capabilities to satellite receivers. CTIX analysts will continue to stay ahead of prevalent trends amongst threat actor activities.
Vulnerabilities
PoC Exploit Present for Progress WhatsUp Gold Vulnerability
A critical remote code execution vulnerability in Progress WhatsUp Gold, a widely used network monitoring tool, has been disclosed, with a proof-of-concept (PoC) exploit now publicly available. This flaw, tracked as CVE-2024-8785, present in NmAPI.exe in versions prior to 24.0.1, allows unauthenticated attackers to modify Windows registry paths and redirect the software's configuration directory to attacker-controlled locations. Exploiting this vulnerability enables the execution of arbitrary code during service restarts, granting attackers persistent access and the ability to fully compromise the affected system. Rated as Critical with a maximum CVSS score of 9.8/10, the vulnerability is easily exploitable without requiring authentication or user interaction. Progress Software has issued a patch in version 24.0.1, addressing this and other vulnerabilities. CTIX analysts strongly urge administrators to update immediately to protect their systems, as WhatsUp Gold has recently been a frequent target of threat actors leveraging public exploits to gain access to corporate networks. Failure to patch could expose organizations to severe security risks, including unauthorized system control and data compromise.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice