Malware Activity
Fake Video Conferencing Apps Spread Crypto-Stealing Malware
A crypto-stealing malware campaign named “Meeten” has been active since September 2024 and uses fake video conferencing platforms to infect both Windows and macOS systems. The threat actors target individuals working in the Web3 space under the guise of scheduling a business meeting, often reaching out via Telegram to discuss an investment opportunity. The victims are directed to join the meeting by downloading fake conferencing software, hosted on a website crafted to appear legitimate under product names such as “Meetone”, “Meetio”, “Clusee”, and “Cuesee”. The threat actors go so far as to populate social media accounts for the fake software with AI-generated content to convince victims of its legitimacy. The campaign delivers the Realst infostealer payload in two versions, one for Windows and one for macOS. The macOS version is delivered through a package named “CallCSSetup.pkg” which uses the command-line tool osascript to prompt the user to enter their password, escalating privileges. The malware collects Telegram and Keychain credentials, banking card details, Ledger and Trezor wallets, and browser cookies and autofill credentials, which are stored locally in a zipped folder before exfiltration. The Windows version of Realst is deployed via an NSIS installer named “MeetenApp.exe” and is signed with a stolen certificate. The Windows version can extract the same information from the victim system as its macOS counterpart, but can also steal Phantom and Binance wallets and is able to persist between reboots. This campaign is particularly notable for its use of AI-generated content to quickly craft fake website content and garner a social media following. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
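The macOS delivery described above hinges on osascript drawing a password dialog on behalf of an installer, which is something endpoint telemetry can flag. The following is an added detection example written for this newsletter, not code from the report or from the campaign: it scans constructed process-execution records (the field names host, user, process, parent and cmdline are assumptions about an EDR export) for osascript command lines that contain the two AppleScript constructs that produce a credential prompt, and raises the severity when the parent process is one from which an interactive password dialog is unusual.

```python
"""Flag osascript invocations that look like credential-phishing dialogs.

Added example for this newsletter, not code from the report or the campaign.
Input is constructed process-execution telemetry (a list of dicts such as an
EDR or unified-log exporter might emit); the field names are assumptions.
"""
import re
from typing import Dict, Iterable, List, Optional

# AppleScript constructs that put a password prompt on screen:
#  - "display dialog ... with hidden answer" draws a masked text field
#  - "do shell script ... with administrator privileges" triggers the system auth prompt
PASSWORD_PROMPT_PATTERNS = [
    re.compile(r"display\s+dialog.*with\s+hidden\s+answer", re.I | re.S),
    re.compile(r"do\s+shell\s+script.*with\s+administrator\s+privileges", re.I | re.S),
]

# Parent processes from which an interactive password dialog is unusual.
# Constructed list for the example; tune it to the environment.
SUSPICIOUS_PARENTS = {"installer", "bash", "sh", "zsh", "curl", "python3"}


def classify_event(event: Dict) -> Optional[Dict]:
    """Return a finding for one process event, or None if it is not of interest."""
    if event.get("process") != "osascript":
        return None
    cmdline = event.get("cmdline", "")
    hits = [p.pattern for p in PASSWORD_PROMPT_PATTERNS if p.search(cmdline)]
    if not hits:
        return None
    parent = event.get("parent", "").lower()
    severity = "high" if parent in SUSPICIOUS_PARENTS else "medium"
    return {
        "host": event.get("host"),
        "user": event.get("user"),
        "parent": event.get("parent"),
        "severity": severity,
        "reason": "osascript password prompt: " + "; ".join(hits),
    }


def scan(events: Iterable[Dict]) -> List[Dict]:
    """Run classify_event over a stream of events and keep the findings."""
    return [f for f in (classify_event(e) for e in events) if f]


# Constructed sample telemetry: three osascript events, two of which should be flagged.
SAMPLE_EVENTS = [
    {"host": "mac-01", "user": "alice", "process": "osascript", "parent": "installer",
     "cmdline": 'osascript -e \'display dialog "Enter your password" default answer "" with hidden answer\''},
    {"host": "mac-02", "user": "bob", "process": "osascript", "parent": "Script Editor",
     "cmdline": "osascript -e 'tell application \"Finder\" to display dialog \"Backup done\"'"},
    {"host": "mac-03", "user": "carol", "process": "osascript", "parent": "zsh",
     "cmdline": "osascript -e 'do shell script \"/tmp/setup.sh\" with administrator privileges'"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The second sample event is a plain informational dialog and is ignored; the first (a masked-input dialog spawned under the installer, the pattern the report describes) and the third (a privileged shell call from an interactive shell) are both reported. Legitimate admin scripting will trigger the second pattern too, so the parent-process list is where false positives are tuned rather than the regular expressions.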
Threat Actor Activity
Romanian Electricity Distributor Hit by Cyber Attack Following Annulled Presidential Election
Electrica Group, a Romanian energy services provider, is currently dealing with an ongoing ransomware attack. Serving over 3.8 million customers across Transilvania and Muntenia, Electrica is a crucial entity in the Romanian electricity distribution and supply market, having been listed on both the Bucharest and London stock exchanges since 2014. The company announced to investors that it is working closely with national cybersecurity authorities to manage and resolve the cyberattack, which was still active earlier today. Electrica CEO Alexandru Aurelian Chirita assured that the company's critical systems remain unaffected, with disruptions in consumer interactions being due to protective measures for the internal infrastructure. These measures are temporary and aim to ensure the system's overall security, while the company prioritizes maintaining electricity distribution and supply continuity and safeguarding personal and operational data. The Romanian Ministry of Energy identified the attack as ransomware; however, the nature of the attack remains officially undisclosed, with speculation about potential pro-Russian involvement. The cyberattack follows the Romanian Constitutional Court's decision to annul the presidential elections due to alleged Russian interference via a TikTok influence campaign. Additionally, a report from Romania's Intelligence Service revealed over 85,000 cyberattacks on the country's election infrastructure during the election period, from November 19th through 25th, 2024.
Vulnerabilities
Clickless Critical Zero-Day Vulnerability in Windows NTLM Unofficially Patched by 0patch
A recently discovered critical zero-day vulnerability enables attackers to steal Windows New Technology LAN Manager (NTLM) credentials by simply having users view a malicious file in Windows Explorer. At this time there is no CVE identifier for the vulnerability. Identified by the 0patch team, the flaw affects all Windows versions from Windows 7 and Server 2008 R2 to Windows 11 24H2 and Server 2022. Exploitation does not require the file to be opened: merely viewing it in File Explorer triggers an outbound NTLM connection, sending the user's NTLM hashes to a remote attacker. These hashes can be cracked to expose login credentials. Despite being reported, Microsoft has not released an official fix, continuing a trend noted by 0patch, which has flagged similar unresolved vulnerabilities, such as the Mark of the Web (MotW) bypass and a Windows Themes exploit. To mitigate the risk, 0patch has released a free micropatch for registered users, while alternative measures include disabling NTLM authentication via Group Policy or registry changes. However, administrators caution that these mitigations could disrupt NTLM networking. Microsoft has acknowledged the report and is investigating. CTIX analysts recommend that administrators install the 0patch fix until an official Windows patch is released.
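The Group Policy and registry mitigation mentioned above maps to the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, which is stored as the RestrictSendingNTLMTraffic DWORD under the MSV1_0 key. The script below is an added example for this newsletter, not code from 0patch or Microsoft: it reads that value (and the ClientAllowedNTLMServers exception list) on a Windows host and reports whether outbound NTLM is actually blocked. The interpretation logic is kept separate from the registry read so it can be checked anywhere; the caveat in the text about disrupting NTLM networking is why the audit setting (1) is the sensible first step before moving to deny (2).

```python
"""Audit the 'Restrict NTLM: outgoing traffic' setting behind the newsletter's
registry/Group Policy mitigation.

Added example, not code from 0patch or Microsoft. The key and value names are
the documented ones for the policy "Network security: Restrict NTLM: Outgoing
NTLM traffic to remote servers"; the registry read runs only on Windows.
"""
import sys
from typing import List, Optional, Tuple

MSV1_0_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
RESTRICT_VALUE = "RestrictSendingNTLMTraffic"   # REG_DWORD
ALLOWED_VALUE = "ClientAllowedNTLMServers"      # REG_MULTI_SZ exception list

# Documented DWORD meanings for RestrictSendingNTLMTraffic.
MEANINGS = {
    0: "allow all (outbound NTLM unrestricted)",
    1: "audit all (outbound NTLM logged, not blocked)",
    2: "deny all (outbound NTLM blocked except servers in ClientAllowedNTLMServers)",
}


def interpret(value: Optional[int]) -> Tuple[str, bool]:
    """Map the registry value to (description, mitigated).

    None means the value is absent, which Windows treats as 'allow all'.
    Only 2 (deny all) stops the hash from leaving the host; 1 is the usual
    first step to discover legitimate NTLM dependencies before enforcing.
    """
    if value is None:
        return "not set (defaults to allow all)", False
    desc = MEANINGS.get(value, f"unknown value {value}")
    return desc, value == 2


def read_settings() -> Tuple[Optional[int], List[str]]:
    """Read the DWORD and the exception list from HKLM. Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("registry read requires Windows")
    import winreg  # only available on Windows
    restrict: Optional[int] = None
    allowed: List[str] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, MSV1_0_KEY) as key:
        try:
            data, kind = winreg.QueryValueEx(key, RESTRICT_VALUE)
            if kind == winreg.REG_DWORD:
                restrict = int(data)
        except FileNotFoundError:
            pass  # value absent: Windows behaves as 'allow all'
        try:
            data, kind = winreg.QueryValueEx(key, ALLOWED_VALUE)
            if kind == winreg.REG_MULTI_SZ:
                allowed = list(data)
        except FileNotFoundError:
            pass
    return restrict, allowed


if __name__ == "__main__":
    try:
        current, exceptions = read_settings()
    except RuntimeError as exc:
        print(exc)
        sys.exit(1)
    desc, blocked = interpret(current)
    print(f"{RESTRICT_VALUE} = {current}: {desc}")
    print("Outbound NTLM to remote servers is", "blocked" if blocked else "NOT blocked")
    if exceptions:
        print("Exception list:", ", ".join(exceptions))
```

Run it as an administrator on each host (or fold interpret() into a configuration-compliance check); a result of "not set" or 0 means the workaround discussed above is not in place. Because the policy value is enforced per host, a fleet-wide reading is what tells you whether the exposure window until an official patch is actually closed.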
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice