Malware Activity
Several new malicious campaigns uncovered
Several malicious campaigns have been uncovered, targeting various systems and individuals. Ransomware actors are leveraging SSH tunneling to persist on VMware ESXi bare-metal hypervisors, while the North Korean threat group Andariel is using a technique called RID hijacking to trick Windows into treating low-privileged accounts as administrator accounts. Additionally, a threat actor has been targeting low-skilled hackers with a fake malware builder that secretly infects them with a backdoor, allowing the attacker to steal data and take over their computers. Meanwhile, a malware campaign is using a PowerShell-based loader called MintsLoader to distribute secondary payloads, including the StealC information stealer and the legitimate BOINC network computing platform, targeting the electricity, oil and gas, and legal services sectors in the US and Europe. These campaigns highlight the importance of monitoring system logs, restricting tool execution, and protecting accounts with multi-factor authentication, as well as the need for caution when downloading and installing software, especially from untrusted sources. Researchers have been able to disrupt some of these campaigns, but many devices remain compromised, emphasizing the need for continued vigilance and proactive security measures to prevent and detect these types of attacks. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Ransomware Gang Uses SSH Tunnels article
- BleepingComputer: Hackers Use Windows RID Hijacking article
- BleepingComputer: Hacker Infects 18000 Script Kiddies article
- TheHackerNews: Mintsloader Delivers Stealc Malware and BOINC article
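As an added illustration of the RID hijacking technique mentioned above (example code written for this digest, not taken from the cited articles or the affected vendor), the Python check below shows how a defender can spot a hijacked account in an offline copy of the SAM hive. It assumes the reader has already extracted each account key name and its binary "F" value with a registry-parsing tool, and relies on the fact that the F value repeats the account's RID as a little-endian DWORD at offset 0x30; the sample hive contents are constructed.

```python
import struct

# Each local account lives under HKLM\SAM\SAM\Domains\Account\Users\<RID as 8 hex
# digits>; its binary "F" value repeats the RID as a little-endian DWORD at
# offset 0x30. RID hijacking rewrites that DWORD so a low-privileged account's key
# carries the built-in Administrator RID (500), so key name and embedded RID diverge.
RID_OFFSET = 0x30
ADMIN_RID = 500

def embedded_rid(f_value: bytes) -> int:
    """Return the RID encoded in an F value, or -1 if the blob is too short."""
    if len(f_value) < RID_OFFSET + 4:
        return -1
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]

def find_rid_mismatches(user_keys: dict) -> list:
    """Compare every key name (hex RID) with the RID stored in its F value.
    user_keys maps key names such as '000003E9' to raw F value bytes; one
    finding is returned per account whose two RIDs disagree."""
    findings = []
    for key_name, f_value in user_keys.items():
        key_rid = int(key_name, 16)
        f_rid = embedded_rid(f_value)
        if f_rid != key_rid:
            findings.append({
                "key": key_name,
                "key_rid": key_rid,
                "f_rid": f_rid,
                "elevated_to_admin": f_rid == ADMIN_RID,
            })
    return findings

def make_f_value(rid: int) -> bytes:
    """Constructed 0x50-byte F value with only the RID field populated."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    return bytes(buf)

# Constructed sample: Administrator (500), Guest (501) and local user 1001 whose
# F value has been rewritten to claim RID 500 (the hijack described above).
SAMPLE_USERS = {
    "000001F4": make_f_value(500),
    "000001F5": make_f_value(501),
    "000003E9": make_f_value(500),  # key says 1001, F says 500
}

if __name__ == "__main__":
    for finding in find_rid_mismatches(SAMPLE_USERS):
        print(finding)
```

On a live host the same comparison can be run against an exported SAM hive collected during incident response; a mismatch on a non-built-in account is a strong indicator that the F value was tampered with.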
Threat Actor Activity
Cyber Espionage: GamaCopy Adopts Gamaredon Tactics to Target Russian Entities
A new cyber threat actor, dubbed "GamaCopy," has been identified mimicking the tactics of the Kremlin-aligned Gamaredon group in attacks targeting Russian-speaking entities. GamaCopy is linked to another group known as Core Werewolf (also called Awaken Likho and PseudoGamaredon) and utilizes military-themed lures to deploy UltraVNC for remote access to compromised systems. These attacks involve self-extracting archive files to deliver payloads, with measures like naming malware "OneDrivers.exe" to avoid detection. The group’s methods resemble Core Werewolf's campaigns, which similarly use open-source tools and spear-phishing to compromise targets. GamaCopy is one of several actors exploiting the ongoing Russo-Ukrainian conflict, joining others like Sticky Werewolf and Venture Wolf in conducting phishing and data theft campaigns.
Vulnerabilities
Subaru Starlink Vulnerability Allows Hackers to Hijack Cars in the USA and Canada
Security researchers uncovered a severe vulnerability in Subaru's Starlink service that could have allowed attackers to take over accounts and control vehicles in the U.S., Canada, and Japan using only a license plate. Discovered by Sam Curry and Shubham Shah in November 2024, the flaw enabled unauthorized access to customer accounts, allowing hackers to start or stop vehicles, retrieve precise location data, access location history, and obtain sensitive personal information. The issue stemmed from a "resetPassword.json" API endpoint that lacked adequate security measures, making it possible to bypass two-factor authentication and gain full access to the admin dashboard. The researchers demonstrated the vulnerability's impact, and Subaru patched it within 24 hours of being notified. There is no evidence that the flaw was exploited maliciously. Similar issues have also been identified in other vehicle systems, such as Kia's dealer portal.
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.