Malware Activity
Emerging Cyber Threats: Malware Campaigns and Vulnerability Exploits
A recent campaign has been observed targeting Internet Information Services (IIS) servers, primarily in Asian countries such as India, Thailand, Vietnam, the Philippines, Singapore, Taiwan, South Korea, and Japan, as well as Brazil, with the goal of installing BadIIS malware as part of a search engine optimization (SEO) manipulation scheme. The campaign is believed to be financially motivated: it compromises IIS servers belonging to government, university, technology, and telecommunications organizations and uses them to serve altered content, including redirects to illegal gambling websites, malware, or credential-harvesting pages.

Separately, Microsoft has warned of attacks that inject malicious code into ViewState using static ASP.NET machine keys that are readily available online, allowing attackers to achieve remote code execution (RCE) and deploy additional malicious payloads. Hackers are also actively exploiting vulnerabilities in SimpleHelp RMM clients to create administrator accounts, drop backdoors, and potentially lay the groundwork for ransomware attacks.

Furthermore, cybersecurity researchers have discovered two malicious machine learning (ML) models on the Hugging Face platform that use a novel technique called "nullifAI" to evade detection: the models contain "broken" pickle files that nonetheless execute malicious Python code, specifically a platform-aware reverse shell that connects to a hard-coded IP address.

These incidents highlight the importance of securing applications, restricting access to trusted IP ranges, and monitoring for suspicious activity to prevent unauthorized access and potential ransomware attacks. They also underline the need for developers to generate unique machine keys, encrypt sensitive data, and upgrade to ASP.NET 4.8 to enable Antimalware Scan Interface (AMSI) capabilities. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- TheHackerNews: DragonRank Exploits IIS Servers article
- BleepingComputer: Attackers Use Exposed ASPNet Keys article
- BleepingComputer: Hackers Exploit SimpleHelp RMM Flaws article
- TheHackerNews: Malicious ML Models Found On Hugging Face article
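The "broken" pickle trick described above defeats scanners that abandon a file on the first parse error. The following added example (not code from the article, Hugging Face, or the researchers) walks a pickle's opcode stream with Python's standard pickletools, never executes it, and keeps whatever imports it saw before the stream breaks, so that a truncated stream is itself treated as a red flag. The denylist and the three sample streams are constructed for the example.

```python
import io
import pickle
import pickletools

# Opcodes that push a string constant; STACK_GLOBAL takes module and name from them.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Modules a serialized ML model has no business importing (constructed denylist).
DENIED_MODULES = {"os", "subprocess", "sys", "socket", "builtins", "runpy",
                  "importlib", "shutil", "pty", "codecs"}

def scan_pickle(data: bytes) -> dict:
    """Walk the opcode stream without executing it.

    Returns the imports seen, the number of REDUCE (call) opcodes and the parse
    error, if any.  Findings made before a break are kept rather than discarded,
    which is what a deliberately broken pickle relies on scanners not doing.
    """
    imports, strings, reduces, error = [], [], 0, None
    try:
        for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
            if op.name in STRING_OPS:
                strings.append(arg)
            elif op.name == "GLOBAL":            # protocol <= 3: arg is "module name"
                imports.append(tuple(arg.split(" ", 1)))
            elif op.name == "STACK_GLOBAL":      # protocol 4+: last two string constants
                imports.append((strings[-2], strings[-1]))
            elif op.name == "REDUCE":
                reduces += 1
    except (ValueError, EOFError, IndexError) as exc:
        error = str(exc)
    return {"imports": imports, "reduces": reduces, "error": error}

def is_suspicious(report: dict) -> bool:
    """Flag denied imports, and treat a broken stream as a red flag by itself."""
    denied = any(mod in DENIED_MODULES for mod, _name in report["imports"])
    return denied or report["error"] is not None

# Constructed samples (not real malware).  BENIGN is ordinary model-like data.
BENIGN = pickle.dumps({"layer.weight": [0.1, 0.2, 0.3]}, protocol=4)
# Hand-built protocol-2 stream: GLOBAL os.system, MARK, a string, TUPLE, REDUCE, STOP.
MALICIOUS = b"\x80\x02cos\nsystem\n(Vecho constructed-sample\ntR."
# Same stream with STOP removed: invalid, yet the REDUCE precedes the break, so a
# plain pickle.loads would still perform the call before raising.
BROKEN = MALICIOUS[:-1]

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("malicious", MALICIOUS), ("broken", BROKEN)):
        report = scan_pickle(blob)
        print(label, "SUSPICIOUS" if is_suspicious(report) else "clean", report)
```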
Threat Actor Activity
North Korean Kimsuky Hackers Using Custom RDP Wrapper in Recent Attacks
The North Korean hacking group Kimsuky has been observed using a custom-built RDP Wrapper and proxy tools in recent attacks, marking a shift in their tactics. This evolution sees Kimsuky adopting a diverse set of customized remote access tools rather than relying solely on traditional backdoors such as PebbleDash. Kimsuky's latest attack strategy involves spear-phishing emails carrying malicious shortcut (.LNK) file attachments disguised as PDFs or Word documents. These emails are personalized, featuring the recipient's name and correct company names, indicating prior reconnaissance. Opening the .LNK file triggers PowerShell or Mshta to download additional payloads from an external server. The payloads include PebbleDash for initial system control, a modified version of the RDP Wrapper tool for persistent RDP access that bypasses security measures, and proxy tools to navigate around private network restrictions. The RDP Wrapper, originally an open-source tool for enabling RDP on Windows versions that do not support it natively, has been altered by Kimsuky to evade antivirus detection and signature-based defenses. This tool allows the group to maintain a low profile by making RDP connections appear legitimate, providing a more user-friendly remote-control interface and bypassing firewall or NAT restrictions through relays. Once Kimsuky establishes a foothold on a network, they deploy secondary payloads, including a keylogger that captures keystrokes, an infostealer (forceCopy) for extracting web browser credentials, and a PowerShell-based ReflectiveLoader for in-memory payload execution. These tools underscore Kimsuky's persistence and evolution as a significant North Korean cyber-espionage group dedicated to intelligence gathering. The findings highlight Kimsuky's shift towards stealthier remote access methods, enabling prolonged dwell times within compromised networks. This adaptation reflects the group's ongoing efforts to enhance their espionage capabilities while evading detection for extended periods.
Vulnerabilities
XE Group Hackers Exploit Zero-Day Vulnerabilities to Maintain Persistent Access to Targeted Infrastructure
Threat actors are exploiting multiple security vulnerabilities in software products such as Progress Telerik UI for ASP.NET AJAX and Advantive VeraCore to deploy web shells and maintain persistent access to compromised systems. The XE Group, a Vietnamese cybercrime entity active since at least 2010, has been attributed with the zero-day exploitation of VeraCore vulnerabilities, shifting its focus from credit card skimming to targeted information theft in manufacturing and distribution supply chains. The attackers are leveraging vulnerabilities such as CVE-2024-57968 and CVE-2025-25181 to deploy ASPXSpy web shells and Meterpreter payloads for reconnaissance and data exfiltration. This marks a significant escalation in XE Group's tactics, as the group now exploits zero-day vulnerabilities alongside older flaws in Telerik UI. Concurrently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five (5) security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all Federal Civilian Executive Branch (FCEB) agencies patch affected systems by February 27, 2025. Other cybercriminals, including Russian and Chinese threat actors, are also actively exploiting these weaknesses for malware distribution and espionage campaigns, emphasizing the ongoing need for timely security updates. CTIX analysts recommend that organizations using these products follow the guidance in the CISA advisory linked below.

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.