Cybersecurity Threats Affecting Businesses in April 2024

The global cyber threat level has continued to increase as a function of general global political unrest around the middle east, Ukraine and China-Taiwan. The number of cybersecurity incidents continues to rise and their impact continues to increase. Organizations of all sizes and in all sectors need to increase their awareness of both the overall threat environment and threats specifically relevant to their organization or industry. Threat hunting, offered as part of Marcum Technology’s Managed Security Services, can help provide this visibility in identifying potential risks to an organization.

Below are the top four threats that emerged over the past month.

Staying Ahead of Threat Actors in the Age of AI

While some financial analysts worry about a potential bubble driven by Artificial Intelligence (AI), rooted in the failure of the technology to deliver on its lofty promises, security analysts remain steadfast that threat actors will see exactly the kind of increase in capability, speed, and scale of operations that they most fear.

Over the last year we have seen the speed, scale, and sophistication of attacks increase in not-so-surprising conjunction with LLMs (Large Language Models). Thankfully, however, AI can and is being leveraged by defenders if they are quick to adopt it.

AI has the potential to largely eliminate classic grammar/spelling errors in phishing emails. Add that the complexity/power of any given script that an actor wants to create is now increased with this help, and the potential for successful attacks is raised significantly.

With AI able to accurately translate material, explain concepts given to them, and generate solutions to problems, the language barrier between threat actors that may not speak English natively and the rest of the internet continues to dwindle. The ability of AI to offer sound advice and solve problems when prompted correctly can be remarkable and continues to lower the overhead of any given attack.

On the obvious front of phishing, the Emerald Sleet cybercrime group from North Korea has been mounting spear-phishing attacks against foreign individuals possessing information of value. This group also uses AI to study known vulnerabilities, troubleshoot technical issues, and even tech support of sorts, using it to help them learn various technologies.

Crimson Sandstorm is another cyber crime group, from Iran, also using AI for the first and most obvious purpose of writing phishing emails, and to good effect. For their purposes, they are attempting to lure political dissidents to websites to divulge information. Another very powerful use is the LLM generation of scripts and code snippets to create malware. Furthermore, the use of AI for assistance in developing obfuscation/detection evasion code was noted.

The Charcoal Typhoon cybercrime group, out of China, targets government, higher education, communications, oil and gas, and IT industries. This group has been using AI in much the same way. Combined with their previously demonstrated attack capabilities and desire to create LLMs of their own, this is a particularly concerning threat.

The bottom line is that while AI won’t solve all of one’s problems, it will enable much more efficient and effective solving. Like any tool, it will be used on both sides of any conflict, either for productive and defensive uses or for malicious purposes by threat actors that are growing increasingly prolific. As threat actors of all sizes are made more dangerous and capable with this technology, however, there is another concerning AI-enabled cyber-threat quietly winning a war that few seem to even know is taking place. In 2022 it was estimated that around 50% of Internet traffic was bot-generated. Of that 50%, 30 was malicious bot traffic. For the most part, this was scalping tickets, promoting scams, or otherwise engaging in spam.

With the introduction of AI, however, an odd trend is emerging: entirely fake social media profiles engaging in social media conversations and comments with no apparent scam, sales pitch, or motivation other than appearing to be a real person in a real conversation. This is perhaps most concerning of all, as while cybersecurity experts are trying to put out fires started by threat actors engaging in espionage or financially-motivated attacks, the most serious threat is going mostly unnoticed. The long-term impacts of such a trend can hardly be imagined, let alone easily countered.

VCURMS and STRRAT Phishing Campaign

FortiGuard Labs uncovered a phishing campaign distributing a malicious Java downloader to spread new VCURMS and STRRAT remote access trojans (RATs). Attackers stored malware on public services like AWS and GitHub, using a commercial protector to evade detection.

Phishing emails targeted staff, prompting them to click a button to verify payment information, which downloaded a harmful JAR file. The JAR files, obfuscated with the “Sense Shield Virbox Protector,” downloaded additional malware.

One of these, called VCRUMS, is a distinct RAT with the file name “windows.jar,” which communicates via Protonmail email addresses for command and control. It also replicated itself into the Startup folder and identified victims through computer name and Volume ID. The keyloggers and password recovery malware that the RAT would use were also hosted on AWS and disguised with .jpg extensions. VCRUMS ultimately steals account information from apps and collects cookies, autofill data, browsing history, and passwords from browsers including Discord, Steam, Brave, Chrome, Edge, Firefox, Opera, OperaGX, Vivaldi, and Yandex.

STRRAT, employing Allatori obfuscation and Branchlock obfuscator, was also utilized. The configuration file decrypted with AES Algorithm revealed the command-and-control server and ID “Khonsari”.

This multifaceted attack operation deployed various malicious programs simultaneously, emphasizing obfuscation techniques to evade detection and utilizing email for command and control communication.

In late December, FortiGuard’s detection system identified three Python Package Index (PyPI) packages, which install a CoinMiner on Linux when used. These are named modularseven-1.0, driftme-1.0, and catme-1.0, released by a user named “sastra”. These new packages resemble the “culturestreak” package – which went rampant in the latter half of 2023 – as the associated attack phases are very similar.

PyPI Packages Install CoinMiners on Linux Machines

The attack begins with the package’s __init__.py file, which triggers a processor.py module to decode a string into a shell command. This command retrieves a script, “unmi.sh”, hosting the second attack stage. The “unmi.sh” script downloads two key items: a “config.json” for the mining settings, as well as the CoinMiner executable, which is where the damage is truly done.

The attacker ensures persistence with older machines and operating systems by appending commands to the ~/.bashrc file, so the malware reactivates during new Bash sessions. The CoinMiner ELF file that is downloaded alongside the config.json file is already known as malicious by a significant number of security vendors, according to VirusTotal.

The packages’ indicators of compromise (IoCs) match those of “culturestreak,” with files hosted on the domain “papiculo.net” and a GitLab repository previously associated with a blocked user. The IoCs suggest that the attacker behind this PyPI malware might the same that was behind culturesneak when it was active, but now operating under a new account.

These packages show advancements in concealing their payload and maintaining function, notably by using an external “unmi.sh” file to evade detection and inserting malicious commands into ~/.bashrc for persistence. This indicates that attackers are enhancing tactics to prolong and conceal exploitation.

The trend of these packages calls for heightened detection abilities within the security community and stresses the importance of diligence when dealing with code from unverified sources. The case exemplifies the ongoing evolution of malware tactics and the necessity for continuous vigilance. Remember to only run code on your system if it is from a verified source, where it can be ensured that the code is clean and does not contain malicious processes.

New Mustang Panda Malware Packages

During the ASEAN (Association of Southeast Asian Nations)-Australia Special Summit in March 2024, researchers discovered evidence of cyber threats targeting Asian countries. Two distinct malware packages specifically coincided with the summit and have been attributed to the threat actor known as Mustang Panda, a.k.a. Camaro Dragon, Earth Preta, and Stately Taurus.

The first package, named “Talking_Points_for_China.zip,” was created on March 4, 2024, and distributed to entities in the Philippines, Japan, and Singapore. This ZIP archive contained two files, including an executable masquerading as a legitimate anti-keylogging program. Upon execution, the malware sideloaded a malicious DLL and initiated connections to potentially harmful IP addresses.

In a shift of tactics, the second package, labeled “Note PSO.scr,” emerged on March 5, 2024, targeting an entity in Myanmar. Unlike previous methods, this package utilized a screensaver executable (SCR) file extension to deliver its payload. Upon opening, it attempted to download malicious files from specific URLs, disguising itself as a benign program to evade detection.

In addition, recently uncovered network connections between ASEAN-affiliated entities and Chinese APT group command and control (C2) infrastructure, indicate compromised environments. This underscores the attractiveness of ASEAN entities as espionage targets due to their involvement in sensitive regional affairs.

A timeline analysis revealed distinct patterns of activity, with notable lulls during holidays and special working days in China. This consistent behavior suggests organized and deliberate cyber espionage efforts. Organizations are urged to utilize this information to bolster their defenses against such threats, emphasizing the importance of proactive cybersecurity measures.

If you’re facing challenges related to cybersecurity threats, breaches, and bad actors, or are interested in learning more about identifying potential threats to your organization, contact Marcum Technology today.