Tag Archive for: linked

Sophisticated Latrodectus Malware Linked to 2017 Strain

/in


Cybercrime
,
Fraud Management & Cybercrime
,
Governance & Risk Management

New Malware With Ties to IcedID Loader Evades Detection, Gains Persistence

Prajeet Nair (@prajeetspeaks) •
April 5, 2024    

Sophisticated Latrodectus Malware Linked to 2017 Strain
Image: Shutterstock

Security researchers are warning about a relatively new malware called Latrodectus, believed to be an evolutionary successor to the IcedID loader. It has been detected in malicious email campaigns since November 2023, and recent enhancements make it harder to detect and mitigate.

See Also: OnDemand | Overcoming the Limitations of Addressing Insider Threat in Banking: Real Solutions for Real Security Challenges

Proofpoint’s Threat Research team, in partnership with Team Cymru S2 Threat Research, spotted nearly a dozen campaigns delivering Latrodectus beginning in February 2024. The malware, used by initial access brokers, downloads payloads and executes arbitrary commands.

While initial analysis suggested Latrodectus is a new variant of IcedID, subsequent research found that it is a new malware most likely named Latrodectus because of a string identified in the code. Latrodectus employs infrastructure used in historic IcedID operations, indicating potential ties to the same threat actors. IcedID, first discovered in 2017, has been described as a banking Trojan and remote access Trojan.

Researchers discovered insights into the activities of threat actors TA577 and TA578 – the primary distributors of Latrodectus that illustrate the evolving tactics threat actors have used over time.

TA577, previously…

Source…

China linked to UK cyber-attacks on voter data, Dowden to say

/in


  • By James Gregory & Iain Watson, political correspondent
  • BBC News

Image caption,

Deputy Prime Minister Oliver Dowden is expected to address MPs on the threat

The UK government is expected to link cyber-attacks which accessed personal details of millions of voters to China.

The attacks on the Electoral Commission took place in August 2021 but were only revealed last year.

Several MPs and peers who have been critical of Beijing are thought to have also been targeted in cyber-attacks.

The prime minister called China “the greatest state-based challenge to our national security”.

Rishi Sunak said: “China represents an economic threat to our security and an epoch-defining challenge.

“So it is right we take steps to protect ourselves.”

The BBC understands other Western nations will set out similar concerns.

Acknowledging the attacks last August, the Electoral Commission said unspecified “hostile actors” had gained access to copies of the electoral registers and broken into its emails and “control systems”, but added that it had neither had any impact on any elections nor anyone’s registration status.

The commission said last August that they weren’t able to predict exactly how many people could be affected, but that the register for each year contained the details of around 40 million people.

Deputy Prime Minister Oliver Dowden will address Parliament on Monday about the threat.

It is now thought that Mr Dowden will suggest those behind the attack had links to Beijing, as well as laying out how the UK will respond to what it deems a wider threat.

Publicly identifying the attackers lays the groundwork for potential legal and political actions, such as sanctions or diplomatic protests.

Linking the attackers to China, a fellow member of the UN Security Council, would be an escalation in the diplomatic tension between the two countries.

The prime minister then was David Cameron, who is now the foreign secretary after taking a seat in the House of Lords last year.

China’s foreign ministry spokesperson Lin Jian said the government cracked down and punished all types of malicious cyber activities.

He called on all parties to “stop spreading false information and…

Source…

macOS Backdoor RustDoor likely linked to Alphv/BlackCat ransomware operations

/in


macOS Backdoor RustDoor likely linked to Alphv/BlackCat ransomware operations

Pierluigi Paganini
February 10, 2024

Bitdefender Researchers linked a new macOS backdoor, named RustDoor, to the Black Basta and Alphv/BlackCat ransomware operations.

Researchers from Bitdefender discovered a new macOS backdoor, dubbed RustDoor, which appears to be linked to ransomware operations Black Basta and Alphv/BlackCat.

RustDoor is written in Rust language and supports multiple features. The malware impersonates a Visual Studio update and was designed to support Intel and Arm architectures.

The malware has been active since at least November 2023, but it was fist spotted on February 2nd 2024.

Researchers identified multiple RustDoor variants, and most of the samples share the same core functionalities with minor variations. The experts grouped these variants into Variant 1, 2 and Zero.

All the variants support commands that allow operators to gather and upload files, and gather information about the machine.

The first variant of the backdoor that was detected in November 2023 was likely a test version that did not support a persistence mechanism. The researchers noticed that the backdoor contained a plist file named ‘test’.

The second variant was spotted at the end of November, it contained a complex JSON configuration as well as an embedded Apple script used for exfiltration.

“We identified multiple variants of the embedded Apple script, but all of them are meant for data exfiltration.” reads the report published by Bitdefender. “The script is used to exfiltrate documents with specific extensions and sizes from Documents and Desktop folders, as well as the notes of the user, stored in SQLITE format”

RustDoor
RustDoor

The configuration files included a list of applications for impersonation, the backdoor used this trick to spoof the administrator password presenting dialog.

“Some configurations also include specific instructions about what data to collect, such as the maximum size and maximum number of files, as well as lists of targeted extensions and directories, or directories to  exclude” Bitdefender continues.

The “Variant Zero,” first spotted on 02.11.2023, is less…

Source…