Welcome to our bi-weekly cybersecurity roundup. In these posts we feature curated articles and insights from experts, giving you information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, this roundup is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

You’ve been kept in the dark (web): exposing Qilin’s RaaS program

Source: Group-IB

Group-IB’s Hi-Tech Crime Trends 2022/2023 Report recently revealed that the impact of ransomware attacks will continue to grow in 2023 and beyond, with trends such as the Ransomware-as-a-Service (RaaS) market, the publication of stolen data on dedicated leak sites (DLS), and an increase in affiliate programs shaping this trajectory. Read more.

IceFire Ransomware Returns | Now Targeting Linux Enterprise Networks

Source: SentinelLABS

SentinelLabs recently observed a novel Linux version of the IceFire ransomware being deployed in mid-February against enterprise networks. The .iFire file extension is associated with known reports of IceFire, a ransomware family noted by MalwareHunterTeam in March 2022. Read more.

CLR SqlShell Malware Targets MS SQL Servers for Crypto Mining and Ransomware

Source: The Hacker News

Poorly managed Microsoft SQL (MS SQL) servers are the target of a new campaign that’s designed to propagate a category of malware called CLR SqlShell that ultimately facilitates the deployment of cryptocurrency miners and ransomware. Read more.

PyPI temporarily pauses new users, projects amid high volume of malware

Source: Bleeping Computer

PyPI, the official third-party registry of open source Python packages, has temporarily suspended new user sign-ups and new project uploads until further notice. Read more.

Guerrilla malware is preinfected on 8.9 million Android devices, Trend Micro says

Source: CSO

Cybercrime gang Lemon Group has managed to get malware known as Guerrilla preinstalled on about 8.9 million Android-based smartphones, watches, TVs, and TV boxes globally, according to Trend Micro. Read more.

CapCut Users Under Fire

Source: Cyble

CRIL recently discovered a series of phishing websites posing as video editing software. These fraudulent sites lure users into downloading and executing various malware families such as stealers and RATs. In these campaigns, the threat actors specifically targeted the CapCut video editing tool, a product of ByteDance, the same parent company that owns TikTok. Read more.

Profile of an Adversary – FIN7

Source: deepwatch

FIN7 has been known to be in operation since 2012 (although some estimates put them being active as far back as 2011), when TrustWave SpiderLabs first observed threat behavior that became much more prolific after 2015. Read more.

SparkRAT Being Distributed Within a Korean VPN Installer

Source: ASEC

ASEC has recently discovered SparkRAT being distributed within the installer of a certain VPN program. SparkRAT is a RAT written in Go. Once installed on a user’s system, it can perform a variety of malicious actions, such as executing commands remotely, controlling files and processes, downloading additional payloads, and collecting information from the infected system, for example by taking screenshots. Read more.

NIST Launches Cybersecurity Initiative for Small Businesses

Source: Security Intelligence

To help smaller organizations face the growing cyber threat, NIST recently launched its Small Business Cybersecurity Community of Interest (COI). Here’s how this new association can help your organization move forward with a cyber readiness plan today. Read more.

BlackCat Ransomware Deploys New Signed Kernel Driver

Source: Trend Micro

In this blog post, we will provide details on a BlackCat ransomware incident that occurred in February 2023, where we observed a new capability, used mainly in the defense evasion phase, that overlaps with the malicious signed drivers disclosed earlier by other vendors. BlackCat affiliates have been known to use multiple techniques during the defense evasion phase, impairing defenses by disabling or modifying security tools or by using techniques such as booting into safe mode. Read more.

The Dangers of Google’s .zip TLD

Source: Medium

This week, Google launched a new TLD, or “Top Level Domain”, .zip, meaning you can now purchase a .zip domain, similar to a .com or .org domain, for only a few dollars. The security community immediately raised flags about the potential dangers of this TLD. In this short write-up, we’ll cover how an attacker can leverage this TLD, in combination with the @ operator in URLs and the Unicode character ∕ (U+2215, DIVISION SLASH), to create an extremely convincing phish. Read more.
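The trick works because everything between `https://` and the last `@` in a URL is the userinfo field, not the host, and U+2215 looks like `/` but is not a path separator, so the whole fake "path" ends up inside the userinfo. The following added example (not code from the Medium write-up) shows what a browser's URL parser actually resolves as the host, and a small check a mail or proxy filter could run; the two sample URLs are constructed for illustration.

```python
"""Added example: how the '@' userinfo trick plus U+2215 hides the real host
of a .zip domain, and how to flag such URLs. Sample URLs are constructed."""
import unicodedata
from urllib.parse import urlsplit

DIVISION_SLASH = "\u2215"  # U+2215, looks like '/' but is not a URL path separator

# Constructed lure: looks like a GitHub archive link, but the only real '/'
# characters are in 'https://'; the host the browser connects to is v1271.zip.
LURE = (
    "https://github.com" + DIVISION_SLASH + "kubernetes" + DIVISION_SLASH
    + "kubernetes" + DIVISION_SLASH + "archive" + DIVISION_SLASH + "refs"
    + DIVISION_SLASH + "tags" + DIVISION_SLASH + "@v1271.zip"
)

# Constructed legitimate link with ordinary ASCII slashes for comparison.
LEGIT = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"

# TLDs that double as common file extensions (the ones highlighted in the debate).
FILE_LIKE_TLDS = {"zip", "mov"}


def real_host(url: str) -> str:
    """Host the client will actually connect to (after stripping userinfo)."""
    return urlsplit(url).hostname or ""


def analyze(url: str) -> list:
    """Return a list of short finding tags; an empty list means nothing suspicious."""
    parts = urlsplit(url)
    findings = []

    # 1. Userinfo in an http(s) URL is almost never legitimate and lets the
    #    visible 'domain' differ from the real host.
    if parts.username is not None:
        findings.append("userinfo")

    # 2. Non-ASCII characters in the authority; name slash look-alikes explicitly.
    for ch in parts.netloc:
        if ord(ch) > 0x7F:
            name = unicodedata.name(ch, "UNKNOWN")
            if "SLASH" in name or "SOLIDUS" in name:
                findings.append("confusable:" + name)
            else:
                findings.append("non-ascii:" + name)

    # 3. Host ends in a TLD that reads like a file extension.
    host = parts.hostname or ""
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in FILE_LIKE_TLDS:
        findings.append("tld:" + tld)

    return findings


if __name__ == "__main__":
    for u in (LURE, LEGIT):
        print(u)
        print("  real host:", real_host(u))
        print("  findings :", analyze(u))
```

Note that the legitimate archive link also ends in `.zip`, so the file-like TLD check is only useful in combination with the userinfo and confusable-character checks; on its own it would flag every genuine download of a zip file.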

Microsoft reports jump in business email compromise activity

Source: CSO

“BEC attacks stand apart in the cybercrime industry for their emphasis on social engineering and the art of deception,” said Vasu Jakkal, corporate vice president of security, in a blog post. “Successful BEC attacks cost organizations hundreds of millions of dollars annually.” Read more.

CloudWizard APT: the bad magic story goes on

Source: Secure List

While looking for implants bearing similarities with PowerMagic and CommonMagic, we identified a cluster of even more sophisticated malicious activities originating from the same threat actor. What was most interesting about it is that its victims were located not only in the Donetsk, Lugansk and Crimea regions, but also in central and western Ukraine. Read more.

Rust-Based Info Stealers Abuse GitHub Codespaces

Source: Trend Micro

In January 2023, we shared a proof of concept showing how an attacker could abuse the port-forwarding feature of GitHub Codespaces to deliver malware from open directories. It should be noted that open directories aren’t new, and threat actors have been documented using them to serve malicious content such as ransomware, exploit kits, malware samples, and the like. Read more.