HomeCII/OTMUT-1244 for Security Professionals and Adversarial Operators

MUT-1244 for Security Professionals and Adversarial Operators

Published on

spot_img

A threat actor known as MUT-1244 has been actively targeting academics, pentesters, red teamers, security researchers, and other threat actors with the intent of stealing sensitive data such as AWS access keys and WordPress account credentials. The tactics employed by MUT-1244 include phishing emails, the ClickFix tactic, and the use of GitHub repositories containing malicious exploits.

Despite their efforts to remain undetected, MUT-1244 has been somewhat reckless in their activities, allowing researchers from DataDog and Checkmarx to track and connect their operations. The ultimate goal of MUT-1244 is to deliver a payload known as xmrdropper, which not only updates a cryptocurrency miner but also backdoors systems and exfiltrates valuable information.

One of the methods used by MUT-1244 involved scraping email addresses from research papers published on the arXiv open-access archive and sending out phishing emails from October 5 to October 21, 2024. The emails encouraged recipients to install a CPU microcode update by executing a script that was provided.

In a notable development, a ClickFix-type attack was documented for the first time that targeted Linux systems. When victims executed the malicious command from the GitHub repository opencompiled-oss/kernel-patch, the xmrdropper payload was dropped onto their systems.

Additionally, MUT-1244 targeted security researchers and offensive actors by creating malicious GitHub repositories with fake or trojanized PoC exploit code. This led to the download and execution of xmrdropper on the compromised systems. Furthermore, a trojanized GitHub project offered a tool for validating WordPress credentials but also required the installation of a malicious npm package that facilitated the deployment of xmrdropper.

Checkmarx researchers highlighted that the malicious npm package has been hosted on the NPM registry since October 2023 without being flagged as malicious. The malware not only steals sensitive data but also mines cryptocurrency on infected systems, with up to 68 compromised systems actively mining cryptocurrency at the time of investigation.

DataDog researchers have warned that hundreds of victims have been compromised by MUT-1244, with indicators of compromise being shared by both companies to assist potential victims in assessing if they have been affected. This ongoing campaign represents a serious threat to the cybersecurity community, underscoring the importance of vigilance and proactive defense measures against evolving threats.

Source link

Latest articles

Navigating Identity, Access, and Data Protection for AI Agents Webinar

Navigating the Complexities of AI Security: Insights from Okta and Zscaler In today's rapidly advancing...

Criminals Impersonate Interpol in Phishing Emails to Distribute Ransomware

Cybercriminals Masking as Law Enforcement Agencies Launch Phishing Campaign Targeting Businesses In a worrying development...

Argo CD Vulnerability Highlights the Need to Treat GitOps Infrastructure as Tier Zero

Evaluating Security Measures in GitOps Infrastructure: The Insights from Experts In the realm of modern...

The Shadow AI Issue Begins in the C-Suite

Executives Are More Likely to Use Unapproved AI Tools Than Their Teams A recent report...

More like this

Navigating Identity, Access, and Data Protection for AI Agents Webinar

Navigating the Complexities of AI Security: Insights from Okta and Zscaler In today's rapidly advancing...

Criminals Impersonate Interpol in Phishing Emails to Distribute Ransomware

Cybercriminals Masking as Law Enforcement Agencies Launch Phishing Campaign Targeting Businesses In a worrying development...

Argo CD Vulnerability Highlights the Need to Treat GitOps Infrastructure as Tier Zero

Evaluating Security Measures in GitOps Infrastructure: The Insights from Experts In the realm of modern...