HomeCII/OTMUT-1244 for Security Professionals and Adversarial Operators

MUT-1244 for Security Professionals and Adversarial Operators

Published on

spot_img

A threat actor known as MUT-1244 has been actively targeting academics, pentesters, red teamers, security researchers, and other threat actors with the intent of stealing sensitive data such as AWS access keys and WordPress account credentials. The tactics employed by MUT-1244 include phishing emails, the ClickFix tactic, and the use of GitHub repositories containing malicious exploits.

Despite their efforts to remain undetected, MUT-1244 has been somewhat reckless in their activities, allowing researchers from DataDog and Checkmarx to track and connect their operations. The ultimate goal of MUT-1244 is to deliver a payload known as xmrdropper, which not only updates a cryptocurrency miner but also backdoors systems and exfiltrates valuable information.

One of the methods used by MUT-1244 involved scraping email addresses from research papers published on the arXiv open-access archive and sending out phishing emails from October 5 to October 21, 2024. The emails encouraged recipients to install a CPU microcode update by executing a script that was provided.

In a notable development, a ClickFix-type attack was documented for the first time that targeted Linux systems. When victims executed the malicious command from the GitHub repository opencompiled-oss/kernel-patch, the xmrdropper payload was dropped onto their systems.

Additionally, MUT-1244 targeted security researchers and offensive actors by creating malicious GitHub repositories with fake or trojanized PoC exploit code. This led to the download and execution of xmrdropper on the compromised systems. Furthermore, a trojanized GitHub project offered a tool for validating WordPress credentials but also required the installation of a malicious npm package that facilitated the deployment of xmrdropper.

Checkmarx researchers highlighted that the malicious npm package has been hosted on the NPM registry since October 2023 without being flagged as malicious. The malware not only steals sensitive data but also mines cryptocurrency on infected systems, with up to 68 compromised systems actively mining cryptocurrency at the time of investigation.

DataDog researchers have warned that hundreds of victims have been compromised by MUT-1244, with indicators of compromise being shared by both companies to assist potential victims in assessing if they have been affected. This ongoing campaign represents a serious threat to the cybersecurity community, underscoring the importance of vigilance and proactive defense measures against evolving threats.

Source link

Latest articles

Hackers Exploit Trusted Microsoft Domain and One-Time Codes to Hijack Corporate Accounts

Rising Phishing Threat Exploits Microsoft Authentication Flows A new phishing technique has surfaced, capitalizing on...

NCA Warns Parents About Exploitation of Shared Child Photos by AI

The National Crime Agency (NCA) has initiated a significant campaign aimed at educating parents...

Single Points of Failure Are Problematic: The SaaS Layer Is No Exception

Lessons in IT Resilience: The Inevitable Nature of Failure and the Case for Redundancy In...

AI Isn’t Bridging the Skills Gap — It’s Highlighting the Validation Gap

AI and Cybersecurity: A Growing Concern Amidst Rapid Deployment The advent of artificial intelligence (AI)...

More like this

Hackers Exploit Trusted Microsoft Domain and One-Time Codes to Hijack Corporate Accounts

Rising Phishing Threat Exploits Microsoft Authentication Flows A new phishing technique has surfaced, capitalizing on...

NCA Warns Parents About Exploitation of Shared Child Photos by AI

The National Crime Agency (NCA) has initiated a significant campaign aimed at educating parents...

Single Points of Failure Are Problematic: The SaaS Layer Is No Exception

Lessons in IT Resilience: The Inevitable Nature of Failure and the Case for Redundancy In...