HomeCII/OTMUT-1244 for Security Professionals and Adversarial Operators

MUT-1244 for Security Professionals and Adversarial Operators

Published on

spot_img

A threat actor known as MUT-1244 has been actively targeting academics, pentesters, red teamers, security researchers, and other threat actors with the intent of stealing sensitive data such as AWS access keys and WordPress account credentials. The tactics employed by MUT-1244 include phishing emails, the ClickFix tactic, and the use of GitHub repositories containing malicious exploits.

Despite their efforts to remain undetected, MUT-1244 has been somewhat reckless in their activities, allowing researchers from DataDog and Checkmarx to track and connect their operations. The ultimate goal of MUT-1244 is to deliver a payload known as xmrdropper, which not only updates a cryptocurrency miner but also backdoors systems and exfiltrates valuable information.

One of the methods used by MUT-1244 involved scraping email addresses from research papers published on the arXiv open-access archive and sending out phishing emails from October 5 to October 21, 2024. The emails encouraged recipients to install a CPU microcode update by executing a script that was provided.

In a notable development, a ClickFix-type attack was documented for the first time that targeted Linux systems. When victims executed the malicious command from the GitHub repository opencompiled-oss/kernel-patch, the xmrdropper payload was dropped onto their systems.

Additionally, MUT-1244 targeted security researchers and offensive actors by creating malicious GitHub repositories with fake or trojanized PoC exploit code. This led to the download and execution of xmrdropper on the compromised systems. Furthermore, a trojanized GitHub project offered a tool for validating WordPress credentials but also required the installation of a malicious npm package that facilitated the deployment of xmrdropper.

Checkmarx researchers highlighted that the malicious npm package has been hosted on the NPM registry since October 2023 without being flagged as malicious. The malware not only steals sensitive data but also mines cryptocurrency on infected systems, with up to 68 compromised systems actively mining cryptocurrency at the time of investigation.

DataDog researchers have warned that hundreds of victims have been compromised by MUT-1244, with indicators of compromise being shared by both companies to assist potential victims in assessing if they have been affected. This ongoing campaign represents a serious threat to the cybersecurity community, underscoring the importance of vigilance and proactive defense measures against evolving threats.

Source link

Latest articles

The Evolving Role of the CISO as the Future CFO

The Pressing Question of Cybersecurity Assurance: Is the CISO Role Sustainable? In the fast-evolving landscape...

Why the Gentlemen Ransomware Challenges Identity and Recovery Controls

Emerging Threat: The Gentlemen Ransomware Group Targeting Enterprises Globally A recent report by cybersecurity firm...

Chinese Cyberespionage Targets University Roundcube Servers

Espionage Campaign Targets University Departments with Advanced Cyber Tactics A sophisticated cyber-espionage campaign has recently...

Visa Threat Platform Tackles Payment Fraud

Visa Launches Advanced Threat Intelligence Platform to Combat Payment Fraud In a significant move to...

More like this

The Evolving Role of the CISO as the Future CFO

The Pressing Question of Cybersecurity Assurance: Is the CISO Role Sustainable? In the fast-evolving landscape...

Why the Gentlemen Ransomware Challenges Identity and Recovery Controls

Emerging Threat: The Gentlemen Ransomware Group Targeting Enterprises Globally A recent report by cybersecurity firm...

Chinese Cyberespionage Targets University Roundcube Servers

Espionage Campaign Targets University Departments with Advanced Cyber Tactics A sophisticated cyber-espionage campaign has recently...