A new Linux backdoor named “SprySOCKS” has been identified by cybersecurity company Trend Micro. The backdoor is being used by the China-aligned threat actor known as “Earth Lusca” and is based on the open-source Windows malware Trochilus. According to Trend Micro, SprySOCKS is still under development, as evidenced by the presence of two different version numbers within the payloads. The backdoor appears to have drawn inspiration from the Linux variant of the Derusbi malware and is primarily targeting public-facing servers belonging to government departments involved in foreign affairs, technology, and telecommunications. The threat actor is focusing on countries in Southeast Asia, Central Asia, and the Balkans.
In other news, Microsoft has issued a warning about an ongoing Iranian cyberespionage campaign dubbed “Peach Sandstorm.” Microsoft, which previously tracked the campaign as “HOLMIUM,” reveals that Peach Sandstorm has been conducting password-spraying campaigns against thousands of organizations since February 2023. The campaign primarily targets organizations in the satellite, defense, and pharmaceutical sectors, with the objective of espionage. In some instances, the threat actor has successfully breached organizations and exfiltrated data. Of particular concern is the use of legitimate credentials obtained through password spray attacks, which allows Peach Sandstorm to authenticate to targets’ systems, persist within their environments, and deploy additional tools. The campaign also involves the creation of new Azure subscriptions to carry out attacks in other organizations’ environments.
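Password spraying shows up in sign-in telemetry as one source trying a small number of passwords against many distinct accounts, with only one or two failures per account, sometimes followed by a successful sign-in from the same source once a valid credential is found. The following Python snippet is an added example of that detection logic and is not code from Microsoft or from the Peach Sandstorm report; the sign-in records, IP addresses, account names and thresholds are constructed for illustration, and a real deployment would read the same fields from identity-provider logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: (timestamp, source IP, account, result).
# 203.0.113.7 sprays one password across six accounts and then succeeds on
# "frank"; 198.51.100.4 is a single user mistyping a password; 192.0.2.10 is
# a normal successful sign-in. None of these values come from the report.
SAMPLE_EVENTS = [
    ("2023-09-01T10:00:01", "203.0.113.7", "alice", "failure"),
    ("2023-09-01T10:00:03", "203.0.113.7", "bob", "failure"),
    ("2023-09-01T10:00:05", "203.0.113.7", "carol", "failure"),
    ("2023-09-01T10:00:07", "203.0.113.7", "dave", "failure"),
    ("2023-09-01T10:00:09", "203.0.113.7", "erin", "failure"),
    ("2023-09-01T10:00:11", "203.0.113.7", "frank", "failure"),
    ("2023-09-01T10:02:30", "203.0.113.7", "frank", "success"),
    ("2023-09-01T10:01:00", "198.51.100.4", "bob", "failure"),
    ("2023-09-01T10:01:20", "198.51.100.4", "bob", "failure"),
    ("2023-09-01T10:01:40", "198.51.100.4", "bob", "success"),
    ("2023-09-01T10:03:00", "192.0.2.10", "grace", "success"),
]


def parse_events(rows):
    """Convert ISO timestamps to datetime objects; other fields pass through."""
    return [(datetime.fromisoformat(ts), ip, user, result)
            for ts, ip, user, result in rows]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_failures_per_account=2.0):
    """Flag source IPs whose failed sign-ins touch many distinct accounts
    with few attempts per account inside a sliding time window.

    Returns {ip: {"accounts_targeted", "attempts", "followed_by_success"}}.
    A single account with many failures (brute force or a forgetful user)
    is deliberately not flagged here; that is a different detection.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, rows in by_ip.items():
        failures = [(ts, user) for ts, user, r in rows if r == "failure"]
        # Slide the window start over each failure; events are time-sorted.
        for i, (start, _) in enumerate(failures):
            in_window = [u for ts, u in failures[i:] if ts - start <= window]
            distinct = set(in_window)
            if not distinct:
                continue
            ratio = len(in_window) / len(distinct)
            if len(distinct) >= min_accounts and ratio <= max_failures_per_account:
                # A success from the same source after the spray started is
                # the "legitimate credential" case worth escalating first.
                successes = sorted({u for ts, u, r in rows
                                    if r == "success" and ts >= start})
                findings[ip] = {
                    "accounts_targeted": len(distinct),
                    "attempts": len(in_window),
                    "followed_by_success": successes,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(parse_events(SAMPLE_EVENTS)).items():
        print(ip, finding)
```

The thresholds (five distinct accounts, at most two failures per account, ten-minute window) are starting points, not tuned values; in practice they are set against a baseline of the tenant's normal failure rate, and the `followed_by_success` list is what turns the alert into an incident, since it names the accounts whose credentials should be reset and whose sessions should be revoked.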
Microsoft is also shining a spotlight on cyber threats originating from East Asia. The company’s research indicates that Chinese influence operations have become more effective over the past year, with China-aligned social media networks engaging directly with authentic users on social media platforms and posing as American voters. The Chinese state-affiliated multilingual social media influencer initiative has also successfully engaged target audiences in over 40 languages, accumulating an audience of more than 103 million. China’s cyber operations in 2023 have primarily focused on countries surrounding the South China Sea, the US defense industrial base, and critical infrastructure in the US. Meanwhile, North Korean cyber operations have grown more sophisticated, particularly in their efforts to steal information related to maritime technology research.
A recent cryptocurrency theft from CoinEx worth $31 million has been attributed to North Korea’s Lazarus Group by researchers at Elliptic. This is not the first time Elliptic has observed funds stolen from CoinEx being mixed with funds stolen by Lazarus, suggesting a pattern of behavior by the threat actor. Lazarus Group previously engaged in fund laundering using stolen funds from Stake.com. The recent cryptocurrency theft adds to the group’s track record of cybercriminal activities.
Netskope has discovered a new version of the Python-based NodeStealer malware that targets Facebook business accounts. The malware steals not only Facebook credentials but also all available cookies and credentials stored by the victim’s browser. The new variant of NodeStealer is distributed via Facebook Messenger, with the malware payload disguised as an attachment in messages containing images of defective products. Unlike previous campaigns, this version of NodeStealer uses a batch file as the initial payload, deviating from the typical use of an executable.
Security company SentinelOne has published an analysis of MetaStealer, a malware family designed specifically for macOS. MetaStealer is distributed through social engineering techniques and primarily targets business users. This represents a departure from typical macOS malware distribution, which often occurs through torrent sites or suspicious third-party software distributors. Once installed, MetaStealer attempts to exfiltrate data, with a particular focus on stealing passwords from the keychain.
Symantec’s Threat Hunter Team has identified a new ransomware family called “3AM” that has been used in a limited fashion. In one instance, the ransomware was deployed as a fallback by a LockBit affiliate when its attempts to deploy LockBit ransomware were blocked. 3AM was only partially successful, being deployed to three machines on the target’s network and being blocked on two of them. However, the fact that 3AM was used as a fallback indicates that it may be of interest to attackers and could reappear in the future.
Microsoft has released a report outlining the activities of a criminal access broker known as “Storm-0324.” This threat actor uses phishing lures distributed through Microsoft Teams messages to deliver a variety of malware strains, with a particular focus on the Sangria Tempest ransomware. Storm-0324’s email chains are highly evasive and employ traffic distribution systems to tailor user traffic and evade detection by security solutions. The sophistication of the attack methods employed by this financially motivated threat actor is notable.
In conclusion, the cybersecurity landscape continues to be rife with threats and attacks originating from threat actors around the world. These include the activities of Earth Lusca, Peach Sandstorm, Lazarus Group, and the criminal access broker Storm-0324, as well as the NodeStealer and MetaStealer malware families and the 3AM ransomware. Security researchers and organizations must remain vigilant and proactive in their efforts to combat these cyber threats and protect sensitive information and systems from compromise.
