A New Species "Cisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, we attribute to an advanced persistent threat actor (APT) we’re calling “LilacSquid.” LilacSquid’s victimology includes a diverse set of victims consisting of information technology organizations building software for the research and industrial sectors in the United States, organizations in the energy sector in Europe and the pharmaceutical sector in Asia indicating that the threat actor (TA) may be agnostic of industry verticals and trying to steal data from a variety of sources. This campaign uses MeshAgent, an open-source remote management tool, and a customized version of QuasarRAT we’re calling “PurpleInk” to serve as the primary implants after successfully compromising vulnerable application servers exposed to the internet. This campaign leverages vulnerabilities in public-facing application servers and compromised remote desktop protocol (RDP) credentials to orchestrate the deployment of a variety of open-source tools, such as MeshAgent and SSF, alongside customized malware, such as "PurpleInk," and two malware loaders we are calling "InkBox" and "InkLoader.” The campaign is geared toward establishing long-term access to compromised victim organizations to enable LilacSquid to siphon data of interest to attacker-controlled servers."
Jonathan Care’s Post
More Relevant Posts
-
Cisco Talos discloses new data theft campaign “LilacSquid” targeting information technology organizations building software for the research and industrial sectors in the United States, organizations in the energy sector in Europe and the pharmaceutical sector in Asia. This campaign uses MeshAgent, an open-source remote management tool, and a customized version of QuasarRAT we’re calling “PurpleInk”. This campaign leverages vulnerabilities in public-facing application servers and compromised remote desktop protocol (RDP) credentials to orchestrate the deployment of a variety of open-source tools, such as MeshAgent and SSF, alongside customized malware, such as "PurpleInk," and two malware loaders we are calling "InkBox" and "InkLoader.”
LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader
blog.talosintelligence.com
-
Cisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, we attribute to an advanced persistent threat actor (APT) we’re calling “LilacSquid.” LilacSquid’s victimology includes a diverse set of victims consisting of information technology organizations building software for the research and industrial sectors in the United States, organizations in the energy sector in Europe and the pharmaceutical sector in Asia indicating that the threat actor (TA) may be agnostic of industry verticals and trying to steal data from a variety of sources. This campaign uses MeshAgent, an open-source remote management tool, and a customized version of QuasarRAT we’re calling “PurpleInk” to serve as the primary implants after successfully compromising vulnerable application servers exposed to the internet. This campaign leverages vulnerabilities in public-facing application servers and compromised remote desktop protocol (RDP) credentials to orchestrate the deployment of a variety of open-source tools, such as MeshAgent and SSF, alongside customized malware, such as "PurpleInk," and two malware loaders we are calling "InkBox" and "InkLoader.” The campaign is geared toward establishing long-term access to compromised victim organizations to enable LilacSquid to siphon data of interest to attacker-controlled servers. Read the full 'Dragon News Byte' #DNB from Team Cymru: https://lnkd.in/dC-hDmii #infosec #threatintel #threatintelligence #cybersec #cybersecurity
LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader
blog.talosintelligence.com
-
The newly identified cyber espionage group LilacSquid has been conducting data theft campaigns since 2021, targeting sectors in the U.S., Europe, and Asia. Victims include IT firms in the U.S., European energy companies, and more. LilacSquid gains long-term access to victims' systems by exploiting known vulnerabilities in internet-facing applications or using compromised RDP credentials. They deploy tools like MeshAgent, which installs a modified Quasar RAT called PurpleInk. In some cases, RDP credentials lead to deploying InkLoader, which subsequently installs PurpleInk. PurpleInk is versatile, enabling file operations, system information retrieval, remote shell access, and command-and-control connections. LilacSquid's tactics mirror those of North Korean APT groups, notably the Andariel subgroup of Lazarus. They also use Secure Socket Funneling (SSF) to maintain secondary access. The campaign's comprehensive use of open-source and custom malware tools emphasizes its advanced, persistent threat nature. https://lnkd.in/gfvrVpGr
Cyber Espionage Alert: LilacSquid Targets IT, Energy, and Pharma Sectors
thehackernews.com
-
A new data theft campaign orchestrated by the advanced persistent threat (APT) actor "#LilacSquid" has been uncovered. Here's what you need to know:
1. LilacSquid's targets span across continents and industries, indicating a broad victimology strategy aimed at pilfering data from various sectors worldwide.
2. Utilizing open-source tools like MeshAgent and customized malware such as "PurpleInk," LilacSquid infiltrates vulnerable application servers and compromised RDP credentials to establish long-term access.
3. LilacSquid employs two primary infection chains - exploiting web app vulnerabilities and compromised RDP credentials - showcasing sophisticated tactics akin to North Korean APT groups like Andariel and Lazarus.
Read more: https://lnkd.in/dCDeNhyJ #CyberSecurity #DataTheftThreats #malware #PurpleInk
Researchers Uncover New Data Theft Campaign of Advanced Threat Actor ‘LilacSquid’
thecyberexpress.com
-
Ngioweb Remains Active 7 Years Later

Executive Summary
Seven years after its first appearance, the proxy server botnet Ngioweb continues its impactful presence on the internet with barely any relevant changes in its original code. Threat actors have continued to actively use Ngioweb extensively to scan for vulnerable devices (including a new arsenal of exploits) which can be turned into new proxies. All infected systems are then sold in the black market for pennies as residential proxies via Nsocks.

Key Takeaways:
- Nsocks offers 30,000 IPs globally and sells them for prices under $1.50 for 24 hours of access.
- The main targets are residential ISP users, representing more than 75% of the infected users.
- The threat actors behind Ngioweb are using dedicated scanners per vulnerability/device to avoid exposing their whole arsenal.
- Linear eMerge, Zyxel routers, and Neato vacuums are some of the most targeted devices, but there are many other routers, cameras, and access control systems being targeted.

Ngioweb Background
In August 2018, Check Point published a report and deep analysis on a new multifunctional proxy server botnet named Ngioweb. The proxy service was being loaded by the banking malware family Ramnit. In their report, Check Point reported that the first sample was observed in the second half of 2017. After the publication of that initial report, additional articles were released. Netlab wrote two blogs that took a deep-dive into the available Ngioweb samples, describing the domain generating algorithm (DGA), communication protocols, command and control (C&C) infrastructure, exploited CVEs for D-Link and Netgear devices, its updated features, and more. For details on the nature of Ngioweb, read Netlab's blog which includes coverage that remains valid today. Most recently, in 2024 TrendMicro reported how cybercriminals and nation states are leveraging residential proxy providers to perform malicious actions.
For example, one of these nation-state actors, Pawn Storm, had been using a network of hundreds of small office and home office (SOHO) routers through January 2024, when the FBI neutralized part of the botnet. During TrendMicro's investigation of several EdgeOS infected systems, they identified that in addition to Pawn Storm, the Canadian Pharmacy gang and a threat actor using Ngioweb malware were also abusing the infected device.

Malware Analysis
This last spring 2024, LevelBlue Labs identified scanning activity on vulnerable devices and those devices were carrying Ngioweb as the delivered payload. Depending on the targeted system, the exploit used a downloader for several CPU architectures or directly contained the specific payload for the targeted system. One of the samples obtained during 2024 (be285b77211d1a33b7ae1665623a9526f58219e20a685b6548bc2d8e857b6b44) allowed LevelBlue Labs to determine that the Ngioweb trojan our researchers identified works very similarly to how Ngioweb worked in 2019, with only a few, s
https://cybrmonk.com/ngioweb-remains-active-7-years-later
cybrmonk.com
-
Recently, BlackBerry published an in-depth article on the evolution of LightSpy spyware, a tool linked to the Chinese cyber-espionage group APT41, also known as "Double Dragon." While the article highlights advancements in LightSpy, let's explore the broader implications of this threat actor's operations and their impact on cybersecurity.

APT41: Beyond LightSpy
APT41 is a highly adaptive group associated with China's Ministry of State Security (MSS). It is known for combining state-sponsored espionage and financially motivated cybercrime, and its operations are prolific and multifaceted.

Key Capabilities:
1. Modular Malware Frameworks: APT41's portfolio, including LightSpy and DeepData, leverages modular designs to target multiple platforms (Windows, Android, iOS), enabling credential theft, communication monitoring, and more.
2. Sophisticated Tactics: Utilising watering hole attacks, trojanized apps, and phishing campaigns, APT41 efficiently delivers malware, often bypassing early detection mechanisms.
3. Strategic Targeting: Focusing on Asia-Pacific, the group targets industries like telecommunications, healthcare, and technology, as well as individuals such as political activists and journalists.
4. Advanced Data Collection: Tools like DeepData enable the exfiltration of credentials, communications, geolocation, and sensitive files, aligning with state-sponsored intelligence goals.

Why LightSpy Matters
LightSpy and DeepData signify a shift toward modular malware frameworks. Their capabilities go beyond traditional spyware by integrating plugins for tasks like keystroke logging, browser data extraction, and cross-platform surveillance. This sophistication challenges traditional cybersecurity defences, necessitating new approaches.

Broader Implications
1. Cross-Platform Threats: The ability to target diverse devices underscores the need for unified security solutions across mobile, desktop, and IoT ecosystems.
2. Economic Espionage: APT41's activities align with strategic national interests, leveraging stolen data for economic and technological advantage.
3. Persistent Infrastructure: With evolving command-and-control (C2) systems and frequent updates, APT41 demonstrates a commitment to long-term operations.

What Organizations Can Do
1. Adopt Zero Trust Architectures: Segregate sensitive systems and enforce strict access controls to limit breaches.
2. Enhance Detection: CTAM can serve as a robust shield against advanced persistent threats (APTs), ensuring businesses remain secure in an ever-evolving cyber landscape.
3. Patch Regularly: Update software and devices to close vulnerabilities often exploited by attackers.

Connect with 63SATS Sales team to understand how we can protect your organization. #CyberSecurity #APT41 #LightSpy #63SATS #CTAM https://lnkd.in/gS3jD_XT
LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign
blogs.blackberry.com
-
Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware. The attack chains involve distributing a ZIP archive file named "crowdstrike-hotfix.zip," which contains a malware loader named Hijack Loader (aka DOILoader or IDAT Loader) that, in turn, launches the Remcos RAT payload. Specifically, the archive file also includes a text file ("instrucciones.txt") with Spanish-language instructions that urge targets to run an executable file ("setup.exe") to recover from the issue. "Notably, Spanish filenames and instructions within the ZIP archive indicate this campaign is likely targeting Latin America-based (LATAM) CrowdStrike customers," the company said, attributing the campaign to a suspected e-crime group. On Friday, CrowdStrike acknowledged that a routine sensor configuration update pushed to its Falcon platform for Windows devices on July 19 at 04:09 UTC inadvertently triggered a logic error that resulted in a Blue Screen of Death (BSoD), rendering numerous systems inoperable and sending businesses into a tailspin. https://lnkd.in/gP4fnVJn
Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware
thehackernews.com
-
Indicators of Compromise

Malicious actors operating covertly within networks, gathering information, and establishing botnets are well-known phenomena. On average, these actors remain undetected for approximately 90 days before discovery. During this period, they execute various activities, including data exfiltration, persistence maintenance, and malware deployment, among potentially other actions. Although identifying breaches may seem straightforward in theory, it often proves challenging in practice. This is where indicators of compromise (IOCs) become invaluable. They serve as crucial components of digital forensics, signaling potential breaches. IOCs are instrumental for threat hunters and analysts in uncovering malicious activities. These indicators can be obtained through various means, including past incident analyses, open-source intelligence (OSINT), closed-source intelligence (CSINT), or formulated based on hypotheses derived from threat hunting efforts.

Let's look at a few examples...

RDP - Not unusual on any network, and we see that from administrative endpoints to user endpoints. What about from a user to an admin endpoint? It could be the system admin at a user's desk reaching back for a file or tool, or could it?
Outbound traffic - Tens of thousands of packets an hour. Not at all unusual to see GET requests to web sites. But what about large outbound data to a site like Pastebin?
DNS - Again, another normal protocol to see. In larger organizations you'll have a DNS server, or it could be the gateway, maybe Google. But what about unusual domains like "gjij46.com" or "12.102.64.155.jker65k.com"? Maybe an increase in volume of DNS activity, or increased number of failures.
Scripts - It's not unusual to see PowerShell, Bash, or Python scripts running. Suppose you pull Windows system logs and find several Event 4104's? Looking at the script block shows that PowerShell is executing 7Zip.
File requests - Again, nothing unusual here. How about large numbers of file requests for the same file?

This is a concise list of IOCs and is not intended to be exhaustive. Many modern solutions are capable of identifying a significant portion of these indicators. However, it is important to recognize that threat actors often strive to maintain stealth and employ various techniques to evade detection, such as recompiling malware or employing encryption. Additionally, they may utilize methods like unhooked processes. Vigilance and comprehensive security measures are essential in mitigating these risks. Just some things to get the mind working! Stay safe, stay alert. #cybersecurity #threathunting #securityawareness
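The five heuristics in the post above can be expressed as simple rules over telemetry. The following is an added example written for this page, not code from the post's author: it runs those rules over constructed log records (a user-to-admin RDP session, a large POST to a paste site, the two odd domain names the post quotes, a PowerShell script-block event 4104 that invokes 7-Zip, many hosts requesting one file, and a burst of NXDOMAIN answers). The user subnet, admin address, thresholds and the "digits mixed with letters" domain heuristic are assumptions chosen for the demonstration, not standards.

```python
"""Toy triage of the five IOC heuristics from the post, run over constructed log records."""
import re
from collections import Counter

# Environment assumptions (hypothetical): user endpoints sit in 10.20.0.0/16,
# 10.10.0.5 is an admin endpoint, and bulk uploads to paste sites are unexpected.
USER_PREFIX = "10.20."
ADMIN_HOSTS = {"10.10.0.5"}
PASTE_SITES = {"pastebin.com"}
UPLOAD_BYTES = 1_000_000        # outbound bytes in one request that count as "large"
FILE_REQUEST_THRESHOLD = 10     # requests for one file that count as unusual
DNS_FAILURE_THRESHOLD = 3       # NXDOMAIN answers per source that count as a spike

# Constructed sample records (no real network); the two odd domains are the post's own examples.
EVENTS = [
    {"type": "rdp", "src": "10.20.1.17", "dst": "10.10.0.5"},      # user -> admin endpoint
    {"type": "rdp", "src": "10.10.0.5", "dst": "10.20.1.17"},      # admin -> user, expected
    {"type": "http", "src": "10.20.1.17", "host": "pastebin.com",
     "method": "POST", "bytes_out": 48_000_000},
    {"type": "http", "src": "10.20.1.18", "host": "example.com",
     "method": "GET", "bytes_out": 600},
    {"type": "dns", "src": "10.20.1.17", "qname": "gjij46.com", "rcode": "NOERROR"},
    {"type": "dns", "src": "10.20.1.17", "qname": "12.102.64.155.jker65k.com", "rcode": "NOERROR"},
    {"type": "dns", "src": "10.20.1.18", "qname": "www.microsoft.com", "rcode": "NOERROR"},
    {"type": "winlog", "src": "10.20.1.17", "event_id": 4104,
     "script_block": r"& 'C:\Program Files\7-Zip\7z.exe' a -pSECRET out.7z C:\Users\alice\Documents"},
    {"type": "winlog", "src": "10.20.1.18", "event_id": 4104,
     "script_block": "Get-Process | Where-Object CPU -gt 50"},
]
# Fifteen different hosts pulling the same file, and four failed lookups from one host.
EVENTS += [{"type": "file", "src": f"10.20.1.{i}", "path": r"\\fs01\share\payroll.xlsx"}
           for i in range(30, 45)]
EVENTS += [{"type": "dns", "src": "10.20.1.17", "qname": f"host{i}.corp.local", "rcode": "NXDOMAIN"}
           for i in range(4)]

IPV4_PREFIX = re.compile(r"^(\d{1,3}\.){3}\d{1,3}\.")   # an IPv4 address used as leading labels


def suspicious_domain(qname: str) -> bool:
    """Heuristic (an assumption, not a standard): flag names that embed an IPv4 address as
    labels, or whose registrable label mixes at least two digits with at least two letters."""
    if IPV4_PREFIX.match(qname):
        return True
    labels = qname.lower().split(".")
    base = labels[-2] if len(labels) >= 2 else labels[0]
    digits = sum(ch.isdigit() for ch in base)
    letters = sum(ch.isalpha() for ch in base)
    return digits >= 2 and letters >= 2


def triage(events):
    """Return (rule, subject, detail) alerts for the records that match a heuristic."""
    alerts = []
    file_counts = Counter(e["path"] for e in events if e["type"] == "file")
    dns_failures = Counter(e["src"] for e in events
                           if e["type"] == "dns" and e["rcode"] == "NXDOMAIN")
    for e in events:
        kind = e["type"]
        if kind == "rdp" and e["src"].startswith(USER_PREFIX) and e["dst"] in ADMIN_HOSTS:
            alerts.append(("rdp_user_to_admin", e["src"], e["dst"]))
        elif (kind == "http" and e["host"] in PASTE_SITES and e["method"] == "POST"
              and e["bytes_out"] > UPLOAD_BYTES):
            alerts.append(("large_upload_to_paste_site", e["src"], e["host"]))
        elif kind == "dns" and suspicious_domain(e["qname"]):
            alerts.append(("suspicious_dns_name", e["src"], e["qname"]))
        elif (kind == "winlog" and e["event_id"] == 4104
              and re.search(r"\b7z(\.exe)?\b", e["script_block"], re.IGNORECASE)):
            alerts.append(("powershell_runs_7zip", e["src"], "event 4104"))
    # Aggregate rules run after the per-record pass.
    for path, n in file_counts.items():
        if n >= FILE_REQUEST_THRESHOLD:
            alerts.append(("repeated_file_requests", path, n))
    for src, n in dns_failures.items():
        if n >= DNS_FAILURE_THRESHOLD:
            alerts.append(("dns_failure_spike", src, n))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in triage(EVENTS):
        print(f"{rule:28} {subject:32} {detail}")
```

Each rule is deliberately coarse, as the post says: a user-to-admin RDP session or a 7-Zip invocation from PowerShell is a prompt for an analyst to look, not proof of compromise, so the script returns alerts for review rather than blocking anything. The aggregate rules (repeated file requests, NXDOMAIN spikes) need the whole window of records, which is why they run after the per-record pass.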
-
Breaking News: Operation Crimson Palace 🚨

According to the Sophos report, Operation Crimson Palace was marked by the use of new malware tools, over 15 dynamic link library (DLL) sideloading efforts, and innovative evasion techniques. The attackers, organised into three distinct threat clusters, each played specialised roles in the broader attack chain, likely under the direction of a single entity. This meticulous teamwork enabled the theft of a significant volume of files and emails, including strategic documents related to the contested South China Sea, a region of long-standing territorial disputes between the unidentified government and China. Chinese APTs have historically shared infrastructure and malicious code, but the level of inter-APT collaboration seen in Operation Crimson Palace is unprecedented.

The operation's origins trace back to March 2022, when the Mustang Panda group deployed the "Nupakage" data exfiltration tool on the victim's network. In December of the same year, DLL stitching was used to covertly deploy backdoors against targeted domain controllers.

Cluster Alpha: From March to August 2023, this group conducted reconnaissance, mapping server subnets, identifying administrator accounts, and probing Active Directory infrastructure. They disabled antivirus protections using a variant of the Eagerbee backdoor from Emissary Panda and leveraged five different malware tools for command and control (C2).
Cluster Bravo: Active for only a few weeks in March 2023, Cluster Bravo spread laterally using legitimate accounts, establishing C2 communications and dumping credentials with a novel backdoor called CCoreDoor.
Cluster Charlie: Operating from March 2023 to April 2024, this group specialised in access management, performing network ping sweeps to map users and endpoints, and capturing credentials from domain controllers. They used a novel backdoor named PocoProxy for C2 purposes and exfiltrated large volumes of sensitive data.

Sophos researchers noted that the tools and infrastructure used in Operation Crimson Palace overlap with those of several known Chinese threat actors, including Worok and the APT41 subgroup Earth Longzhi. While the evidence strongly suggests Chinese government involvement, Sophos refrained from attributing the attack to a specific group. Chester Wisniewski, director and global field CTO at Sophos, emphasised that focusing too much on attribution can be counterproductive. He pointed out that multiple groups might share stolen credentials and tools, making it difficult to predict future attacks based on past activity. "Once you're breached by one of these adversaries, all bets are off," Wisniewski said. "You have to assume all those things are happening."

Visit www.convergex.co.uk for expert cybersecurity services including malware detection, security training, and more. #Convergex #WebDevelopment #CybersecurityAwareness #CyberEssentials #SecurityTraining #MalwareDetection
-
Villain or Hero? 🤔 TryHackMe AOC-24 Day 1 & 2

In the tech-savvy town of Wareville, the much-anticipated SOC-mas 🎄 celebration was just around the corner. But underneath the festive excitement, something dark was brewing. Mayor Malware 🦠, the town's seemingly charming leader, had a hidden agenda: he plotted to sabotage the celebration and take full control over the town's digital infrastructure. McSkidy Software, the town's brilliant cybersecurity expert, traces suspicious activity. This investigation revealed a cleverly disguised malware campaign hidden behind a seemingly legitimate YouTube-to-MP3 converter. By analyzing suspicious files, we uncovered a malicious PowerShell script designed to steal sensitive data. The script's signature, "Created by the one and only M.M.," became a vital clue, leading us to GitHub repositories linked to the attacker.

As McSkidy analyzed the logs, she uncovered a series of failed login attempts, clear signs of a brute-force attack. One attempt succeeded, using the account service_admin, followed by coordinated PowerShell commands firing across multiple machines. At first, it seemed malicious, but a closer look revealed the commands were enforcing critical Windows updates. Tracing the source, McSkidy realized it wasn't an attack but someone defending the town from the shadows. The Glitch, an elusive figure residing on Mount Hackit, was a mystery to most, feared and misunderstood by the residents. But in reality, he was the town's hidden guardian. The people of Wareville were unaware that their protector.

Meanwhile, deeper analysis uncovered the real culprit: Mayor Malware. Poor OPSEC practices, like reusing handles and leaving incriminating metadata, exposed their identity and provided insight into their operations. This case emphasized how even small mistakes can unravel a cybercriminal's cover, reinforcing the importance of thorough digital investigations. #Tryhackme #AdventOfCyber24 #OPSEC #LogAnalysis #SOC #CyberSecurity #ELK