1. SideWinder APT Attacks Pakistan Government
Sangfor FarSight Labs recently reported new attacks conducted by the SideWinder APT group on the government of Pakistan. Sidewinder, also known as APT-C-17 or T-APT-04, is an APT (Advanced Persistent Threat) group from South Asia and has been active since 2012. This group mainly engages in cyber espionage activities targeting Asian countries such as China and Pakistan. In the case of Pakistan, the group mainly targets government and military institutions.
In this latest attack, SideWinder used spear-phishing emails to attack government organizations. The emails contain a PDF attachment named Adv-16-2023, which masquerades as a security advisory issued by the Pakistani Cabinet Division.
The phishing document pretends to be protected by Microsoft Azure Cloud Security and tricks users into downloading a password-protected compressed file. This compressed file contains a malicious LNK file, which downloads the second-stage payload, an HTA script. Through the exploitation of DLL side-loading, the attacker hijacks both the local OneDrive program and its update program, leading to the deployment of Cobalt Strike, a commonly used remote control program in penetration testing to take control of the compromised machine. The scheduled task for OneDrive's regular updates on the user's machine becomes a persistent item used by SideWinder to maintain a foothold. This attack process differs significantly from previously disclosed attacks, as it is simpler and has lower sample production costs.
Read the full article here.
2. Over 100,000 ChatGPT Accounts Compromised by Infostealers
Over the past year, 101,134 devices running ChatGPT accounts have been compromised by information stealer (infostealer) malware traded on the dark web. This is according to an article from Group-IB published on June 20.
Infostealers are designed to extract various types of sensitive information from web browsers installed on compromised computers. This includes saved credentials, bank card details, crypto wallet information, cookies, browsing history, as well as data from instant messengers, emails, and detailed device information. The stolen data is then sent to the malware operator.
The Group-IB article found that the Raccoon Stealer was responsible for breaching the highest number of accounts, with 78,348 affected, followed by the Vidar and
RedLine stealers, which impacted 12,984 and 6,773 accounts respectively. The prevalence of Raccoon stealer comes despite the decline of the group behind its development. This indicates that infostealers remain a significant threat once they are traded on the dark web.
In terms of geographical impact, the Asia-Pacific region suffered the highest number of stolen ChatGPT accounts between June 2022 and May 2023. India accounted for the majority of the stolen accounts, with 12,632 compromised. The remaining countries that make up the top 10 affected are Pakistan, Brazil, Vietnam, Egypt, the United States, France, Morocco, Indonesia, and Bangladesh.
The findings from Group-IB suggest that ChatGPT accounts have gained considerable popularity within underground communities.
3. 8Base Ransomware Group Exposes the Data of 67 Victims
The most recent Threat Pulse report by NCC Group reveals that a significant number of organizations fell victim to ransomware attacks. In May 2023 alone, 436 organizations were affected, representing a 24% increase compared to April 2023 and a substantial 56% increase compared to May 2022. One of the contributing factors to this rise is the 8Base ransomware group, which exposed data from 67 organizations it targeted between April 2022 and May 2023.
According to a recent report by cyber threat intelligence firm, ThreatMon, 8Base is a Ransomware-as-a-Service (RaaS) that has been operational since April 2022. Their primary focus is on small and medium-sized businesses (SMBs) in sectors such as business services, finance, manufacturing, and information technology. The report finds that 8Base has carried out one major attack on Türkiye.
The ransomware group employs a strategy known as double extortion, where they not only encrypt victim data but also steal it. The 8Base ransomware is distributed through various methods, including phishing emails, drive-by downloads, and exploit kits. It is worth noting that the group's communication style bears similarities to that of RansomHouse, another ransomware group that emerged in May 2022.
4. Millions of GitHub Repositories Vulnerable to RepoJacking
In a report released on June 21, cloud-native security company Aqua stated that millions of software repositories on GitHub potentially have a supply chain vulnerability called RepoJacking. This includes repositories from organizations such as Google, Lyft, and others.
RepoJacking allows attackers to take over expired organization or user names and execute malicious code by releasing trojanized versions of repositories. On GitHub, organizations have usernames and repository names, which may be modified in cases of management changes or rebranding. However, the dependencies associated with the old repositories are retained, creating an opportunity for attackers to exploit this vulnerability. They can create users with the same old usernames, compromising the dependencies.
Aqua's research team randomly selected a sample from June 2019, compiling a list of 125 million unique repository names. They extracted 1% of the repositories (1.25 million repository names) and checked each one to determine their vulnerability to RepoJacking attacks. The results showed that 36,983 repositories were vulnerable to RepoJacking, with a success rate of 2.95%. Considering GitHub's official claim of having over 330 million repositories, it can be inferred that millions of repositories are at risk of attack across the entire GitHub platform.
5. Trojanized Super Mario Game Used to Spread Malware
According to a June 25 report from BleepingComputer, the game "Super Mario 3: Forever Mario" has been leveraged for spreading malware, resulting in the infection of numerous players' devices.
Researchers from Cyble have discovered that cyber attackers are distributing modified samples of the game's installation program through various channels, including game forums, social media groups, and malicious advertisements.
The trojanized installer is in the form of a self-extracting archive that contains three executables. One executable, named super-mario-forever-v702e.exe, installs the legitimate Mario game, while the other two (java.exe and atom.exe) are secretly installed in the victim's AppData directory during the game installation process. These malicious executables then run an XMR (Monero) miner and a SupremeBot mining client.
The SupremeBot mining client subsequently downloads Umbral Stealer, an open-source information stealer (infostealer) written in C#. It has been available on GitHub since April 2023. Umbral Stealer collects various types of data from the infected Windows device, such as stored passwords, cookies with session tokens from web browsers, credentials, and authentication tokens for platforms like Discord, Minecraft, Roblox, and Telegram. It can also capture screenshots of the victim's desktop and record media using connected webcams. The stolen data is stored locally and later sent to a command-and-control (C2) server for exfiltration.
To avoid detection by Windows Defender, Umbral Stealer disables the program if tamper protection is not enabled. If tamper protection is enabled, it adds its process to Defender's exclusion list. Additionally, the malware modifies the Windows hosts file to interfere with communication between popular antivirus products and their respective company sites, thereby hindering their normal functioning and effectiveness.
