
Discord attachment downloader

COBALT MIRAGE Conducts Ransomware Operations in U.S.

Secureworks researchers describe campaigns by the Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity's systems and exfiltrated data from a US local government network. Their ransomware operations appear to be low-scale and hands-on, with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries, including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and on commodity tools for encryption, internal scanning, and lateral movement. However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your systems updated, and employ mitigation strategies when updates for critical vulnerabilities are not available.

SYK Crypter Distributing Malware Families Via Discord

Morphisec researchers discovered a new campaign abusing the content distribution network (CDN) of the popular messaging platform Discord. If a targeted user activates the phishing attachment, it starts the DNetLoader malware, which reaches out to a hardcoded Discord CDN link and downloads a next-stage crypter such as the newly discovered SYK crypter. SYK crypter is loaded into memory, where it decrypts its configuration and the next-stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions, checks for a debugging environment, achieves persistence through the startup folder, and runs the payload using the process hollowing technique. For final payloads the actors used the RedLine stealer and various remote access trojans: AsyncRAT, NanoCore RAT, njRAT, QuasarRAT, and WarzoneRAT. As threat actors increasingly abuse popular cloud services, it is not always feasible to block all their staging domains.