04 December 2024

Weekly Summary of Cyberattacks, 28 Nov-04 Dec

North Korean threat group Kimsuky uses Russian email addresses for credential-stealing attacks 

The North Korean hacker group Kimsuky has been linked to a series of phishing attacks in which fraudulent emails sent from Russian addresses are used to steal credentials. Until early September the emails were sent from mail services in Japan and Korea; from that month onwards they came from Russian addresses, using domains such as mail.ru and bk.ru and others associated with VK and Mail.ru. The emails pretended to be from financial institutions and internet portals such as Naver, and included malicious links to trick users. In some cases the attacks mimicked Naver's MYBOX cloud storage service, urging users to urgently delete files flagged as malicious.

Two new malware families discovered: Venom Loader and RevC2, attributed to the Venom Spider threat group

Cybersecurity researchers have identified two new malware families, RevC2 and Venom Loader, used in campaigns between August and October 2024. These threats, developed by the Venom Spider group, known for offering Malware-as-a-Service (MaaS) tools, reflect an evolution in cybercrime tactics. RevC2, distributed via decoy API documentation, uses WebSockets to communicate with its command and control (C2) servers, steals cookies and passwords, and executes remote code. Venom Loader, deployed via a cryptocurrency transaction lure, loads custom malware such as the ‘More_eggs lite’ backdoor, which has remote execution capabilities. Both campaigns rely on malicious files, such as LNK and BAT scripts, that decrypt and execute the payloads.

New phishing campaign uses damaged Word documents   

Researchers have detected an innovative phishing campaign that exploits Microsoft Word's document recovery feature. Attackers send corrupted Word files as attachments in emails disguised as communications from payroll and human resources departments. Although the files are corrupted, Word can still recover them, displaying a document that prompts the user to scan a QR code; the code leads to a phishing site that imitates a Microsoft login page. The aim is to steal victims' credentials.

Cyber-attack exploits official React Native documentation to distribute malicious package   

A recently discovered cyber-attack exploited the official React Native documentation to distribute a malicious package. React Native is an open-source development framework for building mobile apps for iOS and Android using JavaScript and the React library. An attacker published a package called ‘rtn-centered-text’ in the npm registry, copying the name from an example in the official React Native guide on native Fabric components, a feature of this framework. The attack relied on a minor inaccuracy in the guide's package upgrade instructions, which recommended running ‘yarn upgrade rtn-centered-text’. That command queries the npm registry before looking at local files, which allowed the attacker's package to appear as a legitimate upgrade. The problem was spotted by a community member, who quickly raised the alarm.
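The underlying risk above is a locally developed package declared in package.json with a bare version specifier, so that an upgrade command resolves it from the public registry instead of the local directory. The following check, an added example that is not part of the original write-up or of the React Native project, flags exactly that situation; the package.json contents and the set of local package names are constructed samples, and the specifier prefixes treated as "local" are an assumption about common package-manager conventions.

```python
import json
from pathlib import Path

# Specifier forms that resolve to local code rather than to a registry lookup
# (assumed set of common npm/yarn conventions, not an exhaustive list).
LOCAL_PREFIXES = ("file:", "link:", "workspace:", "portal:", "./", "../", "/")


def is_local_specifier(spec: str) -> bool:
    """True if a dependency specifier points at local source instead of a registry."""
    return spec.startswith(LOCAL_PREFIXES)


def find_registry_shadowed_deps(package_json: dict, local_package_names: set) -> list:
    """Return dependency names that exist as local packages but are declared with a
    registry-style specifier (e.g. "0.0.1"), so an upgrade would fetch a same-named
    package from the public npm registry instead of the local directory."""
    flagged = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in package_json.get(section, {}).items():
            if name in local_package_names and not is_local_specifier(spec):
                flagged.append(name)
    return sorted(flagged)


def local_package_names_under(root: Path) -> set:
    """Collect the 'name' field of every package.json in the tree, skipping node_modules."""
    names = set()
    for pj in root.rglob("package.json"):
        if "node_modules" in pj.parts:
            continue
        try:
            name = json.loads(pj.read_text(encoding="utf-8")).get("name")
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to compare against
        if name:
            names.add(name)
    return names


# Constructed sample: an app manifest and the names of packages kept in the repo.
SAMPLE_APP_PACKAGE_JSON = {
    "name": "my-app",
    "dependencies": {
        "react-native": "*",
        "rtn-centered-text": "0.0.1",                 # bare version: registry-resolvable
        "rtn-local-widget": "file:../RTNLocalWidget",  # explicitly local
    },
}
SAMPLE_LOCAL_NAMES = {"rtn-centered-text", "rtn-local-widget"}

if __name__ == "__main__":
    print(find_registry_shadowed_deps(SAMPLE_APP_PACKAGE_JSON, SAMPLE_LOCAL_NAMES))
```

Running `local_package_names_under(Path("."))` in a real checkout supplies the second argument; any name the check returns should be re-declared with a local specifier before anyone runs an upgrade command.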

'CleverSoar', a sophisticated malware targeting users in China and Vietnam, detected   

In early November, cybersecurity researchers identified a new malware installer, called CleverSoar, designed to target Chinese- and Vietnamese-speaking users. The malware deploys advanced components such as the Winos4.0 framework and the Nidhogg rootkit, which are used for espionage through keylogging, data exfiltration and remote control of the system. It selects its victims by checking the operating system's language settings, and stops executing if it does not detect Chinese or Vietnamese. CleverSoar is distributed via MSI files disguised as legitimate software, such as game-related applications. It also uses complex evasion techniques, such as detecting virtual environments, disabling Windows defenses and manipulating system privileges, establishes persistence through scheduled tasks, and disables the Windows firewall to hide its activity.