Weekly cyberattack summary, Dec 26 - Jan 2
U.S. sanctions Iranian and Russian entities for election interference with AI and cyber-attacks
The U.S. Treasury Department has sanctioned organizations in Iran and Russia for attempting to interfere in the 2024 presidential election. According to authorities, these entities, linked to the Islamic Revolutionary Guard Corps (IRGC) and Russia's Main Intelligence Directorate (GRU), used disinformation and artificial intelligence tools to divide the population and manipulate election results. In particular, Iran was singled out for cyberespionage operations and hacks aimed at obtaining sensitive data, while Russia, through the Geopolitical Expertise Center, employed generative AI to create fake content disseminated on websites pretending to be legitimate media. The sanctions include seven individuals responsible for cyber-attacks and influence campaigns in 2020 and 2024, against a backdrop of systematic efforts by the Kremlin to destabilize U.S. democracy through covert operations.
New DoubleClickjacking attack threatens account security on popular websites
Security researchers have disclosed a new vulnerability called “DoubleClickjacking,” which exploits a double-click sequence to bypass clickjacking protections and affects numerous major websites. The method abuses the short interval between the first and second click to swap the user interface elements under the pointer, enabling account hijacking with minimal user interaction. The attack begins when a malicious site induces the user to double-click, usually under the guise of a common action such as verifying a CAPTCHA. During the sequence, the attacker redirects to the target page so that the second click lands on a sensitive control, obtaining a permission grant without the user noticing. The finding underscores the evolution of clickjacking tactics and exposes the need for more advanced solutions to protect users.
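One defensive pattern that addresses the timing described above is to keep sensitive buttons (an OAuth “Authorize” button, for instance) inert until the page itself has observed a genuine pointer or keyboard gesture followed by a short delay, so a click arriving in the gap of someone else's double-click is ignored. The following is an added example, not code from the researchers or from any affected site; the function names, the 500 ms threshold and the simulated timelines are assumptions.

```javascript
// Gating logic for a sensitive action button. Wire onGesture() to the page's
// 'mousemove' / 'keydown' / 'pointerdown' listeners and call evaluateClick()
// from the button's click handler before performing the action.
// `now` is injectable so the logic can be exercised without a browser.
function createClickGuard({ minArmDelayMs = 500, now = () => Date.now() } = {}) {
  let armedAt = null; // timestamp of the first genuine gesture seen by THIS page

  return {
    onGesture() {
      if (armedAt === null) armedAt = now();
    },
    // Call when the document is hidden (tab/window switch) so the page re-arms.
    onHidden() {
      armedAt = null;
    },
    // Returns whether the click should be honoured and why not if it should not.
    evaluateClick() {
      if (armedAt === null) return { allow: false, reason: 'no-prior-gesture' };
      const elapsed = now() - armedAt;
      if (elapsed < minArmDelayMs) return { allow: false, reason: 'too-soon' };
      return { allow: true, reason: 'ok' };
    },
  };
}

// Constructed timeline: the target page is brought to the front between the
// two clicks of a double-click and receives the second click ~120 ms later,
// having seen no pointer movement or key press of its own.
function simulateDoubleClickjack() {
  let t = 0;
  const guard = createClickGuard({ minArmDelayMs: 500, now: () => t });
  t += 120;                     // second click lands, no gesture on this page
  return guard.evaluateClick(); // -> { allow: false, reason: 'no-prior-gesture' }
}

// Constructed timeline: a real user moves the pointer onto the button, reads the
// consent text for a moment, then clicks.
function simulateLegitimateUser() {
  let t = 0;
  const guard = createClickGuard({ minArmDelayMs: 500, now: () => t });
  guard.onGesture();            // pointer moves across the page
  t += 800;                     // user pauses, then clicks
  return guard.evaluateClick(); // -> { allow: true, reason: 'ok' }
}
```

The delay threshold is a trade-off: too short and a fast double-click still slips through, too long and legitimate users see an unresponsive button.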
New “OtterCookie” malware detected in fake job offers targeting developers
Cybersecurity researchers have identified a new malware called OtterCookie, used by North Korean actors in the “Contagious Interview” campaign, which aims to deceive software developers through fake job offers. This operation, active since December 2022, uses OtterCookie to steal sensitive information, complementing other malware such as BeaverTail. OtterCookie is distributed via Node.js projects, npm packages, and files created with Qt or Electron, often obtained from platforms such as GitHub. Once the device is infected, OtterCookie communicates with attacker-controlled servers over WebSocket, allowing the attackers to execute commands that steal data such as cryptocurrency keys, documents, and more.
New campaign distributing DarkVision RAT identified
A campaign has been identified distributing the DarkVision RAT remote access Trojan, which uses the PureCrypter loader to infiltrate networks and compromise data from key sectors such as finance, healthcare and government. This malware, distributed using phishing and advanced obfuscation techniques, allows attackers to gain remote access, log keystrokes, capture audio and video, and manipulate system processes to ensure persistence. DarkVision RAT evades detection with tactics such as process injections and communications on non-standard ports, making it difficult for common firewalls to identify. Recommended mitigation measures include constant monitoring of system logs, protection of anti-virus configurations and hardening of authentication policies.
Analysis of Bashe (APT73) ransomware group published
Bashe, formerly known as APT73 or Eraleig, is a ransomware group that emerged in 2024 and employs double extortion tactics to attack key sectors in developed countries. Through a data leak site on the Dark Web, Bashe combines file encryption with the threat of publishing stolen information to pressure victims to pay up. Although its operations are still at an early stage, the group has been linked to attacks in the United States, United Kingdom, France, Germany, India and Australia, targeting industries such as technology, healthcare and finance. The group employs techniques such as phishing and exploitation of vulnerabilities to gain access, followed by exfiltration of sensitive data. Its infrastructure, while less sophisticated than that of the infamous LockBit ransomware group, shows similarities in design and strategy, suggesting a possible connection or imitation. As of December 2024, Bashe has claimed 63 victims.