On install they decrypt Fernet-encrypted code, which loads further code from https://funcaptcha[.]ru/paste2?package=asyncioo (replace the parameter with the package name).
I was blocked from accessing that code (am on mobile right now, so I don't have the means to investigate for real, Fernet decryption was already fun :abloblamp: ).
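A static check for the install-time pattern the post describes (Fernet-decrypt a blob, then exec the result in setup.py), as an added example that is not code from the post or from the package it discusses; the sample setup.py it scans is constructed and its key and ciphertext are placeholders:

```python
"""Flag the Fernet-decrypt-then-exec pattern in a setup.py (AST-based)."""
import ast

# Constructed stand-in for a suspicious setup.py; key/blob are dummies.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from cryptography.fernet import Fernet
_k = b"PLACEHOLDER_KEY"
_blob = b"PLACEHOLDER_CIPHERTEXT"
exec(Fernet(_k).decrypt(_blob).decode())
setup(name="asyncioo", version="0.0.1")
'''

# Constructed benign control: a plain setup() call, nothing decrypted.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="harmless", version="1.0")
'''


def _calls_decrypt(node: ast.AST) -> bool:
    """True if any Call nested in `node` is an attribute call named decrypt."""
    for sub in ast.walk(node):
        if (isinstance(sub, ast.Call) and isinstance(sub.func, ast.Attribute)
                and sub.func.attr == "decrypt"):
            return True
    return False


def find_fernet_exec(source: str) -> list[str]:
    """Return one finding per exec()/eval() whose argument is a .decrypt() result."""
    tree = ast.parse(source)
    imports_fernet = any(
        isinstance(n, ast.ImportFrom) and n.module == "cryptography.fernet"
        for n in ast.walk(tree)
    )
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval")
                and any(_calls_decrypt(arg) for arg in node.args)):
            msg = f"line {node.lineno}: {node.func.id}() fed by .decrypt()"
            if imports_fernet:
                msg += " with cryptography.fernet imported"
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in find_fernet_exec(SAMPLE_SETUP_PY):
        print(finding)
```

The check only parses the file, so it never runs the package's install hooks and needs no cryptography library installed.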
The Kremlin has accused the International Olympic Committee (IOC) of “racism and neo-Nazism” over its decision to bar athletes from Russia and Belarus from participating in the opening ceremony of the Paris Olympics this summer.
Ukrainian skeleton athlete Heraskevych criticises the IOC
At the 2022 Olympic Games, the Ukrainian athlete Heraskevych made headlines with his protest against the war. Today he warns that the next competitions must not become a show for Russian propaganda.
BitDefender identified a MacOS backdoor written in Rust that has a possible link to the ALPHV/BlackCat ransomware group. "Specifically, three out of the four command and control servers have been previously associated with ransomware campaigns targeting Windows clients. ALPHV/BlackCat is a ransomware family (also written in Rust), that first made its appearance in November 2021, and that has pioneered the public leaks business model." IOC provided.
🔗 https://www.bitdefender.com/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group/
This week's feature guest is CISA's assistant director for cybersecurity Eric Goldstein. He'll talk about CISA ordering USG agencies to disconnect their Ivanti equipment, the Volt Typhoon campaign and a Politico report into CISA's Joint Cyber Defense Collaborative. Up later today
Trustwave discovered Ov3r_Stealer, an infostealer distributed using Facebook advertising and phishing emails. Their report provides an in-depth dive into Ov3r_Stealer, exposing what the Threat Hunt team learned about the threat actors, their techniques, tactics, and procedures and how the malware functions. Observed IOC listed.
Rapid7 found notable similarities between BlackHunt ransomware and LockBit, which suggests that it uses leaked LockBit code. In addition, it uses some techniques similar to REvil ransomware. Rapid7 provided a technical analysis of a BlackHunt sample, describing functionalities and MITRE ATT&CK techniques. IOC provided.
🔗 https://www.rapid7.com/blog/post/2024/02/05/exploring-the-not-so-secret-code-of-blackhunt-ransomware-2/
Akamai provided details about a new variant of the FritzFrog botnet, which abuses the 2021 Log4Shell vulnerability CVE-2021-44228 (10.0 critical). The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible. The malware now also includes a module to exploit CVE-2021-4034, a privilege escalation in the polkit Linux component. This module enables the malware to run as root on vulnerable servers. IOC provided.
🔗 https://www.akamai.com/blog/security-research/2024/feb/fritzfrog-botnet-new-capabilities-log4shell
Unit 42 reports on a new variant of Mispadu Stealer, an infostealer targeting specific regions and URLs associated with Mexico. The infostealer was discovered while hunting for the SmartScreen CVE-2023-36025 security feature bypass vulnerability. They provided a sample analysis and IOC.
🔗 https://unit42.paloaltonetworks.com/mispadu-infostealer-variant/
Cloudflare blog on Thanksgiving 2023 security incident:
"Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation state attacker with the goal of obtaining persistent and widespread access to Cloudflare’s global network."
Sekoia reports on DiceLoader (aka Icebot), a malware used by cybercriminal group FIN7 since 2021. They detail how DiceLoader is dropped by a PowerShell script along with other malware of the intrusion set’s arsenal such as Carbanak RAT. A technical analysis of DiceLoader describes its features and C2 communication and infrastructure. "Surprisingly the analysed sample does not have any technique for anti-analysis" as well as lacking sandbox detection. IOC and Yara rules provided.
🔗 https://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/
Ukraine's CERT-UA provides IOC and technical instructions for removing DIRTYMOE malware, which has worm-like capabilities and creates a DDoS botnet. The DIRTYMOE/Purple Fox infection affected 2000+ computers; the activity is tracked under the identifier UAC-0027.
🔗 https://cert.gov.ua/article/6277422
The Russian Olympic team has been officially stripped of its gold medal in the team figure skating event at the 2022 Winter Olympic Games, following the four-year suspension of team member Kamila #Valieva for doping.
Fortinet reports on the FAUST variant of Phobos ransomware, providing insights into the process of downloading the payload file from an MS Excel document embedded with VBA script. Their analysis uncovered a threat actor employing a fileless attack to deploy shellcode, injecting the final FAUST payload into the victim's system. The FAUST variant exhibits the ability to maintain persistence in an environment and creates multiple threads for efficient execution. IOC provided.
🔗 https://www.fortinet.com/blog/threat-research/phobos-ransomware-variant-launches-attack-faust
Unit 42: BianLian group is one of the most active and prevalent extortion groups (top 10 most active). Maintaining their TTPs of infiltrating corporate networks, the BianLian group has shown adaptiveness to the ransomware market demands. They have shifted from double-extortion into being focused solely on extortion efforts, pressuring their victims into paying the ransom without encrypting their files. A possible connection to the Makop ransomware group was also found, due to their mutual use of a custom tool. IOC provided.
🔗 https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/
Russia accuses Olympic Committee of ‘racism and neo-Nazism’ over opening ceremony decision (kyivindependent.com)