| Category | Details |
|---|---|
| Threat Actors | CloudSorcerer, BlindEagle, Tropic Trooper, Twelve, DARKSTAR, Key Group, Mallox, Head Mare, Loki, Tusk, SambaSpy. |
| Campaign Overview | Multiple campaigns targeting governments, organizations, and industries globally, leveraging phishing, malware, and ransomware. |
| Target Regions | Russia, Latin America, Middle East, Italy, and globally. |
| Methodology | Phishing, DLL side-loading, C2 via cloud platforms, use of public utilities (e.g., ngrok, gTunnel), and exploit kits. |
| Product Targeted | Windows, macOS, and Android systems; CMS platforms (e.g., Umbraco), enterprise applications, and cloud services. |
| Malware Reference | CloudSorcerer, AsyncRAT, PlugY, DRBControl, HijackLoader, LockBit, Babuk, HZ Rat, PhantomDL, PhantomCore, SambaSpy. |
| Tools Used | Dropbox APIs, GitHub C2, ngrok, gTunnel, HijackLoader, phishing kits, and leaked ransomware variants. |
| Vulnerabilities Exploited | CVE-2023-38831 (WinRAR); DLL hijacking in CMS platforms; outdated ESXi systems exploited for ransomware. |
| TTPs | Modular malware, cloud C2 servers, social engineering, multi-stage infections, and RATs for surveillance and control. |
| Attribution | High confidence: Tropic Trooper to Chinese-speaking actors; CloudSorcerer to a new APT group. Hacktivist ties: Twelve, DARKSTAR. |
| Recommendations | Use supported software versions, implement EDR solutions, restrict access to cloud APIs, and educate against phishing. |
| Source | Securelist by Kaspersky |
Read full article: https://securelist.com/malware-report-q3-2024/114678/
Disclaimer: The above summary has been generated by an AI language model