Tony Lambert presentation on Detecting and responding to stealer malware in 2024: https://www.youtube.com/watch?v=Pt4GXFhIt4s
Cybercriminals Abusing Stack Overflow to Distribute Malware
Date: May 30, 2024
CVE: Not specified
Vulnerability Type: Social Engineering, Malware Distribution
CWE: [[CWE-494]], [[CWE-434]], [[CWE-22]]
Sources: BleepingComputer
Synopsis
Cybercriminals are exploiting Stack Overflow to distribute malware by posing as helpful users and promoting malicious packages as solutions to programming queries.
Issue Summary
Cybercriminals are posing as helpful users on Stack Overflow and answering questions with solutions that involve installing a malicious PyPI package named 'pytoileur'. This package, part of the "Cool package" campaign, targets Windows users by installing information-stealing malware.
Technical Key Findings
The malicious package 'pytoileur' includes a setup script containing an obfuscated, Base64-encoded command. When decoded, this command downloads and executes a malware executable disguised as 'runtime.exe'. The malware is designed to steal sensitive information such as cookies, passwords, browsing history, and other data from web browsers.
Vulnerable Products
Impact Assessment
The malware can steal a wide range of personal and sensitive data, including login credentials, financial information, and personal documents. This data can be sold on dark web markets or used for further cyberattacks.
Patches or Workaround
Developers should always verify the authenticity of packages before installation and inspect the code for any obfuscated or unusual commands. No specific patches are provided, but vigilance in package verification is crucial.
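The inspection advised above can be automated before a package is installed. The following is an added example (not code from the article, from PyPI, or from the 'pytoileur' package): it walks the AST of a setup.py, picks out long string literals in the Base64 alphabet, decodes them, and flags any that decode to text containing download-or-execute markers. Both setup.py samples are constructed here; the "suspicious" one only carries a stand-in payload string that is decoded and reported, never run.

```python
import ast
import base64
import re

# Markers that, inside a decoded string, suggest a download-and-execute payload.
SUSPICIOUS_TOKENS = ("urlretrieve", "urlopen", "requests.get", "subprocess",
                     "os.system", "exec(", "eval(", ".exe", "powershell", "cmd.exe")

# A string literal is only worth decoding if it is long and uses the Base64 alphabet.
B64_LITERAL = re.compile(r"^[A-Za-z0-9+/=]{40,}$")


def decode_if_base64(literal):
    """Return the decoded text if `literal` is a valid Base64 blob, else None."""
    compact = "".join(literal.split())
    if not B64_LITERAL.match(compact) or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def find_obfuscated_commands(setup_source):
    """Walk the AST of a setup.py and report Base64 literals that decode to suspicious code.

    Returns a list of (line_number, decoded_text, matched_tokens) tuples.
    """
    findings = []
    for node in ast.walk(ast.parse(setup_source)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        decoded = decode_if_base64(node.value)
        if decoded is None:
            continue
        hits = [tok for tok in SUSPICIOUS_TOKENS if tok in decoded]
        if hits:
            findings.append((node.lineno, decoded, hits))
    return findings


# --- Constructed samples (not real package code) -------------------------------
BENIGN_SETUP = """
from setuptools import setup
setup(name="example-pkg", version="1.0", packages=["example_pkg"])
"""

# Stand-in payload: the decoded text only names an executable; nothing here runs it.
PAYLOAD = "import os; os.system('runtime.exe')"
SUSPICIOUS_SETUP = f"""
from setuptools import setup
from setuptools.command.install import install
import base64

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode("{base64.b64encode(PAYLOAD.encode()).decode()}"))

setup(name="example-pkg", version="0.1", cmdclass={{"install": PostInstall}})
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        for lineno, decoded, hits in find_obfuscated_commands(src):
            print(f"{label}: line {lineno} decodes to {decoded!r} (matched {hits})")
```

Long hex digests or embedded certificates also match the Base64 alphabet, but they decode to binary junk with none of the markers and are therefore not reported; the token list, not the decoding step, is what decides, so tune it to the build tooling you actually use.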
Tags
#Malware #PyPi #Windows #StackOverflow #InformationStealer #Cybersecurity #SocialEngineering #SoftwareDevelopment #PythonPackages
TA547 Shifts Tactics: Leveraging Rhadamanthys Stealer in German-Specific Campaigns
Date: April 10, 2024
CVE: Not applicable
Vulnerability Type: Information Stealer
CWE: N/A
Sources: Proofpoint
Issue Summary
TA547, a financially motivated cybercriminal group, recently initiated an email campaign targeting German organizations, deploying the Rhadamanthys malware. This marks TA547's first recorded use of [[Rhadamanthys stealer]], an advanced information stealer previously utilized by multiple threat actors. The campaign featured emails impersonating the German retail giant Metro, with malicious attachments designed to execute Rhadamanthys without writing to disk, thereby evading typical file-based detection methods.
Technical Key Findings
The attack chain involves emails with a password-protected ZIP file attachment containing an LNK file. Execution of the LNK file triggers a PowerShell script that decodes and runs the [[Rhadamanthys stealer]] directly in memory. Notably, the PowerShell script exhibited signs of being generated by a Large Language Model (LLM), indicative of TA547's potential use of advanced AI tools for crafting malware delivery mechanisms.
Vulnerable products
Impact assessment
[[Rhadamanthys stealer]] is designed to steal sensitive information, including credentials and financial data. Successful deployment within organizations can lead to significant data breaches, financial loss, and reputational damage.
Patches or workaround
While the report does not specify patches, organizations are advised to enhance email filtering, educate employees on phishing, and deploy behavior-based detection mechanisms to mitigate threats posed by memory-resident malware and sophisticated delivery scripts.
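One form the recommended behavior-based detection can take is a rule over process-creation telemetry that decodes PowerShell's -EncodedCommand argument (Base64 over UTF-16LE) and scores the launch on what the decoded script does. This is an added example, not Proofpoint's or TA547's code; the pipe-delimited event format and the assumption that a double-clicked LNK shows explorer.exe as the parent are both constructed for the example, and the sample script strings only reference a variable, so they run nothing.

```python
import base64
import re

# Constructed telemetry format: timestamp|parent_image|image|command_line
ENCODED_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)
# Patterns in the decoded script that point at decode-and-run-in-memory behaviour.
IN_MEMORY_MARKERS = (r"\biex\b", r"invoke-expression", r"frombase64string",
                     r"reflection\.assembly")
# Assumption: a double-clicked LNK is launched by Explorer, so that parent is weighted.
LNK_LAUNCHERS = {"explorer.exe"}


def extract_encoded_command(command_line):
    """Return the script passed via -EncodedCommand (Base64 of UTF-16LE), or None."""
    args = command_line.split()
    for i, arg in enumerate(args[:-1]):
        if ENCODED_FLAG.match(arg):
            try:
                return base64.b64decode(args[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze_event(line):
    """Score one process-creation event; None if it is not an encoded PowerShell launch."""
    ts, parent, image, cmdline = line.split("|", 3)
    if image.lower() not in ("powershell.exe", "pwsh.exe"):
        return None
    decoded = extract_encoded_command(cmdline)
    if decoded is None:
        return None
    score, reasons = 0, []
    if parent.lower() in LNK_LAUNCHERS:
        score += 1
        reasons.append("PowerShell spawned by Explorer (consistent with a double-clicked LNK)")
    markers = [p for p in IN_MEMORY_MARKERS if re.search(p, decoded, re.IGNORECASE)]
    if markers:
        score += 2
        reasons.append(f"decoded script contains in-memory execution markers {markers}")
    if HIDDEN_WINDOW.search(cmdline):
        score += 1
        reasons.append("hidden window requested")
    return {"ts": ts, "parent": parent, "score": score, "decoded": decoded, "reasons": reasons}


def scan(events, threshold=3):
    """Return the events whose score reaches the alert threshold."""
    hits = (analyze_event(e) for e in events)
    return [h for h in hits if h is not None and h["score"] >= threshold]


def _enc(script):
    """Encode a script the way -EncodedCommand expects (Base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# --- Constructed sample events (not real telemetry) ----------------------------
ADMIN_SCRIPT = "Get-Service | Out-File C:\\temp\\services.txt"
STAGER_SCRIPT = "IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($blob)))"
SAMPLE_EVENTS = [
    "2024-04-10T09:00:01|cmd.exe|powershell.exe|powershell.exe -NoProfile -Command Get-Process",
    f"2024-04-10T09:05:12|cmd.exe|powershell.exe|powershell.exe -enc {_enc(ADMIN_SCRIPT)}",
    f"2024-04-10T09:07:44|explorer.exe|powershell.exe|powershell.exe -nop -w hidden -enc {_enc(STAGER_SCRIPT)}",
    "2024-04-10T09:08:00|explorer.exe|notepad.exe|notepad.exe invoice.txt",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["ts"], alert["score"], alert["reasons"])
```

The admin's encoded Get-Service command is decoded but scores zero, which is the point of scoring on the decoded content rather than on the mere presence of -enc: encoded commands are common in legitimate automation, while a hidden-window launch from Explorer whose script decodes and evaluates further Base64 in memory is the combination the report describes.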
Tags
#TA547 #Rhadamanthys #InformationStealer #Germany #Cybercrime #MalwareCampaign #PowerShell #AI_Malware
@kienbigmummy shared his slides on Qakbot, one of the most active malware families. QakBot is known for stealing information. @kienbigmummy revealed the secrets of this malware in an excellent presentation at Security Bootcamp 2023 (SBC2023).
#InformationStealer Discovered Capable of Stealing RDP Files
Source: https://blog.cyble.com/2023/02/01/vector-stealer-a-gateway-for-rdp-hijacking/
Cyble observed an information-stealing #malware capable of stealing .rdp files, passwords, and cookies. #Cybercriminals can exfiltrate sensitive information from the victim's machine using SMTP, Discord, and Telegram. With the capability to steal RDP files, cybercriminals can use the stolen files to perform RDP hijacking, enabling them to gain unauthorized remote access without credentials. The stealer surfaced in cybercrime forums in the second half of 2022 and is sold through publicly available platforms.
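Why a stolen .rdp file is worth anything depends on what the user saved in it, so a defender's first check is an inventory of which files in user profiles carry saved credentials or other reusable settings. The following is an added example, not Cyble's or the stealer's code: it parses the `name:type:value` line format of .rdp files and reports the settings that make a file directly reusable. Both sample files are constructed, and the `password 51:b:` hex blob is a truncated placeholder rather than a real saved credential.

```python
from pathlib import Path


def parse_rdp(text):
    """Parse `name:type:value` lines of an .rdp file (type is s, i or b) into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.count(":") < 2:
            continue
        name, typ, value = line.split(":", 2)  # the value itself may contain ':'
        settings[name.strip().lower()] = (typ.strip(), value.strip())
    return settings


def assess_rdp(text):
    """Report the settings that make an .rdp file valuable to a stealer."""
    s = parse_rdp(text)
    findings = []
    if s.get("password 51", ("b", ""))[1]:
        findings.append("contains a saved password blob (password 51:b:...)")
    if "username" in s and s.get("prompt for credentials", ("i", ""))[1] == "0":
        findings.append(f"stored username {s['username'][1]!r} with credential prompt disabled")
    if s.get("redirectdrives", ("i", "0"))[1] == "1":
        findings.append("local drives are redirected into the session")
    return {"host": s.get("full address", ("s", ""))[1], "findings": findings}


def scan_directory(root):
    """Assess every *.rdp file under `root`; returns {path: assessment}."""
    return {str(p): assess_rdp(p.read_text(errors="replace"))
            for p in Path(root).rglob("*.rdp")}


# --- Constructed sample files (not real connection files) ----------------------
SAFE_RDP = """\
screen mode id:i:2
full address:s:rdp.example.invalid:3389
prompt for credentials:i:1
"""

# The hex blob below is a truncated placeholder, not a real credential.
RISKY_RDP = """\
screen mode id:i:2
full address:s:rdp.example.invalid:3389
username:s:CORP\\jdoe
prompt for credentials:i:0
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB
redirectdrives:i:1
"""

if __name__ == "__main__":
    for label, text in (("safe", SAFE_RDP), ("risky", RISKY_RDP)):
        print(label, assess_rdp(text))
```

Files that report a saved password blob or a stored username with the prompt disabled are the ones to clean up: remove the saved credential and set `prompt for credentials:i:1`, so that a copy of the file taken by a stealer still needs a logon that it does not have.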