The Computer Emergency Response Team of Ukraine (CERT-UA) has detailed a new malicious email campaign targeting government agencies, enterprises, and military entities.
"The messages exploit the appeal of integrating popular services like Amazon or Microsoft and implementing a zero-trust architecture," CERT-UA said. "These emails contain attachments in the form of Remote Desktop Protocol ('.rdp'

Cyber Attack / Threat Intelligence

The Computer Emergency Response Team of Ukraine (CERT-UA) has detailed a new malicious email campaign targeting government agencies, enterprises, and military entities.

"The messages exploit the appeal of integrating popular services like Amazon or Microsoft and implementing a zero-trust architecture," CERT-UA said. "These emails contain attachments in the form of Remote Desktop Protocol ('.rdp') configuration files."

Once executed, the RDP files establish a connection with a remote server, enabling the threat actors to gain remote access to the compromised hosts, steal data, and plant additional malware for follow-on attacks.

Infrastructure preparation for the activity is believed to have been underway since at least August 2024, with the agency stating that it's likely to spill out of Ukraine to target other countries.

CERT-UA has attributed the campaign to a threat actor it tracks as UAC-0215. Amazon Web Service (AWS), in an advisory of its own, linked it to the Russian nation-state hacking group known as APT29.

"Some of the domain names they used tried to trick the targets into believing the domains were AWS domains (they were not), but Amazon wasn't the target, nor was the group after AWS customer credentials," CJ Moses, Amazon's chief information security officer, said. "Rather, APT29 sought its targets' Windows credentials through Microsoft Remote Desktop."

The tech giant said it also seized the domains the adversary was using to impersonate AWS in order to neutralize the operation. Some of the domains used by APT29 are listed below -

*   ca-west-1.mfa-gov\[.\]cloud
*   central-2-aws.ua-aws\[.\]army
*   us-east-2-aws.ua-gov\[.\]cloud
*   aws-ukraine.cloud
*   aws-data.cloud
*   aws-s3.cloud
*   aws-il.cloud
*   aws-join.cloud
*   aws-meet.cloud
*   aws-meetings.cloud
*   aws-online.cloud
*   aws-secure.cloud
*   s3-aws\[.\]cloud
*   s3-fbi\[.\]cloud
*   s3-nsa\[.\]cloud, and
*   s3-proofpoint\[.\]cloud

The development comes as CERT-UA also warned of a large-scale cyber attack aimed at stealing confidential information of Ukrainian users. The threat has been cataloged under the moniker UAC-0218.

The starting point of the attack is a phishing email containing a link to a booby-trapped RAR archive that purports to be either bills or payment details.

Present within the archive is a Visual Basic Script-based malware dubbed HOMESTEEL that's designed to exfiltrate files matching certain extensions ("xls," "xlsx," "doc," "docx," "pdf," "txt," "csv," "rtf," "ods," "odt," "eml," "pst," "rar," and "zip") to an attacker-controlled server.

"This way criminals can gain access to personal, financial and other sensitive data and use it for blackmail or theft," CERT-UA said.

Furthermore, CERT-UA has alerted of a ClickFix\-style campaign that's designed to trick users into malicious links embedded in email messages to drop a PowerShell script that's capable of establishing an SSH tunnel, stealing data from web browsers, and downloading and launching the Metasploit penetration testing framework.

Users who click the link are directed to a fake reCAPTCHA verification page that prompts them to verify their identity by clicking on a button. This action copies the malicious PowerShell script ("Browser.ps1") to the user's clipboard and displays a popup window with instructions to execute it using the Run dialog box in Windows.

CERT-UA said it has an "average level of confidence" that the campaign is the work of another Russian advanced persistent threat actor known as APT28 (aka UAC-0001).

The cyber offensives against Ukraine come amidst a report from Bloomberg that detailed how Russia's military intelligence agency and Federal Security Service (FSB) systematically targeted Georgia's infrastructure and government as part of a series of digital intrusions between 2017 to 2020. Some of the attacks have been pinned on Turla.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CERT-UA Identifies Malicious RDP Files in Latest Attack on Ukrainian Entities

A cybersecurity researcher discovered a massive data leak exposing over 115,000 sensitive documents associated with the UN Trust…

A cybersecurity researcher discovered a massive data leak exposing over 115,000 sensitive documents associated with the UN Trust Fund to End Violence against Women. The leaked data includes personal information, financial records, and victim testimonies, posing a serious risk to privacy and security.

Cybersecurity researcher Jeremiah Fowler discovered a misconfigured database affecting the United Nations (UN) Trust Fund to End Violence against Women. According to Fowler’s investigation, reported shared with Hackread.com, the exposed database was unsecured and unprotected by a password or any other security authentication, making it easily accessible to anyone with an internet connection.

The database contained over 115,000 records and 228 GB of sensitive data, including financial reports, staff documents, email addresses, contracts, and personal information of victims and charity workers in PDF, .XML, .JPG, and PNG formats. 

The leaked documents revealed a wide range of confidential information, such as:

*   **Staff information: Names, tax data, salary information, and job roles**
*   **Victim information: Names, email addresses, and personal experiences**
*   **Financial details: Bank account information, audits, and financial reports**
*   **Organizational docs: Contracts, certifications, and registration documents**

The records indicated a connection with UN Women and the UN Trust Fund to End Violence against Women, with reference letters, UN logos, and file names indicating their association.

Screenshot from the exposed data via Jeremiah Fowler

> _“Although the records indicated the files belonged to the UN Women agency, it is not known if they owned and managed the non-password-protected database or if it was under the control of a third-party contractor.”_
> 
> Jeremiah Fowler

This breach poses a serious risk to the privacy and safety of those involved in the organization’s efforts to combat gender-based violence. The exposed data could potentially be used by malicious actors to target individuals and organizations associated with the UN Trust Fund.

For example, criminals can launch phishing attacks, identity theft, or blackmail attempts. The information exposed could be used for various malicious purposes, including identity theft, fraud, targeted phishing attacks, blackmail, extortion of funds from the UN Trust Fund, and harassment. 

Victims, charity workers, and UN staff could be targeted to steal their identities, commit fraud, blackmail, or extort money from the UN Trust Fund. The breach also poses a security risk to **vulnerable populations**, which the UN Trust Fund is working to protect, as the exposure of personal information could lead to further harm or exploitation. 

Moreover, exposed internal documents “could potentially provide criminals with insights into how the organizations operate, their key management, financial structures, and other details that may not have been intended to be public,” Fowler **noted**.

It is unclear who was managing the database, how it was left unprotected, and for how long it remained exposed. The good news is that UN Women secured the database after receiving a responsible disclosure notice from Fowler. The organization has also issued a **scam alert** and is working to mitigate the risks associated with the data exposure and to ensure that similar incidents do not occur in the future.

Nevertheless, this incident highlights the importance of strong cybersecurity measures to protect sensitive data, especially in the context of humanitarian organizations working in vulnerable regions.

1.  **Facial DNA provider leaks biometric data via WordPress folder**
2.  **3TB of clips from exposed home security cameras posted online**
3.  **“BreedReady” database of 1.8m Chinese women surfaced online**
4.  **Gender Diversity in Cybercrime Forums: Women Users on the Rise**
5.  **iCloud phishing scam – Man stole private photos of 620,000 women**

Misconfigured UN Database Exposes 228GB of Gender Violence Victims’ Data

Cisco Talos reveals TA866’s (also known as Asylum Ambuscade) sophisticated tactics and its link to the new WarmCookie…

Cisco Talos reveals TA866’s (also known as Asylum Ambuscade) sophisticated tactics and its link to the new WarmCookie malware from the BadSpace family. Learn about the threat actor’s persistent attacks, sophisticated tactics, and the advanced tools used to compromise systems.

Cybersecurity researchers at Cisco Talos have revealed new information about the sophisticated operations of TA866, also known as Asylum Ambuscade, a threat actor known for its persistent and adaptable attack strategies. 

TA866 has been active since 2020, focusing on financially motivated malware campaigns and espionage. The group uses numerous tools and techniques, including commodity and custom-built ones as part of its attack.

The group has also adopted a calculated approach, seeking to maintain their presence in compromised environments, carefully assessing the situation, and deploying tools as needed to achieve their objectives.

****The Infection Chain: A Multi-Stage Process****

According to Cisco Talos’ investigation, TA866’s attacks involve a multi-stage infection chain, beginning with the delivery of a malicious JavaScript downloader, which acts as a gateway, retrieving subsequent payloads from attacker-controlled servers. These payloads often take the form of MSI packages, which contain malware such as WasabiSeed.  

WasabiSeed is a crucial downloader component in the infection chain, ensuring persistence by establishing itself on compromised systems using an LNK shortcut. It can continuously poll for additional payloads from attacker-controlled servers, allowing TA866 to deliver subsequent attack stages.

TA866 also uses the Screenshotter malware family to capture periodic screenshots of the infected system. These screenshots provide valuable insights into the victim’s activities and allow TA866 to identify sensitive information or potential targets for further exploitation.  

In addition, TA866 frequently deploys AHK Bot, a modular malware family that uses AutoHotKey scripts to perform various functions such as system enumeration, screenshot capture, domain identification, keystroke logging, credential theft, and more. AHK Bot’s modular nature allows TA866 to customize its capabilities based on the specific needs of each attack.

****WarmCookie and TA866 Connection****

Cisco Talos’ research also highlights connections between WarmCookie malware and TA866, including similar lure themes, overlapping infrastructure, the deployment of CSharp-Streamer-RAT, Cobalt Strike as a follow-on payload, and the use of programmatically generated SSL certificates.

WarmCookie, a notorious malware family also called BadSpace, emerged in April 2024 and has been distributed through malspam and malvertising campaigns. It serves as a backdoor, allowing threat actors long-term access to compromised systems. It offers a wide range of functions like payload deployment, file manipulation, command execution, screenshot collection, and persistence.

> _“We assess that WarmCookie was likely developed by the same threat actor(s) as Resident backdoor, a post-compromise implant previously deployed in intrusion activity that Cisco Talos attributes to TA866.”_
> 
> Cisco Talos Research Team

Researchers also revealed how it is consistently used in invoice-related and job agency themes to lure victims to access hyperlinks in email bodies or attached documents like PDFs. A recent WarmCookie campaign used malspam and invoice lures to distribute malicious PDF attachments. These PDFs redirected victims to JavaScript downloaders on servers linked to the LandUpdates808 infrastructure.

Screenshot: Cisco Talos

TA866’s evolution highlights the complex challenges faced by organizations in defending against cyber threats. Organizations need to stay informed about the latest threat intelligence and implement advanced security measures to mitigate the risks posed by this advanced threat actor.

1.  **Fake CAPTCHA Pages Spread Lumma Stealer Fileless Malware**
2.  **Chinese “ChamelGang” Uses Attacks for Disruption, Data Theft**
3.  **Octo2 Malware Uses Fake NordVPN, Chrome Apps in its Attacks**
4.  **Advanced Espionage Malware “Stealth Soldier” Hits Libyan Firms**
5.  **Fake ESET Emails Used to Target Israeli Firms with Wiper Malware**

TA866 Group Linked to New WarmCookie Malware in Espionage Campaign

Not long ago, the ability to remotely track someone’s daily movements just by knowing their home address, employer, or place of worship was considered a powerful surveillance tool that should only be in the purview of nation states. But a new lawsuit in a likely constitutional battle over a New Jersey privacy law shows that anyone can now access this capability, thanks to a proliferation of commercial services that hoover up the digital exhaust emitted by widely-used mobile apps and websites.

The Global Surveillance Free-for-All in Mobile Ad Data

WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns.

Wednesday, October 23, 2024 06:02

*   WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. 
*   WarmCookie, observed being used for initial access and persistence, offers a means for continuous long-term access to compromised environments and is used to facilitate delivery of additional malware such as CSharp-Streamer-RAT and Cobalt Strike. 
*   Post-compromise intrusion activity associated with WarmCookie overlaps with previously observed activity we attribute to TA866.  
*   We assess that WarmCookie was likely developed by the same threat actor(s) as Resident backdoor, a post-compromise implant previously deployed in intrusion activity that Cisco Talos attributes to TA866.  

**What is WarmCookie? **

WarmCookie, also known as BadSpace, is a malware family that has been distributed since at least April 2024. Throughout 2024, we have observed several distribution campaigns conducted using a variety of lure themes to entice victims to take actions that result in malware infection.  

These campaigns typically rely on malspam or malvertising to initiate the infection process that results in the delivery of WarmCookie. WarmCookie offers a variety of useful functionality for adversaries including payload deployment, file manipulation, command execution, screenshot collection and persistence, making it attractive to use on systems once initial access has been gained to facilitate longer-term, persistent access within compromised network environments.  

In previously analyzed intrusion activity involving WarmCookie, we have observed that it is used as an initial payload and that CSharp-Streamer-RAT and Cobalt Strike were delivered following the initial WarmCookie infection.  

While analyzing the campaigns, intrusion activity, and infrastructure associated with WarmCookie over the course of 2024, we also identified multiple overlaps with activity conducted by TA866 in 2023. 

**Typical infection chains **

As previously mentioned, we have observed WarmCookie campaigns being conducted since at least April 2024. These campaigns rely on malspam or malvertising to facilitate the delivery of malicious content.  

In the case of malspam, we have observed consistent use of invoice-related and job agency themes that entice victims to access hyperlinks present in either the email body, or within attached documents, such as PDFs.  

Examples of common message subjects observed in campaigns conducted between April and August 2024 are listed below. 

*   United Rentals Inc: Invoice# [0-9]{9}\-[0-9]{3} 
*   Invoice and Remittance

In a recent campaign conducted in August, the messages contained PDF attachments. The attachment filenames were randomized but typically use the following format. 

*   Attachment_[0-9]{3}\-[0-9]{3}\.pdf

While there have been variations over time, below is a representative example of one of these emails and the associated PDF attachment. 

__WarmCookie emails and attachments.__

The PDFs contain hyperlinks that direct victims to web servers hosting malicious JavaScript files that continue the infection process. 

We have also observed WarmCookie campaigns leveraging infrastructure associated with traffic distribution and malware delivery systems. In one early campaign, we observed the use of the LandUpdates808 cluster of infrastructure described here. In observed cases, malicious JavaScript downloaders were being hosted at the following paths on servers associated with the LandUpdates808 cluster of web servers. 

/wp-content/upgrade/update\[.\]php

Regardless of whether the delivery stage of the attack was conducted via malspam or malvertising, an obfuscated JavaScript downloader is delivered that is responsible for continuing the infection process. We have observed the use of ZIP archives to compress the JavaScript file and the delivery of the JavaScript file directly from the distribution infrastructure.  

When executed, it deobfuscates and executes a PowerShell command that uses Bitsadmin to retrieve and execute the WarmCookie DLL using syntax, like that shown below. 

__PowerShell execution.__

We have observed a relatively small number of distribution servers hosting WarmCookie DLLs compared to the infrastructure used in earlier stages of the infection chain.  

**WarmCookie **

The main WarmCookie payload has been extensively analyzed in prior reporting here and here. While performing this research, newly observed WarmCookie samples were reported on social media during September 2024. We observed significant additions and changes in this latest version that demonstrate the threat actor is continuing to improve their tooling.  

We observed changes to the way the malware is executed and how persistence is achieved on infected systems. As described in prior reporting, the malware is typically delivered and executed as a PE DLL or a PE EXE. If the payload is in the DLL format, it is typically executed with specific command-line parameters that determine whether persistence should be achieved.  

In previous WarmCookie samples the execution was consistent with the following: 

rundll32.exe <DLL\_Filename>,Start /p

In the latest samples analyzed, this command-line syntax has been modified as follows: 

rundll32.exe <DLL\_Filename>,Start /u

Additionally, the user agent used during C2 communications in previous WarmCookie samples featured extraneous spaces not consistent with normal user agent strings seen in the wild. This allowed for easy detection of WarmCookie C2 activity via network traffic inspection. In the latest WarmCookie samples, this mistake has been corrected. Below is a comparison between the old and new user agent strings used during C2 communications. 

Old User Agent: 

Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)

New User Agent: 

Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

We also observed the inclusion of a new self-updating mechanism that would enable an attacker to dynamically deliver updates to WarmCookie via the C2 server, however, this functionality did not appear to be fully implemented in the analyzed sample at the time. 

In the latest sample, changes were made to the sandbox detection mechanism present in the malware where some checks present in previous versions have been removed. 

__WarmCookie sandbox detection.__

Several changes to the C2 commands supported by the malware have also been made in the latest WarmCookie samples analyzed. The command to remove persistence and the malware itself has been deleted. New commands have been added as follows: 

*   **Command 0x8:** Supports the creation of a DLL file received from the C2 server that is assigned a temporary filename and then executed by WarmCookie.   
*   **Command 0xA**: Appears to be a prepared update command, it is like Command 0x8, but adds hardcoded parameters to the DLL:    
    C:\Windows\System32\rundll32.exe <tmpfilename.dll> Start /update
*   **Command 0xB**: Supports moving the malware to a temporary file name and location and deletes the previously scheduled task. It prepends the string ‘dat’ to the temporary filename. It also exits the C2 loop, leading to termination of the malware process. 

During the malware’s initialization and startup phase, the /update parameter of the Command 0xA is checked to determine if the parameter was set. Regardless of the result of this check, the same function is executed, as shown below. 

WarmCookie update parameter. 

Analysis suggests that the malware will continue to evolve moving forward as the threat actor continues to improve on it and adds additional functionality as needed. 

**Links to past intrusion activity **

While analyzing the distribution campaigns, infrastructure used, and post-compromise intrusion activity associated with WarmCookie, we identified multiple overlaps with previously observed malicious activity.  

In earlier WarmCookie distribution campaigns, threat actors relied on lures that appear as if they were associated with talent/job search agencies. As mentioned here, the lure documents and landing pages associated with this campaign are like those used by distributors of Ursnif in past campaigns.  

While analyzing intrusion activity associated with WarmCookie, we observed the deployment of CSharp-Streamer-RAT as a follow-on payload following the initial system compromise. CSharp-Streamer-RAT is a full-featured remote access trojan that offers robust functionality as described here.  

In this case, the sample reached out to a C2 server that was configured to use an SSL certificate that appeared to have been programmatically generated with several fields randomly populated. Using Regular Expressions to identify other servers with similar SSL characteristics, we identified three additional C2 servers, all previously associated with CSharp-Streamer-RAT samples. One of these C2 servers was observed being used by a CSharp-Streamer-RAT sample we identified in a previous intrusion that we assess with high confidence was conducted by TA866.  

The screenshot below shows the relevant fields present within the SSL certificate associated with the CSharp-Streamer-RAT C2 server observed in previous intrusion activity we attribute to TA866.  

__Previous CSharp-Streamer-RAT C2 SSL certificate.__

Below is an example of one of the SSL certificates associated with the CSharp-Streamer-RAT C2 server observed in recent WarmCookie intrusion activity. 

__Recent CSharp-Streamer-RAT C2 SSL certificate.__

Based on analysis of the system involved in this prior intrusion activity, we assess with high confidence that TA866/Asylum Ambuscade deployed CSharp-Streamer-RAT while directly operating on the system leading up to, during, and after its deployment. In the recent WarmCookie case, we also assess with high confidence that the attacker who deployed WarmCookie also deployed CSharp-Streamer-RAT following the initial compromise.

**WarmCookie vs. Resident backdoor **

As referenced here, and in prior reporting, TA866/Asylum Ambuscade has been observed delivering a post-compromise implant called Resident backdoor in prior intrusion activity. Prior reporting on WarmCookie has alluded to observed links between Resident backdoor and WarmCookie.

We performed a code and function level analysis of Resident backdoor samples from previous intrusion activity and WarmCookie samples from September 2024 and observed several notable similarities in the way core functionality has been implemented across both malware families. WarmCookie appears to contain much of the same functionality as Resident backdoor but has been significantly extended to support additional functionality.  

We assess that both were likely developed by the same entity based on the following analysis findings: 

*   The RC4 implementation is consistent across both malware families. 
*   The RC4 string decryption function implementation is consistent across both malware families. 
*   Mutex management is performed consistently across both malware families. 
*   Both malware families use GUID-like strings for the mutex. 
*   The way in which various functions were constructed and the coding conventions used is consistent. 
*   The definition of scheduled tasks to achieve persistence is consistent. 
*   Both malware families wait one minute before executing the scheduled task. 
*   The directory, file schema and parameters are similar in both malware families.  
*   The initial startup logic and command line parameter implementation are similar. 

**Code similarity analysis **

We conducted a similarity analysis of the code execution flow between both Resident backdoor and a recent WarmCookie sample that was shared on social media. We observed consistent implementation of core functionality across both as well as consistent use of coding conventions across both malware families. 

**Task Scheduler implementation **

If the malware is initially executed without supplying any parameters, both Resident and WarmCookie first determine if the initially launched application was a PE DLL or an PE EXE. Depending on the result, they either create a filename with the extension “.dll" or “.exe". Also based on the results of this test, they both create a scheduled task via the Windows Task Scheduler, which spawns a copy of the malware after waiting for 60 seconds. In the case that the initially launched application was a PE DLL, rundll32.exe is used to launch the malware. In the case of a PE EXE file, it is executed directly.  

They both attempt this in the %ALLUSERSPROFILE% directory, if that fails, they try it again in %ALLDATA% directory. 

__WarmCookie startup parameters.__

__WarmCookie persistence mechanism.__

__Resident backdoor startup parameters.__

__Resident backdoor persistence mechanism.__

__Resident backdoor persistence mechanism (cont’d).__

The overall startup logic is also the same in both Resident backdoor and WarmCookie. At the beginning of the startup process both check to determine if the malware was executed with a command line switch. In the case of the Resident backdoor, it is ‘/p’; in the case of WarmCookie it is ‘/u’. This parameter tells the application whether it is the first instance of itself or if the running version is the former copied version, which was previously made persistent via the Task Scheduler. This prevents multiple scheduled tasks from being created once the malware has achieved persistence.  

__WarmCooke startup logic.__

__Resident backdoor startup logic.__

One slight difference is that Resident uses the hardcoded string ‘RtlUpd’ to generate the filename for the scheduled task, whereas WarmCookie uses a hardcoded list of company names and randomly selects one, as shown below: 

__WarmCookie filename list.__

Based on our analysis of Resident backdoor and WarmCookie, we assess that they were likely developed by the same entity. While there are significant overlaps in the code and functionality implementations across Resident backdoor and WarmCookie, WarmCookie contains significantly more robust functionality and command support compared to Resident backdoor. Additionally, while WarmCookie has typically been deployed as an initial access payload in intrusion activity we have analyzed, Resident backdoor was deployed post-compromise following the deployment of several other components such as WasabiSeed, Screenshotter and AHK Bot.  

Given the differences in functionality and where each is encountered in the attack lifecycle, we classify Resident and WarmCookie as separate malware families that have been developed by the same threat actor. 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

 Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The following Snort rule(s) have been developed to detect activity associated with this malicious activity.  

*   Snort 2 SIDs: 64139, 64140, 64141, 64142, 64143, 64144, 64145, 64146, 64147, 64148, 64149, 64150, 64151, 64152, 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162. 
*   Snort 3 SIDs: 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162, 301044, 301045, 301046, 301047, 301048, 301049, 301050.  

The following ClamAV signatures have been developed to detect activity associated with this malicious activity.  

*   Js.Downloader.Agent-10022279-0  
*   Vbs.Downloader.Agent-10022291-0  
*   Win.Trojan.WasabiSeed-10022304-0  
*   Js.Trojan.Screenshotter-10022306-0  
*   Js.Trojan.Agent-10022307-0  
*   Win.Trojan.Lazy-10022308-0  
*   Win.Trojan.Screenshotter-10022309-0  
*   PUA.Win.Tool.NetPing-10022493-0  
*   Win.Malware.CobaltStrike-10022494-0  
*   PUA.Win.Tool.AutoHotKey-10022305-1  
*   PUA.Win.Tool.RemoteUtilities-9869515-0  
*   PUA.Win.Tool.AdFind-9962378-0   
*   Txt.Downloader.AHKBot-10024463-0  
*   Ps1.Malware.CobaltStrike-10024466-0  
*   Win.Infostealer.Rhadamanthys-10024467-0  
*   Txt.Infostealer.Rhadamanthys-10024468-0  
*   Win.Backdoor.Agent-10025011-0  
*   Vbs.Trojan.Screenshotter-10025015-0  
*   Win.Malware.Warmcookie-10036688-0 
*   Win.Malware.CSsharpStreamer-10036641-0 

**Indicators of Compromise **

Indicators of compromise associated with WarmCookie/BadSpace activity can be found in our GitHub repository here.

Threat Spotlight: WarmCookie/BadSpace

TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020.

Highlighting TA866/Asylum Ambuscade Activity Since 2021

Two malware families that suffered setbacks in the aftermath of a coordinated law enforcement operation called Endgame have resurfaced as part of new phishing campaigns.
Bumblebee and Latrodectus, which are both malware loaders, are designed to steal personal data, along with downloading and executing additional payloads onto compromised hosts.
Tracked under the names BlackWidow, IceNova, Lotus,

Malware / Threat Intelligence

Two malware families that suffered setbacks in the aftermath of a coordinated law enforcement operation called Endgame have resurfaced as part of new phishing campaigns.

Bumblebee and Latrodectus, which are both malware loaders, are designed to steal personal data, along with downloading and executing additional payloads onto compromised hosts.

Tracked under the names BlackWidow, IceNova, Lotus, or Unidentified 111, Latrodectus, is also considered to be a successor to IcedID owing to infrastructure overlaps between the two malware families. It has been used in campaigns associated with two initial access brokers (IABs) known as TA577 (aka Water Curupira) and TA578.

In May 2024, a coalition of European countries said it dismantled over 100 servers linked to several malware strains such as IcedID (and, by extension, Latrodectus), SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot.

"Although Latrodectus was not mentioned in the operation, it was also affected and its infrastructure went offline," Bitsight security researcher João Batista noted back in June 2024.

Cybersecurity firm Trustwave, in an analysis published earlier this month, described Latrodectus as a "distinct threat" that has received a boost following Operation Endgame.

"While initially impacted, Latrodectus quickly rebounded. Its advanced capabilities filled the void left by its disabled counterparts, establishing itself as a formidable threat," the cybersecurity company said.

Attack chains typically leverage malspam campaigns, exploiting hijacked email threads and impersonating legitimate entities like Microsoft Azure and Google Cloud to activate the malware deployment process.

The newly observed infection sequence by Forcepoint and Logpoint takes the same route, with the DocuSign-themed email messages bearing PDF attachments containing a malicious link or HTML files with embedded JavaScript code that are engineered to download an MSI installer and a PowerShell script, respectively.

Regardless of the method employed, the attack culminates in the deployment of a malicious DLL file that, in turn, launches the Latrodectus malware.

"Latrodectus leverages older infrastructure, combined with a new, innovative malware payload distribution method to financial, automotive, and business sectors," Forcepoint researcher Mayur Sewani said.

The ongoing Latrodectus campaigns dovetail with the return of the Bumblebee loader, which employs a ZIP archive file likely downloaded via phishing emails as a delivery mechanism.

"The ZIP file contains an LNK file named 'Report-41952.lnk' that, once executed, starts a chain of events to download and execute the final Bumblebee payload in memory, avoiding the need to write the DLL on disk," Netskope researcher Leandro Fróes said.

The LNK file is intended to execute a PowerShell command to download an MSI installer from a remote server. Once launched, the MSI samples, which masquerade as installers from NVIDIA and Midjourney, serve as a channel to launch the Bumblebee DLL.

"Bumblebee uses a stealthier approach to avoid the creation of other processes and avoids writing the final payload to disk," Fróes pointed out.

"It does so by using the SelfReg table to force the execution of the DllRegisterServer export function present in a file in the File table. The entry in the SelfReg table works as a key to indicate what file to execute in the File table and in our case it was the final payload DLL."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Bumblebee and Latrodectus Malware Return with Sophisticated Phishing Strategies

A hacker known as “TAINTU” is advertising a “Top Secret U.S. Space Force Military Technology Archive” for sale,…

A hacker known as “TAINTU” is advertising a “Top Secret U.S. Space Force Military Technology Archive” for sale, allegedly containing classified data on advanced space-based defence systems and AI-driven weapons.

A hacker using the alias “TAINTU” is offering what they claim to be 1.45 TB of “top secret USSF military technology archives” for sale, priced at $15,000 in Bitcoin (BTC) or Monero (XMR) cryptocurrency.

The acronym USSF stands for the United States Space Force, the space operations branch of the U.S. Armed Forces. The USSF is responsible for organizing, training, and equipping military personnel for space-related operations.

The ad, viewed by _**Hackread.com**_, was initially posted on the data breach and cybercrime platform Breach Forums on Saturday, October 19, 2024. However, it was removed by the hacker on the same day. When _**Hackread.com**_ inquired about the removal, the hacker explained that the data remains available for sale through underground channels, citing the lack of “seriousness” from users on Breach Forums.

Partial screenshot from the now deleted post (Screenshot: Hackread.com)

**What’s in the Archive?**

The hacker’s use of the term “archive” implies a comprehensive collection of information rather than just a single piece of file/data. The sample data published by the hacker appears to be contains classified leaks from the United States Space Force (USSF), detailing advanced military technologies, space-based weapon systems, future developments, and simulated battle scenarios.

The trove of data also allegedly also includes in-depth technical analyses, project files, and system diagrams from ongoing USSF development programs, with a focus on next-generation orbital defence.

This collection, described as “dozens of files,” holds critical military data, technical diagrams, and performance simulations. It reportedly provides unprecedented insight into next-generation weaponry and space-based defence systems, including the following:

**Directed Energy Weapons (DEW):** Advanced systems optimized for targeting satellites and enemy space infrastructure using high-energy lasers. 

**Quantum Cyber Warfare:** Cutting-edge encryption-breaking technology for intercepting and neutralizing enemy satellite communications. 

**Electromagnetic Pulse (EMP) Systems:** Area-wide electronic grid disruptors, capable of disabling enemy communication, radar, and missile systems over a vast range. 

**AI-Controlled Weapons:** Autonomous targeting systems using advanced machine learning algorithms for real-time satellite interception and space warfare scenarios. 

The archive allegedly contains leaked content such as project files with technical breakdowns and financial allocations for the development of Directed Energy Weapons (DEW), AI-based orbital weapons, and quantum cybersecurity systems. It also includes research on future technologies like antimatter energy and quantum teleportation, schematics and diagrams outline high-orbit defence systems and missile interception strategies, while CSV data files provide comprehensive simulation data on energy consumption and AI response times.

In addition, the files appears to be contain over 20 technical PDF reports covering satellite communication encryption, EMP defence, and AI targeting systems, as well as classified intelligence on adversarial capabilities from nations like China and Russia, and countermeasures for hypersonic missile threats.

The sample files published by the hacker are claimed to be "technical samples extracted directly from the archive." These include PDF files detailing “Phase 3 testing of the Helios *** laser platform,” CSV files containing detailed test results related to high-tech weapons or defence systems—apparently involving directed energy weapons (DEWs) or similar technologies—and a project file snippet outlining the budget and technical progress report for the DEW-\*\*\*1.

The data also includes several diagrams, including one titled “Orbital Defense and Interception Scenarios,” which details a “beam divergence analysis for orbital defence” among other related information. However, due to security concerns and the potential implications of this being a national security breach for the United States, **_Hackread.com_** is refraining from publishing any images or details that could compromise the security of the institution.

**“Exclusive Access and Direct Breach”**

When asked whether the alleged data breach involving a third-party contractor, as seen in the April 2024 case of US defence contractor Acuity Inc., where an Intel Broker hacker leaked ICE and USCIS data, the hacker claimed it was a “direct data breach,” with no third-party firm involved.

“This archive offers exclusive access to classified military technologies currently in development by the USSF. The data covers cutting-edge research, including highly advanced AI-controlled defence systems and quantum-based communication, which are reshaping the future of warfare,” the hacker told _**Hackread.com**_.

“These documents are invaluable to anyone interested in military technology or defence strategies, providing insights into the most advanced space-based weapon systems on the planet.”

The authenticity of the breach has yet to be confirmed. _**Hackread.com**_ has reached out to the Cybersecurity and Infrastructure Security Agency (CISA) for comment. However, the hacker remains confident in the legitimacy of the archive.

1.  **Crimson Palace: Chinese Hackers Stole Military Secrets**
2.  **Military Satellite Access Sold on Russian Forum for $15,000**
3.  **Intel Broker Claims Cisco Breach, Selling Data from Major Firms**
4.  **Russian National Jailed for Smuggling US Military Tech to Russia**
5.  **S3 Buckets Exposed US Military’s Social Media Spying Campaign**

1.  \* indicates redacted information ↩︎

Hacker Advertises “Top Secret US Space Force (USSF) Military Technology Archive”

Helper is an enumerator written in PHP that helps identify directories on webservers that could be targets for things like cross site scripting, local file inclusion, remote shell upload, and remote SQL injection vulnerabilities.

Helper 0.1

The "Code-on-Toast" supply chain cyberattacks by APT37 delivered data-stealing malware to users in South Korea who had enabled Toast pop-up ads.

Source: Eric Anthony Johnson via Alamy Stock Photo

The North Korea-backed advanced persistent threat known as APT37 exploited a zero-day vulnerability in Microsoft's Internet Explorer Web browser over the summer, using it to mount a zero-click supply chain campaign on South Korean targets, researchers revealed.

While IE reached end of life in 2022 and many organizations don't use it anymore, there are plenty of legacy applications that do. In this case, APT37 (aka RedAnt, RedEyes, ScarCruft, and Group123) specifically targeted a Toast ad program that is usually installed alongside various free software, according to AhnLab SEcurity intelligence Center (ASEC). "Toasts" are pop-up notifications that appear at the right-bottom of a PC screen.

"Many Toast ad programs use a feature called WebView to render Web content for displaying ads," according to AhnLab researchers. "However, WebView operates based on a browser. Therefore, if the program creator used IE-based WebView to write the code, IE vulnerabilities could also be exploited in the program."

**A Hot-Buttered Zero-Click Toast Exploit**

According to AhnLab's analysis released last week, the state-sponsored cyberattack group compromised an ad agency, and then used the bug, tracked as CVE-2024-38178 (CVSS 7.5), to inject malicious code into the Toast script the agency uses to download ad content to people's desktops. Instead of ads, the script began delivering malware.

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

"This vulnerability is exploited when the ad program downloads and renders the ad content," the researchers explained in their report on the attack, which they called "Code on Toast." "As a result, a zero-click attack occurred without any interaction from the user."

The malware delivered is the RokRAT, which APT37 has consistently used in the past.

"After infecting the system, various malicious behaviors can be performed, such as remote commands," the researchers noted, adding, "In this attack, the organization also uses Ruby to secure malicious activity persistence and performs command control through a commercial cloud server."

The campaign had the potential to cause significant damage, they said, but the attack was detected early. "In addition, security measures were also taken against other Toast advertising programs that were confirmed to have the potential for exploitation before the vulnerability patch version was released," according to AhnLab.

**IE Lurks in Apps, Remains a Cyber Threat**

Microsoft patched the bug in its August Patch Tuesday update slate, but the continued use of IE as a built-in component or related module within other applications remains a concerning attack vector, and an incentive for hackers to continue to acquire IE zero-day vulnerabilities.

Related:BlankBot Trojan Targets Turkish Android Users

"Such attacks are not only difficult to defend against with users' attention or antivirus, but can also have a large impact depending on the exploited software," AhnLab researchers explained in the report (PDF, Korean).

They added, "Recently, the technological level of North Korean hacking groups is becoming more advanced, and attacks that exploit various vulnerabilities other than IE are gradually increasing."

Accordingly, users should make sure to keep operating systems and software up to date, but "software manufacturers should also be careful not to use development libraries and modules that are vulnerable to security when developing products," they concluded.

Translation provided by Google Translate.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Tag

#pdf