Ransomware/Malware Activity

Threat Actors Use Latrodectus Malware in Phishing Campaign

The malware known as Latrodectus, emerging in email phishing campaigns since late November 2023, represents a sophisticated evolution in the cyber threat landscape, closely related to the previously identified IcedID loader. Discovered and analyzed by researchers from Proofpoint and Team Cymru, Latrodectus exhibits advanced sandbox evasion capabilities and is designed to download and execute arbitrary commands, marking it as a dynamic and formidable downloader. It appears to be the brainchild of the same threat actors behind IcedID, aimed at facilitating the deployment of additional malware through initial access brokers, notably TA577 and TA578. These campaigns cleverly leverage spoofed legal threat communications to distribute a JavaScript file, which subsequently deploys the Latrodectus payload. This malware verifies its operating environment by checking for a valid MAC address and a sufficient number of running processes, ensuring stealth operation. Beyond its technical prowess, Latrodectus's infrastructure shows clear operational ties to IcedID, including shared backend infrastructure and methodologies, suggesting a strategic evolution by these threat actors to maintain their nefarious activities. The emergence of Latrodectus signifies a notable shift in the cybercriminal toolkit, potentially increasing the threat level for organizations worldwide, especially those previously targeted by IcedID-related campaigns.

Threat Actor Activity

New Phishing Campaign Targets Latin America with Advanced Evasion Techniques

Threat actors have been observed conducting a sophisticated phishing campaign aimed at the Latin American region, specifically targeting Windows systems with malicious payloads. The campaign begins with phishing emails containing ZIP files that, upon extraction, reveal HTML files directing users to download disguised malicious invoices. These emails appear to originate from a domain employing "temporary[.]link" and are tailored to evade detection by behaving differently based on the recipient's IP address' geolocation, particularly targeting users in Mexico. The malware involved in this campaign is complex, designed to gather system information, check for antivirus defenses, and deploy additional malicious files from Dropbox. This operation bears resemblance to the tactics used in past Horabot malware campaigns, which also focused on Spanish-speaking users in Latin America. In addition to this phishing scheme, cybersecurity researchers have also uncovered a malvertising campaign exploiting Microsoft Bing users with counterfeit NordVPN ads leading to the download of a remote access trojan called SectopRAT, as well as a fake Java Access Bridge installer that deploys a cryptocurrency miner. Furthermore, a Golang-based malware has been discovered in recent campaigns, showcasing advanced evasion techniques such as geolocation checks and installing a root certificate for secure communication with its command-and-control (C2) server. These incidents underscore the evolving sophistication of cyber threats and the need for vigilance among users and cybersecurity professionals alike, especially in the context of region-specific targeting and the exploitation of popular software and services.


Critical Vulnerability in Magento eCommerce Websites Actively Exploited

UPDATE: Cybersecurity researchers have identified a novel exploit targeting Magento websites, utilizing a critical vulnerability. Magento is a platform with built-in PHP, which helps users to create eCommerce websites. Adobe characterized this vulnerability, tracked as CVE-2024-20720 (CVSS score of 9.1/10), as an improper neutralization of special elements issue, which could lead to arbitrary code execution if exploited. The flaw was patched in updates issued on February 13, 2024. The exploit involves a sophisticated attack where a malicious layout template inserted into the database automatically injects code, enabling attackers to execute system commands via the Magento layout parser and the beberlei/assert package. This method triggers when the checkout cart page is accessed, deploying a backdoor for code execution and installing a Stripe payment skimmer to steal financial data. The discovery coincides with the Russian government charging six individuals for deploying skimmer malware to pilfer credit card details from international e-commerce platforms since late 2017, leading to the illegal acquisition and sale of information from nearly 160,000 payment cards. CTIX analysts recommend that all Magento users ensure they have installed the latest update to prevent future exploitation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.