In our latest Threat Digest, we spotlight the maneuvers of the notorious FIN8 group and applaud the swift intervention of the Blackpoint Cyber SOC in halting their latest ploy. From DarkGate’s sly comeback via popular communication tools to the surprising leak of HelloKitty ransomware’s source code, the digital landscape remains ever-volatile. Also, delve into updates from the open-source realm, curl’s kinks, and heed a timely alert for WordPress enthusiasts about disguised dangers. Navigate these intricate cyber waters with us. Stay informed, stay safe!

In a recent cyber incident, the notorious FIN8 threat group, also known as Storm-0288, utilized sophisticated tactics to infiltrate networks, emphasizing their continuous evolution to bypass organizational defenses. Leveraging a Remote Desktop Protocol (RDP) connection from a compromised machine, they initiated their attack, which was promptly detected by the SOC. The group’s multifaceted approach involved:

• disabling legitimate monitoring software,
• executing various malicious commands, and
• establishing backchannels for persistent control over the compromised systems.

Notably, they displayed advanced system manipulations, like modifying ‘OneDriveSetup.exe,’ hinting at their technical adeptness. The swift and comprehensive response by the SOC successfully neutralized the threat, emphasizing the importance of vigilant monitoring and proactive cybersecurity measures.

Between July and September, Trend Micro detected the resurgence of the DarkGate malware campaign, which exploited instant messaging platforms to deliver a malicious VBA (Visual Basic for Applications) loader script to victims. The campaign notably abuses Skype and Microsoft Teams, with messages appearing from trusted sources, thus leveraging compromised accounts or potentially previous breaches. Once deceived, the victim downloads a second-stage payload containing the DarkGate malware code. The malware exhibits extensive malicious features, including:

• keylogging,
• information theft,
• privilege escalation, and
• cryptocurrency mining.

While historically dormant, DarkGate has seen an uptick in activity this year, predominantly in the Americas. Trend Micro underscores the importance of securing and limiting an organization’s exposure to such threats, especially by implementing measures like multifactor authentication (MFA), application allowlisting, and continuous employee training on security awareness.

The complete source code for the initial version of the HelloKitty ransomware has been publicly leaked on a Russian-speaking hacking forum. This discovery was made by cybersecurity researcher 3xp0rt, who identified the threat actor releasing the code as ‘kapuchin0’, also known under the alias ‘Gookee’. Notably, Gookee has a track record of previous malware-related activities, including a connection to the ‘Gookee Ransomware.’ It’s speculated that kapuchin0/Gookee is the original developer of HelloKitty and is now working on a more advanced encryptor. While such leaks can aid security research, there’s a significant risk, as evidenced by past instances where ransomware code was repurposed for new cyberattacks. With HelloKitty having been operational since 2020, involved in notable breaches like the one against CD Projekt Red, the leak underscores the need for updated defenses against this evolving threat.

The command line transfer tool, curl, has patched what is described by its founder, Daniel Stenberg, as “probably the worst curl security flaw in a long time.” The two distinct vulnerabilities, identified as CVE-2023-38545 and CVE-2023-38546, have been addressed. These vulnerabilities can be exploited to corrupt/steal data, execute arbitrary code and hijack sessions. Users of affected versions are strongly advised to upgrade to curl 8.4.0. The early disclosure of one of these patches by Red Hat’s CentOS Stream project led to attempts to identify exploitation methods. The industry’s response suggests some feel the vulnerability’s severity was overstated, though widespread use of tools like curl implies inherent risk.

US government groups, such as CISA, FBI, NSA, and the Treasury Department, have together shared new safety advice for using open-source software (OSS) in operational tech (OT) areas. This advice is based on CISA’s past work on open-source software safety. The main focus is to help people understand and use OSS safely, especially in areas like industrial systems. The guide points out that both OSS and OT have some common security issues, like weak points in the software and missing setup instructions. Because OT systems often get attacked, it’s advised to keep both OT and IT systems updated. The guide also suggests building systems with safety first and being open about where the software comes from to lower risks. This new guide builds on a similar one they put out last year.

Wordfence’s incident response team recently identified a sophisticated malware posing as a legitimate WordPress plugin. Disguised as a caching plugin, this malicious code operates as a backdoor, granting attackers multiple functionalities, including:

• the creation of an admin account,
• remote plugin activation & deactivation,
• the concealment from lists of activated plugins
• modify content,
• target certain user types with malicious content, and
• remotely control features.

Detected on July 18, 2023, Wordfence quickly developed a signature to counteract this threat. While Wordfence Premium, Care, and Response users received immediate protection against this malware, free users obtained the protective signature after a 30-day delay. Wordfence urges users to remain vigilant, emphasizing that while they offer robust protection against such threats, monitoring and proactive measures remain crucial for optimal site security.

For real-time intel and updates, don’t forget to follow APG on Twitter and Reddit.