Cyber Security Weekly Recap (17-21 Oct.)


Cybercriminals related to Black Basta Ransomware are using Qakbot to Deploy Brute Ratel C4

Black Basta threat actors have been seen employing the Qakbot trojan to drop the Brute Ratel C4 framework as a second-stage payload in recent security attacks.

In a technical report published last week, the cybersecurity company Trend Micro said that this is the first time the adversary simulation software has been delivered through a Qakbot infection.

The hackers were able to get into systems by sending a phishing email with a weaponized link that led to a ZIP archive.

Known to have been active since at least 2007, Qakbot is a banking trojan and information stealer also known as QBot and QuackBot. But because it is flexible and can be used as a downloader, it has become the main tool to spread more malicious code.

Although the attack was stopped before any damage could be done, it is believed that the ultimate goal was domain-wide ransomware deployment.

A critical RCE flaw has been found in the Cobalt Strike Hacking Tool

An out-of-band security update has been released by Helpsystems, the company behind the Cobalt Strike software platform, to fix a remote code execution vulnerability that might enable an attacker to gain control of targeted devices.

Although Cobalt Strike is a commercial red-team framework commonly used for adversary simulation, ransomware operators and espionage-focused advanced persistent threat (APT) groups have been seen actively abusing cracked copies of the software.

This vulnerability is identified as CVE-2022-42948 and affects Cobalt Strike version 4.7.1. From what we know, the flaw is caused by an incomplete fix for a cross-site scripting (XSS) flaw (CVE-2022-39197) that was published on September 20, 2022, and could allow remote code execution.

Authorities warn of a PowerShell backdoor masquerading as a Windows update

New information has been revealed about a fully undetectable (FUD) PowerShell backdoor that disguises itself as a Windows update to stay out of sight.

According to Tomer Bar, SafeBreach’s head of security research, the custom-developed tool and the related C2 instructions appear to be the work of a sophisticated, unknown threat actor who has targeted about 100 victims.

According to the findings, a weaponized Microsoft Word document was uploaded from Jordan on August 25, 2022, marking the beginning of an attack chain using the malware.

An analysis of the document’s metadata reveals that the first vector of attack was a LinkedIn-based spear-phishing attempt, which in turn launched a PowerShell script through a malicious macro.

Researchers Explain A Critical Azure SFX Vulnerability That Could Have Given Hackers Admin Access

Additional information concerning a recently fixed security weakness in Azure Service Fabric Explorer (SFX) that might have allowed an attacker to get administrator rights has been made public by cybersecurity experts.

Microsoft patched the issue, identified as CVE-2022-35829, as part of last week’s Patch Tuesday updates. The CVSS rating for this vulnerability is 6.2.

The security firm Orca Security identified the vulnerability as FabriXss and reported it to the tech giant on August 11, 2022. This issue affects versions of Azure Fabric Explorer 8.1.316 and earlier.

According to Microsoft, SFX is an open-source tool for analyzing and controlling Azure Service Fabric clusters. The Service Fabric is a distributed systems platform for creating and deploying microservices-based cloud applications.

The new Ursnif Banking Trojan targets businesses for data theft and Ransomware

The Ursnif malware is the most recent example of a banking trojan that has repurposed itself as a generic backdoor capable of delivering subsequent-stage payloads, joining the ranks of Emotet, Qakbot, and TrickBot.

Codenamed LDR4, the updated and reworked edition was first identified in the wild by the Google-owned threat intelligence organization on June 23, 2022. The shift in purpose is thought to be an effort to set the framework for future ransomware and data theft extortion operations.

Ursnif (also known as Gozi or ISFB) has been linked to attacks since 2007. In a report from August 2020, Check Point published a timeline charting the “evolution of Gozi”, highlighting the platform’s growth over time.

In the malware’s most recent attack chain, the attackers have been using phishing emails posing as invoices and job postings to trick victims into downloading an Excel sheet that contains the malware.

Google Play Store removed 16 Clicker Malware-Infected Android Apps

According to cybersecurity company McAfee, the Clicker malware tried to get users to install it by disguising itself as apparently harmless apps such as cameras, currency/unit converters, QR code scanners, note-taking apps, and dictionaries.

Once the Clicker app is installed and launched, the malicious code behind it is activated, allowing the malware to visit fake websites and generate fake clicks on ads without the victims’ awareness.

The malware checks when it was installed and makes sure that the suspicious behavior does not begin within the first hour after installation. It also uses a random delay between transmissions to avoid detection.

As per the report, 16 infected applications with over 20 million combined downloads were removed from the Google Play Store for engaging in the above-described mobile ad fraud.


About the author


Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her focus on simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.