Get the TIGR Threat Watch and Bulletin

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

🚩 Adversaries Leverage Amadey Bot to Deploy Additional Malware via Phishing Sites

The Amadey bot, an infostealing trojan previously distributed through exploit toolkits, is currently spreading through phishing sites and spam emails. After users interact with the malicious site for initial infection, Amadey creates a copy of itself in a temporary directory and schedules a task to execute the malware continuously. The bot collects machine data, connects to a command-and-control (C2) server, and executes two malicious DLL files to perform additional malicious activities.

Impact: Threat actors continue elevating their tactics by equipping malware with many features. The Amadey bot presents an extreme threat to various potential victims due to its reconnaissance, infostealing, exfiltrating, and clipper functionalities.

Recommendation: A successful strategy to mitigate risk within your organization is leveraging a defense in depth security mindset. Fortinet explains the strategy’s components and specific recommendations for each security layer: https://www.fortinet.com/resources/cyberglossary/defense-in-depth

🚩 Threat Actors Deploy Kronos Malware via Chrome Extension

IBM security researchers discovered an unexpected increase in Kronos malware activity in Mexico, injecting malicious Chrome extensions into organizations’ JavaScript-based web pages. Since 2011, the Kronos malware has continued to emerge in new campaigns with additional functions after occasionally going dormant. In recent months, threat actors developed a Chrome extension named Seguridad to install the malware in attacks against financial institutions.

Impact: After installation, the malware executes web-injection attacks to steal credentials, authentication tokens, and other browser data.

Recommendation: Users should avoid installing software from untrusted vendors unless instructed to do so by system administrators.

🚩 Vice Society Ransomware Group Targets Manufacturing Companies

Researchers from Trend Micro recently identified the Vice Society ransomware gang executing attacks against several manufacturing organizations, despite previously targeting the education and healthcare industries. The rapid change in victimology likely indicates the group purchased compromised credentials on the dark web for initial access in attacks against manufacturing companies. Vice Society uses a broad toolset, including Cobalt Strike, Rubeus C#, and Mimikatz, to execute its attacks.

Impact: Once threat actors gain administrative permissions, they terminate many processes to enable the successful deployment and execution of their ransomware and evade detection.

Recommendation: Organizations should develop a multilayered approach to prevent threat actors from accessing their systems. Administrators should consider end-point, email, web, network, and physical protections. View the technical analysis section of the linked article for an in-depth timeline of Vice Society’s infection chain.

🚩 New Python-Based RAT Leverages WebSockets for Stealthy C2 Connection

A new attack campaign, tracked by Securonix as PY#RATION, recently emerged using a Python-based remote access trojan (RAT) to exfiltrate data, perform keylogging, and execute other malicious activities. The malware leverages Python’s built-in Socket.IO framework to evade antivirus and security software detection while communicating with a command-and-control (C2) server and performing data exfiltration. The initial infection begins with a phishing email containing two LNK files within a malicious ZIP attachment.

Impact: By leveraging the WebSocket protocol, the threat actors behind this campaign can simultaneously receive and send data over a single transmission control protocol (TCP) connection, often using open ports like 80 or 443.

Recommendation: Instruct employees to avoid opening unexpected email attachments and any files or URLs from users outside the organization. Securonix provides a MITRE ATT&CK mapping, indicators of compromise, and threat hunting queries here: https://www.securonix.com/blog/detecting-python-based-pyration-attack-campaign-with-securonix/

🚩 CISA Releases Advisory on the Malicious Use of RMM Software

CISA released a security advisory with the NSA and the Multi-State Information Sharing and Analysis Center (MS-ISAC) to provide protection strategies against adversaries’ recent abuse of remote monitoring and management (RMM) software. The advisory outlines a campaign in which an unknown threat actor used a phishing email to lure targets into downloading a malicious executable, leading to the installation of RMM software.

Impact: The adversaries behind the campaign seem to be financially motivated, as they abused the RMM software to access and modify victims’ bank account information.

Recommendation: Organizations should leverage CISA’s mitigation strategies to create a layered security structure. Encouraging users to use caution against phishing or other social engineering attacks is an additional method to prevent further attacks.

CheckPoint Identifies Several Tech Giants as Top Impersonated Brands of 2022

Adversaries have increasingly leveraged phishing and other social engineering attacks as an initial attack vector. Throughout 2022, Yahoo, Microsoft, Google, and other well-known technology organizations are included in the top ten impersonated brands in social engineering attacks.

Impact: Threat actors typically use phishing attacks to lure targets into unknowingly installing malware via downloadable files and executables. Adversaries can create a sense of trust by spoofing popular brands, often convincing targets to compromise their security.

Recommendation: Training employees to spot social engineering and phishing attempts can increase your organization’s security posture. Organizations are encouraged to implement the tactics from CISA’s phishing prevention guide: https://www.cisa.gov/sites/default/files/publications/phishing-infographic-508c.pdf

Sign up here!

To receive the threat bulletin and critical vulnerability notifications, simply complete the form below.

 

Follow on Twitter

@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.

Subscribe to the RSS!

Just copy and add this link to your RSS app and be notified immediately when new intel is posted.

How to use RSS

Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.

To follow using Outlook:

(click here for detailed instructions and additional options for Outlook)

Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed

Threat Bulletin Archive

Interested in what we do?

Explore our Advisory Services to learn how our team can help improve your cyber program.