RST TI Report Digest: January 13, 2025

This week’s threat intelligence digest from RST Cloud summarizes 29 threat intelligence reports. Highlights include the Chinese state-sponsored group RedDelta targeting Mongolia, Taiwan, and Southeast Asia, the emergence of the Banshee macOS stealer, and the growth of the Gayfemboy botnet. For each campaign the digest records the tactics, techniques, and procedures (TTPs) observed and lists the associated indicators of compromise (IoCs). Organizations referenced (as reporting vendors, impersonated brands, or victims): Recorded Future, CrowdStrike, Check Point, Trend Micro, Huntress, Cyberhaven, CERT-AGID

Key points:

  • RedDelta targets Mongolia, Taiwan, and Southeast Asia using PlugX backdoors and spear-phishing.
  • Cobalt Strike servers identified on Huawei Cloud, utilizing Visual Studio Code tunnels for evasion.
  • Phishing campaigns imitating CrowdStrike’s hiring process to distribute XMRig cryptominer.
  • Banshee malware targets macOS users, evading detection and stealing sensitive information.
  • Gayfemboy botnet leverages vulnerabilities in Four-Faith Industrial Routers, growing to over 15,000 nodes.
  • Vidar campaign in Italy abuses compromised PEC (Posta Elettronica Certificata, certified email) mailboxes to deliver the stealer, using heavily obfuscated JavaScript.
  • Cyberhaven incident involved a compromised Chrome extension exfiltrating sensitive data.
  • RedCurl APT group conducted cyberespionage in Canadian organizations, focusing on data extraction.

MITRE Techniques:

  • RedDelta: Hijack Execution Flow: DLL Search Order Hijacking (T1574.001) – Used to load malicious DLLs alongside legitimate executables.
  • RedDelta: Phishing (T1566) – Spear-phishing campaigns carrying lure documents.
  • Cobalt Strike: Application Layer Protocol: Web Protocols (T1071.001) – Command and control over HTTPS, tunnelled through Visual Studio Code tunnels.
  • Vidar: Obfuscated Files or Information (T1027) – Obfuscated JavaScript loaders to avoid detection.
  • Gayfemboy: Exploit Public-Facing Application (T1190) – Exploited zero-day vulnerabilities in Internet-exposed devices, including Four-Faith industrial routers.
  • Banshee: Credentials from Password Stores: Credentials from Web Browsers (T1555.003) – Extracted credentials and sensitive data from browsers and cryptocurrency wallets.
  • RedCurl: Scheduled Task/Job: Scheduled Task (T1053.005) – Used to execute binaries from suspicious locations.

Indicators of Compromise:

  • [IP Address] 115[.]61[.]168[.]143
  • [IP Address] 189[.]1[.]231[.]190
  • [Domain] abecopiers[.]com
  • [Domain] cscrm-hiring[.]com
  • [Domain] moonsif[.]store
  • See the full article for the complete list of IoCs.
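The indicators above are published defanged (`[.]` in place of `.`) so that they cannot be clicked or resolved by accident; before they are useful in a SIEM or log search they have to be refanged and loaded into a watchlist. The following is an added example, not code from RST Cloud or from the digest, showing the refang step, a small IP/domain watchlist built from the five IoCs listed on this page, and a scan over a few constructed DNS and proxy log lines. The log lines, the `10.0.0.x` client addresses and the `cdn.example.org` host are invented for the example; subdomain matching (`mail.abecopiers.com` hits `abecopiers.com`) is a design choice, not something the digest states.

```python
import re
from ipaddress import ip_address

# IoCs as printed in the digest, still defanged.
DEFANGED_IOCS = [
    "115[.]61[.]168[.]143",
    "189[.]1[.]231[.]190",
    "abecopiers[.]com",
    "cscrm-hiring[.]com",
    "moonsif[.]store",
]


def refang(indicator: str) -> str:
    """Reverse the common defanging conventions: [.] (.) {.} -> '.', [:] -> ':', hxxp(s) -> http(s)."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"\[:\]", ":", s)
    s = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), s, flags=re.IGNORECASE)
    return s.lower()


def classify(indicator: str) -> str:
    """'ip' if the refanged value parses as an IP address, otherwise 'domain'."""
    try:
        ip_address(indicator)
        return "ip"
    except ValueError:
        return "domain"


def build_watchlist(defanged):
    """Refang each indicator and bucket it by type for O(1) lookups."""
    watchlist = {"ip": set(), "domain": set()}
    for raw in defanged:
        ioc = refang(raw)
        watchlist[classify(ioc)].add(ioc)
    return watchlist


# Constructed sample log lines (not from the report); two DNS, two proxy events.
SAMPLE_LOGS = [
    "2025-01-13T10:02:11Z dns client=10.0.0.15 query=mail.abecopiers.com type=A",
    "2025-01-13T10:02:12Z proxy client=10.0.0.15 dst=115.61.168.143:443 method=CONNECT",
    "2025-01-13T10:03:40Z dns client=10.0.0.22 query=cdn.example.org type=A",
    "2025-01-13T10:05:01Z proxy client=10.0.0.22 dst=189.1.231.190:8080 method=GET",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: dotted labels ending in an alphabetic TLD, so bare IPs are not picked up twice.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def match_line(line, watchlist):
    """Return [(kind, indicator), ...] for every watchlist entry seen in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in watchlist["ip"]:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        h = host.lower()
        for domain in sorted(watchlist["domain"]):
            # Exact match or any subdomain of a watched domain.
            if h == domain or h.endswith("." + domain):
                hits.append(("domain", domain))
    return hits


def scan(lines, watchlist):
    """Return (line, hits) for each line that touches at least one indicator."""
    results = []
    for line in lines:
        hits = match_line(line, watchlist)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    wl = build_watchlist(DEFANGED_IOCS)
    for line, hits in scan(SAMPLE_LOGS, wl):
        print(hits, "<-", line)
```

Running the block prints the three sample lines that touch an indicator; the `cdn.example.org` lookup is correctly ignored. In production the watchlist would be fed from the full IoC list in the linked article rather than the five entries reproduced here.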


Full Research: https://medium.com/@rst_cloud/rst-ti-report-digest-13-jan-2025-ada620e4191c?source=rss——cybersecurity-5