Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service
In December 2024, a new Adversary-in-the-Middle (AiTM) phishing kit known as Sneaky 2FA was identified, targeting Microsoft 365 accounts. This phishing kit, sold as Phishing-as-a-Service (PhaaS) by the cybercrime service “Sneaky Log”, utilizes sophisticated techniques including autograb functionality and anti-bot measures. The analysis reveals its operational methods, including the use of Telegram for distribution and support.…
Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations
This report discusses a cyber espionage campaign linked to the Russian intrusion set UAC-0063, which targets Central Asian countries, particularly Kazakhstan, using weaponized Office documents. The campaign is associated with the APT28 group and aims to collect strategic intelligence concerning Kazakhstan’s diplomatic and economic relations. Affected: Kazakhstan, Ukraine, Israel, India, Kyrgyzstan, Tajikistan

Keypoints:

UAC-0063 is a Russian intrusion set active since at least 2021, targeting various countries.…

In September 2023, a successful disinfection campaign against the PlugX worm was conducted, involving collaboration with multiple countries to remotely clean infected systems. The campaign utilized innovative methods to ensure effective disinfection while addressing legal frameworks. #CyberSecurity #PlugX #MalwareDisinfection

Keypoints:

Ownership of an IP address associated with the PlugX worm was successfully taken in September 2023.…

Summary:

YARA is a powerful tool for malware detection and classification, extensively used by Sekoia.io’s Threat Detection and Research team. The integration of YARA into their workflows enhances threat hunting and malware analysis, and the release of their YARA rules on GitHub fosters community collaboration.…

Summary:

The report outlines the structure and dynamics of China’s offensive cyber operations, highlighting the roles of state actors like the PLA, MSS, and MPS, as well as the increasing involvement of private companies and patriotic hackers. It emphasizes the shift in cyber activities post-2015 and the complexities in attributing cyber attacks to specific entities.…

Summary:

This report discusses the ClickFix social engineering tactic, which utilizes deceptive web pages to trick users into executing malicious PowerShell commands, leading to system infections. The analysis highlights various infection chains, detection opportunities, and the evolution of this tactic within the cybersecurity landscape.

Keypoints:

ClickFix is a new social engineering tactic monitored since May 2024.…
Short Summary: The Sekoia Threat Detection & Research team has been investigating a sophisticated cyber attack infrastructure since mid-2023, focusing on compromised edge devices used as Operational Relay Boxes (ORBs). The infrastructure, believed to be operated by multiple Chinese actors, includes 63 servers and utilizes malware such as GobRAT and Bulbature for offensive cyber operations.…

Short Summary:

This report discusses a series of cyberattacks attributed to the 8220 Gang, targeting Oracle WebLogic servers through the exploitation of critical vulnerabilities. The attackers deployed various malware, including K4Spreader and Tsunami, to mine Monero cryptocurrency and establish persistence on compromised systems. The analysis highlights similarities with previous attacks, particularly the Hadooken malware case, and suggests a focus on cloud environments, especially in South America.…

Short Summary:

In early 2024, the Sekoia Threat Detection & Research team investigated a suspicious script on a Kurdish website that prompted users to activate their webcams and share their locations. The investigation revealed 25 compromised Kurdish websites with four variants of a malicious script. The campaign, notable for its scale and duration, began in late 2022 and did not match any known TTPs, suggesting a new threat actor targeting the Kurdish community.…


Short Summary:

This report discusses the ongoing monitoring of the Emmenhtal loader, a stealthy malware loader used for distributing various infostealers. The analysis highlights the use of WebDAV technology for hosting malicious files, the diverse range of malware delivered, and the potential for this infrastructure to be offered as a service to multiple threat actors.…


This report was originally published for our customers on 20 June 2024.

Today, the Check Point Research (CPR) team published a report on the same implant, providing details of recent MuddyWater campaigns.

Introduction

On June 9 2024, ClearSky tweeted about a new campaign associated with the MuddyWater intrusion set, employed by the Iranian intelligence service MOIS (Ministry of Intelligence) against Western and Middle Eastern entities.…