RST TI Report Digest: 03 Mar 2025

This week’s threat intelligence report from RST Cloud analyzes cybersecurity threats targeting a range of sectors and organizations. Noteworthy attacks include FatalRAT impacting industrial organizations in the Asia-Pacific region, delivered through an advanced mechanism that relies on DLL sideloading. The Silent Killers report discusses large-scale exploitation of legacy drivers, while other reports cover threats such as Koi Stealer, AMOS Stealer, and attackers affiliated with the Hellcat and Silver Fox groups, which target the governmental and healthcare sectors, respectively. Affected: industrial organizations, healthcare, cryptocurrency sector, government entities, educational institutions, critical national infrastructure.

Key points:

  • FatalRAT targets industrial organizations in APAC through sophisticated delivery methods.
  • Legacy driver exploits are linked to a significant cyber campaign with multiple affected applications.
  • RustDoor and Koi Stealer linked to North Korean actors exploiting cryptocurrency sectors.
  • Operation SalmonSlalom spreads malware via email and messaging platforms using social engineering.
  • Hellcat Ransomware Group targets critical infrastructure with spearphishing and CVE exploitation.
  • Silver Fox APT exploits healthcare applications, showing increased sophistication in evasion tactics.
  • Patchwork APT conducts multi-faceted attacks on military and educational institutions in South Asia.
  • PolarEdge botnet targets devices through Cisco router vulnerabilities and has established extensive infrastructure.

MITRE Techniques:

  • T1075 (Pass the Hash): Attackers use stolen credential hashes to authenticate to systems and conduct lateral movement.
  • T1086 (PowerShell): PowerShell commands are used for malware execution and persistence.
  • T1218.011 (DLL Side-Loading): A malicious DLL is loaded by a legitimate application, which executes it in the application's own trusted context.
  • T1071.001 (Application Layer Protocol: Web Protocols): C2 communication established via HTTP/HTTPS.
  • T1213 (Data from Information Repositories): Targeting sensitive data like credentials from locations such as Veeam backups and credential managers.

Indicators of Compromise:

  • [IP Address] 43[.]155[.]73[.]235
  • [IP Address] 192[.]168[.]1[.]1
  • [Domain] api[.]youkesdt[.]asia
  • [URL] http://mytodesktest-1257538800[.]cos[.]ap-nanjing[.]myqcloud[.]com/DLL[.]dll
  • [Hash] md5=bcec6b78adb3cf966fab9025dacb0f05
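The indicators above are published defanged (`[.]` in place of `.`) so they cannot be clicked by accident; to use them for detection they have to be refanged and then matched against logs with type-appropriate rules (exact token match for IPs and hashes, host match for domains, substring match for URLs). The following is an added example of that workflow, written for this digest and not part of RST Cloud's report or tooling. It also drops `192[.]168[.]1[.]1` from the watchlist, because it is an RFC 1918 private address that will match ordinary internal traffic and is therefore not usable as a network indicator. The proxy, DNS and EDR log lines are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators exactly as listed in the digest, still defanged.
DEFANGED_IOCS = [
    ("ip", "43[.]155[.]73[.]235"),
    ("ip", "192[.]168[.]1[.]1"),
    ("domain", "api[.]youkesdt[.]asia"),
    ("url", "http://mytodesktest-1257538800[.]cos[.]ap-nanjing[.]myqcloud[.]com/DLL[.]dll"),
    ("md5", "bcec6b78adb3cf966fab9025dacb0f05"),
]

# Constructed sample log lines (not from any real incident) in a loose key=value style.
SAMPLE_LOGS = [
    "2025-03-03T10:01:02Z proxy src=10.0.0.15 dst=43.155.73.235 method=GET "
    "url=http://mytodesktest-1257538800.cos.ap-nanjing.myqcloud.com/DLL.dll status=200",
    "2025-03-03T10:01:05Z dns client=10.0.0.15 query=api.youkesdt.asia type=A",
    "2025-03-03T10:02:11Z edr host=WS-042 event=file_write "
    "path=C:\\Users\\Public\\DLL.dll md5=BCEC6B78ADB3CF966FAB9025DACB0F05",
    "2025-03-03T10:03:00Z proxy src=10.0.0.20 dst=192.168.1.1 method=GET url=http://192.168.1.1/login status=200",
    "2025-03-03T10:04:00Z dns client=10.0.0.20 query=updates.example.com type=A",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b")


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str


def refang(value: str) -> str:
    """Undo the common defanging conventions so the value can be matched."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def is_routable_ip(ip: str) -> bool:
    """True only for addresses that could appear as an external peer."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved)


def build_watchlist(defanged):
    """Refang, normalize case, and discard IPs that cannot serve as network IoCs."""
    watchlist = []
    for kind, raw in defanged:
        value = refang(raw).lower()
        if kind == "ip" and not is_routable_ip(value):
            continue  # e.g. 192.168.1.1: RFC 1918, matches benign internal traffic
        watchlist.append(Indicator(kind, value))
    return watchlist


def scan_line(line: str, watchlist):
    """Return the indicators that match one log line, using a rule per indicator type."""
    low = line.lower()
    ips = set(IP_RE.findall(low))       # whole-token match, so 10.0.0.1 never hits 10.0.0.15
    md5s = set(MD5_RE.findall(low))     # hashes are case-insensitive, hence the lowercasing
    hosts = set(HOST_RE.findall(low))   # dotted names, so api.youkesdt.asia does not hit xapi.youkesdt.asia
    hits = []
    for ind in watchlist:
        if ind.kind == "ip" and ind.value in ips:
            hits.append(ind)
        elif ind.kind == "md5" and ind.value in md5s:
            hits.append(ind)
        elif ind.kind == "domain" and ind.value in hosts:
            hits.append(ind)
        elif ind.kind == "url" and ind.value in low:
            hits.append(ind)
    return hits


def scan_logs(lines, watchlist):
    """Map line index -> matched indicators, omitting lines with no hits."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_line(line, watchlist))}


if __name__ == "__main__":
    wl = build_watchlist(DEFANGED_IOCS)
    for idx, hits in scan_logs(SAMPLE_LOGS, wl).items():
        print(idx, [(h.kind, h.value) for h in hits])
```

Run as a script it reports hits on the first three sample lines only (external IP plus URL, the domain, and the MD5) and stays silent on the internal `192.168.1.1` request and the benign DNS query. Matching by token rather than raw substring is what keeps the IP and domain rules from producing false positives on longer addresses or hostnames that merely contain the indicator.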



Full Story: https://medium.com/@rst_cloud/rst-ti-report-digest-03-mar-2025-d68432f2e9a1?source=rss——cybersecurity-5