RST TI Report Digest: 10 Mar 2025

This week’s threat intelligence report covers a range of sophisticated threats: targeted multistage malware attacks, ransomware groups adopting backconnect malware, and social-engineering tactics used in recruitment scams. Notable items include a campaign targeting the aviation and transport sectors in the UAE, and malware that leveraged social media for distribution. The report outlines the evolving tactics of these actors and underlines the need for heightened security awareness.

Affected: UAE aviation sector, North American financial institutions, Russian users, Middle East and North Africa, job seekers in the cryptocurrency sector

Key points:

  • Proofpoint identified the UNK_CraftyCamel campaign targeting the UAE’s aviation and transport sectors.
  • The attackers sent the malicious content from a compromised INDIC Electronics email account.
  • The Black Basta and Cactus ransomware groups have been deploying backconnect malware, with a focus on North America.
  • Typosquatted Go packages were found delivering malware to developers in the financial sector.
  • Social media platforms are being used to spread modified malware disguised as legitimate software.
  • The Kimsuky Group exploited a state of emergency to launch APT attacks in South Korea.
  • The GrassCall campaign lured job seekers with fake job offers that led to malware installation.

MITRE ATT&CK tactics:

  • TA0001: Initial Access – spear-phishing emails that cite emergencies or job opportunities to gain entry.
  • TA0002: Execution – running backdoors such as Sosano, built to evade detection.
  • TA0007: Discovery – reconnaissance with Cobalt Strike and other tools after initial compromise.
  • TA0008: Lateral Movement – use of backconnect malware to keep control of compromised networks.
  • TA0010: Exfiltration – targeted data theft using tools such as MScleanup64.exe and remote commands.

Indicators of Compromise:

  • [IP Address] 46[.]30[.]190[.]96
  • [Domain] indicelectronics[.]net
  • [URL] https://indicelectronics[.]net/or/1/OrderList[.]zip
  • [SHA-256] 0ad1251be48e25b7bc6f61b408e42838bf5336c1a68b0d60786b8610b82bd94c
  • [Email] admin_52351@brautomacao565[.]onmicrosoft[.]com
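The indicators above are published defanged (`[.]` in place of `.`), so they cannot be pasted straight into a blocklist or a log search. The following is an added example, not code from the digest or from RST Cloud: it refangs the five indicators listed above, classifies each by type, and sweeps a handful of constructed log lines (labelled as such in the code; they are not from the report) for hits. Domain indicators match on the host and any subdomain of it, URL indicators also contribute their host, and hash and email matches are case-insensitive.

```python
import re
from urllib.parse import urlparse

# The five indicators from the digest, copied verbatim in their defanged form.
DEFANGED_IOCS = [
    "46[.]30[.]190[.]96",
    "indicelectronics[.]net",
    "https://indicelectronics[.]net/or/1/OrderList[.]zip",
    "0ad1251be48e25b7bc6f61b408e42838bf5336c1a68b0d60786b8610b82bd94c",
    "admin_52351@brautomacao565[.]onmicrosoft[.]com",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Hostname/IP-shaped tokens inside a log line; ':' and '/' end a token, so
# "host:443" and "host/path" yield the bare host.
TOKEN_RE = re.compile(r"[a-z0-9.\-]+")


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions: [.] (.) -> . , [:] -> : , [@] -> @, hxxp -> http."""
    s = ioc.strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":").replace("[@]", "@")
    return re.sub(r"^hxxp", "http", s, flags=re.I)


def classify(ioc: str) -> str:
    """Return one of sha256, ipv4, url, email, domain, unknown for a refanged indicator."""
    if SHA256_RE.match(ioc):
        return "sha256"
    if IPV4_RE.match(ioc) and all(0 <= int(o) <= 255 for o in ioc.split(".")):
        return "ipv4"
    if "://" in ioc:          # checked before email: a URL may contain '@' in userinfo
        return "url"
    if EMAIL_RE.match(ioc):
        return "email"
    if DOMAIN_RE.match(ioc):
        return "domain"
    return "unknown"


def build_matchers(defanged):
    """Refang and bucket the indicators; URL indicators also add their host to the domain set."""
    hosts, ips, hashes, emails, urls = set(), set(), set(), set(), set()
    for raw in defanged:
        ioc = refang(raw)
        kind = classify(ioc)
        if kind == "sha256":
            hashes.add(ioc.lower())
        elif kind == "ipv4":
            ips.add(ioc)
        elif kind == "email":
            emails.add(ioc.lower())
        elif kind == "domain":
            hosts.add(ioc.lower())
        elif kind == "url":
            urls.add(ioc)
            hosts.add(urlparse(ioc).hostname.lower())
    return hosts, ips, hashes, emails, urls


MATCHERS = build_matchers(DEFANGED_IOCS)


def scan_line(line: str, matchers=MATCHERS):
    """Return a sorted, de-duplicated list of (kind, indicator) hits for one log line."""
    hosts, ips, hashes, emails, urls = matchers
    low = line.lower()  # hosts, hashes and emails are case-insensitive; URL paths are folded too
    hits = set()
    hits.update(("url", u) for u in urls if u.lower() in low)
    hits.update(("sha256", h) for h in hashes if h in low)
    hits.update(("email", e) for e in emails if e in low)
    for tok in TOKEN_RE.findall(low):
        if tok in ips:
            hits.add(("ipv4", tok))
        for h in hosts:
            if tok == h or tok.endswith("." + h):   # the host itself or any subdomain of it
                hits.add(("domain", h))
    return sorted(hits)


def scan_logs(lines, matchers=MATCHERS):
    """Map line index -> hits, for lines that hit at least one indicator."""
    out = {}
    for i, line in enumerate(lines):
        hits = scan_line(line, matchers)
        if hits:
            out[i] = hits
    return out


# Constructed sample log lines for this example; they are not taken from the report.
SAMPLE_LOGS = [
    "2025-03-04T09:12:41Z proxy GET https://indicelectronics.net/or/1/OrderList.zip user=jdoe status=200",
    "2025-03-04T09:13:02Z fw ALLOW 10.0.0.21:51832 -> 46.30.190.96:443 tcp",
    "2025-03-04T09:15:17Z edr file_create C:\\Users\\jdoe\\Downloads\\OrderList.zip "
    "sha256=0AD1251BE48E25B7BC6F61B408E42838BF5336C1A68B0D60786B8610B82BD94C",
    '2025-03-04T09:20:00Z mail from=admin_52351@brautomacao565.onmicrosoft.com subject="Order List"',
    "2025-03-04T09:21:33Z proxy GET https://example.com/index.html user=asmith status=200",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {idx}: {hits}")
```

Note the caveats the matcher deliberately leaves to the analyst: the sender address lives under `onmicrosoft.com`, a shared Microsoft 365 tenant suffix, so only the full mailbox address is matched, never the parent domain; and a hit on `indicelectronics.net` alone may be legitimate traffic to a compromised but otherwise real business, so it should be triaged together with the URL and hash hits rather than blocked outright.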


Full Story: https://medium.com/@rst_cloud/rst-ti-report-digest-10-mar-2025-55d66eb2b87e?source=rss——cybersecurity-5