Security Affairs Malware Update #51

Here is a look at some of the significant malware activity observed recently, highlighting persistent threats and emerging tools.

The persistent Andariel subgroup, linked to the notorious Lazarus Group, remains highly active, particularly targeting entities in South Korea. Researchers have detailed its use of new and updated custom malware strains, among them EarlyRat, a backdoor written in the Go programming language, and MagicRat, a remote access trojan developed in C++. The group continues to employ multi-stage infection chains, often leveraging known vulnerabilities or spear-phishing to gain initial access, demonstrating a clear intent to compromise government and critical infrastructure targets. Researchers also note Nuklir as another tool in its arsenal.

Akira Ransomware continues its disruptive campaigns. Affiliates are reportedly utilizing remnants of the leaked LockBit 2.0 builder to facilitate their operations. A common initial vector for Akira attacks involves exploiting vulnerabilities in Cisco VPNs, allowing attackers to gain a foothold inside target networks before deploying the ransomware. This underscores the critical importance of patching network infrastructure devices promptly.

Elsewhere in the ransomware landscape, Rhysida Ransomware has been implicated in several high-profile incidents, including attacks against healthcare organizations. Like many modern ransomware groups, Rhysida employs double extortion tactics, not only encrypting data but also threatening to leak stolen information if the ransom is not paid.

Despite past disruptions, the resilient QakBot botnet shows signs of resurgence. Though major infrastructure takedowns have occurred, researchers are observing renewed distribution efforts, suggesting threat actors are adapting their methods, potentially relying on new phishing templates or malvertising redirectors to rebuild its presence. QakBot remains a significant threat as a loader for other malicious payloads.

A notable loader making the rounds is NewLoader, also identified as ChordRAT. This malware serves as a distributor for various payloads, including information stealers such as Meduza Stealer. Its distribution often relies on malicious advertising campaigns or compromised websites that redirect users to download the malware, creating a risk of diverse follow-on infections.

BianLian Ransomware has shown an interesting evolution in its tactics. While originally a standard encryptor, recent observations indicate a shift towards prioritizing pure data extortion. In some cases, they may skip the encryption phase entirely, focusing solely on stealing sensitive data and threatening its public release to coerce victims into paying a ransom.

Other active threats include MortalKombat Ransomware, which continues to be deployed in various regions and is notable for its use of XOR encryption, and the widely available commercial tool Remcos RAT. Remcos remains a favorite among cybercriminals for its robust remote access and control capabilities and is used in a wide range of malicious activities, from surveillance to data theft.

Staying vigilant and implementing strong security practices, including regular patching, employee training on phishing awareness, and robust endpoint protection, remains crucial in defending against this dynamic threat landscape.

Source: https://securityaffairs.com/179429/breaking-news/security-affairs-malware-newsletter-round-51.html