Sneaky Azorult Stealer returns in a new campaign

Azorult malware, first identified in 2016, has resurfaced in a new campaign, maintaining its role as a potent information-stealing threat. This malware specializes in harvesting a range of data from victims, including browsing history, cookies, login credentials, and cryptocurrency details. Recent discoveries reveal multiple link samples actively distributing Azorult, indicating a concerted effort to target unsuspecting users.

In its latest iteration, Azorult initiates its attack via a zip file that contains a malicious shortcut file disguised as a PDF document. This file harbors an obfuscated PowerShell script, which, in turn, drops and executes a batch file using the task scheduler. The attack progresses with the download of an additional loader from a remote server, followed by shellcode injection and loader execution. The final stage involves another PowerShell script that culminates in the execution of the Azorult malware. Remarkably, the entire process, from the downloading of the loader to the execution of the final payload, is designed to occur entirely in memory, thereby eluding conventional detection methods.

Read CRIL’s full analysis of this campaign here.

GitLab releases security fixes for two vulnerabilities impacting multiple versions

A critical vulnerability, identified as CVE-2023-7028, has recently been discovered in GitLab, affecting both its Community Edition (CE) and Enterprise Edition (EE). Released on January 11, 2024, the security update addresses this severe issue, which impacts multiple versions of GitLab CE/EE. This vulnerability is particularly alarming as it allows threat actors to manipulate the user account password reset process, enabling them to redirect password reset emails to an email address of their choosing.

Exploitation of this vulnerability could lead to unauthorized account takeovers without any user interaction. The root of this security flaw lies in a bug within the email verification process. A significant aspect of this vulnerability is that it affects various versions of self-managed GitLab instances. Alarmingly, all authentication mechanisms in these versions are susceptible to the exploit. However, for users with two-factor authentication enabled, while their passwords can be reset, complete account takeover is mitigated since the second authentication factor is still required for login. This distinction highlights the additional security layer provided by two-factor authentication, even in the face of critical vulnerabilities.
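As an added illustration of the flaw class described above (this is a constructed toy written for this page, not GitLab's code and not a reconstruction of the actual CVE-2023-7028 patch), the snippet below places a password-reset flow that mails the link to whatever address the requester supplies beside one that resolves the account from its verified address and mails only that address. It also shows why a reset alone does not defeat two-factor authentication: the reset changes the password but never clears the second factor. The account records, the `VALID_TOTP_CODES` stand-in for real TOTP verification, and the in-memory `OUTBOX` mailer are all assumptions made for the example.

```python
"""Password-reset flaw class: requester-chosen recipients vs. the account's verified
address, with 2FA kept in force. Constructed toy; not GitLab's code."""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    verified_email: str
    totp_enabled: bool = False


# Constructed accounts and stores; in a real service these are database tables.
ACCOUNTS = {
    "alice": Account("alice", "alice@example.com"),
    "bob": Account("bob", "bob@example.com", totp_enabled=True),
}
PASSWORDS = {"alice": "old-password", "bob": "bob-password"}  # stand-in for a password-hash store
TOKENS = {}   # reset token -> username (single use)
OUTBOX = []   # (recipient, token) pairs the mailer "sent", kept so callers can inspect them
VALID_TOTP_CODES = {"bob": "123456"}  # constructed stand-in for real TOTP verification


def _issue_token(username):
    token = secrets.token_urlsafe(32)
    TOKENS[token] = username
    return token


def reset_vulnerable(username, requested_emails):
    """Flaw class: the reset mail goes to addresses the requester chose, so anyone who
    knows a username can have a valid token delivered to an address they control."""
    if username not in ACCOUNTS:
        return None
    token = _issue_token(username)
    for addr in requested_emails:
        OUTBOX.append((addr, token))
    return token


def reset_hardened(requested_email):
    """Fix: resolve the account from its verified address and mail only that address.
    The HTTP response shown to the requester must be identical whether or not the
    address exists (to avoid account enumeration); only the internal return differs."""
    wanted = requested_email.strip().lower()
    acct = next((a for a in ACCOUNTS.values() if a.verified_email.lower() == wanted), None)
    if acct is None:
        return None
    token = _issue_token(acct.username)
    OUTBOX.append((acct.verified_email, token))
    return token


def recipients_for(token):
    """Addresses a given token was mailed to (inspection helper for the toy mailer)."""
    return [addr for addr, t in OUTBOX if t == token]


def complete_reset(token, new_password):
    """Consume the token exactly once and set the new password."""
    username = TOKENS.pop(token, None)
    if username is None:
        return False
    PASSWORDS[username] = new_password
    return True


def login(username, password, totp_code=None):
    """A reset changes the password but never clears the second factor, which is why an
    account with 2FA enabled is not fully taken over by a reset alone."""
    acct = ACCOUNTS.get(username)
    if acct is None or PASSWORDS.get(username) != password:  # plain compare: toy store, not hashes
        return False
    if acct.totp_enabled and totp_code != VALID_TOTP_CODES.get(username):
        return False
    return True


if __name__ == "__main__":
    t = reset_hardened("alice@example.com")
    print("hardened reset mailed to:", recipients_for(t))
    t = reset_vulnerable("alice", ["alice@example.com", "other@example.net"])
    print("vulnerable reset mailed to:", recipients_for(t))
```

The design point is that the reset endpoint should accept an address only as a lookup key, never as a delivery target: the recipient is always read back from the account record. Token expiry and rate limiting are omitted here for brevity but belong in any real implementation.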

Read CRIL’s detailed breakdown of this vulnerability here.

Go-based infostealer used to carry out a cyberespionage campaign against the Indian Air Force

Cyble Research and Intelligence Labs (CRIL) has identified a new variant of Go Stealer malware, which appears to be strategically targeting the Indian Air Force. The malware is cleverly distributed via a ZIP file named “SU-30_Aircraft_Procurement,” hosted on Oshi, an anonymous file storage platform. This tactic exploits the Indian Defense Ministry’s recent approval in September 2023 for the procurement of 12 Su-30 MKI fighter jets, part of India’s defense modernization efforts, thereby aiming at Indian Air Force professionals.

The infection process is sophisticated, beginning with the zip file and progressing through an ISO file to a .lnk file, which ultimately deploys the stealer payload. This particular variant of Go Stealer, originally found on GitHub, has been modified to include advanced features. It now targets more browsers and utilizes Slack for data exfiltration. Distinctively, this stealer focuses on harvesting login credentials and cookies specifically from four browsers, unlike other stealers that target a broader range of applications. At this stage, attributing this cyberattack campaign to a specific Threat Actor (TA) or group remains challenging due to the scarcity of available information. This development underscores the evolving nature of cyber threats and the need for heightened cybersecurity vigilance, especially in sensitive sectors like defense.
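The two delivery chains summarised in this issue, the Azorult shortcut-to-PowerShell-to-scheduled-task chain above and the Go Stealer ISO-to-.lnk chain with Slack exfiltration in this section, both leave a recognisable process lineage even when the later stages run only in memory. The following added example (written for this page, not code from CRIL or from either malware analysis) runs two detection rules over a handful of constructed Sysmon-style process-creation and network-connection events; the event field names, pids, paths and the `-enc` placeholder are all assumptions made for the sample, not real telemetry.

```python
"""Detection rules for the two delivery chains summarised in this newsletter, run over
constructed Sysmon-style process and network events (sample data, not real telemetry)."""
from collections import defaultdict

# Constructed sample telemetry. Field names are an assumption loosely modelled on
# Sysmon event ID 1 (process creation) and event ID 3 (network connection).
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Chain 1 (Azorult-style): a shortcut posing as a PDF starts obfuscated PowerShell,
    # which registers a batch file through the task scheduler.
    {"pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc PLACEHOLDERBASE64=="},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn Updater /tr "C:\Users\u\AppData\Local\Temp\run.bat" /sc minute /mo 1'},
    # Chain 2 (Go Stealer-style): a payload run via a .lnk from a mounted ISO (drive E:),
    # launched by Explorer, that later talks to Slack.
    {"pid": 300, "ppid": 100, "image": r"E:\document.exe", "cmdline": "document.exe"},
    # Benign: the real Slack client, installed on the system drive.
    {"pid": 400, "ppid": 100, "image": r"C:\Program Files\Slack\slack.exe", "cmdline": "slack.exe"},
]
NETWORK_EVENTS = [
    {"pid": 300, "dest_host": "hooks.slack.com", "dest_port": 443},
    {"pid": 400, "dest_host": "slack.com", "dest_port": 443},
]

ENCODED_FLAGS = ("-enc ", "-encodedcommand ", "-e ", "-ec ")
SYSTEM_DRIVE = "c:"
SLACK_DOMAINS = ("slack.com",)  # matches slack.com and any subdomain


def _children(events):
    kids = defaultdict(list)
    for e in events:
        kids[e["ppid"]].append(e)
    return kids


def _image_is(event, name):
    return event["image"].lower().endswith("\\" + name)


def detect_encoded_powershell_schtasks(proc_events):
    """Rule 1: encoded PowerShell that spawns 'schtasks /create' pointing at a .bat file.
    Returns (powershell_pid, schtasks_pid) pairs."""
    kids = _children(proc_events)
    hits = []
    for e in proc_events:
        if not _image_is(e, "powershell.exe"):
            continue
        cmd = e["cmdline"].lower()
        if not any(flag in cmd for flag in ENCODED_FLAGS):
            continue
        for child in kids[e["pid"]]:
            ccmd = child["cmdline"].lower()
            if _image_is(child, "schtasks.exe") and "/create" in ccmd and ".bat" in ccmd:
                hits.append((e["pid"], child["pid"]))
    return hits


def _is_slack(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SLACK_DOMAINS)


def detect_offdrive_process_to_slack(proc_events, net_events):
    """Rule 2: a process launched by Explorer from a non-system drive (where a mounted ISO
    shows up) that connects to Slack. Returns the offending pids."""
    by_pid = {e["pid"]: e for e in proc_events}
    hits = []
    for n in net_events:
        proc = by_pid.get(n["pid"])
        if proc is None or not _is_slack(n["dest_host"]):
            continue
        parent = by_pid.get(proc["ppid"])
        from_explorer = parent is not None and _image_is(parent, "explorer.exe")
        if from_explorer and proc["image"][:2].lower() != SYSTEM_DRIVE:
            hits.append(proc["pid"])
    return hits


def run_rules(proc_events=PROCESS_EVENTS, net_events=NETWORK_EVENTS):
    """Run both rules and return their hits keyed by rule name."""
    return {
        "encoded_powershell_schtasks": detect_encoded_powershell_schtasks(proc_events),
        "offdrive_process_to_slack": detect_offdrive_process_to_slack(proc_events, net_events),
    }


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        print(f"{rule}: {hits or 'no hits'}")
```

Both rules are lineage heuristics rather than signatures: rule 1 keys on the parent-child relationship and command lines because the later stages never touch disk, and rule 2 will also fire for legitimate software run from a USB stick, so in production it should be correlated with the operating system's disk-image mount events and with an allowlist of sanctioned Slack clients.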

CRIL has analyzed this campaign in detail.

Sign up today for an exclusive webinar featuring Dipesh Kaura, a distinguished expert in cyber threat intelligence. Dive deep into the cyber threat landscape of 2024, with a focus on India and SAARC. Attendees will gain a comprehensive understanding of emerging threats, cutting-edge cyber threat intelligence tools, and the most effective strategies for risk mitigation.

This webinar offers a unique opportunity for interactive engagement with Dipesh during the Q&A session. It’s a must-attend event for IT leaders, cybersecurity professionals, technology policymakers, and anyone with a keen interest in the nuances of cyber threats in the Indian and South Asian context.

Reserve your place now.

Dawnofdevil Hacker Group Resurfaces, Putting Indian Entities on High Alert

The resurgence of the hacker group “dawnofdevil” has put Indian entities on high alert. This group, which is primarily active on BreachForums, has escalated its operations by compromising the Income Tax Department of India and breaching data from the popular Internet Service Provider (ISP) Hathway, affecting millions of users. An individual operating under the pseudonym ‘dawnofdevil’ claims to have gained unauthorized access to an email account on the incometax.gov.in domain, potentially enabling registrations on various Indian government websites.

The ramifications of this breach are staggering, raising concerns about the confidentiality and integrity of sensitive information within the Indian Income Tax Department. The group responsible is seeking buyers for the compromised email accesses, currently priced at US$500. In a separate incident, dawnofdevil announced the successful hacking of Hathway on December 22, 2023, claiming to possess the Personally Identifiable Information (PII) of 41.5 million customers, including sensitive details and over 4 million KYC documents. This data, alongside MySQL and Oracle database access, is being sold for US$10,000. Dawnofdevil has also set up a Tor site for data searches using mobile numbers and email addresses, highlighting the critical need for robust cybersecurity measures in Indian organizations and the urgent need for investigations into these breaches.

Read The Cyber Express’ extensive coverage on this here.

The post Cyble Chronicles – January 18: Latest Findings & Recommendations for the Cybersecurity Community appeared first on Cyble.