This report highlights various cyber threats analyzed over a week, focusing on specific malware, threat actors, and vulnerabilities affecting various sectors. Key threats include targeted malware attacks, vulnerability exploits in popular software, and phishing campaigns. The report emphasizes ongoing cybersecurity challenges and evolving tactics among threat actors. Affected: Southeast Asia, cryptocurrency sector, military personnel, journalists, government agencies
Keypoints :
- Stately Taurus group employs PubLoad and Bookworm malware targeting Southeast Asian organizations.
- The Zhong Stealer malware targets the cryptocurrency and fintech sectors via sophisticated phishing strategies.
- Increased targeting of Signal Messenger accounts by Russian state-aligned actors amidst military conflicts.
- Trimble Cityworks vulnerability (CVE-2025-0994) allows remote code execution on IIS servers with critical infrastructure risks.
- LightSpy malware expands capabilities to extract data from social media platforms.
- SecTopRAT malware is distributed through counterfeit Google Chrome installers.
- Weak passwords exploited in the SafePay ransomware attack, leading to extensive file encryption.
- PKT Classic and Monero mining operations exploit SQL Server vulnerabilities for unauthorized mining.
- Angry Likho APT group resurfaces with updated tactics and tools targeting Russian organizations.
- Shadowpad malware evolves into ransomware, exploiting weak security measures across multiple organizations.
MITRE Techniques :
- Execution (T1203): Utilization of malicious documents to execute malware in the Stately Taurus attack.
- Persistence (T1547): Use of modified Windows registry keys and scheduled tasks in the Zhong Stealer campaign.
- Credential Dumping (T1003): Exploitation of weak passwords during the SafePay ransomware incident.
- Data Exfiltration (T1041): Usage of non-standard ports for exfiltrating data by Zhong Stealer.
- Privilege Escalation (T1068): Gaining higher privileges via remote code execution status via CVE-2025-0994.
- Communication Through Removable Media (T1200): Involvement of USB storage in spreading LightSpy malware.
- Resource Hijacking (T1496): PKT mining using SQL Server vulnerabilities for cryptocurrency without consent.
- Remote Access (T1219): Use of SecTopRAT for remote access through disguised Chrome installations.
- Network Credential Dumping (T1003.001): SafePay attackers utilized domain administrator access.
Indicator of Compromise :
- [IP Address] 123[.]253[.]32[.]15
- [Domain] www[.]fjke5oe[.]com
- [URL] http://download[.]microsoft[.]com/v11/2/windowsupdate/redir/v6-win7sp1-wuredir[.]cab
- [Hash] sha256=2a00d95b658e11ca71a8de532999dd33ddee7f80432653427eaa885b611ddd87
- [Email] zhongmaziil992@outlook[.]com
Full Story: https://medium.com/@rst_cloud/rst-ti-report-digest-24-feb-2025-149303d09098?source=rss——cybersecurity-5