20 Oct 23
Cyber Threat Roundup
A collection of recent open-source items of interest to the Defense Industrial Base
|
|
BlackCat Ransomware Uses New ‘Munchkin’ Linux VM in Stealthy Attacks
The BlackCat/ALPHV ransomware operation has begun using a new tool named 'Munchkin', a Linux virtual machine that is loaded onto a compromised host so the encryptor can be deployed across the network stealthily. Munchkin lets BlackCat run its encryptor against remote systems or encrypt remote Server Message Block (SMB) and Common Internet File System (CIFS) network shares from inside the guest, keeping the malicious code away from security software running on the host. The addition of Munchkin to BlackCat's already extensive and advanced arsenal makes the RaaS more attractive to cybercriminals seeking to become ransomware affiliates.
https://www.bleepingcomputer.com/news/security/blackcat-ransomware-uses-new-munchkin-linux-vm-in-stealthy-attacks/
|
|
Fake Corsair Job Offers on LinkedIn Push DarkGate Malware
A threat actor is using fake LinkedIn posts and direct messages about a Facebook Ads specialist position at hardware maker Corsair to lure people into downloading info-stealing malware such as DarkGate and RedLine. Cybersecurity company WithSecure detected and tracked the activity and reported that the group is linked to the Vietnamese cybercriminal groups behind the 'Ducktail' campaigns first spotted last year. These campaigns aim to hijack valuable Facebook Business accounts, which are then used for malvertising or sold to other cybercriminals.
https://www.bleepingcomputer.com/news/security/fake-corsair-job-offers-on-linkedin-push-darkgate-malware/
|
|
ExelaStealer: A New Low-Cost Cybercrime Weapon Emerges
A new information stealer named ExelaStealer is the latest entrant to an already crowded landscape of off-the-shelf malware designed to capture sensitive data from compromised Windows systems. Written in Python, with support for JavaScript, it comes fitted with capabilities to siphon passwords, Discord tokens, credit card details, cookies and session data, keystrokes, screenshots, and clipboard content.
https://thehackernews.com/2023/10/exelastealer-new-low-cost-cybercrime.html
|
|
Over 40,000 Cisco IOS XE Devices Infected with Backdoor Using Zero-Day
More than 40,000 Cisco devices running the IOS XE operating system have been compromised after attackers exploited a recently disclosed maximum-severity vulnerability in the web UI feature, tracked as CVE-2023-20198, to install a backdoor implant. At the time of this report there was no patch or workaround; Cisco's only recommendation for securing the devices was to "disable the HTTP Server feature on all internet-facing systems." Networking gear running Cisco IOS XE includes enterprise switches, industrial routers, access points, wireless controllers, and aggregation and branch routers.
https://www.bleepingcomputer.com/news/security/over-40-000-cisco-ios-xe-devices-infected-with-backdoor-using-zero-day/
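Because the only mitigation offered was to turn off the HTTP server, a quick way to triage a fleet is to audit backed-up running-configs for the lines that control that feature. The script below is an added example (not from the article or from Cisco): it parses the `ip http server` / `ip http secure-server` / `ip http access-class` lines out of a config text and reports whether the web UI is listening without an access restriction. The three config excerpts are constructed for the example; the remediation lines it emits are the standard IOS commands for disabling the feature.

```python
import re

# Constructed 'show running-config' excerpts (not real device output).
EXPOSED_CONFIG = """\
hostname edge-rtr-1
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet1
 ip address 203.0.113.10 255.255.255.0
!
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
!
no ip http server
no ip http secure-server
!
"""

RESTRICTED_CONFIG = """\
hostname core-sw-1
!
ip access-list standard MGMT-ONLY
 permit 10.0.0.0 0.0.0.255
!
ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
"""

# 'ip http server' enables the listener; a leading 'no ' disables it.
HTTP_RE = re.compile(r"^(no )?ip http (server|secure-server)$")
# Older IOS uses a numbered ACL, IOS XE uses 'ipv4 <name>'; accept both.
ACL_RE = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)$")


def audit_http_server(config: str) -> dict:
    """Parse the web-UI related lines of an IOS XE running-config.

    Returns a dict with:
      http / https : True if enabled, False if explicitly disabled, None if
                     the line is absent (the platform default then applies,
                     so verify on the device itself).
      access_class : ACL limiting web-UI clients, or None.
      exposed      : True when a listener is enabled with no ACL.
      remediation  : config lines that implement "disable the HTTP Server".
    """
    state = {"http": None, "https": None, "access_class": None}
    for raw in config.splitlines():
        line = raw.strip()
        m = HTTP_RE.match(line)
        if m:
            key = "http" if m.group(2) == "server" else "https"
            state[key] = m.group(1) is None   # no 'no ' prefix -> enabled
            continue
        m = ACL_RE.match(line)
        if m:
            state["access_class"] = m.group(1)

    listening = bool(state["http"]) or bool(state["https"])
    state["exposed"] = listening and state["access_class"] is None
    state["remediation"] = []
    if state["http"]:
        state["remediation"].append("no ip http server")
    if state["https"]:
        state["remediation"].append("no ip http secure-server")
    return state


if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED_CONFIG),
                      ("hardened", HARDENED_CONFIG),
                      ("restricted", RESTRICTED_CONFIG)]:
        r = audit_http_server(cfg)
        print(f"{name:10s} exposed={r['exposed']} "
              f"acl={r['access_class']} fix={r['remediation']}")
```

An access-class reduces exposure but does not remove the vulnerability, so the script still lists the disable commands for any device whose web UI is listening; a config with neither line should be checked on the box, since the platform default decides whether the listener is up.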
|
|
Hamas Application Infrastructure Reveals Possible Overlap With TAG-63 and Iranian Threat Activity
Recorded Future's research group, Insikt Group, has identified an application disseminated on a Telegram channel used by members and supporters of the Hamas terrorist organization. The application is configured to communicate with the website of Hamas's Izz ad-Din al-Qassam Brigades. Infrastructure analysis of that website led to the identification of a cluster of domains that mimic the domain registration tradecraft of TAG-63 (AridViper, APT-C-23, Desert Falcon), a cyber group that Insikt Group believes operates at the behest of the Hamas terrorist organization.
https://www.recordedfuture.com/hamas-application-infrastructure-reveals-possible-overlap-tag-63-iranian-threat-activity
|
|
Clever Malvertising Attack Uses Punycode to Look Like KeePass's Official Website
Threat actors routinely impersonate popular brands to trick users. In a recent malvertising campaign, Malwarebytes observed a malicious Google ad for KeePass, the open-source password manager, that was extremely deceptive. The attackers registered a copycat internationalized domain name: its ASCII form on the wire is Punycode (the encoding used for non-ASCII domain labels), while the Unicode form the user sees differs from the genuine KeePass domain by a single glyph. The difference is visually so subtle that it will undoubtedly fool many people. Malvertising via search engines is getting more sophisticated, so end users must pay close attention to where they download programs from. In a business environment, IT admins should provide internal repositories from which employees can retrieve software installers safely.
https://www.malwarebytes.com/blog/threat-intelligence/2023/10/clever-malvertising-attack-uses-punycode-to-look-like-legitimate-website
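The trick works because DNS sees an `xn--` Punycode label while the user sees its Unicode rendering. The following is an added example (not code from the Malwarebytes post) that converts between the two forms and flags a domain whose diacritic-stripped "skeleton" collides with a protected brand domain. The lookalike `ķeepass.info` (k with cedilla), the allowlist and the confusables map are constructed for the example; the map covers only a handful of Cyrillic and Greek look-alikes and is illustrative, not a complete confusables table.

```python
import unicodedata

# Constructed allowlist of brand domains to protect.
PROTECTED = {"keepass.info"}

# Partial map of cross-script look-alikes. NFKD removes diacritics but
# does not fold Cyrillic/Greek letters onto Latin ones, so those are
# mapped explicitly. Assumption: illustrative subset, not exhaustive.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u03bf": "o",  # Greek small omicron
}


def to_ascii(domain: str) -> str:
    """Wire form of a domain: non-ASCII labels become xn-- Punycode."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Display form of a domain: xn-- labels decoded back to Unicode."""
    return domain.encode("ascii").decode("idna")


def skeleton(domain: str) -> str:
    """Lowercase, strip combining marks, fold known confusables to Latin."""
    out = []
    for ch in unicodedata.normalize("NFKD", domain.lower()):
        if unicodedata.combining(ch):
            continue  # drops the cedilla from 'ķ', accents, etc.
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def homograph_check(domain: str) -> dict:
    """Flag a domain that is a non-ASCII look-alike of a protected name."""
    ascii_form = to_ascii(domain)
    is_idn = any(label.startswith("xn--") for label in ascii_form.split("."))
    skel = skeleton(domain)
    # An exact match to a protected domain is the genuine site, not a clone.
    lookalike_of = skel if (skel in PROTECTED and skel != domain.lower()) else None
    return {
        "input": domain,
        "ascii": ascii_form,
        "skeleton": skel,
        "idn": is_idn,
        "lookalike_of": lookalike_of,
    }


def flag_lookalikes(domains):
    """Return only the entries that resolve to a protected domain's skeleton."""
    return [r for r in map(homograph_check, domains) if r["lookalike_of"]]


if __name__ == "__main__":
    # Constructed candidates: genuine, Latin-diacritic clone, Cyrillic-'a' clone.
    candidates = ["keepass.info", "\u0137eepass.info", "keep\u0430ss.info"]
    for r in map(homograph_check, candidates):
        print(f"{r['input']:<16} wire={r['ascii']:<24} "
              f"idn={r['idn']} lookalike_of={r['lookalike_of']}")
```

For proxy or DNS logs, feed the observed hostnames through `flag_lookalikes`; for an `xn--` name pulled from a log, `to_unicode` shows what the victim saw. The skeleton comparison is deliberately strict (exact collision with an allowlisted domain) to keep false positives down; a fuzzier edit-distance match would catch typosquats as well but needs tuning.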