This week’s cyber intelligence report illustrates a dangerous uptick in big-game hunting and ransomware attacks against various industries worldwide, as well as the continued transformation of the most common widespread malware payloads. Security researchers have detected a significant movement of ransomware groups with advanced evasion tactics aiming for data exfiltration and double extortion.
At the same time, the malware space is characterized by soaring availability of powerful Remote Access Trojans (RATs) and the exploitation of fresh vulnerabilities.
Ransomware in the Spotlight – RedFox Recovers with Evasive Techniques
This week a new type of ransomware, named RedFox, has been discovered. RedFox demonstrates sophisticated anti-analysis protections, employing long sleep periods to avoid being detected by security tools.
It also uses WMI (Windows Management Instrumentation) to carry out potentially malicious activities, and runs commands and manipulate the system unnoticed.
The ransomware also asks to be contacted within 12 hours for an alleged reduction in the ransom, and in addition to the encryption, the threat actors behind the ransomware said they will leak sensitive data, such as financial documents and employee information, if the ransom is not paid.
Analysts anticipate that RedFox is likely to further develop with improved evasion and persistence tactics, thereby remaining a worrisome and long-term threat to organizations whose infrastructure is built on Windows machines.
Malware Trends: PureRAT Makes a Comeback, Good Intentions With a Dose of AI
PureRAT, the infamous Remote Access Trojan, has resurfaced in a spate of attacks – this time targeting Russian companies. Characterized as a Malware-as-a-Service (MaaS) model, this malware disburses further evidence of the emerging danger of commoditized and rapidly scalable means to compromise systems.
Attackers are mainly spreading PureRAT via spam emails carrying malicious attachments disguised as legitimate documents, in some cases having double extensions to prevent from being detected by victims at first sight. Upon execution, PureRAT creates long-lasting remote access that can be used to steal data and carry out other malicious tasks.
In bad news today, scientists found a new trend where “bad actors” are using the concept of Artificial Intelligence (AI) to deliver malware. Newly discovered destructive malware dubbed “Numero” is being delivered by fake installers of fake AI software, such as the “CyberLock” variant, to install ransomware on victim systems.
These malvertisers are usually hosted on seemingly legitimate-looking sites that rank in the first few search hits of a search engine, targeting unsuspecting users looking for free AI tools. This approach emphasizes the need to adhere to the origin of everything you download to your computers, especially in the field of AI apps which is booming.
Critical Weaknesses and Exploits
There were also warnings this week of insecure default configurations in kubernetes deployments, leaving personal data open to access.
Also, attackers are actively targeting disclosed vulnerabilities like CVE-2024-7399 of Samsung MagicINFO to distribute botnet flavors, it added. Such incidents highlight the importance of strong configuration management, as well as the timely patching of software holes on all systems.
Outlook and Recommendations
The overall threat environment requires an increased level of vigilance and protectiveness. Companies should conduct awareness training with staff on what to look for in phishing, and the dangers of downloading software from unknown locations.
Implementing robust endpoint detection and response (EDR) controls, a current patching pulse, and frequently auditing and hardening system configurations are key marching orders to combat the ever-changing exceptions to ransomware and malware. The ongoing monitoring system of user operation and network traffic will remain the key for the early detection of malicious behaviors.
