#CybercrimeTactics
osintelligence · 1 year
https://bit.ly/3qXad6I - 🌐 Cybersecurity firm Bitdefender has conducted an extensive investigation into a targeted cyber attack against East-Asian infrastructure, uncovering the workings of a sophisticated, presumably custom malware dubbed the Logutil backdoor. This operation reportedly ran for over a year, aiming to compromise credentials and exfiltrate data. #Cybersecurity #Bitdefender #LogutilBackdoor

🕵️‍♀️ The operation, traced back to early 2022, leveraged multiple tools to achieve its nefarious ends, Logutil being the primary one. Notably, AsyncRat was used during the initial stages of infection. The investigation suggests that CobaltStrike was part of the attackers' arsenal too. The victim of this operation was a company operating in the Technology/IT Services industry in East Asia. #CyberAttack #AsyncRat #CobaltStrike

💾 Modern cybercrime syndicates are increasingly leveraging legitimate components to perpetrate their attacks. For instance, DLL hijacking and misuse of legitimate scheduled tasks and services are commonly employed tactics. Notably, state-affiliated actors such as the APT29 group have used this strategy effectively, substituting a binary responsible for updating Adobe Reader with a malicious component, thus achieving persistence. #CybercrimeTactics #APT29 #AdobeReader

📍 These stealthy tactics were evident in the recent incident as well. The perpetrators deployed malware in locations less likely to be suspected of hosting such threats and more likely to be excluded from the security systems' scrutiny. #MalwareDeployment #CybersecurityChallenge

🔐 In this attack, the actors demonstrated capabilities of collecting credentials from various applications, including MobaXterm, mRemoteNG, KeePass, and even Chrome passwords and history. They also attempted data exfiltration from MySQL servers by accessing server process memory, and made attempts to dump LSASS memory. #DataExfiltration #CredentialTheft

🔁 The investigation also found that the attackers could infect other systems if an RDP session was established with the infected system, by placing malicious components in \tsclient\c\ subfolders if the tsclient share was enabled. This highlights the extent of the attack's complexity and potential for propagation.
osintelligence · 7 months
https://bit.ly/47f9rS9 - 🔒 Cybercriminals are exploiting macro-enabled Excel add-in (XLL) files, with .xlam files now ranking as the 7th most commonly abused extension in Q3 2023. A significant rise from the 42nd position in Q2, this trend signals an increased focus on XLL attacks, despite a previous decline in early 2023. #Cybersecurity #XLLThreat

🚀 XLL files, offering enhanced capabilities over alternatives like VBA macros, are being used more effectively by attackers due to features like multithreading support. Notably, malware developers such as Dridex and Formbook have previously adopted XLL files. The increased functionality of XLLs makes them a potent tool for cyberattacks. #MalwareDevelopment #TechSecurity

📊 After Microsoft’s default block on VBA macros, attackers shifted focus, experimenting with different file types for malware attacks. Microsoft Office documents, often perceived as safe, are increasingly being used as mediums for malware distribution. #MicrosoftSecurity #OfficeSafety

📁 After the VBA macro block, .LNK files and OneNote file experimentation, along with ISO and RAR attachments, surfaced as alternatives. The resurgence of XLL file use, despite Microsoft’s default block on XLL attachments from untrusted locations, is particularly noteworthy. #FileSecurity #CyberAttackTrends

🛡️ Attackers have successfully bypassed XLL blocks, as demonstrated in a remote access trojan (RAT) campaign using XLL attachments disguised as scanned invoices. The multithreading capability of add-ins was exploited to deploy payloads and increase the perceived legitimacy of the file. #RATAttack #CyberDefense

💼 The Parallax RAT, available for purchase, offers attackers remote control access, data exfiltration, and credential theft. Similar tactics were used in a campaign targeting LATAM hotels, installing XWorm RAT via PowerPoint add-in files. XWorm’s capabilities extend to keylogging and clipboard hijacking. #DataTheft #CybercrimeTactics

🌎 Separate XWorm attacks, targeting various industries in the US, Republic of Korea, and Germany, utilized malicious URLs embedded in .pdf, .docx, and .rtf formats. These evolving techniques highlight the need for continuous vigilance and adaptive security measures.