Between 20 and 27 May 2022, RiskIQ detected 299 Magecart and skimmer injected URLs, and detected 76 unique C2 domains used by known Magecart threat actors. Note that many of these URLs are legitimate, compromised websites: the full URL should be considered, and the domain itself is not necessarily malicious. Also note that, when establishing current maliciousness, some C2 domains may themselves be compromised legitimate domains. See RiskIQ’s most recent reporting on Magecart in the references.
RiskIQ: Files with Image Extensions Hosted on Discord’s CDN Drop Smoke Loader

RiskIQ reviewed malicious files hosted on Discord’s Content Delivery Network that ended in various image file extensions (.jpeg, .jpg, .bmp, .png, and .gif). We keyed in on a few samples that used URL shortening services to forward to the Discord URL hosting the image file. One set of activity noted was five different image files that all loaded the same executable, which was identified as Smoke Loader. No detailed analysis has been conducted on the Smoke Loader file, but according to the Hybrid Analysis Sandbox, the Smoke Loader file reads terminal-service related keys: “TSUSERENABLED” and “TSAPPCOMPAT”. The file was also packed with “Safeguard v1.03 -> Simonzh”.
Python Package ‘pykafka’ TypoSquatting Attack Targets macOS & Linux

Researchers from Sonatype reported on a supply chain attack via a malicious Python package, ‘pymafka’, that was uploaded to the popular PyPI registry. The package attempted to infect users by means of typosquatting: hoping that victims looking for the legitimate ‘pykafka’ package might mistype the query and download the malware instead. Depending on whether the victim is running Windows, macOS, or Linux, an appropriate malicious trojan is downloaded and executed on the infected system. The trojan dropped in this attack is a Cobalt Strike (CS) beacon.
MetaStealer New Information Stealer Variant

MetaStealer is a new information stealer variant designed to fill the void following Raccoon stealer suspending operations in March of this year. Israeli intelligence firm Kela first identified its emergence on underground marketplaces. Significant findings include:
– Heavy reliance on open-source libraries
– Microsoft Defender bypass
– Scheduled task persistence
– Password stealer
– Keylogger
– Hidden VNC server
It is currently seen distributed via phishing, as Excel attachments. Early in execution, a PowerShell command adds an exclusion rule to Microsoft Defender, effectively turning off scanning of files with the ‘.exe’ extension. This decreases the chances of the main payload being detected, as well as any subsequent payloads that may be delivered to the target host post infection. To maintain persistence, a scheduled task is created to trigger at user login, ensuring the malware remains across reboots.
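The two host-level behaviours described for MetaStealer (a Defender exclusion covering ‘.exe’ and a scheduled task that fires at logon) are both visible from an elevated PowerShell session. The following audit script is an added example, not code from Kela or from the original report; the list of “trusted” install directories used to filter scheduled-task actions is an assumption and should be tuned per environment.

```powershell
# Added example: audit a Windows host for the MetaStealer behaviours described above.
# Run in an elevated PowerShell session; uses only the built-in Defender and ScheduledTasks modules.

function Get-SuspiciousDefenderExclusions {
    $pref = Get-MpPreference
    # Defender may store an extension exclusion with or without the leading dot, so normalise before comparing.
    $exeExclusions = @($pref.ExclusionExtension) | Where-Object { $_ -and ($_.TrimStart('.') -ieq 'exe') }
    [pscustomobject]@{
        ExeExtensionExcluded = [bool]$exeExclusions        # the specific MetaStealer indicator
        ExtensionExclusions  = @($pref.ExclusionExtension) # full context for the analyst
        PathExclusions       = @($pref.ExclusionPath)
        ProcessExclusions    = @($pref.ExclusionProcess)
    }
}

function Get-UntrustedLogonTasks {
    # Assumed allowlist: binaries launched from these roots are treated as expected (tune per environment).
    $trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        # Keep only tasks with at least one logon trigger, the persistence mechanism noted in the report.
        $logonTriggers = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
        if ($logonTriggers.Count -eq 0) { continue }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip COM-handler actions, which have no Execute path
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $isTrusted = $trustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not $isTrusted) {
                [pscustomobject]@{
                    Task      = "$($task.TaskPath)$($task.TaskName)"
                    Execute   = $exe
                    Arguments = $action.Arguments
                    Author    = $task.Author
                }
            }
        }
    }
}

$exclusions = Get-SuspiciousDefenderExclusions
if ($exclusions.ExeExtensionExcluded) {
    Write-Warning "Defender is excluding '.exe' files from scanning; review who added this exclusion."
}
$exclusions | Format-List
Write-Output "Logon-triggered scheduled tasks running outside trusted directories:"
Get-UntrustedLogonTasks | Format-Table -AutoSize
```

A hit on either check is a lead, not a verdict: legitimate software occasionally adds Defender exclusions or logon tasks, so corroborate with the recent Excel attachment activity the report describes before acting.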