APT37 deploys RokRAT in campaign targeting North Korea experts

SISA Weekly Threat Watch, 05 February 2024

This week's threats span the software supply chain, state-sponsored espionage, cloud infrastructure, ransomware and edge-device zero-days: North Korean hackers using research lures to deliver RokRAT, malicious PyPI packages distributing WhiteSnake Stealer, a cryptojacking campaign named "Commando Cat" that targets exposed Docker APIs, a Cactus ransomware attack on Schneider Electric, and Ivanti disclosing two new zero-day vulnerabilities, one of them already under active exploitation. Together they underline the need for vigilance and proactive controls in each of these domains.

SISA Weekly Threat Watch is our weekly feature that brings you a quick snapshot of the major security vulnerabilities and threats that organizations worldwide faced this week. These recurring, actionable threat advisories also provide information and recommendations to help security teams defend against the latest critical threats.

1. Malicious packages on PyPI deliver WhiteSnake infostealer malware on Windows systems

Security researchers have uncovered malicious packages on the Python Package Index (PyPI) that distribute WhiteSnake Stealer, an information-stealing malware for Windows. The packages (nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends and TestLibs111), uploaded by a threat actor using the handle "WS", choose their final payload by the victim's operating system: Windows hosts receive WhiteSnake Stealer, while Linux hosts receive a Python script that harvests information.

On Windows the stealer collects data from web browsers, cryptocurrency wallets and other applications, with wallet data the primary exfiltration target. Verify the authenticity of a package before adding it (publisher, project history, linked source repository), review the code of dependencies pulled into critical projects, and run automated dependency scanning so that known-malicious or vulnerable components are caught before they are installed.
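As an added example (not SISA's or PyPI's tooling), the following Python script performs two of those checks offline against the package names in this item: it compares a requirements file, and the packages installed in the current interpreter, against the reported names after PEP 503 normalisation (so that case or separator variants are not missed), and it statically scans a setup.py for the operating-system probing and decode-and-execute calls an install-time payload needs. The requirements.txt and setup.py it runs on are constructed samples, and the list of suspicious calls is this example's heuristic.

```python
"""Check a Python dependency set against the PyPI packages named in this item.
Added example for this advisory, not SISA's or PyPI's own tooling; the
requirements.txt and setup.py below are constructed samples."""
import ast
import re
from importlib import metadata
from typing import Optional

# Package names reported in the advisory (uploaded under the handle "WS").
REPORTED_PACKAGES = [
    "nigpal", "figflix", "telerer", "seGMM", "fbdebug",
    "sGMM", "myGens", "NewGends", "TestLibs111",
]


def normalize(name: str) -> str:
    """PEP 503 name normalisation, the comparison pip itself uses:
    'seGMM' and 'SEGMM' are one project, as are 'my_gens', 'my-gens' and 'my.gens'."""
    return re.sub(r"[-_.]+", "-", name).lower()


DENYLIST = {normalize(n) for n in REPORTED_PACKAGES}
_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def requirement_names(text: str) -> list[str]:
    """Project names from requirements.txt content; skips comments, pip options
    (-r, -e, --index-url), URL/VCS requirements, extras, specifiers and markers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-") or "://" in line:
            continue
        match = _REQ_NAME.match(line)
        if match:
            names.append(match.group(1))
    return names


def flag_requirements(text: str) -> list[str]:
    """Names in a requirements file that normalise to a reported package."""
    return [n for n in requirement_names(text) if normalize(n) in DENYLIST]


def flag_installed() -> list[str]:
    """The same check against distributions installed in this interpreter."""
    names = {d.metadata.get("Name") or "" for d in metadata.distributions()}
    return sorted(n for n in names if normalize(n) in DENYLIST)


# Calls that install-time code (setup.py) rarely needs.  The item describes a
# payload chosen by operating system, so OS probing plus decode-and-exec is the
# pattern of interest.  A hit means "read this file", not "malicious".
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "base64.b64decode", "platform.system",
    "os.system", "subprocess.run", "subprocess.Popen", "urllib.request.urlopen",
}


def _dotted(node: ast.AST) -> Optional[str]:
    """Render a call target as a dotted name, e.g. base64.b64decode."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def setup_py_indicators(source: str) -> list[str]:
    """Static scan (the source is parsed, never executed) for SUSPICIOUS_CALLS."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SUSPICIOUS_CALLS:
                found.append(f"line {node.lineno}: {name}()")
    return sorted(found)


SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt, not from a real project
requests>=2.31
SeGMM==1.0.2 ; sys_platform == "win32"   # normalises to the reported seGMM
-e git+https://example.invalid/internal.git#egg=internal
TESTLIBS111
"""

SAMPLE_SETUP = """\
import base64, platform
from setuptools import setup
if platform.system() == "Windows":
    exec(base64.b64decode(b"cHJpbnQoJ3N0YWdlIDInKQ=="))  # decodes to print('stage 2')
setup(name="example")
"""

if __name__ == "__main__":
    print("requirements hits:", flag_requirements(SAMPLE_REQUIREMENTS))
    print("installed hits:", flag_installed())
    print("setup.py indicators:", setup_py_indicators(SAMPLE_SETUP))
```

The normalisation step matters because pip resolves `SeGMM`, `segmm` and `SEGMM` to the same project, so a plain string comparison against the reported names would miss a requirement written in a different case. The setup.py scan never imports or runs the file; it only walks the syntax tree, which is the right posture for code you already suspect.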

2. North Korean hackers weaponize research lures to deliver RokRAT backdoor 

In a recent cyber-espionage campaign, the North Korea-affiliated threat actor ScarCruft, also known as APT37, targeted media organizations and experts in North Korean affairs, and showed a growing interest in cybersecurity professionals. ScarCruft, attributed to North Korea's Ministry of State Security (MSS), differs from other North Korean groups in its focus on governments and defectors. It relies on spear-phishing to deliver RokRAT and other backdoors for quiet intelligence collection.

In the recent attacks the actor posed as a member of a North Korea research institute and delivered benign decoy files alongside two LNK files that start a multi-stage infection. The choice of lures suggests the group is after non-public cyber threat intelligence and insight into defenders' strategies. Mitigations include email filtering that covers shortcut files delivered inside archives, robust endpoint protection, regular patching, and network segmentation to contain a breach.
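Since the delivery pattern described above is benign decoys packaged with shortcut files, a mail gateway or analyst can triage the archive before anyone opens it. The Python below is an added example, not SISA's or the original researchers' code: it identifies LNK files by their header magic rather than their extension, decodes the header fields and command-line arguments defined in MS-SHLLINK, and flags hidden-window settings, script-host invocations, double extensions and unusually large trailing data. The archive and the shortcuts inside it are constructed in memory with harmless argument strings; the indicator list and thresholds are this example's heuristics.

```python
"""Triage an archive attachment for the pattern described above: decoy documents shipped
alongside Windows shortcut (.lnk) files that carry the real command line.  Added example,
not SISA's or the researchers' tooling.  The archive is built in memory, and the shortcuts
in it are minimal hand-built LNKs with harmless argument strings, not campaign samples."""
import io
import struct
import zipfile

# ShellLinkHeader: HeaderSize 0x4C followed by the shell link CLSID (MS-SHLLINK 2.1).
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
# LinkFlags bits that change how the rest of the file is laid out.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7      # ShowCommand that starts the target minimised and unfocused
SCRIPT_HOSTS = ("powershell", "cmd.exe", "mshta", "rundll32", "wscript", "cscript", "regsvr32", "certutil")
DECOY_EXTS = (".pdf", ".docx", ".doc", ".hwp", ".xlsx", ".txt")


def parse_lnk(data: bytes) -> dict:
    """Decode header fields and StringData of a shortcut; ValueError if the magic is wrong."""
    if not data.startswith(LNK_MAGIC):
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    pos = 76                                   # end of the fixed-size header
    if flags & HAS_ID_LIST:                    # LinkTargetIDList: u16 size, then the IDs
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                  # LinkInfo: u32 size that includes itself
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    width = 2 if flags & IS_UNICODE else 1
    strings = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        if flags & bit:                        # StringData: u16 character count, then the text
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            raw = data[pos:pos + count * width]
            pos += count * width
            strings[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    # Anything left is ExtraData (normally a few hundred bytes) plus whatever was appended.
    return {"flags": flags, "show_command": show_cmd, "trailing_bytes": len(data) - pos, **strings}


def lnk_indicators(info: dict) -> list[str]:
    """Heuristics for a shortcut arriving by mail; each hit is a reason to detonate, not a verdict."""
    out = []
    args = info.get("arguments", "")
    if any(tool in args.lower() for tool in SCRIPT_HOSTS):
        out.append(f"arguments invoke a script host: {args!r}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        out.append("ShowCommand=SW_SHOWMINNOACTIVE (target window hidden)")
    if info["trailing_bytes"] > 64 * 1024:
        out.append(f"{info['trailing_bytes']} bytes after StringData, far more than ExtraData needs")
    return out


def triage_archive(zip_bytes: bytes) -> dict:
    """Identify shortcuts by magic rather than extension and report the decoy-plus-LNK mix."""
    report = {"decoys": [], "shortcuts": {}, "double_extension": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for entry in zf.infolist():
            data = zf.read(entry)
            lower = entry.filename.lower()
            if data.startswith(LNK_MAGIC):
                report["shortcuts"][entry.filename] = lnk_indicators(parse_lnk(data))
                if lower.rsplit(".", 1)[0].endswith(DECOY_EXTS):   # e.g. report.pdf.lnk
                    report["double_extension"].append(entry.filename)
            elif lower.endswith(DECOY_EXTS):
                report["decoys"].append(entry.filename)
    report["decoy_plus_lnk"] = bool(report["decoys"] and report["shortcuts"])
    return report


def build_lnk(arguments: str, show_command: int, appended: int = 0) -> bytes:
    """Hand-build a minimal shortcut: header, COMMAND_LINE_ARGUMENTS, terminal ExtraData block,
    plus `appended` filler bytes standing in for data tacked onto the end of the file."""
    header = bytearray(76)
    header[0:20] = LNK_MAGIC
    struct.pack_into("<I", header, 20, HAS_ARGS | IS_UNICODE)
    struct.pack_into("<I", header, 60, show_command)
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return bytes(header) + string_data + b"\x00" * 4 + b"\x00" * appended


def build_sample_archive() -> bytes:
    """Constructed attachment: one decoy document, one disguised LNK, one unremarkable LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Research_Note.docx", b"constructed decoy document placeholder")
        zf.writestr("Research_Note.pdf.lnk",
                    build_lnk('/c start /min powershell -nop "harmless placeholder"',
                              SW_SHOWMINNOACTIVE, appended=100_000))
        zf.writestr("Readme.lnk", build_lnk("/c notepad.exe readme.txt", 1))
    return buf.getvalue()


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage_archive(build_sample_archive()))
```

Matching on the header magic rather than the `.lnk` suffix is the point: Windows Explorer hides the `.lnk` extension, so a file named `Research_Note.pdf.lnk` displays as a PDF, and a filter keyed on the visible name would pass it.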

3. Cryptojacking alert: ‘Commando Cat’ targets unprotected Docker APIs

Docker API endpoints exposed to the internet are the entry point for Commando Cat, a cryptojacking campaign recently uncovered by security researchers. The campaign uses the exposed Docker API as its initial access vector and then fetches a chain of interdependent payloads from an actor-controlled server to establish persistence, backdoor the host, steal cloud service provider credentials and start mining.

The attacker first creates a container from a benign-looking image built with the open-source Commando tool, then uses chroot to break out of the container onto the host. The resulting malware acts as a credential stealer, a stealthy backdoor and a cryptocurrency miner at once, squeezing maximum value from each compromised system. Mitigations: keep hosts updated, never expose the Docker API on a network interface without TLS client authentication, segment networks, and monitor Docker activity (in particular container creation with host bind mounts or privileged mode) for real-time detection.
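Two of those mitigations can be checked mechanically. The Python below is an added example, not SISA's or Docker's tooling: audit_daemon_config reads a daemon.json and flags an Engine API listening on TCP without TLS client-certificate verification (a weak configuration is shown beside a hardened one), and audit_container reads docker inspect output and flags a container that has the host's root filesystem bind-mounted, runs privileged or in the host PID namespace, or whose command chroots into that mount, the escape described above. The daemon.json and inspect documents are constructed samples and the image names are arbitrary.

```python
"""Two audits for the weaknesses this item turns on: an Engine API reachable over
plain TCP, and a container given enough of the host to chroot out of.  Added
example, not SISA's or Docker's tooling; the daemon.json and 'docker inspect'
documents are constructed samples (the image names are arbitrary)."""
import json
from typing import Any


def audit_daemon_config(cfg: dict[str, Any]) -> list[str]:
    """Flag daemon.json settings that expose the Engine API without client authentication.
    Whoever reaches an unauthenticated API can start a container as root on the host."""
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue                       # unix:// and fd:// sockets are local only
        addr = host[len("tcp://"):]
        if not cfg.get("tlsverify"):
            mode = ("TLS without client-certificate verification" if cfg.get("tls")
                    else "plaintext, no authentication")
            findings.append(f"API on {addr}: {mode}")
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"API bound to every interface ({addr})")
    return findings


def audit_container(inspect: dict[str, Any]) -> list[str]:
    """Flag a container that has been handed the host: bind mount of '/', privileged mode,
    host PID namespace, or a command that chroots into a mounted host root."""
    findings = []
    host_roots = []
    for mnt in inspect.get("Mounts", []):
        if mnt.get("Type") == "bind" and mnt.get("Source") == "/":
            host_roots.append(mnt["Destination"])
            findings.append(f"host root bind-mounted at {mnt['Destination']}")
    host_cfg = inspect.get("HostConfig", {})
    if host_cfg.get("Privileged"):
        findings.append("Privileged=true")
    if host_cfg.get("PidMode") == "host":
        findings.append("PidMode=host")
    cfg = inspect.get("Config", {})
    cmdline = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    if "chroot" in cmdline and any(root in cmdline for root in host_roots):
        findings.append(f"command chroots into the mounted host root: {cmdline}")
    return findings


def audit_containers(inspects: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Run audit_container over 'docker inspect' output for several containers."""
    return {i.get("Name", "?"): f for i in inspects if (f := audit_container(i))}


# Weak configuration: API on every interface, port 2375, no TLS at all.
WEAK_DAEMON_JSON = json.loads("""
{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"], "tls": false}
""")

# Hardened: management address only, port 2376, clients must present a cert from our CA.
HARDENED_DAEMON_JSON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

# Constructed 'docker inspect' documents.  The first follows the pattern described above:
# an unremarkable image, the host's '/' bind-mounted in, and a command that chroots into it.
SUSPECT_CONTAINER = {
    "Name": "/updater",
    "Config": {"Image": "alpine:latest", "Entrypoint": None,
               "Cmd": ["sh", "-c", "chroot /hs sh -c 'id'"]},
    "HostConfig": {"Privileged": False, "PidMode": ""},
    "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hs", "RW": True}],
}
NORMAL_CONTAINER = {
    "Name": "/web",
    "Config": {"Image": "nginx:1.25", "Entrypoint": ["/docker-entrypoint.sh"],
               "Cmd": ["nginx", "-g", "daemon off;"]},
    "HostConfig": {"Privileged": False, "PidMode": ""},
    "Mounts": [{"Type": "volume", "Source": "webdata", "Destination": "/usr/share/nginx/html", "RW": False}],
}

if __name__ == "__main__":
    print("weak daemon.json:", audit_daemon_config(WEAK_DAEMON_JSON))
    print("hardened daemon.json:", audit_daemon_config(HARDENED_DAEMON_JSON))
    print("containers:", audit_containers([SUSPECT_CONTAINER, NORMAL_CONTAINER]))
```

The container audit is worth running continuously (for example over `docker inspect $(docker ps -q)` on a schedule), because a bind mount of `/` plus `chroot` needs neither `--privileged` nor a kernel bug: the Docker API itself grants it to anyone who can call it.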

4. Energy giant Schneider Electric hit by Cactus ransomware attack 

Schneider Electric, a global energy management and automation company, has been hit by the Cactus ransomware group, which targeted its Sustainability Business division. The company confirmed unauthorized access to data and is in contact with affected customers; access to the division's platforms was restored on January 31, 2024. The attack affected the EcoStruxure Resource Advisor platform, which more than 2,000 companies worldwide use to monitor energy and resource data.

Cactus ransomware, active against large corporations since March 2023, typically gains initial access through VPN appliances and then relies on legitimate remote-access tools such as AnyDesk and Splashtop. The group runs double-extortion attacks, demanding payment both for a file decryptor and for a promise not to leak the stolen data. Companies that refuse to pay are published on Cactus' leak site, which already lists more than 80 victims.

5. Ivanti discloses 2 new zero-day flaws, one under active exploitation 

Ivanti has warned of two high-severity vulnerabilities, CVE-2024-21888 and CVE-2024-21893, in its Connect Secure and Policy Secure products; the second is being actively exploited. CVE-2024-21888 is a privilege escalation flaw that lets a user elevate to administrator privileges. CVE-2024-21893 is a server-side request forgery (SSRF) vulnerability in the SAML component that lets an attacker reach restricted resources without authentication.

Ivanti is not aware of any customers affected by CVE-2024-21888, but confirms targeted exploitation of CVE-2024-21893 and expects it to increase sharply once details become public. Two older vulnerabilities in the same products, CVE-2023-46805 and CVE-2024-21887, also remain under active exploitation and have been used to deploy backdoors, cryptocurrency miners and the KrustyLoader malware. Ivanti recommends applying the patches and, as a precaution, factory-resetting the appliance before patching so that an attacker already on the device cannot persist through the upgrade.
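Where appliance request logs are available, exploitation of an SSRF such as CVE-2024-21893 leaves a recognisable trace: a client-supplied URL whose host is the appliance itself, loopback, link-local or private address space. The Python below is an added example, not Ivanti's detection logic: it peels percent-encoding (including double encoding), extracts URL-shaped values from the request path and body, and reports any that point at an internal target. The log records are constructed, and the SAML endpoint prefix it watches by default is an assumption for this example rather than a path taken from the advisory; pass ("/",) to sweep every path.

```python
"""Hunt an appliance's request log for SSRF-style traffic: a client-supplied URL whose
target is the appliance itself, loopback, link-local or private address space.  Added
example for this item, not Ivanti's own detection; the log records are constructed and
the endpoint prefix watched by default is an assumption, not taken from the advisory."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Hostnames a client-supplied URL should never legitimately point at.
INTERNAL_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}
# Stops at whitespace, quotes, angle brackets and '&' so one form field yields one URL.
URL_RE = re.compile(r"https?://[^\s\"'<>&]+", re.I)


def is_internal_target(url: str) -> bool:
    """True if the URL's host is a loopback/private/link-local/unspecified literal
    (IPv4 or bracketed IPv6) or a well-known local hostname."""
    host = urlsplit(url).hostname or ""
    if host in INTERNAL_HOSTNAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False   # a public hostname; resolving it is out of scope for an offline scan
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def extract_urls(text: str) -> list[str]:
    """URL-looking values in a request path/query/body, after peeling up to three
    layers of percent-encoding (double encoding is a routine filter dodge)."""
    decoded = text
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return URL_RE.findall(decoded)


def triage(records: list[dict], watched_prefixes: tuple[str, ...] = ("/dana-ws/saml",)) -> list[tuple[str, str, str]]:
    """(source IP, path, offending URL) for requests to the watched paths that carry a URL
    aimed at an internal target.  The default prefix is an assumption for this example."""
    hits = []
    for rec in records:
        if not rec["path"].startswith(watched_prefixes):
            continue
        for url in extract_urls(rec["path"] + " " + rec.get("body", "")):
            if is_internal_target(url):
                hits.append((rec["src"], rec["path"], url))
    return hits


SAMPLE_LOG = [  # constructed records, not real appliance traffic
    {"ts": "2024-02-01T03:14:07Z", "src": "203.0.113.10", "method": "POST", "path": "/dana-ws/saml20.ws",
     "body": "SAMLRequest=PHNhbWxwOkF1dGhu&Destination=https%3A%2F%2Fidp.example.com%2Fsso"},
    {"ts": "2024-02-01T03:14:52Z", "src": "198.51.100.23", "method": "POST", "path": "/dana-ws/saml20.ws",
     "body": "SAMLRequest=PHNhbWxwOkF1dGhu&Destination=http%3A%2F%2F127.0.0.1%2Finternal%2F"},
    {"ts": "2024-02-01T03:15:01Z", "src": "198.51.100.23", "method": "GET", "path": "/static/logo.png",
     "body": ""},
    {"ts": "2024-02-01T03:15:30Z", "src": "198.51.100.23", "method": "POST", "path": "/dana-ws/saml.ws",
     "body": "SAMLRequest=PHNhbWxwOkF1dGhu&Destination=http%253A%252F%252F169.254.169.254%252Flatest%252F"},
    {"ts": "2024-02-01T03:16:12Z", "src": "198.51.100.23", "method": "POST", "path": "/dana-ws/saml20.ws",
     "body": "Destination=http://[::1]/admin&RelayState=x"},
]

if __name__ == "__main__":
    for src, path, url in triage(SAMPLE_LOG):
        print(f"{src} -> {path}: URL targets internal host {url}")
```

The first record is what a legitimate SAML flow looks like (a URL pointing at the external identity provider) and is not flagged; the others show the three encodings an attacker reaches for (single, double, and a bracketed IPv6 loopback literal), all reduced to the same question: does the host belong to us.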

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
