SISA Weekly Threat Watch – August 29th, 2022

SISA’s weekly series on threat advisories offers a quick snapshot of top security vulnerabilities and exploits, to help organizations stay up-to-date with the evolving threat landscape. The advisories also provide relevant information and recommendations to help them take preventive actions against the latest and critical threats.

Organizations can also opt-in for our free daily threat advisories by subscribing here.


New and evolved threat actors are deploying cutting-edge tactics such as encoding and encryption of malicious samples and multi-stage malware distribution to get past organizations’ security defenses. This past week also saw them using trusted connections to their advantage to move up the supply chain and gain access to critical environments. New ransomware groups with previously known modules, cryptomining malware, zero-day vulnerabilities and new backdoors were infamously leveraged by attackers to target network infrastructures and devices worldwide.

SISA Weekly Threat Watch – our new weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. BlueSky ransomware: fast encryption via multithreading

A new ransomware family called BlueSky has adopted contemporary methods to evade security measures. In particular, BlueSky's network search module is a direct replica of the one in Conti v3, and the two share a similar multithreaded architecture. Much like Babuk ransomware, BlueSky encrypts files with the ChaCha20 cipher and derives keys with Curve25519.

The initial dropper uses Base64 encoding and DEFLATE compression, which is typical of PowerShell droppers. The stage.ps1 PowerShell script first checks whether it is running as a privileged user; if so, it advances to the next stage of downloading and running the ransomware payload. If not, on Windows 7, 8, or XP it downloads a modified version of a local privilege escalation tool and runs it from the script. On Windows 10 or later, the script downloads and runs ghost.exe and spooler.exe to exploit CVE-2020-0796 and CVE-2021-1732, then downloads the final BlueSky ransomware payload. To stay secure from such ransomware attacks, it is recommended to monitor for account anomalies, regularly update software, hardware, and applications, and configure appropriate security settings on network infrastructure devices.
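As an added analyst-side example (not from the advisory or from any sample analysis), the Python helper below unwraps the Base64-plus-DEFLATE layering described above and flags the privilege check; the dropper text, the benign inner script and the marker list are all constructed for illustration.

```python
import base64
import re
import zlib

# Base64 blob handed to [Convert]::FromBase64String(...) in the common
# "DeflateStream over a MemoryStream" PowerShell dropper layout.
B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
PRIV_CHECK_MARKERS = ("IsInRole", "WindowsBuiltInRole]::Administrator", "S-1-5-32-544")  # hypothetical markers

def inflate_b64(blob: str) -> "bytes | None":
    """Base64-decode, then raw-DEFLATE inflate (wbits=-15 matches .NET DeflateStream)."""
    try:
        return zlib.decompress(base64.b64decode(blob, validate=True), -15)
    except (ValueError, zlib.error):
        return None

def unwrap_dropper(script: str, max_layers: int = 5) -> list:
    """Peel Base64+DEFLATE layers off a dropper, returning each decoded stage in order."""
    stages, current = [], script
    for _ in range(max_layers):
        blobs = B64_ARG.findall(current)
        decoded = inflate_b64(blobs[0]) if blobs else None
        if decoded is None:
            break
        current = decoded.decode("utf-8", errors="replace")
        stages.append(current)
    return stages

def has_privilege_check(stage: str) -> bool:
    return any(marker in stage for marker in PRIV_CHECK_MARKERS)

def build_sample_dropper(inner: str) -> str:
    """Constructed, benign sample that mimics only the dropper layout (not a real sample)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header/trailer
    blob = base64.b64encode(comp.compress(inner.encode()) + comp.flush()).decode()
    return ("IEX (New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream("
            f"[IO.MemoryStream][Convert]::FromBase64String('{blob}'),"
            "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")

# Constructed inner stage: the standard PowerShell "running as Administrator?" check.
SAMPLE_INNER = (
    "$p = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()\n"
    "if ($p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))"
    " { 'elevated' } else { 'not elevated' }\n"
)

if __name__ == "__main__":
    for i, stage in enumerate(unwrap_dropper(build_sample_dropper(SAMPLE_INNER)), 1):
        print(f"stage {i}: privilege check = {has_privilege_check(stage)}\n{stage}")
```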

2. Malicious packages flood Python Package Index (PyPI) registry

A PyPI package called “secretslib”, which describes itself as “secrets matching and verification made easy”, secretly launches cryptominers on Linux machines in memory (straight from RAM), a practice commonly used by fileless malware and crypters. A mystery file called “tox” is downloaded, given execute permission, run with root privileges (via sudo), and then deleted after quietly loading another ELF file into memory. Antivirus software may find it more difficult to proactively detect fileless malware that lives only in a system's volatile memory, because the intermediate step of writing the malicious file to disk is omitted. It is therefore recommended to avoid using the secretslib package altogether.
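An added defender-side check, not from the advisory: a Python scanner that flags running processes whose executable is memory-backed or already deleted from disk, the trace left by the in-memory ELF execution described above. It assumes a Linux /proc layout and uses a constructed fake tree for offline testing; that the loader uses a memfd or an unlinked temp file is an assumption, as the advisory does not name the mechanism.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical /proc scanner: flags processes whose backing executable is not a regular
# on-disk file, the trace left when an ELF runs from memory or its dropped copy is unlinked.

def classify_exe(link_target: str) -> str:
    """Classify the symlink target of /proc/<pid>/exe."""
    if link_target.startswith("/memfd:"):   # anonymous in-memory file (memfd_create)
        return "memfd"
    if link_target.endswith(" (deleted)"):  # binary unlinked while still running
        return "deleted"
    return "on-disk"

def scan_proc(proc_root: str = "/proc") -> list:
    """Return a finding for every numeric /proc entry whose exe is memfd- or deleted-backed."""
    findings = []
    for entry in sorted(Path(proc_root).iterdir()):
        if not entry.name.isdigit():
            continue
        try:
            target = os.readlink(entry / "exe")
            cmdline = (entry / "cmdline").read_bytes().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:  # kernel threads have no exe; other users' processes deny access
            continue
        kind = classify_exe(target)
        if kind != "on-disk":
            findings.append({"pid": int(entry.name), "kind": kind, "exe": target, "cmdline": cmdline})
    return findings

def build_fake_proc() -> str:
    """Constructed stand-in for /proc so the scanner can be exercised offline."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "101": ("/usr/bin/sleep", "sleep 60"),          # ordinary on-disk process
        "202": ("/memfd:tox (deleted)", "./tox"),       # ELF loaded straight into memory
        "303": ("/tmp/tox (deleted)", "/tmp/tox"),      # dropped, executed, then unlinked
    }
    for pid, (exe, cmd) in samples.items():
        (root / pid).mkdir()
        os.symlink(exe, root / pid / "exe")             # dangling link is fine for readlink
        (root / pid / "cmdline").write_bytes(cmd.replace(" ", "\0").encode() + b"\0")
    (root / "self").mkdir()                             # non-numeric entry, must be skipped
    return str(root)

if __name__ == "__main__":
    for f in scan_proc(build_fake_proc()):
        print(f"pid {f['pid']}: {f['kind']} exe={f['exe']!r} cmdline={f['cmdline']!r}")
```

Running it against the real /proc as root lists every process with a memfd- or deleted-backed executable; an unexpected entry such as a hit under a newly installed package's name is worth a closer look.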

Two more malicious Python packages were disguising themselves as one of PyPI's well-known open-source packages. To deceive victims into installing a malicious package, the attacker reused the description of the legitimate “requests” package, differing only in one additional malicious file. That script creates a temporary file and executes a second one-line Python script inside it using the system.start() function. The final payload, a Python Trojan, uses cryptography to gather passwords from browsers, stored cookies, and Discord tokens in separate threads. To prevent this attack, it is recommended to avoid the ultrarequests-2.28.3.tar.gz and pyquest-2.28.3.tar.gz packages.

3. Apple releases security updates to patch two new zero-day vulnerabilities

Apple has released security updates to address vulnerabilities in multiple products, including patches for two new zero-day vulnerabilities, CVE-2022-32893 and CVE-2022-32894. Successful exploitation of the most severe of these vulnerabilities could lead to arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with that user, an attacker could then install applications; read, modify, or delete data; or create new accounts with full user rights. The flaws were reported by anonymous researchers and patched by Apple in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 with improved bounds checking for both vulnerabilities.

Affected organizations are advised to review the Apple security advisory and apply any relevant updates. To reduce the risk from spear phishing, social engineering, and other user-interaction techniques, users must be educated to recognize access or manipulation attempts by an adversary. Applying the principle of least privilege to all systems and services, and running all applications with non-privileged access (without administrative privileges), is also recommended as a security best practice. Additionally, restrict the use of certain websites, block downloads and attachments, block JavaScript, and restrict browser extensions to stay protected.

4. Andariel hackers use Maui ransomware for financial gains and disruptions

The North Korean state-sponsored hacker group “Andariel”, well known for running illicit online operations to generate revenue and sow discord in South Korea, has been linked to the Maui ransomware campaign. Kaspersky researchers examined the TTPs used in a Maui ransomware incident and found similarities to earlier Andariel (also known as Stonefly/Silent Chollima) activity. After initial infection, and to maintain access, both employed legitimate proxy and tunnelling tools and coupled PowerShell scripts with Bitsadmin to download further threats. They used only DTrack, also known as Preft, and spent months inside the victim's networks before taking any action.

In a separate Andariel attack, the DTrack malware was used against a Japanese victim just hours before encryption, while the 3Proxy tool had been present in the internal network for months before the attack. DTrack is a modular piece of malware used to steal data and capture HTTP traffic using Windows commands. The attackers used Maui ransomware to encrypt servers providing healthcare services such as electronic health records, diagnostics, imaging, and intranet services. It is recommended to ensure that all machines have up-to-date antivirus and anti-malware software and that multi-factor authentication is enabled across the organization. Educating users on how to identify and report phishing attacks is also crucial to preventing ransomware attacks and breaches.

5. APT27 group backdoors MiMi Chat app for supply chain attack

A new backdoor called “rshell”, which can steal data from Linux and macOS systems, is being delivered through trojanized versions of the cross-platform instant messaging application “MiMi”, which targets the Chinese market. According to researchers from SEKOIA, an odd connection to this application was discovered while investigating the C2 infrastructure of the HyperBro RAT linked to APT27. The researchers also report that the malicious JavaScript code in MiMi's source first checks whether the app is running on a Mac before downloading and launching the rshell backdoor.

A second investigation, by Trend Micro, found that several variants of the same malware were delivered through a supply chain attack on MiMi's servers. Older trojanized versions of MiMi targeting Windows (with HyperBro RAT) and Linux (using rshell) were also discovered. Once activated, the malware gathers information about the system, sends it to the C2 server, and then waits for commands from APT27 to upload files. The attackers can use the malware to download, read, write, and list directories and files on compromised systems. It is recommended that organizations in the industry adopt a range of controls, such as updated antivirus and anti-malware software and multi-factor authentication, that can help prevent such threats.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
