This aims to keep readers abreast of developments in the cyber security space from an intel perspective. The news covers the trending cyber security news over a timeframe of 7 days before the publication day of each report.
This week’s wrap will be centered around Atomic Stealer, Lumma Stealer variant being spread via a crack on YouTube, Malicious PyPI Packages Deploy CoinMiner on Linux Devices, and Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN.

Atomic Stealer rings in the new year with an updated version

Summary:

• Atomic Stealer, a popular stealer in the criminal underground, has been updated with payload encryption to bypass detection rules.
• The developers of Atomic Stealer ran a promotion offering a special holiday discount to their customers.
• Malvertising campaigns have been observed distributing Atomic Stealer to Mac users, often through deceptive ads impersonating popular tools like Slack.
• Atomic Stealer is designed to steal passwords, crypto wallets, and browser cookies, making it a significant threat to Mac users.
• To protect against Atomic Stealer and similar threats, it is recommended to use web protection and antivirus software like Malwarebytes Browser Guard and Antivirus for macOS.

Lumma Stealer Variant being spread via deceptive Cracked Software on YouTube

Summary:

• A threat group is using YouTube channels to distribute a Lumma Stealer variant.
• The attacker breaches a YouTuber’s account and uploads videos masquerading as sharing cracked software.
• The videos contain a malicious URL that leads users to download a ZIP file containing the Lumma Stealer payload.
• The Lumma Stealer targets sensitive information such as user credentials, system details, browser data, and extensions.
• The attackers utilize open-source platforms like GitHub and MediaFire to distribute their malicious servers and evade web filter blacklists.

New Malicious PyPI Packages Deploy CoinMiner on Linux Devices

Summary:

• Three new malicious PyPI packages have been identified that deploy CoinMiner on Linux devices. The packages are named modularseven-1.0, driftme-1.0, and catme-1.0, and they originate from the same author known as “sastra”.
• These packages conceal their payload by hosting it on a remote URL, reducing their detectability. The payload is released incrementally in various stages to execute its malicious activities.
• The malicious activity is triggered by an “import” statement in the __init__.py file. The payload includes a configuration file for executing the program and a CoinMiner executable, both hosted at remote addresses.
• The malware inserts malicious commands into the ~/.bashrc file, ensuring persistence and reactivation of the malware on the user’s device. The CoinMiner executable has been previously uploaded to VirusTotal and is recognized as malicious by multiple vendors.
• These malicious packages exhibit similarities to the “culturestreak” PyPI package, including the hosting of the configuration file and coin mining executables on similar domains. However, the new packages showcase enhanced strategies to conceal their presence and maintain their malicious functions.

Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN

Summary:

• Two zero-day vulnerabilities in Ivanti Connect Secure VPN devices are being actively exploited in the wild.
• The vulnerabilities allow for unauthenticated remote code execution, giving attackers full control over the system.
• The threat actor behind the exploits is tracked under the alias “UTA0178” and is believed to be a Chinese nation-state-level actor.
• The attacker used a combination of webshells, proxy utilities, and file modifications to carry out the attacks and steal credentials.
• Organizations using Ivanti Connect Secure VPN should immediately apply the provided mitigation and thoroughly analyze their systems for signs of compromise.

Sources

• https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version?utm_source=podia&utm_medium=broadcast&utm_campaign=1773599
• https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/?utm_source=podia&utm_medium=broadcast&utm_campaign=1773599
• https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube?utm_source=podia&utm_medium=broadcast&utm_campaign=1773599
• https://www.fortinet.com/blog/threat-research/malicious-pypi-packages-deploy-coinminer-on-linux-devices?utm_source=podia&utm_medium=broadcast&utm_campaign=1773599