Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
New Android Malware Steals Crypto Credentials Using Image Recognition
A new Android malware, SpyAgent, uses optical character recognition (OCR) to steal cryptocurrency wallet recovery phrases from images stored on mobile devices.
Top 4 takeaways:
🪲 The malware has been found in at least 280 APKs distributed outside of Google Play via SMS or malicious social media posts.
🥸 The malware disguises itself as legitimate apps, stealing text messages, contacts, and images.
🌎 Initially targeting South Korea, there are signs of expansion to the UK and potential development of an iOS variant. It has also improved its obfuscation techniques.
🛡️ To mitigate risks, avoid installing apps outside of Google Play, disregard suspicious SMS messages, and conduct regular Google Play Protect scans.
Chinese APT Weaponizes Visual Studio Code
The China-linked APT group Mustang Panda is exploiting Visual Studio Code in cyber espionage operations targeting Southeast Asian government entities.
Top 4 takeaways:
😈 The group used Visual Studio Code’s embedded reverse shell feature to gain access and execute arbitrary code.
⚡️ The attackers also used the ShadowPad modular backdoor for further infiltration, established persistence with scheduled tasks, and exfiltrated data via Dropbox.
👬 Another cluster of activity using the ShadowPad backdoor was observed in the same environment, possibly indicating collaboration or piggybacking between two threat actors.
🤔 It’s uncertain whether the observed activities come from the same threat actor or from a collaboration between different groups.
Black Hat SEO Campaign Targets IIS Servers
A Chinese-speaking actor is targeting IIS servers across Asia and Europe for SEO rank manipulation.
Top 4 takeaways:
😈 The hacking group “DragonRank” targets various industries (healthcare, media, transportation, etc.) across multiple countries, using tools and techniques linked to Simplified Chinese-speaking groups.
🪲 They compromise Windows IIS servers to implant the BadIIS malware, manipulate SEO, and promote scam websites. They also use PlugX malware for persistence and stealth.
🌐 DragonRank uses black hat SEO practices to boost their clients’ online visibility through unethical means, including keyword manipulation and bulk posting on social media.
⚡ The group exploits vulnerabilities in web applications, uses web shells for control, and employs various credential-harvesting tools. Its activities are linked to Simplified Chinese-speaking actors.
New RAMBO Attack Steals Data from Air-Gapped System’s RAM
RAMBO is a novel side-channel attack that uses electromagnetic radiation from a device’s RAM to transmit data out of air-gapped computers.
Top 4 takeaways:
🔒 Air-gapped systems are isolated from external networks to prevent unauthorized access and data leakage.
⚡️ The attack manipulates memory access patterns to generate controlled electromagnetic emissions, which are intercepted and converted back into binary information.
🪲 This attack uses malware to generate radio signals from a computer’s RAM, allowing data to be exfiltrated from air-gapped systems with speeds up to 1,000 bits per second (suitable for small data like text and keystrokes).
🛡️ Defensive recommendations include physical defenses, RAM jamming, external EM jamming, and Faraday enclosures to block emissions.
RansomHub Uses Kaspersky’s TDSSKiller Tool to Disable Defenses
The RansomHub gang is using Kaspersky’s TDSSKiller tool to disable endpoint detection and response (EDR) services on target systems.
Top 4 takeaways:
😈 After disabling defenses, RansomHub deploys the LaZagne tool to extract credentials from various application databases.
🛠️ TDSSKiller, developed by Kaspersky, is used to disable security services like Malwarebytes Anti-Malware Service.
🪲 LaZagne is a credential-harvesting tool that targets database credentials to gain access to critical systems.
🛡️ Security tools can detect LaZagne, but TDSSKiller’s legitimate status makes it harder to flag. Activating tamper protection and monitoring specific flags can help defend against these attacks.
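As an added illustration (not code from the article or from any vendor), here is a small Python detection over constructed process-creation events that flags TDSSKiller only when it is invoked with a service-deletion switch, and notes whether a credential-harvesting tool follows on the same host. The `-dcsvc` switch name is assumed from public reporting of this campaign, and the event records and hostnames are constructed.

```python
"""Toy detection for living-off-the-land EDR tampering: alert when a signed
rootkit-removal tool (TDSSKiller) is run with a service-deletion switch, and
record whether a credential dumper (LaZagne) runs on the same host soon after.
All events below are constructed for this example, not real telemetry."""
import re
from dataclasses import dataclass

# Constructed sample process-creation events (host, timestamp, image, cmdline).
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "image": r"C:\Temp\tdsskiller.exe",
     "cmdline": "tdsskiller.exe -dcsvc MBAMService"},
    {"host": "ws01", "ts": 160, "image": r"C:\Temp\laZagne.exe",
     "cmdline": "laZagne.exe all"},
    {"host": "ws02", "ts": 200, "image": r"C:\Users\it\Downloads\tdsskiller.exe",
     "cmdline": "tdsskiller.exe"},  # plain scan: expected admin usage
]

# Service-deletion switch; the flag name is assumed from public reporting.
SERVICE_DELETE_RE = re.compile(r"(?i)\s-dcsvc\s+(\S+)")


@dataclass
class Alert:
    host: str
    service: str            # service the operator tried to delete
    followup_cred_tool: bool  # LaZagne seen on the same host within the window


def detect(events, window=600):
    """Return one Alert per TDSSKiller service-deletion invocation."""
    alerts = []
    by_host = {}
    for e in sorted(events, key=lambda e: (e["host"], e["ts"])):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if not e["image"].lower().endswith("tdsskiller.exe"):
                continue
            m = SERVICE_DELETE_RE.search(e["cmdline"])
            if not m:
                continue  # a plain scan is legitimate use; no alert
            followup = any(
                "lazagne" in later["image"].lower()
                and e["ts"] <= later["ts"] <= e["ts"] + window
                for later in evs[i + 1:])
            alerts.append(Alert(host, m.group(1), followup))
    return alerts
```

Pair this with tamper protection on the EDR itself, since the detection only tells you the deletion was attempted, not whether it succeeded.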
Top Tips of the Week
Threat Intelligence
- Foster cross-industry CTI collaboration. Learn from other sectors to strengthen overall threat intelligence capabilities.
- Understand threat actors’ motives and objectives. Knowing the ‘why’ enhances your ability to predict and counter their actions.
Threat Hunting
- Integrate threat intelligence into risk management. Enhance resilience by identifying and mitigating potential risks.
- Trust your instincts in cyber threat hunting. Intuition is a valuable tool; investigate anything that feels off.
Custom Tooling
- Test custom tools in controlled environments before deployment. Identify and address issues before they impact production.
- Integrate custom tools with existing systems. Seamless integration enhances workflow efficiency and data sharing.
- Collaborate with internal teams for custom tool development. Leverage diverse expertise to create solutions that address specific challenges.
Feature Article
An intelligence requirement template provides the scaffolding you need to comprehensively define your organization’s intelligence requirements. It empowers you to focus on what matters, create good requirements, and not waste time figuring out what this important document should include or look like.
This is why we have created a FREE intelligence requirements template you can use right now!
The template includes everything you need to thoroughly document your organization’s intelligence requirements, including collection requirements, production requirements, and a process for generating new intelligence requirements.
Intelligence requirements are the foundation of every cyber threat intelligence program. Kickstart your journey to creating them with our template.
Learning Resources
Discover the Power of Obsidian for Notetaking
Obsidian is a powerful (and free) notetaking tool for writers, researchers, and note-takers.
This excellent video covers the basics of the user interface, including the canvas feature, file organization, and linking notes. It also shows how to use markdown for formatting, create and manage links between notes, and utilize plugins for added functionality.
Try it out today!
Build Your Own Active Directory Hacking Lab With GOAD
Learn to build your own Active Directory hacking environment in this comprehensive video on setting up Game of Active Directory (GOAD).
It covers setting up GOAD with various domains, forests, and vulnerabilities, making it ideal for training and practicing attacks. Practice your hands-on Active Directory hacking skills now!
Should You Learn Go as Your First Programming Language?
Go is an awesome programming language that has simple syntax, fast execution speed, and is in high demand, but is it a good choice for beginners?
This video answers this question by exploring the benefits and challenges of learning Go compared to other languages like Python, JavaScript, and C++. It also emphasizes the importance of mastering programming basics regardless of the language chosen.
Take Control Over Your Outlook Calendar Today!
This video provides 11 essential Outlook Calendar hacks to improve time management. The tips range from ending meetings early to scheduling polls and setting up automatic replies for holidays.
Take back control of your time and start using Microsoft Outlook the right way!
Personal Notes
🤔 Our website refresh is complete!
Last week and most of this week, the team and I focused on refreshing our website’s look to make our services clearer and easier to find. The menu of coaching services has been brought to the forefront (with transparent pricing) so our clients can make a more informed purchasing decision.
As always, we pride ourselves on our free learning resources. We have now divided them into threat intelligence, threat hunting, and custom tooling, making it easier to find what you’re looking for.
We hope you enjoy the new look and feel of the website!