Security researchers have uncovered an ongoing attack campaign, dubbed FROZEN#SHADOW by Securonix, that uses phishing emails to distribute the SSLoad malware. The campaign also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software. SSLoad is designed to infiltrate systems stealthily, gather sensitive information, and transmit it back to its operators, deploying multiple backdoors and payloads for persistence and detection evasion.

The attack starts with phishing emails targeting organizations in Asia, Europe, and the Americas. These emails contain links that lead to the retrieval of a JavaScript file, which initiates the infection process. Palo Alto Networks discovered two different distribution methods for SSLoad: one uses website contact forms with booby-trapped URLs, the other macro-enabled Microsoft Word documents. Both methods have also been observed delivering another malware called Latrodectus, possibly a successor to IcedID.

The obfuscated JavaScript file, when executed, retrieves an MSI installer file, "slack.msi," from a network share and runs it to download and execute the SSLoad payload. SSLoad then beacons to a command-and-control (C2) server, providing information about the compromised system. Subsequently, Cobalt Strike is deployed to download and install ConnectWise ScreenConnect, giving the attackers remote access to the compromised host.

The attackers then acquire credentials and gather critical system details, scanning for stored credentials and sensitive documents. They pivot to other systems in the network, including the domain controller, and create their own domain administrator account to fully compromise the victim's Windows domain. This level of access lets them reach any machine joined to the domain, which makes remediation a significant challenge for the affected organization.
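As an added example (not from the article or from the vendors it cites), the Python below shows how a defender might encode three of the reported stages as detection rules run over constructed, simplified event lines: a script host launching msiexec on an MSI pulled from a network share, a ScreenConnect client appearing on a host that is not on an allowlist, and a new member added to Domain Admins. The key=value event format, the hostnames, and the empty allowlist are assumptions.

```python
import re

# Constructed, simplified endpoint/DC events in key=value form (not real telemetry, not from the article).
SAMPLE_EVENTS = [
    "host=WS01 event=ProcessCreate parent=wscript.exe image=msiexec.exe cmd='msiexec.exe /i \\\\10.0.0.5\\share\\slack.msi /q'",
    "host=WS01 event=ProcessCreate parent=explorer.exe image=msiexec.exe cmd='msiexec.exe /i C:\\Users\\a\\Downloads\\app.msi'",
    "host=WS01 event=ProcessCreate parent=services.exe image=ScreenConnect.ClientService.exe cmd='ScreenConnect.ClientService.exe'",
    "host=DC01 event=GroupMemberAdded group='Domain Admins' member=svc-backup actor=jdoe",
    "host=DC01 event=GroupMemberAdded group='Remote Desktop Users' member=alice actor=admin",
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Hosts where the ScreenConnect client is legitimately installed (assumed allowlist; empty here).
SANCTIONED_SCREENCONNECT_HOSTS = set()
# A UNC path (\\server\share\...) ending in .msi anywhere in a command line.
UNC_MSI = re.compile(r"\\\\[^\s'\"]+\.msi", re.IGNORECASE)


def parse_event(line):
    """Parse key=value tokens; values may be single-quoted so they can contain spaces."""
    fields = {}
    for key, quoted, bare in re.findall(r"(\w+)=(?:'([^']*)'|(\S+))", line):
        fields[key] = quoted if quoted else bare
    return fields


def detect(lines):
    """Return (host, rule, detail) tuples for events matching the reported FROZEN#SHADOW stages."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        host, kind = ev.get("host", "?"), ev.get("event")
        if kind == "ProcessCreate":
            parent = ev.get("parent", "").lower()
            image = ev.get("image", "").lower()
            cmd = ev.get("cmd", "")
            # Stage 1: a script host running msiexec on an MSI fetched from a network share.
            if parent in SCRIPT_HOSTS and image == "msiexec.exe" and UNC_MSI.search(cmd):
                alerts.append((host, "script host launched msiexec on UNC-hosted MSI", cmd))
            # Later stage: ScreenConnect client running on a host where nobody sanctioned it.
            elif image.startswith("screenconnect") and host not in SANCTIONED_SCREENCONNECT_HOSTS:
                alerts.append((host, "unsanctioned ScreenConnect client", image))
        # Final stage: an account added to Domain Admins on the domain controller.
        elif kind == "GroupMemberAdded" and ev.get("group", "").lower() == "domain admins":
            alerts.append((host, "new Domain Admins member", ev.get("member", "")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second msiexec line (a local MSI launched from Explorer) and the Remote Desktop Users change deliberately produce no alert, so the rules stay narrow enough to be useful as a starting point rather than a source of noise.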
Meanwhile, AhnLab Security Intelligence Center (ASEC) reported infections of Linux systems with the Pupy RAT open-source remote access trojan.
Several popular Android applications available on the Google Play Store are vulnerable to a path traversal-affiliated vulnerability known as the Dirty Stream attack. This vulnerabil...
The US confirms Russian hackers have breached water systems. They warn North American and European operators about ongoing attempts by pro-Russia activists to infiltrate their tech...
The Simone Veil hospital in Cannes, France, has become the latest target of cybercriminals, with the LockBit ransomware gang claiming to have accessed and published confidential da...