Security Affairs
Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Clasiopa group targets materials research in Asia

A previously unknown threat actor, tracked as Clasiopa, is using a distinct toolset in attacks aimed at materials research organizations in Asia. Broadcom Symantec researchers have reported that a previously unknown threat actor, tracked as Clasiopa, that is using a distinct toolset in attacks aimed at materials research organizations in Asia. At the time of […]

Bitwarden

A previously unknown threat actor, tracked as Clasiopa, is using a distinct toolset in attacks aimed at materials research organizations in Asia.

Broadcom Symantec researchers have reported that a previously unknown threat actor, tracked as Clasiopa, that is using a distinct toolset in attacks aimed at materials research organizations in Asia.

At the time of this writing, the infection vector used by Clasiopa is yet to be discovered, the experts believe that the attackers gain access through brute force attacks on Internet-facing servers.

According to the experts, the threat actor checked the IP addresses of the computers they were on using, they also attempted to disable Symantec Endpoint Protection (SEP) by stopping the SepMasterService.

The attackers used two legitimate software packages, the HCL Domino (formerly IBM Domino) and the Agile DGS and Agile FD servers. The experts noticed that both the Domino and Agile software appear to be using old certificates and the Agile servers use old vulnerable libraries.

The arsenal of the Clasiopa group includes:

  • Atharvan custom remote access Trojan (RAT).
  • Modified versions of the publicly available Lilith RAT. The versions employed in the attacks supported the following features:
    • Killing the process
    • Restarting the process
    • Modifying the sleep interval
    • Uninstalling the RAT
    • Executing a remote command or PowerShell script
    • Exiting the process
  • The Thumbsender hacking tool.
  • A custom proxy tool.

The experts have yet to determine the origin of the hacking group and its motivation, but evidence collected by Symantec suggests it is based in India.

The researchers noticed a Hindi mutex used in the Atharvan backdoor is “SAPTARISHI-ATHARVAN-101”. Atharvan is a legendary Vedic sage of Hinduism. The backdoor also sends a post request to a C&C server with the arguments:

  • d=%s&code=%d&cid=%s&time=%dtharvan

One of the passwords used by the threat actors for a ZIP archive was “iloveindea1998^_^”.

“While these details could suggest that the group is based in India, it is also quite likely that the information was planted as false flags, with the password in particular seeming to be an overly obvious clue.” concludes the report which also includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Clasiopa)