Threat Briefing: November 8, 2024

Cyber threat actors are constantly developing new campaigns to infiltrate systems, deploy malware, and extract valuable information. Some campaigns rely on longstanding malware or exploits, while others leverage newly developed techniques. This week’s Threat Briefing highlights multiple campaigns that utilize infostealers to collect victims’ credentials. Infostealers are valuable tools for threat actors, enabling them either to use the stolen credentials in further attacks or to sell them to other cybercriminals.

• Rhadamanthys Infostealer Delivered Via Phishing Emails Using Copyright Infringement Lure – Each victim receives an email from a unique address, crafted to appear as if it’s from legal representatives of technology, media, or entertainment companies. These emails have targeted victims across Asia, the Americas, and Europe, impacting hundreds of organizations. The emails instruct recipients to delete specific media files, allegedly included in an attachment. However, the attachment redirects them to an online platform that hosts a decoy document, ultimately leading to the deployment of Rhadamanthys malware on the victim’s system. Dark Reading
• “SteelFox” Campaign Delivers Cryptominer and Infostealer Since 2023 – The unidentified cyber threat actors behind this campaign are distributing counterfeit versions of legitimate software to compromise users. One such tool, “SteelFox,” is marketed as a free application activator, allowing users to activate paid software at no cost. This campaign has affected over 11,000 individuals across Latin America, Asia, and Europe. Once “SteelFox” is installed, it attempts to gain administrative access to the victim’s system, ultimately deploying the XMRIg coin miner and downloading an infostealer that captures credentials, credit card information, cookies, and system data. Dark Reading
• Malicious PyPI Package Imitates Legitimate Package Used to Steal AWS Credentials – The malicious package “fabrice” was designed to impersonate a popular Python library, “fabric,” which has been downloaded over 200 million times. Since its release in 2021, “fabrice” was downloaded around 37,000 times until it was finally removed in 2024. This fake package is engineered to steal credentials and establish backdoors in victims’ systems, specifically targeting AWS keys and access to AWS accounts. The Hacker News
• FreeBSD Servers Targeted in Ransomware Attacks from Interlock Variant – Interlock attacks began in September 2024 and have impacted six victims so far. Interlock exfiltrates data and encrypts files on the victim’s system, threatening to release the information publicly if the ransom is not paid. The malware includes both Windows and Linux versions. FreeBSD, a less common target in ransomware attacks, is also affected by Interlock; the last known ransomware to target FreeBSD was the Hive variant. Bleeping Computer
• U.S. Consumer Financial Protection Bureau (CFPB) Discourages Use of Mobile Devices for Agency Business Following Compromise of U.S. Telecom Infrastructure – The U.S. CFPB has advised its employees and contractors to avoid using mobile devices for agency business following a compromise of U.S. telecom infrastructure. This directive comes in response to a breach by Salt Typhoon, a Chinese cyber threat group, which infiltrated the systems of major telecom providers AT&T and Verizon. The attackers likely gained access to call logs, unencrypted text messages, and possibly audio recordings. Salt Typhoon has previously been linked to attacks on U.S. internet service providers. CSO Online