Welcome to this week’s Cyber Threat Intelligence Summary, where we bring you the latest updates and insights on significant cyber threats. This edition covers the SuperShell malware targeting Linux SSH servers, an in-depth analysis of three Chinese-linked clusters responsible for cyberattacks in Southeast Asia, and CitrineSleet exploiting a zero-day Chromium vulnerability.
1. SuperShell malware used to target Linux SSH servers
Full report available for CYMON users here.
Key Takeaways:
- Researchers have observed an attack in which a backdoor called SuperShell was installed on a poorly managed Linux server exposed over SSH.
- SuperShell was made by a Chinese-speaking developer and written in the Go language. The malware works on Windows, Linux, and Android and functions as a reverse shell that can be used to control infected systems remotely.
- In this instance, the attacker gained access by brute-forcing weak SSH credentials such as 'abc123' or 'password'. They then ran a shell script that downloaded SuperShell from web or FTP servers.
- The XMRig Monero coin miner was installed alongside SuperShell, suggesting that the attacker's goal was monetary gain via cryptocurrency mining.
Analyst comment:
- Crypto-jacking is the use of a compromised computer to mine cryptocurrency without the owner's consent. The identity and location of the victim in this attack have not been disclosed.
- The threat actor's motivation is most likely financial, so potential victims are not limited to any particular country or sector: any Internet-exposed SSH server with weak credentials is a target.
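The initial access in this case was an SSH brute-force against weak passwords, followed by a successful login. The following Python snippet is an added example, not code from the report or from CYMON, that flags that pattern in sshd logs: a successful password login from an address that produced a burst of failed logins shortly beforehand. The log lines are constructed samples in syslog sshd format, and the ten-minute window and three-failure threshold are assumed tuning values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format (not taken from the report).
# 203.0.113.9 fails five times then succeeds with a password: the SuperShell pattern.
# 192.0.2.44 fails once and succeeds over an hour later: not flagged.
SAMPLE_AUTH_LOG = """\
Sep  2 03:14:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 41222 ssh2
Sep  2 03:14:03 host sshd[2103]: Failed password for root from 203.0.113.9 port 41230 ssh2
Sep  2 03:14:05 host sshd[2105]: Failed password for root from 203.0.113.9 port 41238 ssh2
Sep  2 03:14:07 host sshd[2107]: Failed password for root from 203.0.113.9 port 41244 ssh2
Sep  2 03:14:09 host sshd[2109]: Failed password for root from 203.0.113.9 port 41250 ssh2
Sep  2 03:14:11 host sshd[2111]: Accepted password for root from 203.0.113.9 port 41256 ssh2
Sep  2 03:20:00 host sshd[2200]: Accepted publickey for deploy from 198.51.100.7 port 50012 ssh2
Sep  2 03:25:00 host sshd[2300]: Failed password for root from 192.0.2.44 port 40000 ssh2
Sep  2 04:30:00 host sshd[2400]: Accepted password for root from 192.0.2.44 port 40010 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_sshd_line(line):
    """Return a dict for an sshd auth event, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; ordering within one log is all we need here.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "result": m["result"],
        "method": m["method"],
        "user": m["user"],
        "ip": m["ip"],
    }


def find_bruteforce_logins(log_text, window=timedelta(minutes=10), min_failures=3):
    """Flag successful logins preceded by >= min_failures failures from the same IP
    within `window`. Window and threshold are assumed values; tune per environment."""
    events = [e for e in (parse_sshd_line(l) for l in log_text.splitlines()) if e]
    failures = {}  # source IP -> list of failure timestamps seen so far
    hits = []
    for ev in events:
        if ev["result"] == "Failed":
            failures.setdefault(ev["ip"], []).append(ev["ts"])
            continue
        # Successful login: count this IP's failures inside the look-back window.
        recent = [t for t in failures.get(ev["ip"], []) if ev["ts"] - t <= window]
        if len(recent) >= min_failures:
            hits.append({
                "ip": ev["ip"],
                "user": ev["user"],
                "method": ev["method"],
                "failures": len(recent),
                "time": ev["ts"].strftime("%b %d %H:%M:%S"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_bruteforce_logins(SAMPLE_AUTH_LOG):
        print(f"brute-force success: {hit['ip']} as {hit['user']} "
              f"after {hit['failures']} failures at {hit['time']}")
```

Run against the sample, this reports one hit for 203.0.113.9 (root, five failures) and nothing for the other addresses. The detection is a backstop; the real fix for the weakness exploited here is to disable password authentication in sshd_config (PasswordAuthentication no) and require keys, so that a dictionary of 'abc123'-style guesses has nothing to hit.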
2. Three Chinese-linked clusters identified behind cyberattacks in Southeast Asia
Full report available for CYMON users here.
Key Takeaways:
- Three China-linked clusters (STAC1248, STAC1870, STAC1305) targeted Southeast Asian governments in the activity tracked as Operation Crimson Palace.
- The activity focused on exfiltrating data and expanding the actors' foothold across victim networks.
- Compromised organisations' networks, including an Exchange server, were used as C2 relay points, with the actors rotating C2 channels to evade detection.
- Key tools: Cobalt Strike, Havoc, SharpHound, and TattleTale keylogger.
Analyst comment:
- The technique of compromising a government-adjacent organisation to host C2 infrastructure and stage further malware, so that the traffic appears to come from a trusted peer, has been observed previously.
- Continued monitoring of this activity is warranted, as the use of trusted third-party networks as C2 infrastructure is a growing trend.
3. CitrineSleet exploiting zero-day Chromium vulnerability
Full report available for CYMON users here.
Key Takeaways:
- North Korean threat actor CitrineSleet has exploited a zero-day vulnerability to gain remote access to targeted organisations.
- The vulnerability, now identified as CVE-2024-7971, is a type confusion bug in Chromium's V8 JavaScript engine that allows remote code execution in the browser's renderer process.
- CitrineSleet likely targeted the cryptocurrency sector for financial gain in this campaign.
- After remote code execution was achieved, the actor chained a sandbox escape to break out of the renderer and then deployed the FudModule rootkit.
- Analysis indicates that there may be shared use of FudModule between North Korean threat actors, such as Lazarus and CitrineSleet.
Analyst comment:
- While there are overlaps in TTPs between CitrineSleet and Lazarus, they are tracked as separate threat clusters with the shared aim of monetary gain.
Discover the strategic and tactical insights, plus expert analyst comments
Stay ahead of cyber threats with our comprehensive threat intelligence reports. Request a demo today to access these invaluable insights and enhance your cybersecurity posture.