Iranian state-backed advanced persistent threat group OilRig, also known as APT34, has deployed the novel Veaty and Spearal malware strains against Iraqi government agencies and organizations as part of a new cyberespionage campaign.
After achieving initial server access via weak passwords, threat actors proceeded to launch a pair of scripts to retrieve the Hadooken malware, which features not only a cryptocurrency miner but also the Tsunami distributed denial-of-service botnet.
Blind Eagle's attacks begin with phishing emails spoofing Colombia's tax authority. Embedded links redirect recipients to a ZIP archive hosted in a Google Drive folder, which leads to execution of the BlotchyQuasar payload.
Attackers used a malicious DLL loaded by the Microsoft Word application to retrieve, via the open-source UltraVNC remote desktop and remote administration software, a launcher that then injected the CXCLNT malware and the CLTEND remote access tool.
Intrusions exploiting the vulnerability have delivered not only the GOREVERSE reverse proxy server but also the Condi malware, the Mirai botnet variant Jenx, and four other cryptocurrency mining payloads.
Developers have been targeted through LinkedIn with a ZIP file that purports to be a Python coding challenge but contains the novel COVERTCATCH malware.
More than 50 Alibaba-hosted command-and-control servers have been used to distribute the backdoor, which impersonates the Java, bash, sshd, SQLite, and edr-agent utilities.