
    Date: 01/11/2023

    Decryptor for MegaCortex Ransomware Released

    Overview

    Last week, BitDefender released a free decryptor for the MegaCortex ransomware family, the result of a collaboration between BitDefender and several law enforcement agencies.

    Potential Impact

    A working decryptor is of high value to any organization still recovering from a MegaCortex attack, especially those that declined to pay the ransom and still hold encrypted data.

    Recommended Actions

    This decryptor may help if your organization has been a victim of this ransomware family; obtain it only from the vendor's official site and test it on copies of encrypted files before running it against production data. For everyone else, it is a reminder that decryptors do occasionally become available, usually weeks or months after the event, and that they are no substitute for prevention: tested offline backups and a rehearsed recovery plan are what allow an organization to refuse the ransom in the first place.


      Dridex Malware Running on OSX

      Overview

      According to researchers at Trend Micro, Dridex samples built to run on Apple's macOS have been observed since 2019, with the highest volume seen in December 2022.

      Potential Impact

      This Dridex variant overwrites docx files on macOS with a Windows executable, which cannot run natively on macOS; researchers suspect the sample is a work in progress and that macOS will become a genuine target for Dridex in the coming months. Dridex is best known as a banking trojan, but it can also steal a wide range of information from victims and load additional malicious code.

      Recommended Actions

      Don’t ignore macOS security. Keep the operating system and applications patched, leave Gatekeeper and notarization checks enabled rather than letting users bypass them, and deploy a quality EDR product on every operating system in the fleet, not only Windows.

      Sources

      https://www.trendmicro.com/en_us/research/23/a/-dridex-targets-macos-using-new-entry-method.html

      https://www.theregister.com/2023/01/06/dridex_macos_microsoft_malware/

      Malicious PyPI Packages

      Overview

      The Phylum security team has published findings on six malicious Python Package Index (PyPI) packages that deploy an information stealer and remote access trojan (the combination Phylum tracks as PowerRAT): pyrologin, easytimestamp, discorder, discord-dev, style.py, and pythonstyles. The packages pull in legitimate but highly invasive dependencies such as pynput, pydirectinput, and pyscreenshot, and have also been observed dropping PowerShell and Visual Basic scripts.

      Potential Impact

      The dependencies these packages install give the malware control over mouse and keyboard input, the ability to capture screen contents, and the ability to log keystrokes. More importantly, the malicious code is embedded in the package's setup script, so a plain “pip install” of the package is enough to execute it; the victim never has to import or use the package.

      These packages have also been observed installing cloudflared, Cloudflare's tunnel client, which exposes a local service through an outbound connection to Cloudflare's edge without a publicly routable IP address or any inbound firewall rule. Because the traffic is outbound HTTPS to a reputable domain, it blends in with ordinary web traffic, giving the threat actor an easy way past perimeter firewall controls.
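      The install-time execution described above can be triaged without ever running the package. The following is an added example, not Phylum's tooling and not code from any of the packages named in the briefing: it parses a source distribution's setup.py with Python's ast module (the file is read, never executed) and flags the three things that made these packages dangerous, namely shell or decoding calls reachable at install time, an overridden install command in cmdclass, and invasive dependencies. The package names, setup.py contents and the list of "invasive" libraries are constructed for the demonstration.

```python
"""Static triage of a PyPI sdist's setup.py before `pip install`.

Added example; the sample packages, file contents and INVASIVE_DEPS list are
constructed for the demonstration, not taken from the briefing's sources.
"""
import ast
import io
import tarfile

# Legitimate libraries that give a package keylogging, input-injection or
# screen-capture capability; their presence in a tiny utility is a red flag.
INVASIVE_DEPS = {"pynput", "pydirectinput", "pyscreenshot", "pyautogui"}

# Calls that let setup.py run arbitrary code the moment pip builds the package.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output", "exec", "eval",
    "base64.b64decode", "urllib.request.urlopen",
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source: str) -> dict:
    """Parse setup.py (never executed) and report install-time risks."""
    findings = {"calls": [], "invasive_deps": [], "custom_cmdclass": False}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in SUSPICIOUS_CALLS:
            findings["calls"].append((name, node.lineno))
        if name != "setup":
            continue
        for kw in node.keywords:
            if kw.arg == "install_requires" and isinstance(kw.value, (ast.List, ast.Tuple)):
                for elt in kw.value.elts:
                    if isinstance(elt, ast.Constant) and isinstance(elt.value, str):
                        # strip version specifiers such as "pynput>=1.7"
                        dep = elt.value.split("==")[0].split(">=")[0].strip().lower()
                        if dep in INVASIVE_DEPS:
                            findings["invasive_deps"].append(dep)
            if kw.arg == "cmdclass":
                # Overriding the install command is how a package runs code
                # during `pip install` without the victim importing anything.
                findings["custom_cmdclass"] = True
    findings["risky"] = bool(findings["calls"] or findings["invasive_deps"]
                             or findings["custom_cmdclass"])
    return findings


def scan_sdist(archive: bytes) -> dict:
    """Locate setup.py inside an sdist tarball (bytes) and scan it."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.name == "setup.py" or member.name.endswith("/setup.py"):
                return scan_setup_py(tar.extractfile(member).read().decode())
    return {"calls": [], "invasive_deps": [], "custom_cmdclass": False, "risky": False}


def build_sdist(pkg: str, setup_py: str) -> bytes:
    """Build an in-memory sdist tarball so the demonstration runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py.encode()
        info = tarfile.TarInfo(name=f"{pkg}/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample shaped like the briefing's description: payload in an
# install hook, invasive dependencies, encoded PowerShell command.
MALICIOUS_SETUP = '''
import base64, subprocess
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        # runs as soon as `pip install` finishes; no import of the package needed
        subprocess.run(["powershell", "-enc", base64.b64decode(b"ZWNobyBoaQ==").decode()])

setup(name="example-login-helper", version="0.0.1",
      install_requires=["pynput", "pydirectinput>=1.0", "pyscreenshot", "requests"],
      cmdclass={"install": PostInstall})
'''

# Constructed benign sample for comparison.
BENIGN_SETUP = '''
from setuptools import setup
setup(name="timestamp-util", version="1.0.0", install_requires=["requests"])
'''

if __name__ == "__main__":
    for name, src in (("example-login-helper", MALICIOUS_SETUP), ("timestamp-util", BENIGN_SETUP)):
        report = scan_sdist(build_sdist(name, src))
        print(name, "RISKY" if report["risky"] else "ok", report)
```

      Two caveats for using this in an approval workflow. First, fetch the sdist archive with a plain HTTP client (the file URL is listed in the index's package metadata) rather than with pip, because pip may execute the build backend, and therefore setup.py, to prepare metadata even for a download. Second, setup.py is not the only place install-time code can hide: a pyproject.toml build backend runs at build time too, and a package's __init__.py runs on first import, so the scan is a triage step, not a clean bill of health.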

      Recommended Actions

      Organizations can protect themselves from attacks such as these with strict change control and an application/approval procedure for Python packages: pin dependencies to specific versions and hashes, install from a curated internal index or proxy rather than directly from PyPI, and review a new package's setup script before approving it (fetching the sdist archive for review, not installing it). User awareness and security training for developers remain essential so that they understand the risks of installing untested Python packages.

      Sources

      https://thehackernews.com/2023/01/malicious-pypi-packages-using.html?&web_view=true

      https://blog.phylum.io/a-deep-dive-into-powerat-a-newly-discovered-stealer/rat-combo-polluting-pypi

      VSCode Marketplace Hosting Malicious Extensions

      Overview

      Threat actors have been observed uploading malicious Visual Studio Code extensions to the VS Code Marketplace. Visual Studio Code is used by approximately 70% of professional software developers, which makes its extension ecosystem an attractive supply-chain target.

      Researchers at Aqua Security found that the project details shown on a listing, such as the linked GitHub repository and its statistics, are supplied by the publisher and can be set freely, so a listing can be made to look like an active, reputable project. Extension display names also do not have to be unique, so a malicious actor can publish under the exact name of a legitimate extension; only the extension identifier (publisher plus extension name) distinguishes the two.

      Potential Impact

      The impact of installing a malicious extension depends on what it was built to do; an extension runs with the developer's privileges and has access to the file system, the shell and the network. For example, Aqua Security researchers found two extensions named “API Generator Plugin” and “code-tester” that send HTTP requests to a domain known to distribute malware. Actors could use this vector to compromise developer workstations, steal source code and credentials, and pivot to network-wide attacks.
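      Because display names are not unique, any pre-install check has to key on the extension identifier, not the name shown in the marketplace. The following is an added example, not Aqua Security's tooling and not code from any extension named in the briefing: it opens a .vsix package (a zip archive) offline, reads the manifest, derives the publisher.name identifier, compares it against an allow-list, and reports whether the extension activates on every startup and which hosts and dangerous Node APIs its main script references. The two packages it inspects are constructed in memory: a look-alike with the same display name as the real Prettier extension but a different (made-up) publisher, and a minimal stand-in for the genuine one; the hostname and allow-list are placeholders.

```python
"""Offline inspection of a VS Code extension package (.vsix) before install.

Added example. The manifests, script and allow-list below are constructed for
the demonstration; "prettiier-team" and the .invalid hostname are placeholders.
"""
import io
import json
import re
import zipfile

# Marketplace identity is publisher.name; displayName is free text and need
# not be unique, so the allow-list keys on the identifier.
APPROVED_EXTENSIONS = {"esbenp.prettier-vscode"}  # constructed allow-list

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
DANGEROUS_APIS = ("child_process", "eval(", "new Function(")


def _main_path(manifest: dict) -> str:
    """Path inside the archive of the script named by the manifest's "main"."""
    return "extension/" + manifest.get("main", "extension.js").lstrip("./")


def build_vsix(manifest: dict, main_js: str) -> bytes:
    """Build a minimal .vsix in memory (real packages carry many more files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("extension/package.json", json.dumps(manifest))
        z.writestr(_main_path(manifest), main_js)
    return buf.getvalue()


def inspect_vsix(data: bytes) -> dict:
    """Read the manifest and main script and summarize what the extension can do."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        manifest = json.loads(z.read("extension/package.json"))
        main = _main_path(manifest)
        script = z.read(main).decode(errors="replace") if main in z.namelist() else ""
    ext_id = f'{manifest.get("publisher", "")}.{manifest.get("name", "")}'
    activation = manifest.get("activationEvents", [])
    report = {
        "id": ext_id,
        "display_name": manifest.get("displayName", ""),
        "approved": ext_id in APPROVED_EXTENSIONS,
        # "*" (or onStartupFinished) means the code runs in every editor session
        "activates_on_startup": "*" in activation or "onStartupFinished" in activation,
        "hosts": sorted(set(URL_RE.findall(script))),
        "dangerous_apis": [api for api in DANGEROUS_APIS if api in script],
    }
    report["risky"] = not report["approved"] and bool(
        report["activates_on_startup"] or report["hosts"] or report["dangerous_apis"])
    return report


# Constructed look-alike: identical displayName, different publisher.
LOOKALIKE_MANIFEST = {
    "name": "prettier-vscode", "publisher": "prettiier-team",
    "displayName": "Prettier - Code formatter", "main": "./extension.js",
    "activationEvents": ["*"],
}
LOOKALIKE_JS = """
const cp = require('child_process');
const https = require('https');
function activate() {
  // beacons out and runs a command as soon as the editor starts
  https.get('https://updates.example-placeholder.invalid/check', () => {});
  cp.exec('id');
}
module.exports = { activate };
"""

# Constructed stand-in for the genuine extension (real id, minimal script).
GENUINE_MANIFEST = {
    "name": "prettier-vscode", "publisher": "esbenp",
    "displayName": "Prettier - Code formatter", "main": "./extension.js",
    "activationEvents": ["onLanguage:javascript"],
}
GENUINE_JS = "function activate() {}\nmodule.exports = { activate };\n"

if __name__ == "__main__":
    for label, m, js in (("look-alike", LOOKALIKE_MANIFEST, LOOKALIKE_JS),
                         ("genuine", GENUINE_MANIFEST, GENUINE_JS)):
        print(label, inspect_vsix(build_vsix(m, js)))
```

      The two reports share a display name and differ only in publisher, which is exactly the case a human skimming the marketplace misses. Scanning the main script for hostnames catches the kind of beacon Aqua Security observed, but it is a heuristic: an extension can fetch a second stage, obfuscate strings, or spawn a shell through a dependency, so the allow-list of identifiers is the control and the script scan is supporting evidence.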

      Recommended Actions

      Developers should scrutinize extensions before installing them, especially on systems that hold source code or credentials: verify the publisher (the marketplace marks verified publishers), check the extension identifier rather than the display name, review the linked repository and the extension's install count and rating history, and remove extensions that are no longer needed. It is also recommended that all endpoints be protected and monitored with Endpoint Detection & Response tools.

      Sources

      https://www.bleepingcomputer.com/news/microsoft/vscode-marketplace-can-be-abused-to-host-malicious-extensions/

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.

