"Upon investigation, we discovered that it's malware disguised as an exploit. Similarly, we found a malicious sample that appears to be a fake PoC of CVE-2022-24500. Both the malicious samples were available on GitHub. Interestingly, both repositories belong to the same profile, indicating the possibility that the Threat Actor (TA) might be hosting a malware campaign targeting the Infosec Community," Cyble analysts reported.

The fake exploits were published in repositories belonging to the GitHub user rkxxz, which have since been deleted along with the account itself. As always happens after PoC exploits are published, the news spread quickly on Twitter and also attracted the attention of attackers on hacker forums. It soon became clear that the exploits were fake and that Cobalt Strike beacons were being installed on the devices of the people who ran them.

You might also be curious to know what Cybersecurity Experts Analyzed the Methods of a Group of Russian Hackers Wizard Spider. Wizard Spider is a Russia-based, financially motivated threat group originally known for creating and deploying TrickBot since at least 2016. It possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.

Cyble analysts took a closer look at the fake PoCs and found that they are written in .NET and only pretend to exploit the IP address given to them; in reality they infect the user with a backdoor. The deobfuscated sample showed that the fake PoC runs a PowerShell script, which in turn executes another, gzip-compressed PowerShell script (VirusTotal) that injects the beacon into memory.

The researchers note that this is not the first case of targeted attacks on cybersecurity experts. By attacking members of the cybersecurity community, attackers can in theory gain access not only to the victim's vulnerability research, but also to the network of the cybersecurity company they work for. That can be a real gold mine for hackers.

Cobalt Strike is a legitimate commercial tool built for pentesters and red teams and focused on operations and post-exploitation. Unfortunately, it has long been a favourite of attackers ranging from state-sponsored APT groups to ransomware operators. Although the tool is not sold to ordinary users, attackers still find ways to obtain it, for example by relying on old, pirated, cracked or unregistered versions.
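The loader chain described above (an outer PowerShell script that base64-decodes and gunzips a second PowerShell script and evaluates it) is a common staging pattern, and it can be peeled apart offline before anyone runs a downloaded "PoC". The following triage script is an added example written for this page; it is not Cyble's tooling or the analyzed sample. The two-layer PowerShell it inspects is constructed inline for the demonstration, and the indicator list is a starting point to extend, not an authoritative signature set.

```python
import base64
import gzip
import re

# Strings that commonly appear in staged PowerShell loaders. None of them is
# proof of malice on its own; several of them clustered inside a "PoC" is a
# reason to stop and look before running anything.
INDICATORS = [
    "FromBase64String",
    "GzipStream",
    "Invoke-Expression",
    "IEX",
    "VirtualAlloc",
    "CreateThread",
    "DownloadString",
]

# The base64 literal passed to FromBase64String("..."); whitespace inside the
# literal is tolerated because obfuscators often wrap long blobs.
B64_ARG = re.compile(r'FromBase64String\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)')


def unwrap_layers(script: str, max_depth: int = 5) -> list[str]:
    """Return the script followed by every nested layer recoverable by
    base64-decoding a FromBase64String() argument and gunzipping it.
    A decoded blob that is not gzip is kept as plain decoded text."""
    layers = [script]
    current = script
    for _ in range(max_depth):
        match = B64_ARG.search(current)
        if not match:
            break
        raw = base64.b64decode(re.sub(r"\s+", "", match.group(1)))
        try:
            inner = gzip.decompress(raw).decode("utf-8", errors="replace")
        except (OSError, EOFError):
            inner = raw.decode("utf-8", errors="replace")
        layers.append(inner)
        current = inner
    return layers


def find_indicators(text: str) -> list[str]:
    """Case-insensitive, whole-token search for each indicator string."""
    hits = []
    for ind in INDICATORS:
        pattern = rf"(?<![A-Za-z0-9]){re.escape(ind)}(?![A-Za-z0-9])"
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(ind)
    return hits


def triage(script: str) -> dict:
    """Unwrap the script and report (layer depth, indicator) pairs.
    Depth 0 is the script as received; depth 1 is the first decoded stage."""
    layers = unwrap_layers(script)
    report = {"layers": len(layers), "indicators": []}
    for depth, layer in enumerate(layers):
        for ind in find_indicators(layer):
            report["indicators"].append((depth, ind))
    return report


def build_constructed_sample() -> str:
    """Constructed two-stage sample for this example (not the real fake PoC):
    an outer loader that gunzips and evaluates an embedded inner script.
    The inner script is harmless."""
    inner = 'Write-Host "second stage"; Invoke-Expression "Get-Date"'
    blob = base64.b64encode(gzip.compress(inner.encode())).decode()
    return (
        f'$b = [System.Convert]::FromBase64String("{blob}")\n'
        "$ms = New-Object System.IO.MemoryStream(,$b)\n"
        "$gz = New-Object System.IO.Compression.GzipStream("
        "$ms, [IO.Compression.CompressionMode]::Decompress)\n"
        "IEX (New-Object System.IO.StreamReader($gz)).ReadToEnd()\n"
    )


if __name__ == "__main__":
    result = triage(build_constructed_sample())
    print(f"recovered layers: {result['layers']}")
    for depth, ind in result["indicators"]:
        print(f"  layer {depth}: {ind}")
```

On the constructed sample the script recovers two layers and flags FromBase64String, GzipStream and IEX in the outer stage and Invoke-Expression in the decoded inner stage, which is exactly the shape of the chain the article describes. For a real suspected PoC, run this on the extracted script text in an isolated analysis VM, never on the workstation holding your research.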