Archive for Cado Security

Meeten Malware – Cross-platform threat to crypto wallets on macOS and Windows

Posted in Commentary with tags on December 6, 2024 by itnerd

Cado Security has revealed that its researchers have identified a new Realst information stealer campaign being spread through a fake video call company. Users are tricked into downloading the software as part of a widespread scam in which the threat actors use AI-generated content to enhance their credibility.

The threat actors behind this campaign set up fake websites that cycle through different names, going as far as to create social media accounts, AI-generated content, and blog posts. The fake company reaches out to targets to set up a video call, prompting the user to download the meeting application from the website, which is in fact the Realst infostealer.

You can read Cado’s blog post on the topic here.

New Malware Targets macOS, Increasing Apple Security Immunity Concerns Against Cyber Threats

Posted in Commentary with tags on August 22, 2024 by itnerd

Cado Security has revealed that its researchers discovered malware-as-a-service (MaaS) targeting macOS that steals credentials and cryptocurrency wallets from various stores, including game accounts.

The malware is distributed as an Apple disk image (dmg) bundled with Go binaries disguised as legitimate software, including CleanMyMac, Grand Theft Auto IV (there appears to be a typo for VI), and Adobe GenP.

The dmg, together with a command-line tool for running AppleScript and JavaScript, prompts users to open the software and provide their passwords. The malware fingerprints the victim’s system to gather IP details, OS version, hardware, and software information.

Cado discovered the malware sold on two well-known malware marketplaces, which are used for communication, arbitration, and advertising of the stealer. The developers and affiliates coordinate as a team over Telegram, and the stealer is rented to individuals for $500/month.

The leading developer pays affiliates a percentage of earnings based on what their deployment of the stealer has stolen. Each affiliate of the stealer is responsible for deploying the malware. 

While macOS has long been considered a secure system, malware targeting Mac users remains a growing security concern, underscoring the need for clear guidance on protecting Apple users against cyber threats.

Tara Gould, Threat Researcher at Cado Security, explores how the MaaS operators carry out their activities, best practices for significantly reducing the risk of falling victim to Mac malware, and recommendations for ensuring systems remain secure.

You can read the research here.

New Research Reveals Attackers Mimicking Tech Companies’ Domain Using Typosquatting Techniques

Posted in Commentary with tags on August 21, 2024 by itnerd

In today’s digital landscape, cybercriminals are constantly finding new and sophisticated ways to compromise corporate systems. One clever tactic in use is typosquatting: an attack technique that deliberately places misspelled or substituted characters in a domain name so that, at a quick glance, it appears legitimate to the average user. Interacting with the fake domain may set the user up for a phishing attack.

Cado Security has released its latest blog post, which describes the discovery of a domain that closely resembled the Cado corporate domain.

During a routine check, Cado discovered that, just three days prior and before any damage had been done, a domain resembling the Cado domain had been registered containing a character substitution of the kind seen in typosquatting attacks. Analysis revealed that not only was Cado’s domain being mimicked, but several other tech companies’ domains had been targeted in a similar fashion.

The blog post discusses how this domain was identified and the steps taken following discovery. You can read the blog here.

P2Pinfect Evolves to Deploy Ransomware

Posted in Commentary with tags on June 25, 2024 by itnerd

P2Pinfect, a Rust-based malware covered extensively by Cado Security in the past, is a reasonably sophisticated sample that uses a peer-to-peer (P2P) botnet for its command and control mechanism. Upon initial discovery it appeared largely dormant.

It would spread primarily via Redis and a limited SSH spreader, but ultimately did not have an objective other than to spread. Recently, Cado Security has observed a new update to P2Pinfect that introduces a ransomware and crypto miner payload.

P2Pinfect is still a widespread malware that has infected many servers. Its latest updates to the crypto miner, ransomware payload, and rootkit elements demonstrate the malware author’s continued efforts to profit from their illicit access and spread the network further as it continues to worm across the internet.

The choice of a ransomware payload for malware that primarily targets a server storing ephemeral in-memory data is an odd one, and P2Pinfect’s operators will likely see far more profit from the miner than from the ransomware, given the limited set of low-value files it can access at its permission level.

Cado Security has determined that the command to start the ransomware was issued on May 16, 2024, and that it will remain active until December 17, 2024.

You can read the details here.

Cado Security Introduces First-Ever Support to Perform Investigations in Distroless Container Environments

Posted in Commentary with tags on May 8, 2024 by itnerd

Cado Security, provider of the first investigation and response automation platform, today announced the world’s first solution to perform forensic investigations in distroless container environments. With Cado Security’s new offering, security teams can investigate the root cause, scope, and impact of malicious activity detected within distroless container environments to gain greater visibility into cloud risk.

Distroless containers are designed for efficiency and security, stripped of standard OS components like shell utilities and package managers. While these containers offer some security benefits by minimizing the attack surface, they leave a significant security blind spot when something malicious does occur. Until today, it was impossible to perform an investigation in these environments, resulting in a significant visibility gap.

Cado Security delivers a first-of-its-kind solution that addresses the unique challenges distroless containers introduce for security teams. Cado’s unique patent-pending approach collects data from distroless and private clusters without impacting the target container to enable immediate investigation. The collected data includes running processes, crucial log files, and forensic artifacts. Cado also uses its previously open-sourced “varc” toolset to collect memory from individual processes for forensic analysis. This evidence is then seamlessly presented in the Cado platform for unprecedented visibility into cloud risk.

Join Cado Security at RSA 2024: Visit the team at Booth #4316 or schedule an on-site meeting during the RSA Conference in San Francisco from May 6-9. For more information about Cado Security’s Distroless Container Support, please visit https://www.cadosecurity.com/blog/cado-introduces-first-ever-support-to-perform-investigations-in-distroless-containers.

New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis, & Confluence

Posted in Commentary with tags on March 6, 2024 by itnerd

Cado Security has revealed a newly encountered emerging malware campaign targeting misconfigured servers running the following web-facing services: Apache Hadoop YARN, Docker, Confluence, and Redis.

Notably, the new research describes the exploitation of not just one but multiple services typically deployed in the cloud; the targeting of Confluence deployments, which demonstrates a willingness to weaponize security research for nefarious purposes; and the use of the Platypus reverse shell to maintain access to the host.

You can read the research here.

Cado Security Labs Releases H2 2023 Cloud Threat Findings Report

Posted in Commentary with tags on February 28, 2024 by itnerd

Cado Security, provider of the first cloud forensics and incident response platform, today announced the release of the Cado Security Labs H2 2023 Cloud Threat Findings Report, sharing deep insights into the cloud threat landscape to help security teams remain at the forefront of securing their organizations against the latest threats.

Cado Security Labs operates honeypot infrastructure across four distinct geographical regions to collect cloud attacker telemetry. The latter half of 2023 saw the introduction of “Cloudypots,” a new, more sophisticated, high-interaction honeypot system that lets researchers stand up realistic honeypot services quickly and safely.

As commercial adoption of cloud technologies continues, cloud-focused malware campaigns have increased in sophistication and number – a collective effort to safeguard both large and small enterprises is critical. Security teams need to reassess their internal tools and approaches to ensure their ability to correctly identify, investigate, and respond to emerging cloud threats. 

The report provides insights into the second half of 2023: an analysis of real-world techniques employed by attackers and an overview of novel malware campaigns found in the wild targeting cloud environments, including Qubitstrike, Legion, Blackcat, Bioset, Cetus, P2Pinfect, and 9hits.

Key technical findings from attacker telemetry, which Cado Security covers in detail within the report, include:

  • Attackers target cloud services that require specialist technical knowledge to exploit. Attackers are increasingly targeting services, such as Docker, Redis, Kubernetes, and Jupyter, that require expert technical knowledge to exploit, different from what’s required for attacking generic Linux servers. 
  • Docker is the most commonly exploited “cloud-native” service for initial access. Although cloud-focused attackers aim to exploit various services typically deployed in cloud environments, Docker remains the most frequently targeted for initial access, with 90.65% of honeypot traffic when discounting SSH. 
  • Threat actors leverage hosting companies across the globe for their infrastructure. Identified malware campaigns, such as P2Pinfect, had a wide geographical distribution with nodes belonging to providers in China, the US, and Germany, which shows that regardless of where your infrastructure is located, it is still susceptible to Linux and cloud-focused attacks.
  • Cryptojacking is no longer the sole focus of cloud attackers. While cryptojacking is a legitimate and significant threat, Cado Security Labs has started to see a diversification in objectives displayed by recent Linux and cloud malware campaigns. For example, with the discovery of new Linux variants of ransomware families, such as Abyss Locker, there is a worrying trend of ransomware on Linux and ESXi systems. Cloud and Linux infrastructure is now subject to a broader variety of attacks. 

Other observations also include: 

  • Attackers continue to exploit web-facing services in cloud environments to help them gain access to cloud environments and invest significant time into hunting for misconfigured deployments of these services. 
  • Rust malware continues to increase as the language gains popularity in general software development and will also become increasingly popular in the malware community, with threat actors increasingly developing malicious payloads in Rust.

To ensure effective and efficient cloud incident handling, Cado Security Labs recommends that security teams:

  • establish a policy of regularly reviewing the security of deployed services in their cloud estate;
  • reduce the attack surface by only deploying public-facing services when necessary, and use the network security features provided by their Cloud Service Provider (CSP);
  • collect and aggregate logs from the CSP’s control plane and from the individual services intended to run in their accounts;
  • hold periodic reviews and set up automated alerting for anomalies found in these log sources.

To download the full report, visit https://offers.cadosecurity.com/h2-2023-threat-findings-report

New Redis Malware In The Wild Exploits System-Weakening Commands for Cryptojacking Attack

Posted in Commentary with tags on February 20, 2024 by itnerd

Cado Security has revealed that it discovered a new malware, Migo, that aims to compromise Redis servers for mining cryptocurrency, demonstrating that cloud-focused attackers continue refining their techniques and improving their ability to exploit web-facing services.

This campaign utilized several Redis system-weakening commands to turn off security features of the data store that might impede initial access attempts. These commands have not previously been reported in campaigns leveraging Redis for initial access.

Migo takes steps to obfuscate itself and hinder reverse engineering. Rather than a series of shell scripts, as seen in previous campaigns, Migo is delivered as a compiled binary that serves as the primary payload. Its author continues to hone these techniques and complicate the analysis process.

The malware deploys a modified version of a popular user-mode rootkit to hide processes and on-disk artifacts. Although cryptojacking campaigns frequently use process hiders, this variant can hide on-disk artifacts in addition to malicious processes.

You can read this report here.

New Malware Targeting Vulnerable Docker to Deploy Smart Web Traffic Exchange App as Payload

Posted in Commentary with tags on January 18, 2024 by itnerd

Cado Security has published its discovery of the first documented case of malware deploying the 9Hits Traffic Exchange (“A Unique Web Traffic Solution”) viewer application as a payload. The 9Hits app, which is responsible for generating hits and credits, is now being deployed by malware to generate credits for the attacker.

Cado observed a novel campaign targeting vulnerable Docker services to deploy two containers: an XMRig miner and 9hits. Members of the 9hits platform can buy credits to have traffic sent to their chosen website, and can run the 9hits viewer app to visit websites requested by other members in exchange for a cut of the credits.

This campaign shows that exposed Docker hosts are still a common entry vector and that attackers always seek new strategies to profit from compromised hosts. Cado observed the processes being run, which allow the 9hits app to authenticate with its servers and pull a list of sites to visit. Once a site is visited, the session owner is awarded a credit on the 9hits platform.

In the new research, Nate Bill, Threat Intelligence Engineer at Cado Security, analyzes why the threat actor behind this campaign removed the ability to visit crypto-related sites, the main impact of this campaign on compromised hosts, and the effect on infected servers, which are left unable to perform normally.

You can read the details here.

New P2Pinfect Variant: Malware’s Threat Actors Increasingly Targeting IoT, Routers, Embedded Devices

Posted in Commentary with tags on December 4, 2023 by itnerd

Since Cado Security Labs’ recent discovery, its researchers have been monitoring and reporting on the exponential growth of the P2Pinfect malware, which acts as a cross-platform botnet agent exploiting cloud environments.

Today Cado Security reveals a new P2Pinfect variant, discovered by its researchers, compiled for the MIPS (Microprocessor without Interlocked Pipelined Stages) architecture.

This discovery demonstrates that the threat actors behind P2Pinfect are increasingly targeting routers, IoT, and other embedded devices.

The new sample includes updated evasion mechanisms, making it more difficult for researchers to analyze dynamically, including Virtual Machine (VM) detection methods for embedded payloads, debugger detection, and anti-forensics on Linux hosts.

You can read the details here.