Bullet points of key topics + chapter markers
[00:36] HelloXD Ransomware Installing Backdoor on Targeted Windows and Linux Systems
[07:20] Iranian Hackers Spotted Using a new DNS Hijacking Malware in Recent Attacks
[13:10] Chinese Hackers Distribute Backdoored Wallets for iOS and Android Users
[19:57] New Botnets Target Critical Vulnerability in Confluence Servers

Links
https://unit42.paloaltonetworks.com/helloxd-ransomware/
https://thehackernews.com/2022/06/hello-xd-ransomware-installing-backdoor.html
https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor
https://thehackernews.com/2022/06/iranian-hackers-spotted-using-new-dns.html
https://thehackernews.com/2022/06/chinese-hackers-distribute-backdoored.html?&web_view=true
https://cyware.com/news/new-botnets-target-critical-vulnerability-in-confluence-servers-9b210f41
https://cyware.com/research-and-analysis/patch-now-atlassian-confluence-vulnerability-cve-2021-26084-advisory-e7ba
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134

HelloXD Ransomware Installing Backdoor on Targeted Windows and Linux Systems

• HelloXD
  • surfaced in the wild on November 30, 2021
  • deploys a backdoor for persistence
  • impacting Windows and Linux systems
  • code based off of Babuk
• Double Extortion Group
  • demand cryptocurrency payments by exfiltrating a victim’s sensitive data in addition to encrypting it and threatening to publicize the information.
  • doesn’t have an active leak site
  • negotiations through TOX chat and onion-based messenger instances
• MicroBackdoor
  • open-source malware
  • used for command-and-control
  • developer says
    • “really minimalistic thing with all of the basic features in less than 5,000 lines of code.”
  • Capabilities
    • browse the file system
    • upload and download files
    • execute commands
    • erase evidence
  • researchers suspected that the deployed
    • to monitor the progress of the ransomware.
• Palo Alto Networks Unit 42
  • linked to a likely Russian developer
    • online aliases x4k, L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4km
• CyberWar Angle
  • different variants of the implant were adopted by the Belarusian threat actor dubbed Ghostwriter
    • against Ukrainian state organizations in March 2022

Iranian Hackers Spotted Using a new DNS Hijacking Malware in Recent Attacks

• Lyceum
  • AKA: Hexane, Spirlin, or Siamesekitten
  • Iranian state-sponsored threat actor
  • known for targeting the Middle East and Africa
  • new custom .NET-based backdoor
    • DNS Backdoor
      • customized version of the open-source tool ‘DIG.net
• DNS Attack
  • DNS Hijacking
    • Redirection Attack
    • attacker-controlled DNS server
    • manipulates the response of DNS queries
    • resolves them as per their malicious requirements.
• Attack
  • macro-laced Microsoft Document
    • “news-spot[.]live
      • Pretends to be a real news site
    • Report about Iran’s Drone Strikes
  • Upon accepting Macro
    • drops the implant to the Windows Startup folder
      • to establish persistence
    • ensure it automatically runs every time the system is restarted.
    • Point DNS traffic to their malicious domain server
      • cyberclub[.]one
      • command-and-control (C2) communications to evade detection
    • It can upload and download files to and from the remote server
    • execute malicious system commands
      

Chinese Hackers Distribute Backdoored Wallets for iOS and Android Users

• SeaFlower
  • a technically sophisticated threat actor
  • discovered in March 2022
  • “hint[s] to a strong relationship with a Chinese-speaking entity yet to be uncovered”
    • based on the macOS usernames
    • source code comments in the backdoor code
    • its abuse of Alibaba’s Content Delivery Network (CDN)
• targeting Android and iOS users
  • mimics official cryptocurrency wallet websites
    • distribute backdoored apps
    • to drain victims’ funds.
      • By exfil the seed phrase
• Targeted Apps Include
  • Coinbase Wallet
  • MetaMask
  • TokenPocket
  • imToken
• Attack Vector
  • setting up cloned websites
  • leverages SEO poisoning techniques
  • act as a conduit to download trojanized versions of the wallet apps
    • virtually unchanged from their original counterparts except for the addition of new code designed to exfiltrate the seed phrase to a remote domain
  • target iOS users by means of provisioning profiles that enable the apps to be sideloaded onto the devices.

New Botnets Target Critical Vulnerability in Confluence Servers

• the exploitation of the flaw CVE-2021-26084 (9.8/10)
  • Confluence Server and Data Center
  • unauthorized attackers to:
    • create new admin accounts, run commands, and take over the server remotely to backdoor publicly exposed servers.
• Last week zero-day (CVE-2022-26134)
  • Atlassian Confluence by Volexity
  • Remote Code Execution Vulnerability
  • Just one day after being disclosed publicly, the flaw was actively abused and Atlassian released security updates. Further, advised patching installations to prevent ongoing attacks.
  • CISA ordered federal agencies to restrict all internet traffic to Confluence servers on their networks.
• Botnets
  • Kinsing, Hezb, and Dark[.]IoT
    • targeting exposed Linux servers
      • deliver backdoors and crypto miners.