BlogNews18TH APR 2024
AuthorSamir Yawar
7 min read
News

FIN7, Redline Malware, and Akira Ransomware dominate headlines

Twitter
Facebook
WhatsApp
Email
LinkedIn
cybersecurity news roundup for april 2024

Recent cybersecurity incidents have underscored the persistent and multifaceted nature of cyberattacks. From the targeted infiltration of a major U.S. car manufacturer by the notorious FIN7 group to the emergence of a deceptive game cheat masking a Redline-linked malware, and the widespread impact of Akira ransomware operations, these developments highlight the diverse tactics employed by threat actors to compromise organizations worldwide. 

Cybersecurity News Roundup for April 2024

Here’s what went down this week:

FIN7 Targets U.S. Auto Giant with Anunak Backdoor

A notable U.S. automotive manufacturer fell victim to a targeted cyber intrusion orchestrated by the financially motivated threat actor FIN7, employing spear-phishing tactics aimed at the IT department's personnel to implant systems with the Anunak backdoor.

Recent findings from BlackBerry researchers reveal that the assault transpired late last year, leveraging living-off-the-land binaries, scripts, and libraries (LoLBas) as part of its modus operandi. The threat actor strategically targeted individuals with elevated privileges, enticing them with links masquerading as the legitimate Advanced IP Scanner tool.

BlackBerry's attribution of the attacks to FIN7 rests on a robust foundation of evidence, notably the deployment of distinctive PowerShell scripts employing the adversary's 'PowerTrash' obfuscated shellcode invoker—a hallmark first identified in a campaign dating back to 2022.

Prior to this incident, FIN7's nefarious activities had been observed targeting exposed Veeam backup and Microsoft Exchange servers, alongside the deployment of Black Basta and Clop ransomware payloads within corporate networks.

The attack commenced with spear-phishing emails directed at high-ranking IT personnel within the U.S.-based automotive giant. These emails contained links redirecting recipients to a fraudulent domain, "advanced-ip-sccanner[.]com," posing as the legitimate Advanced IP Scanner project hosted at "advanced-ip-scanner.com."

Upon redirection to "myipscanner[.]com" (currently offline), visitors were presented with a Dropbox page housing a malicious executable named 'WsTaskLoad.exe,' masquerading as the genuine Advanced IP Scanner installer.

Upon execution, 'WsTaskLoad.exe' initiates a multi-stage process involving DLL invocation, WAV file manipulation, and shellcode execution, culminating in the decryption and execution of a file named 'dmxl.bin,' housing the Anunak backdoor payload.

Anunak, also known as Carbanak, constitutes one of several malware tools wielded by FIN7, alongside Loadout, Griffon, PowerPlant, and Diceloader. Notably, 'WsTaskLoad.exe' additionally facilitates the installation of OpenSSH for persistent access, accompanied by the creation of a scheduled task. Although FIN7 has previously utilized OpenSSH for lateral movement, BlackBerry's analysis did not detect such activity in the examined campaign.

Redline-Linked Malware Poses as Game Cheat

A newly discovered information-stealing malware, purportedly associated with Redline, has surfaced under the guise of a game cheat dubbed 'Cheat Lab,' enticing potential victims with the promise of a complimentary copy in exchange for recruiting others to install it.

Redline, a formidable information-stealing malware notorious for its capability to harvest sensitive data from compromised systems, including passwords, cookies, autofill details, and cryptocurrency wallet credentials, commands a significant presence among cybercriminal circles, its reach extending across global distribution channels.

McAfee threat researchers have identified that this new iteration of information stealer employs Lua bytecode to evade detection measures, affording the malware the ability to infiltrate legitimate processes surreptitiously and exploit Just-In-Time (JIT) compilation for enhanced performance.

The malicious payloads masquerade as demos for cheating utilities named "Cheat Lab" and "Cheater Pro," disseminated through URLs affiliated with Microsoft's 'vcpkg' GitHub repository. Distributed within ZIP archives, the malware conceals itself within an MSI installer that, upon execution, deploys two files—compiler.exe and lua51.dll—alongside a 'readme.txt' file housing the malicious Lua bytecode.

Employing a cunning tactic to propagate further, the malware entices victims with the prospect of receiving a complimentary, fully licensed version of the cheating software upon successful recruitment of acquaintances. The enticement is supplemented with an activation key, adding an air of legitimacy to the deceitful scheme.

Akira Ransomware Rakes in $42 Million in Payments

A joint advisory released by the FBI, CISA, Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL) disclosed that the Akira ransomware operation has successfully infiltrated the networks of more than 250 organizations, amassing an estimated $42 million through ransom payments.

The emergence of Akira in March 2023 marked the onset of its notoriety as it swiftly targeted entities spanning various industry sectors on a global scale. By June of the same year, the ransomware collective had developed and deployed a Linux encryptor tailored to exploit VMware ESXi virtual machines, widely deployed within corporate environments.

Negotiation transcripts obtained by BleepingComputer revealed that Akira's operators are issuing ransom demands ranging from $200,000 to multimillion-dollar sums, contingent upon the scale of the compromised entity.

A joint advisory underscored the gravity of the situation, cautioning that, "As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds." Furthermore, it noted, "Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia."

Recent victims of Akira's ransomware campaigns include Nissan Oceania, which disclosed a data breach affecting 100,000 individuals in March, and Stanford University, which similarly acknowledged a breach compromising the personal data of 27,000 individuals last month.

Previous Coverage

Want to catch up on the latest security news? Check out:


Samir Yawar
Samir Yawar / Content Lead
Samir wants a world where people can instinctively whack online scams and feel accomplished without the need for psychic powers. As an ISC2 member, he is doing his bit to turn cybersecurity awareness training into a fun concept with simple, approachable and accessible content. Reach out to him at X @yawarsamir
FAQsFrequently Asked Questions
If you suspect you've been targeted by a spear phishing attack, refrain from clicking on any links or downloading attachments in the suspicious email. Instead, report it to your organization's IT department or security team for further investigation and guidance.